f3075816f60feaf04e278ad2ed3ab2aff1345b77c0978f1ebbd1bf3dd3b9677a

Analysis

max time kernel
148s
max time network
145s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
27/07/2024, 12:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

DRAFT DOCUMENTS.js
Size

479KB
MD5

b5f0861bf48f0fb76e6c504eba4a0128
SHA1

7cf3a28b5255bbda0cff658a6f2a08b132d75e80
SHA256

f3075816f60feaf04e278ad2ed3ab2aff1345b77c0978f1ebbd1bf3dd3b9677a
SHA512

dfc3d832a2bb39546f80e8b96c2337317f5a33d6dac3a948fe805683c7416711088dbbe9b4361ff98f2becd492ffa65b2af0cb86772a414dbacaf821a9b21ff4
SSDEEP

12288:ljuNGDcp8kQrSKUjlhkEgV/54KG9dvbcYImaKu82ZYHs5dMM8AQ11WGrp0sa:KGDcpIEjW

Score

8^/10

discovery execution

Malware Config

Signatures

Blocklisted process makes network request 1 IoCs

flow	pid	Process
5	608	wscript.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\Control Panel\International\Geo\Nation	WScript.exe

Drops file in System32 directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\%AppData%\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%AppData%\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%AppData%\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%AppData%\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%AppData%\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%AppData%\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Command and Scripting Interpreter: JavaScript 1 TTPs
execution

JavaScript
T1059.007
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE

Checks processor information in registry 2 TTPs 18 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	wermgr.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	wermgr.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	wermgr.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	wermgr.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	wermgr.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	wermgr.exe

Enumerates system info in registry 2 TTPs 12 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	wermgr.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	wermgr.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	wermgr.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	wermgr.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	wermgr.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	wermgr.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	wermgr.exe

Modifies Internet Explorer settings 1 TTPs 41 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "2334367085"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000d6ae7fc137728b4d8f1885e01307ea05000000000200000000001066000000010000200000002ee99fc29951f0cc179e853dec4c575b44c4352bc49edd5bbe8c38feb09ab6b2000000000e80000000020000200000009e503d92ecfcdc4ab0fb93de1aec1f1a2a4e076821342f1c2cfb6498ecd39bec200000003883fa2811680c044a0eec0143c79c4f98761bf37d73f5e7bad7124ffe78d84a4000000089d1059705b53951e06a40c5e5dd2118744fe686c896cbee82bdbb40b5688aae32457d9c1706c4ccaffed9dd84cbee5bfcc4a8a69b68893fe77e08332176e4b3	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{B6859F9C-4C13-11EF-AF84-CAEAA890B1DB} = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2368117333"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\Software\Microsoft\Internet Explorer\IESettingSync	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31121440"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "428848280"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000d6ae7fc137728b4d8f1885e01307ea0500000000020000000000106600000001000020000000640494f4ac3b9c78f1bb64531de205829dcf100c16ec1fb99b5464d32c493dcc000000000e8000000002000020000000ed31a072413746b4a126f7a19dc697c8996be539e657d4314bc674be008125ad2000000060b3099c451b1339481bd271c49610b463c60acfdbde3e05723c69a65ede8cc240000000df1018b7538913f33cd7e7e67984de2c6c567ff109bf750173af47b0993d9adb024ee29f2117b9d9c4216cf03b61f5e2db7b35fb94ad738222b6f3b4bd9c15d2	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\""	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31121440"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 60d02c9820e0da01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31121440"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2334367085"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 40be229820e0da01	iexplore.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

pid	Process
3020	powershell.exe
3020	powershell.exe
3020	powershell.exe
2924	powershell.exe
2924	powershell.exe
4168	powershell.exe
4168	powershell.exe
4168	powershell.exe
2924	powershell.exe
2924	powershell.exe
3052	powershell.exe
3052	powershell.exe
3052	powershell.exe
4520	powershell.exe
4520	powershell.exe
5028	powershell.exe
5028	powershell.exe
4520	powershell.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	3020	powershell.exe
Token: SeDebugPrivilege	2924	powershell.exe
Token: SeDebugPrivilege	4168	powershell.exe
Token: SeDebugPrivilege	3052	powershell.exe
Token: SeDebugPrivilege	4520	powershell.exe
Token: SeDebugPrivilege	5028	powershell.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
936	iexplore.exe

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
936	iexplore.exe
936	iexplore.exe
4476	IEXPLORE.EXE
4476	IEXPLORE.EXE
4476	IEXPLORE.EXE
4476	IEXPLORE.EXE
4476	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 29 IoCs

description	pid	Process	procid_target
PID 3228 wrote to memory of 3020	3228	WScript.exe	104
PID 3228 wrote to memory of 3020	3228	WScript.exe	104
PID 3020 wrote to memory of 4768	3020	powershell.exe	107
PID 3020 wrote to memory of 4768	3020	powershell.exe	107
PID 3228 wrote to memory of 2924	3228	WScript.exe	109
PID 3228 wrote to memory of 2924	3228	WScript.exe	109
PID 936 wrote to memory of 4476	936	iexplore.exe	113
PID 936 wrote to memory of 4476	936	iexplore.exe	113
PID 936 wrote to memory of 4476	936	iexplore.exe	113
PID 3228 wrote to memory of 4168	3228	WScript.exe	115
PID 3228 wrote to memory of 4168	3228	WScript.exe	115
PID 4168 wrote to memory of 1304	4168	powershell.exe	117
PID 4168 wrote to memory of 1304	4168	powershell.exe	117
PID 2924 wrote to memory of 5104	2924	powershell.exe	118
PID 2924 wrote to memory of 5104	2924	powershell.exe	118
PID 3228 wrote to memory of 3052	3228	WScript.exe	119
PID 3228 wrote to memory of 3052	3228	WScript.exe	119
PID 3052 wrote to memory of 2272	3052	powershell.exe	121
PID 3052 wrote to memory of 2272	3052	powershell.exe	121
PID 3228 wrote to memory of 4520	3228	WScript.exe	122
PID 3228 wrote to memory of 4520	3228	WScript.exe	122
PID 3228 wrote to memory of 5028	3228	WScript.exe	124
PID 3228 wrote to memory of 5028	3228	WScript.exe	124
PID 5028 wrote to memory of 3000	5028	powershell.exe	126
PID 5028 wrote to memory of 3000	5028	powershell.exe	126
PID 4520 wrote to memory of 1896	4520	powershell.exe	127
PID 4520 wrote to memory of 1896	4520	powershell.exe	127
PID 3228 wrote to memory of 4620	3228	WScript.exe	128
PID 3228 wrote to memory of 4620	3228	WScript.exe	128

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\wscript.exe
wscript.exe "C:\Users\Admin\AppData\Local\Temp\DRAFT DOCUMENTS.js"
1⤵
- Blocklisted process makes network request
PID:608

C:\Windows\System32\WScript.exe
C:\Windows\System32\WScript.exe "C:\Users\Admin\UfFiqQIFyjJeqsw.vbs"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3228
- C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
  2⤵
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3020
- - C:\Windows\system32\wermgr.exe
    "C:\Windows\system32\wermgr.exe" "-outproc" "0" "3020" "2816" "2756" "2820" "0" "0" "2824" "0" "0" "0" "0" "0"
    3⤵
    - Checks processor information in registry
    - Enumerates system info in registry
    PID:4768
- C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
  2⤵
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2924
- - C:\Windows\system32\wermgr.exe
    "C:\Windows\system32\wermgr.exe" "-outproc" "0" "2924" "2592" "2536" "2772" "0" "0" "2780" "0" "0" "0" "0" "0"
    3⤵
    - Checks processor information in registry
    - Enumerates system info in registry
    PID:5104
- C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
  2⤵
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4168
- - C:\Windows\system32\wermgr.exe
    "C:\Windows\system32\wermgr.exe" "-outproc" "0" "4168" "2720" "2652" "2724" "0" "0" "2728" "0" "0" "0" "0" "0"
    3⤵
    - Checks processor information in registry
    - Enumerates system info in registry
    PID:1304
- C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
  2⤵
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3052
- - C:\Windows\system32\wermgr.exe
    "C:\Windows\system32\wermgr.exe" "-outproc" "0" "3052" "2768" "2688" "2772" "0" "0" "2776" "0" "0" "0" "0" "0"
    3⤵
    - Checks processor information in registry
    - Enumerates system info in registry
    PID:2272
- C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
  2⤵
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4520
- - C:\Windows\system32\wermgr.exe
    "C:\Windows\system32\wermgr.exe" "-outproc" "0" "4520" "2964" "2904" "2968" "0" "0" "2972" "0" "0" "0" "0" "0"
    3⤵
    - Checks processor information in registry
    - Enumerates system info in registry
    PID:1896
- C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
  2⤵
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:5028
- - C:\Windows\system32\wermgr.exe
    "C:\Windows\system32\wermgr.exe" "-outproc" "0" "5028" "2776" "2696" "2780" "0" "0" "2784" "0" "0" "0" "0" "0"
    3⤵
    - Checks processor information in registry
    - Enumerates system info in registry
    PID:3000
- C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
  2⤵
  PID:4620

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -nohome
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:936
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:936 CREDAT:17410 /prefetch:2
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:4476

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

JavaScript

T1059.007

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
06d16fea6ab505097d16fcaa32949d47

SHA1
0c1c719831fa41cd102d0d72d61c0f46ec5b8de8

SHA256
54e15de2bef9f651d7717e2a336ac6b2ea2b723e6f29d2b153d8fbbc89aef723

SHA512
03c00f1eebb51cec11703141ae9d9c3ac589f5495bc04d8a4b043714089a9d50bd3a520e4d72b4a4c99f5b9bf5f689bf2585fa5c7d4ddbe6f71cbba0172f593a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\QSEI9KX6\suggestions[1].en-US

Filesize
17KB

MD5
5a34cb996293fde2cb7a4ac89587393a

SHA1
3c96c993500690d1a77873cd62bc639b3a10653f

SHA256
c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

SHA512
e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
53KB

MD5
a26df49623eff12a70a93f649776dab7

SHA1
efb53bd0df3ac34bd119adf8788127ad57e53803

SHA256
4ebde1c12625cb55034d47e5169f709b0bd02a8caa76b5b9854efad7f4710245

SHA512
e5f9b8645fb2a50763fcbffe877ca03e9cadf099fe2d510b74bfa9ff18d0a6563d11160e00f495eeefebde63450d0ade8d6b6a824e68bd8a59e1971dc842709c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
3KB

MD5
5329f01253062b80d1fb38567705e3de

SHA1
518f6602bf524ef027784efe9cf1c336cbec9035

SHA256
406558ad0104b225e3549270ff2b2e34c6f398aae76848d6d51b75672380ca19

SHA512
5918ae98d0b0e8000d064d90a2da65538ef808f07030687130328e2b6f131d037030f826d0bd4016661c602bc211ccf36b483b2d4725c19c167841808d84ed52

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
3KB

MD5
787e0940e5bfdd9a9226ce0ef6b350cb

SHA1
da6a2622214e9f8d2eeeb107d036bb362d67c375

SHA256
ed8e9589abebaf199e64f0cddbdc8523d422cb57ef5e76df95f811781436ff71

SHA512
0f92751bc1d1186b7c896749396ff03de19cd9f62fa96ceae2f31ec58810ddecc743fa3ffe657dbf7d482f405d9c46f2f090e83a05697ec5700015e8817d09e0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
3KB

MD5
5919b85f51aed3534795919ee799ac0b

SHA1
5069203f24a117d51cbea9a512b76156cc54d501

SHA256
7326e190843fba67a449b17cf838915b5669df7408d572eb9b64d9ca8f593f95

SHA512
0887a6d59a18138b9b768973f8429a345e543b93276b47375c541874f07468ad0442bb12cbafd33566608881f9c51a2a32b0010d7754c9d32d32188b63169755

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
3KB

MD5
331a8d64334563947502d9567e4287ad

SHA1
de1942bfd384512d668d23e245275220a240b054

SHA256
971873bed287e4d69190d0a3929750e3c996c4d5111f398622faac3ee006776b

SHA512
0ac79459b45846401ccbc187a48a7e54d8c1ee4797ba05ef45b8c339be7035c4246f4b19bc0f4606debcc83081ac5c8b9012e47a32d51a3e42bd524971fdb6c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_yf54qiyc.zez.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt

Filesize
504B

MD5
86ccb7b5ab55ecce82b3b3833999e030

SHA1
c16a343006809b3e72593b93f9101a250dd0ca7a

SHA256
46422a1656153851d142525ebf78c005fb0461fd8107a46cb17919c8d43f914e

SHA512
d830ec097ec22f3a4cc83f514091cd88cd6e76375934e649790dfc4302cdbbdebfc464402c6684fd6666ae24a24a4e71a2bde4c696046eb603fc07aa0588c952

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt

Filesize
756B

MD5
7ed8a9428b9830957137bdfa2376f08d

SHA1
37ba65c54968203384b104c595abf42bc91a37c7

SHA256
bad5487828979be8190e3c8116c4cd988029e53a23a65ba1059ab8c20095e74b

SHA512
dd3087a88c1cf229a11c53d961b4f4e22e8143e4da4b17cdec45eaf877e0b2b638f2cfb148735f295b2601a582f286c4b8f585fa7f0db6ec007618bc67b96dcb

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt

Filesize
252B

MD5
b8f2913229787922f5450b13bd545775

SHA1
3428335cdd8eced281d5af6b40dc131a5e0c36f7

SHA256
322910ce972c6e0be92e4d2d0bb2806f2b683cb94099f046235c0f9af25b5775

SHA512
c5f4bd936ad22ba5c625cb9b9a3cd8b8bcda3258c2c481678af39f9b74654d5509660171411b074c5d1dacc864730df82f140bb61779fe3661e2f46e65838ca8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
6KB

MD5
80ffd564868162da6fc514d48c1ba38b

SHA1
560015de6ac02af11f5fc2d962b39dc0ad15e6f3

SHA256
dffd4c12cd1af81aa66e25126a42baafdc32e5840ade3cf0fd13341b54fe42b6

SHA512
fa7785d5898cc4b244539dd7a5838fd962157f34db934266f60c69c7f2537085ace8b855961a3f022de10d8952eb7ba302f72afd15044f70d8531a7d89560e77

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
6KB

MD5
115fb43b6efedcd707d86d2b70705fcd

SHA1
0ab5fa1834017d6a397f40280fb6f13bd5b7b41f

SHA256
2d94776a966844725ae0dcc0d89d8cf7bfd535ee9ddaa4f1e3204dec7586cf0e

SHA512
59f25865fa7b205165aee42ca867da545028e1f21ee08185972d836f2ac6bd1fe9db76d5ce42c374c9da8ad396a851be6223cd39998229f3e94d3c39134f2598

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
6KB

MD5
7c1f31e4aa962940b52412a423067e72

SHA1
242488f6a0370d773e6deaf28aa4dff38f0d68fd

SHA256
84083c9ffe7ad0cd00ecb5baf5ee7c844b7e61f184de2d3353f29dd6633f5073

SHA512
ae6f469543a43792a2c96be508cb28cf23546d7f46886049fd8f95d66e18f71b5db288403275cd5cd60710d5df0183fd7d80cc9504cc6d030dfa5a7f2d73a9fe

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
6KB

MD5
cab9aae8bedc27d0c964cb48a824626f

SHA1
27118c65a93d25147cab3453d0c9707c68dac787

SHA256
76a8f388ee160e9fdb70e21c9fdb6fbff0514c77c7bff7dd5e14649ec4d5602f

SHA512
b2670edf2f1054790aa9b70c3a79015ecbe4f2feef6be885d8f4644805c61a5842dc4ac65811f6d780789837b237219f55a983da6065a4c3979473344a4e04bb

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
6KB

MD5
beff80f230319abee0b57c450ac50751

SHA1
9cd73eb829577e82def004ddc1db519b818534fb

SHA256
d672420efebdd5de53aa4925bccefbdef89358a076a123f226b298235d29ee30

SHA512
4ef3192709590702ea85d3779b185be306a97801a83e581704a32408f1fbe83ab74203c97df2175854ce0bdcdfce0a0778e321b6209ff64a47f8036f28fdb4e3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
6KB

MD5
ef32940b4bab1a78980b7c98227ce797

SHA1
67e91aa5ee5b1c52dfeba3019beee440f639c274

SHA256
ce1530a6beb213ffeb5179c2f34aba939fb1676fe66e609e972423f354df4307

SHA512
008d3715ff1fbf31f1f9d9629baaf6deae60dbd450dbd6161e453f80a51c59231addf13bd7a7ec04a9254da3d00a98da14612f63f09b86bdcc5ffdda756ca23b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
6KB

MD5
aa3c73035fef1728302306bbf7970c87

SHA1
512468cbfaa8df1a7d5f4148dc4a47b752c72f47

SHA256
5981beb759e7d1034828b7be9f2ea82d31288ee14457722c4c30c54118fe9d60

SHA512
ffa0303e636874fe85ea6f0a53132508c367d009e5c2779f6a801f43d630563ce0ddc3d42e9acdeaf448bed71be6f0393dc1c8f4105b7a46e415680c61439f84

Download Submit
C:\Users\Admin\UfFiqQIFyjJeqsw.vbs

Filesize
1KB

MD5
497215d7a2476941168d769ae3f69bdc

SHA1
965596f250bfb962d6f084fb2f4bb4d349ee73b2

SHA256
6d3a8a1889f3752e50f48670c0cc32f1462b9ccc8c438c0571a63a0ef44d5d6c

SHA512
58b1bd95ea3b30bc04390ed2d4f051887f509df5d1ee0747a49b156e8851a7521a2be8a3f46498a7a96be7e4e678cd0a9ce18b3caea888119ea64e3a6785e5d2

Download Submit
memory/3020-17-0x000001C6782F0000-0x000001C678366000-memory.dmp

Filesize
472KB

Download
memory/3020-16-0x000001C678220000-0x000001C678264000-memory.dmp

Filesize
272KB

Download
memory/3020-8-0x000001C675CD0000-0x000001C675CF2000-memory.dmp

Filesize
136KB

Download