asyncrat | 2de5faa16c405e6a3bc14b9d31a82cc389290066b36ed8f0d99d7cd53b1b1d1d

General

Target

2de5faa16c405e6a3bc14b9d31a82cc389290066b36ed8f0d99d7cd53b1b1d1d.exe
Size

679KB
MD5

170ed51ddb22cd75bf0fa4fa2a1bb6c4
SHA1

2e74fd6be27a77a883208db0d09524f15dfa7d00
SHA256

2de5faa16c405e6a3bc14b9d31a82cc389290066b36ed8f0d99d7cd53b1b1d1d
SHA512

ac43b87484e0158b24c5c2a65ca6ab394b0b1bae62b03fb28588749066f04520ac10c6307bb45bf334d18a81c3a2b6ae68107b330e134a273f60e12d1c612865
SSDEEP

12288:ijWQ4W3K9jGCN0TPsnAH7UA51BlkOUCIV/VKMSiyyjK:7AK96jXQA51BCObIVNKMd8

Score

10^/10

asyncrat 2024 rat

Malware Config

Extracted

Family

asyncrat

Version

| Edit 3LOSH RAT

Botnet

2024

C2

rat.loseyourip.com:6606

rat.loseyourip.com:7707

rat.loseyourip.com:8808

Mutex

Async_2024

Attributes

delay
3
install
true
install_file
csrss.exe
install_folder
%Temp%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat

Detect binaries embedding considerable number of cryptocurrency wallet browser extension IDs. 5 IoCs

Processes:

resource	yara_rule
behavioral1/memory/524-23-0x0000000000400000-0x0000000000416000-memory.dmp	INDICATOR_SUSPICIOUS_Binary_Embedded_Crypto_Wallet_Browser_Extension_IDs
behavioral1/memory/524-31-0x0000000000400000-0x0000000000416000-memory.dmp	INDICATOR_SUSPICIOUS_Binary_Embedded_Crypto_Wallet_Browser_Extension_IDs
behavioral1/memory/524-28-0x0000000000400000-0x0000000000416000-memory.dmp	INDICATOR_SUSPICIOUS_Binary_Embedded_Crypto_Wallet_Browser_Extension_IDs
behavioral1/memory/524-26-0x0000000000400000-0x0000000000416000-memory.dmp	INDICATOR_SUSPICIOUS_Binary_Embedded_Crypto_Wallet_Browser_Extension_IDs
behavioral1/memory/524-22-0x0000000000400000-0x0000000000416000-memory.dmp	INDICATOR_SUSPICIOUS_Binary_Embedded_Crypto_Wallet_Browser_Extension_IDs

Detects executables packed with SmartAssembly 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2424-3-0x0000000000600000-0x000000000061C000-memory.dmp	INDICATOR_EXE_Packed_SmartAssembly

Detects file containing reversed ASEP Autorun registry keys 6 IoCs

Processes:

resource	yara_rule
behavioral1/memory/524-23-0x0000000000400000-0x0000000000416000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse
behavioral1/memory/524-31-0x0000000000400000-0x0000000000416000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse
behavioral1/memory/524-28-0x0000000000400000-0x0000000000416000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse
behavioral1/memory/524-26-0x0000000000400000-0x0000000000416000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse
behavioral1/memory/524-22-0x0000000000400000-0x0000000000416000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse
behavioral1/memory/2800-35-0x0000000002250000-0x0000000002290000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse

Executes dropped EXE 1 IoCs

Processes:

csrss.exe

pid process

2888 csrss.exe
Loads dropped DLL 2 IoCs

Processes:

cmd.execsrss.exe

pid process

1764 cmd.exe
2888 csrss.exe

pid	process
2888	csrss.exe

pid	process
1764	cmd.exe
2888	csrss.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

2de5faa16c405e6a3bc14b9d31a82cc389290066b36ed8f0d99d7cd53b1b1d1d.execsrss.exe

description	pid	process	target process
PID 2424 set thread context of 524	2424	2de5faa16c405e6a3bc14b9d31a82cc389290066b36ed8f0d99d7cd53b1b1d1d.exe	2de5faa16c405e6a3bc14b9d31a82cc389290066b36ed8f0d99d7cd53b1b1d1d.exe
PID 2888 set thread context of 1104	2888	csrss.exe	csrss.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exe

pid process

2608 schtasks.exe
2828 schtasks.exe
1264 schtasks.exe
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

2788 timeout.exe

pid	process
2608	schtasks.exe
2828	schtasks.exe
1264	schtasks.exe

pid	process
2788	timeout.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

2de5faa16c405e6a3bc14b9d31a82cc389290066b36ed8f0d99d7cd53b1b1d1d.exepowershell.exepowershell.exe2de5faa16c405e6a3bc14b9d31a82cc389290066b36ed8f0d99d7cd53b1b1d1d.execsrss.exepowershell.exepowershell.exe

pid	process
2424	2de5faa16c405e6a3bc14b9d31a82cc389290066b36ed8f0d99d7cd53b1b1d1d.exe
2424	2de5faa16c405e6a3bc14b9d31a82cc389290066b36ed8f0d99d7cd53b1b1d1d.exe
2424	2de5faa16c405e6a3bc14b9d31a82cc389290066b36ed8f0d99d7cd53b1b1d1d.exe
2424	2de5faa16c405e6a3bc14b9d31a82cc389290066b36ed8f0d99d7cd53b1b1d1d.exe
2424	2de5faa16c405e6a3bc14b9d31a82cc389290066b36ed8f0d99d7cd53b1b1d1d.exe
2424	2de5faa16c405e6a3bc14b9d31a82cc389290066b36ed8f0d99d7cd53b1b1d1d.exe
2424	2de5faa16c405e6a3bc14b9d31a82cc389290066b36ed8f0d99d7cd53b1b1d1d.exe
2424	2de5faa16c405e6a3bc14b9d31a82cc389290066b36ed8f0d99d7cd53b1b1d1d.exe
2424	2de5faa16c405e6a3bc14b9d31a82cc389290066b36ed8f0d99d7cd53b1b1d1d.exe
2424	2de5faa16c405e6a3bc14b9d31a82cc389290066b36ed8f0d99d7cd53b1b1d1d.exe
2800	powershell.exe
2796	powershell.exe
524	2de5faa16c405e6a3bc14b9d31a82cc389290066b36ed8f0d99d7cd53b1b1d1d.exe
524	2de5faa16c405e6a3bc14b9d31a82cc389290066b36ed8f0d99d7cd53b1b1d1d.exe
524	2de5faa16c405e6a3bc14b9d31a82cc389290066b36ed8f0d99d7cd53b1b1d1d.exe
2888	csrss.exe
2888	csrss.exe
2888	csrss.exe
2888	csrss.exe
2888	csrss.exe
2888	csrss.exe
2888	csrss.exe
2888	csrss.exe
2888	csrss.exe
1464	powershell.exe
2760	powershell.exe
2888	csrss.exe
2888	csrss.exe
2888	csrss.exe
2888	csrss.exe
2888	csrss.exe
2888	csrss.exe
2888	csrss.exe
2888	csrss.exe
2888	csrss.exe
2888	csrss.exe
2888	csrss.exe
2888	csrss.exe
2888	csrss.exe
2888	csrss.exe
2888	csrss.exe
2888	csrss.exe
2888	csrss.exe
2888	csrss.exe
2888	csrss.exe
2888	csrss.exe
2888	csrss.exe
2888	csrss.exe
2888	csrss.exe
2888	csrss.exe
2888	csrss.exe
2888	csrss.exe
2888	csrss.exe
2888	csrss.exe
2888	csrss.exe
2888	csrss.exe
2888	csrss.exe
2888	csrss.exe
2888	csrss.exe
2888	csrss.exe
2888	csrss.exe
2888	csrss.exe
2888	csrss.exe
2888	csrss.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

Processes:

2de5faa16c405e6a3bc14b9d31a82cc389290066b36ed8f0d99d7cd53b1b1d1d.exepowershell.exepowershell.exe2de5faa16c405e6a3bc14b9d31a82cc389290066b36ed8f0d99d7cd53b1b1d1d.execsrss.exepowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	2424	2de5faa16c405e6a3bc14b9d31a82cc389290066b36ed8f0d99d7cd53b1b1d1d.exe
Token: SeDebugPrivilege	2796	powershell.exe
Token: SeDebugPrivilege	2800	powershell.exe
Token: SeDebugPrivilege	524	2de5faa16c405e6a3bc14b9d31a82cc389290066b36ed8f0d99d7cd53b1b1d1d.exe
Token: SeDebugPrivilege	2888	csrss.exe
Token: SeDebugPrivilege	1464	powershell.exe
Token: SeDebugPrivilege	2760	powershell.exe

Suspicious use of WriteProcessMemory 62 IoCs

Processes:

2de5faa16c405e6a3bc14b9d31a82cc389290066b36ed8f0d99d7cd53b1b1d1d.exe2de5faa16c405e6a3bc14b9d31a82cc389290066b36ed8f0d99d7cd53b1b1d1d.execmd.execmd.execsrss.exe

description	pid	process	target process
PID 2424 wrote to memory of 2800	2424	2de5faa16c405e6a3bc14b9d31a82cc389290066b36ed8f0d99d7cd53b1b1d1d.exe	powershell.exe
PID 2424 wrote to memory of 2800	2424	2de5faa16c405e6a3bc14b9d31a82cc389290066b36ed8f0d99d7cd53b1b1d1d.exe	powershell.exe
PID 2424 wrote to memory of 2800	2424	2de5faa16c405e6a3bc14b9d31a82cc389290066b36ed8f0d99d7cd53b1b1d1d.exe	powershell.exe
PID 2424 wrote to memory of 2800	2424	2de5faa16c405e6a3bc14b9d31a82cc389290066b36ed8f0d99d7cd53b1b1d1d.exe	powershell.exe
PID 2424 wrote to memory of 2796	2424	2de5faa16c405e6a3bc14b9d31a82cc389290066b36ed8f0d99d7cd53b1b1d1d.exe	powershell.exe
PID 2424 wrote to memory of 2796	2424	2de5faa16c405e6a3bc14b9d31a82cc389290066b36ed8f0d99d7cd53b1b1d1d.exe	powershell.exe
PID 2424 wrote to memory of 2796	2424	2de5faa16c405e6a3bc14b9d31a82cc389290066b36ed8f0d99d7cd53b1b1d1d.exe	powershell.exe
PID 2424 wrote to memory of 2796	2424	2de5faa16c405e6a3bc14b9d31a82cc389290066b36ed8f0d99d7cd53b1b1d1d.exe	powershell.exe
PID 2424 wrote to memory of 2608	2424	2de5faa16c405e6a3bc14b9d31a82cc389290066b36ed8f0d99d7cd53b1b1d1d.exe	schtasks.exe
PID 2424 wrote to memory of 2608	2424	2de5faa16c405e6a3bc14b9d31a82cc389290066b36ed8f0d99d7cd53b1b1d1d.exe	schtasks.exe
PID 2424 wrote to memory of 2608	2424	2de5faa16c405e6a3bc14b9d31a82cc389290066b36ed8f0d99d7cd53b1b1d1d.exe	schtasks.exe
PID 2424 wrote to memory of 2608	2424	2de5faa16c405e6a3bc14b9d31a82cc389290066b36ed8f0d99d7cd53b1b1d1d.exe	schtasks.exe
PID 2424 wrote to memory of 524	2424	2de5faa16c405e6a3bc14b9d31a82cc389290066b36ed8f0d99d7cd53b1b1d1d.exe	2de5faa16c405e6a3bc14b9d31a82cc389290066b36ed8f0d99d7cd53b1b1d1d.exe
PID 2424 wrote to memory of 524	2424	2de5faa16c405e6a3bc14b9d31a82cc389290066b36ed8f0d99d7cd53b1b1d1d.exe	2de5faa16c405e6a3bc14b9d31a82cc389290066b36ed8f0d99d7cd53b1b1d1d.exe
PID 2424 wrote to memory of 524	2424	2de5faa16c405e6a3bc14b9d31a82cc389290066b36ed8f0d99d7cd53b1b1d1d.exe	2de5faa16c405e6a3bc14b9d31a82cc389290066b36ed8f0d99d7cd53b1b1d1d.exe
PID 2424 wrote to memory of 524	2424	2de5faa16c405e6a3bc14b9d31a82cc389290066b36ed8f0d99d7cd53b1b1d1d.exe	2de5faa16c405e6a3bc14b9d31a82cc389290066b36ed8f0d99d7cd53b1b1d1d.exe
PID 2424 wrote to memory of 524	2424	2de5faa16c405e6a3bc14b9d31a82cc389290066b36ed8f0d99d7cd53b1b1d1d.exe	2de5faa16c405e6a3bc14b9d31a82cc389290066b36ed8f0d99d7cd53b1b1d1d.exe
PID 2424 wrote to memory of 524	2424	2de5faa16c405e6a3bc14b9d31a82cc389290066b36ed8f0d99d7cd53b1b1d1d.exe	2de5faa16c405e6a3bc14b9d31a82cc389290066b36ed8f0d99d7cd53b1b1d1d.exe
PID 2424 wrote to memory of 524	2424	2de5faa16c405e6a3bc14b9d31a82cc389290066b36ed8f0d99d7cd53b1b1d1d.exe	2de5faa16c405e6a3bc14b9d31a82cc389290066b36ed8f0d99d7cd53b1b1d1d.exe
PID 2424 wrote to memory of 524	2424	2de5faa16c405e6a3bc14b9d31a82cc389290066b36ed8f0d99d7cd53b1b1d1d.exe	2de5faa16c405e6a3bc14b9d31a82cc389290066b36ed8f0d99d7cd53b1b1d1d.exe
PID 2424 wrote to memory of 524	2424	2de5faa16c405e6a3bc14b9d31a82cc389290066b36ed8f0d99d7cd53b1b1d1d.exe	2de5faa16c405e6a3bc14b9d31a82cc389290066b36ed8f0d99d7cd53b1b1d1d.exe
PID 524 wrote to memory of 1072	524	2de5faa16c405e6a3bc14b9d31a82cc389290066b36ed8f0d99d7cd53b1b1d1d.exe	cmd.exe
PID 524 wrote to memory of 1072	524	2de5faa16c405e6a3bc14b9d31a82cc389290066b36ed8f0d99d7cd53b1b1d1d.exe	cmd.exe
PID 524 wrote to memory of 1072	524	2de5faa16c405e6a3bc14b9d31a82cc389290066b36ed8f0d99d7cd53b1b1d1d.exe	cmd.exe
PID 524 wrote to memory of 1072	524	2de5faa16c405e6a3bc14b9d31a82cc389290066b36ed8f0d99d7cd53b1b1d1d.exe	cmd.exe
PID 524 wrote to memory of 1764	524	2de5faa16c405e6a3bc14b9d31a82cc389290066b36ed8f0d99d7cd53b1b1d1d.exe	cmd.exe
PID 524 wrote to memory of 1764	524	2de5faa16c405e6a3bc14b9d31a82cc389290066b36ed8f0d99d7cd53b1b1d1d.exe	cmd.exe
PID 524 wrote to memory of 1764	524	2de5faa16c405e6a3bc14b9d31a82cc389290066b36ed8f0d99d7cd53b1b1d1d.exe	cmd.exe
PID 524 wrote to memory of 1764	524	2de5faa16c405e6a3bc14b9d31a82cc389290066b36ed8f0d99d7cd53b1b1d1d.exe	cmd.exe
PID 1072 wrote to memory of 2828	1072	cmd.exe	schtasks.exe
PID 1072 wrote to memory of 2828	1072	cmd.exe	schtasks.exe
PID 1072 wrote to memory of 2828	1072	cmd.exe	schtasks.exe
PID 1072 wrote to memory of 2828	1072	cmd.exe	schtasks.exe
PID 1764 wrote to memory of 2788	1764	cmd.exe	timeout.exe
PID 1764 wrote to memory of 2788	1764	cmd.exe	timeout.exe
PID 1764 wrote to memory of 2788	1764	cmd.exe	timeout.exe
PID 1764 wrote to memory of 2788	1764	cmd.exe	timeout.exe
PID 1764 wrote to memory of 2888	1764	cmd.exe	csrss.exe
PID 1764 wrote to memory of 2888	1764	cmd.exe	csrss.exe
PID 1764 wrote to memory of 2888	1764	cmd.exe	csrss.exe
PID 1764 wrote to memory of 2888	1764	cmd.exe	csrss.exe
PID 2888 wrote to memory of 1464	2888	csrss.exe	powershell.exe
PID 2888 wrote to memory of 1464	2888	csrss.exe	powershell.exe
PID 2888 wrote to memory of 1464	2888	csrss.exe	powershell.exe
PID 2888 wrote to memory of 1464	2888	csrss.exe	powershell.exe
PID 2888 wrote to memory of 2760	2888	csrss.exe	powershell.exe
PID 2888 wrote to memory of 2760	2888	csrss.exe	powershell.exe
PID 2888 wrote to memory of 2760	2888	csrss.exe	powershell.exe
PID 2888 wrote to memory of 2760	2888	csrss.exe	powershell.exe
PID 2888 wrote to memory of 1264	2888	csrss.exe	schtasks.exe
PID 2888 wrote to memory of 1264	2888	csrss.exe	schtasks.exe
PID 2888 wrote to memory of 1264	2888	csrss.exe	schtasks.exe
PID 2888 wrote to memory of 1264	2888	csrss.exe	schtasks.exe
PID 2888 wrote to memory of 1104	2888	csrss.exe	csrss.exe
PID 2888 wrote to memory of 1104	2888	csrss.exe	csrss.exe
PID 2888 wrote to memory of 1104	2888	csrss.exe	csrss.exe
PID 2888 wrote to memory of 1104	2888	csrss.exe	csrss.exe
PID 2888 wrote to memory of 1104	2888	csrss.exe	csrss.exe
PID 2888 wrote to memory of 1104	2888	csrss.exe	csrss.exe
PID 2888 wrote to memory of 1104	2888	csrss.exe	csrss.exe
PID 2888 wrote to memory of 1104	2888	csrss.exe	csrss.exe
PID 2888 wrote to memory of 1104	2888	csrss.exe	csrss.exe

C:\Users\Admin\AppData\Local\Temp\2de5faa16c405e6a3bc14b9d31a82cc389290066b36ed8f0d99d7cd53b1b1d1d.exe
"C:\Users\Admin\AppData\Local\Temp\2de5faa16c405e6a3bc14b9d31a82cc389290066b36ed8f0d99d7cd53b1b1d1d.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2424

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\2de5faa16c405e6a3bc14b9d31a82cc389290066b36ed8f0d99d7cd53b1b1d1d.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2800

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\eOmdWxIgIyhoBN.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2796

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\eOmdWxIgIyhoBN" /XML "C:\Users\Admin\AppData\Local\Temp\tmpD98D.tmp"
2⤵
- Creates scheduled task(s)
PID:2608

C:\Users\Admin\AppData\Local\Temp\2de5faa16c405e6a3bc14b9d31a82cc389290066b36ed8f0d99d7cd53b1b1d1d.exe
"C:\Users\Admin\AppData\Local\Temp\2de5faa16c405e6a3bc14b9d31a82cc389290066b36ed8f0d99d7cd53b1b1d1d.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:524

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpEEB2.tmp.bat""
3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1764

C:\Windows\SysWOW64\timeout.exe
timeout 3
4⤵
- Delays execution with timeout.exe
PID:2788

C:\Users\Admin\AppData\Local\Temp\csrss.exe
"C:\Users\Admin\AppData\Local\Temp\csrss.exe"
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2888

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\csrss.exe"
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1464

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\eOmdWxIgIyhoBN.exe"
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2760

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\eOmdWxIgIyhoBN" /XML "C:\Users\Admin\AppData\Local\Temp\tmp673B.tmp"
5⤵
- Creates scheduled task(s)
PID:1264

C:\Users\Admin\AppData\Local\Temp\csrss.exe
"C:\Users\Admin\AppData\Local\Temp\csrss.exe"
5⤵
PID:1104

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "csrss" /tr '"C:\Users\Admin\AppData\Local\Temp\csrss.exe"' & exit
3⤵
- Suspicious use of WriteProcessMemory
PID:1072

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "csrss" /tr '"C:\Users\Admin\AppData\Local\Temp\csrss.exe"'
1⤵
- Creates scheduled task(s)
PID:2828

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\csrss.exe
Filesize
679KB

MD5
170ed51ddb22cd75bf0fa4fa2a1bb6c4

SHA1
2e74fd6be27a77a883208db0d09524f15dfa7d00

SHA256
2de5faa16c405e6a3bc14b9d31a82cc389290066b36ed8f0d99d7cd53b1b1d1d

SHA512
ac43b87484e0158b24c5c2a65ca6ab394b0b1bae62b03fb28588749066f04520ac10c6307bb45bf334d18a81c3a2b6ae68107b330e134a273f60e12d1c612865

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpD98D.tmp
Filesize
1KB

MD5
299a30f0e59fb2788226c6f49d27d752

SHA1
66706d2ebc0abe8b5f2ac094c96401d3e5c16841

SHA256
928faf3baf5051f37187a286a5721f0f6cb452fc6b67f2b65202e41750581620

SHA512
dcff461e53e3ca047bc35ac236795f866f128ee85f613e234cc5b08050032e0b06bea04693d0282513b22fc6729c136a49496d6e1aae2e4dec3d635e0baf7b7a

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpEEB2.tmp.bat
Filesize
152B

MD5
6b20abc43519859c3e4ae50a72d19419

SHA1
b30834ff3b8e04c424e0a4a8252eb91413e049fc

SHA256
b4fc80b4bab41b970cdac43746488f48a58033b5d25d9a4c90e267ac46111b74

SHA512
53c38471a69343d8febf315c3531211041299fbdb088321753e87c9b6c9a000c8c7d345a292b56aad562ce2f85812e9527b9212791aefbf7e86818026ff35dc0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\FQWJ6GLBRRHD4117EV71.temp
Filesize
7KB

MD5
6c4cc926094fcddbaf178cda68743500

SHA1
c56b3cb3fe3376344eb0254361efd2b59e3558b5

SHA256
c6ce0d7d4d8f93389f21f28a527ac9e271e9b95427dbd531798862c5d19ec446

SHA512
ab2ccb7658e82087d34230fb3080b2757ba1f686f833315c18d023bb787c5d1db43cc0f75a647a9ca231134ea566e3ff0c9f7081e83364f4273682ff2e1ffe98

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize
7KB

MD5
6383b8cc0b355516e9402828622a985d

SHA1
1e2bd8647668066fb196e24afd5d63ee80571014

SHA256
9aa7841f86940021b00536eeff89b9fbc1ea04c5d65108f2f1bb6e6084d54e36

SHA512
6dd892b12025c781e0974af8a35d6a28526d2bdd545e9e1aa5c723df3ceb103982b7383d0396822083463e9af7fae85f4674cbd0821ae3004dc19b784edbf262

Download Submit
\??\PIPE\srvsvc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\Users\Admin\AppData\Local\Temp\csrss.exe
Filesize
479KB

MD5
a40f9fcfcfb8b4ea2d446bac3372bfd9

SHA1
8cd08af6b02eed9655baa86c7c2d9d3781c82f64

SHA256
bd44918ce384f7343c8b61d831b626ef8fc41018bd42826092849162f0ce5ddd

SHA512
4cfe31be4d986ac96c028e5342597f834090ee1a55d91dc825bd27eaf6fafd1c1a8005d520d83ddc50ed82b33373e970acc80e59f937fa02178a226a101562d6

Download Submit
memory/524-20-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/524-34-0x0000000074550000-0x0000000074C3E000-memory.dmp

Filesize
6.9MB

Download
memory/524-52-0x0000000074550000-0x0000000074C3E000-memory.dmp

Filesize
6.9MB

Download
memory/524-23-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/524-31-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/524-43-0x00000000005C0000-0x0000000000600000-memory.dmp

Filesize
256KB

Download
memory/524-28-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/524-26-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/524-24-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/524-22-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/524-21-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/1104-91-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1464-87-0x00000000025D0000-0x0000000002610000-memory.dmp

Filesize
256KB

Download
memory/1464-80-0x000000006E7C0000-0x000000006ED6B000-memory.dmp

Filesize
5.7MB

Download
memory/1464-82-0x00000000025D0000-0x0000000002610000-memory.dmp

Filesize
256KB

Download
memory/1464-97-0x000000006E7C0000-0x000000006ED6B000-memory.dmp

Filesize
5.7MB

Download
memory/1464-84-0x000000006E7C0000-0x000000006ED6B000-memory.dmp

Filesize
5.7MB

Download
memory/1464-86-0x00000000025D0000-0x0000000002610000-memory.dmp

Filesize
256KB

Download
memory/2424-4-0x0000000000640000-0x0000000000652000-memory.dmp

Filesize
72KB

Download
memory/2424-0-0x00000000001B0000-0x0000000000260000-memory.dmp

Filesize
704KB

Download
memory/2424-29-0x0000000074550000-0x0000000074C3E000-memory.dmp

Filesize
6.9MB

Download
memory/2424-7-0x0000000001FD0000-0x0000000002010000-memory.dmp

Filesize
256KB

Download
memory/2424-6-0x0000000074550000-0x0000000074C3E000-memory.dmp

Filesize
6.9MB

Download
memory/2424-3-0x0000000000600000-0x000000000061C000-memory.dmp

Filesize
112KB

Download
memory/2424-2-0x0000000001FD0000-0x0000000002010000-memory.dmp

Filesize
256KB

Download
memory/2424-5-0x0000000005140000-0x0000000005198000-memory.dmp

Filesize
352KB

Download
memory/2424-1-0x0000000074550000-0x0000000074C3E000-memory.dmp

Filesize
6.9MB

Download
memory/2760-89-0x0000000002670000-0x00000000026B0000-memory.dmp

Filesize
256KB

Download
memory/2760-92-0x000000006E7C0000-0x000000006ED6B000-memory.dmp

Filesize
5.7MB

Download
memory/2760-93-0x0000000002670000-0x00000000026B0000-memory.dmp

Filesize
256KB

Download
memory/2760-96-0x000000006E7C0000-0x000000006ED6B000-memory.dmp

Filesize
5.7MB

Download
memory/2796-40-0x0000000000430000-0x0000000000470000-memory.dmp

Filesize
256KB

Download
memory/2796-38-0x0000000000430000-0x0000000000470000-memory.dmp

Filesize
256KB

Download
memory/2796-32-0x000000006F4E0000-0x000000006FA8B000-memory.dmp

Filesize
5.7MB

Download
memory/2796-36-0x000000006F4E0000-0x000000006FA8B000-memory.dmp

Filesize
5.7MB

Download
memory/2796-41-0x000000006F4E0000-0x000000006FA8B000-memory.dmp

Filesize
5.7MB

Download
memory/2800-42-0x000000006F4E0000-0x000000006FA8B000-memory.dmp

Filesize
5.7MB

Download
memory/2800-39-0x0000000002250000-0x0000000002290000-memory.dmp

Filesize
256KB

Download
memory/2800-37-0x000000006F4E0000-0x000000006FA8B000-memory.dmp

Filesize
5.7MB

Download
memory/2800-35-0x0000000002250000-0x0000000002290000-memory.dmp

Filesize
256KB

Download
memory/2800-33-0x000000006F4E0000-0x000000006FA8B000-memory.dmp

Filesize
5.7MB

Download
memory/2888-58-0x0000000073E60000-0x000000007454E000-memory.dmp

Filesize
6.9MB

Download
memory/2888-57-0x0000000000890000-0x0000000000940000-memory.dmp

Filesize
704KB

Download
memory/2888-59-0x00000000007F0000-0x0000000000830000-memory.dmp

Filesize
256KB

Download
memory/2888-61-0x0000000073E60000-0x000000007454E000-memory.dmp

Filesize
6.9MB

Download
memory/2888-60-0x00000000005C0000-0x00000000005D2000-memory.dmp

Filesize
72KB

Download
memory/2888-62-0x00000000007F0000-0x0000000000830000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads