asyncrat | 78b4ba3aaf358440be7212cb23b8ca6c3f4fef477436b52c483185d4b90a8dda

Analysis

max time kernel
138s
max time network
121s
platform
windows10_x64
resource
win10-en-20211014
submitted
08-11-2021 18:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

78b4ba3aaf358440be7212cb23b8ca6c3f4fef477436b52c483185d4b90a8dda.exe
Size

1.2MB
MD5

93f2ef7ece667948d903fd81a9c93dae
SHA1

33a83a4a6d582c20c44719df67815455ec4f789c
SHA256

78b4ba3aaf358440be7212cb23b8ca6c3f4fef477436b52c483185d4b90a8dda
SHA512

793a9521600f50d127556ab7c46929faddc74e23cdbee49ec914a1502f346d7a3513036ee8d9c8d8c31112325217951b5e60df07093e5b6f3d0d3fc7148d2a4a

Score

10^/10

asyncrat agilenet persistence rat

Malware Config

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers.
rat asyncrat

Async RAT payload 2 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/1300-146-0x0000000002C30000-0x0000000002C50000-memory.dmp	asyncrat
behavioral1/memory/1300-148-0x0000000003040000-0x000000000305E000-memory.dmp	asyncrat

Executes dropped EXE 2 IoCs

Processes:

rtcupdater.exertcupdater.exe

pid process

2832 rtcupdater.exe
1300 rtcupdater.exe
Modifies Installed Components in the registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

pid	process
2832	rtcupdater.exe
1300	rtcupdater.exe

Obfuscated with Agile.Net obfuscator 4 IoCs

Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

agilenet

Processes:

resource	yara_rule
behavioral1/memory/2640-121-0x0000000006790000-0x00000000067B1000-memory.dmp	agile_net
behavioral1/memory/2640-126-0x00000000055E0000-0x0000000005ADE000-memory.dmp	agile_net
behavioral1/memory/2832-135-0x0000000004FE0000-0x00000000054DE000-memory.dmp	agile_net
behavioral1/memory/2832-139-0x0000000004FE0000-0x00000000054DE000-memory.dmp	agile_net

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Windows\CurrentVersion\Run\rtcupdater = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Root\\rtcupdater.exe"	reg.exe

Enumerates connected drives 3 TTPs 1 IoCs
Attempts to read the root path of hard drives other than the default C: drive.

Query Registry
T1012

Peripheral Device Discovery
T1120

System Information Discovery
T1082

Processes:

explorer.exe

description ioc process

File opened (read-only) \??\D: explorer.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

rtcupdater.exe

description pid process target process

PID 2832 set thread context of 1300 2832 rtcupdater.exe rtcupdater.exe

description	ioc	process
File opened (read-only)	\??\D:	explorer.exe

description	pid	process	target process
PID 2832 set thread context of 1300	2832	rtcupdater.exe	rtcupdater.exe

Drops file in Windows directory 5 IoCs

Processes:

explorer.exeSearchUI.exeShellExperienceHost.exe

description	ioc	process
File created	C:\Windows\rescache\_merged\2717123927\1713683155.pri	explorer.exe
File created	C:\Windows\rescache\_merged\1601268389\3068621934.pri	SearchUI.exe
File created	C:\Windows\rescache\_merged\4183903823\1195458082.pri	ShellExperienceHost.exe
File created	C:\Windows\rescache\_merged\4032412167\2690874625.pri	ShellExperienceHost.exe
File created	C:\Windows\rescache\_merged\4032412167\2690874625.pri	explorer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 10 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

explorer.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\ConfigFlags	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Capabilities	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Capabilities	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\ConfigFlags	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003	explorer.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

SearchUI.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	SearchUI.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	SearchUI.exe

Modifies registry class 29 IoCs

Processes:

SearchUI.exeexplorer.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "152"	SearchUI.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total	SearchUI.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.cortana\ = "56"	SearchUI.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.cortana\Total = "23"	SearchUI.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	SearchUI.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.cortana\ = "23"	SearchUI.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify\IconStreams = 14000000070000000100010005000000140000007b005300330038004f0053003400300034002d0031005100340033002d0034003200530032002d0039003300300035002d00360037005100520030004f003200380053005000320033007d005c0072006b006300790062006500720065002e0072006b0072000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001c100000000000002000000e5070b004100720067006a006200650078002000200033000a005600610067007200650061007200670020006e007000700072006600660000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000074ae2078e323294282c1e41cb67d5b9c00000000000000000000000051aa4b5dd2d4d70100000000000000000000000000000d20feb05a007600700065006200660062007300670020004a0076006100710062006a006600000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000020000007b005300330038004f0053003400300034002d0031005100340033002d0034003200530032002d0039003300300035002d00360037005100520030004f003200380053005000320033007d005c0072006b006300790062006500720065002e0072006b00720000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000640000000000000002000000e5070b004600630072006e0078007200650066003a002000360037002500000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000010000000100000073ae2078e323294282c1e41cb67d5b9c0000000000000000000000001b38d95cd2d4d70100000000000000000000000000000d20feb05a007600700065006200660062007300670020004a0076006100710062006a006600000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000030000007b00360051003800300039003300370037002d0036004e00530030002d003400340034004f002d0038003900350037002d004e00330037003700330053003000320032003000300052007d005c004a0076006100710062006a0066002000510072007300720061007100720065005c005a0046004e00460050006800760059002e0072006b007200000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000640000000000000000000000e5070a004e0070006700760062006100660020006100720072007100720071002e00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000fffffffff9a6406d323dcb4f8a86be992e03dc7600000000000000000000000033cd62c606c1d70100000000000000000000000000000d20feb05a007600700065006200660062007300670020004a0076006100710062006a006600000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000007b005300330038004f0053003400300034002d0031005100340033002d0034003200530032002d0039003300300035002d00360037005100520030004f003200380053005000320033007d005c0072006b006300790062006500720065002e0072006b00720000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002000000e5070a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff75ae2078e323294282c1e41cb67d5b9c000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000010000007b005300330038004f0053003400300034002d0031005100340033002d0034003200530032002d0039003300300035002d00360037005100520030004f003200380053005000320033007d005c0072006b006300790062006500720065002e0072006b00720000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002000000e5070a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff81ae2078e323294282c1e41cb67d5b9c00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\microsoft.windows.cortana	SearchUI.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\windows.cortana	SearchUI.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\Total	SearchUI.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.cortana\Total = "56"	SearchUI.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix	SearchUI.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DomStorageState	SearchUI.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage	SearchUI.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\EdpDomStorage	SearchUI.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.cortana	SearchUI.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.cortana	SearchUI.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "185"	SearchUI.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:"	SearchUI.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify\UserStartTime = "132786946600896572"	explorer.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

Processes:

78b4ba3aaf358440be7212cb23b8ca6c3f4fef477436b52c483185d4b90a8dda.exertcupdater.exertcupdater.exe

pid	process
2640	78b4ba3aaf358440be7212cb23b8ca6c3f4fef477436b52c483185d4b90a8dda.exe
2640	78b4ba3aaf358440be7212cb23b8ca6c3f4fef477436b52c483185d4b90a8dda.exe
2640	78b4ba3aaf358440be7212cb23b8ca6c3f4fef477436b52c483185d4b90a8dda.exe
2640	78b4ba3aaf358440be7212cb23b8ca6c3f4fef477436b52c483185d4b90a8dda.exe
2640	78b4ba3aaf358440be7212cb23b8ca6c3f4fef477436b52c483185d4b90a8dda.exe
2640	78b4ba3aaf358440be7212cb23b8ca6c3f4fef477436b52c483185d4b90a8dda.exe
2640	78b4ba3aaf358440be7212cb23b8ca6c3f4fef477436b52c483185d4b90a8dda.exe
2640	78b4ba3aaf358440be7212cb23b8ca6c3f4fef477436b52c483185d4b90a8dda.exe
2640	78b4ba3aaf358440be7212cb23b8ca6c3f4fef477436b52c483185d4b90a8dda.exe
2640	78b4ba3aaf358440be7212cb23b8ca6c3f4fef477436b52c483185d4b90a8dda.exe
2640	78b4ba3aaf358440be7212cb23b8ca6c3f4fef477436b52c483185d4b90a8dda.exe
2640	78b4ba3aaf358440be7212cb23b8ca6c3f4fef477436b52c483185d4b90a8dda.exe
2640	78b4ba3aaf358440be7212cb23b8ca6c3f4fef477436b52c483185d4b90a8dda.exe
2640	78b4ba3aaf358440be7212cb23b8ca6c3f4fef477436b52c483185d4b90a8dda.exe
2640	78b4ba3aaf358440be7212cb23b8ca6c3f4fef477436b52c483185d4b90a8dda.exe
2832	rtcupdater.exe
2832	rtcupdater.exe
1300	rtcupdater.exe

Suspicious use of AdjustPrivilegeToken 29 IoCs

Processes:

78b4ba3aaf358440be7212cb23b8ca6c3f4fef477436b52c483185d4b90a8dda.exertcupdater.exertcupdater.exeexplorer.exe

description	pid	process
Token: SeDebugPrivilege	2640	78b4ba3aaf358440be7212cb23b8ca6c3f4fef477436b52c483185d4b90a8dda.exe
Token: SeDebugPrivilege	2832	rtcupdater.exe
Token: SeDebugPrivilege	1300	rtcupdater.exe
Token: SeShutdownPrivilege	1144	explorer.exe
Token: SeCreatePagefilePrivilege	1144	explorer.exe
Token: SeShutdownPrivilege	1144	explorer.exe
Token: SeCreatePagefilePrivilege	1144	explorer.exe
Token: SeShutdownPrivilege	1144	explorer.exe
Token: SeCreatePagefilePrivilege	1144	explorer.exe
Token: SeShutdownPrivilege	1144	explorer.exe
Token: SeCreatePagefilePrivilege	1144	explorer.exe
Token: SeShutdownPrivilege	1144	explorer.exe
Token: SeCreatePagefilePrivilege	1144	explorer.exe
Token: SeShutdownPrivilege	1144	explorer.exe
Token: SeCreatePagefilePrivilege	1144	explorer.exe
Token: SeShutdownPrivilege	1144	explorer.exe
Token: SeCreatePagefilePrivilege	1144	explorer.exe
Token: SeShutdownPrivilege	1144	explorer.exe
Token: SeCreatePagefilePrivilege	1144	explorer.exe
Token: SeShutdownPrivilege	1144	explorer.exe
Token: SeCreatePagefilePrivilege	1144	explorer.exe
Token: SeShutdownPrivilege	1144	explorer.exe
Token: SeCreatePagefilePrivilege	1144	explorer.exe
Token: SeShutdownPrivilege	1144	explorer.exe
Token: SeCreatePagefilePrivilege	1144	explorer.exe
Token: SeShutdownPrivilege	1144	explorer.exe
Token: SeCreatePagefilePrivilege	1144	explorer.exe
Token: SeShutdownPrivilege	1144	explorer.exe
Token: SeCreatePagefilePrivilege	1144	explorer.exe

Suspicious use of FindShellTrayWindow 33 IoCs

Processes:

explorer.exe

pid	process
1144	explorer.exe
1144	explorer.exe
1144	explorer.exe
1144	explorer.exe
1144	explorer.exe
1144	explorer.exe
1144	explorer.exe
1144	explorer.exe
1144	explorer.exe
1144	explorer.exe
1144	explorer.exe
1144	explorer.exe
1144	explorer.exe
1144	explorer.exe
1144	explorer.exe
1144	explorer.exe
1144	explorer.exe
1144	explorer.exe
1144	explorer.exe
1144	explorer.exe
1144	explorer.exe
1144	explorer.exe
1144	explorer.exe
1144	explorer.exe
1144	explorer.exe
1144	explorer.exe
1144	explorer.exe
1144	explorer.exe
1144	explorer.exe
1144	explorer.exe
1144	explorer.exe
1144	explorer.exe
1144	explorer.exe

Suspicious use of SendNotifyMessage 20 IoCs

Processes:

explorer.exe

pid	process
1144	explorer.exe
1144	explorer.exe
1144	explorer.exe
1144	explorer.exe
1144	explorer.exe
1144	explorer.exe
1144	explorer.exe
1144	explorer.exe
1144	explorer.exe
1144	explorer.exe
1144	explorer.exe
1144	explorer.exe
1144	explorer.exe
1144	explorer.exe
1144	explorer.exe
1144	explorer.exe
1144	explorer.exe
1144	explorer.exe
1144	explorer.exe
1144	explorer.exe

Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

SearchUI.exeShellExperienceHost.exe

pid process

1916 SearchUI.exe
3276 ShellExperienceHost.exe
3276 ShellExperienceHost.exe

pid	process
1916	SearchUI.exe
3276	ShellExperienceHost.exe
3276	ShellExperienceHost.exe

Suspicious use of WriteProcessMemory 22 IoCs

Processes:

78b4ba3aaf358440be7212cb23b8ca6c3f4fef477436b52c483185d4b90a8dda.execmd.exertcupdater.exertcupdater.exeexplorer.exe

description	pid	process	target process
PID 2640 wrote to memory of 1184	2640	78b4ba3aaf358440be7212cb23b8ca6c3f4fef477436b52c483185d4b90a8dda.exe	cmd.exe
PID 2640 wrote to memory of 1184	2640	78b4ba3aaf358440be7212cb23b8ca6c3f4fef477436b52c483185d4b90a8dda.exe	cmd.exe
PID 2640 wrote to memory of 1184	2640	78b4ba3aaf358440be7212cb23b8ca6c3f4fef477436b52c483185d4b90a8dda.exe	cmd.exe
PID 1184 wrote to memory of 1008	1184	cmd.exe	reg.exe
PID 1184 wrote to memory of 1008	1184	cmd.exe	reg.exe
PID 1184 wrote to memory of 1008	1184	cmd.exe	reg.exe
PID 2640 wrote to memory of 2832	2640	78b4ba3aaf358440be7212cb23b8ca6c3f4fef477436b52c483185d4b90a8dda.exe	rtcupdater.exe
PID 2640 wrote to memory of 2832	2640	78b4ba3aaf358440be7212cb23b8ca6c3f4fef477436b52c483185d4b90a8dda.exe	rtcupdater.exe
PID 2640 wrote to memory of 2832	2640	78b4ba3aaf358440be7212cb23b8ca6c3f4fef477436b52c483185d4b90a8dda.exe	rtcupdater.exe
PID 2832 wrote to memory of 1300	2832	rtcupdater.exe	rtcupdater.exe
PID 2832 wrote to memory of 1300	2832	rtcupdater.exe	rtcupdater.exe
PID 2832 wrote to memory of 1300	2832	rtcupdater.exe	rtcupdater.exe
PID 2832 wrote to memory of 1300	2832	rtcupdater.exe	rtcupdater.exe
PID 2832 wrote to memory of 1300	2832	rtcupdater.exe	rtcupdater.exe
PID 2832 wrote to memory of 1300	2832	rtcupdater.exe	rtcupdater.exe
PID 2832 wrote to memory of 1300	2832	rtcupdater.exe	rtcupdater.exe
PID 2832 wrote to memory of 1300	2832	rtcupdater.exe	rtcupdater.exe
PID 2832 wrote to memory of 1300	2832	rtcupdater.exe	rtcupdater.exe
PID 1300 wrote to memory of 1144	1300	rtcupdater.exe	explorer.exe
PID 1300 wrote to memory of 1144	1300	rtcupdater.exe	explorer.exe
PID 1144 wrote to memory of 1516	1144	explorer.exe	ctfmon.exe
PID 1144 wrote to memory of 1516	1144	explorer.exe	ctfmon.exe

C:\Users\Admin\AppData\Local\Temp\78b4ba3aaf358440be7212cb23b8ca6c3f4fef477436b52c483185d4b90a8dda.exe
"C:\Users\Admin\AppData\Local\Temp\78b4ba3aaf358440be7212cb23b8ca6c3f4fef477436b52c483185d4b90a8dda.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2640

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "rtcupdater" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Root\rtcupdater.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:1184

C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "rtcupdater" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Root\rtcupdater.exe"
3⤵
- Adds Run key to start application
PID:1008

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Root\rtcupdater.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Root\rtcupdater.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2832

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Root\rtcupdater.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Root\rtcupdater.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1300

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
4⤵
- Enumerates connected drives
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1144

C:\Windows\system32\ctfmon.exe
ctfmon.exe
5⤵
PID:1516

C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe
"C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe" -ServerName:CortanaUI.AppXa50dqqa5gqv4a428c9y1jjw7m3btvepj.mca
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1916

C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe
"C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe" -ServerName:App.AppXtk181tbxbce2qsex02s8tw7hfxa9xb3t.mca
1⤵
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:3276

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\rtcupdater.exe.log
MD5
7648e852b0157b362b07766e0b5b355e

SHA1
6f9ac6e9d89842d38345fb83930d8c927cb44c69

SHA256
8dd14eb336757d783e47f36a98a4fe5c1314d93782907f538417265037819896

SHA512
849e5e18a2439b9a228395c5f92d1ff8111b84ca7e56f9c2ace3580d21ceee0f78f7e9836668970a401fcf2fa2d88ff9aa89935595f45302b6af88a4069138d2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Root\rtcupdater.exe
MD5
93f2ef7ece667948d903fd81a9c93dae

SHA1
33a83a4a6d582c20c44719df67815455ec4f789c

SHA256
78b4ba3aaf358440be7212cb23b8ca6c3f4fef477436b52c483185d4b90a8dda

SHA512
793a9521600f50d127556ab7c46929faddc74e23cdbee49ec914a1502f346d7a3513036ee8d9c8d8c31112325217951b5e60df07093e5b6f3d0d3fc7148d2a4a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Root\rtcupdater.exe
MD5
93f2ef7ece667948d903fd81a9c93dae

SHA1
33a83a4a6d582c20c44719df67815455ec4f789c

SHA256
78b4ba3aaf358440be7212cb23b8ca6c3f4fef477436b52c483185d4b90a8dda

SHA512
793a9521600f50d127556ab7c46929faddc74e23cdbee49ec914a1502f346d7a3513036ee8d9c8d8c31112325217951b5e60df07093e5b6f3d0d3fc7148d2a4a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Root\rtcupdater.exe
MD5
93f2ef7ece667948d903fd81a9c93dae

SHA1
33a83a4a6d582c20c44719df67815455ec4f789c

SHA256
78b4ba3aaf358440be7212cb23b8ca6c3f4fef477436b52c483185d4b90a8dda

SHA512
793a9521600f50d127556ab7c46929faddc74e23cdbee49ec914a1502f346d7a3513036ee8d9c8d8c31112325217951b5e60df07093e5b6f3d0d3fc7148d2a4a

Download Submit
memory/1008-125-0x0000000000000000-mapping.dmp

Download
memory/1144-156-0x00000000037D0000-0x00000000037D1000-memory.dmp

Filesize
4KB

Download
memory/1144-154-0x0000000000000000-mapping.dmp

Download
memory/1184-124-0x0000000000000000-mapping.dmp

Download
memory/1300-142-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1300-150-0x0000000005700000-0x0000000005701000-memory.dmp

Filesize
4KB

Download
memory/1300-148-0x0000000003040000-0x000000000305E000-memory.dmp

Filesize
120KB

Download
memory/1300-146-0x0000000002C30000-0x0000000002C50000-memory.dmp

Filesize
128KB

Download
memory/1300-149-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1300-151-0x0000000005702000-0x0000000005703000-memory.dmp

Filesize
4KB

Download
memory/1300-152-0x0000000005703000-0x0000000005704000-memory.dmp

Filesize
4KB

Download
memory/1300-143-0x000000000040CD2F-mapping.dmp

Download
memory/1516-155-0x0000000000000000-mapping.dmp

Download
memory/2640-123-0x00000000067F0000-0x00000000067F1000-memory.dmp

Filesize
4KB

Download
memory/2640-120-0x00000000055E0000-0x0000000005ADE000-memory.dmp

Filesize
5.0MB

Download
memory/2640-117-0x0000000005AE0000-0x0000000005AE1000-memory.dmp

Filesize
4KB

Download
memory/2640-118-0x00000000055E0000-0x00000000055E1000-memory.dmp

Filesize
4KB

Download
memory/2640-119-0x0000000005720000-0x0000000005721000-memory.dmp

Filesize
4KB

Download
memory/2640-121-0x0000000006790000-0x00000000067B1000-memory.dmp

Filesize
132KB

Download
memory/2640-126-0x00000000055E0000-0x0000000005ADE000-memory.dmp

Filesize
5.0MB

Download
memory/2640-115-0x0000000000B00000-0x0000000000B01000-memory.dmp

Filesize
4KB

Download
memory/2640-122-0x0000000006830000-0x0000000006831000-memory.dmp

Filesize
4KB

Download
memory/2832-127-0x0000000000000000-mapping.dmp

Download
memory/2832-141-0x0000000009320000-0x0000000009321000-memory.dmp

Filesize
4KB

Download
memory/2832-135-0x0000000004FE0000-0x00000000054DE000-memory.dmp

Filesize
5.0MB

Download
memory/2832-139-0x0000000004FE0000-0x00000000054DE000-memory.dmp

Filesize
5.0MB

Download
memory/2832-140-0x0000000006D40000-0x0000000006D4B000-memory.dmp

Filesize
44KB

Download