asyncrat | bbd275db0ec38e99c088654b042b682c428ba644969ef08f1d9657052f9b1393

Analysis

max time kernel
149s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
04-07-2022 18:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0x0009000000008527-56.exe
Size

64KB
MD5

c75c0d8d46633692c979eb6fbd26094e
SHA1

b3945681b32a90f00ef2fd2af2eb4f5d4208c75d
SHA256

bbd275db0ec38e99c088654b042b682c428ba644969ef08f1d9657052f9b1393
SHA512

5d4ecd6c3fee2cf25cdfc4c6abbb389b261016b805ab1f6c4f0918143df6b02f0647d6ba87b1169ef0040ea9afd0dd22ce2612e2600b48e6dd9ffd7be99a1067

Score

10^/10

asyncrat xmrig linkvertise a miner rat suricata

Malware Config

Extracted

Family

asyncrat

Version

true

Botnet

Linkvertise A

Mutex

RRAT_6SI8OkPnk

Attributes

delay
3
install
false
install_folder
Explorer.exe

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers.
rat asyncrat
suricata: ET MALWARE Generic AsyncRAT Style SSL Cert
suricata: ET MALWARE Generic AsyncRAT Style SSL Cert
suricata
suricata: ET MALWARE Observed Malicious SSL Cert (AsyncRAT Server)
suricata: ET MALWARE Observed Malicious SSL Cert (AsyncRAT Server)
suricata
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Async RAT payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/2388-130-0x0000000000570000-0x0000000000586000-memory.dmp	asyncrat
C:\Users\Admin\AppData\Roaming\Explorer.exe	asyncrat
C:\Users\Admin\AppData\Roaming\Explorer.exe	asyncrat

XMRig Miner Payload 6 IoCs

miner

Processes:

resource	yara_rule
behavioral2/memory/3136-184-0x0000000140000000-0x0000000140809000-memory.dmp	xmrig
behavioral2/memory/3136-185-0x000000014036EAC4-mapping.dmp	xmrig
behavioral2/memory/3136-188-0x0000000140000000-0x0000000140809000-memory.dmp	xmrig
behavioral2/memory/3136-190-0x0000000140000000-0x0000000140809000-memory.dmp	xmrig
behavioral2/memory/3136-192-0x0000000140000000-0x0000000140809000-memory.dmp	xmrig
behavioral2/memory/3136-195-0x0000000140000000-0x0000000140809000-memory.dmp	xmrig

Drops file in Drivers directory 2 IoCs

Processes:

uufani.exeupdater.exe

description	ioc	process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	uufani.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	updater.exe

Executes dropped EXE 3 IoCs

Processes:

Explorer.exeuufani.exeupdater.exe

pid process

2668 Explorer.exe
1572 uufani.exe
4692 updater.exe

pid	process
2668	Explorer.exe
1572	uufani.exe
4692	updater.exe

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

updater.exe0x0009000000008527-56.exeExplorer.exeuufani.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	updater.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	0x0009000000008527-56.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	Explorer.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	uufani.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Suspicious use of SetThreadContext 1 IoCs

Processes:

updater.exe

description pid process target process

PID 4692 set thread context of 3136 4692 updater.exe explorer.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

3956 schtasks.exe
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

1100 timeout.exe

description	pid	process	target process
PID 4692 set thread context of 3136	4692	updater.exe	explorer.exe

pid	process
3956	schtasks.exe

pid	process
1100	timeout.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

0x0009000000008527-56.exepowershell.exeExplorer.exeuufani.exepowershell.exeupdater.exeexplorer.exe

pid	process
2388	0x0009000000008527-56.exe
2388	0x0009000000008527-56.exe
2388	0x0009000000008527-56.exe
2388	0x0009000000008527-56.exe
2388	0x0009000000008527-56.exe
2388	0x0009000000008527-56.exe
2388	0x0009000000008527-56.exe
2388	0x0009000000008527-56.exe
2388	0x0009000000008527-56.exe
2388	0x0009000000008527-56.exe
2388	0x0009000000008527-56.exe
2388	0x0009000000008527-56.exe
2388	0x0009000000008527-56.exe
2388	0x0009000000008527-56.exe
2388	0x0009000000008527-56.exe
2388	0x0009000000008527-56.exe
2388	0x0009000000008527-56.exe
2388	0x0009000000008527-56.exe
2388	0x0009000000008527-56.exe
2388	0x0009000000008527-56.exe
2388	0x0009000000008527-56.exe
2388	0x0009000000008527-56.exe
2388	0x0009000000008527-56.exe
3872	powershell.exe
2668	Explorer.exe
3872	powershell.exe
1572	uufani.exe
116	powershell.exe
116	powershell.exe
4692	updater.exe
3136	explorer.exe
3136	explorer.exe
3136	explorer.exe
3136	explorer.exe
3136	explorer.exe
3136	explorer.exe
3136	explorer.exe
3136	explorer.exe
3136	explorer.exe
3136	explorer.exe
3136	explorer.exe
3136	explorer.exe
3136	explorer.exe
3136	explorer.exe
3136	explorer.exe
3136	explorer.exe
3136	explorer.exe
3136	explorer.exe
3136	explorer.exe
3136	explorer.exe
3136	explorer.exe
3136	explorer.exe
3136	explorer.exe
3136	explorer.exe
3136	explorer.exe
3136	explorer.exe
3136	explorer.exe
3136	explorer.exe
3136	explorer.exe
3136	explorer.exe
3136	explorer.exe
3136	explorer.exe
3136	explorer.exe
3136	explorer.exe

Suspicious behavior: LoadsDriver 1 IoCs

Processes:

pid process

656

pid	process
656

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

0x0009000000008527-56.exeExplorer.exepowershell.exeuufani.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	2388	0x0009000000008527-56.exe
Token: SeDebugPrivilege	2668	Explorer.exe
Token: SeDebugPrivilege	3872	powershell.exe
Token: SeDebugPrivilege	1572	uufani.exe
Token: SeShutdownPrivilege	2512	powercfg.exe
Token: SeCreatePagefilePrivilege	2512	powercfg.exe
Token: SeShutdownPrivilege	3304	powercfg.exe
Token: SeCreatePagefilePrivilege	3304	powercfg.exe
Token: SeShutdownPrivilege	2748	powercfg.exe
Token: SeCreatePagefilePrivilege	2748	powercfg.exe
Token: SeShutdownPrivilege	4448	powercfg.exe
Token: SeCreatePagefilePrivilege	4448	powercfg.exe
Token: SeDebugPrivilege	116	powershell.exe
Token: SeIncreaseQuotaPrivilege	116	powershell.exe
Token: SeSecurityPrivilege	116	powershell.exe
Token: SeTakeOwnershipPrivilege	116	powershell.exe
Token: SeLoadDriverPrivilege	116	powershell.exe
Token: SeSystemProfilePrivilege	116	powershell.exe
Token: SeSystemtimePrivilege	116	powershell.exe
Token: SeProfSingleProcessPrivilege	116	powershell.exe
Token: SeIncBasePriorityPrivilege	116	powershell.exe
Token: SeCreatePagefilePrivilege	116	powershell.exe
Token: SeBackupPrivilege	116	powershell.exe
Token: SeRestorePrivilege	116	powershell.exe
Token: SeShutdownPrivilege	116	powershell.exe
Token: SeDebugPrivilege	116	powershell.exe
Token: SeSystemEnvironmentPrivilege	116	powershell.exe
Token: SeRemoteShutdownPrivilege	116	powershell.exe
Token: SeUndockPrivilege	116	powershell.exe
Token: SeManageVolumePrivilege	116	powershell.exe
Token: 33	116	powershell.exe
Token: 34	116	powershell.exe
Token: 35	116	powershell.exe
Token: 36	116	powershell.exe
Token: SeIncreaseQuotaPrivilege	116	powershell.exe
Token: SeSecurityPrivilege	116	powershell.exe
Token: SeTakeOwnershipPrivilege	116	powershell.exe
Token: SeLoadDriverPrivilege	116	powershell.exe
Token: SeSystemProfilePrivilege	116	powershell.exe
Token: SeSystemtimePrivilege	116	powershell.exe
Token: SeProfSingleProcessPrivilege	116	powershell.exe
Token: SeIncBasePriorityPrivilege	116	powershell.exe
Token: SeCreatePagefilePrivilege	116	powershell.exe
Token: SeBackupPrivilege	116	powershell.exe
Token: SeRestorePrivilege	116	powershell.exe
Token: SeShutdownPrivilege	116	powershell.exe
Token: SeDebugPrivilege	116	powershell.exe
Token: SeSystemEnvironmentPrivilege	116	powershell.exe
Token: SeRemoteShutdownPrivilege	116	powershell.exe
Token: SeUndockPrivilege	116	powershell.exe
Token: SeManageVolumePrivilege	116	powershell.exe
Token: 33	116	powershell.exe
Token: 34	116	powershell.exe
Token: 35	116	powershell.exe
Token: 36	116	powershell.exe
Token: SeIncreaseQuotaPrivilege	116	powershell.exe
Token: SeSecurityPrivilege	116	powershell.exe
Token: SeTakeOwnershipPrivilege	116	powershell.exe
Token: SeLoadDriverPrivilege	116	powershell.exe
Token: SeSystemProfilePrivilege	116	powershell.exe
Token: SeSystemtimePrivilege	116	powershell.exe
Token: SeProfSingleProcessPrivilege	116	powershell.exe
Token: SeIncBasePriorityPrivilege	116	powershell.exe
Token: SeCreatePagefilePrivilege	116	powershell.exe

Suspicious use of FindShellTrayWindow 52 IoCs

Processes:

explorer.exe

pid	process
3136	explorer.exe
3136	explorer.exe
3136	explorer.exe
3136	explorer.exe
3136	explorer.exe
3136	explorer.exe
3136	explorer.exe
3136	explorer.exe
3136	explorer.exe
3136	explorer.exe
3136	explorer.exe
3136	explorer.exe
3136	explorer.exe
3136	explorer.exe
3136	explorer.exe
3136	explorer.exe
3136	explorer.exe
3136	explorer.exe
3136	explorer.exe
3136	explorer.exe
3136	explorer.exe
3136	explorer.exe
3136	explorer.exe
3136	explorer.exe
3136	explorer.exe
3136	explorer.exe
3136	explorer.exe
3136	explorer.exe
3136	explorer.exe
3136	explorer.exe
3136	explorer.exe
3136	explorer.exe
3136	explorer.exe
3136	explorer.exe
3136	explorer.exe
3136	explorer.exe
3136	explorer.exe
3136	explorer.exe
3136	explorer.exe
3136	explorer.exe
3136	explorer.exe
3136	explorer.exe
3136	explorer.exe
3136	explorer.exe
3136	explorer.exe
3136	explorer.exe
3136	explorer.exe
3136	explorer.exe
3136	explorer.exe
3136	explorer.exe
3136	explorer.exe
3136	explorer.exe

Suspicious use of SendNotifyMessage 52 IoCs

Processes:

explorer.exe

pid	process
3136	explorer.exe
3136	explorer.exe
3136	explorer.exe
3136	explorer.exe
3136	explorer.exe
3136	explorer.exe
3136	explorer.exe
3136	explorer.exe
3136	explorer.exe
3136	explorer.exe
3136	explorer.exe
3136	explorer.exe
3136	explorer.exe
3136	explorer.exe
3136	explorer.exe
3136	explorer.exe
3136	explorer.exe
3136	explorer.exe
3136	explorer.exe
3136	explorer.exe
3136	explorer.exe
3136	explorer.exe
3136	explorer.exe
3136	explorer.exe
3136	explorer.exe
3136	explorer.exe
3136	explorer.exe
3136	explorer.exe
3136	explorer.exe
3136	explorer.exe
3136	explorer.exe
3136	explorer.exe
3136	explorer.exe
3136	explorer.exe
3136	explorer.exe
3136	explorer.exe
3136	explorer.exe
3136	explorer.exe
3136	explorer.exe
3136	explorer.exe
3136	explorer.exe
3136	explorer.exe
3136	explorer.exe
3136	explorer.exe
3136	explorer.exe
3136	explorer.exe
3136	explorer.exe
3136	explorer.exe
3136	explorer.exe
3136	explorer.exe
3136	explorer.exe
3136	explorer.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

0x0009000000008527-56.execmd.execmd.exeExplorer.execmd.exepowershell.exeuufani.execmd.execmd.exeupdater.execmd.exe

description	pid	process	target process
PID 2388 wrote to memory of 808	2388	0x0009000000008527-56.exe	cmd.exe
PID 2388 wrote to memory of 808	2388	0x0009000000008527-56.exe	cmd.exe
PID 2388 wrote to memory of 808	2388	0x0009000000008527-56.exe	cmd.exe
PID 2388 wrote to memory of 3388	2388	0x0009000000008527-56.exe	cmd.exe
PID 2388 wrote to memory of 3388	2388	0x0009000000008527-56.exe	cmd.exe
PID 2388 wrote to memory of 3388	2388	0x0009000000008527-56.exe	cmd.exe
PID 808 wrote to memory of 3956	808	cmd.exe	schtasks.exe
PID 808 wrote to memory of 3956	808	cmd.exe	schtasks.exe
PID 808 wrote to memory of 3956	808	cmd.exe	schtasks.exe
PID 3388 wrote to memory of 1100	3388	cmd.exe	timeout.exe
PID 3388 wrote to memory of 1100	3388	cmd.exe	timeout.exe
PID 3388 wrote to memory of 1100	3388	cmd.exe	timeout.exe
PID 3388 wrote to memory of 2668	3388	cmd.exe	Explorer.exe
PID 3388 wrote to memory of 2668	3388	cmd.exe	Explorer.exe
PID 3388 wrote to memory of 2668	3388	cmd.exe	Explorer.exe
PID 2668 wrote to memory of 5068	2668	Explorer.exe	cmd.exe
PID 2668 wrote to memory of 5068	2668	Explorer.exe	cmd.exe
PID 2668 wrote to memory of 5068	2668	Explorer.exe	cmd.exe
PID 5068 wrote to memory of 3872	5068	cmd.exe	powershell.exe
PID 5068 wrote to memory of 3872	5068	cmd.exe	powershell.exe
PID 5068 wrote to memory of 3872	5068	cmd.exe	powershell.exe
PID 3872 wrote to memory of 1572	3872	powershell.exe	uufani.exe
PID 3872 wrote to memory of 1572	3872	powershell.exe	uufani.exe
PID 1572 wrote to memory of 2296	1572	uufani.exe	cmd.exe
PID 1572 wrote to memory of 2296	1572	uufani.exe	cmd.exe
PID 2296 wrote to memory of 2512	2296	cmd.exe	powercfg.exe
PID 2296 wrote to memory of 2512	2296	cmd.exe	powercfg.exe
PID 2296 wrote to memory of 3304	2296	cmd.exe	powercfg.exe
PID 2296 wrote to memory of 3304	2296	cmd.exe	powercfg.exe
PID 2296 wrote to memory of 2748	2296	cmd.exe	powercfg.exe
PID 2296 wrote to memory of 2748	2296	cmd.exe	powercfg.exe
PID 2296 wrote to memory of 4448	2296	cmd.exe	powercfg.exe
PID 2296 wrote to memory of 4448	2296	cmd.exe	powercfg.exe
PID 1572 wrote to memory of 116	1572	uufani.exe	powershell.exe
PID 1572 wrote to memory of 116	1572	uufani.exe	powershell.exe
PID 1572 wrote to memory of 2596	1572	uufani.exe	cmd.exe
PID 1572 wrote to memory of 2596	1572	uufani.exe	cmd.exe
PID 2596 wrote to memory of 4616	2596	cmd.exe	choice.exe
PID 2596 wrote to memory of 4616	2596	cmd.exe	choice.exe
PID 4692 wrote to memory of 2720	4692	updater.exe	cmd.exe
PID 4692 wrote to memory of 2720	4692	updater.exe	cmd.exe
PID 2720 wrote to memory of 2356	2720	cmd.exe	powercfg.exe
PID 2720 wrote to memory of 2356	2720	cmd.exe	powercfg.exe
PID 2720 wrote to memory of 1440	2720	cmd.exe	powercfg.exe
PID 2720 wrote to memory of 1440	2720	cmd.exe	powercfg.exe
PID 4692 wrote to memory of 3324	4692	updater.exe	conhost.exe
PID 4692 wrote to memory of 3324	4692	updater.exe	conhost.exe
PID 4692 wrote to memory of 3324	4692	updater.exe	conhost.exe
PID 2720 wrote to memory of 3392	2720	cmd.exe	powercfg.exe
PID 2720 wrote to memory of 3392	2720	cmd.exe	powercfg.exe
PID 2720 wrote to memory of 2664	2720	cmd.exe	powercfg.exe
PID 2720 wrote to memory of 2664	2720	cmd.exe	powercfg.exe
PID 4692 wrote to memory of 3136	4692	updater.exe	explorer.exe
PID 4692 wrote to memory of 3136	4692	updater.exe	explorer.exe
PID 4692 wrote to memory of 3136	4692	updater.exe	explorer.exe
PID 4692 wrote to memory of 3136	4692	updater.exe	explorer.exe
PID 4692 wrote to memory of 3136	4692	updater.exe	explorer.exe
PID 4692 wrote to memory of 3136	4692	updater.exe	explorer.exe
PID 4692 wrote to memory of 3136	4692	updater.exe	explorer.exe
PID 4692 wrote to memory of 3136	4692	updater.exe	explorer.exe
PID 4692 wrote to memory of 3136	4692	updater.exe	explorer.exe
PID 4692 wrote to memory of 3136	4692	updater.exe	explorer.exe
PID 4692 wrote to memory of 3136	4692	updater.exe	explorer.exe
PID 4692 wrote to memory of 3136	4692	updater.exe	explorer.exe

C:\Users\Admin\AppData\Local\Temp\0x0009000000008527-56.exe
"C:\Users\Admin\AppData\Local\Temp\0x0009000000008527-56.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2388

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Explorer" /tr '"C:\Users\Admin\AppData\Roaming\Explorer.exe"' & exit
2⤵
- Suspicious use of WriteProcessMemory
PID:808

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "Explorer" /tr '"C:\Users\Admin\AppData\Roaming\Explorer.exe"'
3⤵
- Creates scheduled task(s)
PID:3956

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp8830.tmp.bat""
2⤵
- Suspicious use of WriteProcessMemory
PID:3388

C:\Windows\SysWOW64\timeout.exe
timeout 3
3⤵
- Delays execution with timeout.exe
PID:1100

C:\Users\Admin\AppData\Roaming\Explorer.exe
"C:\Users\Admin\AppData\Roaming\Explorer.exe"
3⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2668

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c start /b powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\uufani.exe"' & exit
4⤵
- Suspicious use of WriteProcessMemory
PID:5068

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\uufani.exe"'
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3872

C:\Users\Admin\AppData\Local\Temp\uufani.exe
"C:\Users\Admin\AppData\Local\Temp\uufani.exe"
6⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1572

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
7⤵
- Suspicious use of WriteProcessMemory
PID:2296

C:\Windows\system32\powercfg.exe
powercfg /x -hibernate-timeout-ac 0
8⤵
- Suspicious use of AdjustPrivilegeToken
PID:2512

C:\Windows\system32\powercfg.exe
powercfg /x -hibernate-timeout-dc 0
8⤵
- Suspicious use of AdjustPrivilegeToken
PID:3304

C:\Windows\system32\powercfg.exe
powercfg /x -standby-timeout-ac 0
8⤵
- Suspicious use of AdjustPrivilegeToken
PID:2748

C:\Windows\system32\powercfg.exe
powercfg /x -standby-timeout-dc 0
8⤵
- Suspicious use of AdjustPrivilegeToken
PID:4448

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AawBuACMAPgAgAFIAZQBnAGkAcwB0AGUAcgAtAFMAYwBoAGUAZAB1AGwAZQBkAFQAYQBzAGsAIAAtAEEAYwB0AGkAbwBuACAAKABOAGUAdwAtAFMAYwBoAGUAZAB1AGwAZQBkAFQAYQBzAGsAQQBjAHQAaQBvAG4AIAAtAEUAeABlAGMAdQB0AGUAIAAnACIAQwA6AFwAVQBzAGUAcgBzAFwAQQBkAG0AaQBuAFwAQQBwAHAARABhAHQAYQBcAFIAbwBhAG0AaQBuAGcAXABHAG8AbwBnAGwAZQBcAEMAaAByAG8AbQBlAFwAdQBwAGQAYQB0AGUAcgAuAGUAeABlACIAJwApACAAPAAjAHUAYgAjAD4AIAAtAFQAcgBpAGcAZwBlAHIAIAAoAE4AZQB3AC0AUwBjAGgAZQBkAHUAbABlAGQAVABhAHMAawBUAHIAaQBnAGcAZQByACAALQBBAHQATABvAGcATwBuACkAIAA8ACMAYQBuACMAPgAgAC0AUwBlAHQAdABpAG4AZwBzACAAKABOAGUAdwAtAFMAYwBoAGUAZAB1AGwAZQBkAFQAYQBzAGsAUwBlAHQAdABpAG4AZwBzAFMAZQB0ACAALQBBAGwAbABvAHcAUwB0AGEAcgB0AEkAZgBPAG4AQgBhAHQAdABlAHIAaQBlAHMAIAAtAEQAaQBzAGEAbABsAG8AdwBIAGEAcgBkAFQAZQByAG0AaQBuAGEAdABlACAALQBEAG8AbgB0AFMAdABvAHAASQBmAEcAbwBpAG4AZwBPAG4AQgBhAHQAdABlAHIAaQBlAHMAIAAtAEQAbwBuAHQAUwB0AG8AcABPAG4ASQBkAGwAZQBFAG4AZAAgAC0ARQB4AGUAYwB1AHQAaQBvAG4AVABpAG0AZQBMAGkAbQBpAHQAIAAoAE4AZQB3AC0AVABpAG0AZQBTAHAAYQBuACAALQBEAGEAeQBzACAAMQAwADAAMAApACkAIAA8ACMAcABjAHAAYQAjAD4AIAAtAFQAYQBzAGsATgBhAG0AZQAgACcARwBvAG8AZwBsAGUAVQBwAGQAYQB0AGUAVABhAHMAawBNAGEAYwBoAGkAbgBlAFEAQwAnACAAIAAtAFIAdQBuAEwAZQB2AGUAbAAgACcASABpAGcAaABlAHMAdAAnACAALQBGAG8AcgBjAGUAIAA8ACMAaQBvAGkAbgAjAD4AOwAgAEMAbwBwAHkALQBJAHQAZQBtACAAJwBDADoAXABVAHMAZQByAHMAXABBAGQAbQBpAG4AXABBAHAAcABEAGEAdABhAFwATABvAGMAYQBsAFwAVABlAG0AcABcAHUAdQBmAGEAbgBpAC4AZQB4AGUAJwAgAC0ARABlAHMAdABpAG4AYQB0AGkAbwBuACAAJwBDADoAXABVAHMAZQByAHMAXABBAGQAbQBpAG4AXABBAHAAcABEAGEAdABhAFwAUgBvAGEAbQBpAG4AZwBcAEcAbwBvAGcAbABlAFwAQwBoAHIAbwBtAGUAXAB1AHAAZABhAHQAZQByAC4AZQB4AGUAJwAgAC0ARgBvAHIAYwBlACAAPAAjAHQAdwAjAD4AOwAgAFMAdABhAHIAdAAtAFMAYwBoAGUAZAB1AGwAZQBkAFQAYQBzAGsAIAA8ACMAcgBnACMAPgAgAC0AVABhAHMAawBOAGEAbQBlACAAJwBHAG8AbwBnAGwAZQBVAHAAZABhAHQAZQBUAGEAcwBrAE0AYQBjAGgAaQBuAGUAUQBDACcAOwA="
7⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:116

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\uufani.exe"
7⤵
- Suspicious use of WriteProcessMemory
PID:2596

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
8⤵
PID:4616

C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe
C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe
1⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4692

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
2⤵
- Suspicious use of WriteProcessMemory
PID:2720

C:\Windows\system32\powercfg.exe
powercfg /x -hibernate-timeout-ac 0
3⤵
PID:2356

C:\Windows\system32\powercfg.exe
powercfg /x -hibernate-timeout-dc 0
3⤵
PID:1440

C:\Windows\system32\powercfg.exe
powercfg /x -standby-timeout-ac 0
3⤵
PID:3392

C:\Windows\system32\powercfg.exe
powercfg /x -standby-timeout-dc 0
3⤵
PID:2664

C:\Windows\System32\conhost.exe
C:\Windows\System32\conhost.exe "dggflaynvupj"
2⤵
PID:3324

C:\Windows\explorer.exe
C:\Windows\explorer.exe iaksldfjay0 6E3sjfZq2rJQaxvLPmXgsAaJL0DB0Mzj1hMFCmTULB1n9LKJbqR3eVDuPucevfH0b+OPIvkK2Xyez82evvYGdcDpLl7Y66K6fxf6jfs4VGo3ULwYEVRHZvjLiXSITyhyphzcH9wfrjUtJScs0gscUFkeL2zRe6Hgg/WeyJqRunq35vECVFMq1WYi79T7a9OKv63MNmu8FG6+Qpuz7I3zqyU+nSC30poDPmP3SJI4wTieDZbNX+dDx0QqoemoKQ27N096XA8oSOcO03I8W7hX3u14mAeQMpwlIsC/foEE1yBwV8MTK1Bm0vfU6+F+pfHyf+iW+tYbh1ONx0STw3ukkWeroVrIDCya/y2xfhhQkYEw7xdcDGf0vUV5cXTufNNT4Cv4AHxLbFhgUAu3s4CbmsDvAR1Ajz4q35X12QfsaFwLTXsjStOYGEmlponKU4ml
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3136

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
15KB

MD5
cc814b12d3cb3a2870ae6987400e9e01

SHA1
66c10257fe425aff694b55b580c526f8f18401ba

SHA256
f032422597fc2b53bd5aacbb7ab1e270281743e649eff91c867f7db023c257b9

SHA512
f0daf377e7867ff4db342be917de2c8a03eea22933182c7ac60d2c3620f1ff6b794c92bc9b0d0322fbc0fec97f88f0f423bcc7f25e53e4074da681e7539f69ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp8830.tmp.bat
Filesize
152B

MD5
ed2ecae4e488c6e62947d45068e62505

SHA1
2981fcdcabdae9df37384cf35fa432cb7993d9a1

SHA256
fef1a5a552667a7a52591fac1a0bf91afa1ca8509c0d9e25135f028989212081

SHA512
1c9ff343436620d64d2d0b9c92494b77e07c416d1c59e78d49ba229ee706c91f14092c675e15948b962c2c56fddff7312e60a1211c9b843d01e6e1ad2dd5d82e

Download Submit
C:\Users\Admin\AppData\Local\Temp\uufani.exe
Filesize
4.1MB

MD5
85003917e913d597b23b45905f42834e

SHA1
62182aa2983dbc8653d7dd8639daf40f2e381c30

SHA256
427c9eb0e789ed6175fb3127d61a551785f2e09b3d2672f253600b66e3b76a4e

SHA512
ebdb5f9a819adea1c29057930ca47187120e207d155831dcab7ab9f816e1c992a14698f4e068d57edf23d66ed746eeb1e60fc623ed2174c116ba1fde2ef9dd48

Download Submit
C:\Users\Admin\AppData\Local\Temp\uufani.exe
Filesize
4.1MB

MD5
85003917e913d597b23b45905f42834e

SHA1
62182aa2983dbc8653d7dd8639daf40f2e381c30

SHA256
427c9eb0e789ed6175fb3127d61a551785f2e09b3d2672f253600b66e3b76a4e

SHA512
ebdb5f9a819adea1c29057930ca47187120e207d155831dcab7ab9f816e1c992a14698f4e068d57edf23d66ed746eeb1e60fc623ed2174c116ba1fde2ef9dd48

Download Submit
C:\Users\Admin\AppData\Roaming\Explorer.exe
Filesize
64KB

MD5
c75c0d8d46633692c979eb6fbd26094e

SHA1
b3945681b32a90f00ef2fd2af2eb4f5d4208c75d

SHA256
bbd275db0ec38e99c088654b042b682c428ba644969ef08f1d9657052f9b1393

SHA512
5d4ecd6c3fee2cf25cdfc4c6abbb389b261016b805ab1f6c4f0918143df6b02f0647d6ba87b1169ef0040ea9afd0dd22ce2612e2600b48e6dd9ffd7be99a1067

Download Submit
C:\Users\Admin\AppData\Roaming\Explorer.exe
Filesize
64KB

MD5
c75c0d8d46633692c979eb6fbd26094e

SHA1
b3945681b32a90f00ef2fd2af2eb4f5d4208c75d

SHA256
bbd275db0ec38e99c088654b042b682c428ba644969ef08f1d9657052f9b1393

SHA512
5d4ecd6c3fee2cf25cdfc4c6abbb389b261016b805ab1f6c4f0918143df6b02f0647d6ba87b1169ef0040ea9afd0dd22ce2612e2600b48e6dd9ffd7be99a1067

Download Submit
C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe
Filesize
4.1MB

MD5
85003917e913d597b23b45905f42834e

SHA1
62182aa2983dbc8653d7dd8639daf40f2e381c30

SHA256
427c9eb0e789ed6175fb3127d61a551785f2e09b3d2672f253600b66e3b76a4e

SHA512
ebdb5f9a819adea1c29057930ca47187120e207d155831dcab7ab9f816e1c992a14698f4e068d57edf23d66ed746eeb1e60fc623ed2174c116ba1fde2ef9dd48

Download Submit
C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe
Filesize
4.1MB

MD5
85003917e913d597b23b45905f42834e

SHA1
62182aa2983dbc8653d7dd8639daf40f2e381c30

SHA256
427c9eb0e789ed6175fb3127d61a551785f2e09b3d2672f253600b66e3b76a4e

SHA512
ebdb5f9a819adea1c29057930ca47187120e207d155831dcab7ab9f816e1c992a14698f4e068d57edf23d66ed746eeb1e60fc623ed2174c116ba1fde2ef9dd48

Download Submit
C:\Windows\system32\drivers\etc\hosts
Filesize
892B

MD5
ffe7c3baa6bda096898ad55fc2274b4f

SHA1
810e398f090b4536d46e397c85548eea39f37f10

SHA256
6f22705db77b5bbe26ad059bc3ba99f3837e18ed53b8dadbe32fbbabdf9337f1

SHA512
81af4ce85a0f9f483ca43c5ca2d73cbd714f4a6716ddd8dba25c6a01b2310710bf131e7650f6a9785bef83497c7994ea29d907c47627d6c776e7e5e108f9c34a

Download Submit
memory/116-171-0x00007FFB0FDC0000-0x00007FFB10881000-memory.dmp

Filesize
10.8MB

Download
memory/116-168-0x00007FFB0FDC0000-0x00007FFB10881000-memory.dmp

Filesize
10.8MB

Download
memory/116-166-0x0000023945C80000-0x0000023945CA2000-memory.dmp

Filesize
136KB

Download
memory/116-165-0x0000000000000000-mapping.dmp

Download
memory/808-132-0x0000000000000000-mapping.dmp

Download
memory/1100-136-0x0000000000000000-mapping.dmp

Download
memory/1440-180-0x0000000000000000-mapping.dmp

Download
memory/1572-155-0x0000000000000000-mapping.dmp

Download
memory/1572-174-0x00007FFB0FDC0000-0x00007FFB10881000-memory.dmp

Filesize
10.8MB

Download
memory/1572-159-0x00007FFB0FDC0000-0x00007FFB10881000-memory.dmp

Filesize
10.8MB

Download
memory/1572-158-0x00007FFB0FDC0000-0x00007FFB10881000-memory.dmp

Filesize
10.8MB

Download
memory/1572-157-0x0000000000590000-0x00000000009AC000-memory.dmp

Filesize
4.1MB

Download
memory/2296-160-0x0000000000000000-mapping.dmp

Download
memory/2356-179-0x0000000000000000-mapping.dmp

Download
memory/2388-130-0x0000000000570000-0x0000000000586000-memory.dmp

Filesize
88KB

Download
memory/2388-131-0x0000000005900000-0x000000000599C000-memory.dmp

Filesize
624KB

Download
memory/2512-161-0x0000000000000000-mapping.dmp

Download
memory/2596-172-0x0000000000000000-mapping.dmp

Download
memory/2664-183-0x0000000000000000-mapping.dmp

Download
memory/2668-137-0x0000000000000000-mapping.dmp

Download
memory/2668-140-0x00000000064B0000-0x0000000006A54000-memory.dmp

Filesize
5.6MB

Download
memory/2668-143-0x0000000007C00000-0x0000000007C1E000-memory.dmp

Filesize
120KB

Download
memory/2668-141-0x0000000005E70000-0x0000000005ED6000-memory.dmp

Filesize
408KB

Download
memory/2668-142-0x0000000007C60000-0x0000000007CD6000-memory.dmp

Filesize
472KB

Download
memory/2720-177-0x0000000000000000-mapping.dmp

Download
memory/2748-163-0x0000000000000000-mapping.dmp

Download
memory/3136-195-0x0000000140000000-0x0000000140809000-memory.dmp

Filesize
8.0MB

Download
memory/3136-188-0x0000000140000000-0x0000000140809000-memory.dmp

Filesize
8.0MB

Download
memory/3136-196-0x00000000027D0000-0x00000000027F0000-memory.dmp

Filesize
128KB

Download
memory/3136-193-0x00000000025D0000-0x0000000002610000-memory.dmp

Filesize
256KB

Download
memory/3136-197-0x00000000027D0000-0x00000000027F0000-memory.dmp

Filesize
128KB

Download
memory/3136-192-0x0000000140000000-0x0000000140809000-memory.dmp

Filesize
8.0MB

Download
memory/3136-185-0x000000014036EAC4-mapping.dmp

Download
memory/3136-184-0x0000000140000000-0x0000000140809000-memory.dmp

Filesize
8.0MB

Download
memory/3136-191-0x00000000008E0000-0x0000000000900000-memory.dmp

Filesize
128KB

Download
memory/3136-190-0x0000000140000000-0x0000000140809000-memory.dmp

Filesize
8.0MB

Download
memory/3304-162-0x0000000000000000-mapping.dmp

Download
memory/3324-194-0x00007FFB0FDC0000-0x00007FFB10881000-memory.dmp

Filesize
10.8MB

Download
memory/3324-189-0x00007FFB0FDC0000-0x00007FFB10881000-memory.dmp

Filesize
10.8MB

Download
memory/3324-187-0x00000170D5FA0000-0x00000170D5FA7000-memory.dmp

Filesize
28KB

Download
memory/3388-133-0x0000000000000000-mapping.dmp

Download
memory/3392-182-0x0000000000000000-mapping.dmp

Download
memory/3872-147-0x00000000057B0000-0x0000000005DD8000-memory.dmp

Filesize
6.2MB

Download
memory/3872-152-0x0000000006AE0000-0x0000000006AFA000-memory.dmp

Filesize
104KB

Download
memory/3872-151-0x0000000006B60000-0x0000000006BF6000-memory.dmp

Filesize
600KB

Download
memory/3872-150-0x0000000006600000-0x000000000661E000-memory.dmp

Filesize
120KB

Download
memory/3872-145-0x0000000000000000-mapping.dmp

Download
memory/3872-153-0x0000000006B30000-0x0000000006B52000-memory.dmp

Filesize
136KB

Download
memory/3872-149-0x0000000006040000-0x00000000060A6000-memory.dmp

Filesize
408KB

Download
memory/3872-146-0x0000000002CD0000-0x0000000002D06000-memory.dmp

Filesize
216KB

Download
memory/3872-148-0x0000000005E90000-0x0000000005EB2000-memory.dmp

Filesize
136KB

Download
memory/3956-134-0x0000000000000000-mapping.dmp

Download
memory/4448-164-0x0000000000000000-mapping.dmp

Download
memory/4616-173-0x0000000000000000-mapping.dmp

Download
memory/4692-176-0x00007FFB0FDC0000-0x00007FFB10881000-memory.dmp

Filesize
10.8MB

Download
memory/4692-181-0x0000000000E60000-0x0000000000E72000-memory.dmp

Filesize
72KB

Download
memory/4692-175-0x00007FFB0FDC0000-0x00007FFB10881000-memory.dmp

Filesize
10.8MB

Download
memory/4692-186-0x00007FFB0FDC0000-0x00007FFB10881000-memory.dmp

Filesize
10.8MB

Download
memory/5068-144-0x0000000000000000-mapping.dmp

Download