asyncrat | ce4c9d123144cb01aaa09ecfc34a21b6808c8d891fdd777e3bc8736fc3d877ca

Analysis

max time kernel
49s
max time network
150s
platform
windows10_x64
resource
win10v200722
submitted
08-10-2020 12:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

76bcbb2aa116aa713dc99159888f457c.exe
Size

1.2MB
MD5

76bcbb2aa116aa713dc99159888f457c
SHA1

5722b004ae8ad114625dd5d5f04a830c2d2e66c3
SHA256

ce4c9d123144cb01aaa09ecfc34a21b6808c8d891fdd777e3bc8736fc3d877ca
SHA512

cfc17e2fe5d6a25c166cd92e318da425657182fef39dd5dd9e21d844fe795e3c31dba0721891f0d1df7f266fc074f379e56f62f6ac29cccca34464ee89d9d3fa

Score

10^/10

asyncrat azorult oski raccoon discovery evasion infostealer rat spyware stealer trojan

Malware Config

Extracted

Family

azorult

http://195.245.112.115/index.php

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers.
rat asyncrat
Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
trojan infostealer azorult

Contains code to disable Windows Defender 6 IoCs

A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

Processes:

resource	yara_rule
behavioral2/memory/3580-71-0x0000000000400000-0x000000000040C000-memory.dmp	disable_win_def
behavioral2/memory/3580-72-0x000000000040616E-mapping.dmp	disable_win_def
behavioral2/memory/352-73-0x0000000000400000-0x0000000000408000-memory.dmp	disable_win_def
behavioral2/memory/352-74-0x0000000000403BEE-mapping.dmp	disable_win_def
C:\Windows\Temp\jqgjz1cm.exe	disable_win_def
C:\Windows\temp\jqgjz1cm.exe	disable_win_def

Modifies Windows Defender Real-time Protection settings 3 TTPs
evasion trojan

Modify Registry
T1112

Modify Existing Service
T1031

Disabling Security Tools
T1089
Oski
Oski is an infostealer targeting browser data, crypto wallets.
infostealer oski
Raccoon
Simple but powerful infostealer which was very active in 2019.
stealer raccoon
Downloads MZ/PE file

Executes dropped EXE 12 IoCs

Processes:

HJfgdytdjkhdfg.exeJHdvbyutrevcxz.exeHJfgdytdjkhdfg.exeJHdvbyutrevcxz.exeOvrIM65dKL.exey7QlGxWmEI.exeBW7VnYJxMl.exeLQI4qkNo06.exeBW7VnYJxMl.exeLQI4qkNo06.exeOvrIM65dKL.exejqgjz1cm.exe

pid	process
3904	HJfgdytdjkhdfg.exe
3220	JHdvbyutrevcxz.exe
3412	HJfgdytdjkhdfg.exe
972	JHdvbyutrevcxz.exe
3916	OvrIM65dKL.exe
688	y7QlGxWmEI.exe
3496	BW7VnYJxMl.exe
3648	LQI4qkNo06.exe
3580	BW7VnYJxMl.exe
352	LQI4qkNo06.exe
2548	OvrIM65dKL.exe
3088	jqgjz1cm.exe

Loads dropped DLL 9 IoCs

Processes:

JHdvbyutrevcxz.exe76bcbb2aa116aa713dc99159888f457c.exe

pid	process
972	JHdvbyutrevcxz.exe
972	JHdvbyutrevcxz.exe
972	JHdvbyutrevcxz.exe
3980	76bcbb2aa116aa713dc99159888f457c.exe
3980	76bcbb2aa116aa713dc99159888f457c.exe
3980	76bcbb2aa116aa713dc99159888f457c.exe
3980	76bcbb2aa116aa713dc99159888f457c.exe
3980	76bcbb2aa116aa713dc99159888f457c.exe
3980	76bcbb2aa116aa713dc99159888f457c.exe

Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

LQI4qkNo06.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	LQI4qkNo06.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	LQI4qkNo06.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Drops desktop.ini file(s) 1 IoCs

Processes:

76bcbb2aa116aa713dc99159888f457c.exe

description ioc process

File created C:\Users\Admin\AppData\LocalLow\FLesFFxEsEs\desktop.ini 76bcbb2aa116aa713dc99159888f457c.exe

description	ioc	process
File created	C:\Users\Admin\AppData\LocalLow\FLesFFxEsEs\desktop.ini	76bcbb2aa116aa713dc99159888f457c.exe

Suspicious use of SetThreadContext 6 IoCs

Processes:

76bcbb2aa116aa713dc99159888f457c.exeHJfgdytdjkhdfg.exeJHdvbyutrevcxz.exeBW7VnYJxMl.exeLQI4qkNo06.exeOvrIM65dKL.exe

description	pid	process	target process
PID 508 set thread context of 3980	508	76bcbb2aa116aa713dc99159888f457c.exe	76bcbb2aa116aa713dc99159888f457c.exe
PID 3904 set thread context of 3412	3904	HJfgdytdjkhdfg.exe	HJfgdytdjkhdfg.exe
PID 3220 set thread context of 972	3220	JHdvbyutrevcxz.exe	JHdvbyutrevcxz.exe
PID 3496 set thread context of 3580	3496	BW7VnYJxMl.exe	BW7VnYJxMl.exe
PID 3648 set thread context of 352	3648	LQI4qkNo06.exe	LQI4qkNo06.exe
PID 3916 set thread context of 2548	3916	OvrIM65dKL.exe	OvrIM65dKL.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Checks processor information in registry 2 TTPs 1 IoCs
Processor information is often read in order to detect sandboxing environments.

Query Registry
T1012

System Information Discovery
T1082

Processes:

JHdvbyutrevcxz.exe

description ioc process

Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString JHdvbyutrevcxz.exe
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

3356 timeout.exe
Kills process with taskkill 2 IoCs
evasion

Processes:

taskkill.exetaskkill.exe

pid process

1552 taskkill.exe
3872 taskkill.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	JHdvbyutrevcxz.exe

pid	process
3356	timeout.exe

pid	process
1552	taskkill.exe
3872	taskkill.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

BW7VnYJxMl.exe

pid	process
3580	BW7VnYJxMl.exe
3580	BW7VnYJxMl.exe
3580	BW7VnYJxMl.exe
3580	BW7VnYJxMl.exe
3580	BW7VnYJxMl.exe
3580	BW7VnYJxMl.exe
3580	BW7VnYJxMl.exe
3580	BW7VnYJxMl.exe
3580	BW7VnYJxMl.exe
3580	BW7VnYJxMl.exe
3580	BW7VnYJxMl.exe
3580	BW7VnYJxMl.exe
3580	BW7VnYJxMl.exe
3580	BW7VnYJxMl.exe
3580	BW7VnYJxMl.exe
3580	BW7VnYJxMl.exe
3580	BW7VnYJxMl.exe
3580	BW7VnYJxMl.exe
3580	BW7VnYJxMl.exe
3580	BW7VnYJxMl.exe
3580	BW7VnYJxMl.exe
3580	BW7VnYJxMl.exe
3580	BW7VnYJxMl.exe
3580	BW7VnYJxMl.exe
3580	BW7VnYJxMl.exe
3580	BW7VnYJxMl.exe
3580	BW7VnYJxMl.exe
3580	BW7VnYJxMl.exe
3580	BW7VnYJxMl.exe
3580	BW7VnYJxMl.exe
3580	BW7VnYJxMl.exe
3580	BW7VnYJxMl.exe
3580	BW7VnYJxMl.exe
3580	BW7VnYJxMl.exe
3580	BW7VnYJxMl.exe
3580	BW7VnYJxMl.exe
3580	BW7VnYJxMl.exe
3580	BW7VnYJxMl.exe
3580	BW7VnYJxMl.exe
3580	BW7VnYJxMl.exe
3580	BW7VnYJxMl.exe
3580	BW7VnYJxMl.exe
3580	BW7VnYJxMl.exe
3580	BW7VnYJxMl.exe
3580	BW7VnYJxMl.exe
3580	BW7VnYJxMl.exe
3580	BW7VnYJxMl.exe
3580	BW7VnYJxMl.exe
3580	BW7VnYJxMl.exe
3580	BW7VnYJxMl.exe
3580	BW7VnYJxMl.exe
3580	BW7VnYJxMl.exe
3580	BW7VnYJxMl.exe
3580	BW7VnYJxMl.exe
3580	BW7VnYJxMl.exe
3580	BW7VnYJxMl.exe
3580	BW7VnYJxMl.exe
3580	BW7VnYJxMl.exe
3580	BW7VnYJxMl.exe
3580	BW7VnYJxMl.exe
3580	BW7VnYJxMl.exe
3580	BW7VnYJxMl.exe
3580	BW7VnYJxMl.exe
3580	BW7VnYJxMl.exe

Suspicious behavior: MapViewOfSection 3 IoCs

Processes:

76bcbb2aa116aa713dc99159888f457c.exeHJfgdytdjkhdfg.exeJHdvbyutrevcxz.exe

pid process

508 76bcbb2aa116aa713dc99159888f457c.exe
3904 HJfgdytdjkhdfg.exe
3220 JHdvbyutrevcxz.exe

pid	process
508	76bcbb2aa116aa713dc99159888f457c.exe
3904	HJfgdytdjkhdfg.exe
3220	JHdvbyutrevcxz.exe

Suspicious use of AdjustPrivilegeToken 42 IoCs

Processes:

taskkill.exeOvrIM65dKL.exeBW7VnYJxMl.exeLQI4qkNo06.exeBW7VnYJxMl.exepowershell.exePowershell.exetaskkill.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	1552	taskkill.exe
Token: SeDebugPrivilege	3916	OvrIM65dKL.exe
Token: SeDebugPrivilege	3496	BW7VnYJxMl.exe
Token: SeDebugPrivilege	3648	LQI4qkNo06.exe
Token: SeDebugPrivilege	3580	BW7VnYJxMl.exe
Token: SeDebugPrivilege	188	powershell.exe
Token: SeDebugPrivilege	1256	Powershell.exe
Token: SeDebugPrivilege	3872	taskkill.exe
Token: SeDebugPrivilege	3120	powershell.exe
Token: SeIncreaseQuotaPrivilege	3120	powershell.exe
Token: SeSecurityPrivilege	3120	powershell.exe
Token: SeTakeOwnershipPrivilege	3120	powershell.exe
Token: SeLoadDriverPrivilege	3120	powershell.exe
Token: SeSystemProfilePrivilege	3120	powershell.exe
Token: SeSystemtimePrivilege	3120	powershell.exe
Token: SeProfSingleProcessPrivilege	3120	powershell.exe
Token: SeIncBasePriorityPrivilege	3120	powershell.exe
Token: SeCreatePagefilePrivilege	3120	powershell.exe
Token: SeBackupPrivilege	3120	powershell.exe
Token: SeRestorePrivilege	3120	powershell.exe
Token: SeShutdownPrivilege	3120	powershell.exe
Token: SeDebugPrivilege	3120	powershell.exe
Token: SeSystemEnvironmentPrivilege	3120	powershell.exe
Token: SeRemoteShutdownPrivilege	3120	powershell.exe
Token: SeUndockPrivilege	3120	powershell.exe
Token: SeManageVolumePrivilege	3120	powershell.exe
Token: 33	3120	powershell.exe
Token: 34	3120	powershell.exe
Token: 35	3120	powershell.exe
Token: 36	3120	powershell.exe
Token: SeDebugPrivilege	3048	powershell.exe
Token: SeDebugPrivilege	3780	powershell.exe
Token: SeDebugPrivilege	2584	powershell.exe
Token: SeDebugPrivilege	4032	powershell.exe
Token: SeDebugPrivilege	788	powershell.exe
Token: SeDebugPrivilege	4196	powershell.exe
Token: SeDebugPrivilege	4308	powershell.exe
Token: SeDebugPrivilege	4420	powershell.exe
Token: SeDebugPrivilege	4516	powershell.exe
Token: SeDebugPrivilege	4592	powershell.exe
Token: SeDebugPrivilege	4672	powershell.exe
Token: SeDebugPrivilege	4804	powershell.exe

Suspicious use of SetWindowsHookEx 5 IoCs

Processes:

76bcbb2aa116aa713dc99159888f457c.exeHJfgdytdjkhdfg.exeJHdvbyutrevcxz.exeBW7VnYJxMl.exe

pid process

508 76bcbb2aa116aa713dc99159888f457c.exe
3904 HJfgdytdjkhdfg.exe
3220 JHdvbyutrevcxz.exe
3580 BW7VnYJxMl.exe
3580 BW7VnYJxMl.exe

pid	process
508	76bcbb2aa116aa713dc99159888f457c.exe
3904	HJfgdytdjkhdfg.exe
3220	JHdvbyutrevcxz.exe
3580	BW7VnYJxMl.exe
3580	BW7VnYJxMl.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

76bcbb2aa116aa713dc99159888f457c.exeHJfgdytdjkhdfg.exeJHdvbyutrevcxz.exeJHdvbyutrevcxz.execmd.exe76bcbb2aa116aa713dc99159888f457c.execmd.exeBW7VnYJxMl.exeLQI4qkNo06.exeOvrIM65dKL.exe

description	pid	process	target process
PID 508 wrote to memory of 3904	508	76bcbb2aa116aa713dc99159888f457c.exe	HJfgdytdjkhdfg.exe
PID 508 wrote to memory of 3904	508	76bcbb2aa116aa713dc99159888f457c.exe	HJfgdytdjkhdfg.exe
PID 508 wrote to memory of 3904	508	76bcbb2aa116aa713dc99159888f457c.exe	HJfgdytdjkhdfg.exe
PID 508 wrote to memory of 3220	508	76bcbb2aa116aa713dc99159888f457c.exe	JHdvbyutrevcxz.exe
PID 508 wrote to memory of 3220	508	76bcbb2aa116aa713dc99159888f457c.exe	JHdvbyutrevcxz.exe
PID 508 wrote to memory of 3220	508	76bcbb2aa116aa713dc99159888f457c.exe	JHdvbyutrevcxz.exe
PID 508 wrote to memory of 3980	508	76bcbb2aa116aa713dc99159888f457c.exe	76bcbb2aa116aa713dc99159888f457c.exe
PID 508 wrote to memory of 3980	508	76bcbb2aa116aa713dc99159888f457c.exe	76bcbb2aa116aa713dc99159888f457c.exe
PID 508 wrote to memory of 3980	508	76bcbb2aa116aa713dc99159888f457c.exe	76bcbb2aa116aa713dc99159888f457c.exe
PID 508 wrote to memory of 3980	508	76bcbb2aa116aa713dc99159888f457c.exe	76bcbb2aa116aa713dc99159888f457c.exe
PID 3904 wrote to memory of 3412	3904	HJfgdytdjkhdfg.exe	HJfgdytdjkhdfg.exe
PID 3904 wrote to memory of 3412	3904	HJfgdytdjkhdfg.exe	HJfgdytdjkhdfg.exe
PID 3904 wrote to memory of 3412	3904	HJfgdytdjkhdfg.exe	HJfgdytdjkhdfg.exe
PID 3904 wrote to memory of 3412	3904	HJfgdytdjkhdfg.exe	HJfgdytdjkhdfg.exe
PID 3220 wrote to memory of 972	3220	JHdvbyutrevcxz.exe	JHdvbyutrevcxz.exe
PID 3220 wrote to memory of 972	3220	JHdvbyutrevcxz.exe	JHdvbyutrevcxz.exe
PID 3220 wrote to memory of 972	3220	JHdvbyutrevcxz.exe	JHdvbyutrevcxz.exe
PID 3220 wrote to memory of 972	3220	JHdvbyutrevcxz.exe	JHdvbyutrevcxz.exe
PID 972 wrote to memory of 3416	972	JHdvbyutrevcxz.exe	cmd.exe
PID 972 wrote to memory of 3416	972	JHdvbyutrevcxz.exe	cmd.exe
PID 972 wrote to memory of 3416	972	JHdvbyutrevcxz.exe	cmd.exe
PID 3416 wrote to memory of 1552	3416	cmd.exe	taskkill.exe
PID 3416 wrote to memory of 1552	3416	cmd.exe	taskkill.exe
PID 3416 wrote to memory of 1552	3416	cmd.exe	taskkill.exe
PID 3980 wrote to memory of 3916	3980	76bcbb2aa116aa713dc99159888f457c.exe	OvrIM65dKL.exe
PID 3980 wrote to memory of 3916	3980	76bcbb2aa116aa713dc99159888f457c.exe	OvrIM65dKL.exe
PID 3980 wrote to memory of 3916	3980	76bcbb2aa116aa713dc99159888f457c.exe	OvrIM65dKL.exe
PID 3980 wrote to memory of 688	3980	76bcbb2aa116aa713dc99159888f457c.exe	y7QlGxWmEI.exe
PID 3980 wrote to memory of 688	3980	76bcbb2aa116aa713dc99159888f457c.exe	y7QlGxWmEI.exe
PID 3980 wrote to memory of 688	3980	76bcbb2aa116aa713dc99159888f457c.exe	y7QlGxWmEI.exe
PID 3980 wrote to memory of 3496	3980	76bcbb2aa116aa713dc99159888f457c.exe	BW7VnYJxMl.exe
PID 3980 wrote to memory of 3496	3980	76bcbb2aa116aa713dc99159888f457c.exe	BW7VnYJxMl.exe
PID 3980 wrote to memory of 3496	3980	76bcbb2aa116aa713dc99159888f457c.exe	BW7VnYJxMl.exe
PID 3980 wrote to memory of 3648	3980	76bcbb2aa116aa713dc99159888f457c.exe	LQI4qkNo06.exe
PID 3980 wrote to memory of 3648	3980	76bcbb2aa116aa713dc99159888f457c.exe	LQI4qkNo06.exe
PID 3980 wrote to memory of 3648	3980	76bcbb2aa116aa713dc99159888f457c.exe	LQI4qkNo06.exe
PID 3980 wrote to memory of 3924	3980	76bcbb2aa116aa713dc99159888f457c.exe	cmd.exe
PID 3980 wrote to memory of 3924	3980	76bcbb2aa116aa713dc99159888f457c.exe	cmd.exe
PID 3980 wrote to memory of 3924	3980	76bcbb2aa116aa713dc99159888f457c.exe	cmd.exe
PID 3924 wrote to memory of 3356	3924	cmd.exe	timeout.exe
PID 3924 wrote to memory of 3356	3924	cmd.exe	timeout.exe
PID 3924 wrote to memory of 3356	3924	cmd.exe	timeout.exe
PID 3496 wrote to memory of 3580	3496	BW7VnYJxMl.exe	BW7VnYJxMl.exe
PID 3496 wrote to memory of 3580	3496	BW7VnYJxMl.exe	BW7VnYJxMl.exe
PID 3496 wrote to memory of 3580	3496	BW7VnYJxMl.exe	BW7VnYJxMl.exe
PID 3496 wrote to memory of 3580	3496	BW7VnYJxMl.exe	BW7VnYJxMl.exe
PID 3496 wrote to memory of 3580	3496	BW7VnYJxMl.exe	BW7VnYJxMl.exe
PID 3496 wrote to memory of 3580	3496	BW7VnYJxMl.exe	BW7VnYJxMl.exe
PID 3496 wrote to memory of 3580	3496	BW7VnYJxMl.exe	BW7VnYJxMl.exe
PID 3496 wrote to memory of 3580	3496	BW7VnYJxMl.exe	BW7VnYJxMl.exe
PID 3648 wrote to memory of 352	3648	LQI4qkNo06.exe	LQI4qkNo06.exe
PID 3648 wrote to memory of 352	3648	LQI4qkNo06.exe	LQI4qkNo06.exe
PID 3648 wrote to memory of 352	3648	LQI4qkNo06.exe	LQI4qkNo06.exe
PID 3648 wrote to memory of 352	3648	LQI4qkNo06.exe	LQI4qkNo06.exe
PID 3648 wrote to memory of 352	3648	LQI4qkNo06.exe	LQI4qkNo06.exe
PID 3648 wrote to memory of 352	3648	LQI4qkNo06.exe	LQI4qkNo06.exe
PID 3648 wrote to memory of 352	3648	LQI4qkNo06.exe	LQI4qkNo06.exe
PID 3648 wrote to memory of 352	3648	LQI4qkNo06.exe	LQI4qkNo06.exe
PID 3916 wrote to memory of 1256	3916	OvrIM65dKL.exe	Powershell.exe
PID 3916 wrote to memory of 1256	3916	OvrIM65dKL.exe	Powershell.exe
PID 3916 wrote to memory of 1256	3916	OvrIM65dKL.exe	Powershell.exe
PID 3916 wrote to memory of 2548	3916	OvrIM65dKL.exe	OvrIM65dKL.exe
PID 3916 wrote to memory of 2548	3916	OvrIM65dKL.exe	OvrIM65dKL.exe
PID 3916 wrote to memory of 2548	3916	OvrIM65dKL.exe	OvrIM65dKL.exe

C:\Users\Admin\AppData\Local\Temp\76bcbb2aa116aa713dc99159888f457c.exe
"C:\Users\Admin\AppData\Local\Temp\76bcbb2aa116aa713dc99159888f457c.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:508

C:\Users\Admin\AppData\Local\Temp\HJfgdytdjkhdfg.exe
"C:\Users\Admin\AppData\Local\Temp\HJfgdytdjkhdfg.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3904

C:\Users\Admin\AppData\Local\Temp\HJfgdytdjkhdfg.exe
"C:\Users\Admin\AppData\Local\Temp\HJfgdytdjkhdfg.exe"
3⤵
- Executes dropped EXE
PID:3412

C:\Users\Admin\AppData\Local\Temp\JHdvbyutrevcxz.exe
"C:\Users\Admin\AppData\Local\Temp\JHdvbyutrevcxz.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3220

C:\Users\Admin\AppData\Local\Temp\JHdvbyutrevcxz.exe
"C:\Users\Admin\AppData\Local\Temp\JHdvbyutrevcxz.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:972

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /pid 972 & erase C:\Users\Admin\AppData\Local\Temp\JHdvbyutrevcxz.exe & RD /S /Q C:\\ProgramData\\119245394216483\\* & exit
4⤵
- Suspicious use of WriteProcessMemory
PID:3416

C:\Windows\SysWOW64\taskkill.exe
taskkill /pid 972
5⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1552

C:\Users\Admin\AppData\Local\Temp\76bcbb2aa116aa713dc99159888f457c.exe
"C:\Users\Admin\AppData\Local\Temp\76bcbb2aa116aa713dc99159888f457c.exe"
2⤵
- Loads dropped DLL
- Drops desktop.ini file(s)
- Suspicious use of WriteProcessMemory
PID:3980

C:\Users\Admin\AppData\Local\Temp\OvrIM65dKL.exe
"C:\Users\Admin\AppData\Local\Temp\OvrIM65dKL.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3916

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe
"Powershell" Add-MpPreference -ExclusionPath '"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\ddvlc.exe"'
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:1256

C:\Users\Admin\AppData\Local\Temp\OvrIM65dKL.exe
"C:\Users\Admin\AppData\Local\Temp\OvrIM65dKL.exe"
4⤵
- Executes dropped EXE
PID:2548

C:\Users\Admin\AppData\Local\Temp\y7QlGxWmEI.exe
"C:\Users\Admin\AppData\Local\Temp\y7QlGxWmEI.exe"
3⤵
- Executes dropped EXE
PID:688

C:\Users\Admin\AppData\Local\Temp\BW7VnYJxMl.exe
"C:\Users\Admin\AppData\Local\Temp\BW7VnYJxMl.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3496

C:\Users\Admin\AppData\Local\Temp\BW7VnYJxMl.exe
"C:\Users\Admin\AppData\Local\Temp\BW7VnYJxMl.exe"
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3580

\??\c:\windows\SysWOW64\cmstp.exe
"c:\windows\system32\cmstp.exe" /au C:\Windows\temp\p10l0yun.inf
5⤵
PID:1932

C:\Users\Admin\AppData\Local\Temp\LQI4qkNo06.exe
"C:\Users\Admin\AppData\Local\Temp\LQI4qkNo06.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3648

C:\Users\Admin\AppData\Local\Temp\LQI4qkNo06.exe
"C:\Users\Admin\AppData\Local\Temp\LQI4qkNo06.exe"
4⤵
- Executes dropped EXE
- Windows security modification
PID:352

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell" Get-MpPreference -verbose
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:188

C:\Windows\SysWOW64\cmd.exe
cmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\76bcbb2aa116aa713dc99159888f457c.exe"
3⤵
- Suspicious use of WriteProcessMemory
PID:3924

C:\Windows\SysWOW64\timeout.exe
timeout /T 10 /NOBREAK
4⤵
- Delays execution with timeout.exe
PID:3356

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}
1⤵
PID:1704

C:\Windows\SysWOW64\cmd.exe
cmd /c start C:\Windows\temp\jqgjz1cm.exe
2⤵
PID:3692

C:\Windows\temp\jqgjz1cm.exe
C:\Windows\temp\jqgjz1cm.exe
3⤵
- Executes dropped EXE
PID:3088

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" Get-MpPreference -verbose
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:3120

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableArchiveScanning $true
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:3048

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableBlockAtFirstSeen $true
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:3780

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableIOAVProtection $true
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:4032

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisablePrivacyMode $true
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:2584

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableScriptScanning $true
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:788

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -HighThreatDefaultAction 6 -Force
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:4196

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -LowThreatDefaultAction 6
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:4308

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -MAPSReporting 0
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:4420

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ModerateThreatDefaultAction 6
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:4516

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SevereThreatDefaultAction 6
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:4592

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SignatureDisableUpdateOnStartupWithoutEngine $true
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:4672

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SubmitSamplesConsent 2
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:4804

C:\Windows\SysWOW64\taskkill.exe
taskkill /IM cmstp.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3872

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Disabling Security Tools

T1089

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\BW7VnYJxMl.exe.log

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\OvrIM65dKL.exe.log

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download Submit
C:\Users\Admin\AppData\Local\Temp\BW7VnYJxMl.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\BW7VnYJxMl.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\BW7VnYJxMl.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\HJfgdytdjkhdfg.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\HJfgdytdjkhdfg.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\HJfgdytdjkhdfg.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\JHdvbyutrevcxz.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\JHdvbyutrevcxz.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\JHdvbyutrevcxz.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\LQI4qkNo06.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\LQI4qkNo06.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\LQI4qkNo06.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\OvrIM65dKL.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\OvrIM65dKL.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\OvrIM65dKL.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\y7QlGxWmEI.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\y7QlGxWmEI.exe

Download Submit
C:\Windows\Temp\jqgjz1cm.exe
MD5
f4b5c1ebf4966256f52c4c4ceae87fb1

SHA1
ca70ec96d1a65cb2a4cbf4db46042275dc75813b

SHA256
88e7d1e5414b8fceb396130e98482829eac4bdc78fbc3fe7fb3f4432137e0e03

SHA512
02a7790b31525873ee506eec4ba47800310f7fb4ba58ea7ff4377bf76273ae3d0b4269c7ad866ee7af63471a920c4bd34a9808766e0c51bcaf54ba2e518e6c1e

Download Submit
C:\Windows\temp\jqgjz1cm.exe
MD5
f4b5c1ebf4966256f52c4c4ceae87fb1

SHA1
ca70ec96d1a65cb2a4cbf4db46042275dc75813b

SHA256
88e7d1e5414b8fceb396130e98482829eac4bdc78fbc3fe7fb3f4432137e0e03

SHA512
02a7790b31525873ee506eec4ba47800310f7fb4ba58ea7ff4377bf76273ae3d0b4269c7ad866ee7af63471a920c4bd34a9808766e0c51bcaf54ba2e518e6c1e

Download Submit
C:\Windows\temp\p10l0yun.inf

Download Submit
\ProgramData\mozglue.dll

Download Submit
\ProgramData\nss3.dll
MD5
bfac4e3c5908856ba17d41edcd455a51

SHA1
8eec7e888767aa9e4cca8ff246eb2aacb9170428

SHA256
e2935b5b28550d47dc971f456d6961f20d1633b4892998750140e0eaa9ae9d78

SHA512
2565bab776c4d732ffb1f9b415992a4c65b81bcd644a9a1df1333a269e322925fc1df4f76913463296efd7c88ef194c3056de2f1ca1357d7b5fe5ff0da877a66

Download Submit
\ProgramData\sqlite3.dll

Download Submit
\Users\Admin\AppData\LocalLow\LIbesLLibEs\freebl3.dll

Download Submit
\Users\Admin\AppData\LocalLow\LIbesLLibEs\freebl3.dll

Download Submit
\Users\Admin\AppData\LocalLow\LIbesLLibEs\mozglue.dll

Download Submit
\Users\Admin\AppData\LocalLow\LIbesLLibEs\nss3.dll
MD5
02cc7b8ee30056d5912de54f1bdfc219

SHA1
a6923da95705fb81e368ae48f93d28522ef552fb

SHA256
1989526553fd1e1e49b0fea8036822ca062d3d39c4cab4a37846173d0f1753d5

SHA512
0d5dfcf4fb19b27246fa799e339d67cd1b494427783f379267fb2d10d615ffb734711bab2c515062c078f990a44a36f2d15859b1dacd4143dcc35b5c0cee0ef5

Download Submit
\Users\Admin\AppData\LocalLow\LIbesLLibEs\softokn3.dll

Download Submit
\Users\Admin\AppData\LocalLow\sqlite3.dll

Download Submit
memory/188-161-0x00000000099F0000-0x00000000099F1000-memory.dmp

Filesize
4KB

Download
memory/188-157-0x0000000009A90000-0x0000000009A91000-memory.dmp

Filesize
4KB

Download
memory/188-98-0x0000000071280000-0x000000007196E000-memory.dmp

Filesize
6.9MB

Download
memory/188-112-0x0000000007FE0000-0x0000000007FE1000-memory.dmp

Filesize
4KB

Download
memory/188-114-0x0000000008350000-0x0000000008351000-memory.dmp

Filesize
4KB

Download
memory/188-154-0x0000000009670000-0x0000000009671000-memory.dmp

Filesize
4KB

Download
memory/188-90-0x0000000000000000-mapping.dmp

Download
memory/188-119-0x0000000008750000-0x0000000008751000-memory.dmp

Filesize
4KB

Download
memory/352-74-0x0000000000403BEE-mapping.dmp

Download
memory/352-78-0x0000000071280000-0x000000007196E000-memory.dmp

Filesize
6.9MB

Download
memory/352-73-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/688-46-0x0000000000000000-mapping.dmp

Download
memory/788-179-0x00007FFE411F0000-0x00007FFE41BDC000-memory.dmp

Filesize
9.9MB

Download
memory/788-170-0x0000000000000000-mapping.dmp

Download
memory/972-19-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/972-20-0x0000000000417A8B-mapping.dmp

Download
memory/972-33-0x0000000003A60000-0x0000000003A61000-memory.dmp

Filesize
4KB

Download
memory/972-22-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1256-102-0x0000000007340000-0x0000000007341000-memory.dmp

Filesize
4KB

Download
memory/1256-99-0x0000000004840000-0x0000000004841000-memory.dmp

Filesize
4KB

Download
memory/1256-110-0x00000000079E0000-0x00000000079E1000-memory.dmp

Filesize
4KB

Download
memory/1256-106-0x0000000007290000-0x0000000007291000-memory.dmp

Filesize
4KB

Download
memory/1256-171-0x0000000008440000-0x0000000008441000-memory.dmp

Filesize
4KB

Download
memory/1256-152-0x00000000090D0000-0x00000000090D1000-memory.dmp

Filesize
4KB

Download
memory/1256-117-0x0000000008080000-0x0000000008081000-memory.dmp

Filesize
4KB

Download
memory/1256-108-0x0000000007970000-0x0000000007971000-memory.dmp

Filesize
4KB

Download
memory/1256-77-0x0000000000000000-mapping.dmp

Download
memory/1256-96-0x0000000071280000-0x000000007196E000-memory.dmp

Filesize
6.9MB

Download
memory/1256-138-0x00000000090F0000-0x0000000009123000-memory.dmp

Filesize
204KB

Download
memory/1552-34-0x0000000000000000-mapping.dmp

Download
memory/1932-97-0x0000000000000000-mapping.dmp

Download
memory/1932-104-0x0000000004640000-0x0000000004641000-memory.dmp

Filesize
4KB

Download
memory/2548-87-0x00000000004252EE-mapping.dmp

Download
memory/2548-85-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2548-92-0x0000000071280000-0x000000007196E000-memory.dmp

Filesize
6.9MB

Download
memory/2548-132-0x00000000058C0000-0x00000000058C1000-memory.dmp

Filesize
4KB

Download
memory/2584-176-0x00007FFE411F0000-0x00007FFE41BDC000-memory.dmp

Filesize
9.9MB

Download
memory/2584-166-0x0000000000000000-mapping.dmp

Download
memory/3048-169-0x00007FFE411F0000-0x00007FFE41BDC000-memory.dmp

Filesize
9.9MB

Download
memory/3048-159-0x0000000000000000-mapping.dmp

Download
memory/3088-127-0x00000000005B0000-0x00000000005B1000-memory.dmp

Filesize
4KB

Download
memory/3088-122-0x0000000000000000-mapping.dmp

Download
memory/3088-123-0x0000000000000000-mapping.dmp

Download
memory/3088-126-0x00007FFE411F0000-0x00007FFE41BDC000-memory.dmp

Filesize
9.9MB

Download
memory/3120-134-0x0000019F97EB0000-0x0000019F97EB1000-memory.dmp

Filesize
4KB

Download
memory/3120-136-0x0000019FB2D50000-0x0000019FB2D51000-memory.dmp

Filesize
4KB

Download
memory/3120-133-0x00007FFE411F0000-0x00007FFE41BDC000-memory.dmp

Filesize
9.9MB

Download
memory/3120-130-0x0000000000000000-mapping.dmp

Download
memory/3220-5-0x0000000000000000-mapping.dmp

Download
memory/3356-65-0x0000000000000000-mapping.dmp

Download
memory/3412-17-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/3412-15-0x000000000041A684-mapping.dmp

Download
memory/3412-14-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/3416-32-0x0000000000000000-mapping.dmp

Download
memory/3496-69-0x0000000000930000-0x000000000093D000-memory.dmp

Filesize
52KB

Download
memory/3496-55-0x0000000000140000-0x0000000000141000-memory.dmp

Filesize
4KB

Download
memory/3496-53-0x0000000071280000-0x000000007196E000-memory.dmp

Filesize
6.9MB

Download
memory/3496-50-0x0000000000000000-mapping.dmp

Download
memory/3496-68-0x0000000000AE0000-0x0000000000AF5000-memory.dmp

Filesize
84KB

Download
memory/3580-116-0x0000000002AF0000-0x0000000002AF1000-memory.dmp

Filesize
4KB

Download
memory/3580-88-0x0000000005460000-0x0000000005461000-memory.dmp

Filesize
4KB

Download
memory/3580-71-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/3580-72-0x000000000040616E-mapping.dmp

Download
memory/3580-80-0x0000000071280000-0x000000007196E000-memory.dmp

Filesize
6.9MB

Download
memory/3580-95-0x0000000005000000-0x0000000005001000-memory.dmp

Filesize
4KB

Download
memory/3648-67-0x0000000004A50000-0x0000000004A66000-memory.dmp

Filesize
88KB

Download
memory/3648-54-0x0000000000000000-mapping.dmp

Download
memory/3648-62-0x0000000071280000-0x000000007196E000-memory.dmp

Filesize
6.9MB

Download
memory/3648-63-0x00000000002D0000-0x00000000002D1000-memory.dmp

Filesize
4KB

Download
memory/3692-121-0x0000000000000000-mapping.dmp

Download
memory/3780-168-0x00007FFE411F0000-0x00007FFE41BDC000-memory.dmp

Filesize
9.9MB

Download
memory/3780-160-0x0000000000000000-mapping.dmp

Download
memory/3872-128-0x0000000000000000-mapping.dmp

Download
memory/3904-2-0x0000000000000000-mapping.dmp

Download
memory/3916-56-0x00000000005A0000-0x00000000005A1000-memory.dmp

Filesize
4KB

Download
memory/3916-47-0x0000000071280000-0x000000007196E000-memory.dmp

Filesize
6.9MB

Download
memory/3916-66-0x0000000004D20000-0x0000000004D47000-memory.dmp

Filesize
156KB

Download
memory/3916-43-0x0000000000000000-mapping.dmp

Download
memory/3924-57-0x0000000000000000-mapping.dmp

Download
memory/3980-12-0x0000000000400000-0x0000000000496000-memory.dmp

Filesize
600KB

Download
memory/3980-13-0x0000000000440102-mapping.dmp

Download
memory/3980-18-0x0000000000400000-0x0000000000496000-memory.dmp

Filesize
600KB

Download
memory/4032-175-0x00007FFE411F0000-0x00007FFE41BDC000-memory.dmp

Filesize
9.9MB

Download
memory/4032-163-0x0000000000000000-mapping.dmp

Download
memory/4196-177-0x0000000000000000-mapping.dmp

Download
memory/4196-181-0x00007FFE411F0000-0x00007FFE41BDC000-memory.dmp

Filesize
9.9MB

Download
memory/4308-178-0x0000000000000000-mapping.dmp

Download
memory/4308-185-0x00007FFE411F0000-0x00007FFE41BDC000-memory.dmp

Filesize
9.9MB

Download
memory/4420-180-0x0000000000000000-mapping.dmp

Download
memory/4420-191-0x00007FFE411F0000-0x00007FFE41BDC000-memory.dmp

Filesize
9.9MB

Download
memory/4516-193-0x00007FFE411F0000-0x00007FFE41BDC000-memory.dmp

Filesize
9.9MB

Download
memory/4516-183-0x0000000000000000-mapping.dmp

Download
memory/4592-186-0x0000000000000000-mapping.dmp

Download
memory/4592-194-0x00007FFE411F0000-0x00007FFE41BDC000-memory.dmp

Filesize
9.9MB

Download
memory/4672-189-0x0000000000000000-mapping.dmp

Download
memory/4672-196-0x00007FFE411F0000-0x00007FFE41BDC000-memory.dmp

Filesize
9.9MB

Download
memory/4804-192-0x0000000000000000-mapping.dmp

Download
memory/4804-199-0x00007FFE411F0000-0x00007FFE41BDC000-memory.dmp

Filesize
9.9MB

Download