asyncrat | 404bd9129e5278d4b52da95e23861e32883f8c31daefc7a8ca7dbff279b84111

Analysis

max time kernel
102s
max time network
99s
platform
windows10_x64
resource
win10-en-20211014
submitted
24-10-2021 05:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

05D8A8BF79967E16AA9CF2901D0B51727C5F85414D94E9A1285145ABF3398982.exe
Size

3.1MB
MD5

9aad21656226a1e5faecd8845f6bf5f6
SHA1

c842abda589d1a9e70b4201e92b84294e396604f
SHA256

05d8a8bf79967e16aa9cf2901d0b51727c5f85414d94e9a1285145abf3398982
SHA512

0f3443509607616649d6d804d17b53a8b7b05c82835958d9237660aa86881e28e43386d984b42776f53601f47dc639af0f15c3af47d0a7e47921ffbfa551605d

Score

10^/10

asyncrat quasar default pro21 discovery rat spyware trojan

Malware Config

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

Default

pettbull.ddns.net:6606

pettbull.ddns.net:7707

pettbull.ddns.net:8808

Mutex

AsyncMutex_6SI8OkPnk

Attributes

anti_vm
false
bsod
false
delay
3
install
false
install_folder
%AppData%
pastebin_config
null

aes.plain

Extracted

Family

quasar

Version

1.4.0

Botnet

PRO21

pettbull.ddns.net:4782

Mutex

23e7ca58-8298-4c9f-b276-3466dcf2cfc0

Attributes

encryption_key
DAE9E02E5E04D59D9AF2AA1D5E82248D5919AC6A
install_name
Windows Update.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Microsoft Windows
subdirectory
System32

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers.
rat asyncrat

Quasar Payload 3 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1928-195-0x0000000000400000-0x0000000000484000-memory.dmp	family_quasar
behavioral2/memory/1928-196-0x000000000047E7CE-mapping.dmp	family_quasar
behavioral2/memory/1928-208-0x00000000051E0000-0x00000000056DE000-memory.dmp	family_quasar

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Async RAT payload 2 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/2636-148-0x000000000040C73E-mapping.dmp	asyncrat
behavioral2/memory/2636-147-0x0000000000400000-0x0000000000412000-memory.dmp	asyncrat

Executes dropped EXE 5 IoCs

Processes:

svchost.exesvchost.exeHost.exeHost.exeSet-up.exe

pid process

3740 svchost.exe
2636 svchost.exe
1368 Host.exe
1928 Host.exe
3488 Set-up.exe

pid	process
3740	svchost.exe
2636	svchost.exe
1368	Host.exe
1928	Host.exe
3488	Set-up.exe

Drops startup file 3 IoCs

Processes:

PowerShell.exePowerShell.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\System32.exe	PowerShell.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\System32.exe	PowerShell.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\System32.exe	PowerShell.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

35 api.ipify.org
36 api.ipify.org

flow	ioc
35	api.ipify.org
36	api.ipify.org

Suspicious use of SetThreadContext 2 IoCs

Processes:

svchost.exeHost.exe

description	pid	process	target process
PID 3740 set thread context of 2636	3740	svchost.exe	svchost.exe
PID 1368 set thread context of 1928	1368	Host.exe	Host.exe

Drops file in Program Files directory 3 IoCs

Processes:

05D8A8BF79967E16AA9CF2901D0B51727C5F85414D94E9A1285145ABF3398982.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Adobe Inc\Adobe Installer\Set-up.exe	05D8A8BF79967E16AA9CF2901D0B51727C5F85414D94E9A1285145ABF3398982.exe
File opened for modification	C:\Program Files (x86)\Adobe Inc\Adobe Installer\Uninstall.exe	05D8A8BF79967E16AA9CF2901D0B51727C5F85414D94E9A1285145ABF3398982.exe
File created	C:\Program Files (x86)\Adobe Inc\Adobe Installer\Uninstall.ini	05D8A8BF79967E16AA9CF2901D0B51727C5F85414D94E9A1285145ABF3398982.exe

Drops file in Windows directory 2 IoCs

Processes:

taskmgr.exe

description	ioc	process
File created	C:\Windows\rescache\_merged\4183903823\1195458082.pri	taskmgr.exe
File created	C:\Windows\rescache\_merged\1601268389\3068621934.pri	taskmgr.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

taskmgr.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\FriendlyName	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

Processes:

Set-up.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	Set-up.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\Set-up.exe = "11001"	Set-up.exe

Modifies system certificate store 2 TTPs 5 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

Set-up.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 5c000000010000000400000000080000190000000100000010000000749966cecc95c1874194ca7203f9b6200300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f6200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa604000000010000001000000087ce0b7b2a0e4900e158719b37a893722000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	Set-up.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43	Set-up.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 0f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c14000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d432000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	Set-up.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 190000000100000010000000749966cecc95c1874194ca7203f9b6200300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f6200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa62000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	Set-up.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 04000000010000001000000087ce0b7b2a0e4900e158719b37a893720f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c14000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d43190000000100000010000000749966cecc95c1874194ca7203f9b6202000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	Set-up.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

PowerShell.exePowerShell.exetaskmgr.exe

pid	process
636	PowerShell.exe
636	PowerShell.exe
636	PowerShell.exe
2428	PowerShell.exe
2428	PowerShell.exe
2428	PowerShell.exe
2552	taskmgr.exe
2552	taskmgr.exe
2552	taskmgr.exe
2552	taskmgr.exe
2552	taskmgr.exe
2552	taskmgr.exe
2552	taskmgr.exe
2552	taskmgr.exe
2552	taskmgr.exe
2552	taskmgr.exe
2552	taskmgr.exe
2552	taskmgr.exe
2552	taskmgr.exe
2552	taskmgr.exe
2552	taskmgr.exe
2552	taskmgr.exe
2552	taskmgr.exe
2552	taskmgr.exe
2552	taskmgr.exe
2552	taskmgr.exe
2552	taskmgr.exe
2552	taskmgr.exe
2552	taskmgr.exe
2552	taskmgr.exe
2552	taskmgr.exe
2552	taskmgr.exe
2552	taskmgr.exe
2552	taskmgr.exe
2552	taskmgr.exe
2552	taskmgr.exe
2552	taskmgr.exe
2552	taskmgr.exe
2552	taskmgr.exe
2552	taskmgr.exe
2552	taskmgr.exe
2552	taskmgr.exe
2552	taskmgr.exe
2552	taskmgr.exe
2552	taskmgr.exe
2552	taskmgr.exe
2552	taskmgr.exe
2552	taskmgr.exe
2552	taskmgr.exe
2552	taskmgr.exe
2552	taskmgr.exe
2552	taskmgr.exe
2552	taskmgr.exe
2552	taskmgr.exe
2552	taskmgr.exe
2552	taskmgr.exe
2552	taskmgr.exe
2552	taskmgr.exe
2552	taskmgr.exe
2552	taskmgr.exe
2552	taskmgr.exe
2552	taskmgr.exe
2552	taskmgr.exe
2552	taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

taskmgr.exe

pid process

2552 taskmgr.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

Processes:

PowerShell.exesvchost.exePowerShell.exetaskmgr.exesvchost.exeHost.exeHost.exe

description	pid	process
Token: SeDebugPrivilege	636	PowerShell.exe
Token: SeDebugPrivilege	3740	svchost.exe
Token: SeDebugPrivilege	2428	PowerShell.exe
Token: SeDebugPrivilege	2552	taskmgr.exe
Token: SeSystemProfilePrivilege	2552	taskmgr.exe
Token: SeCreateGlobalPrivilege	2552	taskmgr.exe
Token: SeDebugPrivilege	2636	svchost.exe
Token: SeDebugPrivilege	1368	Host.exe
Token: SeDebugPrivilege	1928	Host.exe

Suspicious use of FindShellTrayWindow 52 IoCs

Processes:

taskmgr.exeSet-up.exe

pid	process
2552	taskmgr.exe
2552	taskmgr.exe
2552	taskmgr.exe
2552	taskmgr.exe
2552	taskmgr.exe
2552	taskmgr.exe
2552	taskmgr.exe
2552	taskmgr.exe
2552	taskmgr.exe
2552	taskmgr.exe
2552	taskmgr.exe
2552	taskmgr.exe
2552	taskmgr.exe
2552	taskmgr.exe
2552	taskmgr.exe
2552	taskmgr.exe
2552	taskmgr.exe
2552	taskmgr.exe
2552	taskmgr.exe
2552	taskmgr.exe
2552	taskmgr.exe
2552	taskmgr.exe
2552	taskmgr.exe
2552	taskmgr.exe
2552	taskmgr.exe
2552	taskmgr.exe
3488	Set-up.exe
2552	taskmgr.exe
2552	taskmgr.exe
2552	taskmgr.exe
2552	taskmgr.exe
2552	taskmgr.exe
2552	taskmgr.exe
2552	taskmgr.exe
2552	taskmgr.exe
2552	taskmgr.exe
2552	taskmgr.exe
2552	taskmgr.exe
2552	taskmgr.exe
2552	taskmgr.exe
2552	taskmgr.exe
2552	taskmgr.exe
2552	taskmgr.exe
2552	taskmgr.exe
2552	taskmgr.exe
2552	taskmgr.exe
2552	taskmgr.exe
2552	taskmgr.exe
2552	taskmgr.exe
2552	taskmgr.exe
2552	taskmgr.exe
2552	taskmgr.exe

Suspicious use of SendNotifyMessage 51 IoCs

Processes:

taskmgr.exe

pid	process
2552	taskmgr.exe
2552	taskmgr.exe
2552	taskmgr.exe
2552	taskmgr.exe
2552	taskmgr.exe
2552	taskmgr.exe
2552	taskmgr.exe
2552	taskmgr.exe
2552	taskmgr.exe
2552	taskmgr.exe
2552	taskmgr.exe
2552	taskmgr.exe
2552	taskmgr.exe
2552	taskmgr.exe
2552	taskmgr.exe
2552	taskmgr.exe
2552	taskmgr.exe
2552	taskmgr.exe
2552	taskmgr.exe
2552	taskmgr.exe
2552	taskmgr.exe
2552	taskmgr.exe
2552	taskmgr.exe
2552	taskmgr.exe
2552	taskmgr.exe
2552	taskmgr.exe
2552	taskmgr.exe
2552	taskmgr.exe
2552	taskmgr.exe
2552	taskmgr.exe
2552	taskmgr.exe
2552	taskmgr.exe
2552	taskmgr.exe
2552	taskmgr.exe
2552	taskmgr.exe
2552	taskmgr.exe
2552	taskmgr.exe
2552	taskmgr.exe
2552	taskmgr.exe
2552	taskmgr.exe
2552	taskmgr.exe
2552	taskmgr.exe
2552	taskmgr.exe
2552	taskmgr.exe
2552	taskmgr.exe
2552	taskmgr.exe
2552	taskmgr.exe
2552	taskmgr.exe
2552	taskmgr.exe
2552	taskmgr.exe
2552	taskmgr.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

Host.exe

pid process

1928 Host.exe

pid	process
1928	Host.exe

Suspicious use of WriteProcessMemory 31 IoCs

Processes:

05D8A8BF79967E16AA9CF2901D0B51727C5F85414D94E9A1285145ABF3398982.exesvchost.exeHost.exe

description	pid	process	target process
PID 2744 wrote to memory of 3740	2744	05D8A8BF79967E16AA9CF2901D0B51727C5F85414D94E9A1285145ABF3398982.exe	svchost.exe
PID 2744 wrote to memory of 3740	2744	05D8A8BF79967E16AA9CF2901D0B51727C5F85414D94E9A1285145ABF3398982.exe	svchost.exe
PID 2744 wrote to memory of 3740	2744	05D8A8BF79967E16AA9CF2901D0B51727C5F85414D94E9A1285145ABF3398982.exe	svchost.exe
PID 3740 wrote to memory of 636	3740	svchost.exe	PowerShell.exe
PID 3740 wrote to memory of 636	3740	svchost.exe	PowerShell.exe
PID 3740 wrote to memory of 636	3740	svchost.exe	PowerShell.exe
PID 3740 wrote to memory of 2636	3740	svchost.exe	svchost.exe
PID 3740 wrote to memory of 2636	3740	svchost.exe	svchost.exe
PID 3740 wrote to memory of 2636	3740	svchost.exe	svchost.exe
PID 3740 wrote to memory of 2636	3740	svchost.exe	svchost.exe
PID 3740 wrote to memory of 2636	3740	svchost.exe	svchost.exe
PID 3740 wrote to memory of 2636	3740	svchost.exe	svchost.exe
PID 3740 wrote to memory of 2636	3740	svchost.exe	svchost.exe
PID 3740 wrote to memory of 2636	3740	svchost.exe	svchost.exe
PID 2744 wrote to memory of 1368	2744	05D8A8BF79967E16AA9CF2901D0B51727C5F85414D94E9A1285145ABF3398982.exe	Host.exe
PID 2744 wrote to memory of 1368	2744	05D8A8BF79967E16AA9CF2901D0B51727C5F85414D94E9A1285145ABF3398982.exe	Host.exe
PID 2744 wrote to memory of 1368	2744	05D8A8BF79967E16AA9CF2901D0B51727C5F85414D94E9A1285145ABF3398982.exe	Host.exe
PID 1368 wrote to memory of 2428	1368	Host.exe	PowerShell.exe
PID 1368 wrote to memory of 2428	1368	Host.exe	PowerShell.exe
PID 1368 wrote to memory of 2428	1368	Host.exe	PowerShell.exe
PID 1368 wrote to memory of 1928	1368	Host.exe	Host.exe
PID 1368 wrote to memory of 1928	1368	Host.exe	Host.exe
PID 1368 wrote to memory of 1928	1368	Host.exe	Host.exe
PID 1368 wrote to memory of 1928	1368	Host.exe	Host.exe
PID 1368 wrote to memory of 1928	1368	Host.exe	Host.exe
PID 1368 wrote to memory of 1928	1368	Host.exe	Host.exe
PID 1368 wrote to memory of 1928	1368	Host.exe	Host.exe
PID 1368 wrote to memory of 1928	1368	Host.exe	Host.exe
PID 2744 wrote to memory of 3488	2744	05D8A8BF79967E16AA9CF2901D0B51727C5F85414D94E9A1285145ABF3398982.exe	Set-up.exe
PID 2744 wrote to memory of 3488	2744	05D8A8BF79967E16AA9CF2901D0B51727C5F85414D94E9A1285145ABF3398982.exe	Set-up.exe
PID 2744 wrote to memory of 3488	2744	05D8A8BF79967E16AA9CF2901D0B51727C5F85414D94E9A1285145ABF3398982.exe	Set-up.exe

C:\Users\Admin\AppData\Local\Temp\05D8A8BF79967E16AA9CF2901D0B51727C5F85414D94E9A1285145ABF3398982.exe
"C:\Users\Admin\AppData\Local\Temp\05D8A8BF79967E16AA9CF2901D0B51727C5F85414D94E9A1285145ABF3398982.exe"
1⤵
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:2744

C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3740

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\PowerShell.exe
"PowerShell" copy-item 'C:\Users\Admin\AppData\Roaming\svchost.exe' 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\System32.exe'
3⤵
- Drops startup file
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:636

C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe"
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2636

C:\Users\Admin\AppData\Roaming\Host.exe
"C:\Users\Admin\AppData\Roaming\Host.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1368

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\PowerShell.exe
"PowerShell" copy-item 'C:\Users\Admin\AppData\Roaming\Host.exe' 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\System32.exe'
3⤵
- Drops startup file
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2428

C:\Users\Admin\AppData\Roaming\Host.exe
"C:\Users\Admin\AppData\Roaming\Host.exe"
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1928

C:\Program Files (x86)\Adobe Inc\Adobe Installer\Set-up.exe
"C:\Program Files (x86)\Adobe Inc\Adobe Installer\Set-up.exe"
2⤵
- Executes dropped EXE
- Modifies Internet Explorer settings
- Modifies system certificate store
- Suspicious use of FindShellTrayWindow
PID:3488

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2552

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Install Root Certificate

T1130

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Adobe Inc\Adobe Installer\Set-up.exe
MD5
41f159509017d234e08eb4f820bab935

SHA1
1c27a70f922a95f66f58d8e4b7e91d92c84da6e3

SHA256
4460dd8114b5609ea4e9644a659de0f5b188696d27dc8846d633628b3ade7c31

SHA512
0fdbad1473708fbf1116638195881026caab40a5b64ab31ca25a027af81189bf94af403d5b1c35c5561970adaeef648b8ed5ef8c3ba63b163e931787e82636ab

Download Submit
C:\Program Files (x86)\Adobe Inc\Adobe Installer\Set-up.exe
MD5
41f159509017d234e08eb4f820bab935

SHA1
1c27a70f922a95f66f58d8e4b7e91d92c84da6e3

SHA256
4460dd8114b5609ea4e9644a659de0f5b188696d27dc8846d633628b3ade7c31

SHA512
0fdbad1473708fbf1116638195881026caab40a5b64ab31ca25a027af81189bf94af403d5b1c35c5561970adaeef648b8ed5ef8c3ba63b163e931787e82636ab

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Host.exe.log
MD5
31f89a37dd1c6602132edf73d8fd1cb3

SHA1
8599db27f10e8b4201efbfebd42d3f3890a4b0b1

SHA256
32165692323f0947ef81fea90865ed18e79ab0ec185ace6647ce15731de3f40e

SHA512
09bce426d25500895ea274f054609cf6606deece3170911d0c875dd6ca0c3e61cebb02b32bda7ed07258a806f72e72c23d08a10ddcf36b1011742d4248362112

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\PowerShell.exe.log
MD5
6bf0e5945fb9da68e1b03bdaed5f6f8d

SHA1
eed3802c8e4abe3b327c100c99c53d3bbcf8a33d

SHA256
dda58fd16fee83a65c05936b1a070187f2c360024650ecaf857c5e060a6a55f1

SHA512
977a393fdad2b162aa42194ddad6ec8bcab24f81980ff01b1c22c4d59ac268bb5ce947105c968de1a8a66b35023280a1e7709dfea5053385f87141389ebecb25

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\svchost.exe.log
MD5
31f89a37dd1c6602132edf73d8fd1cb3

SHA1
8599db27f10e8b4201efbfebd42d3f3890a4b0b1

SHA256
32165692323f0947ef81fea90865ed18e79ab0ec185ace6647ce15731de3f40e

SHA512
09bce426d25500895ea274f054609cf6606deece3170911d0c875dd6ca0c3e61cebb02b32bda7ed07258a806f72e72c23d08a10ddcf36b1011742d4248362112

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
9796dee16c27bc49f2ca75308b73353b

SHA1
4b12afadf59be39d63b65691cefb4fd4191994ff

SHA256
1024f79d9d83dc92386f8fb3fae47f4068b48235ccdf622e7cd88198ffa065f7

SHA512
6d98614009cbaef3577e263089e2046de4c2e847e1a779236257e0e7bcfc0468a7b7d969b899ff3af7a5b50724c63da52e9e1fade35cd88ec4505a0f74217cb3

Download Submit
C:\Users\Admin\AppData\Roaming\Host.exe
MD5
82d476c05f94eb8fad06b57f4899823e

SHA1
2739b763058cd8aae8efd0ff4e9cfa51b4c2c750

SHA256
abb9f1457f48fb9219e3b5b3360ec892828db320230b24e21b87cdbc9be99658

SHA512
9856a5b9bc6e0fa7562efd4de0ed0e0c11157ac4391d663fc15f13ebc1d2c9988a42c69c41ef1858697806f05a1f93754cf580213d14bb3b4e287fb08985b75f

Download Submit
C:\Users\Admin\AppData\Roaming\Host.exe
MD5
82d476c05f94eb8fad06b57f4899823e

SHA1
2739b763058cd8aae8efd0ff4e9cfa51b4c2c750

SHA256
abb9f1457f48fb9219e3b5b3360ec892828db320230b24e21b87cdbc9be99658

SHA512
9856a5b9bc6e0fa7562efd4de0ed0e0c11157ac4391d663fc15f13ebc1d2c9988a42c69c41ef1858697806f05a1f93754cf580213d14bb3b4e287fb08985b75f

Download Submit
C:\Users\Admin\AppData\Roaming\Host.exe
MD5
82d476c05f94eb8fad06b57f4899823e

SHA1
2739b763058cd8aae8efd0ff4e9cfa51b4c2c750

SHA256
abb9f1457f48fb9219e3b5b3360ec892828db320230b24e21b87cdbc9be99658

SHA512
9856a5b9bc6e0fa7562efd4de0ed0e0c11157ac4391d663fc15f13ebc1d2c9988a42c69c41ef1858697806f05a1f93754cf580213d14bb3b4e287fb08985b75f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\System32.exe
MD5
17348c1d08adf588f96565fed074ceb2

SHA1
e8836e8e3df1fa93d53428d497aef14b5c5ce058

SHA256
49299ae3361dc7868151abacda1a1250c0bb6cd48a1beea7262871b28a68c33c

SHA512
dc77dc6408a052ecc20806b5437da4c4243b135639226e1d37cb951456cf916111ec5da38802dfafe56e48d9a0f9c83f2d79e6d1ccb0b42618c3edb0ffd4967f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\System32.exe
MD5
82d476c05f94eb8fad06b57f4899823e

SHA1
2739b763058cd8aae8efd0ff4e9cfa51b4c2c750

SHA256
abb9f1457f48fb9219e3b5b3360ec892828db320230b24e21b87cdbc9be99658

SHA512
9856a5b9bc6e0fa7562efd4de0ed0e0c11157ac4391d663fc15f13ebc1d2c9988a42c69c41ef1858697806f05a1f93754cf580213d14bb3b4e287fb08985b75f

Download Submit
C:\Users\Admin\AppData\Roaming\svchost.exe
MD5
38039e921eb17d1806f8f87bc318ad99

SHA1
9d407a9625317a56f8b777c1da4dec9c2f7e4e34

SHA256
d27759d0225a1e39557bb7a460b9fdae16f6126adabbc06e4ab27ece6b84a437

SHA512
ece169f7cc92a2d42b460a7c8cc30d1979a3acbdd02278c02a2a79f72ec478ce89b1191a859fd21409e9d68d2e000178a7375f9305b74695c2a874062079bbd3

Download Submit
C:\Users\Admin\AppData\Roaming\svchost.exe
MD5
38039e921eb17d1806f8f87bc318ad99

SHA1
9d407a9625317a56f8b777c1da4dec9c2f7e4e34

SHA256
d27759d0225a1e39557bb7a460b9fdae16f6126adabbc06e4ab27ece6b84a437

SHA512
ece169f7cc92a2d42b460a7c8cc30d1979a3acbdd02278c02a2a79f72ec478ce89b1191a859fd21409e9d68d2e000178a7375f9305b74695c2a874062079bbd3

Download Submit
C:\Users\Admin\AppData\Roaming\svchost.exe
MD5
38039e921eb17d1806f8f87bc318ad99

SHA1
9d407a9625317a56f8b777c1da4dec9c2f7e4e34

SHA256
d27759d0225a1e39557bb7a460b9fdae16f6126adabbc06e4ab27ece6b84a437

SHA512
ece169f7cc92a2d42b460a7c8cc30d1979a3acbdd02278c02a2a79f72ec478ce89b1191a859fd21409e9d68d2e000178a7375f9305b74695c2a874062079bbd3

Download Submit
memory/636-132-0x00000000080E0000-0x00000000080E1000-memory.dmp

Filesize
4KB

Download
memory/636-128-0x00000000071B2000-0x00000000071B3000-memory.dmp

Filesize
4KB

Download
memory/636-122-0x0000000000000000-mapping.dmp

Download
memory/636-133-0x0000000008490000-0x0000000008491000-memory.dmp

Filesize
4KB

Download
memory/636-134-0x0000000008870000-0x0000000008871000-memory.dmp

Filesize
4KB

Download
memory/636-135-0x00000000088C0000-0x00000000088C1000-memory.dmp

Filesize
4KB

Download
memory/636-136-0x0000000004BF0000-0x0000000004BF1000-memory.dmp

Filesize
4KB

Download
memory/636-140-0x0000000009610000-0x0000000009611000-memory.dmp

Filesize
4KB

Download
memory/636-141-0x0000000008BA0000-0x0000000008BA1000-memory.dmp

Filesize
4KB

Download
memory/636-142-0x00000000095A0000-0x00000000095A1000-memory.dmp

Filesize
4KB

Download
memory/636-144-0x0000000004BF0000-0x0000000004BF1000-memory.dmp

Filesize
4KB

Download
memory/636-145-0x00000000071B3000-0x00000000071B4000-memory.dmp

Filesize
4KB

Download
memory/636-123-0x0000000004BF0000-0x0000000004BF1000-memory.dmp

Filesize
4KB

Download
memory/636-131-0x0000000007E90000-0x0000000007E91000-memory.dmp

Filesize
4KB

Download
memory/636-124-0x0000000004BF0000-0x0000000004BF1000-memory.dmp

Filesize
4KB

Download
memory/636-130-0x0000000008070000-0x0000000008071000-memory.dmp

Filesize
4KB

Download
memory/636-129-0x00000000077C0000-0x00000000077C1000-memory.dmp

Filesize
4KB

Download
memory/636-125-0x00000000070E0000-0x00000000070E1000-memory.dmp

Filesize
4KB

Download
memory/636-127-0x00000000071B0000-0x00000000071B1000-memory.dmp

Filesize
4KB

Download
memory/636-126-0x00000000077F0000-0x00000000077F1000-memory.dmp

Filesize
4KB

Download
memory/1368-207-0x0000000005030000-0x000000000552E000-memory.dmp

Filesize
5.0MB

Download
memory/1368-156-0x00000000006A0000-0x00000000006A1000-memory.dmp

Filesize
4KB

Download
memory/1368-153-0x0000000000000000-mapping.dmp

Download
memory/1368-206-0x0000000005030000-0x000000000552E000-memory.dmp

Filesize
5.0MB

Download
memory/1928-209-0x00000000050C0000-0x00000000050C1000-memory.dmp

Filesize
4KB

Download
memory/1928-196-0x000000000047E7CE-mapping.dmp

Download
memory/1928-204-0x00000000050F0000-0x00000000050F1000-memory.dmp

Filesize
4KB

Download
memory/1928-211-0x0000000005630000-0x0000000005631000-memory.dmp

Filesize
4KB

Download
memory/1928-195-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/1928-208-0x00000000051E0000-0x00000000056DE000-memory.dmp

Filesize
5.0MB

Download
memory/1928-210-0x00000000061F0000-0x00000000061F1000-memory.dmp

Filesize
4KB

Download
memory/2428-169-0x0000000005120000-0x0000000005121000-memory.dmp

Filesize
4KB

Download
memory/2428-187-0x0000000003570000-0x0000000003571000-memory.dmp

Filesize
4KB

Download
memory/2428-188-0x0000000005123000-0x0000000005124000-memory.dmp

Filesize
4KB

Download
memory/2428-178-0x0000000003570000-0x0000000003571000-memory.dmp

Filesize
4KB

Download
memory/2428-170-0x0000000005122000-0x0000000005123000-memory.dmp

Filesize
4KB

Download
memory/2428-163-0x0000000003570000-0x0000000003571000-memory.dmp

Filesize
4KB

Download
memory/2428-162-0x0000000003570000-0x0000000003571000-memory.dmp

Filesize
4KB

Download
memory/2428-160-0x0000000000000000-mapping.dmp

Download
memory/2636-148-0x000000000040C73E-mapping.dmp

Download
memory/2636-189-0x0000000005C01000-0x0000000005C02000-memory.dmp

Filesize
4KB

Download
memory/2636-147-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/3488-200-0x0000000000000000-mapping.dmp

Download
memory/3740-120-0x0000000005700000-0x0000000005701000-memory.dmp

Filesize
4KB

Download
memory/3740-121-0x0000000005CA0000-0x0000000005CA1000-memory.dmp

Filesize
4KB

Download
memory/3740-118-0x0000000000830000-0x0000000000831000-memory.dmp

Filesize
4KB

Download
memory/3740-168-0x0000000005540000-0x00000000055DC000-memory.dmp

Filesize
624KB

Download
memory/3740-167-0x00000000057A0000-0x0000000005C9E000-memory.dmp

Filesize
5.0MB

Download
memory/3740-146-0x0000000005540000-0x0000000005555000-memory.dmp

Filesize
84KB

Download
memory/3740-115-0x0000000000000000-mapping.dmp

Download