asyncrat | af1c3dd3dc0c3a7e1b4d829f79077e41e17ce8f95cbdcfef7cc7bc0e5b18c7d8

General

Target

af1c3dd3dc0c3a7e1b4d829f79077e41e17ce8f95cbdcfef7cc7bc0e5b18c7d8.exe
Size

32KB
MD5

cc1b6971441d2ec84c14247d4f014912
SHA1

a786dcb3bffe527a6954d3c242138d34707e21d3
SHA256

af1c3dd3dc0c3a7e1b4d829f79077e41e17ce8f95cbdcfef7cc7bc0e5b18c7d8
SHA512

a91cf7ebd024a5431ee8e2202740809fb6dace5d4965be107b6f83bbed34f21bde21d45a79e08401791cd204db8d9c23b00d791f8bc5714a6e33022f8aada77b

Score

10^/10

asyncrat 1 persistence rat

Malware Config

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

1

C2

212.193.30.54:8755

Mutex

gyQ12!.,=FD7trew

Attributes

anti_vm
false
bsod
false
delay
3
install
false
install_folder
%AppData%
pastebin_config
null

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers.
rat asyncrat

Async RAT payload 1 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/2596-135-0x0000000000400000-0x0000000000412000-memory.dmp	asyncrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

af1c3dd3dc0c3a7e1b4d829f79077e41e17ce8f95cbdcfef7cc7bc0e5b18c7d8.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation	af1c3dd3dc0c3a7e1b4d829f79077e41e17ce8f95cbdcfef7cc7bc0e5b18c7d8.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

af1c3dd3dc0c3a7e1b4d829f79077e41e17ce8f95cbdcfef7cc7bc0e5b18c7d8.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Zdrqamx = "\"C:\\Users\\Admin\\AppData\\Roaming\\Txdlljii\\Zdrqamx.exe\""	af1c3dd3dc0c3a7e1b4d829f79077e41e17ce8f95cbdcfef7cc7bc0e5b18c7d8.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

af1c3dd3dc0c3a7e1b4d829f79077e41e17ce8f95cbdcfef7cc7bc0e5b18c7d8.exe

description	pid	process	target process
PID 3312 set thread context of 2596	3312	af1c3dd3dc0c3a7e1b4d829f79077e41e17ce8f95cbdcfef7cc7bc0e5b18c7d8.exe	MSBuild.exe

Drops file in Windows directory 3 IoCs

Processes:

svchost.exeTiWorker.exe

description	ioc	process
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\DeliveryOptimization\State\keyValueLKG.dat	svchost.exe
File opened for modification	C:\Windows\Logs\CBS\CBS.log	TiWorker.exe
File opened for modification	C:\Windows\WinSxS\pending.xml	TiWorker.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

MusNotifyIcon.exe

description	ioc	process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	MusNotifyIcon.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	MusNotifyIcon.exe

Modifies data under HKEY_USERS 50 IoCs

Processes:

svchost.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyInternetBytes = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\BkDownloadRatePct = "45"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MemoryUsageKB = "4328"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CPUpct = "3.425126"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateBkCnt = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\LANConnectionCount = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\LinkLocalConnectionCount = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\NormalDownloadPendingCount = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CDNConnectionCount = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadRatePct = "100"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MonthlyUploadRestriction = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MemoryUsageKB = "4132"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\DownloadMode_BackCompat = "1"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyCdnBytes = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyCacheHostBytes = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateFrBps = "0"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CPUpct = "5.882309"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\PriorityDownloadPendingCount = "0"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CPUpct = "0.000000"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\PeerInfoCount = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\InternetConnectionCount = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UplinkBps = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\PriorityDownloadCount = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\GroupConnectionCount = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownlinkBps = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UplinkUsageBps = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\FrDownloadRatePct = "90"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyGroupBytes = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MonthID = "2"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\NormalDownloadCount = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CacheSizeBytes = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyLanBytes = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyLinkLocalBytes = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateFrCnt = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\SwarmCount = "1"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\KVFileExpirationTime = "132898329887021448"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\GeoVersion_EndpointFullUri = "https://geover.prod.do.dsp.mp.microsoft.com/geoversion"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\SwarmCount = "0"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Settings	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\DODownloadMode = "1"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadMonthlyInternetBytes = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadMonthlyLanBytes = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadCount = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MemoryUsageKB = "4052"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateBkBps = "0"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\Geo_EndpointFullUri = "https://geo.prod.do.dsp.mp.microsoft.com/geo"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownlinkUsageBps = "0"	svchost.exe

Runs ping.exe 1 TTPs 10 IoCs

Remote System Discovery
T1018

Processes:

PING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXE

pid process

672 PING.EXE
2088 PING.EXE
3348 PING.EXE
3628 PING.EXE
3724 PING.EXE
2088 PING.EXE
2472 PING.EXE
1284 PING.EXE
3604 PING.EXE
1944 PING.EXE

pid	process
672	PING.EXE
2088	PING.EXE
3348	PING.EXE
3628	PING.EXE
3724	PING.EXE
2088	PING.EXE
2472	PING.EXE
1284	PING.EXE
3604	PING.EXE
1944	PING.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

af1c3dd3dc0c3a7e1b4d829f79077e41e17ce8f95cbdcfef7cc7bc0e5b18c7d8.exe

pid	process
3312	af1c3dd3dc0c3a7e1b4d829f79077e41e17ce8f95cbdcfef7cc7bc0e5b18c7d8.exe
3312	af1c3dd3dc0c3a7e1b4d829f79077e41e17ce8f95cbdcfef7cc7bc0e5b18c7d8.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

TiWorker.exe

description	pid	process
Token: SeSecurityPrivilege	1416	TiWorker.exe
Token: SeRestorePrivilege	1416	TiWorker.exe
Token: SeBackupPrivilege	1416	TiWorker.exe
Token: SeBackupPrivilege	1416	TiWorker.exe
Token: SeRestorePrivilege	1416	TiWorker.exe
Token: SeSecurityPrivilege	1416	TiWorker.exe
Token: SeBackupPrivilege	1416	TiWorker.exe
Token: SeRestorePrivilege	1416	TiWorker.exe
Token: SeSecurityPrivilege	1416	TiWorker.exe
Token: SeBackupPrivilege	1416	TiWorker.exe
Token: SeRestorePrivilege	1416	TiWorker.exe
Token: SeSecurityPrivilege	1416	TiWorker.exe
Token: SeBackupPrivilege	1416	TiWorker.exe
Token: SeRestorePrivilege	1416	TiWorker.exe
Token: SeSecurityPrivilege	1416	TiWorker.exe
Token: SeBackupPrivilege	1416	TiWorker.exe
Token: SeRestorePrivilege	1416	TiWorker.exe
Token: SeSecurityPrivilege	1416	TiWorker.exe
Token: SeBackupPrivilege	1416	TiWorker.exe
Token: SeRestorePrivilege	1416	TiWorker.exe
Token: SeSecurityPrivilege	1416	TiWorker.exe
Token: SeBackupPrivilege	1416	TiWorker.exe
Token: SeRestorePrivilege	1416	TiWorker.exe
Token: SeSecurityPrivilege	1416	TiWorker.exe
Token: SeBackupPrivilege	1416	TiWorker.exe
Token: SeRestorePrivilege	1416	TiWorker.exe
Token: SeSecurityPrivilege	1416	TiWorker.exe
Token: SeBackupPrivilege	1416	TiWorker.exe
Token: SeRestorePrivilege	1416	TiWorker.exe
Token: SeSecurityPrivilege	1416	TiWorker.exe
Token: SeBackupPrivilege	1416	TiWorker.exe
Token: SeRestorePrivilege	1416	TiWorker.exe
Token: SeSecurityPrivilege	1416	TiWorker.exe
Token: SeBackupPrivilege	1416	TiWorker.exe
Token: SeRestorePrivilege	1416	TiWorker.exe
Token: SeSecurityPrivilege	1416	TiWorker.exe
Token: SeBackupPrivilege	1416	TiWorker.exe
Token: SeRestorePrivilege	1416	TiWorker.exe
Token: SeSecurityPrivilege	1416	TiWorker.exe
Token: SeBackupPrivilege	1416	TiWorker.exe
Token: SeRestorePrivilege	1416	TiWorker.exe
Token: SeSecurityPrivilege	1416	TiWorker.exe
Token: SeBackupPrivilege	1416	TiWorker.exe
Token: SeRestorePrivilege	1416	TiWorker.exe
Token: SeSecurityPrivilege	1416	TiWorker.exe
Token: SeBackupPrivilege	1416	TiWorker.exe
Token: SeRestorePrivilege	1416	TiWorker.exe
Token: SeSecurityPrivilege	1416	TiWorker.exe
Token: SeBackupPrivilege	1416	TiWorker.exe
Token: SeRestorePrivilege	1416	TiWorker.exe
Token: SeSecurityPrivilege	1416	TiWorker.exe
Token: SeBackupPrivilege	1416	TiWorker.exe
Token: SeRestorePrivilege	1416	TiWorker.exe
Token: SeSecurityPrivilege	1416	TiWorker.exe
Token: SeBackupPrivilege	1416	TiWorker.exe
Token: SeRestorePrivilege	1416	TiWorker.exe
Token: SeSecurityPrivilege	1416	TiWorker.exe
Token: SeBackupPrivilege	1416	TiWorker.exe
Token: SeRestorePrivilege	1416	TiWorker.exe
Token: SeSecurityPrivilege	1416	TiWorker.exe
Token: SeBackupPrivilege	1416	TiWorker.exe
Token: SeRestorePrivilege	1416	TiWorker.exe
Token: SeSecurityPrivilege	1416	TiWorker.exe
Token: SeBackupPrivilege	1416	TiWorker.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

af1c3dd3dc0c3a7e1b4d829f79077e41e17ce8f95cbdcfef7cc7bc0e5b18c7d8.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 3312 wrote to memory of 3956	3312	af1c3dd3dc0c3a7e1b4d829f79077e41e17ce8f95cbdcfef7cc7bc0e5b18c7d8.exe	cmd.exe
PID 3312 wrote to memory of 3956	3312	af1c3dd3dc0c3a7e1b4d829f79077e41e17ce8f95cbdcfef7cc7bc0e5b18c7d8.exe	cmd.exe
PID 3312 wrote to memory of 3956	3312	af1c3dd3dc0c3a7e1b4d829f79077e41e17ce8f95cbdcfef7cc7bc0e5b18c7d8.exe	cmd.exe
PID 3956 wrote to memory of 1284	3956	cmd.exe	PING.EXE
PID 3956 wrote to memory of 1284	3956	cmd.exe	PING.EXE
PID 3956 wrote to memory of 1284	3956	cmd.exe	PING.EXE
PID 3312 wrote to memory of 2880	3312	af1c3dd3dc0c3a7e1b4d829f79077e41e17ce8f95cbdcfef7cc7bc0e5b18c7d8.exe	cmd.exe
PID 3312 wrote to memory of 2880	3312	af1c3dd3dc0c3a7e1b4d829f79077e41e17ce8f95cbdcfef7cc7bc0e5b18c7d8.exe	cmd.exe
PID 3312 wrote to memory of 2880	3312	af1c3dd3dc0c3a7e1b4d829f79077e41e17ce8f95cbdcfef7cc7bc0e5b18c7d8.exe	cmd.exe
PID 2880 wrote to memory of 672	2880	cmd.exe	PING.EXE
PID 2880 wrote to memory of 672	2880	cmd.exe	PING.EXE
PID 2880 wrote to memory of 672	2880	cmd.exe	PING.EXE
PID 3312 wrote to memory of 2680	3312	af1c3dd3dc0c3a7e1b4d829f79077e41e17ce8f95cbdcfef7cc7bc0e5b18c7d8.exe	cmd.exe
PID 3312 wrote to memory of 2680	3312	af1c3dd3dc0c3a7e1b4d829f79077e41e17ce8f95cbdcfef7cc7bc0e5b18c7d8.exe	cmd.exe
PID 3312 wrote to memory of 2680	3312	af1c3dd3dc0c3a7e1b4d829f79077e41e17ce8f95cbdcfef7cc7bc0e5b18c7d8.exe	cmd.exe
PID 2680 wrote to memory of 2088	2680	cmd.exe	PING.EXE
PID 2680 wrote to memory of 2088	2680	cmd.exe	PING.EXE
PID 2680 wrote to memory of 2088	2680	cmd.exe	PING.EXE
PID 3312 wrote to memory of 1788	3312	af1c3dd3dc0c3a7e1b4d829f79077e41e17ce8f95cbdcfef7cc7bc0e5b18c7d8.exe	cmd.exe
PID 3312 wrote to memory of 1788	3312	af1c3dd3dc0c3a7e1b4d829f79077e41e17ce8f95cbdcfef7cc7bc0e5b18c7d8.exe	cmd.exe
PID 3312 wrote to memory of 1788	3312	af1c3dd3dc0c3a7e1b4d829f79077e41e17ce8f95cbdcfef7cc7bc0e5b18c7d8.exe	cmd.exe
PID 1788 wrote to memory of 3348	1788	cmd.exe	PING.EXE
PID 1788 wrote to memory of 3348	1788	cmd.exe	PING.EXE
PID 1788 wrote to memory of 3348	1788	cmd.exe	PING.EXE
PID 3312 wrote to memory of 2636	3312	af1c3dd3dc0c3a7e1b4d829f79077e41e17ce8f95cbdcfef7cc7bc0e5b18c7d8.exe	cmd.exe
PID 3312 wrote to memory of 2636	3312	af1c3dd3dc0c3a7e1b4d829f79077e41e17ce8f95cbdcfef7cc7bc0e5b18c7d8.exe	cmd.exe
PID 3312 wrote to memory of 2636	3312	af1c3dd3dc0c3a7e1b4d829f79077e41e17ce8f95cbdcfef7cc7bc0e5b18c7d8.exe	cmd.exe
PID 2636 wrote to memory of 1944	2636	cmd.exe	PING.EXE
PID 2636 wrote to memory of 1944	2636	cmd.exe	PING.EXE
PID 2636 wrote to memory of 1944	2636	cmd.exe	PING.EXE
PID 3312 wrote to memory of 1948	3312	af1c3dd3dc0c3a7e1b4d829f79077e41e17ce8f95cbdcfef7cc7bc0e5b18c7d8.exe	cmd.exe
PID 3312 wrote to memory of 1948	3312	af1c3dd3dc0c3a7e1b4d829f79077e41e17ce8f95cbdcfef7cc7bc0e5b18c7d8.exe	cmd.exe
PID 3312 wrote to memory of 1948	3312	af1c3dd3dc0c3a7e1b4d829f79077e41e17ce8f95cbdcfef7cc7bc0e5b18c7d8.exe	cmd.exe
PID 1948 wrote to memory of 3604	1948	cmd.exe	PING.EXE
PID 1948 wrote to memory of 3604	1948	cmd.exe	PING.EXE
PID 1948 wrote to memory of 3604	1948	cmd.exe	PING.EXE
PID 3312 wrote to memory of 492	3312	af1c3dd3dc0c3a7e1b4d829f79077e41e17ce8f95cbdcfef7cc7bc0e5b18c7d8.exe	cmd.exe
PID 3312 wrote to memory of 492	3312	af1c3dd3dc0c3a7e1b4d829f79077e41e17ce8f95cbdcfef7cc7bc0e5b18c7d8.exe	cmd.exe
PID 3312 wrote to memory of 492	3312	af1c3dd3dc0c3a7e1b4d829f79077e41e17ce8f95cbdcfef7cc7bc0e5b18c7d8.exe	cmd.exe
PID 492 wrote to memory of 3628	492	cmd.exe	PING.EXE
PID 492 wrote to memory of 3628	492	cmd.exe	PING.EXE
PID 492 wrote to memory of 3628	492	cmd.exe	PING.EXE
PID 3312 wrote to memory of 3068	3312	af1c3dd3dc0c3a7e1b4d829f79077e41e17ce8f95cbdcfef7cc7bc0e5b18c7d8.exe	cmd.exe
PID 3312 wrote to memory of 3068	3312	af1c3dd3dc0c3a7e1b4d829f79077e41e17ce8f95cbdcfef7cc7bc0e5b18c7d8.exe	cmd.exe
PID 3312 wrote to memory of 3068	3312	af1c3dd3dc0c3a7e1b4d829f79077e41e17ce8f95cbdcfef7cc7bc0e5b18c7d8.exe	cmd.exe
PID 3068 wrote to memory of 3724	3068	cmd.exe	PING.EXE
PID 3068 wrote to memory of 3724	3068	cmd.exe	PING.EXE
PID 3068 wrote to memory of 3724	3068	cmd.exe	PING.EXE
PID 3312 wrote to memory of 1280	3312	af1c3dd3dc0c3a7e1b4d829f79077e41e17ce8f95cbdcfef7cc7bc0e5b18c7d8.exe	cmd.exe
PID 3312 wrote to memory of 1280	3312	af1c3dd3dc0c3a7e1b4d829f79077e41e17ce8f95cbdcfef7cc7bc0e5b18c7d8.exe	cmd.exe
PID 3312 wrote to memory of 1280	3312	af1c3dd3dc0c3a7e1b4d829f79077e41e17ce8f95cbdcfef7cc7bc0e5b18c7d8.exe	cmd.exe
PID 1280 wrote to memory of 2088	1280	cmd.exe	PING.EXE
PID 1280 wrote to memory of 2088	1280	cmd.exe	PING.EXE
PID 1280 wrote to memory of 2088	1280	cmd.exe	PING.EXE
PID 3312 wrote to memory of 1940	3312	af1c3dd3dc0c3a7e1b4d829f79077e41e17ce8f95cbdcfef7cc7bc0e5b18c7d8.exe	cmd.exe
PID 3312 wrote to memory of 1940	3312	af1c3dd3dc0c3a7e1b4d829f79077e41e17ce8f95cbdcfef7cc7bc0e5b18c7d8.exe	cmd.exe
PID 3312 wrote to memory of 1940	3312	af1c3dd3dc0c3a7e1b4d829f79077e41e17ce8f95cbdcfef7cc7bc0e5b18c7d8.exe	cmd.exe
PID 1940 wrote to memory of 2472	1940	cmd.exe	PING.EXE
PID 1940 wrote to memory of 2472	1940	cmd.exe	PING.EXE
PID 1940 wrote to memory of 2472	1940	cmd.exe	PING.EXE
PID 3312 wrote to memory of 2596	3312	af1c3dd3dc0c3a7e1b4d829f79077e41e17ce8f95cbdcfef7cc7bc0e5b18c7d8.exe	MSBuild.exe
PID 3312 wrote to memory of 2596	3312	af1c3dd3dc0c3a7e1b4d829f79077e41e17ce8f95cbdcfef7cc7bc0e5b18c7d8.exe	MSBuild.exe
PID 3312 wrote to memory of 2596	3312	af1c3dd3dc0c3a7e1b4d829f79077e41e17ce8f95cbdcfef7cc7bc0e5b18c7d8.exe	MSBuild.exe
PID 3312 wrote to memory of 2596	3312	af1c3dd3dc0c3a7e1b4d829f79077e41e17ce8f95cbdcfef7cc7bc0e5b18c7d8.exe	MSBuild.exe

C:\Users\Admin\AppData\Local\Temp\af1c3dd3dc0c3a7e1b4d829f79077e41e17ce8f95cbdcfef7cc7bc0e5b18c7d8.exe
"C:\Users\Admin\AppData\Local\Temp\af1c3dd3dc0c3a7e1b4d829f79077e41e17ce8f95cbdcfef7cc7bc0e5b18c7d8.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3312

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c ping yahoo.com
2⤵
- Suspicious use of WriteProcessMemory
PID:3956

C:\Windows\SysWOW64\PING.EXE
ping yahoo.com
3⤵
- Runs ping.exe
PID:1284

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c ping yahoo.com
2⤵
- Suspicious use of WriteProcessMemory
PID:2880

C:\Windows\SysWOW64\PING.EXE
ping yahoo.com
3⤵
- Runs ping.exe
PID:672

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c ping yahoo.com
2⤵
- Suspicious use of WriteProcessMemory
PID:2680

C:\Windows\SysWOW64\PING.EXE
ping yahoo.com
3⤵
- Runs ping.exe
PID:2088

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c ping yahoo.com
2⤵
- Suspicious use of WriteProcessMemory
PID:1788

C:\Windows\SysWOW64\PING.EXE
ping yahoo.com
3⤵
- Runs ping.exe
PID:3348

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c ping yahoo.com
2⤵
- Suspicious use of WriteProcessMemory
PID:2636

C:\Windows\SysWOW64\PING.EXE
ping yahoo.com
3⤵
- Runs ping.exe
PID:1944

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c ping yahoo.com
2⤵
- Suspicious use of WriteProcessMemory
PID:1948

C:\Windows\SysWOW64\PING.EXE
ping yahoo.com
3⤵
- Runs ping.exe
PID:3604

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c ping yahoo.com
2⤵
- Suspicious use of WriteProcessMemory
PID:492

C:\Windows\SysWOW64\PING.EXE
ping yahoo.com
3⤵
- Runs ping.exe
PID:3628

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c ping yahoo.com
2⤵
- Suspicious use of WriteProcessMemory
PID:3068

C:\Windows\SysWOW64\PING.EXE
ping yahoo.com
3⤵
- Runs ping.exe
PID:3724

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c ping yahoo.com
2⤵
- Suspicious use of WriteProcessMemory
PID:1280

C:\Windows\SysWOW64\PING.EXE
ping yahoo.com
3⤵
- Runs ping.exe
PID:2088

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c ping yahoo.com
2⤵
- Suspicious use of WriteProcessMemory
PID:1940

C:\Windows\SysWOW64\PING.EXE
ping yahoo.com
3⤵
- Runs ping.exe
PID:2472

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
2⤵
PID:2596

C:\Windows\system32\MusNotifyIcon.exe
%systemroot%\system32\MusNotifyIcon.exe NotifyTrayIcon 13
1⤵
- Checks processor information in registry
PID:2900

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p
1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
PID:3464

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1416

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

3

T1082

Remote System Discovery

1

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2596-135-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2596-136-0x0000000074B9E000-0x0000000074B9F000-memory.dmp

Filesize
4KB

Download
memory/2596-137-0x0000000005480000-0x0000000005481000-memory.dmp

Filesize
4KB

Download
memory/2596-138-0x0000000005770000-0x000000000580C000-memory.dmp

Filesize
624KB

Download
memory/2596-139-0x0000000005810000-0x0000000005876000-memory.dmp

Filesize
408KB

Download
memory/3312-130-0x0000000074B9E000-0x0000000074B9F000-memory.dmp

Filesize
4KB

Download
memory/3312-131-0x00000000003C0000-0x00000000003CE000-memory.dmp

Filesize
56KB

Download
memory/3312-132-0x000000000C500000-0x000000000CAA4000-memory.dmp

Filesize
5.6MB

Download
memory/3312-133-0x0000000004C90000-0x0000000004C91000-memory.dmp

Filesize
4KB

Download
memory/3312-134-0x0000000005580000-0x0000000005612000-memory.dmp

Filesize
584KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads