Malware Analysis Report

2025-08-10 22:50

Sample ID 240108-etjqaaahcj
Target 4a68fda291581b91ef1b75893087dd08
SHA256 86519701b3ca3206d80200bd34376b6a8571cc630fdc6812d7ed0adee8679b45
Tags
rat asyncrat
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

86519701b3ca3206d80200bd34376b6a8571cc630fdc6812d7ed0adee8679b45

Threat Level: Known bad

The file 4a68fda291581b91ef1b75893087dd08 was found to be: Known bad.

Malicious Activity Summary

rat asyncrat

Family: AsyncRAT, an open-source .NET remote access trojan. The static scan and both detonations tag the file as an "Async RAT payload".

Persistence and execution
Creates scheduled task(s): schtasks.exe /create, task name OneDriveStandaloneAPIMethod, daily with a one-minute repeat interval (see the Processes sections below)
Executes dropped EXE: the sample copies itself to C:\Users\Admin\AppData\Roaming\Microsoft APIMethod\OneDriveStandaloneAPIMethod.exe and starts the copy from a temporary .bat
Loads dropped DLL (behavioral1 only, attributed to cmd.exe)
Deletes itself (behavioral1 only, attributed to cmd.exe; consistent with the temporary .bat removing itself once the copy is running)

Evasion
Delays execution with timeout.exe: "timeout 4" runs between the copy and the relaunch
Unsigned PE

Suspicious API use
AdjustPrivilegeToken: the submitted sample and the dropped copy both enable SeDebugPrivilege
WriteProcessMemory: parent-to-child writes into schtasks.exe, cmd.exe, timeout.exe and the dropped copy; every pair is a parent and the child it created, so this is process creation, not injection into a foreign process
AddClipboardFormatListener: the dropped copy registers for clipboard-change notifications
EnumeratesProcesses: dozens of process enumerations by the sample and, in behavioral2, by the dropped copy as well

MITRE ATT&CK

Enterprise Matrix V15

Technique mapping derived from the signatures and process trees in this report (an editor's mapping, not one produced by the sandbox):

T1059.003 Command and Scripting Interpreter: Windows Command Shell. cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpXXXX.tmp.bat"" (tmp7DF6 in behavioral1, tmp7947 in behavioral2)
T1053.005 Scheduled Task/Job: Scheduled Task. schtasks.exe /create /tn OneDriveStandaloneAPIMethod ... /sc daily /ri 1 /f ("Creates scheduled task(s)")
T1036.005 Masquerading: Match Legitimate Name or Location. Task name and install folder imitate OneDrive naming (inferred from the names; not a sandbox signature)
T1497.003 Virtualization/Sandbox Evasion: Time Based Evasion. timeout 4 ("Delays execution with timeout.exe"); a four-second wait is too short to outlast a sandbox, so here it is mostly the pause in the copy-and-relaunch routine
T1070.004 Indicator Removal: File Deletion. "Deletes itself" (behavioral1)
T1057 Process Discovery. "EnumeratesProcesses"
T1115 Clipboard Data. "AddClipboardFormatListener"
T1571 Non-Standard Port. TCP 6606, 7707 and 8808
S1087 AsyncRAT. Software entry for the family

Analysis: static1

Detonation Overview

Reported: 2024-01-08 04:13

Signatures

Async RAT payload (rat)
Asyncrat family (asyncrat)
Unsigned PE

The static pass records no indicator, process or target for these hits (every table cell is N/A): they are signature matches on the file itself, not observed behaviour.

Analysis: behavioral1

Detonation Overview

Submitted: 2024-01-08 04:13
Reported: 2024-01-08 04:16
Platform: win7-20231215-en
Max time kernel: 105s
Max time network: 125s

Command Line

"C:\Users\Admin\AppData\Local\Temp\4a68fda291581b91ef1b75893087dd08.exe"

Signatures

AsyncRat (rat asyncrat)

Async RAT payload (rat)
6 hits; no indicator, process or target recorded

Deletes itself
Process: C:\Windows\SysWOW64\cmd.exe

Executes dropped EXE
Process: C:\Users\Admin\AppData\Roaming\Microsoft APIMethod\OneDriveStandaloneAPIMethod.exe

Loads dropped DLL
Process: C:\Windows\SysWOW64\cmd.exe

Creates scheduled task(s) (persistence)
Process: C:\Windows\SysWOW64\schtasks.exe

Delays execution with timeout.exe (evasion)
Process: C:\Windows\SysWOW64\timeout.exe

Suspicious behavior: AddClipboardFormatListener
Process: C:\Users\Admin\AppData\Roaming\Microsoft APIMethod\OneDriveStandaloneAPIMethod.exe

Suspicious behavior: EnumeratesProcesses
64 hits, all from C:\Users\Admin\AppData\Local\Temp\4a68fda291581b91ef1b75893087dd08.exe; no indicator or target recorded

Suspicious use of AdjustPrivilegeToken
Token: SeDebugPrivilege, process C:\Users\Admin\AppData\Local\Temp\4a68fda291581b91ef1b75893087dd08.exe
Token: SeDebugPrivilege, process C:\Users\Admin\AppData\Roaming\Microsoft APIMethod\OneDriveStandaloneAPIMethod.exe

Suspicious use of WriteProcessMemory
Writer PID and image -> target PID and image (hits)
1656 C:\Users\Admin\AppData\Local\Temp\4a68fda291581b91ef1b75893087dd08.exe -> 2380 C:\Windows\SysWOW64\schtasks.exe (4)
1656 C:\Users\Admin\AppData\Local\Temp\4a68fda291581b91ef1b75893087dd08.exe -> 1816 C:\Windows\SysWOW64\cmd.exe (4)
1816 C:\Windows\SysWOW64\cmd.exe -> 2596 C:\Users\Admin\AppData\Roaming\Microsoft APIMethod\OneDriveStandaloneAPIMethod.exe (4)
1816 C:\Windows\SysWOW64\cmd.exe -> 2636 C:\Windows\SysWOW64\timeout.exe (4)

Every writer/target pair above is a parent and the child it spawned (compare the Processes section). CreateProcess writes into the new child's address space as part of setting it up, so the sandbox raises this signature on ordinary process creation; there is no write into a process the sample did not start, and the rows are not evidence of process injection. The stronger indicators in this group are SeDebugPrivilege being enabled by both the sample and its copy (if the token actually holds the privilege it lets the RAT open other processes regardless of their DACLs) together with the repeated process enumeration.

Processes

Process tree (PIDs taken from the WriteProcessMemory rows; indentation shows parent/child):

1656 C:\Users\Admin\AppData\Local\Temp\4a68fda291581b91ef1b75893087dd08.exe
  "C:\Users\Admin\AppData\Local\Temp\4a68fda291581b91ef1b75893087dd08.exe"
  2380 C:\Windows\SysWOW64\schtasks.exe
    "schtasks.exe" /create /tn OneDriveStandaloneAPIMethod /tr "C:\Users\Admin\AppData\Roaming\Microsoft APIMethod\OneDriveStandaloneAPIMethod.exe" /st 04:19 /du 23:59 /sc daily /ri 1 /f
  1816 C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp7DF6.tmp.bat""
    2636 C:\Windows\SysWOW64\timeout.exe
      timeout 4
    2596 C:\Users\Admin\AppData\Roaming\Microsoft APIMethod\OneDriveStandaloneAPIMethod.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft APIMethod\OneDriveStandaloneAPIMethod.exe"

Reading the scheduled task: /sc daily /st 04:19 fires once a day at 04:19, and /ri 1 /du 23:59 repeats the action every minute for the rest of that day, so the /tr binary is effectively re-run every minute and a killed RAT is back within 60 seconds. /f overwrites any existing task of the same name without prompting. The start time is about six minutes after submission (04:13), which suggests it is computed from the local clock at install time. The task name and the "Microsoft APIMethod" folder borrow OneDrive naming; the real per-user OneDrive client installs under %LOCALAPPDATA%\Microsoft\OneDrive, not under a Roaming folder of that name. This task form also differs from the stock AsyncRAT installer, which uses /sc onlogon /rl highest when elevated and an HKCU Run value otherwise, so this build carries a modified persistence routine.

The cmd.exe branch is the copy-then-relaunch step. The sandbox does not reproduce the batch contents (only its hashes appear under Files), but its children (timeout 4, then the copy under %APPDATA%) and the "Deletes itself" hit on cmd.exe match the stock AsyncRAT installer batch, which sleeps with timeout, starts the copy with START and then DELs its own file; the stock batch waits 3 seconds, this one 4.
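The chain above as a detection, written by the editor as an added example (it is not code from the sandbox or from the AsyncRAT project). RECORDS is constructed from the process tree in this section, with PIDs taken from the WriteProcessMemory rows; the record fields pid/ppid/image/cmdline and the sample's parent PID 1000 are assumptions, loosely modelled on Sysmon Event ID 1. The code parses the schtasks command line into its switches, scores why the task looks like persistence rather than admin work, and finds the cmd.exe-plus-temporary-.bat branch whose children are timeout.exe and an executable under AppData.

```python
"""Flag the copy-then-persist chain from process-creation records.

Editor's example, not code from the sandbox or from AsyncRAT. RECORDS is built
from the behavioral1 Processes section (PIDs from the WriteProcessMemory rows).
The fields pid/ppid/image/cmdline and the sample's parent PID 1000 are assumed,
loosely modelled on Sysmon Event ID 1."""
import re
from collections import defaultdict

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\4a68fda291581b91ef1b75893087dd08.exe"
COPY = r"C:\Users\Admin\AppData\Roaming\Microsoft APIMethod\OneDriveStandaloneAPIMethod.exe"
RECORDS = [  # constructed from the report; ppid 1000 for the sample is assumed
    {"pid": 1656, "ppid": 1000, "image": SAMPLE, "cmdline": f'"{SAMPLE}"'},
    {"pid": 2380, "ppid": 1656, "image": r"C:\Windows\SysWOW64\schtasks.exe",
     "cmdline": f'"schtasks.exe" /create /tn OneDriveStandaloneAPIMethod /tr "{COPY}" '
                "/st 04:19 /du 23:59 /sc daily /ri 1 /f"},
    {"pid": 1816, "ppid": 1656, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r'cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp7DF6.tmp.bat""'},
    {"pid": 2636, "ppid": 1816, "image": r"C:\Windows\SysWOW64\timeout.exe", "cmdline": "timeout 4"},
    {"pid": 2596, "ppid": 1816, "image": COPY, "cmdline": f'"{COPY}"'},
]

USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\AppData\\", re.I)
SYSTEM_DIRS = re.compile(r"\\(Program Files( \(x86\))?|Windows)\\", re.I)
# Product names attackers borrow to make a task look legitimate (editor's list, not exhaustive).
BORROWED_NAMES = ("onedrive", "microsoft", "windows", "office", "defender", "update")


def tokenize(cmdline):
    """Split a Windows command line on whitespace, keeping double-quoted spans whole."""
    return [t[1:-1] if len(t) >= 2 and t[0] == t[-1] == '"' else t
            for t in re.findall(r'"[^"]*"|\S+', cmdline)]


def parse_schtasks(cmdline):
    """Return {switch: value-or-True} for a schtasks command line, or None if it is not one."""
    toks = tokenize(cmdline)
    if not toks:
        return None
    head = toks[0].lower()
    if head != "schtasks" and not head.endswith("schtasks.exe"):
        return None
    opts, i = {}, 1
    while i < len(toks):
        if toks[i].startswith("/"):
            key = toks[i].lower()
            if i + 1 < len(toks) and not toks[i + 1].startswith("/"):
                opts[key], i = toks[i + 1], i + 2   # switch with a value
                continue
            opts[key] = True                         # bare switch such as /f
        i += 1
    return opts


def schtasks_findings(opts):
    """Reasons a /create command looks like malware persistence rather than admin work."""
    findings = []
    if not opts or "/create" not in opts:
        return findings
    tn, tr = str(opts.get("/tn", "")), str(opts.get("/tr", ""))
    if USER_WRITABLE.search(tr):
        findings.append("action runs a binary under a user-writable AppData path")
    ri = str(opts.get("/ri", ""))
    if str(opts.get("/sc", "")).lower() == "daily" and ri.isdigit() and int(ri) <= 5:
        findings.append(f"repeats every {ri} min for {opts.get('/du', '?')}: relaunches the payload if it is killed")
    if "/f" in opts:
        findings.append("/f silently overwrites an existing task of the same name")
    if any(n in tn.lower() for n in BORROWED_NAMES) and not SYSTEM_DIRS.search(tr):
        findings.append("Microsoft-sounding task name but the binary lives outside Program Files/Windows")
    return findings


def install_chain(records):
    """cmd.exe /c <...\\Temp\\*.bat> whose children are timeout.exe plus an EXE under AppData."""
    children = defaultdict(list)
    for r in records:
        children[r["ppid"]].append(r)
    hits = []
    for r in records:
        if not r["image"].lower().endswith("\\cmd.exe"):
            continue
        m = re.search(r'/c\s+"*([^"]+\.bat)"*', r["cmdline"], re.I)
        if not m or "\\temp\\" not in m.group(1).lower():
            continue
        kids = children[r["pid"]]
        delay = next((k for k in kids if k["image"].lower().endswith("\\timeout.exe")), None)
        payload = next((k for k in kids if USER_WRITABLE.search(k["image"])), None)
        if delay and payload:
            hits.append({"bat": m.group(1), "cmd_pid": r["pid"], "parent_pid": r["ppid"],
                         "delay": delay["cmdline"], "payload": payload["image"], "payload_pid": payload["pid"]})
    return hits


if __name__ == "__main__":
    for r in RECORDS:
        for f in schtasks_findings(parse_schtasks(r["cmdline"])):
            print(f"pid {r['pid']}: {f}")
    for h in install_chain(RECORDS):
        print(f"install chain: {h['parent_pid']} -> cmd {h['cmd_pid']} ({h['bat']}) -> "
              f"{h['delay']!r}, then {h['payload']} as pid {h['payload_pid']}")
```

The same functions apply unchanged to the behavioral2 tree: the Win10 command line names C:\Windows\system32\cmd.exe but the recorded image is still SysWOW64\cmd.exe, which is why the chain check keys on the image rather than on the command-line text.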

Network

Country Destination Domain Proto
N/A 192.168.50.195:8808 tcp
N/A 192.168.50.195:8808 tcp
N/A 127.0.0.1:7707 tcp
N/A 127.0.0.1:6606 tcp

No DNS is issued: the C2 list is hard-coded as IP addresses. 6606, 7707 and 8808 are the port list that ships in the AsyncRAT builder and 127.0.0.1 is its default host, so this build kept the defaults and added a single LAN address, 192.168.50.195. A private address is unreachable from the sandbox (and from any victim outside that network), which is why no C2 session is established and nothing beyond the install routine is observed. For hunting, the usable network indicator is an outbound TCP connection to 6606, 7707 or 8808 from a process under %APPDATA%; the 192.168.50.195 address is only meaningful inside whatever lab or victim LAN the operator had in mind.

Files

Dump names follow memory/<pid>-<n>-<start>-<end>-memory.dmp; the regions are grouped here by address range with the dump numbers that hit them.

Memory dumps, PID 1656 (the submitted sample)
0x0000000000BF0000-0x0000000000C76000 (0x86000 bytes, almost certainly the main image): dump 0
0x0000000074340000-0x0000000074A2E000 (0x6EE000 bytes, mapped at the same address in both processes, consistent with a shared runtime DLL; AsyncRAT is a .NET program): dumps 1, 8, 38
0x00000000046F0000-0x0000000004730000: dumps 2, 3, 4, 11, 12, 14, 36
0x0000000005150000-0x0000000005250000: dumps 5, 6, 7, 9, 10, 13, 15-27

C:\Users\Admin\AppData\Local\Temp\tmp7DF6.tmp.bat
MD5 cb35875d3d49c494749f608f47da1bf1
SHA1 9b4e639846585e18f4e2c05a5908c2715aa821cc
SHA256 574fe40c0b16f2a7d8d6443a8c5ff2041f4301c2dc38c77799a07b10f351acc2
SHA512 1609c69e4e0467352220195775dc950a485a0c96d01bf49367b3c212cca1ed6892874bc857b9012dbf520a3a0b606943835a0bc77f51acf7a247cd7ffdf82702

C:\Users\Admin\AppData\Roaming\Microsoft APIMethod\OneDriveStandaloneAPIMethod.exe (first capture)
MD5 f2b7c86c43e9c59111495b8eb32b4814
SHA1 acd449da5b483e81085235d1bf241d91bc176f3c
SHA256 0624fda5f1c610ee12fd2283945ab37429a9d9231786e80a690cb34f015d0bba
SHA512 c2714080b8431eb748418cc90375c67726056559e909330718a830ac0aeb9a600cd309508ad3796b93119407a258600cbec993993ad6e5745fbec10167bc9d90

C:\Users\Admin\AppData\Roaming\Microsoft APIMethod\OneDriveStandaloneAPIMethod.exe (second capture)
MD5 9bf60399eb6ada763a09879fe0e1ac0b
SHA1 55b70806e9351f717bd3c1db17de8cc3d53d9197
SHA256 441c8b2f9a3d9b3357842aee281987fae602ee1608f71636cf1e0631190bdb07
SHA512 ad54d64d8c516c6079ccf4eb5d6e860a1a73a30b55952990a6cc8117bd0847408db824edb3755d499880d50685ae568a3596ddc51ed2ad55c7a6c4978f5ceb9d

\Users\Admin\AppData\Roaming\Microsoft APIMethod\OneDriveStandaloneAPIMethod.exe (third capture, recorded without a drive letter)
MD5 5e164d85341071c0a70af45a457448db
SHA1 bf12ba1e64e15861f7f703ca5ab2479ffe61b87e
SHA256 787a33c6062ef21a4ba06781848e98de5851ca9466387ddefd93d194426a2b43
SHA512 59759db62bc8267530ff8912e831870ca5c034f197dc9ec7bde0eb75555730d688ca5488fd6e701ceca3675fa1efe8f41625baa24d0153295254f13b082b5ae9

Memory dumps, PID 2596 (the dropped copy)
0x0000000000F60000-0x0000000000FE6000 (0x86000 bytes, the same image size as in PID 1656): dump 43
0x0000000074340000-0x0000000074A2E000: dumps 42, 54
0x0000000004C40000-0x0000000004C80000: dumps 44, 45, 46, 56, 57
0x00000000053D0000-0x00000000054D0000: dumps 47-53, 55, 58-75

Three different hash sets for one path, none equal to the submitted file (SHA256 86519701b3ca3206d80200bd34376b6a8571cc630fdc6812d7ed0adee8679b45), are best explained by the sandbox hashing the file while it was still being written: the AsyncRAT installer copies the running executable to the install path, and the identical main-image size in both processes supports that reading. Use the install path, the task name and the C2 ports as indicators rather than these hashes. The .bat hash is likewise run-specific (the batch names its own randomly generated file, and behavioral1 and behavioral2 produced different hashes for it).

Analysis: behavioral2

Detonation Overview

Submitted: 2024-01-08 04:13
Reported: 2024-01-08 04:16
Platform: win10v2004-20231215-en
Max time kernel: 150s
Max time network: 151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\4a68fda291581b91ef1b75893087dd08.exe"

Signatures

AsyncRat (rat asyncrat)

Async RAT payload (rat)
3 hits; no indicator, process or target recorded

Executes dropped EXE
Process: C:\Users\Admin\AppData\Roaming\Microsoft APIMethod\OneDriveStandaloneAPIMethod.exe

Creates scheduled task(s) (persistence)
Process: C:\Windows\SysWOW64\schtasks.exe

Delays execution with timeout.exe (evasion)
Process: C:\Windows\SysWOW64\timeout.exe

Suspicious behavior: AddClipboardFormatListener
Process: C:\Users\Admin\AppData\Roaming\Microsoft APIMethod\OneDriveStandaloneAPIMethod.exe

Suspicious behavior: EnumeratesProcesses
50 hits from C:\Users\Admin\AppData\Local\Temp\4a68fda291581b91ef1b75893087dd08.exe
14 hits from C:\Users\Admin\AppData\Roaming\Microsoft APIMethod\OneDriveStandaloneAPIMethod.exe
No indicator or target recorded for any of them.

Suspicious use of AdjustPrivilegeToken
Token: SeDebugPrivilege, process C:\Users\Admin\AppData\Local\Temp\4a68fda291581b91ef1b75893087dd08.exe
Token: SeDebugPrivilege, process C:\Users\Admin\AppData\Roaming\Microsoft APIMethod\OneDriveStandaloneAPIMethod.exe

Suspicious use of WriteProcessMemory
Writer PID and image -> target PID and image (hits)
4304 C:\Users\Admin\AppData\Local\Temp\4a68fda291581b91ef1b75893087dd08.exe -> 4456 C:\Windows\SysWOW64\schtasks.exe (3)
4304 C:\Users\Admin\AppData\Local\Temp\4a68fda291581b91ef1b75893087dd08.exe -> 4708 C:\Windows\SysWOW64\cmd.exe (3)
4708 C:\Windows\SysWOW64\cmd.exe -> 1616 C:\Users\Admin\AppData\Roaming\Microsoft APIMethod\OneDriveStandaloneAPIMethod.exe (3)
4708 C:\Windows\SysWOW64\cmd.exe -> 3112 C:\Windows\SysWOW64\timeout.exe (3)

As in behavioral1, every writer/target pair is a parent and the child it created, so these rows record process creation rather than injection. Differences from the Win7 run: "Deletes itself" and "Loads dropped DLL" did not fire here, and the dropped copy, not only the sample, enumerates processes; the persistence and C2 behaviour is otherwise identical.

Processes

Process tree (PIDs taken from the WriteProcessMemory rows; indentation shows parent/child):

4304 C:\Users\Admin\AppData\Local\Temp\4a68fda291581b91ef1b75893087dd08.exe
  "C:\Users\Admin\AppData\Local\Temp\4a68fda291581b91ef1b75893087dd08.exe"
  4456 C:\Windows\SysWOW64\schtasks.exe
    "schtasks.exe" /create /tn OneDriveStandaloneAPIMethod /tr "C:\Users\Admin\AppData\Roaming\Microsoft APIMethod\OneDriveStandaloneAPIMethod.exe" /st 04:19 /du 23:59 /sc daily /ri 1 /f
  4708 C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp7947.tmp.bat""
    1616 C:\Users\Admin\AppData\Roaming\Microsoft APIMethod\OneDriveStandaloneAPIMethod.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft APIMethod\OneDriveStandaloneAPIMethod.exe"
    3112 C:\Windows\SysWOW64\timeout.exe
      timeout 4

The chain is the same as in behavioral1 (see that section for a reading of the schtasks switches), with two details worth noting. The cmd.exe command line names C:\Windows\system32\cmd.exe while the recorded image is C:\Windows\SysWOW64\cmd.exe: the sample is a 32-bit process, so WOW64 file-system redirection maps its system32 reference to SysWOW64, and any detection keyed on the literal image path must allow for both. The task start time is again /st 04:19, six minutes after submission in both runs, which supports the reading that it is derived from the local clock at install time rather than fixed in the binary.

Network

Country Destination Domain Proto

Connections made by the sample, in the order recorded:
N/A 127.0.0.1:6606 tcp
N/A 192.168.50.195:7707 tcp
N/A 127.0.0.1:7707 tcp
N/A 192.168.50.195:8808 tcp
N/A 127.0.0.1:6606 tcp

Background traffic of the Windows 10 image (Bing/Start-menu traffic and reverse lookups of Microsoft and CDN addresses), which the sandbox records in the same table but which is not attributable to the sample:
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.200:443 g.bing.com tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp (5 connections)
US 8.8.8.8:53 udp, 27 reverse (PTR) lookups, in order: 85.177.190.20, 59.128.231.4, 0.205.248.87, 95.221.229.192, 200.197.79.204, 88.156.103.20, 9.228.82.20, 146.78.124.51, 183.59.114.20, 41.110.16.96, 158.240.127.40, 15.164.165.52, 140.71.91.104, 81.171.91.138, 104.241.123.92, 119.110.54.20, 176.178.17.96, 240.221.184.93, 180.178.17.96, 24.134.221.88, 0.204.248.87, 205.47.74.20, 30.243.111.52, 174.178.17.96, 198.187.3.20, 42.134.221.88, 134.71.91.104 (each as <reversed address>.in-addr.arpa)

The five sample connections repeat the behavioral1 pattern: hosts {127.0.0.1, 192.168.50.195} combined with ports {6606, 7707, 8808}, the AsyncRAT defaults plus one LAN address, tried in varying host/port combinations as the client reconnects. The sandbox does not record the originating process in this table, so whether a flow belongs to the sample has to be judged from destination and port; the Bing connections and the PTR queries are what an idle Win10 image produces on its own and should not be carried into an IOC list.

Files

Dump names follow memory/<pid>-<n>-<start>-<end>-memory.dmp; the regions are grouped here by address range with the dump numbers that hit them.

Memory dumps, PID 4304 (the submitted sample)
0x0000000074910000-0x00000000750C0000 (0x7B0000 bytes; the shared module, at a different base than on Win7): dumps 0, 9, 15
0x0000000000410000-0x0000000000496000 (0x86000 bytes, the main image, same size as in behavioral1): dump 1
0x00000000054A0000-0x0000000005A44000: dump 2
0x0000000004EF0000-0x0000000004F82000: dump 3
0x0000000005250000-0x0000000005260000: dumps 4-8

C:\Users\Admin\AppData\Local\Temp\tmp7947.tmp.bat
MD5 5646ffca9010fadeea65508fc0557edd
SHA1 a4325bc8b7ca669d83a0173a750643125541d834
SHA256 68b44af97ee56aee4140dfdbbead2be90ac79578fe9d7576d5b4a0ca34143891
SHA512 30488a46bde56da0195de8b07d832d206ef6fd9b06565680a62ad723c87b43eb876888b73f59a16e3a8da688d11275ef9311ff7b40a67df13feb19f4a838d8b9

C:\Users\Admin\AppData\Roaming\Microsoft APIMethod\OneDriveStandaloneAPIMethod.exe (first capture)
MD5 5bad497a650b57df343a8cc83d8d57d7
SHA1 99771baf8d1fb0b0240e9ffcf12072c86e9ae8fd
SHA256 2b0d55b46ce45dc7dd72e4fd2b8b865631176287d61e4a2605dc639fd094e38d
SHA512 0e5cc01aa02c25beddd1e8539052bb23ea858654157a56c5edc6301be8b8569b0040e70d57e1a108ce3b85b2ef2d22691992a4198b9d884b30cf1aa17bf2d536

C:\Users\Admin\AppData\Roaming\Microsoft APIMethod\OneDriveStandaloneAPIMethod.exe (second capture)
MD5 cb01007b07d95b1afe254e4d3accea10
SHA1 d451fe4bb32783bbe3f0f3d265785e580fc76b98
SHA256 ee7934efa11464f331c0af599a0d758ca773432183c38cc0ac5a4b4a56c536ac
SHA512 935808305b980b4c41e3cdd51631cd1f44964dd3b0709716f956b75f39604193029bfc8443579eb426ba66c5f053e10b69d45f66e15ee69088431c6c535dd2f4

Memory dumps, PID 1616 (the dropped copy)
0x0000000074910000-0x00000000750C0000: dumps 19, 27
0x00000000053E0000-0x00000000053F0000: dumps 20, 21, 23-26, 28-34
0x00000000060A0000-0x00000000060AA000: dump 22
0x0000000006AA0000-0x0000000006BA0000: dumps 35, 36

The dropped-file hashes differ from those in behavioral1 and from each other, and none matches the submitted file; as in behavioral1, this is consistent with the file being hashed mid-write during the self-copy. The .bat hash differs between the two runs because the batch embeds its own randomly generated file name. Hunt on the install path, the task name and the C2 ports instead.