asyncrat | 373834225a126abde8256049e073b8e07bd06c7563f929783f441a1a63a88d1b

General

Target

Image_Of_Victim.exe
Size

1.9MB
MD5

f1878e41af327064496e57f50d35395d
SHA1

b426d39e6928556a2b58d9147c3254b8fa6009a4
SHA256

373834225a126abde8256049e073b8e07bd06c7563f929783f441a1a63a88d1b
SHA512

ff28bbd0f3c7b04ba93f024d356cee092f14c3040b968ebae31bdd9116ed8762aadcec3ac3af3e06238a787ef87b5031d29acf708640c52ac80f55fdfcd89fdd
SSDEEP

49152:C5IoVKMQfTCFbMmHI6jduMG+XtbNztOsrStQ0pDWa:C5IoAMQfIr++dpztpStFJ

Score

10^/10

asyncrat venom clients collection rat spyware stealer

Malware Config

Extracted

Family

asyncrat

Version

5.0.5

Botnet

Venom Clients

C2

tienMonkey-40774.portmap.io:40774

Mutex

Venom_RAT_HVNC_Mutex_Venom RAT_HVNC

Attributes

delay
1
install
false
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers.
rat asyncrat

Async RAT payload 3 IoCs

rat

Processes:

resource	yara_rule
C:\Client.exe	asyncrat
C:\Client.exe	asyncrat
behavioral1/memory/1804-64-0x0000000000DC0000-0x0000000000DD6000-memory.dmp	asyncrat

Executes dropped EXE 2 IoCs

Processes:

nonono.exeClient.exe

pid process

1344 nonono.exe
1804 Client.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

nonono.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	nonono.exe
Key opened	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	nonono.exe
Key opened	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	nonono.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

7 ip-api.com
11 icanhazip.com
Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

flow	ioc
7	ip-api.com
11	icanhazip.com

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

nonono.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	nonono.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	nonono.exe

Modifies system certificate store 2 TTPs 6 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

nonono.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	nonono.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	nonono.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 0f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c1320000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	nonono.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 1900000001000000100000006cf252fec3e8f20996de5d4dd9aef424030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131d00000001000000100000004558d512eecb27464920897de7b66053140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc41560858910090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000001e000000440053005400200052006f006f00740020004300410020005800330000000f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d20000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	nonono.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	nonono.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	nonono.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

nonono.exe

pid	process
1344	nonono.exe
1344	nonono.exe
1344	nonono.exe
1344	nonono.exe
1344	nonono.exe
1344	nonono.exe
1344	nonono.exe
1344	nonono.exe
1344	nonono.exe
1344	nonono.exe
1344	nonono.exe
1344	nonono.exe
1344	nonono.exe
1344	nonono.exe
1344	nonono.exe
1344	nonono.exe
1344	nonono.exe
1344	nonono.exe
1344	nonono.exe
1344	nonono.exe
1344	nonono.exe
1344	nonono.exe
1344	nonono.exe
1344	nonono.exe
1344	nonono.exe
1344	nonono.exe
1344	nonono.exe
1344	nonono.exe
1344	nonono.exe
1344	nonono.exe
1344	nonono.exe
1344	nonono.exe
1344	nonono.exe
1344	nonono.exe
1344	nonono.exe
1344	nonono.exe
1344	nonono.exe
1344	nonono.exe
1344	nonono.exe
1344	nonono.exe
1344	nonono.exe
1344	nonono.exe
1344	nonono.exe
1344	nonono.exe
1344	nonono.exe
1344	nonono.exe
1344	nonono.exe
1344	nonono.exe
1344	nonono.exe
1344	nonono.exe
1344	nonono.exe
1344	nonono.exe
1344	nonono.exe
1344	nonono.exe
1344	nonono.exe
1344	nonono.exe
1344	nonono.exe
1344	nonono.exe
1344	nonono.exe
1344	nonono.exe
1344	nonono.exe
1344	nonono.exe
1344	nonono.exe
1344	nonono.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

Client.exenonono.exemsiexec.exe

description	pid	process
Token: SeDebugPrivilege	1804	Client.exe
Token: SeDebugPrivilege	1344	nonono.exe
Token: SeRestorePrivilege	1680	msiexec.exe
Token: SeTakeOwnershipPrivilege	1680	msiexec.exe
Token: SeSecurityPrivilege	1680	msiexec.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

DllHost.exe

pid process

1080 DllHost.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

nonono.exe

pid process

1344 nonono.exe

pid	process
1080	DllHost.exe

Suspicious use of WriteProcessMemory 36 IoCs

Processes:

Image_Of_Victim.exenonono.execmd.execmd.exe

description	pid	process	target process
PID 1720 wrote to memory of 1344	1720	Image_Of_Victim.exe	nonono.exe
PID 1720 wrote to memory of 1344	1720	Image_Of_Victim.exe	nonono.exe
PID 1720 wrote to memory of 1344	1720	Image_Of_Victim.exe	nonono.exe
PID 1720 wrote to memory of 1344	1720	Image_Of_Victim.exe	nonono.exe
PID 1720 wrote to memory of 1804	1720	Image_Of_Victim.exe	Client.exe
PID 1720 wrote to memory of 1804	1720	Image_Of_Victim.exe	Client.exe
PID 1720 wrote to memory of 1804	1720	Image_Of_Victim.exe	Client.exe
PID 1720 wrote to memory of 1804	1720	Image_Of_Victim.exe	Client.exe
PID 1344 wrote to memory of 1992	1344	nonono.exe	cmd.exe
PID 1344 wrote to memory of 1992	1344	nonono.exe	cmd.exe
PID 1344 wrote to memory of 1992	1344	nonono.exe	cmd.exe
PID 1344 wrote to memory of 1992	1344	nonono.exe	cmd.exe
PID 1992 wrote to memory of 1792	1992	cmd.exe	chcp.com
PID 1992 wrote to memory of 1792	1992	cmd.exe	chcp.com
PID 1992 wrote to memory of 1792	1992	cmd.exe	chcp.com
PID 1992 wrote to memory of 1792	1992	cmd.exe	chcp.com
PID 1992 wrote to memory of 1148	1992	cmd.exe	netsh.exe
PID 1992 wrote to memory of 1148	1992	cmd.exe	netsh.exe
PID 1992 wrote to memory of 1148	1992	cmd.exe	netsh.exe
PID 1992 wrote to memory of 1148	1992	cmd.exe	netsh.exe
PID 1992 wrote to memory of 1048	1992	cmd.exe	findstr.exe
PID 1992 wrote to memory of 1048	1992	cmd.exe	findstr.exe
PID 1992 wrote to memory of 1048	1992	cmd.exe	findstr.exe
PID 1992 wrote to memory of 1048	1992	cmd.exe	findstr.exe
PID 1344 wrote to memory of 1132	1344	nonono.exe	cmd.exe
PID 1344 wrote to memory of 1132	1344	nonono.exe	cmd.exe
PID 1344 wrote to memory of 1132	1344	nonono.exe	cmd.exe
PID 1344 wrote to memory of 1132	1344	nonono.exe	cmd.exe
PID 1132 wrote to memory of 1016	1132	cmd.exe	chcp.com
PID 1132 wrote to memory of 1016	1132	cmd.exe	chcp.com
PID 1132 wrote to memory of 1016	1132	cmd.exe	chcp.com
PID 1132 wrote to memory of 1016	1132	cmd.exe	chcp.com
PID 1132 wrote to memory of 660	1132	cmd.exe	netsh.exe
PID 1132 wrote to memory of 660	1132	cmd.exe	netsh.exe
PID 1132 wrote to memory of 660	1132	cmd.exe	netsh.exe
PID 1132 wrote to memory of 660	1132	cmd.exe	netsh.exe

outlook_office_path 1 IoCs

Processes:

nonono.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	nonono.exe

outlook_win_path 1 IoCs

Processes:

nonono.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	nonono.exe

C:\Users\Admin\AppData\Local\Temp\Image_Of_Victim.exe
"C:\Users\Admin\AppData\Local\Temp\Image_Of_Victim.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1720

C:\nonono.exe
"C:\nonono.exe"
2⤵
- Executes dropped EXE
- Accesses Microsoft Outlook profiles
- Checks processor information in registry
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- outlook_office_path
- outlook_win_path
PID:1344

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
3⤵
- Suspicious use of WriteProcessMemory
PID:1992

C:\Windows\SysWOW64\chcp.com
chcp 65001
4⤵
PID:1792

C:\Windows\SysWOW64\netsh.exe
netsh wlan show profile
4⤵
PID:1148

C:\Windows\SysWOW64\findstr.exe
findstr All
4⤵
PID:1048

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
3⤵
- Suspicious use of WriteProcessMemory
PID:1132

C:\Windows\SysWOW64\chcp.com
chcp 65001
4⤵
PID:1016

C:\Windows\SysWOW64\netsh.exe
netsh wlan show networks mode=bssid
4⤵
PID:660

C:\Client.exe
"C:\Client.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1804

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
1⤵
- Suspicious use of FindShellTrayWindow
PID:1080

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1680

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Install Root Certificate

1

T1130

Modify Registry

1

T1112

Credential Access

Credentials in Files

1

T1081

Discovery

System Information Discovery

2

T1082

Query Registry

1

T1012

Lateral Movement

Collection

Data from Local System

1

T1005

Email Collection

1

T1114

Exfiltration

Command and Control

Web Service

1

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Client.exe
Filesize
63KB

MD5
bf1e0b700f4955c1bf6ff3d5cd010658

SHA1
6919b4a8c0443b02846717e0764e7052b34c00c2

SHA256
ce44ab513606e6ba64fee7a9f5d5cd236b57dc856374578dca043d84e00d8541

SHA512
c6168ee1ceb98c3eca66b6aa1f5503849dc94e357da016dd5a1a6697337a68fc57bc3d4cc83dbdb74b4ed2b959a0b1099c18e93470db53d339bfbe0858b20844

Download Submit
C:\Client.exe
Filesize
63KB

MD5
bf1e0b700f4955c1bf6ff3d5cd010658

SHA1
6919b4a8c0443b02846717e0764e7052b34c00c2

SHA256
ce44ab513606e6ba64fee7a9f5d5cd236b57dc856374578dca043d84e00d8541

SHA512
c6168ee1ceb98c3eca66b6aa1f5503849dc94e357da016dd5a1a6697337a68fc57bc3d4cc83dbdb74b4ed2b959a0b1099c18e93470db53d339bfbe0858b20844

Download Submit
C:\Desktop.jpg
Filesize
162KB

MD5
773ecd18678795d7378e760fee974ca3

SHA1
1fc418f98c9b4c1757c593bc51fc8c6b45bf6d95

SHA256
72a84e420b0db282102471c1a6fff6e87073ed7a4dcc0a83501a91d9eacbf9c9

SHA512
1d58295b00d3e25432f3a9306c214fed927f8da78a5f047fefe054fd21b7fba4eee51f0d526eb543b6f08c1cd080c73e4d9ef56379c7c320a3b69187557d35f8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
Filesize
60KB

MD5
d15aaa7c9be910a9898260767e2490e1

SHA1
2090c53f8d9fc3fbdbafd3a1e4dc25520eb74388

SHA256
f8ebaaf487cba0c81a17c8cd680bdd2dd8e90d2114ecc54844cffc0cc647848e

SHA512
7e1c1a683914b961b5cc2fe5e4ae288b60bab43bfaa21ce4972772aa0589615c19f57e672e1d93e50a7ed7b76fbd2f1b421089dcaed277120b93f8e91b18af94

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
01600f12daf868030f79edba1d3c0c85

SHA1
28019f2fe28cc034e1243fc21d866692b30eb89e

SHA256
ab54827c76de0f1290a48bc7451cd1fde68e6724e21d4d9fae2a0eb4692b7704

SHA512
f791bd06571ee089299022d19cb82e99b836b237d24d5150c66750db1f9aa3452315594fe4909dbc2bb30164f567f6a9d95cd16d0bc4168e4756b1a575cc59a2

Download Submit
C:\nonono.exe
Filesize
1.5MB

MD5
174800448060da1f551c0e234d0337f6

SHA1
5c395ac0840c2abba7e18afa1080b22a8bfc5d12

SHA256
6be7871b1acc611b7703d1c0441e1cefb0024a5cde20bbcf9406fd8296e3b690

SHA512
0ff91582a3d89ba03f76ca845aec9dfd540d17d9f34a5935b71a947e89e716f9cb3af2e8302bad68be48a6644b7ac4812945759134fcf17bc3d196b70d83ca2a

Download Submit
C:\nonono.exe
Filesize
1.5MB

MD5
174800448060da1f551c0e234d0337f6

SHA1
5c395ac0840c2abba7e18afa1080b22a8bfc5d12

SHA256
6be7871b1acc611b7703d1c0441e1cefb0024a5cde20bbcf9406fd8296e3b690

SHA512
0ff91582a3d89ba03f76ca845aec9dfd540d17d9f34a5935b71a947e89e716f9cb3af2e8302bad68be48a6644b7ac4812945759134fcf17bc3d196b70d83ca2a

Download Submit
memory/660-73-0x0000000000000000-mapping.dmp

Download
memory/1016-72-0x0000000000000000-mapping.dmp

Download
memory/1048-69-0x0000000000000000-mapping.dmp

Download
memory/1132-71-0x0000000000000000-mapping.dmp

Download
memory/1148-68-0x0000000000000000-mapping.dmp

Download
memory/1344-59-0x0000000001210000-0x0000000001394000-memory.dmp

Filesize
1.5MB

Download
memory/1344-76-0x0000000004DA5000-0x0000000004DB6000-memory.dmp

Filesize
68KB

Download
memory/1344-77-0x0000000005FE0000-0x000000000605A000-memory.dmp

Filesize
488KB

Download
memory/1344-78-0x0000000005AD0000-0x0000000005B80000-memory.dmp

Filesize
704KB

Download
memory/1344-55-0x0000000000000000-mapping.dmp

Download
memory/1344-81-0x0000000006380000-0x0000000006402000-memory.dmp

Filesize
520KB

Download
memory/1344-82-0x0000000004DA5000-0x0000000004DB6000-memory.dmp

Filesize
68KB

Download
memory/1680-75-0x000007FEFC011000-0x000007FEFC013000-memory.dmp

Filesize
8KB

Download
memory/1720-54-0x00000000757A1000-0x00000000757A3000-memory.dmp

Filesize
8KB

Download
memory/1792-67-0x0000000000000000-mapping.dmp

Download
memory/1804-64-0x0000000000DC0000-0x0000000000DD6000-memory.dmp

Filesize
88KB

Download
memory/1804-60-0x0000000000000000-mapping.dmp

Download
memory/1992-66-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads