asyncrat | 61cb3345fb32835c6be148fbcd92812c80cc168affea782936055ff62ca4dd4b

Analysis

max time kernel
148s
max time network
148s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
27-03-2024 00:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e04e60efc406faefb13b0fd319e2251f.exe
Size

632KB
MD5

e04e60efc406faefb13b0fd319e2251f
SHA1

9e0f221915f81e639a52eeaf76dc96f95ab05e4d
SHA256

61cb3345fb32835c6be148fbcd92812c80cc168affea782936055ff62ca4dd4b
SHA512

07b848691b0976b40411672b98030de36b4f10f1181f248f3150600a336cf3461ba1a2af2484399d2c43faeb5c474146edb206430990ca90f36684444cb77485
SSDEEP

12288:0pacPt3R/dbmXv4k8OIpLaNrv/TFUVo6QyPa+DAB3YWLSiRw3K:K1KXL8hYFv/TmnibBzdp

Score

10^/10

asyncrat nanocore zgrat evasion keylogger persistence rat spyware stealer trojan

Malware Config

Extracted

Family

asyncrat

Version

0.5.2

sys2021.linkpc.net:6606

Mutex

cd6-c2e0e3fbeef6

Attributes

delay
0
install
true
install_file
notepad.exe
install_folder
%AppData%

aes.plain

Extracted

Family

nanocore

Version

1.2.2.0

sys2021.linkpc.net:11940

23.94.82.41:11940

Mutex

de7e01ad-963b-4e14-81aa-08dfb351f0fe

Attributes

activate_away_mode
false
backup_connection_host
23.94.82.41
backup_dns_server
8.8.4.4
buffer_size
65535
build_time
2021-04-24T08:14:59.254967636Z
bypass_user_account_control
true
bypass_user_account_control_data
clear_access_control
true
clear_zone_identifier
false
connect_delay
4000
connection_port
11940
default_group
Do
enable_debug_mode
true
gc_threshold
1.048576e+07
keep_alive_timeout
30000
keyboard_logging
false
lan_timeout
2500
max_packet_size
1.048576e+07
mutex
de7e01ad-963b-4e14-81aa-08dfb351f0fe
mutex_timeout
5000
prevent_system_sleep
false
primary_connection_host
sys2021.linkpc.net
primary_dns_server
8.8.8.8
request_elevation
true
restart_delay
5000
run_delay
0
run_on_startup
false
set_critical_process
true
timeout_interval
5000
use_custom_dns_server
false
version
1.2.2.0
wan_timeout
8000

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat

Contains code to disable Windows Defender 4 IoCs

A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\Edthlzkghxuafibmavvextdclient startup.exe	disable_win_def
behavioral1/memory/604-1973-0x0000000000FE0000-0x0000000001004000-memory.dmp	disable_win_def
behavioral1/memory/2844-1978-0x0000000000260000-0x00000000002A0000-memory.dmp	disable_win_def
behavioral1/memory/2996-1991-0x0000000000860000-0x0000000000884000-memory.dmp	disable_win_def

Detect ZGRat V1 34 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2848-22-0x0000000005250000-0x00000000052C4000-memory.dmp	family_zgrat_v1
behavioral1/memory/2848-23-0x0000000005250000-0x00000000052BE000-memory.dmp	family_zgrat_v1
behavioral1/memory/2848-24-0x0000000005250000-0x00000000052BE000-memory.dmp	family_zgrat_v1
behavioral1/memory/2848-26-0x0000000005250000-0x00000000052BE000-memory.dmp	family_zgrat_v1
behavioral1/memory/2848-28-0x0000000005250000-0x00000000052BE000-memory.dmp	family_zgrat_v1
behavioral1/memory/2848-30-0x0000000005250000-0x00000000052BE000-memory.dmp	family_zgrat_v1
behavioral1/memory/2848-32-0x0000000005250000-0x00000000052BE000-memory.dmp	family_zgrat_v1
behavioral1/memory/2848-34-0x0000000005250000-0x00000000052BE000-memory.dmp	family_zgrat_v1
behavioral1/memory/2848-36-0x0000000005250000-0x00000000052BE000-memory.dmp	family_zgrat_v1
behavioral1/memory/2848-38-0x0000000005250000-0x00000000052BE000-memory.dmp	family_zgrat_v1
behavioral1/memory/2848-40-0x0000000005250000-0x00000000052BE000-memory.dmp	family_zgrat_v1
behavioral1/memory/2848-42-0x0000000005250000-0x00000000052BE000-memory.dmp	family_zgrat_v1
behavioral1/memory/2848-44-0x0000000005250000-0x00000000052BE000-memory.dmp	family_zgrat_v1
behavioral1/memory/2848-50-0x0000000005250000-0x00000000052BE000-memory.dmp	family_zgrat_v1
behavioral1/memory/2848-52-0x0000000005250000-0x00000000052BE000-memory.dmp	family_zgrat_v1
behavioral1/memory/2848-48-0x0000000005250000-0x00000000052BE000-memory.dmp	family_zgrat_v1
behavioral1/memory/2848-46-0x0000000005250000-0x00000000052BE000-memory.dmp	family_zgrat_v1
behavioral1/memory/2848-58-0x0000000005250000-0x00000000052BE000-memory.dmp	family_zgrat_v1
behavioral1/memory/2848-66-0x0000000005250000-0x00000000052BE000-memory.dmp	family_zgrat_v1
behavioral1/memory/2848-74-0x0000000005250000-0x00000000052BE000-memory.dmp	family_zgrat_v1
behavioral1/memory/2848-78-0x0000000005250000-0x00000000052BE000-memory.dmp	family_zgrat_v1
behavioral1/memory/2848-80-0x0000000005250000-0x00000000052BE000-memory.dmp	family_zgrat_v1
behavioral1/memory/2848-82-0x0000000005250000-0x00000000052BE000-memory.dmp	family_zgrat_v1
behavioral1/memory/2848-76-0x0000000005250000-0x00000000052BE000-memory.dmp	family_zgrat_v1
behavioral1/memory/2848-84-0x0000000005250000-0x00000000052BE000-memory.dmp	family_zgrat_v1
behavioral1/memory/2848-72-0x0000000005250000-0x00000000052BE000-memory.dmp	family_zgrat_v1
behavioral1/memory/2848-86-0x0000000005250000-0x00000000052BE000-memory.dmp	family_zgrat_v1
behavioral1/memory/2848-70-0x0000000005250000-0x00000000052BE000-memory.dmp	family_zgrat_v1
behavioral1/memory/2848-68-0x0000000005250000-0x00000000052BE000-memory.dmp	family_zgrat_v1
behavioral1/memory/2848-64-0x0000000005250000-0x00000000052BE000-memory.dmp	family_zgrat_v1
behavioral1/memory/2848-62-0x0000000005250000-0x00000000052BE000-memory.dmp	family_zgrat_v1
behavioral1/memory/2848-60-0x0000000005250000-0x00000000052BE000-memory.dmp	family_zgrat_v1
behavioral1/memory/2848-56-0x0000000005250000-0x00000000052BE000-memory.dmp	family_zgrat_v1
behavioral1/memory/2848-54-0x0000000005250000-0x00000000052BE000-memory.dmp	family_zgrat_v1

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

e04e60efc406faefb13b0fd319e2251f.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,\"C:\\Users\\Admin\\AppData\\Roaming\\google\\chrome.exe\","	e04e60efc406faefb13b0fd319e2251f.exe

NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
keylogger trojan stealer spyware nanocore
ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

Async RAT payload 1 IoCs

rat

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\Edthlzkghxuafibmavvextdclient startup.exe	family_asyncrat

Executes dropped EXE 2 IoCs

Processes:

Edthlzkghxuafibmavvextdclient startup.exenotepad.exe

pid process

604 Edthlzkghxuafibmavvextdclient startup.exe
2996 notepad.exe
Loads dropped DLL 1 IoCs

Processes:

WScript.exe

pid process

2024 WScript.exe

pid	process
604	Edthlzkghxuafibmavvextdclient startup.exe
2996	notepad.exe

pid	process
2024	WScript.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

e04e60efc406faefb13b0fd319e2251f.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\TCP Service = "C:\\Program Files (x86)\\TCP Service\\tcpsv.exe"	e04e60efc406faefb13b0fd319e2251f.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

e04e60efc406faefb13b0fd319e2251f.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	e04e60efc406faefb13b0fd319e2251f.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

e04e60efc406faefb13b0fd319e2251f.exe

description pid process target process

PID 2848 set thread context of 2844 2848 e04e60efc406faefb13b0fd319e2251f.exe e04e60efc406faefb13b0fd319e2251f.exe

description	pid	process	target process
PID 2848 set thread context of 2844	2848	e04e60efc406faefb13b0fd319e2251f.exe	e04e60efc406faefb13b0fd319e2251f.exe

Drops file in Program Files directory 2 IoCs

Processes:

e04e60efc406faefb13b0fd319e2251f.exe

description	ioc	process
File created	C:\Program Files (x86)\TCP Service\tcpsv.exe	e04e60efc406faefb13b0fd319e2251f.exe
File opened for modification	C:\Program Files (x86)\TCP Service\tcpsv.exe	e04e60efc406faefb13b0fd319e2251f.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

1640 schtasks.exe

pid	process
1640	schtasks.exe

Suspicious behavior: EnumeratesProcesses 30 IoCs

Processes:

powershell.exepowershell.exee04e60efc406faefb13b0fd319e2251f.exee04e60efc406faefb13b0fd319e2251f.exeEdthlzkghxuafibmavvextdclient startup.exenotepad.exe

pid	process
2436	powershell.exe
2496	powershell.exe
2848	e04e60efc406faefb13b0fd319e2251f.exe
2848	e04e60efc406faefb13b0fd319e2251f.exe
2844	e04e60efc406faefb13b0fd319e2251f.exe
2844	e04e60efc406faefb13b0fd319e2251f.exe
2844	e04e60efc406faefb13b0fd319e2251f.exe
604	Edthlzkghxuafibmavvextdclient startup.exe
604	Edthlzkghxuafibmavvextdclient startup.exe
604	Edthlzkghxuafibmavvextdclient startup.exe
604	Edthlzkghxuafibmavvextdclient startup.exe
604	Edthlzkghxuafibmavvextdclient startup.exe
604	Edthlzkghxuafibmavvextdclient startup.exe
604	Edthlzkghxuafibmavvextdclient startup.exe
604	Edthlzkghxuafibmavvextdclient startup.exe
604	Edthlzkghxuafibmavvextdclient startup.exe
604	Edthlzkghxuafibmavvextdclient startup.exe
604	Edthlzkghxuafibmavvextdclient startup.exe
604	Edthlzkghxuafibmavvextdclient startup.exe
604	Edthlzkghxuafibmavvextdclient startup.exe
2996	notepad.exe
2996	notepad.exe
2996	notepad.exe
2996	notepad.exe
2996	notepad.exe
2996	notepad.exe
2996	notepad.exe
2996	notepad.exe
2996	notepad.exe
2996	notepad.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

e04e60efc406faefb13b0fd319e2251f.exe

pid process

2844 e04e60efc406faefb13b0fd319e2251f.exe

pid	process
2844	e04e60efc406faefb13b0fd319e2251f.exe

Suspicious use of AdjustPrivilegeToken 46 IoCs

Processes:

powershell.exepowershell.exee04e60efc406faefb13b0fd319e2251f.exee04e60efc406faefb13b0fd319e2251f.exeEdthlzkghxuafibmavvextdclient startup.exenotepad.exe

description	pid	process
Token: SeDebugPrivilege	2436	powershell.exe
Token: SeIncreaseQuotaPrivilege	2436	powershell.exe
Token: SeSecurityPrivilege	2436	powershell.exe
Token: SeTakeOwnershipPrivilege	2436	powershell.exe
Token: SeLoadDriverPrivilege	2436	powershell.exe
Token: SeSystemProfilePrivilege	2436	powershell.exe
Token: SeSystemtimePrivilege	2436	powershell.exe
Token: SeProfSingleProcessPrivilege	2436	powershell.exe
Token: SeIncBasePriorityPrivilege	2436	powershell.exe
Token: SeCreatePagefilePrivilege	2436	powershell.exe
Token: SeBackupPrivilege	2436	powershell.exe
Token: SeRestorePrivilege	2436	powershell.exe
Token: SeShutdownPrivilege	2436	powershell.exe
Token: SeDebugPrivilege	2436	powershell.exe
Token: SeSystemEnvironmentPrivilege	2436	powershell.exe
Token: SeRemoteShutdownPrivilege	2436	powershell.exe
Token: SeUndockPrivilege	2436	powershell.exe
Token: SeManageVolumePrivilege	2436	powershell.exe
Token: 33	2436	powershell.exe
Token: 34	2436	powershell.exe
Token: 35	2436	powershell.exe
Token: SeDebugPrivilege	2496	powershell.exe
Token: SeIncreaseQuotaPrivilege	2496	powershell.exe
Token: SeSecurityPrivilege	2496	powershell.exe
Token: SeTakeOwnershipPrivilege	2496	powershell.exe
Token: SeLoadDriverPrivilege	2496	powershell.exe
Token: SeSystemProfilePrivilege	2496	powershell.exe
Token: SeSystemtimePrivilege	2496	powershell.exe
Token: SeProfSingleProcessPrivilege	2496	powershell.exe
Token: SeIncBasePriorityPrivilege	2496	powershell.exe
Token: SeCreatePagefilePrivilege	2496	powershell.exe
Token: SeBackupPrivilege	2496	powershell.exe
Token: SeRestorePrivilege	2496	powershell.exe
Token: SeShutdownPrivilege	2496	powershell.exe
Token: SeDebugPrivilege	2496	powershell.exe
Token: SeSystemEnvironmentPrivilege	2496	powershell.exe
Token: SeRemoteShutdownPrivilege	2496	powershell.exe
Token: SeUndockPrivilege	2496	powershell.exe
Token: SeManageVolumePrivilege	2496	powershell.exe
Token: 33	2496	powershell.exe
Token: 34	2496	powershell.exe
Token: 35	2496	powershell.exe
Token: SeDebugPrivilege	2848	e04e60efc406faefb13b0fd319e2251f.exe
Token: SeDebugPrivilege	2844	e04e60efc406faefb13b0fd319e2251f.exe
Token: SeDebugPrivilege	604	Edthlzkghxuafibmavvextdclient startup.exe
Token: SeDebugPrivilege	2996	notepad.exe

Suspicious use of WriteProcessMemory 34 IoCs

Processes:

e04e60efc406faefb13b0fd319e2251f.exeWScript.exeEdthlzkghxuafibmavvextdclient startup.exeWScript.exe

description	pid	process	target process
PID 2848 wrote to memory of 2436	2848	e04e60efc406faefb13b0fd319e2251f.exe	powershell.exe
PID 2848 wrote to memory of 2436	2848	e04e60efc406faefb13b0fd319e2251f.exe	powershell.exe
PID 2848 wrote to memory of 2436	2848	e04e60efc406faefb13b0fd319e2251f.exe	powershell.exe
PID 2848 wrote to memory of 2436	2848	e04e60efc406faefb13b0fd319e2251f.exe	powershell.exe
PID 2848 wrote to memory of 2496	2848	e04e60efc406faefb13b0fd319e2251f.exe	powershell.exe
PID 2848 wrote to memory of 2496	2848	e04e60efc406faefb13b0fd319e2251f.exe	powershell.exe
PID 2848 wrote to memory of 2496	2848	e04e60efc406faefb13b0fd319e2251f.exe	powershell.exe
PID 2848 wrote to memory of 2496	2848	e04e60efc406faefb13b0fd319e2251f.exe	powershell.exe
PID 2848 wrote to memory of 2024	2848	e04e60efc406faefb13b0fd319e2251f.exe	WScript.exe
PID 2848 wrote to memory of 2024	2848	e04e60efc406faefb13b0fd319e2251f.exe	WScript.exe
PID 2848 wrote to memory of 2024	2848	e04e60efc406faefb13b0fd319e2251f.exe	WScript.exe
PID 2848 wrote to memory of 2024	2848	e04e60efc406faefb13b0fd319e2251f.exe	WScript.exe
PID 2848 wrote to memory of 2844	2848	e04e60efc406faefb13b0fd319e2251f.exe	e04e60efc406faefb13b0fd319e2251f.exe
PID 2848 wrote to memory of 2844	2848	e04e60efc406faefb13b0fd319e2251f.exe	e04e60efc406faefb13b0fd319e2251f.exe
PID 2848 wrote to memory of 2844	2848	e04e60efc406faefb13b0fd319e2251f.exe	e04e60efc406faefb13b0fd319e2251f.exe
PID 2848 wrote to memory of 2844	2848	e04e60efc406faefb13b0fd319e2251f.exe	e04e60efc406faefb13b0fd319e2251f.exe
PID 2848 wrote to memory of 2844	2848	e04e60efc406faefb13b0fd319e2251f.exe	e04e60efc406faefb13b0fd319e2251f.exe
PID 2848 wrote to memory of 2844	2848	e04e60efc406faefb13b0fd319e2251f.exe	e04e60efc406faefb13b0fd319e2251f.exe
PID 2848 wrote to memory of 2844	2848	e04e60efc406faefb13b0fd319e2251f.exe	e04e60efc406faefb13b0fd319e2251f.exe
PID 2848 wrote to memory of 2844	2848	e04e60efc406faefb13b0fd319e2251f.exe	e04e60efc406faefb13b0fd319e2251f.exe
PID 2848 wrote to memory of 2844	2848	e04e60efc406faefb13b0fd319e2251f.exe	e04e60efc406faefb13b0fd319e2251f.exe
PID 2024 wrote to memory of 604	2024	WScript.exe	Edthlzkghxuafibmavvextdclient startup.exe
PID 2024 wrote to memory of 604	2024	WScript.exe	Edthlzkghxuafibmavvextdclient startup.exe
PID 2024 wrote to memory of 604	2024	WScript.exe	Edthlzkghxuafibmavvextdclient startup.exe
PID 2024 wrote to memory of 604	2024	WScript.exe	Edthlzkghxuafibmavvextdclient startup.exe
PID 604 wrote to memory of 1212	604	Edthlzkghxuafibmavvextdclient startup.exe	WScript.exe
PID 604 wrote to memory of 1212	604	Edthlzkghxuafibmavvextdclient startup.exe	WScript.exe
PID 604 wrote to memory of 1212	604	Edthlzkghxuafibmavvextdclient startup.exe	WScript.exe
PID 1212 wrote to memory of 1640	1212	WScript.exe	schtasks.exe
PID 1212 wrote to memory of 1640	1212	WScript.exe	schtasks.exe
PID 1212 wrote to memory of 1640	1212	WScript.exe	schtasks.exe
PID 604 wrote to memory of 2996	604	Edthlzkghxuafibmavvextdclient startup.exe	notepad.exe
PID 604 wrote to memory of 2996	604	Edthlzkghxuafibmavvextdclient startup.exe	notepad.exe
PID 604 wrote to memory of 2996	604	Edthlzkghxuafibmavvextdclient startup.exe	notepad.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\e04e60efc406faefb13b0fd319e2251f.exe
"C:\Users\Admin\AppData\Local\Temp\e04e60efc406faefb13b0fd319e2251f.exe"
1⤵
- Modifies WinLogon for persistence
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2848

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection 8.8.8.8
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2436

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection 8.8.8.8
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2496

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Vzvcyragywwvopuhbwi.vbs"
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2024

C:\Users\Admin\AppData\Local\Temp\Edthlzkghxuafibmavvextdclient startup.exe
"C:\Users\Admin\AppData\Local\Temp\Edthlzkghxuafibmavvextdclient startup.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:604

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\tmp1F4.tmp.vbs"
4⤵
- Suspicious use of WriteProcessMemory
PID:1212

C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /sc onlogon /rl highest /tn notepad.exe /tr "C:\Users\Admin\AppData\Roaming\notepad.exe
5⤵
- Creates scheduled task(s)
PID:1640

C:\Users\Admin\AppData\Roaming\notepad.exe
"C:\Users\Admin\AppData\Roaming\notepad.exe"
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2996

C:\Users\Admin\AppData\Local\Temp\e04e60efc406faefb13b0fd319e2251f.exe
C:\Users\Admin\AppData\Local\Temp\e04e60efc406faefb13b0fd319e2251f.exe
2⤵
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:2844

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:1084

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:2924

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Query Registry

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Edthlzkghxuafibmavvextdclient startup.exe
Filesize
119KB

MD5
7c065aaedcccc8330d30dd098e2d080a

SHA1
d8e1a9251e02062264229d2b92366b33cba3615e

SHA256
8892f38077963d30d807e405177ca889e327e447473066ba7dbddacc58a5562c

SHA512
a193e0f337a16965726b0481324eda249e9f53ab0d24b48d63d736be35ff7208cab29fb6a5a6fc7c31dc34ddbba5423a2d4d4c1ecaf1f50c29f336c1fcb12469

Download Submit
C:\Users\Admin\AppData\Local\Temp\Vzvcyragywwvopuhbwi.vbs
Filesize
125B

MD5
e43caabb477eff9358b404c0658ea4b8

SHA1
ff9530a0a971b26d85323abe290427a32f135fe4

SHA256
796965acba70efdb0bc8d6633f5d35e745ce49d09f6600d8ff151545563c9430

SHA512
7eb32002d2a08d9342020bb0f073d21772f9569b9133a0f36334f3acaaefab2aab8c52f3b27ee4fc23148bab3ebd8cbdc15f7a1656ae9bf67997e3cc891383a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp1F4.tmp.vbs
Filesize
216B

MD5
3fd8d047dc23e8fe24f9cf58c7cd2b55

SHA1
57cf93639c8ed34f5bc06c4a7d795d712d3b8648

SHA256
4b207de241dc5c2ae5904d574fcccfbd2a85153c7b13f667055e96d15ad9eaec

SHA512
5d36a0ac43f312f8a6fc51e290aa56c687b1ff9a813f87a3f019452fc4db2a25ecb7596eda917db2748257c6d814eb14668b8ba16a1f630f0ae36723a6a35d8b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize
7KB

MD5
40d34c61ebde28c27db043dcac33091c

SHA1
c606f3720f79c8891fee9a7af6ee2826da71f9c7

SHA256
f475e1204935c444694eae904fb9329167e94029628687e021342c79ee80bbc0

SHA512
4599f387638db332be5a74657e7903085f0f2a83b9e06a010660c18b7afbdafc44766c40d7a1375c19769a38517f838e13a1ebdb1b84b560d14f8668d817b9e8

Download Submit
memory/604-1973-0x0000000000FE0000-0x0000000001004000-memory.dmp

Filesize
144KB

Download
memory/604-1992-0x000007FEF5B90000-0x000007FEF657C000-memory.dmp

Filesize
9.9MB

Download
memory/604-1976-0x000007FEF5B90000-0x000007FEF657C000-memory.dmp

Filesize
9.9MB

Download
memory/604-1981-0x000000001B280000-0x000000001B300000-memory.dmp

Filesize
512KB

Download
memory/2436-5-0x000000006FA20000-0x000000006FFCB000-memory.dmp

Filesize
5.7MB

Download
memory/2436-6-0x000000006FA20000-0x000000006FFCB000-memory.dmp

Filesize
5.7MB

Download
memory/2436-7-0x0000000002870000-0x00000000028B0000-memory.dmp

Filesize
256KB

Download
memory/2436-8-0x000000006FA20000-0x000000006FFCB000-memory.dmp

Filesize
5.7MB

Download
memory/2496-18-0x0000000002A60000-0x0000000002AA0000-memory.dmp

Filesize
256KB

Download
memory/2496-17-0x000000006F770000-0x000000006FD1B000-memory.dmp

Filesize
5.7MB

Download
memory/2496-20-0x000000006F770000-0x000000006FD1B000-memory.dmp

Filesize
5.7MB

Download
memory/2496-16-0x0000000002A60000-0x0000000002AA0000-memory.dmp

Filesize
256KB

Download
memory/2496-15-0x000000006F770000-0x000000006FD1B000-memory.dmp

Filesize
5.7MB

Download
memory/2844-1980-0x0000000000470000-0x000000000047A000-memory.dmp

Filesize
40KB

Download
memory/2844-1979-0x0000000000450000-0x000000000046E000-memory.dmp

Filesize
120KB

Download
memory/2844-1978-0x0000000000260000-0x00000000002A0000-memory.dmp

Filesize
256KB

Download
memory/2844-1977-0x0000000000440000-0x000000000044A000-memory.dmp

Filesize
40KB

Download
memory/2844-1995-0x00000000747A0000-0x0000000074E8E000-memory.dmp

Filesize
6.9MB

Download
memory/2844-1972-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2844-1971-0x00000000747A0000-0x0000000074E8E000-memory.dmp

Filesize
6.9MB

Download
memory/2844-1996-0x0000000000260000-0x00000000002A0000-memory.dmp

Filesize
256KB

Download
memory/2848-23-0x0000000005250000-0x00000000052BE000-memory.dmp

Filesize
440KB

Download
memory/2848-56-0x0000000005250000-0x00000000052BE000-memory.dmp

Filesize
440KB

Download
memory/2848-42-0x0000000005250000-0x00000000052BE000-memory.dmp

Filesize
440KB

Download
memory/2848-44-0x0000000005250000-0x00000000052BE000-memory.dmp

Filesize
440KB

Download
memory/2848-50-0x0000000005250000-0x00000000052BE000-memory.dmp

Filesize
440KB

Download
memory/2848-52-0x0000000005250000-0x00000000052BE000-memory.dmp

Filesize
440KB

Download
memory/2848-48-0x0000000005250000-0x00000000052BE000-memory.dmp

Filesize
440KB

Download
memory/2848-46-0x0000000005250000-0x00000000052BE000-memory.dmp

Filesize
440KB

Download
memory/2848-58-0x0000000005250000-0x00000000052BE000-memory.dmp

Filesize
440KB

Download
memory/2848-66-0x0000000005250000-0x00000000052BE000-memory.dmp

Filesize
440KB

Download
memory/2848-74-0x0000000005250000-0x00000000052BE000-memory.dmp

Filesize
440KB

Download
memory/2848-78-0x0000000005250000-0x00000000052BE000-memory.dmp

Filesize
440KB

Download
memory/2848-80-0x0000000005250000-0x00000000052BE000-memory.dmp

Filesize
440KB

Download
memory/2848-82-0x0000000005250000-0x00000000052BE000-memory.dmp

Filesize
440KB

Download
memory/2848-76-0x0000000005250000-0x00000000052BE000-memory.dmp

Filesize
440KB

Download
memory/2848-84-0x0000000005250000-0x00000000052BE000-memory.dmp

Filesize
440KB

Download
memory/2848-72-0x0000000005250000-0x00000000052BE000-memory.dmp

Filesize
440KB

Download
memory/2848-86-0x0000000005250000-0x00000000052BE000-memory.dmp

Filesize
440KB

Download
memory/2848-70-0x0000000005250000-0x00000000052BE000-memory.dmp

Filesize
440KB

Download
memory/2848-68-0x0000000005250000-0x00000000052BE000-memory.dmp

Filesize
440KB

Download
memory/2848-64-0x0000000005250000-0x00000000052BE000-memory.dmp

Filesize
440KB

Download
memory/2848-62-0x0000000005250000-0x00000000052BE000-memory.dmp

Filesize
440KB

Download
memory/2848-60-0x0000000005250000-0x00000000052BE000-memory.dmp

Filesize
440KB

Download
memory/2848-40-0x0000000005250000-0x00000000052BE000-memory.dmp

Filesize
440KB

Download
memory/2848-54-0x0000000005250000-0x00000000052BE000-memory.dmp

Filesize
440KB

Download
memory/2848-38-0x0000000005250000-0x00000000052BE000-memory.dmp

Filesize
440KB

Download
memory/2848-36-0x0000000005250000-0x00000000052BE000-memory.dmp

Filesize
440KB

Download
memory/2848-34-0x0000000005250000-0x00000000052BE000-memory.dmp

Filesize
440KB

Download
memory/2848-32-0x0000000005250000-0x00000000052BE000-memory.dmp

Filesize
440KB

Download
memory/2848-1970-0x00000000747A0000-0x0000000074E8E000-memory.dmp

Filesize
6.9MB

Download
memory/2848-30-0x0000000005250000-0x00000000052BE000-memory.dmp

Filesize
440KB

Download
memory/2848-28-0x0000000005250000-0x00000000052BE000-memory.dmp

Filesize
440KB

Download
memory/2848-26-0x0000000005250000-0x00000000052BE000-memory.dmp

Filesize
440KB

Download
memory/2848-24-0x0000000005250000-0x00000000052BE000-memory.dmp

Filesize
440KB

Download
memory/2848-0-0x00000000011B0000-0x0000000001254000-memory.dmp

Filesize
656KB

Download
memory/2848-22-0x0000000005250000-0x00000000052C4000-memory.dmp

Filesize
464KB

Download
memory/2848-21-0x0000000005150000-0x00000000051C4000-memory.dmp

Filesize
464KB

Download
memory/2848-19-0x0000000001030000-0x0000000001070000-memory.dmp

Filesize
256KB

Download
memory/2848-1-0x00000000747A0000-0x0000000074E8E000-memory.dmp

Filesize
6.9MB

Download
memory/2848-2-0x0000000001030000-0x0000000001070000-memory.dmp

Filesize
256KB

Download
memory/2848-14-0x00000000747A0000-0x0000000074E8E000-memory.dmp

Filesize
6.9MB

Download
memory/2996-1994-0x00000000004C0000-0x0000000000540000-memory.dmp

Filesize
512KB

Download
memory/2996-1993-0x000007FEF5B90000-0x000007FEF657C000-memory.dmp

Filesize
9.9MB

Download
memory/2996-1991-0x0000000000860000-0x0000000000884000-memory.dmp

Filesize
144KB

Download
memory/2996-1997-0x000007FEF5B90000-0x000007FEF657C000-memory.dmp

Filesize
9.9MB

Download
memory/2996-1998-0x00000000004C0000-0x0000000000540000-memory.dmp

Filesize
512KB

Download