asyncrat | 61198dcb525d78061585053ddc30e99ca70842899622e333eb64d3b68ee7a167

Analysis

max time kernel
52s
max time network
149s
platform
windows10_x64
resource
win10v200722
submitted
04-10-2020 17:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3f1a2ab1e63458d3c75ded4c3f4d47c5.exe
Size

2.0MB
MD5

3f1a2ab1e63458d3c75ded4c3f4d47c5
SHA1

10d187b94b082e33513030ac825de250eec0dd5a
SHA256

61198dcb525d78061585053ddc30e99ca70842899622e333eb64d3b68ee7a167
SHA512

1fcc78d47e7527c50ad83c5dee4310dea72f9f5f95c759b59f921adc4cf113fcce8aab69642dfbb6013f5e9d1b5996a36ba8fc5f866f22ed34f4305e3d512c45

Score

10^/10

asyncrat azorult oski raccoon discovery evasion infostealer rat spyware stealer trojan

Malware Config

Extracted

Family

azorult

http://195.245.112.115/index.php

Extracted

Family

asyncrat

Version

0.5.7B

masonp.ac.ug:6970

marcapalgo.ug:6970

Mutex

AsyncMutex_6SI8OkPnk

Attributes

aes_key
8mYi28y4mrIIgAY4z5LziR6M66VfapOc
anti_detection
false
autorun
false
bdos
false
delay
Default
host
masonp.ac.ug,marcapalgo.ug
hwid
3
install_file
install_folder
%AppData%
mutex
AsyncMutex_6SI8OkPnk
pastebin_config
null
port
6970
version
0.5.7B

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers.
rat asyncrat
Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
trojan infostealer azorult

Contains code to disable Windows Defender 6 IoCs

A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

Processes:

resource	yara_rule
behavioral2/memory/2116-72-0x0000000000400000-0x0000000000408000-memory.dmp	disable_win_def
behavioral2/memory/2116-73-0x0000000000403BEE-mapping.dmp	disable_win_def
behavioral2/memory/1704-74-0x0000000000400000-0x000000000040C000-memory.dmp	disable_win_def
behavioral2/memory/1704-78-0x000000000040616E-mapping.dmp	disable_win_def
C:\Windows\Temp\amufvkbu.exe	disable_win_def
C:\Windows\temp\amufvkbu.exe	disable_win_def

Modifies Windows Defender Real-time Protection settings 3 TTPs
evasion trojan

Modify Registry
T1112

Modify Existing Service
T1031

Disabling Security Tools
T1089
Oski
Oski is an infostealer targeting browser data, crypto wallets.
infostealer oski
Raccoon
Simple but powerful infostealer which was very active in 2019.
stealer raccoon

Async RAT payload 2 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/1212-87-0x0000000000400000-0x0000000000412000-memory.dmp	asyncrat
behavioral2/memory/1212-90-0x000000000040C72E-mapping.dmp	asyncrat

Downloads MZ/PE file

Executes dropped EXE 13 IoCs

Processes:

BhfgwserGB.exeIertvbDSFvca.exeBhfgwserGB.exeIertvbDSFvca.exeAjs3M4Nxss.exegQfJ0OzL4l.exei5pKBFzgPO.exefQLG7soq8z.exefQLG7soq8z.exei5pKBFzgPO.exeAjs3M4Nxss.exeAjs3M4Nxss.exeamufvkbu.exe

pid	process
2748	BhfgwserGB.exe
3760	IertvbDSFvca.exe
3844	BhfgwserGB.exe
3896	IertvbDSFvca.exe
3824	Ajs3M4Nxss.exe
992	gQfJ0OzL4l.exe
3052	i5pKBFzgPO.exe
788	fQLG7soq8z.exe
2116	fQLG7soq8z.exe
1704	i5pKBFzgPO.exe
2188	Ajs3M4Nxss.exe
1212	Ajs3M4Nxss.exe
3968	amufvkbu.exe

Loads dropped DLL 9 IoCs

Processes:

IertvbDSFvca.exe3f1a2ab1e63458d3c75ded4c3f4d47c5.exe

pid	process
3896	IertvbDSFvca.exe
3896	IertvbDSFvca.exe
3896	IertvbDSFvca.exe
4028	3f1a2ab1e63458d3c75ded4c3f4d47c5.exe
4028	3f1a2ab1e63458d3c75ded4c3f4d47c5.exe
4028	3f1a2ab1e63458d3c75ded4c3f4d47c5.exe
4028	3f1a2ab1e63458d3c75ded4c3f4d47c5.exe
4028	3f1a2ab1e63458d3c75ded4c3f4d47c5.exe
4028	3f1a2ab1e63458d3c75ded4c3f4d47c5.exe

Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

fQLG7soq8z.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	fQLG7soq8z.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	fQLG7soq8z.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Drops desktop.ini file(s) 1 IoCs

Processes:

3f1a2ab1e63458d3c75ded4c3f4d47c5.exe

description ioc process

File created C:\Users\Admin\AppData\LocalLow\FLesFFxEsEs\desktop.ini 3f1a2ab1e63458d3c75ded4c3f4d47c5.exe

description	ioc	process
File created	C:\Users\Admin\AppData\LocalLow\FLesFFxEsEs\desktop.ini	3f1a2ab1e63458d3c75ded4c3f4d47c5.exe

Suspicious use of SetThreadContext 6 IoCs

Processes:

3f1a2ab1e63458d3c75ded4c3f4d47c5.exeBhfgwserGB.exeIertvbDSFvca.exefQLG7soq8z.exei5pKBFzgPO.exeAjs3M4Nxss.exe

description	pid	process	target process
PID 3288 set thread context of 4028	3288	3f1a2ab1e63458d3c75ded4c3f4d47c5.exe	3f1a2ab1e63458d3c75ded4c3f4d47c5.exe
PID 2748 set thread context of 3844	2748	BhfgwserGB.exe	BhfgwserGB.exe
PID 3760 set thread context of 3896	3760	IertvbDSFvca.exe	IertvbDSFvca.exe
PID 788 set thread context of 2116	788	fQLG7soq8z.exe	fQLG7soq8z.exe
PID 3052 set thread context of 1704	3052	i5pKBFzgPO.exe	i5pKBFzgPO.exe
PID 3824 set thread context of 1212	3824	Ajs3M4Nxss.exe	Ajs3M4Nxss.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Checks processor information in registry 2 TTPs 1 IoCs
Processor information is often read in order to detect sandboxing environments.

Query Registry
T1012

System Information Discovery
T1082

Processes:

IertvbDSFvca.exe

description ioc process

Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString IertvbDSFvca.exe
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

1976 timeout.exe
Kills process with taskkill 2 IoCs
evasion

Processes:

taskkill.exetaskkill.exe

pid process

2804 taskkill.exe
3780 taskkill.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	IertvbDSFvca.exe

pid	process
1976	timeout.exe

pid	process
2804	taskkill.exe
3780	taskkill.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

Ajs3M4Nxss.exei5pKBFzgPO.exe

pid	process
3824	Ajs3M4Nxss.exe
3824	Ajs3M4Nxss.exe
1704	i5pKBFzgPO.exe
1704	i5pKBFzgPO.exe
1704	i5pKBFzgPO.exe
1704	i5pKBFzgPO.exe
1704	i5pKBFzgPO.exe
1704	i5pKBFzgPO.exe
1704	i5pKBFzgPO.exe
1704	i5pKBFzgPO.exe
1704	i5pKBFzgPO.exe
1704	i5pKBFzgPO.exe
1704	i5pKBFzgPO.exe
1704	i5pKBFzgPO.exe
1704	i5pKBFzgPO.exe
1704	i5pKBFzgPO.exe
1704	i5pKBFzgPO.exe
1704	i5pKBFzgPO.exe
1704	i5pKBFzgPO.exe
1704	i5pKBFzgPO.exe
1704	i5pKBFzgPO.exe
1704	i5pKBFzgPO.exe
1704	i5pKBFzgPO.exe
1704	i5pKBFzgPO.exe
1704	i5pKBFzgPO.exe
1704	i5pKBFzgPO.exe
1704	i5pKBFzgPO.exe
1704	i5pKBFzgPO.exe
1704	i5pKBFzgPO.exe
1704	i5pKBFzgPO.exe
1704	i5pKBFzgPO.exe
1704	i5pKBFzgPO.exe
1704	i5pKBFzgPO.exe
1704	i5pKBFzgPO.exe
1704	i5pKBFzgPO.exe
1704	i5pKBFzgPO.exe
1704	i5pKBFzgPO.exe
1704	i5pKBFzgPO.exe
1704	i5pKBFzgPO.exe
1704	i5pKBFzgPO.exe
1704	i5pKBFzgPO.exe
1704	i5pKBFzgPO.exe
1704	i5pKBFzgPO.exe
1704	i5pKBFzgPO.exe
1704	i5pKBFzgPO.exe
1704	i5pKBFzgPO.exe
1704	i5pKBFzgPO.exe
1704	i5pKBFzgPO.exe
1704	i5pKBFzgPO.exe
1704	i5pKBFzgPO.exe
1704	i5pKBFzgPO.exe
1704	i5pKBFzgPO.exe
1704	i5pKBFzgPO.exe
1704	i5pKBFzgPO.exe
1704	i5pKBFzgPO.exe
1704	i5pKBFzgPO.exe
1704	i5pKBFzgPO.exe
1704	i5pKBFzgPO.exe
1704	i5pKBFzgPO.exe
1704	i5pKBFzgPO.exe
1704	i5pKBFzgPO.exe
1704	i5pKBFzgPO.exe
1704	i5pKBFzgPO.exe
1704	i5pKBFzgPO.exe

Suspicious behavior: MapViewOfSection 3 IoCs

Processes:

3f1a2ab1e63458d3c75ded4c3f4d47c5.exeBhfgwserGB.exeIertvbDSFvca.exe

pid process

3288 3f1a2ab1e63458d3c75ded4c3f4d47c5.exe
2748 BhfgwserGB.exe
3760 IertvbDSFvca.exe

pid	process
3288	3f1a2ab1e63458d3c75ded4c3f4d47c5.exe
2748	BhfgwserGB.exe
3760	IertvbDSFvca.exe

Suspicious use of AdjustPrivilegeToken 30 IoCs

Processes:

taskkill.exeAjs3M4Nxss.exei5pKBFzgPO.exefQLG7soq8z.exei5pKBFzgPO.exePowershell.exepowershell.exetaskkill.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	2804	taskkill.exe
Token: SeDebugPrivilege	3824	Ajs3M4Nxss.exe
Token: SeDebugPrivilege	3052	i5pKBFzgPO.exe
Token: SeDebugPrivilege	788	fQLG7soq8z.exe
Token: SeDebugPrivilege	1704	i5pKBFzgPO.exe
Token: SeDebugPrivilege	564	Powershell.exe
Token: SeDebugPrivilege	412	powershell.exe
Token: SeDebugPrivilege	3780	taskkill.exe
Token: SeDebugPrivilege	3080	powershell.exe
Token: SeIncreaseQuotaPrivilege	3080	powershell.exe
Token: SeSecurityPrivilege	3080	powershell.exe
Token: SeTakeOwnershipPrivilege	3080	powershell.exe
Token: SeLoadDriverPrivilege	3080	powershell.exe
Token: SeSystemProfilePrivilege	3080	powershell.exe
Token: SeSystemtimePrivilege	3080	powershell.exe
Token: SeProfSingleProcessPrivilege	3080	powershell.exe
Token: SeIncBasePriorityPrivilege	3080	powershell.exe
Token: SeCreatePagefilePrivilege	3080	powershell.exe
Token: SeBackupPrivilege	3080	powershell.exe
Token: SeRestorePrivilege	3080	powershell.exe
Token: SeShutdownPrivilege	3080	powershell.exe
Token: SeDebugPrivilege	3080	powershell.exe
Token: SeSystemEnvironmentPrivilege	3080	powershell.exe
Token: SeRemoteShutdownPrivilege	3080	powershell.exe
Token: SeUndockPrivilege	3080	powershell.exe
Token: SeManageVolumePrivilege	3080	powershell.exe
Token: 33	3080	powershell.exe
Token: 34	3080	powershell.exe
Token: 35	3080	powershell.exe
Token: 36	3080	powershell.exe

Suspicious use of SetWindowsHookEx 5 IoCs

Processes:

3f1a2ab1e63458d3c75ded4c3f4d47c5.exeBhfgwserGB.exeIertvbDSFvca.exei5pKBFzgPO.exe

pid process

3288 3f1a2ab1e63458d3c75ded4c3f4d47c5.exe
2748 BhfgwserGB.exe
3760 IertvbDSFvca.exe
1704 i5pKBFzgPO.exe
1704 i5pKBFzgPO.exe

pid	process
3288	3f1a2ab1e63458d3c75ded4c3f4d47c5.exe
2748	BhfgwserGB.exe
3760	IertvbDSFvca.exe
1704	i5pKBFzgPO.exe
1704	i5pKBFzgPO.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

3f1a2ab1e63458d3c75ded4c3f4d47c5.exeBhfgwserGB.exeIertvbDSFvca.exeIertvbDSFvca.execmd.exe3f1a2ab1e63458d3c75ded4c3f4d47c5.execmd.exefQLG7soq8z.exei5pKBFzgPO.exeAjs3M4Nxss.exe

description	pid	process	target process
PID 3288 wrote to memory of 2748	3288	3f1a2ab1e63458d3c75ded4c3f4d47c5.exe	BhfgwserGB.exe
PID 3288 wrote to memory of 2748	3288	3f1a2ab1e63458d3c75ded4c3f4d47c5.exe	BhfgwserGB.exe
PID 3288 wrote to memory of 2748	3288	3f1a2ab1e63458d3c75ded4c3f4d47c5.exe	BhfgwserGB.exe
PID 3288 wrote to memory of 3760	3288	3f1a2ab1e63458d3c75ded4c3f4d47c5.exe	IertvbDSFvca.exe
PID 3288 wrote to memory of 3760	3288	3f1a2ab1e63458d3c75ded4c3f4d47c5.exe	IertvbDSFvca.exe
PID 3288 wrote to memory of 3760	3288	3f1a2ab1e63458d3c75ded4c3f4d47c5.exe	IertvbDSFvca.exe
PID 3288 wrote to memory of 4028	3288	3f1a2ab1e63458d3c75ded4c3f4d47c5.exe	3f1a2ab1e63458d3c75ded4c3f4d47c5.exe
PID 3288 wrote to memory of 4028	3288	3f1a2ab1e63458d3c75ded4c3f4d47c5.exe	3f1a2ab1e63458d3c75ded4c3f4d47c5.exe
PID 3288 wrote to memory of 4028	3288	3f1a2ab1e63458d3c75ded4c3f4d47c5.exe	3f1a2ab1e63458d3c75ded4c3f4d47c5.exe
PID 3288 wrote to memory of 4028	3288	3f1a2ab1e63458d3c75ded4c3f4d47c5.exe	3f1a2ab1e63458d3c75ded4c3f4d47c5.exe
PID 2748 wrote to memory of 3844	2748	BhfgwserGB.exe	BhfgwserGB.exe
PID 2748 wrote to memory of 3844	2748	BhfgwserGB.exe	BhfgwserGB.exe
PID 2748 wrote to memory of 3844	2748	BhfgwserGB.exe	BhfgwserGB.exe
PID 2748 wrote to memory of 3844	2748	BhfgwserGB.exe	BhfgwserGB.exe
PID 3760 wrote to memory of 3896	3760	IertvbDSFvca.exe	IertvbDSFvca.exe
PID 3760 wrote to memory of 3896	3760	IertvbDSFvca.exe	IertvbDSFvca.exe
PID 3760 wrote to memory of 3896	3760	IertvbDSFvca.exe	IertvbDSFvca.exe
PID 3760 wrote to memory of 3896	3760	IertvbDSFvca.exe	IertvbDSFvca.exe
PID 3896 wrote to memory of 184	3896	IertvbDSFvca.exe	cmd.exe
PID 3896 wrote to memory of 184	3896	IertvbDSFvca.exe	cmd.exe
PID 3896 wrote to memory of 184	3896	IertvbDSFvca.exe	cmd.exe
PID 184 wrote to memory of 2804	184	cmd.exe	taskkill.exe
PID 184 wrote to memory of 2804	184	cmd.exe	taskkill.exe
PID 184 wrote to memory of 2804	184	cmd.exe	taskkill.exe
PID 4028 wrote to memory of 3824	4028	3f1a2ab1e63458d3c75ded4c3f4d47c5.exe	Ajs3M4Nxss.exe
PID 4028 wrote to memory of 3824	4028	3f1a2ab1e63458d3c75ded4c3f4d47c5.exe	Ajs3M4Nxss.exe
PID 4028 wrote to memory of 3824	4028	3f1a2ab1e63458d3c75ded4c3f4d47c5.exe	Ajs3M4Nxss.exe
PID 4028 wrote to memory of 992	4028	3f1a2ab1e63458d3c75ded4c3f4d47c5.exe	gQfJ0OzL4l.exe
PID 4028 wrote to memory of 992	4028	3f1a2ab1e63458d3c75ded4c3f4d47c5.exe	gQfJ0OzL4l.exe
PID 4028 wrote to memory of 992	4028	3f1a2ab1e63458d3c75ded4c3f4d47c5.exe	gQfJ0OzL4l.exe
PID 4028 wrote to memory of 3052	4028	3f1a2ab1e63458d3c75ded4c3f4d47c5.exe	i5pKBFzgPO.exe
PID 4028 wrote to memory of 3052	4028	3f1a2ab1e63458d3c75ded4c3f4d47c5.exe	i5pKBFzgPO.exe
PID 4028 wrote to memory of 3052	4028	3f1a2ab1e63458d3c75ded4c3f4d47c5.exe	i5pKBFzgPO.exe
PID 4028 wrote to memory of 788	4028	3f1a2ab1e63458d3c75ded4c3f4d47c5.exe	fQLG7soq8z.exe
PID 4028 wrote to memory of 788	4028	3f1a2ab1e63458d3c75ded4c3f4d47c5.exe	fQLG7soq8z.exe
PID 4028 wrote to memory of 788	4028	3f1a2ab1e63458d3c75ded4c3f4d47c5.exe	fQLG7soq8z.exe
PID 4028 wrote to memory of 3432	4028	3f1a2ab1e63458d3c75ded4c3f4d47c5.exe	cmd.exe
PID 4028 wrote to memory of 3432	4028	3f1a2ab1e63458d3c75ded4c3f4d47c5.exe	cmd.exe
PID 4028 wrote to memory of 3432	4028	3f1a2ab1e63458d3c75ded4c3f4d47c5.exe	cmd.exe
PID 3432 wrote to memory of 1976	3432	cmd.exe	timeout.exe
PID 3432 wrote to memory of 1976	3432	cmd.exe	timeout.exe
PID 3432 wrote to memory of 1976	3432	cmd.exe	timeout.exe
PID 788 wrote to memory of 2116	788	fQLG7soq8z.exe	fQLG7soq8z.exe
PID 788 wrote to memory of 2116	788	fQLG7soq8z.exe	fQLG7soq8z.exe
PID 788 wrote to memory of 2116	788	fQLG7soq8z.exe	fQLG7soq8z.exe
PID 788 wrote to memory of 2116	788	fQLG7soq8z.exe	fQLG7soq8z.exe
PID 788 wrote to memory of 2116	788	fQLG7soq8z.exe	fQLG7soq8z.exe
PID 788 wrote to memory of 2116	788	fQLG7soq8z.exe	fQLG7soq8z.exe
PID 788 wrote to memory of 2116	788	fQLG7soq8z.exe	fQLG7soq8z.exe
PID 788 wrote to memory of 2116	788	fQLG7soq8z.exe	fQLG7soq8z.exe
PID 3052 wrote to memory of 1704	3052	i5pKBFzgPO.exe	i5pKBFzgPO.exe
PID 3052 wrote to memory of 1704	3052	i5pKBFzgPO.exe	i5pKBFzgPO.exe
PID 3052 wrote to memory of 1704	3052	i5pKBFzgPO.exe	i5pKBFzgPO.exe
PID 3052 wrote to memory of 1704	3052	i5pKBFzgPO.exe	i5pKBFzgPO.exe
PID 3052 wrote to memory of 1704	3052	i5pKBFzgPO.exe	i5pKBFzgPO.exe
PID 3052 wrote to memory of 1704	3052	i5pKBFzgPO.exe	i5pKBFzgPO.exe
PID 3052 wrote to memory of 1704	3052	i5pKBFzgPO.exe	i5pKBFzgPO.exe
PID 3052 wrote to memory of 1704	3052	i5pKBFzgPO.exe	i5pKBFzgPO.exe
PID 3824 wrote to memory of 564	3824	Ajs3M4Nxss.exe	Powershell.exe
PID 3824 wrote to memory of 564	3824	Ajs3M4Nxss.exe	Powershell.exe
PID 3824 wrote to memory of 564	3824	Ajs3M4Nxss.exe	Powershell.exe
PID 3824 wrote to memory of 2188	3824	Ajs3M4Nxss.exe	Ajs3M4Nxss.exe
PID 3824 wrote to memory of 2188	3824	Ajs3M4Nxss.exe	Ajs3M4Nxss.exe
PID 3824 wrote to memory of 2188	3824	Ajs3M4Nxss.exe	Ajs3M4Nxss.exe

C:\Users\Admin\AppData\Local\Temp\3f1a2ab1e63458d3c75ded4c3f4d47c5.exe
"C:\Users\Admin\AppData\Local\Temp\3f1a2ab1e63458d3c75ded4c3f4d47c5.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3288

C:\Users\Admin\AppData\Local\Temp\BhfgwserGB.exe
"C:\Users\Admin\AppData\Local\Temp\BhfgwserGB.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2748

C:\Users\Admin\AppData\Local\Temp\BhfgwserGB.exe
"C:\Users\Admin\AppData\Local\Temp\BhfgwserGB.exe"
3⤵
- Executes dropped EXE
PID:3844

C:\Users\Admin\AppData\Local\Temp\IertvbDSFvca.exe
"C:\Users\Admin\AppData\Local\Temp\IertvbDSFvca.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3760

C:\Users\Admin\AppData\Local\Temp\IertvbDSFvca.exe
"C:\Users\Admin\AppData\Local\Temp\IertvbDSFvca.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:3896

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /pid 3896 & erase C:\Users\Admin\AppData\Local\Temp\IertvbDSFvca.exe & RD /S /Q C:\\ProgramData\\135365317430511\\* & exit
4⤵
- Suspicious use of WriteProcessMemory
PID:184

C:\Windows\SysWOW64\taskkill.exe
taskkill /pid 3896
5⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2804

C:\Users\Admin\AppData\Local\Temp\3f1a2ab1e63458d3c75ded4c3f4d47c5.exe
"C:\Users\Admin\AppData\Local\Temp\3f1a2ab1e63458d3c75ded4c3f4d47c5.exe"
2⤵
- Loads dropped DLL
- Drops desktop.ini file(s)
- Suspicious use of WriteProcessMemory
PID:4028

C:\Users\Admin\AppData\Local\Temp\Ajs3M4Nxss.exe
"C:\Users\Admin\AppData\Local\Temp\Ajs3M4Nxss.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3824

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe
"Powershell" Add-MpPreference -ExclusionPath '"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\dcvlc.exe"'
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:564

C:\Users\Admin\AppData\Local\Temp\Ajs3M4Nxss.exe
"C:\Users\Admin\AppData\Local\Temp\Ajs3M4Nxss.exe"
4⤵
- Executes dropped EXE
PID:2188

C:\Users\Admin\AppData\Local\Temp\Ajs3M4Nxss.exe
"C:\Users\Admin\AppData\Local\Temp\Ajs3M4Nxss.exe"
4⤵
- Executes dropped EXE
PID:1212

C:\Users\Admin\AppData\Local\Temp\gQfJ0OzL4l.exe
"C:\Users\Admin\AppData\Local\Temp\gQfJ0OzL4l.exe"
3⤵
- Executes dropped EXE
PID:992

C:\Users\Admin\AppData\Local\Temp\i5pKBFzgPO.exe
"C:\Users\Admin\AppData\Local\Temp\i5pKBFzgPO.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3052

C:\Users\Admin\AppData\Local\Temp\i5pKBFzgPO.exe
"C:\Users\Admin\AppData\Local\Temp\i5pKBFzgPO.exe"
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1704

\??\c:\windows\SysWOW64\cmstp.exe
"c:\windows\system32\cmstp.exe" /au C:\Windows\temp\mkyw4gwz.inf
5⤵
PID:3820

C:\Users\Admin\AppData\Local\Temp\fQLG7soq8z.exe
"C:\Users\Admin\AppData\Local\Temp\fQLG7soq8z.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:788

C:\Users\Admin\AppData\Local\Temp\fQLG7soq8z.exe
"C:\Users\Admin\AppData\Local\Temp\fQLG7soq8z.exe"
4⤵
- Executes dropped EXE
- Windows security modification
PID:2116

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell" Get-MpPreference -verbose
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:412

C:\Windows\SysWOW64\cmd.exe
cmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\3f1a2ab1e63458d3c75ded4c3f4d47c5.exe"
3⤵
- Suspicious use of WriteProcessMemory
PID:3432

C:\Windows\SysWOW64\timeout.exe
timeout /T 10 /NOBREAK
4⤵
- Delays execution with timeout.exe
PID:1976

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}
1⤵
PID:3912

C:\Windows\SysWOW64\cmd.exe
cmd /c start C:\Windows\temp\amufvkbu.exe
2⤵
PID:3988

C:\Windows\temp\amufvkbu.exe
C:\Windows\temp\amufvkbu.exe
3⤵
- Executes dropped EXE
PID:3968

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" Get-MpPreference -verbose
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:3080

C:\Windows\SysWOW64\taskkill.exe
taskkill /IM cmstp.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3780

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Disabling Security Tools

T1089

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\i5pKBFzgPO.exe.log

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ajs3M4Nxss.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ajs3M4Nxss.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ajs3M4Nxss.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ajs3M4Nxss.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\BhfgwserGB.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\BhfgwserGB.exe
MD5
e225ac32820ab1f3aa08ac9156ac521e

SHA1
dafebade4b195528f04ff5a6d7cdc82862d3f1c9

SHA256
25961226d94f6dffa80f965dac4de131f5212450b5a6c002e453fd2cd2870e7f

SHA512
4b792a8d0daa25f1d1547d23dc781ec72a83260e1b42f944ebbac78a0a940795caa713651ba49929f44cca41b0ffd1e920eec9bd53c83b72bf5117c7cabaf790

Download Submit
C:\Users\Admin\AppData\Local\Temp\BhfgwserGB.exe
MD5
e225ac32820ab1f3aa08ac9156ac521e

SHA1
dafebade4b195528f04ff5a6d7cdc82862d3f1c9

SHA256
25961226d94f6dffa80f965dac4de131f5212450b5a6c002e453fd2cd2870e7f

SHA512
4b792a8d0daa25f1d1547d23dc781ec72a83260e1b42f944ebbac78a0a940795caa713651ba49929f44cca41b0ffd1e920eec9bd53c83b72bf5117c7cabaf790

Download Submit
C:\Users\Admin\AppData\Local\Temp\IertvbDSFvca.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\IertvbDSFvca.exe
MD5
67f514516a6ff8ad345f187d5ac2b39f

SHA1
48bda482592462d08bd2630c0b231646856e639b

SHA256
2e225d68ecda32ef730ca4d9554d7156f15c77edfad304181b6d621aff61e6fc

SHA512
09c94c2150343d8e2610b0cc4df580506f3bb78381dcf0650407040368b4494b2b043039d2b650e37499427266e87a250033804d5ac01375d01d387b3a7134c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IertvbDSFvca.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\fQLG7soq8z.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\fQLG7soq8z.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\fQLG7soq8z.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\gQfJ0OzL4l.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\i5pKBFzgPO.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\i5pKBFzgPO.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\i5pKBFzgPO.exe

Download Submit
C:\Windows\Temp\amufvkbu.exe
MD5
f4b5c1ebf4966256f52c4c4ceae87fb1

SHA1
ca70ec96d1a65cb2a4cbf4db46042275dc75813b

SHA256
88e7d1e5414b8fceb396130e98482829eac4bdc78fbc3fe7fb3f4432137e0e03

SHA512
02a7790b31525873ee506eec4ba47800310f7fb4ba58ea7ff4377bf76273ae3d0b4269c7ad866ee7af63471a920c4bd34a9808766e0c51bcaf54ba2e518e6c1e

Download Submit
C:\Windows\temp\amufvkbu.exe
MD5
f4b5c1ebf4966256f52c4c4ceae87fb1

SHA1
ca70ec96d1a65cb2a4cbf4db46042275dc75813b

SHA256
88e7d1e5414b8fceb396130e98482829eac4bdc78fbc3fe7fb3f4432137e0e03

SHA512
02a7790b31525873ee506eec4ba47800310f7fb4ba58ea7ff4377bf76273ae3d0b4269c7ad866ee7af63471a920c4bd34a9808766e0c51bcaf54ba2e518e6c1e

Download Submit
C:\Windows\temp\mkyw4gwz.inf

Download Submit
\ProgramData\mozglue.dll

Download Submit
\ProgramData\nss3.dll
MD5
bfac4e3c5908856ba17d41edcd455a51

SHA1
8eec7e888767aa9e4cca8ff246eb2aacb9170428

SHA256
e2935b5b28550d47dc971f456d6961f20d1633b4892998750140e0eaa9ae9d78

SHA512
2565bab776c4d732ffb1f9b415992a4c65b81bcd644a9a1df1333a269e322925fc1df4f76913463296efd7c88ef194c3056de2f1ca1357d7b5fe5ff0da877a66

Download Submit
\ProgramData\sqlite3.dll

Download Submit
\Users\Admin\AppData\LocalLow\LIbesLLibEs\freebl3.dll

Download Submit
\Users\Admin\AppData\LocalLow\LIbesLLibEs\freebl3.dll

Download Submit
\Users\Admin\AppData\LocalLow\LIbesLLibEs\mozglue.dll

Download Submit
\Users\Admin\AppData\LocalLow\LIbesLLibEs\nss3.dll
MD5
02cc7b8ee30056d5912de54f1bdfc219

SHA1
a6923da95705fb81e368ae48f93d28522ef552fb

SHA256
1989526553fd1e1e49b0fea8036822ca062d3d39c4cab4a37846173d0f1753d5

SHA512
0d5dfcf4fb19b27246fa799e339d67cd1b494427783f379267fb2d10d615ffb734711bab2c515062c078f990a44a36f2d15859b1dacd4143dcc35b5c0cee0ef5

Download Submit
\Users\Admin\AppData\LocalLow\LIbesLLibEs\softokn3.dll

Download Submit
\Users\Admin\AppData\LocalLow\sqlite3.dll

Download Submit
memory/184-32-0x0000000000000000-mapping.dmp

Download
memory/412-122-0x00000000076C0000-0x00000000076C1000-memory.dmp

Filesize
4KB

Download
memory/412-97-0x0000000071A40000-0x000000007212E000-memory.dmp

Filesize
6.9MB

Download
memory/412-130-0x0000000007F10000-0x0000000007F11000-memory.dmp

Filesize
4KB

Download
memory/412-120-0x0000000007650000-0x0000000007651000-memory.dmp

Filesize
4KB

Download
memory/412-124-0x0000000007A70000-0x0000000007A71000-memory.dmp

Filesize
4KB

Download
memory/412-165-0x00000000091B0000-0x00000000091B1000-memory.dmp

Filesize
4KB

Download
memory/412-118-0x0000000006E80000-0x0000000006E81000-memory.dmp

Filesize
4KB

Download
memory/412-86-0x0000000000000000-mapping.dmp

Download
memory/564-164-0x0000000008E80000-0x0000000008E81000-memory.dmp

Filesize
4KB

Download
memory/564-126-0x0000000007CB0000-0x0000000007CB1000-memory.dmp

Filesize
4KB

Download
memory/564-101-0x0000000007020000-0x0000000007021000-memory.dmp

Filesize
4KB

Download
memory/564-116-0x0000000006ED0000-0x0000000006ED1000-memory.dmp

Filesize
4KB

Download
memory/564-91-0x0000000071A40000-0x000000007212E000-memory.dmp

Filesize
6.9MB

Download
memory/564-161-0x0000000006B10000-0x0000000006B11000-memory.dmp

Filesize
4KB

Download
memory/564-147-0x0000000008D10000-0x0000000008D43000-memory.dmp

Filesize
204KB

Download
memory/564-98-0x0000000001050000-0x0000000001051000-memory.dmp

Filesize
4KB

Download
memory/564-76-0x0000000000000000-mapping.dmp

Download
memory/788-67-0x0000000004940000-0x0000000004956000-memory.dmp

Filesize
88KB

Download
memory/788-64-0x0000000002790000-0x0000000002791000-memory.dmp

Filesize
4KB

Download
memory/788-60-0x0000000071A40000-0x000000007212E000-memory.dmp

Filesize
6.9MB

Download
memory/788-61-0x0000000000620000-0x0000000000621000-memory.dmp

Filesize
4KB

Download
memory/788-53-0x0000000000000000-mapping.dmp

Download
memory/788-70-0x00000000027A0000-0x00000000027AD000-memory.dmp

Filesize
52KB

Download
memory/992-46-0x0000000000000000-mapping.dmp

Download
memory/1212-90-0x000000000040C72E-mapping.dmp

Download
memory/1212-93-0x0000000071A40000-0x000000007212E000-memory.dmp

Filesize
6.9MB

Download
memory/1212-87-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1704-74-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1704-94-0x0000000004F30000-0x0000000004F31000-memory.dmp

Filesize
4KB

Download
memory/1704-89-0x0000000005340000-0x0000000005341000-memory.dmp

Filesize
4KB

Download
memory/1704-78-0x000000000040616E-mapping.dmp

Download
memory/1704-81-0x0000000071A40000-0x000000007212E000-memory.dmp

Filesize
6.9MB

Download
memory/1704-128-0x00000000051E0000-0x00000000051E1000-memory.dmp

Filesize
4KB

Download
memory/1976-66-0x0000000000000000-mapping.dmp

Download
memory/2116-72-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2116-77-0x0000000071A40000-0x000000007212E000-memory.dmp

Filesize
6.9MB

Download
memory/2116-73-0x0000000000403BEE-mapping.dmp

Download
memory/2748-2-0x0000000000000000-mapping.dmp

Download
memory/2804-33-0x0000000000000000-mapping.dmp

Download
memory/3052-69-0x00000000017B0000-0x00000000017C7000-memory.dmp

Filesize
92KB

Download
memory/3052-48-0x0000000000000000-mapping.dmp

Download
memory/3052-65-0x00000000015F0000-0x00000000015F1000-memory.dmp

Filesize
4KB

Download
memory/3052-54-0x0000000000D50000-0x0000000000D51000-memory.dmp

Filesize
4KB

Download
memory/3052-51-0x0000000071A40000-0x000000007212E000-memory.dmp

Filesize
6.9MB

Download
memory/3080-146-0x000001BBF2AC0000-0x000001BBF2AC1000-memory.dmp

Filesize
4KB

Download
memory/3080-143-0x000001BBD77C0000-0x000001BBD77C1000-memory.dmp

Filesize
4KB

Download
memory/3080-142-0x00007FF96C600000-0x00007FF96CFEC000-memory.dmp

Filesize
9.9MB

Download
memory/3080-141-0x0000000000000000-mapping.dmp

Download
memory/3432-56-0x0000000000000000-mapping.dmp

Download
memory/3760-5-0x0000000000000000-mapping.dmp

Download
memory/3780-140-0x0000000000000000-mapping.dmp

Download
memory/3820-99-0x0000000000000000-mapping.dmp

Download
memory/3820-109-0x0000000005050000-0x0000000005051000-memory.dmp

Filesize
4KB

Download
memory/3820-113-0x0000000005050000-0x0000000005051000-memory.dmp

Filesize
4KB

Download
memory/3824-45-0x0000000071A40000-0x000000007212E000-memory.dmp

Filesize
6.9MB

Download
memory/3824-42-0x0000000000000000-mapping.dmp

Download
memory/3824-63-0x0000000002340000-0x0000000002341000-memory.dmp

Filesize
4KB

Download
memory/3824-52-0x0000000000170000-0x0000000000171000-memory.dmp

Filesize
4KB

Download
memory/3824-68-0x0000000002300000-0x000000000231A000-memory.dmp

Filesize
104KB

Download
memory/3844-15-0x000000000041A684-mapping.dmp

Download
memory/3844-14-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/3844-18-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/3896-16-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3896-22-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3896-20-0x0000000000417A8B-mapping.dmp

Download
memory/3968-138-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/3968-133-0x0000000000000000-mapping.dmp

Download
memory/3968-137-0x00007FF96C600000-0x00007FF96CFEC000-memory.dmp

Filesize
9.9MB

Download
memory/3968-134-0x0000000000000000-mapping.dmp

Download
memory/3988-132-0x0000000000000000-mapping.dmp

Download
memory/4028-19-0x0000000000400000-0x0000000000498000-memory.dmp

Filesize
608KB

Download
memory/4028-12-0x0000000000440102-mapping.dmp

Download
memory/4028-9-0x0000000000400000-0x0000000000498000-memory.dmp

Filesize
608KB

Download