asyncrat | 5c571eab4831d78279edf3ed574a10e42b877b430815b08b83bc2f18141d3ad0

Analysis

max time kernel
106s
max time network
158s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
16-05-2024 23:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

release_lava.exe
Size

5.5MB
MD5

de557c3360f872d88f7a807b8cc0aabb
SHA1

8beb7bbb77e52d4076924791afacd50475d0c0d0
SHA256

5c571eab4831d78279edf3ed574a10e42b877b430815b08b83bc2f18141d3ad0
SHA512

d2cf879e061403c03fc61a797308fef01e9ecad4052fa674878d24c63bfd7af919b2ecb0229f4ba83bc78d3793e585d85f9a6f868b18d47ccaf48138d5d9b823
SSDEEP

98304:2+5NpZB2er+PqXfcGJy+P0gNiQIO0cpKmjDBhBtYlhW6mf9i3/n4d4:BpZBrHkkFJipRqKmZhYDW6+ivn

Score

10^/10

asyncrat stormkitty default evasion execution persistence rat stealer

Malware Config

Extracted

Family

asyncrat

Botnet

Default

127.0.0.1:6606

127.0.0.1:7707

127.0.0.1:8808

https://api.telegram.org/bot6471941882:AAHasaNCecS7ngmuNpsLq1sIjTyBjQRkZ8U/sendMessage?chat_id=5383408154

Mutex

AsyncMutex_6SI8OkPnk

Attributes

delay
3
install
false
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
StormKitty
StormKitty is an open source info stealer written in C#.
stealer stormkitty

StormKitty payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\Server.exe	family_stormkitty
behavioral2/memory/2248-37-0x0000000000AB0000-0x0000000000AE2000-memory.dmp	family_stormkitty

Async RAT payload 1 IoCs

rat

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\Server.exe	family_asyncrat

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exe

pid process

2840 powershell.exe
5168 powershell.exe
Creates new service(s) 2 TTPs
persistence execution

Windows Service
T1543.003

Service Execution
T1569.002
Drops file in Drivers directory 1 IoCs

Processes:

release.exe

description ioc process

File created C:\Windows\system32\drivers\etc\hosts release.exe
Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

pid	process
2840	powershell.exe
5168	powershell.exe

description	ioc	process
File created	C:\Windows\system32\drivers\etc\hosts	release.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

release_lava.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	release_lava.exe

Executes dropped EXE 3 IoCs

Processes:

release.exeServer.exeupdater.exe

pid process

4972 release.exe
2248 Server.exe
1232 updater.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service
T1102

Processes:

flow ioc

68 pastebin.com
69 pastebin.com

flow	ioc
68	pastebin.com
69	pastebin.com

Drops file in System32 directory 2 IoCs

Processes:

svchost.exerelease.exe

description	ioc	process
File opened for modification	C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Security-Mitigations%4UserMode.evtx	svchost.exe
File opened for modification	C:\Windows\system32\MRT.exe	release.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

release.exe

description pid process target process

PID 4972 set thread context of 3368 4972 release.exe dialer.exe

description	pid	process	target process
PID 4972 set thread context of 3368	4972	release.exe	dialer.exe

Launches sc.exe 14 IoCs

Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exe

pid	process
432	sc.exe
2424	sc.exe
6004	sc.exe
3180	sc.exe
5844	sc.exe
4324	sc.exe
5088	sc.exe
4596	sc.exe
1588	sc.exe
4752	sc.exe
5692	sc.exe
6072	sc.exe
2256	sc.exe
4996	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 32 IoCs

Processes:

release.exepowershell.exedialer.exeupdater.exe

pid	process
4972	release.exe
2840	powershell.exe
2840	powershell.exe
2840	powershell.exe
4972	release.exe
4972	release.exe
4972	release.exe
4972	release.exe
4972	release.exe
4972	release.exe
4972	release.exe
4972	release.exe
4972	release.exe
4972	release.exe
4972	release.exe
4972	release.exe
3368	dialer.exe
3368	dialer.exe
4972	release.exe
4972	release.exe
4972	release.exe
3368	dialer.exe
3368	dialer.exe
1232	updater.exe
3368	dialer.exe
3368	dialer.exe
3368	dialer.exe
3368	dialer.exe
3368	dialer.exe
3368	dialer.exe
3368	dialer.exe
3368	dialer.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

Processes:

powershell.exedialer.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exe

description	pid	process
Token: SeDebugPrivilege	2840	powershell.exe
Token: SeDebugPrivilege	3368	dialer.exe
Token: SeShutdownPrivilege	2836	powercfg.exe
Token: SeCreatePagefilePrivilege	2836	powercfg.exe
Token: SeShutdownPrivilege	2412	powercfg.exe
Token: SeCreatePagefilePrivilege	2412	powercfg.exe
Token: SeShutdownPrivilege	4968	powercfg.exe
Token: SeCreatePagefilePrivilege	4968	powercfg.exe
Token: SeShutdownPrivilege	908	powercfg.exe
Token: SeCreatePagefilePrivilege	908	powercfg.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

release_lava.execmd.exerelease.exedialer.exe

description	pid	process	target process
PID 1432 wrote to memory of 4972	1432	release_lava.exe	release.exe
PID 1432 wrote to memory of 4972	1432	release_lava.exe	release.exe
PID 1432 wrote to memory of 2248	1432	release_lava.exe	Server.exe
PID 1432 wrote to memory of 2248	1432	release_lava.exe	Server.exe
PID 1432 wrote to memory of 2248	1432	release_lava.exe	Server.exe
PID 2292 wrote to memory of 1488	2292	cmd.exe	wusa.exe
PID 2292 wrote to memory of 1488	2292	cmd.exe	wusa.exe
PID 4972 wrote to memory of 3368	4972	release.exe	dialer.exe
PID 4972 wrote to memory of 3368	4972	release.exe	dialer.exe
PID 4972 wrote to memory of 3368	4972	release.exe	dialer.exe
PID 4972 wrote to memory of 3368	4972	release.exe	dialer.exe
PID 4972 wrote to memory of 3368	4972	release.exe	dialer.exe
PID 4972 wrote to memory of 3368	4972	release.exe	dialer.exe
PID 4972 wrote to memory of 3368	4972	release.exe	dialer.exe
PID 3368 wrote to memory of 612	3368	dialer.exe	winlogon.exe
PID 3368 wrote to memory of 668	3368	dialer.exe	lsass.exe
PID 3368 wrote to memory of 948	3368	dialer.exe	svchost.exe
PID 3368 wrote to memory of 1020	3368	dialer.exe	dwm.exe
PID 3368 wrote to memory of 1028	3368	dialer.exe	svchost.exe
PID 3368 wrote to memory of 1048	3368	dialer.exe	svchost.exe
PID 3368 wrote to memory of 1056	3368	dialer.exe	svchost.exe
PID 3368 wrote to memory of 1192	3368	dialer.exe	svchost.exe
PID 3368 wrote to memory of 1204	3368	dialer.exe	svchost.exe
PID 3368 wrote to memory of 1256	3368	dialer.exe	svchost.exe
PID 3368 wrote to memory of 1312	3368	dialer.exe	svchost.exe
PID 3368 wrote to memory of 1388	3368	dialer.exe	svchost.exe
PID 3368 wrote to memory of 1412	3368	dialer.exe	svchost.exe
PID 3368 wrote to memory of 1464	3368	dialer.exe	svchost.exe
PID 3368 wrote to memory of 1500	3368	dialer.exe	svchost.exe
PID 3368 wrote to memory of 1512	3368	dialer.exe	svchost.exe
PID 3368 wrote to memory of 1644	3368	dialer.exe	svchost.exe
PID 3368 wrote to memory of 1696	3368	dialer.exe	svchost.exe
PID 3368 wrote to memory of 1724	3368	dialer.exe	svchost.exe
PID 3368 wrote to memory of 1796	3368	dialer.exe	svchost.exe
PID 3368 wrote to memory of 1824	3368	dialer.exe	svchost.exe
PID 3368 wrote to memory of 1872	3368	dialer.exe	svchost.exe
PID 3368 wrote to memory of 1888	3368	dialer.exe	svchost.exe
PID 3368 wrote to memory of 1976	3368	dialer.exe	svchost.exe
PID 3368 wrote to memory of 1984	3368	dialer.exe	svchost.exe
PID 3368 wrote to memory of 1372	3368	dialer.exe	spoolsv.exe
PID 3368 wrote to memory of 2056	3368	dialer.exe	svchost.exe
PID 3368 wrote to memory of 2132	3368	dialer.exe	svchost.exe
PID 3368 wrote to memory of 2340	3368	dialer.exe	sihost.exe
PID 3368 wrote to memory of 2360	3368	dialer.exe	svchost.exe
PID 3368 wrote to memory of 2488	3368	dialer.exe	svchost.exe
PID 3368 wrote to memory of 2496	3368	dialer.exe	svchost.exe
PID 3368 wrote to memory of 2508	3368	dialer.exe	svchost.exe
PID 3368 wrote to memory of 2536	3368	dialer.exe	taskhostw.exe
PID 3368 wrote to memory of 2564	3368	dialer.exe	svchost.exe
PID 3368 wrote to memory of 2640	3368	dialer.exe	svchost.exe
PID 3368 wrote to memory of 2660	3368	dialer.exe	sysmon.exe
PID 3368 wrote to memory of 2688	3368	dialer.exe	svchost.exe
PID 3368 wrote to memory of 2696	3368	dialer.exe	svchost.exe
PID 3368 wrote to memory of 2712	3368	dialer.exe	svchost.exe
PID 3368 wrote to memory of 2648	3368	dialer.exe	svchost.exe
PID 3368 wrote to memory of 3080	3368	dialer.exe	unsecapp.exe
PID 3368 wrote to memory of 3348	3368	dialer.exe	Explorer.EXE
PID 3368 wrote to memory of 3496	3368	dialer.exe	svchost.exe
PID 3368 wrote to memory of 3732	3368	dialer.exe	DllHost.exe
PID 3368 wrote to memory of 3924	3368	dialer.exe	RuntimeBroker.exe
PID 3368 wrote to memory of 4124	3368	dialer.exe	RuntimeBroker.exe
PID 3368 wrote to memory of 2040	3368	dialer.exe	RuntimeBroker.exe
PID 3368 wrote to memory of 4872	3368	dialer.exe	svchost.exe
PID 3368 wrote to memory of 1228	3368	dialer.exe	svchost.exe

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:612
- C:\Windows\system32\dwm.exe
  "dwm.exe"
  2⤵
  PID:1020

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:668

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
1⤵
PID:948

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
1⤵
PID:1028

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
1⤵
PID:1048

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
1⤵
PID:1056

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
1⤵
PID:1192
- C:\Windows\system32\taskhostw.exe
  taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
  2⤵
  PID:2536

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
1⤵
- Drops file in System32 directory
PID:1204

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
1⤵
PID:1256

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
1⤵
PID:1312

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
1⤵
PID:1388

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
1⤵
PID:1412
- C:\Windows\system32\sihost.exe
  sihost.exe
  2⤵
  PID:2340

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
1⤵
PID:1464

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
1⤵
PID:1500

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
1⤵
PID:1512

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
1⤵
PID:1644

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
1⤵
PID:1696

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc
1⤵
PID:1724

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1796

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm
1⤵
PID:1824

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache
1⤵
PID:1872

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1888

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
1⤵
PID:1976

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
1⤵
PID:1984

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
1⤵
PID:1372

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
1⤵
PID:2056

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
1⤵
PID:2132

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2360

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
1⤵
PID:2488

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
1⤵
PID:2496

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker
1⤵
PID:2508

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc
1⤵
PID:2564

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
1⤵
PID:2640

C:\Windows\sysmon.exe
C:\Windows\sysmon.exe
1⤵
PID:2660

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
1⤵
PID:2688

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
1⤵
PID:2696

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
1⤵
PID:2712

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
1⤵
PID:2648

C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\unsecapp.exe -Embedding
1⤵
PID:3080

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3348
- C:\Users\Admin\AppData\Local\Temp\release_lava.exe
  "C:\Users\Admin\AppData\Local\Temp\release_lava.exe"
  2⤵
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:1432
- - C:\Users\Admin\AppData\Local\Temp\release.exe
    "C:\Users\Admin\AppData\Local\Temp\release.exe"
    3⤵
    - Drops file in Drivers directory
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:4972
  - - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
      C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2840
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2292
    - - C:\Windows\system32\wusa.exe
        
        wusa /uninstall /kb:890830 /quiet /norestart
        5⤵
        
        PID:1488
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop UsoSvc
      4⤵
      Launches sc.exe
      PID:3180
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop WaaSMedicSvc
      4⤵
      Launches sc.exe
      PID:1588
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop wuauserv
      4⤵
      Launches sc.exe
      PID:4752
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop bits
      4⤵
      Launches sc.exe
      PID:4996
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop dosvc
      4⤵
      Launches sc.exe
      PID:5088
  - - C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2836
  - - C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:908
  - - C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2412
  - - C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4968
  - - C:\Windows\system32\dialer.exe
      C:\Windows\system32\dialer.exe
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3368
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe delete "GoogleUpdateTaskMachineQC"
      4⤵
      Launches sc.exe
      PID:432
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe create "GoogleUpdateTaskMachineQC" binpath= "C:\ProgramData\Google\Chrome\updater.exe" start= "auto"
      4⤵
      Launches sc.exe
      PID:4596
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop eventlog
      4⤵
      Launches sc.exe
      PID:2424
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe start "GoogleUpdateTaskMachineQC"
      4⤵
      Launches sc.exe
      PID:4324
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:4160
- - C:\Users\Admin\AppData\Local\Temp\Server.exe
    "C:\Users\Admin\AppData\Local\Temp\Server.exe"
    3⤵
    - Executes dropped EXE
    PID:2248
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
      4⤵
      PID:228
    - - C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        5⤵
        
        PID:4324
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        5⤵
        
        PID:3580
    - - C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        5⤵
        
        PID:2532
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
      4⤵
      PID:1152

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3496

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3732

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3924

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4124

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:2040

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
1⤵
PID:4872

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
1⤵
PID:1228

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
1⤵
PID:3440

C:\Windows\system32\SppExtComObj.exe
C:\Windows\system32\SppExtComObj.exe -Embedding
1⤵
PID:4456

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
1⤵
PID:4528

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
1⤵
PID:2296

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:1292

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4692

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s camsvc
1⤵
PID:3864

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window
1⤵
PID:3576
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=122.0.6261.70 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=122.0.2365.52 --initial-client-data=0x23c,0x240,0x244,0x238,0x2f0,0x7ff980c42e98,0x7ff980c42ea4,0x7ff980c42eb0
  2⤵
  PID:4928
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=3208 --field-trial-handle=3240,i,13319578961094268484,16557498665191861597,262144 --variations-seed-version /prefetch:3
  2⤵
  PID:3908
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4944 --field-trial-handle=3240,i,13319578961094268484,16557498665191861597,262144 --variations-seed-version /prefetch:8
  2⤵
  PID:4256

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo
1⤵
PID:3624

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
1⤵
PID:2804

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
1⤵
PID:4392

C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\servicing\TrustedInstaller.exe
1⤵
PID:2284

C:\Windows\System32\mousocoreworker.exe
C:\Windows\System32\mousocoreworker.exe -Embedding
1⤵
PID:3320

C:\ProgramData\Google\Chrome\updater.exe
C:\ProgramData\Google\Chrome\updater.exe
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:1232
- C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:5168
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:5256
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
  2⤵
  PID:5684
- - C:\Windows\system32\wusa.exe
    wusa /uninstall /kb:890830 /quiet /norestart
    3⤵
    PID:5852
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop UsoSvc
  2⤵
  - Launches sc.exe
  PID:5692
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop WaaSMedicSvc
  2⤵
  - Launches sc.exe
  PID:5844
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop wuauserv
  2⤵
  - Launches sc.exe
  PID:6004
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop bits
  2⤵
  - Launches sc.exe
  PID:6072
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop dosvc
  2⤵
  - Launches sc.exe
  PID:2256
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
  2⤵
  PID:4232
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
  2⤵
  PID:808
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
  2⤵
  PID:3336
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
  2⤵
  PID:2348
- C:\Windows\system32\dialer.exe
  C:\Windows\system32\dialer.exe
  2⤵
  PID:4732
- C:\Windows\system32\dialer.exe
  C:\Windows\system32\dialer.exe
  2⤵
  PID:2376
- C:\Windows\system32\dialer.exe
  dialer.exe
  2⤵
  PID:4776

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

System Services

T1569

Service Execution

T1569.002

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Server.exe

Filesize
175KB

MD5
df96a0997b631e96c050382b96804ebb

SHA1
9d3b7dfd52eb72bf1c124f0cf1574dc0ba174d90

SHA256
4408d454808a4e3ca0361423f310c3e6b4754c2d0c2be4973d39dea722409430

SHA512
6954f887f1a0d8224503c9585274aef3bf510b41f8f133a4dfc133e147c4a65a819b4fd35e3d78d8ac70397679fa6299bf441d9a9016ab6ac29b837887ce41cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_0gfophqs.tpm.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\release.exe

Filesize
5.3MB

MD5
f0c677d565a3299f693a68cdea0a4998

SHA1
4cd1ee7321e4c64bad5cabb01a7d56efccd4e058

SHA256
be9a43dffd8fa5ca2e10ef5493cbb1c647d8fefa829866f00c99162c45ccf456

SHA512
87986f5a4a2342cbf147c665e3f625ed44ea8e775fb770e2801fbdbac0d0b4817bfb08fdb76fdcb62724b7ab915673cb8f795c803a7525dfea3689b2c134337d

Download Submit
C:\Users\Admin\AppData\Local\f9f38ed25bb74d569ff07fd0fb2a1e6d\Admin@OAILVCNY_en-US\Browsers\Firefox\Bookmarks.txt

Filesize
105B

MD5
2e9d094dda5cdc3ce6519f75943a4ff4

SHA1
5d989b4ac8b699781681fe75ed9ef98191a5096c

SHA256
c84c98bbf5e0ef9c8d0708b5d60c5bb656b7d6be5135d7f7a8d25557e08cf142

SHA512
d1f7eed00959e902bdb2125b91721460d3ff99f3bdfc1f2a343d4f58e8d4e5e5a06c0c6cdc0379211c94510f7c00d7a8b34fa7d0ca0c3d54cbbe878f1e9812b7

Download Submit
C:\Users\Admin\AppData\Local\f9f38ed25bb74d569ff07fd0fb2a1e6d\Admin@OAILVCNY_en-US\System\Process.txt

Filesize
4KB

MD5
0571cef225f4b24c216ba356d5f21de5

SHA1
97ece6e2a62494692dcea085633335e1aee18450

SHA256
d1182ac8e18dda8d78dfac030cd6e852608ba2a56e2da4ea35855340ff7a67b0

SHA512
2e9714e0b37e7300114ce51aec1e3e8ad6b7ed9d87133837f821df7ea8d4703adf84e784344203f44b53a6b56b9809ccf1831aba185189eddb92eb2766d3af5a

Download Submit
C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_363582827213C09529A76F35FB615187

Filesize
412B

MD5
1037913c0ac0cdd12d88da683f572ab4

SHA1
2fcce1293ad221e9bbbe9fdcf7af7b33e30f875a

SHA256
09ad2308b6b73066b1266b28ae6c8160d48f6d389897a009ab195c1d8efae725

SHA512
c361caf82da6f692c6f91319f58a30393af7256c3a8e7907cd01b35c93a788d78953235a21f8e055667328aaf17949e91366da46f3e9657a69e1c343b1ed178b

Download Submit
C:\Windows\system32\drivers\etc\hosts

Filesize
3KB

MD5
00930b40cba79465b7a38ed0449d1449

SHA1
4b25a89ee28b20ba162f23772ddaf017669092a5

SHA256
eda1aae2c8fce700e3bdbe0186cf3db88400cf0ac13ec736e84dacba61628a01

SHA512
cbe4760ec041e7da7ab86474d5c82969cfccb8ccc5dbdac9436862d5b1b86210ab90754d3c8da5724176570d8842e57a716a281acba8719e90098a6f61a17c62

Download Submit
memory/612-55-0x000001F1130F0000-0x000001F11311B000-memory.dmp

Filesize
172KB

Download
memory/612-56-0x00007FF9667B0000-0x00007FF9667C0000-memory.dmp

Filesize
64KB

Download
memory/612-54-0x000001F1130C0000-0x000001F1130E4000-memory.dmp

Filesize
144KB

Download
memory/668-68-0x00007FF9667B0000-0x00007FF9667C0000-memory.dmp

Filesize
64KB

Download
memory/668-66-0x000001C6F8920000-0x000001C6F894B000-memory.dmp

Filesize
172KB

Download
memory/1020-63-0x00000208A8060000-0x00000208A808B000-memory.dmp

Filesize
172KB

Download
memory/1020-64-0x00007FF9667B0000-0x00007FF9667C0000-memory.dmp

Filesize
64KB

Download
memory/1048-92-0x00007FF9667B0000-0x00007FF9667C0000-memory.dmp

Filesize
64KB

Download
memory/1048-91-0x0000018BE0C90000-0x0000018BE0CBB000-memory.dmp

Filesize
172KB

Download
memory/1204-95-0x00007FF9667B0000-0x00007FF9667C0000-memory.dmp

Filesize
64KB

Download
memory/1204-94-0x0000024416150000-0x000002441617B000-memory.dmp

Filesize
172KB

Download
memory/1256-98-0x00007FF9667B0000-0x00007FF9667C0000-memory.dmp

Filesize
64KB

Download
memory/1256-97-0x0000015927770000-0x000001592779B000-memory.dmp

Filesize
172KB

Download
memory/1312-101-0x00007FF9667B0000-0x00007FF9667C0000-memory.dmp

Filesize
64KB

Download
memory/1312-100-0x00000261DDDD0000-0x00000261DDDFB000-memory.dmp

Filesize
172KB

Download
memory/1464-103-0x000001167DB90000-0x000001167DBBB000-memory.dmp

Filesize
172KB

Download
memory/1464-104-0x00007FF9667B0000-0x00007FF9667C0000-memory.dmp

Filesize
64KB

Download
memory/1512-107-0x00007FF9667B0000-0x00007FF9667C0000-memory.dmp

Filesize
64KB

Download
memory/1512-106-0x000001F4B3E90000-0x000001F4B3EBB000-memory.dmp

Filesize
172KB

Download
memory/2248-770-0x0000000006400000-0x0000000006492000-memory.dmp

Filesize
584KB

Download
memory/2248-700-0x0000000074F4E000-0x0000000074F4F000-memory.dmp

Filesize
4KB

Download
memory/2248-771-0x0000000006A50000-0x0000000006FF4000-memory.dmp

Filesize
5.6MB

Download
memory/2248-37-0x0000000000AB0000-0x0000000000AE2000-memory.dmp

Filesize
200KB

Download
memory/2248-35-0x0000000074F4E000-0x0000000074F4F000-memory.dmp

Filesize
4KB

Download
memory/2248-613-0x00000000055E0000-0x0000000005646000-memory.dmp

Filesize
408KB

Download
memory/2840-40-0x00007FF986450000-0x00007FF986F11000-memory.dmp

Filesize
10.8MB

Download
memory/2840-36-0x000001536B190000-0x000001536B1A0000-memory.dmp

Filesize
64KB

Download
memory/2840-34-0x00007FF986450000-0x00007FF986F11000-memory.dmp

Filesize
10.8MB

Download
memory/2840-33-0x00007FF986450000-0x00007FF986F11000-memory.dmp

Filesize
10.8MB

Download
memory/2840-32-0x000001536AC10000-0x000001536AC32000-memory.dmp

Filesize
136KB

Download
memory/2840-22-0x00007FF986453000-0x00007FF986455000-memory.dmp

Filesize
8KB

Download
memory/3368-48-0x00007FF9A6730000-0x00007FF9A6925000-memory.dmp

Filesize
2.0MB

Download
memory/3368-45-0x0000000140000000-0x000000014002B000-memory.dmp

Filesize
172KB

Download
memory/3368-44-0x0000000140000000-0x000000014002B000-memory.dmp

Filesize
172KB

Download
memory/3368-43-0x0000000140000000-0x000000014002B000-memory.dmp

Filesize
172KB

Download
memory/3368-49-0x00007FF9A6630000-0x00007FF9A66EE000-memory.dmp

Filesize
760KB

Download
memory/3368-47-0x0000000140000000-0x000000014002B000-memory.dmp

Filesize
172KB

Download
memory/3368-42-0x0000000140000000-0x000000014002B000-memory.dmp

Filesize
172KB

Download
memory/3368-51-0x0000000140000000-0x000000014002B000-memory.dmp

Filesize
172KB

Download
memory/5168-347-0x0000020635600000-0x000002063561A000-memory.dmp

Filesize
104KB

Download
memory/5168-334-0x0000020635370000-0x000002063538C000-memory.dmp

Filesize
112KB

Download
memory/5168-350-0x00000206355F0000-0x00000206355FA000-memory.dmp

Filesize
40KB

Download
memory/5168-349-0x00000206355E0000-0x00000206355E6000-memory.dmp

Filesize
24KB

Download
memory/5168-348-0x00000206355B0000-0x00000206355B8000-memory.dmp

Filesize
32KB

Download
memory/5168-335-0x0000020635390000-0x0000020635445000-memory.dmp

Filesize
724KB

Download
memory/5168-346-0x00000206355A0000-0x00000206355AA000-memory.dmp

Filesize
40KB

Download
memory/5168-345-0x00000206355C0000-0x00000206355DC000-memory.dmp

Filesize
112KB

Download
memory/5168-336-0x0000020635450000-0x000002063545A000-memory.dmp

Filesize
40KB

Download