asyncrat | 7dd09a71615dc2a60ba9dd906aebcff010f8442f4db392e4feb88baa01f8c999

Analysis

max time kernel
149s
max time network
151s
platform
windows10_x64
resource
win10v200430
submitted
02-07-2020 06:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3e9df84d18c9e1255a7a28dfc8ed17e7.exe
Size

1.5MB
MD5

3e9df84d18c9e1255a7a28dfc8ed17e7
SHA1

d31b528323e2dfff28f665c5014d6790411168f7
SHA256

7dd09a71615dc2a60ba9dd906aebcff010f8442f4db392e4feb88baa01f8c999
SHA512

c4b1aec1a13eab9f2a20c3a4b8d58cc8e2fa93c468e52ab3e6ca5812c1aa7a24c6887aef1951cd119e727cf0ea854c714a1482af89951f473522e926cad40b83

Score

10^/10

asyncrat azorult oski raccoon discovery evasion infostealer ransomware rat spyware stealer trojan

Malware Config

Extracted

Path

C:\Users\Admin\AppData\LocalLow\machineinfo.txt

Family

raccoon

Ransom Note

[Raccoon Stealer] - v1.5.13-af-hotfix Release Build compiled on Tue Jun 23 14:23:14 2020 Launched at: 2020.07.02 - 08:11:53 GMT Bot_ID: 3E009A64-65D7-465C-9098-F2673DD3F416_Admin Running on a desktop =R=A=C=C=O=O=N= System Information: - System Language: English - System TimeZone: -0 hrs - IP: 154.61.71.13 - Location: 37.750999, -97.821999 | ?, ?, United States (?) - ComputerName: OWZMOTQA - Username: Admin - Windows version: NT 10.0 - Product name: Windows 10 Pro - System arch: x64 - CPU: Persocon Processor 2.5+ (2 cores) - RAM: 4095 MB (688 MB used) - Screen resolution: 1280x720 - Display devices: 0) Microsoft Basic Display Adapter ============

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers.
rat asyncrat
Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
trojan infostealer azorult

Contains code to disable Windows Defender 1 IoCs

A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

Processes:

resource	yara_rule
behavioral2/memory/2052-77-0x0000000000400000-0x0000000000408000-memory.dmp	disable_win_def

Modifies Windows Defender Real-time Protection settings 3 TTPs
evasion trojan

Modify Registry
T1112

Modify Existing Service
T1031

Disabling Security Tools
T1089
Oski
Oski is an infostealer targeting browser data, crypto wallets.
infostealer oski
Raccoon
Simple but powerful infostealer which was very active in 2019.
stealer raccoon
Raccoon log file 1 IoCs
Detects a log file produced by the Raccoon Stealer.

Processes:

yara_rule

raccoon_log_file
Downloads MZ/PE file

yara_rule
raccoon_log_file

Executes dropped EXE 11 IoCs

Processes:

cvsdfvc.exedfgvbghf.execvsdfvc.exedfgvbghf.exelwLLiUwcwa.exegkTa2h30YX.exeGKL2T4Ojrn.exeAzzT9T8CCW.exeAzzT9T8CCW.exegkTa2h30YX.exegkTa2h30YX.exe

pid	process
2924	cvsdfvc.exe
548	dfgvbghf.exe
1136	cvsdfvc.exe
1168	dfgvbghf.exe
3300	lwLLiUwcwa.exe
3520	gkTa2h30YX.exe
772	GKL2T4Ojrn.exe
2996	AzzT9T8CCW.exe
2052	AzzT9T8CCW.exe
3812	gkTa2h30YX.exe
1924	gkTa2h30YX.exe

Loads dropped DLL 9 IoCs

Processes:

dfgvbghf.exe3e9df84d18c9e1255a7a28dfc8ed17e7.exe

pid	process
1168	dfgvbghf.exe
744	3e9df84d18c9e1255a7a28dfc8ed17e7.exe
744	3e9df84d18c9e1255a7a28dfc8ed17e7.exe
744	3e9df84d18c9e1255a7a28dfc8ed17e7.exe
1168	dfgvbghf.exe
1168	dfgvbghf.exe
1168	dfgvbghf.exe
1168	dfgvbghf.exe
1168	dfgvbghf.exe

Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

AzzT9T8CCW.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	AzzT9T8CCW.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	AzzT9T8CCW.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Drops desktop.ini file(s) 1 IoCs

Processes:

dfgvbghf.exe

description ioc process

File created C:\Users\Admin\AppData\LocalLow\cr6im03b56g32r\desktop.ini dfgvbghf.exe

description	ioc	process
File created	C:\Users\Admin\AppData\LocalLow\cr6im03b56g32r\desktop.ini	dfgvbghf.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

lwLLiUwcwa.exe

description	ioc	process
File opened (read-only)	\??\V:	lwLLiUwcwa.exe
File opened (read-only)	\??\W:	lwLLiUwcwa.exe
File opened (read-only)	\??\Q:	lwLLiUwcwa.exe
File opened (read-only)	\??\E:	lwLLiUwcwa.exe
File opened (read-only)	\??\G:	lwLLiUwcwa.exe
File opened (read-only)	\??\I:	lwLLiUwcwa.exe
File opened (read-only)	\??\J:	lwLLiUwcwa.exe
File opened (read-only)	\??\M:	lwLLiUwcwa.exe
File opened (read-only)	\??\N:	lwLLiUwcwa.exe
File opened (read-only)	\??\R:	lwLLiUwcwa.exe
File opened (read-only)	\??\B:	lwLLiUwcwa.exe
File opened (read-only)	\??\T:	lwLLiUwcwa.exe
File opened (read-only)	\??\Y:	lwLLiUwcwa.exe
File opened (read-only)	\??\S:	lwLLiUwcwa.exe
File opened (read-only)	\??\O:	lwLLiUwcwa.exe
File opened (read-only)	\??\H:	lwLLiUwcwa.exe
File opened (read-only)	\??\F:	lwLLiUwcwa.exe
File opened (read-only)	\??\K:	lwLLiUwcwa.exe
File opened (read-only)	\??\L:	lwLLiUwcwa.exe
File opened (read-only)	\??\P:	lwLLiUwcwa.exe
File opened (read-only)	\??\U:	lwLLiUwcwa.exe
File opened (read-only)	\??\X:	lwLLiUwcwa.exe
File opened (read-only)	\??\Z:	lwLLiUwcwa.exe
File opened (read-only)	\??\A:	lwLLiUwcwa.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs

Processes:

cvsdfvc.exedfgvbghf.exe

pid process

1136 cvsdfvc.exe
1136 cvsdfvc.exe
1168 dfgvbghf.exe
1168 dfgvbghf.exe

pid	process
1136	cvsdfvc.exe
1136	cvsdfvc.exe
1168	dfgvbghf.exe
1168	dfgvbghf.exe

Suspicious use of SetThreadContext 5 IoCs

Processes:

3e9df84d18c9e1255a7a28dfc8ed17e7.execvsdfvc.exedfgvbghf.exeAzzT9T8CCW.exegkTa2h30YX.exe

description	pid	process	target process
PID 3812 set thread context of 744	3812	3e9df84d18c9e1255a7a28dfc8ed17e7.exe	3e9df84d18c9e1255a7a28dfc8ed17e7.exe
PID 2924 set thread context of 1136	2924	cvsdfvc.exe	cvsdfvc.exe
PID 548 set thread context of 1168	548	dfgvbghf.exe	dfgvbghf.exe
PID 2996 set thread context of 2052	2996	AzzT9T8CCW.exe	AzzT9T8CCW.exe
PID 3520 set thread context of 1924	3520	gkTa2h30YX.exe	gkTa2h30YX.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

3832 772 WerFault.exe GKL2T4Ojrn.exe

pid	pid_target	process	target process
3832	772	WerFault.exe	GKL2T4Ojrn.exe

Checks processor information in registry 2 TTPs 1 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

3e9df84d18c9e1255a7a28dfc8ed17e7.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	3e9df84d18c9e1255a7a28dfc8ed17e7.exe

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

3676 schtasks.exe
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

2132 timeout.exe
Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

2868 taskkill.exe

pid	process
3676	schtasks.exe

pid	process
2132	timeout.exe

pid	process
2868	taskkill.exe

Suspicious behavior: EnumeratesProcesses 19 IoCs

Processes:

WerFault.exepowershell.exegkTa2h30YX.exe

pid	process
3832	WerFault.exe
3832	WerFault.exe
3832	WerFault.exe
3832	WerFault.exe
3832	WerFault.exe
3832	WerFault.exe
3832	WerFault.exe
3832	WerFault.exe
3832	WerFault.exe
3832	WerFault.exe
3832	WerFault.exe
3832	WerFault.exe
3832	WerFault.exe
3832	WerFault.exe
4016	powershell.exe
3520	gkTa2h30YX.exe
3520	gkTa2h30YX.exe
4016	powershell.exe
4016	powershell.exe

Suspicious behavior: MapViewOfSection 3 IoCs

Processes:

3e9df84d18c9e1255a7a28dfc8ed17e7.execvsdfvc.exedfgvbghf.exe

pid process

3812 3e9df84d18c9e1255a7a28dfc8ed17e7.exe
2924 cvsdfvc.exe
548 dfgvbghf.exe

pid	process
3812	3e9df84d18c9e1255a7a28dfc8ed17e7.exe
2924	cvsdfvc.exe
548	dfgvbghf.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

taskkill.exeWerFault.exepowershell.exegkTa2h30YX.exe

description	pid	process
Token: SeDebugPrivilege	2868	taskkill.exe
Token: SeRestorePrivilege	3832	WerFault.exe
Token: SeBackupPrivilege	3832	WerFault.exe
Token: SeDebugPrivilege	3832	WerFault.exe
Token: SeDebugPrivilege	4016	powershell.exe
Token: SeDebugPrivilege	3520	gkTa2h30YX.exe

Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

3e9df84d18c9e1255a7a28dfc8ed17e7.execvsdfvc.exedfgvbghf.exe

pid process

3812 3e9df84d18c9e1255a7a28dfc8ed17e7.exe
2924 cvsdfvc.exe
548 dfgvbghf.exe

pid	process
3812	3e9df84d18c9e1255a7a28dfc8ed17e7.exe
2924	cvsdfvc.exe
548	dfgvbghf.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

3e9df84d18c9e1255a7a28dfc8ed17e7.execvsdfvc.exedfgvbghf.exe3e9df84d18c9e1255a7a28dfc8ed17e7.execmd.exedfgvbghf.execmd.exelwLLiUwcwa.exe

description	pid	process	target process
PID 3812 wrote to memory of 2924	3812	3e9df84d18c9e1255a7a28dfc8ed17e7.exe	cvsdfvc.exe
PID 3812 wrote to memory of 2924	3812	3e9df84d18c9e1255a7a28dfc8ed17e7.exe	cvsdfvc.exe
PID 3812 wrote to memory of 2924	3812	3e9df84d18c9e1255a7a28dfc8ed17e7.exe	cvsdfvc.exe
PID 3812 wrote to memory of 548	3812	3e9df84d18c9e1255a7a28dfc8ed17e7.exe	dfgvbghf.exe
PID 3812 wrote to memory of 548	3812	3e9df84d18c9e1255a7a28dfc8ed17e7.exe	dfgvbghf.exe
PID 3812 wrote to memory of 548	3812	3e9df84d18c9e1255a7a28dfc8ed17e7.exe	dfgvbghf.exe
PID 3812 wrote to memory of 744	3812	3e9df84d18c9e1255a7a28dfc8ed17e7.exe	3e9df84d18c9e1255a7a28dfc8ed17e7.exe
PID 3812 wrote to memory of 744	3812	3e9df84d18c9e1255a7a28dfc8ed17e7.exe	3e9df84d18c9e1255a7a28dfc8ed17e7.exe
PID 3812 wrote to memory of 744	3812	3e9df84d18c9e1255a7a28dfc8ed17e7.exe	3e9df84d18c9e1255a7a28dfc8ed17e7.exe
PID 3812 wrote to memory of 744	3812	3e9df84d18c9e1255a7a28dfc8ed17e7.exe	3e9df84d18c9e1255a7a28dfc8ed17e7.exe
PID 2924 wrote to memory of 1136	2924	cvsdfvc.exe	cvsdfvc.exe
PID 2924 wrote to memory of 1136	2924	cvsdfvc.exe	cvsdfvc.exe
PID 2924 wrote to memory of 1136	2924	cvsdfvc.exe	cvsdfvc.exe
PID 2924 wrote to memory of 1136	2924	cvsdfvc.exe	cvsdfvc.exe
PID 548 wrote to memory of 1168	548	dfgvbghf.exe	dfgvbghf.exe
PID 548 wrote to memory of 1168	548	dfgvbghf.exe	dfgvbghf.exe
PID 548 wrote to memory of 1168	548	dfgvbghf.exe	dfgvbghf.exe
PID 548 wrote to memory of 1168	548	dfgvbghf.exe	dfgvbghf.exe
PID 744 wrote to memory of 2656	744	3e9df84d18c9e1255a7a28dfc8ed17e7.exe	cmd.exe
PID 744 wrote to memory of 2656	744	3e9df84d18c9e1255a7a28dfc8ed17e7.exe	cmd.exe
PID 744 wrote to memory of 2656	744	3e9df84d18c9e1255a7a28dfc8ed17e7.exe	cmd.exe
PID 2656 wrote to memory of 2868	2656	cmd.exe	taskkill.exe
PID 2656 wrote to memory of 2868	2656	cmd.exe	taskkill.exe
PID 2656 wrote to memory of 2868	2656	cmd.exe	taskkill.exe
PID 1168 wrote to memory of 3300	1168	dfgvbghf.exe	lwLLiUwcwa.exe
PID 1168 wrote to memory of 3300	1168	dfgvbghf.exe	lwLLiUwcwa.exe
PID 1168 wrote to memory of 3300	1168	dfgvbghf.exe	lwLLiUwcwa.exe
PID 1168 wrote to memory of 3520	1168	dfgvbghf.exe	gkTa2h30YX.exe
PID 1168 wrote to memory of 3520	1168	dfgvbghf.exe	gkTa2h30YX.exe
PID 1168 wrote to memory of 3520	1168	dfgvbghf.exe	gkTa2h30YX.exe
PID 1168 wrote to memory of 772	1168	dfgvbghf.exe	GKL2T4Ojrn.exe
PID 1168 wrote to memory of 772	1168	dfgvbghf.exe	GKL2T4Ojrn.exe
PID 1168 wrote to memory of 772	1168	dfgvbghf.exe	GKL2T4Ojrn.exe
PID 1168 wrote to memory of 2996	1168	dfgvbghf.exe	AzzT9T8CCW.exe
PID 1168 wrote to memory of 2996	1168	dfgvbghf.exe	AzzT9T8CCW.exe
PID 1168 wrote to memory of 2996	1168	dfgvbghf.exe	AzzT9T8CCW.exe
PID 1168 wrote to memory of 3020	1168	dfgvbghf.exe	cmd.exe
PID 1168 wrote to memory of 3020	1168	dfgvbghf.exe	cmd.exe
PID 1168 wrote to memory of 3020	1168	dfgvbghf.exe	cmd.exe
PID 3020 wrote to memory of 2132	3020	cmd.exe	timeout.exe
PID 3020 wrote to memory of 2132	3020	cmd.exe	timeout.exe
PID 3020 wrote to memory of 2132	3020	cmd.exe	timeout.exe
PID 3300 wrote to memory of 3492	3300	lwLLiUwcwa.exe	TapiUnattend.exe
PID 3300 wrote to memory of 3492	3300	lwLLiUwcwa.exe	TapiUnattend.exe
PID 3300 wrote to memory of 3492	3300	lwLLiUwcwa.exe	TapiUnattend.exe
PID 3300 wrote to memory of 3492	3300	lwLLiUwcwa.exe	TapiUnattend.exe
PID 3300 wrote to memory of 3492	3300	lwLLiUwcwa.exe	TapiUnattend.exe
PID 3300 wrote to memory of 3492	3300	lwLLiUwcwa.exe	TapiUnattend.exe
PID 3300 wrote to memory of 3492	3300	lwLLiUwcwa.exe	TapiUnattend.exe
PID 3300 wrote to memory of 3492	3300	lwLLiUwcwa.exe	TapiUnattend.exe
PID 3300 wrote to memory of 3492	3300	lwLLiUwcwa.exe	TapiUnattend.exe
PID 3300 wrote to memory of 3492	3300	lwLLiUwcwa.exe	TapiUnattend.exe
PID 3300 wrote to memory of 3492	3300	lwLLiUwcwa.exe	TapiUnattend.exe
PID 3300 wrote to memory of 3492	3300	lwLLiUwcwa.exe	TapiUnattend.exe
PID 3300 wrote to memory of 3492	3300	lwLLiUwcwa.exe	TapiUnattend.exe
PID 3300 wrote to memory of 3492	3300	lwLLiUwcwa.exe	TapiUnattend.exe
PID 3300 wrote to memory of 3492	3300	lwLLiUwcwa.exe	TapiUnattend.exe
PID 3300 wrote to memory of 3492	3300	lwLLiUwcwa.exe	TapiUnattend.exe
PID 3300 wrote to memory of 3492	3300	lwLLiUwcwa.exe	TapiUnattend.exe
PID 3300 wrote to memory of 3492	3300	lwLLiUwcwa.exe	TapiUnattend.exe
PID 3300 wrote to memory of 3492	3300	lwLLiUwcwa.exe	TapiUnattend.exe
PID 3300 wrote to memory of 3492	3300	lwLLiUwcwa.exe	TapiUnattend.exe
PID 3300 wrote to memory of 3492	3300	lwLLiUwcwa.exe	TapiUnattend.exe
PID 3300 wrote to memory of 3492	3300	lwLLiUwcwa.exe	TapiUnattend.exe

C:\Users\Admin\AppData\Local\Temp\3e9df84d18c9e1255a7a28dfc8ed17e7.exe
"C:\Users\Admin\AppData\Local\Temp\3e9df84d18c9e1255a7a28dfc8ed17e7.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3812
- C:\Users\Admin\AppData\Local\Temp\cvsdfvc.exe
  "C:\Users\Admin\AppData\Local\Temp\cvsdfvc.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2924
- - C:\Users\Admin\AppData\Local\Temp\cvsdfvc.exe
    "C:\Users\Admin\AppData\Local\Temp\cvsdfvc.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    PID:1136
- C:\Users\Admin\AppData\Local\Temp\dfgvbghf.exe
  "C:\Users\Admin\AppData\Local\Temp\dfgvbghf.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:548
- - C:\Users\Admin\AppData\Local\Temp\dfgvbghf.exe
    "C:\Users\Admin\AppData\Local\Temp\dfgvbghf.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops desktop.ini file(s)
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious use of WriteProcessMemory
    PID:1168
  - - C:\Users\Admin\AppData\Local\Temp\lwLLiUwcwa.exe
      "C:\Users\Admin\AppData\Local\Temp\lwLLiUwcwa.exe"
      4⤵
      Executes dropped EXE
      Enumerates connected drives
      Suspicious use of WriteProcessMemory
      PID:3300
    - - C:\Windows\SysWOW64\TapiUnattend.exe
        
        "C:\Windows\System32\TapiUnattend.exe"
        5⤵
        
        PID:3492
  - - C:\Users\Admin\AppData\Local\Temp\gkTa2h30YX.exe
      "C:\Users\Admin\AppData\Local\Temp\gkTa2h30YX.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3520
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\lIuskVgXrJqrJ" /XML "C:\Users\Admin\AppData\Local\Temp\tmp3F32.tmp"
        5⤵
        Creates scheduled task(s)
        
        PID:3676
    - - C:\Users\Admin\AppData\Local\Temp\gkTa2h30YX.exe
        
        "{path}"
        5⤵
        Executes dropped EXE
        
        PID:3812
    - - C:\Users\Admin\AppData\Local\Temp\gkTa2h30YX.exe
        
        "{path}"
        5⤵
        Executes dropped EXE
        
        PID:1924
  - - C:\Users\Admin\AppData\Local\Temp\GKL2T4Ojrn.exe
      "C:\Users\Admin\AppData\Local\Temp\GKL2T4Ojrn.exe"
      4⤵
      Executes dropped EXE
      PID:772
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 772 -s 1108
        5⤵
        Program crash
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3832
  - - C:\Users\Admin\AppData\Local\Temp\AzzT9T8CCW.exe
      "C:\Users\Admin\AppData\Local\Temp\AzzT9T8CCW.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      PID:2996
    - - C:\Users\Admin\AppData\Local\Temp\AzzT9T8CCW.exe
        
        "{path}"
        5⤵
        Executes dropped EXE
        Windows security modification
        
        PID:2052
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" Get-MpPreference -verbose
        6⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4016
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\dfgvbghf.exe"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3020
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /T 10 /NOBREAK
        5⤵
        Delays execution with timeout.exe
        
        PID:2132
- C:\Users\Admin\AppData\Local\Temp\3e9df84d18c9e1255a7a28dfc8ed17e7.exe
  "C:\Users\Admin\AppData\Local\Temp\3e9df84d18c9e1255a7a28dfc8ed17e7.exe"
  2⤵
  - Loads dropped DLL
  - Checks processor information in registry
  - Suspicious use of WriteProcessMemory
  PID:744
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c taskkill /pid 744 & erase C:\Users\Admin\AppData\Local\Temp\3e9df84d18c9e1255a7a28dfc8ed17e7.exe & RD /S /Q C:\\ProgramData\\810091965902844\\* & exit
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2656
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /pid 744
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2868

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Web Service

T1102

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\gkTa2h30YX.exe.log

Download Submit
C:\Users\Admin\AppData\Local\Temp\AzzT9T8CCW.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\AzzT9T8CCW.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\AzzT9T8CCW.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\GKL2T4Ojrn.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\GKL2T4Ojrn.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\cvsdfvc.exe

MD5
3af0aad890837379ecd24776c264951e

SHA1
9d470c3abeff8e6a3ba25f5b016cfc6408cde9aa

SHA256
edeb28ce2d8a6d2cf44efff271c48f1eaef95bc9779f55f8f0fd50b06975f5e6

SHA512
ed35c6e0c14ce542eb6441542ff92eae6e1a950f4a987a33e65c7859dfa4e6d227bee47bdc37d71c8dbb96eebeffce7890c06a14ea40d2f039de40886d154a3f

Download Submit
C:\Users\Admin\AppData\Local\Temp\cvsdfvc.exe

MD5
3af0aad890837379ecd24776c264951e

SHA1
9d470c3abeff8e6a3ba25f5b016cfc6408cde9aa

SHA256
edeb28ce2d8a6d2cf44efff271c48f1eaef95bc9779f55f8f0fd50b06975f5e6

SHA512
ed35c6e0c14ce542eb6441542ff92eae6e1a950f4a987a33e65c7859dfa4e6d227bee47bdc37d71c8dbb96eebeffce7890c06a14ea40d2f039de40886d154a3f

Download Submit
C:\Users\Admin\AppData\Local\Temp\cvsdfvc.exe

MD5
3af0aad890837379ecd24776c264951e

SHA1
9d470c3abeff8e6a3ba25f5b016cfc6408cde9aa

SHA256
edeb28ce2d8a6d2cf44efff271c48f1eaef95bc9779f55f8f0fd50b06975f5e6

SHA512
ed35c6e0c14ce542eb6441542ff92eae6e1a950f4a987a33e65c7859dfa4e6d227bee47bdc37d71c8dbb96eebeffce7890c06a14ea40d2f039de40886d154a3f

Download Submit
C:\Users\Admin\AppData\Local\Temp\dfgvbghf.exe

MD5
c13fbbac4bb7aba5131350c33a0a0222

SHA1
e33debee6a89bea039d95ec9c9ce7f4ded169acd

SHA256
923c3115beaa6b6b8c6d9061d38ee74e9889aeb4c3e12d018d7830468cc5b644

SHA512
4fbac3297524f8cb402c333baa6958a90758e892140759261608fed86f72608b3183c0e6e3f090ad2636f8ce5522e8dffa7be1137c761ebd331ffe1423cb96b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\dfgvbghf.exe

MD5
c13fbbac4bb7aba5131350c33a0a0222

SHA1
e33debee6a89bea039d95ec9c9ce7f4ded169acd

SHA256
923c3115beaa6b6b8c6d9061d38ee74e9889aeb4c3e12d018d7830468cc5b644

SHA512
4fbac3297524f8cb402c333baa6958a90758e892140759261608fed86f72608b3183c0e6e3f090ad2636f8ce5522e8dffa7be1137c761ebd331ffe1423cb96b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\dfgvbghf.exe

MD5
c13fbbac4bb7aba5131350c33a0a0222

SHA1
e33debee6a89bea039d95ec9c9ce7f4ded169acd

SHA256
923c3115beaa6b6b8c6d9061d38ee74e9889aeb4c3e12d018d7830468cc5b644

SHA512
4fbac3297524f8cb402c333baa6958a90758e892140759261608fed86f72608b3183c0e6e3f090ad2636f8ce5522e8dffa7be1137c761ebd331ffe1423cb96b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\gkTa2h30YX.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\gkTa2h30YX.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\gkTa2h30YX.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\gkTa2h30YX.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\lwLLiUwcwa.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\lwLLiUwcwa.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp3F32.tmp

Download Submit
\ProgramData\mozglue.dll

Download Submit
\ProgramData\nss3.dll

Download Submit
\ProgramData\sqlite3.dll

Download Submit
\Users\Admin\AppData\LocalLow\3098htrhpen8ifg0\freebl3.dll

Download Submit
\Users\Admin\AppData\LocalLow\3098htrhpen8ifg0\freebl3.dll

Download Submit
\Users\Admin\AppData\LocalLow\3098htrhpen8ifg0\mozglue.dll

Download Submit
\Users\Admin\AppData\LocalLow\3098htrhpen8ifg0\nss3.dll

Download Submit
\Users\Admin\AppData\LocalLow\3098htrhpen8ifg0\softokn3.dll

Download Submit
\Users\Admin\AppData\LocalLow\sqlite3.dll

MD5
f964811b68f9f1487c2b41e1aef576ce

SHA1
b423959793f14b1416bc3b7051bed58a1034025f

SHA256
83bc57dcf282264f2b00c21ce0339eac20fcb7401f7c5472c0cd0c014844e5f7

SHA512
565b1a7291c6fcb63205907fcd9e72fc2e11ca945afc4468c378edba882e2f314c2ac21a7263880ff7d4b84c2a1678024c1ac9971ac1c1de2bfa4248ec0f98c4

Download Submit
memory/548-5-0x0000000000000000-mapping.dmp

Download
memory/744-14-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/744-9-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/744-12-0x0000000000417A8B-mapping.dmp

Download
memory/772-55-0x0000000000000000-mapping.dmp

Download
memory/772-58-0x0000000000000000-mapping.dmp

Download
memory/772-44-0x0000000000000000-mapping.dmp

Download
memory/772-57-0x0000000000000000-mapping.dmp

Download
memory/772-56-0x0000000000000000-mapping.dmp

Download
memory/772-54-0x0000000000000000-mapping.dmp

Download
memory/772-53-0x0000000000000000-mapping.dmp

Download
memory/1136-19-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1136-15-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1136-16-0x000000000041A684-mapping.dmp

Download
memory/1168-20-0x000000000043F8B6-mapping.dmp

Download
memory/1168-18-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/1168-22-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/1924-102-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1924-104-0x000000000040C77E-mapping.dmp

Download
memory/2052-77-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2052-78-0x0000000000403BEE-mapping.dmp

Download
memory/2132-51-0x0000000000000000-mapping.dmp

Download
memory/2656-36-0x0000000000000000-mapping.dmp

Download
memory/2868-37-0x0000000000000000-mapping.dmp

Download
memory/2924-2-0x0000000000000000-mapping.dmp

Download
memory/2996-47-0x0000000000000000-mapping.dmp

Download
memory/3020-48-0x0000000000000000-mapping.dmp

Download
memory/3300-38-0x0000000000000000-mapping.dmp

Download
memory/3492-85-0x0000000000000000-mapping.dmp

Download
memory/3492-113-0x0000000000000000-mapping.dmp

Download
memory/3492-68-0x0000000000000000-mapping.dmp

Download
memory/3492-69-0x0000000000000000-mapping.dmp

Download
memory/3492-70-0x0000000000000000-mapping.dmp

Download
memory/3492-71-0x0000000000000000-mapping.dmp

Download
memory/3492-72-0x0000000000000000-mapping.dmp

Download
memory/3492-73-0x0000000000000000-mapping.dmp

Download
memory/3492-74-0x0000000000000000-mapping.dmp

Download
memory/3492-75-0x0000000000000000-mapping.dmp

Download
memory/3492-76-0x0000000000000000-mapping.dmp

Download
memory/3492-66-0x0000000000000000-mapping.dmp

Download
memory/3492-65-0x0000000000000000-mapping.dmp

Download
memory/3492-79-0x0000000000000000-mapping.dmp

Download
memory/3492-64-0x0000000000000000-mapping.dmp

Download
memory/3492-81-0x0000000000000000-mapping.dmp

Download
memory/3492-160-0x0000000000000000-mapping.dmp

Download
memory/3492-83-0x0000000000000000-mapping.dmp

Download
memory/3492-159-0x0000000000000000-mapping.dmp

Download
memory/3492-63-0x0000000000000000-mapping.dmp

Download
memory/3492-86-0x0000000000000000-mapping.dmp

Download
memory/3492-87-0x0000000000000000-mapping.dmp

Download
memory/3492-88-0x0000000000000000-mapping.dmp

Download
memory/3492-89-0x0000000000000000-mapping.dmp

Download
memory/3492-90-0x0000000000000000-mapping.dmp

Download
memory/3492-91-0x0000000000000000-mapping.dmp

Download
memory/3492-92-0x0000000000000000-mapping.dmp

Download
memory/3492-62-0x0000000000000000-mapping.dmp

Download
memory/3492-94-0x0000000000000000-mapping.dmp

Download
memory/3492-95-0x0000000000000000-mapping.dmp

Download
memory/3492-96-0x0000000000000000-mapping.dmp

Download
memory/3492-97-0x0000000000000000-mapping.dmp

Download
memory/3492-98-0x0000000000000000-mapping.dmp

Download
memory/3492-99-0x0000000000000000-mapping.dmp

Download
memory/3492-100-0x0000000000000000-mapping.dmp

Download
memory/3492-61-0x0000000000000000-mapping.dmp

Download
memory/3492-60-0x0000000000000000-mapping.dmp

Download
memory/3492-103-0x0000000000000000-mapping.dmp

Download
memory/3492-158-0x0000000000000000-mapping.dmp

Download
memory/3492-157-0x0000000000000000-mapping.dmp

Download
memory/3492-106-0x0000000000000000-mapping.dmp

Download
memory/3492-156-0x0000000000000000-mapping.dmp

Download
memory/3492-108-0x0000000000000000-mapping.dmp

Download
memory/3492-109-0x0000000000000000-mapping.dmp

Download
memory/3492-110-0x0000000000000000-mapping.dmp

Download
memory/3492-111-0x0000000000000000-mapping.dmp

Download
memory/3492-112-0x0000000000000000-mapping.dmp

Download
memory/3492-67-0x0000000000000000-mapping.dmp

Download
memory/3492-114-0x0000000000000000-mapping.dmp

Download
memory/3492-115-0x0000000000000000-mapping.dmp

Download
memory/3492-116-0x0000000000000000-mapping.dmp

Download
memory/3492-117-0x0000000000000000-mapping.dmp

Download
memory/3492-118-0x0000000000000000-mapping.dmp

Download
memory/3492-119-0x0000000000000000-mapping.dmp

Download
memory/3492-120-0x0000000000000000-mapping.dmp

Download
memory/3492-121-0x0000000000000000-mapping.dmp

Download
memory/3492-122-0x0000000000000000-mapping.dmp

Download
memory/3492-123-0x0000000000000000-mapping.dmp

Download
memory/3492-124-0x0000000000000000-mapping.dmp

Download
memory/3492-125-0x0000000000000000-mapping.dmp

Download
memory/3492-126-0x0000000000000000-mapping.dmp

Download
memory/3492-127-0x0000000000000000-mapping.dmp

Download
memory/3492-128-0x0000000000000000-mapping.dmp

Download
memory/3492-129-0x0000000000000000-mapping.dmp

Download
memory/3492-130-0x0000000000000000-mapping.dmp

Download
memory/3492-131-0x0000000000000000-mapping.dmp

Download
memory/3492-132-0x0000000000000000-mapping.dmp

Download
memory/3492-133-0x0000000000000000-mapping.dmp

Download
memory/3492-134-0x0000000000000000-mapping.dmp

Download
memory/3492-135-0x0000000000000000-mapping.dmp

Download
memory/3492-136-0x0000000000000000-mapping.dmp

Download
memory/3492-137-0x0000000000000000-mapping.dmp

Download
memory/3492-138-0x0000000000000000-mapping.dmp

Download
memory/3492-139-0x0000000000000000-mapping.dmp

Download
memory/3492-140-0x0000000000000000-mapping.dmp

Download
memory/3492-141-0x0000000000000000-mapping.dmp

Download
memory/3492-142-0x0000000000000000-mapping.dmp

Download
memory/3492-143-0x0000000000000000-mapping.dmp

Download
memory/3492-144-0x0000000000000000-mapping.dmp

Download
memory/3492-145-0x0000000000000000-mapping.dmp

Download
memory/3492-146-0x0000000000000000-mapping.dmp

Download
memory/3492-147-0x0000000000000000-mapping.dmp

Download
memory/3492-148-0x0000000000000000-mapping.dmp

Download
memory/3492-149-0x0000000000000000-mapping.dmp

Download
memory/3492-150-0x0000000000000000-mapping.dmp

Download
memory/3492-151-0x0000000000000000-mapping.dmp

Download
memory/3492-152-0x0000000000000000-mapping.dmp

Download
memory/3492-153-0x0000000000000000-mapping.dmp

Download
memory/3492-154-0x0000000000000000-mapping.dmp

Download
memory/3492-155-0x0000000000000000-mapping.dmp

Download
memory/3520-41-0x0000000000000000-mapping.dmp

Download
memory/3676-84-0x0000000000000000-mapping.dmp

Download
memory/3832-52-0x0000000004350000-0x0000000004351000-memory.dmp

Filesize
4KB

Download
memory/3832-59-0x0000000004990000-0x0000000004991000-memory.dmp

Filesize
4KB

Download
memory/4016-82-0x0000000000000000-mapping.dmp

Download