asyncrat | 9349dedc83ec4d4feb499846694ba241e205023fdec6e3cdd37ac82cc47661b4

Analysis

max time kernel
38s
max time network
153s
platform
windows10_x64
resource
win10v20201028
submitted
08-11-2020 17:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9349dedc83ec4d4feb499846694ba241e205023fdec6e3cdd37ac82cc47661b4.exe
Size

3.5MB
MD5

182d028b33e65fb17d4a601cbfe38dff
SHA1

fdc5b33a43ca57abe13f5d03c429897cafddda5b
SHA256

9349dedc83ec4d4feb499846694ba241e205023fdec6e3cdd37ac82cc47661b4
SHA512

4cbe9456ecbab9674e8d168a306b2327d1eb57a0b98bcfe64bc84c371387dda8f4714ea128b8d98ba98c85b5b0b059c749cbf10fc5b8032874997125f1fc0de6

Score

10^/10

asyncrat darkcomet warzonerat infostealer persistence rat trojan

Malware Config

Extracted

Family

warzonerat

sandyclark255.hopto.org:5200

Extracted

Family

asyncrat

Version

0.5.6A

sandyclark255.hopto.org:6606

sandyclark255.hopto.org:8808

sandyclark255.hopto.org:7707

Mutex

adweqsds5

Attributes

aes_key
kv5uVyBGd24QqEsgPMVYkssYB7jsYam1
anti_detection
true
autorun
true
bdos
false
delay
host
sandyclark255.hopto.org
hwid
install_file
install_folder
%AppData%
mutex
adweqsds5
pastebin_config
null
port
6606,8808,7707
version
0.5.6A

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers.
rat asyncrat
Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

svlhost.exePPdyN41Iz4JLLYLF.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\Documents\\skypew.exe"	svlhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "\"C:\\Users\\Admin\\AppData\\Roaming\\gWQDM54ylfqI5n0F\\YM8nBkiQr1NY.exe\",explorer.exe"	PPdyN41Iz4JLLYLF.exe

WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat

Async RAT payload 1 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/2724-261-0x000000000E670000-0x000000000E67D000-memory.dmp	asyncrat

Warzone RAT Payload 4 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/1648-74-0x0000000000405CE2-mapping.dmp	warzonerat
behavioral2/memory/1648-72-0x0000000000400000-0x0000000000554000-memory.dmp	warzonerat
behavioral2/memory/1648-77-0x0000000000400000-0x0000000000554000-memory.dmp	warzonerat
behavioral2/memory/4340-170-0x0000000000405CE2-mapping.dmp	warzonerat

Drops file in Drivers directory 1 IoCs

Processes:

svlhost.exe

description ioc process

File opened for modification C:\Windows\system32\drivers\etc\hosts svlhost.exe

description	ioc	process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	svlhost.exe

Executes dropped EXE 14 IoCs

Processes:

PPdyN41Iz4JLLYLF.exe14DkTauLAGHz0Ggs.exe8funtj1VnuWOdAUa.exe5e546zrCH6oUYrme.exeOKTkYEstkDu4UtHi.exePODGRQEfA5aeQaBl.exesvthost.exesvlhost.exevideolc.exevideolc.exevideolc.exewindrvr.exeskypew.exerrsdssdsde.exe

pid	process
200	PPdyN41Iz4JLLYLF.exe
3660	14DkTauLAGHz0Ggs.exe
3524	8funtj1VnuWOdAUa.exe
2652	5e546zrCH6oUYrme.exe
2724	OKTkYEstkDu4UtHi.exe
2120	PODGRQEfA5aeQaBl.exe
3832	svthost.exe
3976	svlhost.exe
3876	videolc.exe
2144	videolc.exe
1648	videolc.exe
2132	windrvr.exe
3996	skypew.exe
1792	rrsdssdsde.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

svlhost.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Control Panel\International\Geo\Nation	svlhost.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

svlhost.exevideolc.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run\skype = "C:\\Users\\Admin\\Documents\\skypew.exe"	svlhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\adobe = "C:\\ProgramData\\windrvr.exe"	videolc.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

9349dedc83ec4d4feb499846694ba241e205023fdec6e3cdd37ac82cc47661b4.exe8funtj1VnuWOdAUa.exe14DkTauLAGHz0Ggs.exePPdyN41Iz4JLLYLF.exe

description	pid	process	target process
PID 3132 set thread context of 3832	3132	9349dedc83ec4d4feb499846694ba241e205023fdec6e3cdd37ac82cc47661b4.exe	svthost.exe
PID 3524 set thread context of 3976	3524	8funtj1VnuWOdAUa.exe	svlhost.exe
PID 3660 set thread context of 1648	3660	14DkTauLAGHz0Ggs.exe	videolc.exe
PID 200 set thread context of 1792	200	PPdyN41Iz4JLLYLF.exe	rrsdssdsde.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 3 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
1900	3132	WerFault.exe	9349dedc83ec4d4feb499846694ba241e205023fdec6e3cdd37ac82cc47661b4.exe
2884	3524	WerFault.exe	8funtj1VnuWOdAUa.exe
3192	3660	WerFault.exe	14DkTauLAGHz0Ggs.exe

Modifies registry class 1 IoCs

Processes:

svlhost.exe

description ioc process

Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance svlhost.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance	svlhost.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

9349dedc83ec4d4feb499846694ba241e205023fdec6e3cdd37ac82cc47661b4.exeWerFault.exe8funtj1VnuWOdAUa.exeWerFault.exe14DkTauLAGHz0Ggs.exeWerFault.exePPdyN41Iz4JLLYLF.exe

pid	process
3132	9349dedc83ec4d4feb499846694ba241e205023fdec6e3cdd37ac82cc47661b4.exe
3132	9349dedc83ec4d4feb499846694ba241e205023fdec6e3cdd37ac82cc47661b4.exe
3132	9349dedc83ec4d4feb499846694ba241e205023fdec6e3cdd37ac82cc47661b4.exe
1900	WerFault.exe
1900	WerFault.exe
1900	WerFault.exe
1900	WerFault.exe
1900	WerFault.exe
1900	WerFault.exe
1900	WerFault.exe
1900	WerFault.exe
1900	WerFault.exe
1900	WerFault.exe
1900	WerFault.exe
1900	WerFault.exe
1900	WerFault.exe
1900	WerFault.exe
1900	WerFault.exe
3524	8funtj1VnuWOdAUa.exe
3524	8funtj1VnuWOdAUa.exe
3524	8funtj1VnuWOdAUa.exe
2884	WerFault.exe
2884	WerFault.exe
2884	WerFault.exe
2884	WerFault.exe
2884	WerFault.exe
2884	WerFault.exe
2884	WerFault.exe
2884	WerFault.exe
2884	WerFault.exe
2884	WerFault.exe
2884	WerFault.exe
2884	WerFault.exe
2884	WerFault.exe
2884	WerFault.exe
2884	WerFault.exe
3660	14DkTauLAGHz0Ggs.exe
3660	14DkTauLAGHz0Ggs.exe
3660	14DkTauLAGHz0Ggs.exe
3660	14DkTauLAGHz0Ggs.exe
3660	14DkTauLAGHz0Ggs.exe
3660	14DkTauLAGHz0Ggs.exe
3660	14DkTauLAGHz0Ggs.exe
3660	14DkTauLAGHz0Ggs.exe
3660	14DkTauLAGHz0Ggs.exe
3660	14DkTauLAGHz0Ggs.exe
3660	14DkTauLAGHz0Ggs.exe
3192	WerFault.exe
3192	WerFault.exe
3192	WerFault.exe
3192	WerFault.exe
3192	WerFault.exe
3192	WerFault.exe
3192	WerFault.exe
3192	WerFault.exe
3192	WerFault.exe
3192	WerFault.exe
3192	WerFault.exe
3192	WerFault.exe
3192	WerFault.exe
3192	WerFault.exe
3192	WerFault.exe
3192	WerFault.exe
200	PPdyN41Iz4JLLYLF.exe

Suspicious use of AdjustPrivilegeToken 40 IoCs

Processes:

9349dedc83ec4d4feb499846694ba241e205023fdec6e3cdd37ac82cc47661b4.exeWerFault.exe8funtj1VnuWOdAUa.exe14DkTauLAGHz0Ggs.exesvlhost.exeWerFault.exePPdyN41Iz4JLLYLF.exeWerFault.exerrsdssdsde.exe

description	pid	process
Token: SeDebugPrivilege	3132	9349dedc83ec4d4feb499846694ba241e205023fdec6e3cdd37ac82cc47661b4.exe
Token: SeDebugPrivilege	3132	9349dedc83ec4d4feb499846694ba241e205023fdec6e3cdd37ac82cc47661b4.exe
Token: SeRestorePrivilege	1900	WerFault.exe
Token: SeBackupPrivilege	1900	WerFault.exe
Token: SeDebugPrivilege	3524	8funtj1VnuWOdAUa.exe
Token: SeDebugPrivilege	3524	8funtj1VnuWOdAUa.exe
Token: SeDebugPrivilege	1900	WerFault.exe
Token: SeDebugPrivilege	3660	14DkTauLAGHz0Ggs.exe
Token: SeDebugPrivilege	3660	14DkTauLAGHz0Ggs.exe
Token: SeIncreaseQuotaPrivilege	3976	svlhost.exe
Token: SeSecurityPrivilege	3976	svlhost.exe
Token: SeTakeOwnershipPrivilege	3976	svlhost.exe
Token: SeLoadDriverPrivilege	3976	svlhost.exe
Token: SeSystemProfilePrivilege	3976	svlhost.exe
Token: SeSystemtimePrivilege	3976	svlhost.exe
Token: SeProfSingleProcessPrivilege	3976	svlhost.exe
Token: SeIncBasePriorityPrivilege	3976	svlhost.exe
Token: SeCreatePagefilePrivilege	3976	svlhost.exe
Token: SeBackupPrivilege	3976	svlhost.exe
Token: SeRestorePrivilege	3976	svlhost.exe
Token: SeShutdownPrivilege	3976	svlhost.exe
Token: SeDebugPrivilege	3976	svlhost.exe
Token: SeSystemEnvironmentPrivilege	3976	svlhost.exe
Token: SeChangeNotifyPrivilege	3976	svlhost.exe
Token: SeRemoteShutdownPrivilege	3976	svlhost.exe
Token: SeUndockPrivilege	3976	svlhost.exe
Token: SeManageVolumePrivilege	3976	svlhost.exe
Token: SeImpersonatePrivilege	3976	svlhost.exe
Token: SeCreateGlobalPrivilege	3976	svlhost.exe
Token: 33	3976	svlhost.exe
Token: 34	3976	svlhost.exe
Token: 35	3976	svlhost.exe
Token: 36	3976	svlhost.exe
Token: SeDebugPrivilege	2884	WerFault.exe
Token: SeDebugPrivilege	200	PPdyN41Iz4JLLYLF.exe
Token: SeDebugPrivilege	200	PPdyN41Iz4JLLYLF.exe
Token: SeDebugPrivilege	3192	WerFault.exe
Token: SeShutdownPrivilege	1792	rrsdssdsde.exe
Token: SeDebugPrivilege	1792	rrsdssdsde.exe
Token: SeTcbPrivilege	1792	rrsdssdsde.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

rrsdssdsde.exe

pid process

1792 rrsdssdsde.exe

pid	process
1792	rrsdssdsde.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

9349dedc83ec4d4feb499846694ba241e205023fdec6e3cdd37ac82cc47661b4.exe8funtj1VnuWOdAUa.exesvlhost.exe14DkTauLAGHz0Ggs.exe

description	pid	process	target process
PID 3132 wrote to memory of 200	3132	9349dedc83ec4d4feb499846694ba241e205023fdec6e3cdd37ac82cc47661b4.exe	PPdyN41Iz4JLLYLF.exe
PID 3132 wrote to memory of 200	3132	9349dedc83ec4d4feb499846694ba241e205023fdec6e3cdd37ac82cc47661b4.exe	PPdyN41Iz4JLLYLF.exe
PID 3132 wrote to memory of 200	3132	9349dedc83ec4d4feb499846694ba241e205023fdec6e3cdd37ac82cc47661b4.exe	PPdyN41Iz4JLLYLF.exe
PID 3132 wrote to memory of 3660	3132	9349dedc83ec4d4feb499846694ba241e205023fdec6e3cdd37ac82cc47661b4.exe	14DkTauLAGHz0Ggs.exe
PID 3132 wrote to memory of 3660	3132	9349dedc83ec4d4feb499846694ba241e205023fdec6e3cdd37ac82cc47661b4.exe	14DkTauLAGHz0Ggs.exe
PID 3132 wrote to memory of 3660	3132	9349dedc83ec4d4feb499846694ba241e205023fdec6e3cdd37ac82cc47661b4.exe	14DkTauLAGHz0Ggs.exe
PID 3132 wrote to memory of 3524	3132	9349dedc83ec4d4feb499846694ba241e205023fdec6e3cdd37ac82cc47661b4.exe	8funtj1VnuWOdAUa.exe
PID 3132 wrote to memory of 3524	3132	9349dedc83ec4d4feb499846694ba241e205023fdec6e3cdd37ac82cc47661b4.exe	8funtj1VnuWOdAUa.exe
PID 3132 wrote to memory of 3524	3132	9349dedc83ec4d4feb499846694ba241e205023fdec6e3cdd37ac82cc47661b4.exe	8funtj1VnuWOdAUa.exe
PID 3132 wrote to memory of 2652	3132	9349dedc83ec4d4feb499846694ba241e205023fdec6e3cdd37ac82cc47661b4.exe	5e546zrCH6oUYrme.exe
PID 3132 wrote to memory of 2652	3132	9349dedc83ec4d4feb499846694ba241e205023fdec6e3cdd37ac82cc47661b4.exe	5e546zrCH6oUYrme.exe
PID 3132 wrote to memory of 2652	3132	9349dedc83ec4d4feb499846694ba241e205023fdec6e3cdd37ac82cc47661b4.exe	5e546zrCH6oUYrme.exe
PID 3132 wrote to memory of 2724	3132	9349dedc83ec4d4feb499846694ba241e205023fdec6e3cdd37ac82cc47661b4.exe	OKTkYEstkDu4UtHi.exe
PID 3132 wrote to memory of 2724	3132	9349dedc83ec4d4feb499846694ba241e205023fdec6e3cdd37ac82cc47661b4.exe	OKTkYEstkDu4UtHi.exe
PID 3132 wrote to memory of 2724	3132	9349dedc83ec4d4feb499846694ba241e205023fdec6e3cdd37ac82cc47661b4.exe	OKTkYEstkDu4UtHi.exe
PID 3132 wrote to memory of 2120	3132	9349dedc83ec4d4feb499846694ba241e205023fdec6e3cdd37ac82cc47661b4.exe	PODGRQEfA5aeQaBl.exe
PID 3132 wrote to memory of 2120	3132	9349dedc83ec4d4feb499846694ba241e205023fdec6e3cdd37ac82cc47661b4.exe	PODGRQEfA5aeQaBl.exe
PID 3132 wrote to memory of 2120	3132	9349dedc83ec4d4feb499846694ba241e205023fdec6e3cdd37ac82cc47661b4.exe	PODGRQEfA5aeQaBl.exe
PID 3132 wrote to memory of 3832	3132	9349dedc83ec4d4feb499846694ba241e205023fdec6e3cdd37ac82cc47661b4.exe	svthost.exe
PID 3132 wrote to memory of 3832	3132	9349dedc83ec4d4feb499846694ba241e205023fdec6e3cdd37ac82cc47661b4.exe	svthost.exe
PID 3132 wrote to memory of 3832	3132	9349dedc83ec4d4feb499846694ba241e205023fdec6e3cdd37ac82cc47661b4.exe	svthost.exe
PID 3132 wrote to memory of 3832	3132	9349dedc83ec4d4feb499846694ba241e205023fdec6e3cdd37ac82cc47661b4.exe	svthost.exe
PID 3132 wrote to memory of 3832	3132	9349dedc83ec4d4feb499846694ba241e205023fdec6e3cdd37ac82cc47661b4.exe	svthost.exe
PID 3132 wrote to memory of 3832	3132	9349dedc83ec4d4feb499846694ba241e205023fdec6e3cdd37ac82cc47661b4.exe	svthost.exe
PID 3132 wrote to memory of 3832	3132	9349dedc83ec4d4feb499846694ba241e205023fdec6e3cdd37ac82cc47661b4.exe	svthost.exe
PID 3132 wrote to memory of 3832	3132	9349dedc83ec4d4feb499846694ba241e205023fdec6e3cdd37ac82cc47661b4.exe	svthost.exe
PID 3132 wrote to memory of 3832	3132	9349dedc83ec4d4feb499846694ba241e205023fdec6e3cdd37ac82cc47661b4.exe	svthost.exe
PID 3132 wrote to memory of 3832	3132	9349dedc83ec4d4feb499846694ba241e205023fdec6e3cdd37ac82cc47661b4.exe	svthost.exe
PID 3132 wrote to memory of 3832	3132	9349dedc83ec4d4feb499846694ba241e205023fdec6e3cdd37ac82cc47661b4.exe	svthost.exe
PID 3132 wrote to memory of 3832	3132	9349dedc83ec4d4feb499846694ba241e205023fdec6e3cdd37ac82cc47661b4.exe	svthost.exe
PID 3524 wrote to memory of 3976	3524	8funtj1VnuWOdAUa.exe	svlhost.exe
PID 3524 wrote to memory of 3976	3524	8funtj1VnuWOdAUa.exe	svlhost.exe
PID 3524 wrote to memory of 3976	3524	8funtj1VnuWOdAUa.exe	svlhost.exe
PID 3524 wrote to memory of 3976	3524	8funtj1VnuWOdAUa.exe	svlhost.exe
PID 3524 wrote to memory of 3976	3524	8funtj1VnuWOdAUa.exe	svlhost.exe
PID 3524 wrote to memory of 3976	3524	8funtj1VnuWOdAUa.exe	svlhost.exe
PID 3524 wrote to memory of 3976	3524	8funtj1VnuWOdAUa.exe	svlhost.exe
PID 3524 wrote to memory of 3976	3524	8funtj1VnuWOdAUa.exe	svlhost.exe
PID 3524 wrote to memory of 3976	3524	8funtj1VnuWOdAUa.exe	svlhost.exe
PID 3524 wrote to memory of 3976	3524	8funtj1VnuWOdAUa.exe	svlhost.exe
PID 3524 wrote to memory of 3976	3524	8funtj1VnuWOdAUa.exe	svlhost.exe
PID 3524 wrote to memory of 3976	3524	8funtj1VnuWOdAUa.exe	svlhost.exe
PID 3976 wrote to memory of 3604	3976	svlhost.exe	notepad.exe
PID 3976 wrote to memory of 3604	3976	svlhost.exe	notepad.exe
PID 3976 wrote to memory of 3604	3976	svlhost.exe	notepad.exe
PID 3976 wrote to memory of 3604	3976	svlhost.exe	notepad.exe
PID 3976 wrote to memory of 3604	3976	svlhost.exe	notepad.exe
PID 3976 wrote to memory of 3604	3976	svlhost.exe	notepad.exe
PID 3976 wrote to memory of 3604	3976	svlhost.exe	notepad.exe
PID 3976 wrote to memory of 3604	3976	svlhost.exe	notepad.exe
PID 3976 wrote to memory of 3604	3976	svlhost.exe	notepad.exe
PID 3976 wrote to memory of 3604	3976	svlhost.exe	notepad.exe
PID 3976 wrote to memory of 3604	3976	svlhost.exe	notepad.exe
PID 3976 wrote to memory of 3604	3976	svlhost.exe	notepad.exe
PID 3976 wrote to memory of 3604	3976	svlhost.exe	notepad.exe
PID 3976 wrote to memory of 3604	3976	svlhost.exe	notepad.exe
PID 3976 wrote to memory of 3604	3976	svlhost.exe	notepad.exe
PID 3976 wrote to memory of 3604	3976	svlhost.exe	notepad.exe
PID 3976 wrote to memory of 3604	3976	svlhost.exe	notepad.exe
PID 3660 wrote to memory of 3876	3660	14DkTauLAGHz0Ggs.exe	videolc.exe
PID 3660 wrote to memory of 3876	3660	14DkTauLAGHz0Ggs.exe	videolc.exe
PID 3660 wrote to memory of 3876	3660	14DkTauLAGHz0Ggs.exe	videolc.exe
PID 3660 wrote to memory of 2144	3660	14DkTauLAGHz0Ggs.exe	videolc.exe
PID 3660 wrote to memory of 2144	3660	14DkTauLAGHz0Ggs.exe	videolc.exe

C:\Users\Admin\AppData\Local\Temp\9349dedc83ec4d4feb499846694ba241e205023fdec6e3cdd37ac82cc47661b4.exe
"C:\Users\Admin\AppData\Local\Temp\9349dedc83ec4d4feb499846694ba241e205023fdec6e3cdd37ac82cc47661b4.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3132

C:\Users\Admin\AppData\Local\Temp\PPdyN41Iz4JLLYLF.exe
"C:\Users\Admin\AppData\Local\Temp\PPdyN41Iz4JLLYLF.exe"
2⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:200

C:\Users\Admin\AppData\Local\Temp\UF1nC59nKyZO0dkn\rrsdssdsde.exe
"C:\Users\Admin\AppData\Local\Temp\UF1nC59nKyZO0dkn\rrsdssdsde.exe"
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1792

C:\Users\Admin\AppData\Local\Temp\14DkTauLAGHz0Ggs.exe
"C:\Users\Admin\AppData\Local\Temp\14DkTauLAGHz0Ggs.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3660

C:\Users\Admin\AppData\Local\Temp\Z4TG0oA3duRtVosP\videolc.exe
"C:\Users\Admin\AppData\Local\Temp\Z4TG0oA3duRtVosP\videolc.exe"
3⤵
- Executes dropped EXE
PID:3876

C:\Users\Admin\AppData\Local\Temp\Z4TG0oA3duRtVosP\videolc.exe
"C:\Users\Admin\AppData\Local\Temp\Z4TG0oA3duRtVosP\videolc.exe"
3⤵
- Executes dropped EXE
PID:2144

C:\Users\Admin\AppData\Local\Temp\Z4TG0oA3duRtVosP\videolc.exe
"C:\Users\Admin\AppData\Local\Temp\Z4TG0oA3duRtVosP\videolc.exe"
3⤵
- Executes dropped EXE
- Adds Run key to start application
PID:1648

C:\ProgramData\windrvr.exe
"C:\ProgramData\windrvr.exe"
4⤵
- Executes dropped EXE
PID:2132

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3660 -s 1088
3⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3192

C:\Users\Admin\AppData\Local\Temp\8funtj1VnuWOdAUa.exe
"C:\Users\Admin\AppData\Local\Temp\8funtj1VnuWOdAUa.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3524

C:\Users\Admin\AppData\Local\Temp\3M5545LrtWIfsfdC\svlhost.exe
"C:\Users\Admin\AppData\Local\Temp\3M5545LrtWIfsfdC\svlhost.exe"
3⤵
- Modifies WinLogon for persistence
- Drops file in Drivers directory
- Executes dropped EXE
- Checks computer location settings
- Adds Run key to start application
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3976

C:\Windows\SysWOW64\notepad.exe
notepad
4⤵
PID:3604

C:\Users\Admin\Documents\skypew.exe
"C:\Users\Admin\Documents\skypew.exe"
4⤵
- Executes dropped EXE
PID:3996

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3524 -s 1072
3⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2884

C:\Users\Admin\AppData\Local\Temp\5e546zrCH6oUYrme.exe
"C:\Users\Admin\AppData\Local\Temp\5e546zrCH6oUYrme.exe"
2⤵
- Executes dropped EXE
PID:2652

C:\Users\Admin\AppData\Local\Temp\OKTkYEstkDu4UtHi.exe
"C:\Users\Admin\AppData\Local\Temp\OKTkYEstkDu4UtHi.exe"
2⤵
- Executes dropped EXE
PID:2724

C:\Users\Admin\AppData\Local\Temp\PODGRQEfA5aeQaBl.exe
"C:\Users\Admin\AppData\Local\Temp\PODGRQEfA5aeQaBl.exe"
2⤵
- Executes dropped EXE
PID:2120

C:\Users\Admin\AppData\Local\Temp\eU4Zi2RY521LBL3Z\svthost.exe
"C:\Users\Admin\AppData\Local\Temp\eU4Zi2RY521LBL3Z\svthost.exe"
2⤵
- Executes dropped EXE
PID:3832

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3132 -s 1584
2⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1900

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

T1004

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\windrvr.exe

Download Submit
C:\ProgramData\windrvr.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\14DkTauLAGHz0Ggs.exe
MD5
67247ee85391a318a2cf047ad3636108

SHA1
2e099ba12ab1044d96f96bf69d45af31a3089802

SHA256
c04afce12a4a547bd3c1de6bcc7188ff389bbb69f61221566362f26158752b73

SHA512
14c5d9422990afac279f7e5f5b487d5a864505450b264cecaaa6766c7cbf5186195c6f54b37056226af83ea1ad0270916a90eeeab6aff07c12858825f0c79d82

Download Submit
C:\Users\Admin\AppData\Local\Temp\14DkTauLAGHz0Ggs.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\3M5545LrtWIfsfdC\svlhost.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\3M5545LrtWIfsfdC\svlhost.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\3M5545LrtWIfsfdC\svlhost.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\3M5545LrtWIfsfdC\svlhost.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\5e546zrCH6oUYrme.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\5e546zrCH6oUYrme.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\8funtj1VnuWOdAUa.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\8funtj1VnuWOdAUa.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\OKTkYEstkDu4UtHi.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\OKTkYEstkDu4UtHi.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\PODGRQEfA5aeQaBl.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\PODGRQEfA5aeQaBl.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\PPdyN41Iz4JLLYLF.exe
MD5
23b7d71312a305d0d8adb3d41d1fba5e

SHA1
9ef3530c30f8414e623d5c27500c4ba920775b12

SHA256
63d929179451809fdd3fe4634465dacf1f568ae92c3b1ff52255d6bf94280b38

SHA512
0aea917e9322c0a34bfc7d2b60c2b1f160849b5c6e632bca27a68e3ebb09f974e76bf4034927b7d9d85c3a2aa233b2962b40e8b4c673b86ee6ba26384b86f176

Download Submit
C:\Users\Admin\AppData\Local\Temp\PPdyN41Iz4JLLYLF.exe
MD5
23b7d71312a305d0d8adb3d41d1fba5e

SHA1
9ef3530c30f8414e623d5c27500c4ba920775b12

SHA256
63d929179451809fdd3fe4634465dacf1f568ae92c3b1ff52255d6bf94280b38

SHA512
0aea917e9322c0a34bfc7d2b60c2b1f160849b5c6e632bca27a68e3ebb09f974e76bf4034927b7d9d85c3a2aa233b2962b40e8b4c673b86ee6ba26384b86f176

Download Submit
C:\Users\Admin\AppData\Local\Temp\UF1nC59nKyZO0dkn\rrsdssdsde.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\UF1nC59nKyZO0dkn\rrsdssdsde.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\Z4TG0oA3duRtVosP\videolc.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\Z4TG0oA3duRtVosP\videolc.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\Z4TG0oA3duRtVosP\videolc.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\Z4TG0oA3duRtVosP\videolc.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\Z4TG0oA3duRtVosP\videolc.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\Z4TG0oA3duRtVosP\videolc.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\eU4Zi2RY521LBL3Z\svthost.exe

Download Submit
C:\Users\Admin\Documents\skypew.exe

Download Submit
C:\Users\Admin\Documents\skypew.exe

Download Submit
memory/200-0-0x0000000000000000-mapping.dmp

Download
memory/1648-77-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/1648-72-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/1648-74-0x0000000000405CE2-mapping.dmp

Download
memory/1792-111-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/1792-113-0x000000000046A08C-mapping.dmp

Download
memory/1792-118-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/1900-30-0x0000000005970000-0x0000000005971000-memory.dmp

Filesize
4KB

Download
memory/1900-26-0x0000000004E20000-0x0000000004E21000-memory.dmp

Filesize
4KB

Download
memory/1900-25-0x0000000004E20000-0x0000000004E21000-memory.dmp

Filesize
4KB

Download
memory/2120-13-0x0000000000000000-mapping.dmp

Download
memory/2132-191-0x0000000000000000-mapping.dmp

Download
memory/2132-100-0x0000000000000000-mapping.dmp

Download
memory/2132-210-0x0000000000000000-mapping.dmp

Download
memory/2132-217-0x0000000000000000-mapping.dmp

Download
memory/2132-208-0x0000000000000000-mapping.dmp

Download
memory/2132-192-0x0000000000000000-mapping.dmp

Download
memory/2132-207-0x0000000000000000-mapping.dmp

Download
memory/2132-189-0x0000000000000000-mapping.dmp

Download
memory/2132-187-0x0000000000000000-mapping.dmp

Download
memory/2132-185-0x0000000000000000-mapping.dmp

Download
memory/2132-183-0x0000000000000000-mapping.dmp

Download
memory/2132-213-0x0000000000000000-mapping.dmp

Download
memory/2652-9-0x0000000000000000-mapping.dmp

Download
memory/2724-21-0x0000000070D60000-0x000000007144E000-memory.dmp

Filesize
6.9MB

Download
memory/2724-10-0x0000000000000000-mapping.dmp

Download
memory/2724-148-0x0000000002A50000-0x0000000002A6D000-memory.dmp

Filesize
116KB

Download
memory/2724-28-0x0000000004FE0000-0x0000000004FE1000-memory.dmp

Filesize
4KB

Download
memory/2724-22-0x0000000000740000-0x0000000000741000-memory.dmp

Filesize
4KB

Download
memory/2724-261-0x000000000E670000-0x000000000E67D000-memory.dmp

Filesize
52KB

Download
memory/2724-24-0x0000000005600000-0x0000000005601000-memory.dmp

Filesize
4KB

Download
memory/2724-31-0x0000000005090000-0x0000000005091000-memory.dmp

Filesize
4KB

Download
memory/2884-53-0x0000000004400000-0x0000000004401000-memory.dmp

Filesize
4KB

Download
memory/2884-65-0x0000000004B00000-0x0000000004B01000-memory.dmp

Filesize
4KB

Download
memory/3192-83-0x0000000004590000-0x0000000004591000-memory.dmp

Filesize
4KB

Download
memory/3192-103-0x0000000005160000-0x0000000005161000-memory.dmp

Filesize
4KB

Download
memory/3524-165-0x0000000000000000-mapping.dmp

Download
memory/3524-161-0x0000000000000000-mapping.dmp

Download
memory/3524-62-0x0000000000000000-mapping.dmp

Download
memory/3524-61-0x0000000000000000-mapping.dmp

Download
memory/3524-63-0x0000000000000000-mapping.dmp

Download
memory/3524-60-0x0000000000000000-mapping.dmp

Download
memory/3524-59-0x0000000000000000-mapping.dmp

Download
memory/3524-172-0x0000000000000000-mapping.dmp

Download
memory/3524-6-0x0000000000000000-mapping.dmp

Download
memory/3524-168-0x0000000000000000-mapping.dmp

Download
memory/3524-162-0x0000000000000000-mapping.dmp

Download
memory/3524-57-0x0000000000000000-mapping.dmp

Download
memory/3604-58-0x0000000000000000-mapping.dmp

Download
memory/3604-56-0x0000000002CD0000-0x0000000002CD1000-memory.dmp

Filesize
4KB

Download
memory/3604-55-0x0000000000000000-mapping.dmp

Download
memory/3660-91-0x0000000000000000-mapping.dmp

Download
memory/3660-120-0x0000000000000000-mapping.dmp

Download
memory/3660-96-0x0000000000000000-mapping.dmp

Download
memory/3660-89-0x0000000000000000-mapping.dmp

Download
memory/3660-3-0x0000000000000000-mapping.dmp

Download
memory/3660-87-0x0000000000000000-mapping.dmp

Download
memory/3660-98-0x0000000000000000-mapping.dmp

Download
memory/3660-115-0x0000000000000000-mapping.dmp

Download
memory/3660-122-0x0000000000000000-mapping.dmp

Download
memory/3660-126-0x0000000000000000-mapping.dmp

Download
memory/3660-94-0x0000000000000000-mapping.dmp

Download
memory/3660-124-0x0000000000000000-mapping.dmp

Download
memory/3832-19-0x000000000048F888-mapping.dmp

Download
memory/3832-18-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/3976-47-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/3976-42-0x000000000048F888-mapping.dmp

Download
memory/3976-40-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/3996-249-0x0000000000000000-mapping.dmp

Download
memory/3996-256-0x0000000000000000-mapping.dmp

Download
memory/3996-253-0x0000000000000000-mapping.dmp

Download
memory/3996-252-0x0000000000000000-mapping.dmp

Download
memory/3996-251-0x0000000000000000-mapping.dmp

Download
memory/3996-250-0x0000000000000000-mapping.dmp

Download
memory/3996-104-0x0000000000000000-mapping.dmp

Download
memory/3996-248-0x0000000000000000-mapping.dmp

Download
memory/3996-260-0x0000000000000000-mapping.dmp

Download
memory/3996-259-0x0000000000000000-mapping.dmp

Download
memory/3996-255-0x0000000000000000-mapping.dmp

Download
memory/3996-257-0x0000000000000000-mapping.dmp

Download
memory/4340-170-0x0000000000405CE2-mapping.dmp

Download
memory/4440-195-0x0000000005150000-0x0000000005151000-memory.dmp

Filesize
4KB

Download
memory/4440-179-0x00000000047E0000-0x00000000047E1000-memory.dmp

Filesize
4KB

Download
memory/4576-212-0x0000000000B60000-0x0000000000B61000-memory.dmp

Filesize
4KB

Download
memory/4576-197-0x0000000000000000-mapping.dmp

Download
memory/4576-215-0x0000000000000000-mapping.dmp

Download
memory/4828-240-0x000000000048F888-mapping.dmp

Download
memory/4828-242-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/4872-246-0x0000000000000000-mapping.dmp

Download
memory/4872-245-0x0000000002600000-0x0000000002601000-memory.dmp

Filesize
4KB

Download
memory/4872-244-0x0000000000000000-mapping.dmp

Download
memory/4892-254-0x0000000005420000-0x0000000005421000-memory.dmp

Filesize
4KB

Download
memory/4892-247-0x00000000048D0000-0x00000000048D1000-memory.dmp

Filesize
4KB

Download