Analysis
max time kernel: 145s
max time network: 149s
platform: windows10-2004_x64
resource: win10v2004-en-20220112
submitted: 18-02-2022 11:16
Static task: static1
Behavioral task: behavioral1
Sample: af1c3dd3dc0c3a7e1b4d829f79077e41e17ce8f95cbdcfef7cc7bc0e5b18c7d8.exe
Resource: win10v2004-en-20220112
General
Target: af1c3dd3dc0c3a7e1b4d829f79077e41e17ce8f95cbdcfef7cc7bc0e5b18c7d8.exe
Size: 32KB
MD5: cc1b6971441d2ec84c14247d4f014912
SHA1: a786dcb3bffe527a6954d3c242138d34707e21d3
SHA256: af1c3dd3dc0c3a7e1b4d829f79077e41e17ce8f95cbdcfef7cc7bc0e5b18c7d8
SHA512: a91cf7ebd024a5431ee8e2202740809fb6dace5d4965be107b6f83bbed34f21bde21d45a79e08401791cd204db8d9c23b00d791f8bc5714a6e33022f8aada77b
Malware Config
Extracted
Family: asyncrat
Version: 0.5.7B
Botnet (group ID): 1
C2: 212.193.30.54:8755
Mutex: gyQ12!.,=FD7trew
Attributes:
  anti_vm: false
  bsod: false
  delay: 3
  install: false
  install_folder: %AppData%
  pastebin_config: null
Note: the extracted config has install=false, so the AsyncRAT payload itself is not configured to install; the Run key recorded under Signatures below was set by the sample process (PID 3312), not by the payload running inside MSBuild.exe.
Signatures
(sample = af1c3dd3dc0c3a7e1b4d829f79077e41e17ce8f95cbdcfef7cc7bc0e5b18c7d8.exe, PID 3312)

Async RAT payload (1 IoC)
  resource: behavioral1/memory/2596-135-0x0000000000400000-0x0000000000412000-memory.dmp
  yara_rule: asyncrat

Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
  sample: Key value queried \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation

Adds Run key to start application (2 TTPs, 1 IoC)
  sample: Set value (str) \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Zdrqamx = "C:\Users\Admin\AppData\Roaming\Txdlljii\Zdrqamx.exe"
  (the value data is the quoted path; the sandbox prints it with JSON-style escaping)

Suspicious use of SetThreadContext (1 IoC)
  PID 3312 (sample) set thread context of PID 2596 MSBuild.exe

Drops file in Windows directory (3 IoCs)
  svchost.exe: File opened for modification C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\DeliveryOptimization\State\keyValueLKG.dat
  TiWorker.exe: File opened for modification C:\Windows\Logs\CBS\CBS.log
  TiWorker.exe: File opened for modification C:\Windows\WinSxS\pending.xml

Enumerates physical storage devices (1 TTP; no IoCs recorded)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
  MusNotifyIcon.exe: Key opened \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0
  MusNotifyIcon.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz

Modifies data under HKEY_USERS (50 IoCs)
All by svchost.exe, all under \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization (paths below are relative to that key):
  Set value (int) Usage\DownloadMonthlyInternetBytes = "0"
  Set value (int) Usage\BkDownloadRatePct = "45"
  Set value (int) Usage\MemoryUsageKB = "4328"
  Set value (str) Usage\CPUpct = "3.425126"
  Set value (int) Usage\DownloadMonthlyRateBkCnt = "0"
  Set value (int) Usage\LANConnectionCount = "0"
  Set value (int) Usage\LinkLocalConnectionCount = "0"
  Set value (int) Usage\NormalDownloadPendingCount = "0"
  Set value (int) Usage\CDNConnectionCount = "0"
  Set value (int) Usage\UploadRatePct = "100"
  Set value (int) Usage\MonthlyUploadRestriction = "0"
  Set value (int) Usage\MemoryUsageKB = "4132"
  Set value (int) Config\DownloadMode_BackCompat = "1"
  Set value (int) Usage\DownloadMonthlyCdnBytes = "0"
  Set value (int) Usage\DownloadMonthlyCacheHostBytes = "0"
  Set value (int) Usage\DownloadMonthlyRateFrBps = "0"
  Set value (str) Usage\CPUpct = "5.882309"
  Set value (int) Usage\PriorityDownloadPendingCount = "0"
  Set value (str) Usage\CPUpct = "0.000000"
  Set value (int) Usage\PeerInfoCount = "0"
  Set value (int) Usage\InternetConnectionCount = "0"
  Set value (int) Usage\UplinkBps = "0"
  Set value (int) Usage\PriorityDownloadCount = "0"
  Set value (int) Usage\GroupConnectionCount = "0"
  Set value (int) Usage\DownlinkBps = "0"
  Set value (int) Usage\UplinkUsageBps = "0"
  Set value (int) Usage\FrDownloadRatePct = "90"
  Key created Config
  Key created Usage
  Set value (int) Usage\DownloadMonthlyGroupBytes = "0"
  Set value (int) Usage\MonthID = "2"
  Set value (int) Usage\NormalDownloadCount = "0"
  Set value (int) Usage\CacheSizeBytes = "0"
  Set value (int) Usage\DownloadMonthlyLanBytes = "0"
  Set value (int) Usage\DownloadMonthlyLinkLocalBytes = "0"
  Set value (int) Usage\DownloadMonthlyRateFrCnt = "0"
  Set value (int) Usage\SwarmCount = "1"
  Set value (int) Config\KVFileExpirationTime = "132898329887021448"
  Set value (str) Config\GeoVersion_EndpointFullUri = "https://geover.prod.do.dsp.mp.microsoft.com/geoversion"
  Set value (int) Usage\SwarmCount = "0"
  Key created Settings
  Set value (int) Config\DODownloadMode = "1"
  Set value (int) Usage\UploadMonthlyInternetBytes = "0"
  Set value (int) Usage\UploadMonthlyLanBytes = "0"
  Set value (int) Usage\UploadCount = "0"
  Set value (int) Usage\MemoryUsageKB = "4052"
  Key created (the DeliveryOptimization key itself)
  Set value (int) Usage\DownloadMonthlyRateBkBps = "0"
  Set value (str) Config\Geo_EndpointFullUri = "https://geo.prod.do.dsp.mp.microsoft.com/geo"
  Set value (int) Usage\DownlinkUsageBps = "0"

Runs ping.exe (1 TTP, 10 IoCs)
  PING.EXE PIDs: 672, 2088, 3348, 3628, 3724, 2088, 2472, 1284, 3604, 1944
  (PID 2088 appears twice: the WriteProcessMemory IoCs below show two different cmd.exe parents, 2680 and 1280, writing to a PID 2088, so the PID was reused during the run)

Suspicious behavior: EnumeratesProcesses (2 IoCs)
  PID 3312 (sample), two occurrences

Suspicious use of AdjustPrivilegeToken (64 IoCs)
  All by PID 1416 TiWorker.exe. Token adjustments in order: SeSecurityPrivilege, SeRestorePrivilege, SeBackupPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeSecurityPrivilege, then the triple (SeBackupPrivilege, SeRestorePrivilege, SeSecurityPrivilege) repeated 19 times, then SeBackupPrivilege.

Suspicious use of WriteProcessMemory (64 IoCs)
  source PID (process)  ->  target PID (process)   count
  3312 (sample)         ->  3956 (cmd.exe)         3
  3956 (cmd.exe)        ->  1284 (PING.EXE)        3
  3312 (sample)         ->  2880 (cmd.exe)         3
  2880 (cmd.exe)        ->  672  (PING.EXE)        3
  3312 (sample)         ->  2680 (cmd.exe)         3
  2680 (cmd.exe)        ->  2088 (PING.EXE)        3
  3312 (sample)         ->  1788 (cmd.exe)         3
  1788 (cmd.exe)        ->  3348 (PING.EXE)        3
  3312 (sample)         ->  2636 (cmd.exe)         3
  2636 (cmd.exe)        ->  1944 (PING.EXE)        3
  3312 (sample)         ->  1948 (cmd.exe)         3
  1948 (cmd.exe)        ->  3604 (PING.EXE)        3
  3312 (sample)         ->  492  (cmd.exe)         3
  492  (cmd.exe)        ->  3628 (PING.EXE)        3
  3312 (sample)         ->  3068 (cmd.exe)         3
  3068 (cmd.exe)        ->  3724 (PING.EXE)        3
  3312 (sample)         ->  1280 (cmd.exe)         3
  1280 (cmd.exe)        ->  2088 (PING.EXE)        3
  3312 (sample)         ->  1940 (cmd.exe)         3
  1940 (cmd.exe)        ->  2472 (PING.EXE)        3
  3312 (sample)         ->  2596 (MSBuild.exe)     4
Processes
(depth in the tree is shown in brackets; signatures attributed to each process follow it)

[1] C:\Users\Admin\AppData\Local\Temp\af1c3dd3dc0c3a7e1b4d829f79077e41e17ce8f95cbdcfef7cc7bc0e5b18c7d8.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\af1c3dd3dc0c3a7e1b4d829f79077e41e17ce8f95cbdcfef7cc7bc0e5b18c7d8.exe"
    - Checks computer location settings
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory

    [2] C:\Windows\SysWOW64\cmd.exe
        command line: "C:\Windows\System32\cmd.exe" /c ping yahoo.com
        - Suspicious use of WriteProcessMemory
        [3] C:\Windows\SysWOW64\PING.EXE
            command line: ping yahoo.com
            - Runs ping.exe
    (this cmd.exe -> PING.EXE pair occurs ten times under the sample, all with the identical command line; the individual PIDs are listed under Runs ping.exe and Suspicious use of WriteProcessMemory above. The SysWOW64 paths show the sample and its children run as 32-bit processes.)

    [2] C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        (no signatures of its own; PID 2596, the target of the sample's WriteProcessMemory and SetThreadContext IoCs and the process whose memory dump matched the asyncrat YARA rule)

The remaining three processes are top-level entries, not children of the sample; they are Windows update/servicing components (update notification tray icon, the NetworkService svchost hosting Delivery Optimization, and the TrustedInstaller worker) that happened to run during the analysis window:

[1] C:\Windows\system32\MusNotifyIcon.exe
    command line: %systemroot%\system32\MusNotifyIcon.exe NotifyTrayIcon 13
    - Checks processor information in registry

[1] C:\Windows\System32\svchost.exe
    command line: C:\Windows\System32\svchost.exe -k NetworkService -p
    - Drops file in Windows directory
    - Modifies data under HKEY_USERS

[1] C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
    command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
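The three behaviours the report attributes to the sample itself (a loop of cmd.exe /c ping spawns used as a delay, a Run key whose target lives under %AppData%, and WriteProcessMemory followed by SetThreadContext against a freshly spawned child MSBuild.exe) can be written as detection logic over process, registry and injection events. The Python below is an added example; it is not part of the sandbox report or of any tool it names. The event records are constructed from the PIDs, paths and command lines listed above (the report gives no timestamps and no parent PID for the sample, so ordering is assumed and the parent is recorded as unknown), and the threshold of three ping spawns per parent is an assumed tuning value.

```python
"""Detection logic for the sample-attributed behaviours in the report.

The Event records are CONSTRUCTED from the PIDs and paths the report lists;
ordering and the sample's parent PID are not in the report and are assumed.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass
import ntpath
import re

SAMPLE = "af1c3dd3dc0c3a7e1b4d829f79077e41e17ce8f95cbdcfef7cc7bc0e5b18c7d8.exe"
RUN_KEY = "\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\"
MSBUILD = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"


@dataclass(frozen=True)
class Event:
    kind: str                 # "process" | "registry" | "inject"
    pid: int
    image: str
    parent: int = 0           # 0 = unknown (the report gives no parent for the sample)
    cmdline: str = ""
    target_pid: int = 0       # inject: PID written to / whose thread context was set
    target_image: str = ""
    api: str = ""             # inject: "WriteProcessMemory" | "SetThreadContext"
    key: str = ""             # registry: full key path including the value name
    value: str = ""           # registry: value data


def _proc(pid, image, parent, cmdline):
    return Event("process", pid, image, parent=parent, cmdline=cmdline)


# (cmd.exe PID, PING.EXE PID) pairs taken from the WriteProcessMemory IoCs.
# PID 2088 appears twice: two different cmd.exe parents (2680, 1280) wrote to it.
PING_PAIRS = [(3956, 1284), (2880, 672), (2680, 2088), (1788, 3348), (2636, 1944),
              (1948, 3604), (492, 3628), (3068, 3724), (1280, 2088), (1940, 2472)]

EVENTS = [_proc(3312, SAMPLE, 0, f'"C:\\Users\\Admin\\AppData\\Local\\Temp\\{SAMPLE}"')]
for cmd_pid, ping_pid in PING_PAIRS:
    EVENTS.append(_proc(cmd_pid, r"C:\Windows\SysWOW64\cmd.exe", 3312,
                        '"C:\\Windows\\System32\\cmd.exe" /c ping yahoo.com'))
    EVENTS.append(_proc(ping_pid, r"C:\Windows\SysWOW64\PING.EXE", cmd_pid, "ping yahoo.com"))
EVENTS += [
    _proc(2596, MSBUILD, 3312, MSBUILD),
    Event("inject", 3312, SAMPLE, target_pid=2596, target_image=MSBUILD, api="WriteProcessMemory"),
    Event("inject", 3312, SAMPLE, target_pid=2596, target_image=MSBUILD, api="SetThreadContext"),
    Event("registry", 3312, SAMPLE,
          key="\\REGISTRY\\USER\\S-1-5-21-790714498-1549421491-1643397139-1000" + RUN_KEY + "Zdrqamx",
          value=r'"C:\Users\Admin\AppData\Roaming\Txdlljii\Zdrqamx.exe"'),
]


def ping_delay_loops(events, threshold=3):
    """Parents that repeatedly spawn `cmd /c ping ...`: a sleep built from
    system binaries. Returns {parent_pid: count} for counts >= threshold
    (threshold is an assumed tuning value)."""
    counts = Counter(
        e.parent for e in events
        if e.kind == "process"
        and ntpath.basename(e.image).lower() == "cmd.exe"
        and re.search(r"/c\s+ping\b", e.cmdline, re.I))
    return {pid: n for pid, n in counts.items() if n >= threshold}


def hollowing_candidates(events):
    """A process that spawns a child, writes into it and then replaces a thread
    context is the classic hollowing sequence. Returns a sorted list of
    (injector_pid, target_pid, target_basename)."""
    parent_of = {e.pid: e.parent for e in events if e.kind == "process"}
    apis = defaultdict(set)
    for e in events:
        if e.kind == "inject":
            apis[(e.pid, e.target_pid, ntpath.basename(e.target_image))].add(e.api)
    return sorted(
        (src, dst, name) for (src, dst, name), seen in apis.items()
        if {"WriteProcessMemory", "SetThreadContext"} <= seen and parent_of.get(dst) == src)


def appdata_run_keys(events):
    """Run-key values whose target lies under a user-writable AppData directory.
    Returns [(pid, value_name, target_path)]."""
    hits = []
    for e in events:
        if e.kind != "registry" or RUN_KEY.lower() not in e.key.lower():
            continue
        target = e.value.strip().strip('"')          # value data is the quoted path
        if re.search(r"\\AppData\\", target, re.I):
            hits.append((e.pid, e.key.rsplit("\\", 1)[1], target))
    return hits


if __name__ == "__main__":
    print("ping delay loops :", ping_delay_loops(EVENTS))
    print("hollowing        :", hollowing_candidates(EVENTS))
    print("AppData Run keys :", appdata_run_keys(EVENTS))
```

Each detector keys on the relationship between events rather than on a single process name, so the hollowing check fires on any parent that both writes to and re-points a thread in its own child, not only on MSBuild.exe, and the ping check counts spawns per parent so that a single legitimate ping from a script does not trip it.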
Downloads (memory dumps)
dump (memory/<pid>-<sequence>-<start>-<end>-memory.dmp)                   size
memory/2596-135-0x0000000000400000-0x0000000000412000-memory.dmp           72KB
memory/2596-136-0x0000000074B9E000-0x0000000074B9F000-memory.dmp           4KB
memory/2596-137-0x0000000005480000-0x0000000005481000-memory.dmp           4KB
memory/2596-138-0x0000000005770000-0x000000000580C000-memory.dmp           624KB
memory/2596-139-0x0000000005810000-0x0000000005876000-memory.dmp           408KB
memory/3312-130-0x0000000074B9E000-0x0000000074B9F000-memory.dmp           4KB
memory/3312-131-0x00000000003C0000-0x00000000003CE000-memory.dmp           56KB
memory/3312-132-0x000000000C500000-0x000000000CAA4000-memory.dmp           5.6MB
memory/3312-133-0x0000000004C90000-0x0000000004C91000-memory.dmp           4KB
memory/3312-134-0x0000000005580000-0x0000000005612000-memory.dmp           584KB
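The dump names encode the owning PID and the dumped address range, so they can be cross-checked against the listed sizes and tied back to the process tree: the asyncrat YARA hit is the 0x400000 region of PID 2596 (the MSBuild.exe whose thread context the sample set), and one 4KB range at 0x74B9E000 was dumped from both PID 2596 and PID 3312. The Python below is an added example, not part of the report; the names and sizes are copied from the list above, and the 2% tolerance used to accept rounded sizes such as 5.6MB is an assumed value.

```python
"""Parse sandbox memory-dump names, verify region sizes against the listed
file sizes, and relate the regions to the PIDs in the process tree.

DUMPS is copied from the report's Downloads list; the checks are added here.
"""
import re
from collections import defaultdict

DUMP_RE = re.compile(r"memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp")
SIZE_RE = re.compile(r"([\d.]+)\s*(B|KB|MB|GB)")
UNIT = {"B": 1, "KB": 1024, "MB": 1024 ** 2, "GB": 1024 ** 3}

# (dump name, size as listed) from the Downloads section of the report.
DUMPS = [
    ("memory/2596-135-0x0000000000400000-0x0000000000412000-memory.dmp", "72KB"),
    ("memory/2596-136-0x0000000074B9E000-0x0000000074B9F000-memory.dmp", "4KB"),
    ("memory/2596-137-0x0000000005480000-0x0000000005481000-memory.dmp", "4KB"),
    ("memory/2596-138-0x0000000005770000-0x000000000580C000-memory.dmp", "624KB"),
    ("memory/2596-139-0x0000000005810000-0x0000000005876000-memory.dmp", "408KB"),
    ("memory/3312-130-0x0000000074B9E000-0x0000000074B9F000-memory.dmp", "4KB"),
    ("memory/3312-131-0x00000000003C0000-0x00000000003CE000-memory.dmp", "56KB"),
    ("memory/3312-132-0x000000000C500000-0x000000000CAA4000-memory.dmp", "5.6MB"),
    ("memory/3312-133-0x0000000004C90000-0x0000000004C91000-memory.dmp", "4KB"),
    ("memory/3312-134-0x0000000005580000-0x0000000005612000-memory.dmp", "584KB"),
]
# The dump named by the asyncrat YARA hit in the Signatures section.
YARA_HIT = "memory/2596-135-0x0000000000400000-0x0000000000412000-memory.dmp"


def parse_dump(name):
    """memory/<pid>-<seq>-<start>-<end>-memory.dmp -> dict with ints."""
    m = DUMP_RE.fullmatch(name)
    if m is None:
        raise ValueError(f"unrecognised dump name: {name}")
    pid, seq, start, end = int(m[1]), int(m[2]), int(m[3], 16), int(m[4], 16)
    if end <= start:
        raise ValueError(f"empty or inverted region in {name}")
    return {"name": name, "pid": pid, "seq": seq, "start": start, "end": end, "size": end - start}


def parse_size(text):
    """'72KB' -> 73728.0; '5.6MB' -> 5872025.6 (listed sizes are rounded)."""
    m = SIZE_RE.fullmatch(text.strip())
    if m is None:
        raise ValueError(f"unrecognised size: {text}")
    return float(m[1]) * UNIT[m[2]]


def size_consistent(region_size, listed, tolerance=0.02):
    """True if the dumped range length matches the listed file size within
    a relative tolerance (assumed 2%, to absorb rounding such as '5.6MB')."""
    expected = parse_size(listed)
    return abs(region_size - expected) <= tolerance * expected


def regions_by_pid(dumps):
    """{pid: sorted [(start, end), ...]} for every dump."""
    out = defaultdict(list)
    for name, _ in dumps:
        d = parse_dump(name)
        out[d["pid"]].append((d["start"], d["end"]))
    return {pid: sorted(v) for pid, v in out.items()}


def shared_regions(dumps):
    """Address ranges dumped from more than one PID; an identical range in two
    32-bit processes is typically the same module mapped at the same base."""
    by_range = defaultdict(set)
    for name, _ in dumps:
        d = parse_dump(name)
        by_range[(d["start"], d["end"])].add(d["pid"])
    return sorted(r for r, pids in by_range.items() if len(pids) > 1)


def dump_containing(dumps, pid, addr):
    """Name of the dump from `pid` whose range contains `addr`, or None."""
    for name, _ in dumps:
        d = parse_dump(name)
        if d["pid"] == pid and d["start"] <= addr < d["end"]:
            return name
    return None


if __name__ == "__main__":
    for name, listed in DUMPS:
        d = parse_dump(name)
        print(f"{name}: {d['size']:#x} bytes, listed {listed}, "
              f"{'ok' if size_consistent(d['size'], listed) else 'MISMATCH'}")
    print("shared ranges:", [(hex(a), hex(b)) for a, b in shared_regions(DUMPS)])
    print("YARA hit owner PID:", parse_dump(YARA_HIT)["pid"])
```

Running this against the list shows every region length agrees with its listed size (the 0x400000-0x412000 hit region is exactly 72KB) and that only the 0x74B9E000-0x74B9F000 page is common to both processes; everything else dumped from PID 2596 is distinct from what was dumped from the sample's own process.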