asyncrat | 7edb2695de8a294a93f6ad48edb3b1e8199fbfbed4a6dd78c180e3c29e7eaae6

Analysis

max time kernel
130s
max time network
154s
platform
windows10_x64
resource
win10-en-20211208
submitted
20-01-2022 18:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7edb2695de8a294a93f6ad48edb3b1e8199fbfbed4a6dd78c180e3c29e7eaae6.exe
Size

41KB
MD5

45a4b5682899474927c9184aaeeed2a0
SHA1

07106912a9aff461a3b4e8201474e0a70c0c4afa
SHA256

7edb2695de8a294a93f6ad48edb3b1e8199fbfbed4a6dd78c180e3c29e7eaae6
SHA512

4b7206bb343e9bf0694f732a282a71bf24fbf3520656bb186323091762b64d8dbf4c4cd580e6f93ef5a1478ab6af47fef1a6264f51d380d23f40792478a1b161

Score

10^/10

asyncrat venom clients persistence rat

Malware Config

Extracted

Family

asyncrat

Version

VenomRAT_HVNC 5.0.4

Botnet

Venom Clients

188.119.112.140:4449

Mutex

Venom_RAT_Mutex_Venom_RAT

Attributes

anti_vm
false
bsod
false
delay
0
install
true
install_file
CvkjdhfWr.exe
install_folder
%AppData%
pastebin_config
null

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers.
rat asyncrat

Async RAT payload 1 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/2312-139-0x0000000000400000-0x0000000000416000-memory.dmp	asyncrat

Executes dropped EXE 2 IoCs

Processes:

CvkjdhfWr.exeCvkjdhfWr.exe

pid process

832 CvkjdhfWr.exe
2352 CvkjdhfWr.exe

pid	process
832	CvkjdhfWr.exe
2352	CvkjdhfWr.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

7edb2695de8a294a93f6ad48edb3b1e8199fbfbed4a6dd78c180e3c29e7eaae6.exeCvkjdhfWr.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Windows\CurrentVersion\Run\HDH = "\"C:\\Users\\Admin\\AppData\\Roaming\\HDH\\HDH.exe\""	7edb2695de8a294a93f6ad48edb3b1e8199fbfbed4a6dd78c180e3c29e7eaae6.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Windows\CurrentVersion\Run\HDH = "\"C:\\Users\\Admin\\AppData\\Roaming\\HDH\\HDH.exe\""	CvkjdhfWr.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

7edb2695de8a294a93f6ad48edb3b1e8199fbfbed4a6dd78c180e3c29e7eaae6.exeCvkjdhfWr.exe

description	pid	process	target process
PID 3608 set thread context of 2312	3608	7edb2695de8a294a93f6ad48edb3b1e8199fbfbed4a6dd78c180e3c29e7eaae6.exe	7edb2695de8a294a93f6ad48edb3b1e8199fbfbed4a6dd78c180e3c29e7eaae6.exe
PID 832 set thread context of 2352	832	CvkjdhfWr.exe	CvkjdhfWr.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

3372 schtasks.exe
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

3104 timeout.exe
Runs ping.exe 1 TTPs 10 IoCs

Remote System Discovery
T1018

Processes:

PING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXE

pid process

3496 PING.EXE
3756 PING.EXE
1140 PING.EXE
1092 PING.EXE
1412 PING.EXE
3904 PING.EXE
3088 PING.EXE
3152 PING.EXE
3776 PING.EXE
3880 PING.EXE

pid	process
3372	schtasks.exe

pid	process
3104	timeout.exe

pid	process
3496	PING.EXE
3756	PING.EXE
1140	PING.EXE
1092	PING.EXE
1412	PING.EXE
3904	PING.EXE
3088	PING.EXE
3152	PING.EXE
3776	PING.EXE
3880	PING.EXE

Suspicious behavior: EnumeratesProcesses 31 IoCs

Processes:

powershell.exe7edb2695de8a294a93f6ad48edb3b1e8199fbfbed4a6dd78c180e3c29e7eaae6.exe7edb2695de8a294a93f6ad48edb3b1e8199fbfbed4a6dd78c180e3c29e7eaae6.exepowershell.exeCvkjdhfWr.exe

pid	process
768	powershell.exe
768	powershell.exe
768	powershell.exe
3608	7edb2695de8a294a93f6ad48edb3b1e8199fbfbed4a6dd78c180e3c29e7eaae6.exe
3608	7edb2695de8a294a93f6ad48edb3b1e8199fbfbed4a6dd78c180e3c29e7eaae6.exe
3608	7edb2695de8a294a93f6ad48edb3b1e8199fbfbed4a6dd78c180e3c29e7eaae6.exe
3608	7edb2695de8a294a93f6ad48edb3b1e8199fbfbed4a6dd78c180e3c29e7eaae6.exe
3608	7edb2695de8a294a93f6ad48edb3b1e8199fbfbed4a6dd78c180e3c29e7eaae6.exe
3608	7edb2695de8a294a93f6ad48edb3b1e8199fbfbed4a6dd78c180e3c29e7eaae6.exe
3608	7edb2695de8a294a93f6ad48edb3b1e8199fbfbed4a6dd78c180e3c29e7eaae6.exe
3608	7edb2695de8a294a93f6ad48edb3b1e8199fbfbed4a6dd78c180e3c29e7eaae6.exe
3608	7edb2695de8a294a93f6ad48edb3b1e8199fbfbed4a6dd78c180e3c29e7eaae6.exe
3608	7edb2695de8a294a93f6ad48edb3b1e8199fbfbed4a6dd78c180e3c29e7eaae6.exe
2312	7edb2695de8a294a93f6ad48edb3b1e8199fbfbed4a6dd78c180e3c29e7eaae6.exe
2312	7edb2695de8a294a93f6ad48edb3b1e8199fbfbed4a6dd78c180e3c29e7eaae6.exe
2312	7edb2695de8a294a93f6ad48edb3b1e8199fbfbed4a6dd78c180e3c29e7eaae6.exe
2312	7edb2695de8a294a93f6ad48edb3b1e8199fbfbed4a6dd78c180e3c29e7eaae6.exe
2312	7edb2695de8a294a93f6ad48edb3b1e8199fbfbed4a6dd78c180e3c29e7eaae6.exe
2312	7edb2695de8a294a93f6ad48edb3b1e8199fbfbed4a6dd78c180e3c29e7eaae6.exe
2312	7edb2695de8a294a93f6ad48edb3b1e8199fbfbed4a6dd78c180e3c29e7eaae6.exe
2312	7edb2695de8a294a93f6ad48edb3b1e8199fbfbed4a6dd78c180e3c29e7eaae6.exe
2312	7edb2695de8a294a93f6ad48edb3b1e8199fbfbed4a6dd78c180e3c29e7eaae6.exe
2312	7edb2695de8a294a93f6ad48edb3b1e8199fbfbed4a6dd78c180e3c29e7eaae6.exe
2312	7edb2695de8a294a93f6ad48edb3b1e8199fbfbed4a6dd78c180e3c29e7eaae6.exe
2312	7edb2695de8a294a93f6ad48edb3b1e8199fbfbed4a6dd78c180e3c29e7eaae6.exe
2312	7edb2695de8a294a93f6ad48edb3b1e8199fbfbed4a6dd78c180e3c29e7eaae6.exe
1972	powershell.exe
1972	powershell.exe
1972	powershell.exe
832	CvkjdhfWr.exe
832	CvkjdhfWr.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

7edb2695de8a294a93f6ad48edb3b1e8199fbfbed4a6dd78c180e3c29e7eaae6.exepowershell.exe7edb2695de8a294a93f6ad48edb3b1e8199fbfbed4a6dd78c180e3c29e7eaae6.exeCvkjdhfWr.exepowershell.exeCvkjdhfWr.exe

description	pid	process
Token: SeDebugPrivilege	3608	7edb2695de8a294a93f6ad48edb3b1e8199fbfbed4a6dd78c180e3c29e7eaae6.exe
Token: SeDebugPrivilege	768	powershell.exe
Token: SeDebugPrivilege	2312	7edb2695de8a294a93f6ad48edb3b1e8199fbfbed4a6dd78c180e3c29e7eaae6.exe
Token: SeDebugPrivilege	832	CvkjdhfWr.exe
Token: SeDebugPrivilege	1972	powershell.exe
Token: SeDebugPrivilege	2352	CvkjdhfWr.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

7edb2695de8a294a93f6ad48edb3b1e8199fbfbed4a6dd78c180e3c29e7eaae6.exepowershell.exe7edb2695de8a294a93f6ad48edb3b1e8199fbfbed4a6dd78c180e3c29e7eaae6.execmd.execmd.exeCvkjdhfWr.exepowershell.exe

description	pid	process	target process
PID 3608 wrote to memory of 768	3608	7edb2695de8a294a93f6ad48edb3b1e8199fbfbed4a6dd78c180e3c29e7eaae6.exe	powershell.exe
PID 3608 wrote to memory of 768	3608	7edb2695de8a294a93f6ad48edb3b1e8199fbfbed4a6dd78c180e3c29e7eaae6.exe	powershell.exe
PID 3608 wrote to memory of 768	3608	7edb2695de8a294a93f6ad48edb3b1e8199fbfbed4a6dd78c180e3c29e7eaae6.exe	powershell.exe
PID 768 wrote to memory of 1140	768	powershell.exe	PING.EXE
PID 768 wrote to memory of 1140	768	powershell.exe	PING.EXE
PID 768 wrote to memory of 1140	768	powershell.exe	PING.EXE
PID 768 wrote to memory of 1092	768	powershell.exe	PING.EXE
PID 768 wrote to memory of 1092	768	powershell.exe	PING.EXE
PID 768 wrote to memory of 1092	768	powershell.exe	PING.EXE
PID 768 wrote to memory of 3496	768	powershell.exe	PING.EXE
PID 768 wrote to memory of 3496	768	powershell.exe	PING.EXE
PID 768 wrote to memory of 3496	768	powershell.exe	PING.EXE
PID 768 wrote to memory of 1412	768	powershell.exe	PING.EXE
PID 768 wrote to memory of 1412	768	powershell.exe	PING.EXE
PID 768 wrote to memory of 1412	768	powershell.exe	PING.EXE
PID 768 wrote to memory of 3904	768	powershell.exe	PING.EXE
PID 768 wrote to memory of 3904	768	powershell.exe	PING.EXE
PID 768 wrote to memory of 3904	768	powershell.exe	PING.EXE
PID 3608 wrote to memory of 1516	3608	7edb2695de8a294a93f6ad48edb3b1e8199fbfbed4a6dd78c180e3c29e7eaae6.exe	7edb2695de8a294a93f6ad48edb3b1e8199fbfbed4a6dd78c180e3c29e7eaae6.exe
PID 3608 wrote to memory of 1516	3608	7edb2695de8a294a93f6ad48edb3b1e8199fbfbed4a6dd78c180e3c29e7eaae6.exe	7edb2695de8a294a93f6ad48edb3b1e8199fbfbed4a6dd78c180e3c29e7eaae6.exe
PID 3608 wrote to memory of 1516	3608	7edb2695de8a294a93f6ad48edb3b1e8199fbfbed4a6dd78c180e3c29e7eaae6.exe	7edb2695de8a294a93f6ad48edb3b1e8199fbfbed4a6dd78c180e3c29e7eaae6.exe
PID 3608 wrote to memory of 1444	3608	7edb2695de8a294a93f6ad48edb3b1e8199fbfbed4a6dd78c180e3c29e7eaae6.exe	7edb2695de8a294a93f6ad48edb3b1e8199fbfbed4a6dd78c180e3c29e7eaae6.exe
PID 3608 wrote to memory of 1444	3608	7edb2695de8a294a93f6ad48edb3b1e8199fbfbed4a6dd78c180e3c29e7eaae6.exe	7edb2695de8a294a93f6ad48edb3b1e8199fbfbed4a6dd78c180e3c29e7eaae6.exe
PID 3608 wrote to memory of 1444	3608	7edb2695de8a294a93f6ad48edb3b1e8199fbfbed4a6dd78c180e3c29e7eaae6.exe	7edb2695de8a294a93f6ad48edb3b1e8199fbfbed4a6dd78c180e3c29e7eaae6.exe
PID 3608 wrote to memory of 2312	3608	7edb2695de8a294a93f6ad48edb3b1e8199fbfbed4a6dd78c180e3c29e7eaae6.exe	7edb2695de8a294a93f6ad48edb3b1e8199fbfbed4a6dd78c180e3c29e7eaae6.exe
PID 3608 wrote to memory of 2312	3608	7edb2695de8a294a93f6ad48edb3b1e8199fbfbed4a6dd78c180e3c29e7eaae6.exe	7edb2695de8a294a93f6ad48edb3b1e8199fbfbed4a6dd78c180e3c29e7eaae6.exe
PID 3608 wrote to memory of 2312	3608	7edb2695de8a294a93f6ad48edb3b1e8199fbfbed4a6dd78c180e3c29e7eaae6.exe	7edb2695de8a294a93f6ad48edb3b1e8199fbfbed4a6dd78c180e3c29e7eaae6.exe
PID 3608 wrote to memory of 2312	3608	7edb2695de8a294a93f6ad48edb3b1e8199fbfbed4a6dd78c180e3c29e7eaae6.exe	7edb2695de8a294a93f6ad48edb3b1e8199fbfbed4a6dd78c180e3c29e7eaae6.exe
PID 3608 wrote to memory of 2312	3608	7edb2695de8a294a93f6ad48edb3b1e8199fbfbed4a6dd78c180e3c29e7eaae6.exe	7edb2695de8a294a93f6ad48edb3b1e8199fbfbed4a6dd78c180e3c29e7eaae6.exe
PID 3608 wrote to memory of 2312	3608	7edb2695de8a294a93f6ad48edb3b1e8199fbfbed4a6dd78c180e3c29e7eaae6.exe	7edb2695de8a294a93f6ad48edb3b1e8199fbfbed4a6dd78c180e3c29e7eaae6.exe
PID 3608 wrote to memory of 2312	3608	7edb2695de8a294a93f6ad48edb3b1e8199fbfbed4a6dd78c180e3c29e7eaae6.exe	7edb2695de8a294a93f6ad48edb3b1e8199fbfbed4a6dd78c180e3c29e7eaae6.exe
PID 3608 wrote to memory of 2312	3608	7edb2695de8a294a93f6ad48edb3b1e8199fbfbed4a6dd78c180e3c29e7eaae6.exe	7edb2695de8a294a93f6ad48edb3b1e8199fbfbed4a6dd78c180e3c29e7eaae6.exe
PID 2312 wrote to memory of 1968	2312	7edb2695de8a294a93f6ad48edb3b1e8199fbfbed4a6dd78c180e3c29e7eaae6.exe	cmd.exe
PID 2312 wrote to memory of 1968	2312	7edb2695de8a294a93f6ad48edb3b1e8199fbfbed4a6dd78c180e3c29e7eaae6.exe	cmd.exe
PID 2312 wrote to memory of 1968	2312	7edb2695de8a294a93f6ad48edb3b1e8199fbfbed4a6dd78c180e3c29e7eaae6.exe	cmd.exe
PID 2312 wrote to memory of 1392	2312	7edb2695de8a294a93f6ad48edb3b1e8199fbfbed4a6dd78c180e3c29e7eaae6.exe	cmd.exe
PID 2312 wrote to memory of 1392	2312	7edb2695de8a294a93f6ad48edb3b1e8199fbfbed4a6dd78c180e3c29e7eaae6.exe	cmd.exe
PID 2312 wrote to memory of 1392	2312	7edb2695de8a294a93f6ad48edb3b1e8199fbfbed4a6dd78c180e3c29e7eaae6.exe	cmd.exe
PID 1968 wrote to memory of 3372	1968	cmd.exe	schtasks.exe
PID 1968 wrote to memory of 3372	1968	cmd.exe	schtasks.exe
PID 1968 wrote to memory of 3372	1968	cmd.exe	schtasks.exe
PID 1392 wrote to memory of 3104	1392	cmd.exe	timeout.exe
PID 1392 wrote to memory of 3104	1392	cmd.exe	timeout.exe
PID 1392 wrote to memory of 3104	1392	cmd.exe	timeout.exe
PID 1392 wrote to memory of 832	1392	cmd.exe	CvkjdhfWr.exe
PID 1392 wrote to memory of 832	1392	cmd.exe	CvkjdhfWr.exe
PID 1392 wrote to memory of 832	1392	cmd.exe	CvkjdhfWr.exe
PID 832 wrote to memory of 1972	832	CvkjdhfWr.exe	powershell.exe
PID 832 wrote to memory of 1972	832	CvkjdhfWr.exe	powershell.exe
PID 832 wrote to memory of 1972	832	CvkjdhfWr.exe	powershell.exe
PID 1972 wrote to memory of 3088	1972	powershell.exe	PING.EXE
PID 1972 wrote to memory of 3088	1972	powershell.exe	PING.EXE
PID 1972 wrote to memory of 3088	1972	powershell.exe	PING.EXE
PID 1972 wrote to memory of 3756	1972	powershell.exe	PING.EXE
PID 1972 wrote to memory of 3756	1972	powershell.exe	PING.EXE
PID 1972 wrote to memory of 3756	1972	powershell.exe	PING.EXE
PID 1972 wrote to memory of 3152	1972	powershell.exe	PING.EXE
PID 1972 wrote to memory of 3152	1972	powershell.exe	PING.EXE
PID 1972 wrote to memory of 3152	1972	powershell.exe	PING.EXE
PID 1972 wrote to memory of 3776	1972	powershell.exe	PING.EXE
PID 1972 wrote to memory of 3776	1972	powershell.exe	PING.EXE
PID 1972 wrote to memory of 3776	1972	powershell.exe	PING.EXE
PID 1972 wrote to memory of 3880	1972	powershell.exe	PING.EXE
PID 1972 wrote to memory of 3880	1972	powershell.exe	PING.EXE

C:\Users\Admin\AppData\Local\Temp\7edb2695de8a294a93f6ad48edb3b1e8199fbfbed4a6dd78c180e3c29e7eaae6.exe
"C:\Users\Admin\AppData\Local\Temp\7edb2695de8a294a93f6ad48edb3b1e8199fbfbed4a6dd78c180e3c29e7eaae6.exe"
1⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3608

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc cABpAG4AZwAgAHkAYQBoAG8AbwAuAGMAbwBtADsAIABwAGkAbgBnACAAeQBhAGgAbwBvAC4AYwBvAG0AOwBwAGkAbgBnACAAeQBhAGgAbwBvAC4AYwBvAG0AOwBwAGkAbgBnACAAeQBhAGgAbwBvAC4AYwBvAG0AOwBwAGkAbgBnACAAeQBhAGgAbwBvAC4AYwBvAG0AOwA=
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:768

C:\Windows\SysWOW64\PING.EXE
"C:\Windows\system32\PING.EXE" yahoo.com
3⤵
- Runs ping.exe
PID:1140

C:\Windows\SysWOW64\PING.EXE
"C:\Windows\system32\PING.EXE" yahoo.com
3⤵
- Runs ping.exe
PID:1092

C:\Windows\SysWOW64\PING.EXE
"C:\Windows\system32\PING.EXE" yahoo.com
3⤵
- Runs ping.exe
PID:3496

C:\Windows\SysWOW64\PING.EXE
"C:\Windows\system32\PING.EXE" yahoo.com
3⤵
- Runs ping.exe
PID:1412

C:\Windows\SysWOW64\PING.EXE
"C:\Windows\system32\PING.EXE" yahoo.com
3⤵
- Runs ping.exe
PID:3904

C:\Users\Admin\AppData\Local\Temp\7edb2695de8a294a93f6ad48edb3b1e8199fbfbed4a6dd78c180e3c29e7eaae6.exe
C:\Users\Admin\AppData\Local\Temp\7edb2695de8a294a93f6ad48edb3b1e8199fbfbed4a6dd78c180e3c29e7eaae6.exe
2⤵
PID:1516

C:\Users\Admin\AppData\Local\Temp\7edb2695de8a294a93f6ad48edb3b1e8199fbfbed4a6dd78c180e3c29e7eaae6.exe
C:\Users\Admin\AppData\Local\Temp\7edb2695de8a294a93f6ad48edb3b1e8199fbfbed4a6dd78c180e3c29e7eaae6.exe
2⤵
PID:1444

C:\Users\Admin\AppData\Local\Temp\7edb2695de8a294a93f6ad48edb3b1e8199fbfbed4a6dd78c180e3c29e7eaae6.exe
C:\Users\Admin\AppData\Local\Temp\7edb2695de8a294a93f6ad48edb3b1e8199fbfbed4a6dd78c180e3c29e7eaae6.exe
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2312

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "CvkjdhfWr" /tr '"C:\Users\Admin\AppData\Roaming\CvkjdhfWr.exe"' & exit
3⤵
- Suspicious use of WriteProcessMemory
PID:1968

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "CvkjdhfWr" /tr '"C:\Users\Admin\AppData\Roaming\CvkjdhfWr.exe"'
4⤵
- Creates scheduled task(s)
PID:3372

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp383D.tmp.bat""
3⤵
- Suspicious use of WriteProcessMemory
PID:1392

C:\Windows\SysWOW64\timeout.exe
timeout 3
4⤵
- Delays execution with timeout.exe
PID:3104

C:\Users\Admin\AppData\Roaming\CvkjdhfWr.exe
"C:\Users\Admin\AppData\Roaming\CvkjdhfWr.exe"
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:832

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc cABpAG4AZwAgAHkAYQBoAG8AbwAuAGMAbwBtADsAIABwAGkAbgBnACAAeQBhAGgAbwBvAC4AYwBvAG0AOwBwAGkAbgBnACAAeQBhAGgAbwBvAC4AYwBvAG0AOwBwAGkAbgBnACAAeQBhAGgAbwBvAC4AYwBvAG0AOwBwAGkAbgBnACAAeQBhAGgAbwBvAC4AYwBvAG0AOwA=
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1972

C:\Windows\SysWOW64\PING.EXE
"C:\Windows\system32\PING.EXE" yahoo.com
6⤵
- Runs ping.exe
PID:3088

C:\Windows\SysWOW64\PING.EXE
"C:\Windows\system32\PING.EXE" yahoo.com
6⤵
- Runs ping.exe
PID:3756

C:\Windows\SysWOW64\PING.EXE
"C:\Windows\system32\PING.EXE" yahoo.com
6⤵
- Runs ping.exe
PID:3152

C:\Windows\SysWOW64\PING.EXE
"C:\Windows\system32\PING.EXE" yahoo.com
6⤵
- Runs ping.exe
PID:3776

C:\Windows\SysWOW64\PING.EXE
"C:\Windows\system32\PING.EXE" yahoo.com
6⤵
- Runs ping.exe
PID:3880

C:\Users\Admin\AppData\Roaming\CvkjdhfWr.exe
C:\Users\Admin\AppData\Roaming\CvkjdhfWr.exe
5⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2352

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Remote System Discovery

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\7edb2695de8a294a93f6ad48edb3b1e8199fbfbed4a6dd78c180e3c29e7eaae6.exe.log
MD5
6571746e30cbf8ff5acc662f7b50fee8

SHA1
ad84b0b04fed1d584b515f20b89b82a4d0f620fd

SHA256
6e431a0b11ce0e35297431ed7b829539024535f04510b80a5d2109aabe3dc437

SHA512
7e25c241f22d65631362e5228222dcfb7ee3b033354cf9397aaa4ff745e0793b19085072b11f937d5192ae946fdaa5487ec973247839b15079b1a77b96196ac3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\CvkjdhfWr.exe.log
MD5
6571746e30cbf8ff5acc662f7b50fee8

SHA1
ad84b0b04fed1d584b515f20b89b82a4d0f620fd

SHA256
6e431a0b11ce0e35297431ed7b829539024535f04510b80a5d2109aabe3dc437

SHA512
7e25c241f22d65631362e5228222dcfb7ee3b033354cf9397aaa4ff745e0793b19085072b11f937d5192ae946fdaa5487ec973247839b15079b1a77b96196ac3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
MD5
0f5cbdca905beb13bebdcf43fb0716bd

SHA1
9e136131389fde83297267faf6c651d420671b3f

SHA256
a99135d86804f5cf8aaeb5943c1929bd1458652a3318ab8c01aee22bb4991060

SHA512
a41d2939473cffcb6beb8b58b499441d16da8bcc22972d53b8b699b82a7dc7be0db39bcd2486edd136294eb3f1c97ddd27b2a9ff45b831579cba6896d1f776b0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
973c3c3f3a59661e80bdd35ec3448283

SHA1
89c92d7e6607b1e3658fc406a2f9523eb6e23092

SHA256
ad931510e2da7beeeb516efcb0fb64ece2165e38bc7abef31b06f964df4b8e7f

SHA512
3fb1eb961c7d14bba8fa4a67f3647727ec887553bd2aa43d247e96970ffeff270c9eff802ed44246f3ce1fa78d0567b1dccab3ddb7137738fe0aa2bfaaab9786

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp383D.tmp.bat
MD5
01072a2b21284a4e480af8ad12e778d2

SHA1
dbb5d56e119755c38a95e2adc1284d4f7867688c

SHA256
daf7be0aef7f3eda91064471d3cf1c700126cbf074a32a0cd961dc394014f5f7

SHA512
f7fa0d3af1e20e8b5cfc71f64564a1e0de14e3c749e19e44b7db1de0c1b520c19414782670172064c7ddf02d95068bf5bb6dd0644d39257085c6694f7324864c

Download Submit
C:\Users\Admin\AppData\Roaming\CvkjdhfWr.exe
MD5
45a4b5682899474927c9184aaeeed2a0

SHA1
07106912a9aff461a3b4e8201474e0a70c0c4afa

SHA256
7edb2695de8a294a93f6ad48edb3b1e8199fbfbed4a6dd78c180e3c29e7eaae6

SHA512
4b7206bb343e9bf0694f732a282a71bf24fbf3520656bb186323091762b64d8dbf4c4cd580e6f93ef5a1478ab6af47fef1a6264f51d380d23f40792478a1b161

Download Submit
C:\Users\Admin\AppData\Roaming\CvkjdhfWr.exe
MD5
45a4b5682899474927c9184aaeeed2a0

SHA1
07106912a9aff461a3b4e8201474e0a70c0c4afa

SHA256
7edb2695de8a294a93f6ad48edb3b1e8199fbfbed4a6dd78c180e3c29e7eaae6

SHA512
4b7206bb343e9bf0694f732a282a71bf24fbf3520656bb186323091762b64d8dbf4c4cd580e6f93ef5a1478ab6af47fef1a6264f51d380d23f40792478a1b161

Download Submit
C:\Users\Admin\AppData\Roaming\CvkjdhfWr.exe
MD5
45a4b5682899474927c9184aaeeed2a0

SHA1
07106912a9aff461a3b4e8201474e0a70c0c4afa

SHA256
7edb2695de8a294a93f6ad48edb3b1e8199fbfbed4a6dd78c180e3c29e7eaae6

SHA512
4b7206bb343e9bf0694f732a282a71bf24fbf3520656bb186323091762b64d8dbf4c4cd580e6f93ef5a1478ab6af47fef1a6264f51d380d23f40792478a1b161

Download Submit
C:\Users\Admin\AppData\Roaming\HDH\HDH.exe
MD5
45a4b5682899474927c9184aaeeed2a0

SHA1
07106912a9aff461a3b4e8201474e0a70c0c4afa

SHA256
7edb2695de8a294a93f6ad48edb3b1e8199fbfbed4a6dd78c180e3c29e7eaae6

SHA512
4b7206bb343e9bf0694f732a282a71bf24fbf3520656bb186323091762b64d8dbf4c4cd580e6f93ef5a1478ab6af47fef1a6264f51d380d23f40792478a1b161

Download Submit
memory/768-125-0x0000000007840000-0x00000000078A6000-memory.dmp

Filesize
408KB

Download
memory/768-126-0x00000000078B0000-0x0000000007C00000-memory.dmp

Filesize
3.3MB

Download
memory/768-128-0x0000000007E00000-0x0000000007E4B000-memory.dmp

Filesize
300KB

Download
memory/768-129-0x00000000080D0000-0x0000000008146000-memory.dmp

Filesize
472KB

Download
memory/768-121-0x0000000001150000-0x0000000001151000-memory.dmp

Filesize
4KB

Download
memory/768-122-0x0000000001152000-0x0000000001153000-memory.dmp

Filesize
4KB

Download
memory/768-119-0x0000000001160000-0x0000000001196000-memory.dmp

Filesize
216KB

Download
memory/768-127-0x0000000006C20000-0x0000000006C3C000-memory.dmp

Filesize
112KB

Download
memory/768-120-0x0000000007030000-0x0000000007658000-memory.dmp

Filesize
6.2MB

Download
memory/768-123-0x0000000006FF0000-0x0000000007012000-memory.dmp

Filesize
136KB

Download
memory/768-124-0x00000000076D0000-0x0000000007736000-memory.dmp

Filesize
408KB

Download
memory/832-154-0x0000000005470000-0x000000000596E000-memory.dmp

Filesize
5.0MB

Download
memory/1972-150-0x0000000000DC2000-0x0000000000DC3000-memory.dmp

Filesize
4KB

Download
memory/1972-149-0x0000000000DC0000-0x0000000000DC1000-memory.dmp

Filesize
4KB

Download
memory/2312-140-0x0000000005300000-0x0000000005321000-memory.dmp

Filesize
132KB

Download
memory/2312-139-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2352-159-0x0000000002750000-0x0000000002751000-memory.dmp

Filesize
4KB

Download
memory/2352-160-0x0000000005230000-0x00000000052CC000-memory.dmp

Filesize
624KB

Download
memory/3608-136-0x0000000006110000-0x00000000061A2000-memory.dmp

Filesize
584KB

Download
memory/3608-115-0x00000000005E0000-0x00000000005F0000-memory.dmp

Filesize
64KB

Download
memory/3608-138-0x0000000006320000-0x000000000636C000-memory.dmp

Filesize
304KB

Download
memory/3608-137-0x00000000060C0000-0x00000000060F2000-memory.dmp

Filesize
200KB

Download
memory/3608-135-0x0000000004E80000-0x0000000004E8A000-memory.dmp

Filesize
40KB

Download
memory/3608-116-0x0000000005270000-0x000000000576E000-memory.dmp

Filesize
5.0MB

Download
memory/3608-134-0x0000000004E20000-0x0000000004E6A000-memory.dmp

Filesize
296KB

Download
memory/3608-133-0x0000000006100000-0x0000000006101000-memory.dmp

Filesize
4KB

Download