Malware Analysis Report

2025-01-02 12:12

Sample ID 240417-wyr1wshh73
Target Clientfor triage.exe
SHA256 936d1f245521d1bb692693036b4a4e8f5942768fd0faecbe6fe0d288f0d6fd50
Tags
rat default asyncrat discovery
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

936d1f245521d1bb692693036b4a4e8f5942768fd0faecbe6fe0d288f0d6fd50

Threat Level: Known bad

The file Clientfor triage.exe was found to be: Known bad.

Malicious Activity Summary

rat default asyncrat discovery

Asyncrat family

AsyncRat

Async RAT payload

Async RAT payload

Checks computer location settings

Executes dropped EXE

Checks installed software on the system

Unsigned PE

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Uses Task Scheduler COM API

Delays execution with timeout.exe

Creates scheduled task(s)

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-17 18:20

Signatures

Async RAT payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Asyncrat family

asyncrat

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-17 18:20

Reported

2024-04-17 18:22

Platform

win7-20240221-en

Max time kernel

150s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Clientfor triage.exe"

Signatures

AsyncRat

rat asyncrat

Async RAT payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\asd.exe N/A

Checks installed software on the system

discovery

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\timeout.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Clientfor triage.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Clientfor triage.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Clientfor triage.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\asd.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\asd.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\asd.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\asd.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\asd.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\asd.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\asd.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\asd.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\asd.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\asd.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\asd.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\asd.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\asd.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\asd.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\asd.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\asd.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\asd.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\asd.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\asd.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\asd.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\asd.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\asd.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\asd.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\asd.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\asd.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\asd.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\asd.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\asd.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\asd.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\asd.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\asd.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\asd.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\asd.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\asd.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\asd.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\asd.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\asd.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\asd.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\asd.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\asd.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\asd.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\asd.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\asd.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\asd.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\asd.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\asd.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\asd.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\asd.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\asd.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\asd.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\asd.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\asd.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\asd.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\asd.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\asd.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\asd.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\asd.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\asd.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\asd.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\asd.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\asd.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Clientfor triage.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Clientfor triage.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\asd.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\asd.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\asd.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2960 wrote to memory of 2132 N/A C:\Users\Admin\AppData\Local\Temp\Clientfor triage.exe C:\Windows\System32\cmd.exe
PID 2960 wrote to memory of 2132 N/A C:\Users\Admin\AppData\Local\Temp\Clientfor triage.exe C:\Windows\System32\cmd.exe
PID 2960 wrote to memory of 2132 N/A C:\Users\Admin\AppData\Local\Temp\Clientfor triage.exe C:\Windows\System32\cmd.exe
PID 2960 wrote to memory of 2728 N/A C:\Users\Admin\AppData\Local\Temp\Clientfor triage.exe C:\Windows\system32\cmd.exe
PID 2960 wrote to memory of 2728 N/A C:\Users\Admin\AppData\Local\Temp\Clientfor triage.exe C:\Windows\system32\cmd.exe
PID 2960 wrote to memory of 2728 N/A C:\Users\Admin\AppData\Local\Temp\Clientfor triage.exe C:\Windows\system32\cmd.exe
PID 2132 wrote to memory of 2564 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\schtasks.exe
PID 2132 wrote to memory of 2564 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\schtasks.exe
PID 2132 wrote to memory of 2564 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\schtasks.exe
PID 2728 wrote to memory of 2636 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 2728 wrote to memory of 2636 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 2728 wrote to memory of 2636 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 2728 wrote to memory of 2628 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Roaming\asd.exe
PID 2728 wrote to memory of 2628 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Roaming\asd.exe
PID 2728 wrote to memory of 2628 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Roaming\asd.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\Clientfor triage.exe

"C:\Users\Admin\AppData\Local\Temp\Clientfor triage.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "asd" /tr '"C:\Users\Admin\AppData\Roaming\asd.exe"' & exit

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp2607.tmp.bat""

C:\Windows\system32\schtasks.exe

schtasks /create /f /sc onlogon /rl highest /tn "asd" /tr '"C:\Users\Admin\AppData\Roaming\asd.exe"'

C:\Windows\system32\timeout.exe

timeout 3

C:\Users\Admin\AppData\Roaming\asd.exe

"C:\Users\Admin\AppData\Roaming\asd.exe"

Network

Country | Destination | Domain | Proto
TR | 94.156.8.65:8080 | - | tcp
TR | 94.156.8.65:8080 | - | tcp
TR | 94.156.8.65:8080 | - | tcp
TR | 94.156.8.65:8080 | - | tcp
TR | 94.156.8.65:8080 | - | tcp
TR | 94.156.8.65:8080 | - | tcp
TR | 94.156.8.65:8080 | - | tcp
TR | 94.156.8.65:8080 | - | tcp
TR | 94.156.8.65:8080 | - | tcp
TR | 94.156.8.65:8080 | - | tcp
TR | 94.156.8.65:8080 | - | tcp
TR | 94.156.8.65:8080 | - | tcp
TR | 94.156.8.65:8080 | - | tcp
TR | 94.156.8.65:8080 | - | tcp
TR | 94.156.8.65:8080 | - | tcp
TR | 94.156.8.65:8080 | - | tcp
TR | 94.156.8.65:8080 | - | tcp
TR | 94.156.8.65:8080 | - | tcp
TR | 94.156.8.65:8080 | - | tcp
TR | 94.156.8.65:8080 | - | tcp
TR | 94.156.8.65:8080 | - | tcp
TR | 94.156.8.65:8080 | - | tcp
TR | 94.156.8.65:8080 | - | tcp
TR | 94.156.8.65:8080 | - | tcp

Files

memory/2960-0-0x0000000001140000-0x0000000001158000-memory.dmp

memory/2960-2-0x000007FEF5C70000-0x000007FEF665C000-memory.dmp

memory/2960-3-0x000000001ADC0000-0x000000001AE40000-memory.dmp

memory/2960-4-0x00000000778D0000-0x0000000077A79000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp2607.tmp.bat

MD5 720172873a8db00b9d2226917a285be2
SHA1 ecd11766e280b597dae93e2d31f240996ce9e3b8
SHA256 8e0285d23b4d215f6272e5d391ac9f4aab2b524d4a1a78cb98464d6f172843a1
SHA512 da5b02b8cfe0123f07517de1a12b7ea9e090d5df15f147ff520372a2e5204e03f4a95d1427d19f6735ecafc0bfae88c7357bf8277a5af524e37612432f9a8488

memory/2960-13-0x000007FEF5C70000-0x000007FEF665C000-memory.dmp

memory/2960-14-0x00000000778D0000-0x0000000077A79000-memory.dmp

C:\Users\Admin\AppData\Roaming\asd.exe

MD5 df7dfc7f1ca5217aa7fa6c5fa6de3d14
SHA1 2ba55b118b80361989f879bf85b83ef1beccba54
SHA256 936d1f245521d1bb692693036b4a4e8f5942768fd0faecbe6fe0d288f0d6fd50
SHA512 c989eca51d23f719875ad7a871ce4f037c01ab275dc9e1b83a11a83dcac71e4bd63d6c5fa884fbcc9fb18bdaa006376fb41310deffda7873f8c6726059924619

memory/2628-19-0x0000000000220000-0x0000000000238000-memory.dmp

memory/2628-21-0x000007FEF5280000-0x000007FEF5C6C000-memory.dmp

C:\Users\Admin\AppData\Roaming\MyData\DataLogs.conf

MD5 cf759e4c5f14fe3eec41b87ed756cea8
SHA1 c27c796bb3c2fac929359563676f4ba1ffada1f5
SHA256 c9f9f193409217f73cc976ad078c6f8bf65d3aabcf5fad3e5a47536d47aa6761
SHA512 c7f832aee13a5eb36d145f35d4464374a9e12fa2017f3c2257442d67483b35a55eccae7f7729243350125b37033e075efbc2303839fd86b81b9b4dca3626953b

memory/2628-22-0x000000001B250000-0x000000001B2D0000-memory.dmp

memory/2628-23-0x00000000778D0000-0x0000000077A79000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

MD5 29f65ba8e88c063813cc50a4ea544e93
SHA1 05a7040d5c127e68c25d81cc51271ffb8bef3568
SHA256 1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184
SHA512 e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

C:\Users\Admin\AppData\Local\Temp\Tar576A.tmp

MD5 435a9ac180383f9fa094131b173a2f7b
SHA1 76944ea657a9db94f9a4bef38f88c46ed4166983
SHA256 67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34
SHA512 1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

memory/2628-81-0x000007FEF5280000-0x000007FEF5C6C000-memory.dmp

memory/2628-102-0x000000001B250000-0x000000001B2D0000-memory.dmp

memory/2628-103-0x00000000778D0000-0x0000000077A79000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-17 18:20

Reported

2024-04-17 18:22

Platform

win10v2004-20240412-en

Max time kernel

149s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Clientfor triage.exe"

Signatures

AsyncRat

rat asyncrat

Async RAT payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\Clientfor triage.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\asd.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\asd.exe N/A

Checks installed software on the system

discovery

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\timeout.exe N/A
N/A N/A C:\Windows\system32\timeout.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Clientfor triage.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Clientfor triage.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Clientfor triage.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Clientfor triage.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Clientfor triage.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Clientfor triage.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Clientfor triage.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Clientfor triage.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Clientfor triage.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Clientfor triage.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Clientfor triage.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Clientfor triage.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Clientfor triage.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Clientfor triage.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Clientfor triage.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Clientfor triage.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Clientfor triage.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Clientfor triage.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Clientfor triage.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Clientfor triage.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Clientfor triage.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Clientfor triage.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Clientfor triage.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Clientfor triage.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Clientfor triage.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\asd.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\asd.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\asd.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\asd.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\asd.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\asd.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\asd.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\asd.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\asd.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\asd.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\asd.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\asd.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\asd.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\asd.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\asd.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\asd.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\asd.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\asd.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\asd.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\asd.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\asd.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\asd.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\asd.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\asd.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\asd.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\asd.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\asd.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\asd.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\asd.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\asd.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\asd.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\asd.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\asd.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\asd.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\asd.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\asd.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\asd.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\asd.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\asd.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Clientfor triage.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Clientfor triage.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\asd.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\asd.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\asd.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4948 wrote to memory of 4348 N/A C:\Users\Admin\AppData\Local\Temp\Clientfor triage.exe C:\Windows\System32\cmd.exe
PID 4948 wrote to memory of 4348 N/A C:\Users\Admin\AppData\Local\Temp\Clientfor triage.exe C:\Windows\System32\cmd.exe
PID 4948 wrote to memory of 3640 N/A C:\Users\Admin\AppData\Local\Temp\Clientfor triage.exe C:\Windows\system32\cmd.exe
PID 4948 wrote to memory of 3640 N/A C:\Users\Admin\AppData\Local\Temp\Clientfor triage.exe C:\Windows\system32\cmd.exe
PID 3640 wrote to memory of 4712 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 3640 wrote to memory of 4712 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 4348 wrote to memory of 2980 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\schtasks.exe
PID 4348 wrote to memory of 2980 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\schtasks.exe
PID 3640 wrote to memory of 2180 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Roaming\asd.exe
PID 3640 wrote to memory of 2180 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Roaming\asd.exe
PID 2180 wrote to memory of 1648 N/A C:\Users\Admin\AppData\Roaming\asd.exe C:\Windows\System32\cmd.exe
PID 2180 wrote to memory of 1648 N/A C:\Users\Admin\AppData\Roaming\asd.exe C:\Windows\System32\cmd.exe
PID 2180 wrote to memory of 2704 N/A C:\Users\Admin\AppData\Roaming\asd.exe C:\Windows\system32\cmd.exe
PID 2180 wrote to memory of 2704 N/A C:\Users\Admin\AppData\Roaming\asd.exe C:\Windows\system32\cmd.exe
PID 2704 wrote to memory of 5024 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 2704 wrote to memory of 5024 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 1648 wrote to memory of 2308 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\schtasks.exe
PID 1648 wrote to memory of 2308 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\schtasks.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\Clientfor triage.exe

"C:\Users\Admin\AppData\Local\Temp\Clientfor triage.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "asd" /tr '"C:\Users\Admin\AppData\Roaming\asd.exe"' & exit

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp941D.tmp.bat""

C:\Windows\system32\schtasks.exe

schtasks /create /f /sc onlogon /rl highest /tn "asd" /tr '"C:\Users\Admin\AppData\Roaming\asd.exe"'

C:\Windows\system32\timeout.exe

timeout 3

C:\Users\Admin\AppData\Roaming\asd.exe

"C:\Users\Admin\AppData\Roaming\asd.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c schtasks /delete /f /tn "asd"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp3781.tmp.bat""

C:\Windows\system32\timeout.exe

timeout 3

C:\Windows\system32\schtasks.exe

schtasks /delete /f /tn "asd"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 134.32.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | g.bing.com | udp
US | 204.79.197.237:443 | g.bing.com | tcp
US | 8.8.8.8:53 | 224.138.73.23.in-addr.arpa | udp
US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp
US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp
US | 8.8.8.8:53 | tse1.mm.bing.net | udp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp
US | 8.8.8.8:53 | 67.32.209.4.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 11.58.22.2.in-addr.arpa | udp
TR | 94.156.8.65:8080 | - | tcp
US | 8.8.8.8:53 | 65.8.156.94.in-addr.arpa | udp
TR | 94.156.8.65:8080 | - | tcp
US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 34.56.20.217.in-addr.arpa | udp
TR | 94.156.8.65:8080 | - | tcp
US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp
US | 8.8.8.8:53 | 249.197.17.2.in-addr.arpa | udp

Files

memory/4948-0-0x0000000000D50000-0x0000000000D68000-memory.dmp

memory/4948-2-0x00007FFD392E0000-0x00007FFD39DA1000-memory.dmp

memory/4948-3-0x000000001BA80000-0x000000001BA90000-memory.dmp

memory/4948-8-0x00007FFD57BB0000-0x00007FFD57DA5000-memory.dmp

memory/4948-9-0x00007FFD392E0000-0x00007FFD39DA1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp941D.tmp.bat

MD5 8081129a9fba2cc7def40085fd3c2515
SHA1 32cfca012e4b1a5f930129e723f81d2d41756eb2
SHA256 bfc60c20e858ca4c6dfcc3ad9854974999bf080dc7dd07e788a69103a2ab6c36
SHA512 5752a78146c34678b081e5f8f57a91f4699d580bd11431bd6c1d077674369fe4178aff2544695e8ab335d29d3930083a98a74794ef584b91a6a2fb92fe72b6f9

C:\Users\Admin\AppData\Roaming\asd.exe

MD5 df7dfc7f1ca5217aa7fa6c5fa6de3d14
SHA1 2ba55b118b80361989f879bf85b83ef1beccba54
SHA256 936d1f245521d1bb692693036b4a4e8f5942768fd0faecbe6fe0d288f0d6fd50
SHA512 c989eca51d23f719875ad7a871ce4f037c01ab275dc9e1b83a11a83dcac71e4bd63d6c5fa884fbcc9fb18bdaa006376fb41310deffda7873f8c6726059924619

C:\Users\Admin\AppData\Roaming\MyData\DataLogs.conf

MD5 cf759e4c5f14fe3eec41b87ed756cea8
SHA1 c27c796bb3c2fac929359563676f4ba1ffada1f5
SHA256 c9f9f193409217f73cc976ad078c6f8bf65d3aabcf5fad3e5a47536d47aa6761
SHA512 c7f832aee13a5eb36d145f35d4464374a9e12fa2017f3c2257442d67483b35a55eccae7f7729243350125b37033e075efbc2303839fd86b81b9b4dca3626953b

memory/2180-15-0x00007FFD392E0000-0x00007FFD39DA1000-memory.dmp

memory/2180-16-0x000000001BD10000-0x000000001BD20000-memory.dmp

memory/2180-17-0x000000001BD10000-0x000000001BD20000-memory.dmp

memory/2180-18-0x000000001C020000-0x000000001C096000-memory.dmp

memory/2180-19-0x000000001BB60000-0x000000001BB70000-memory.dmp

memory/2180-20-0x000000001BB90000-0x000000001BBAE000-memory.dmp

memory/2180-21-0x00007FFD392E0000-0x00007FFD39DA1000-memory.dmp

memory/2180-22-0x000000001BD10000-0x000000001BD20000-memory.dmp

memory/2180-23-0x000000001BD10000-0x000000001BD20000-memory.dmp

memory/2180-24-0x000000001BD10000-0x000000001BD20000-memory.dmp

memory/2180-25-0x000000001BD10000-0x000000001BD20000-memory.dmp

memory/2180-26-0x000000001CE20000-0x000000001CE86000-memory.dmp

memory/2180-27-0x000000001BD10000-0x000000001BD20000-memory.dmp

memory/2180-30-0x00007FFD57BB0000-0x00007FFD57DA5000-memory.dmp

memory/2180-32-0x00007FFD392E0000-0x00007FFD39DA1000-memory.dmp

memory/2180-33-0x00007FFD57BB0000-0x00007FFD57DA5000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp3781.tmp.bat

MD5 15b07e3c4e3f6e45d95a8e4f2d5a1a03
SHA1 ced9297ad0bfd5ecbc6c3d396acf3cb867c4f3bd
SHA256 a5b89e6474b23a0dc442e32b72b8d69d73141787d44a183e26ca3a341a7e3eeb
SHA512 46ef5042914137fd5ccbc9afa5075d0332fdd4e3a38b2d713e7b26f906ac2d684d79e0e137749d8156d2d82b7453a4945638c9824889f7aec3c144e4703fa44e