asyncrat | 0824eac1ce23de2321bce82efce874ab3c213d15f1a120d8ec08c85c7fbc250b

General

Target

0824eac1ce23de2321bce82efce874ab3c213d15f1a120d8ec08c85c7fbc250b.exe
Size

753KB
MD5

093bc49ab25cc6a20d95155db80f1fa8
SHA1

b1ed1ffa34d4e909e30e8a3a299a22d5101380e1
SHA256

0824eac1ce23de2321bce82efce874ab3c213d15f1a120d8ec08c85c7fbc250b
SHA512

bec9a628e91f16cd4bdfcda85f30a447ab2e817acdfcee307187cb2d5aaff32eb3fa3b659f810aca40290f97ff59122873d60e3fe9988d2195da0b6cb0870722
SSDEEP

12288:mUvKFtlyYqn58iP23JOcXYkrCQNkfCVvd487NYe3VqiYT6K3ifW+Janl:glyY058i0OuIQNkfCb4IV2iW+Janl

Score

10^/10

asyncrat darkcomet 2024+may3333-newcrt persistence rat trojan upx

Malware Config

Extracted

Family

darkcomet

Botnet

2024+May3333-newcrt

C2

dgorijan20785.hopto.org:35800

Mutex

DC_MUTEX-M4P4YFY

Attributes

InstallPath
rar.exe
gencode
jSEma97mAgP2
install
true
offline_keylogger
true
password
hhhhhh
persistence
true
reg_key
winrar

Extracted

Family

asyncrat

Version

0.5.6A

C2

dgorijan20785.hopto.org:6606

dgorijan20785.hopto.org:7707

dgorijan20785.hopto.org:8808

Mutex

v5tvc4rc3ex778899

Attributes

delay
5
install
true
install_file
audiodrvs.exe
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

sms4B80.tmp

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\Documents\\rar.exe"	sms4B80.tmp

Async RAT payload 1 IoCs

rat

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\sms4DF1.tmp	family_asyncrat

Detects executables packed with eXPressor 10 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3144-0-0x0000000000400000-0x00000000007956B4-memory.dmp	INDICATOR_EXE_Packed_eXPressor
behavioral2/memory/3144-2-0x0000000000400000-0x00000000007956B4-memory.dmp	INDICATOR_EXE_Packed_eXPressor
behavioral2/memory/3144-4-0x0000000000400000-0x00000000007956B4-memory.dmp	INDICATOR_EXE_Packed_eXPressor
behavioral2/memory/3144-3-0x0000000000400000-0x00000000007956B4-memory.dmp	INDICATOR_EXE_Packed_eXPressor
behavioral2/memory/3144-5-0x0000000000400000-0x00000000007956B4-memory.dmp	INDICATOR_EXE_Packed_eXPressor
behavioral2/memory/3144-6-0x0000000000400000-0x00000000007956B4-memory.dmp	INDICATOR_EXE_Packed_eXPressor
C:\Users\Admin\AppData\Local\Temp\CHROMEL.EXE	INDICATOR_EXE_Packed_eXPressor
behavioral2/memory/1376-32-0x0000000000400000-0x00000000004E05B0-memory.dmp	INDICATOR_EXE_Packed_eXPressor
behavioral2/memory/3144-119-0x0000000000400000-0x00000000007956B4-memory.dmp	INDICATOR_EXE_Packed_eXPressor
behavioral2/memory/1376-124-0x0000000000400000-0x00000000004E05B0-memory.dmp	INDICATOR_EXE_Packed_eXPressor

Detects file containing reversed ASEP Autorun registry keys 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\sms4DF1.tmp	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse
behavioral2/memory/1888-43-0x0000000000A30000-0x0000000000A42000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse

UPX dump on OEP (original entry point) 6 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\sms4B80.tmp	UPX
behavioral2/memory/1700-11-0x0000000000400000-0x000000000055B000-memory.dmp	UPX
behavioral2/memory/1700-12-0x0000000000400000-0x000000000055B000-memory.dmp	UPX
behavioral2/memory/1700-117-0x0000000000400000-0x000000000055B000-memory.dmp	UPX
behavioral2/memory/1764-125-0x0000000000400000-0x000000000055B000-memory.dmp	UPX
behavioral2/memory/1764-135-0x0000000000400000-0x000000000055B000-memory.dmp	UPX

Drops file in Drivers directory 1 IoCs

Processes:

sms4B80.tmp

description ioc process

File opened for modification C:\Windows\system32\drivers\etc\hosts sms4B80.tmp

description	ioc	process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	sms4B80.tmp

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

sms4B80.tmpPRINTSERV.EXEsms4DF1.tmp

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	sms4B80.tmp
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	PRINTSERV.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	sms4DF1.tmp

Executes dropped EXE 7 IoCs

Processes:

sms4B80.tmpCHROMEL.EXEPRINTSERV.EXEsms4DF1.tmpPRINTSERV.EXErar.exeaudiodrvs.exe

pid process

1700 sms4B80.tmp
1376 CHROMEL.EXE
1008 PRINTSERV.EXE
1888 sms4DF1.tmp
2860 PRINTSERV.EXE
1764 rar.exe
4288 audiodrvs.exe

pid	process
1700	sms4B80.tmp
1376	CHROMEL.EXE
1008	PRINTSERV.EXE
1888	sms4DF1.tmp
2860	PRINTSERV.EXE
1764	rar.exe
4288	audiodrvs.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\sms4B80.tmp	upx
behavioral2/memory/1700-11-0x0000000000400000-0x000000000055B000-memory.dmp	upx
behavioral2/memory/1700-12-0x0000000000400000-0x000000000055B000-memory.dmp	upx
behavioral2/memory/1700-117-0x0000000000400000-0x000000000055B000-memory.dmp	upx
behavioral2/memory/1764-125-0x0000000000400000-0x000000000055B000-memory.dmp	upx
behavioral2/memory/1764-135-0x0000000000400000-0x000000000055B000-memory.dmp	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

sms4B80.tmprar.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winrar = "C:\\Users\\Admin\\Documents\\rar.exe"	sms4B80.tmp
Set value (str)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winrar = "C:\\Users\\Admin\\Documents\\rar.exe"	rar.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exe

pid process

3568 schtasks.exe
1284 schtasks.exe
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

2688 timeout.exe
Modifies registry class 1 IoCs

Processes:

sms4B80.tmp

description ioc process

Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ sms4B80.tmp

pid	process
3568	schtasks.exe
1284	schtasks.exe

pid	process
2688	timeout.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	sms4B80.tmp

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

PRINTSERV.EXEsms4DF1.tmpaudiodrvs.exe

pid	process
2860	PRINTSERV.EXE
2860	PRINTSERV.EXE
2860	PRINTSERV.EXE
2860	PRINTSERV.EXE
2860	PRINTSERV.EXE
2860	PRINTSERV.EXE
2860	PRINTSERV.EXE
2860	PRINTSERV.EXE
2860	PRINTSERV.EXE
1888	sms4DF1.tmp
1888	sms4DF1.tmp
1888	sms4DF1.tmp
1888	sms4DF1.tmp
1888	sms4DF1.tmp
1888	sms4DF1.tmp
1888	sms4DF1.tmp
1888	sms4DF1.tmp
1888	sms4DF1.tmp
1888	sms4DF1.tmp
1888	sms4DF1.tmp
1888	sms4DF1.tmp
1888	sms4DF1.tmp
1888	sms4DF1.tmp
1888	sms4DF1.tmp
1888	sms4DF1.tmp
1888	sms4DF1.tmp
1888	sms4DF1.tmp
1888	sms4DF1.tmp
1888	sms4DF1.tmp
1888	sms4DF1.tmp
2860	PRINTSERV.EXE
2860	PRINTSERV.EXE
2860	PRINTSERV.EXE
2860	PRINTSERV.EXE
2860	PRINTSERV.EXE
2860	PRINTSERV.EXE
2860	PRINTSERV.EXE
2860	PRINTSERV.EXE
2860	PRINTSERV.EXE
2860	PRINTSERV.EXE
2860	PRINTSERV.EXE
2860	PRINTSERV.EXE
4288	audiodrvs.exe
2860	PRINTSERV.EXE
2860	PRINTSERV.EXE
2860	PRINTSERV.EXE
2860	PRINTSERV.EXE
2860	PRINTSERV.EXE
2860	PRINTSERV.EXE
2860	PRINTSERV.EXE
2860	PRINTSERV.EXE
2860	PRINTSERV.EXE
2860	PRINTSERV.EXE
2860	PRINTSERV.EXE
2860	PRINTSERV.EXE
2860	PRINTSERV.EXE
2860	PRINTSERV.EXE
2860	PRINTSERV.EXE
2860	PRINTSERV.EXE
2860	PRINTSERV.EXE
2860	PRINTSERV.EXE
2860	PRINTSERV.EXE
2860	PRINTSERV.EXE
2860	PRINTSERV.EXE

Suspicious use of AdjustPrivilegeToken 51 IoCs

Processes:

sms4B80.tmprar.exesms4DF1.tmpPRINTSERV.EXEaudiodrvs.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	1700	sms4B80.tmp
Token: SeSecurityPrivilege	1700	sms4B80.tmp
Token: SeTakeOwnershipPrivilege	1700	sms4B80.tmp
Token: SeLoadDriverPrivilege	1700	sms4B80.tmp
Token: SeSystemProfilePrivilege	1700	sms4B80.tmp
Token: SeSystemtimePrivilege	1700	sms4B80.tmp
Token: SeProfSingleProcessPrivilege	1700	sms4B80.tmp
Token: SeIncBasePriorityPrivilege	1700	sms4B80.tmp
Token: SeCreatePagefilePrivilege	1700	sms4B80.tmp
Token: SeBackupPrivilege	1700	sms4B80.tmp
Token: SeRestorePrivilege	1700	sms4B80.tmp
Token: SeShutdownPrivilege	1700	sms4B80.tmp
Token: SeDebugPrivilege	1700	sms4B80.tmp
Token: SeSystemEnvironmentPrivilege	1700	sms4B80.tmp
Token: SeChangeNotifyPrivilege	1700	sms4B80.tmp
Token: SeRemoteShutdownPrivilege	1700	sms4B80.tmp
Token: SeUndockPrivilege	1700	sms4B80.tmp
Token: SeManageVolumePrivilege	1700	sms4B80.tmp
Token: SeImpersonatePrivilege	1700	sms4B80.tmp
Token: SeCreateGlobalPrivilege	1700	sms4B80.tmp
Token: 33	1700	sms4B80.tmp
Token: 34	1700	sms4B80.tmp
Token: 35	1700	sms4B80.tmp
Token: 36	1700	sms4B80.tmp
Token: SeIncreaseQuotaPrivilege	1764	rar.exe
Token: SeSecurityPrivilege	1764	rar.exe
Token: SeTakeOwnershipPrivilege	1764	rar.exe
Token: SeLoadDriverPrivilege	1764	rar.exe
Token: SeSystemProfilePrivilege	1764	rar.exe
Token: SeSystemtimePrivilege	1764	rar.exe
Token: SeProfSingleProcessPrivilege	1764	rar.exe
Token: SeIncBasePriorityPrivilege	1764	rar.exe
Token: SeCreatePagefilePrivilege	1764	rar.exe
Token: SeBackupPrivilege	1764	rar.exe
Token: SeRestorePrivilege	1764	rar.exe
Token: SeShutdownPrivilege	1764	rar.exe
Token: SeDebugPrivilege	1764	rar.exe
Token: SeSystemEnvironmentPrivilege	1764	rar.exe
Token: SeChangeNotifyPrivilege	1764	rar.exe
Token: SeRemoteShutdownPrivilege	1764	rar.exe
Token: SeUndockPrivilege	1764	rar.exe
Token: SeManageVolumePrivilege	1764	rar.exe
Token: SeImpersonatePrivilege	1764	rar.exe
Token: SeCreateGlobalPrivilege	1764	rar.exe
Token: 33	1764	rar.exe
Token: 34	1764	rar.exe
Token: 35	1764	rar.exe
Token: 36	1764	rar.exe
Token: SeDebugPrivilege	1888	sms4DF1.tmp
Token: SeDebugPrivilege	2860	PRINTSERV.EXE
Token: SeDebugPrivilege	4288	audiodrvs.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

rar.exe

pid process

1764 rar.exe

pid	process
1764	rar.exe

Suspicious use of WriteProcessMemory 44 IoCs

Processes:

0824eac1ce23de2321bce82efce874ab3c213d15f1a120d8ec08c85c7fbc250b.exesms4B80.tmpCHROMEL.EXEPRINTSERV.EXEPRINTSERV.EXEsms4DF1.tmpcmd.exe

description	pid	process	target process
PID 3144 wrote to memory of 1700	3144	0824eac1ce23de2321bce82efce874ab3c213d15f1a120d8ec08c85c7fbc250b.exe	sms4B80.tmp
PID 3144 wrote to memory of 1700	3144	0824eac1ce23de2321bce82efce874ab3c213d15f1a120d8ec08c85c7fbc250b.exe	sms4B80.tmp
PID 3144 wrote to memory of 1700	3144	0824eac1ce23de2321bce82efce874ab3c213d15f1a120d8ec08c85c7fbc250b.exe	sms4B80.tmp
PID 1700 wrote to memory of 1376	1700	sms4B80.tmp	CHROMEL.EXE
PID 1700 wrote to memory of 1376	1700	sms4B80.tmp	CHROMEL.EXE
PID 1700 wrote to memory of 1008	1700	sms4B80.tmp	PRINTSERV.EXE
PID 1700 wrote to memory of 1008	1700	sms4B80.tmp	PRINTSERV.EXE
PID 1700 wrote to memory of 1008	1700	sms4B80.tmp	PRINTSERV.EXE
PID 1376 wrote to memory of 1888	1376	CHROMEL.EXE	sms4DF1.tmp
PID 1376 wrote to memory of 1888	1376	CHROMEL.EXE	sms4DF1.tmp
PID 1700 wrote to memory of 4424	1700	sms4B80.tmp	notepad.exe
PID 1700 wrote to memory of 4424	1700	sms4B80.tmp	notepad.exe
PID 1700 wrote to memory of 4424	1700	sms4B80.tmp	notepad.exe
PID 1700 wrote to memory of 4424	1700	sms4B80.tmp	notepad.exe
PID 1700 wrote to memory of 4424	1700	sms4B80.tmp	notepad.exe
PID 1700 wrote to memory of 4424	1700	sms4B80.tmp	notepad.exe
PID 1700 wrote to memory of 4424	1700	sms4B80.tmp	notepad.exe
PID 1700 wrote to memory of 4424	1700	sms4B80.tmp	notepad.exe
PID 1700 wrote to memory of 4424	1700	sms4B80.tmp	notepad.exe
PID 1700 wrote to memory of 4424	1700	sms4B80.tmp	notepad.exe
PID 1700 wrote to memory of 4424	1700	sms4B80.tmp	notepad.exe
PID 1700 wrote to memory of 4424	1700	sms4B80.tmp	notepad.exe
PID 1700 wrote to memory of 4424	1700	sms4B80.tmp	notepad.exe
PID 1700 wrote to memory of 4424	1700	sms4B80.tmp	notepad.exe
PID 1700 wrote to memory of 4424	1700	sms4B80.tmp	notepad.exe
PID 1700 wrote to memory of 4424	1700	sms4B80.tmp	notepad.exe
PID 1700 wrote to memory of 4424	1700	sms4B80.tmp	notepad.exe
PID 1008 wrote to memory of 2860	1008	PRINTSERV.EXE	PRINTSERV.EXE
PID 1008 wrote to memory of 2860	1008	PRINTSERV.EXE	PRINTSERV.EXE
PID 1008 wrote to memory of 2860	1008	PRINTSERV.EXE	PRINTSERV.EXE
PID 1700 wrote to memory of 1764	1700	sms4B80.tmp	rar.exe
PID 1700 wrote to memory of 1764	1700	sms4B80.tmp	rar.exe
PID 1700 wrote to memory of 1764	1700	sms4B80.tmp	rar.exe
PID 2860 wrote to memory of 3568	2860	PRINTSERV.EXE	schtasks.exe
PID 2860 wrote to memory of 3568	2860	PRINTSERV.EXE	schtasks.exe
PID 2860 wrote to memory of 3568	2860	PRINTSERV.EXE	schtasks.exe
PID 1888 wrote to memory of 1284	1888	sms4DF1.tmp	schtasks.exe
PID 1888 wrote to memory of 1284	1888	sms4DF1.tmp	schtasks.exe
PID 1888 wrote to memory of 1856	1888	sms4DF1.tmp	cmd.exe
PID 1888 wrote to memory of 1856	1888	sms4DF1.tmp	cmd.exe
PID 1856 wrote to memory of 2688	1856	cmd.exe	timeout.exe
PID 1856 wrote to memory of 2688	1856	cmd.exe	timeout.exe
PID 1856 wrote to memory of 4288	1856	cmd.exe	audiodrvs.exe
PID 1856 wrote to memory of 4288	1856	cmd.exe	audiodrvs.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\0824eac1ce23de2321bce82efce874ab3c213d15f1a120d8ec08c85c7fbc250b.exe
"C:\Users\Admin\AppData\Local\Temp\0824eac1ce23de2321bce82efce874ab3c213d15f1a120d8ec08c85c7fbc250b.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3144

C:\Users\Admin\AppData\Local\Temp\sms4B80.tmp
"C:\Users\Admin\AppData\Local\Temp\sms4B80.tmp"
2⤵
- Modifies WinLogon for persistence
- Drops file in Drivers directory
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1700

C:\Users\Admin\AppData\Local\Temp\CHROMEL.EXE
"C:\Users\Admin\AppData\Local\Temp\CHROMEL.EXE"
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1376

C:\Users\Admin\AppData\Local\Temp\sms4DF1.tmp
"C:\Users\Admin\AppData\Local\Temp\sms4DF1.tmp"
4⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1888

C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "'audiodrvs"' /tr "'C:\Users\Admin\AppData\Roaming\audiodrvs.exe"'
5⤵
- Creates scheduled task(s)
PID:1284

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp8E36.tmp.bat""
5⤵
- Suspicious use of WriteProcessMemory
PID:1856

C:\Windows\system32\timeout.exe
timeout 3
6⤵
- Delays execution with timeout.exe
PID:2688

C:\Users\Admin\AppData\Roaming\audiodrvs.exe
"C:\Users\Admin\AppData\Roaming\audiodrvs.exe"
6⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4288

C:\Users\Admin\AppData\Local\Temp\PRINTSERV.EXE
"C:\Users\Admin\AppData\Local\Temp\PRINTSERV.EXE"
3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1008

C:\Users\Admin\AppData\Local\Temp\XenoManager\PRINTSERV.EXE
"C:\Users\Admin\AppData\Local\Temp\XenoManager\PRINTSERV.EXE"
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2860

C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /Create /TN "logons" /XML "C:\Users\Admin\AppData\Local\Temp\tmp638C.tmp" /F
5⤵
- Creates scheduled task(s)
PID:3568

C:\Windows\SysWOW64\notepad.exe
notepad
3⤵
PID:4424

C:\Users\Admin\Documents\rar.exe
"C:\Users\Admin\Documents\rar.exe"
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1764

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Boot or Logon Autostart Execution

2

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Winlogon Helper DLL

Scheduled Task/Job

Privilege Escalation

Boot or Logon Autostart Execution

2

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Winlogon Helper DLL

Scheduled Task/Job

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\PRINTSERV.EXE.log
Filesize
226B

MD5
916851e072fbabc4796d8916c5131092

SHA1
d48a602229a690c512d5fdaf4c8d77547a88e7a2

SHA256
7e750c904c43d27c89e55af809a679a96c0bb63fc511006ffbceffc2c7f6fb7d

SHA512
07ce4c881d6c411cac0b62364377e77950797c486804fb10d00555458716e3c47b1efc0d1f37e4cc3b7e6565bb402ca01c7ea8c963f9f9ace941a6e3883d2521

Download Submit
C:\Users\Admin\AppData\Local\Temp\CHROMEL.EXE
Filesize
184KB

MD5
f6062ddb9cc2fad6e403b8b9dbe02df7

SHA1
efebcabb3902cdcc7b789786d96db2a93156b81a

SHA256
61309415bb524bba3d6065cf5df5ce2031ddde239c7f7864d0d2eaf31597a96c

SHA512
3d2473fd09d5d0a4a0f463ed84522165254880a6f94491b5c9a21fbbd39df4579980184fd838f75b3ad6457065c818c536447ae18c97eac29146cd8be5883040

Download Submit
C:\Users\Admin\AppData\Local\Temp\PRINTSERV.EXE
Filesize
408KB

MD5
b8eaef2339ba6bfac3648df30d041a95

SHA1
0833419f0da847383c0031611c69a87baa8f2d6d

SHA256
6ce2b4a0e176126f0899223eace35c31b544e46a2067b0ecf0adf8d06f87309d

SHA512
c265a39039c9dd8237fb10c26066ff7247babc727a556919f7673311dee1d38c3a52a2cf83e54f148401b984495b4e5636b8254388376e96f0a4e9a40cba6613

Download Submit
C:\Users\Admin\AppData\Local\Temp\sms4B80.tmp
Filesize
595KB

MD5
89feeb6ec82c704b1771bfa2536bd401

SHA1
2ae958b6e74986696e412e313b5f0aee3756ba19

SHA256
9765068707da158f492b48d5628b3b6cc93dc34dd402d57c0b4ced60701e0b9a

SHA512
9ef8c9c1c9795cf4451dd577c2292171c7dccb9aa24447dff72de9e886e604638b32f637ba8e19cfc86c377fed7a97c56336a62f7edd6130d4a8b928f5bf0484

Download Submit
C:\Users\Admin\AppData\Local\Temp\sms4DF1.tmp
Filesize
46KB

MD5
194de251c043183099b2d6f7f5d1e09f

SHA1
dc477dfc0e090e8d7bd31fb808f59060dd2cf360

SHA256
12bee16f9692cb9a6d3713543cf998a4f953d0341f4e9c661748faef525d91e6

SHA512
6a1433b9bc070f18f60c3f115a1173e8979d211f6e97daf3fc7fe13f05ab15123874919418fc014fdd8af62c82426cb091b867b36a49fe7fc8fe929709b3a433

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp638C.tmp
Filesize
1KB

MD5
db5e3f14b64ed69affa1389010cd445e

SHA1
752719617c787dbb741cfd4e8a608dd2f578d4c9

SHA256
eaeea05441cdf6ec90fd034de26b0108920f2d625f308497ebe7c05be8b69cc4

SHA512
8ee07a3e1684fb72852ad954b985db0d5a3931be5037a1fa8cb62677401d52042d80a80f27e1692edfef1d9f15b1d0cb8b8633b0414727cd775b04c4bb5e7fa9

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp8E36.tmp.bat
Filesize
153B

MD5
d761a77ca0d4b7901be954c38c9ffdc5

SHA1
4103bc4cdea1c985e432c5afbddf140277530b37

SHA256
f4a22e6bccb1b4d54675f02f18124faa0542217d14bdd244b084fdd35aea8d1d

SHA512
522b31e8e2c08976f8d1d61beed300a478bfc3e7de4f7e3d08d7ccca3c699d8128f5a8dffd687cdd704968e2cfe53d59c4c4c8ed4f424e0e503e90d4fe6632d4

Download Submit
C:\Users\Admin\AppData\Roaming\audiodrvs.exe
Filesize
45.8MB

MD5
676bcf47a18318bbfd1ff20aaa69ca9e

SHA1
4508a3b28b87380c8d6f9645469ad8f78863db18

SHA256
ab5a77fa09a36d9b62391f75bb1d56b0bb58d434705b549d15956da94ce12b4d

SHA512
9715a7ed7d8668cf188870da36f313154918f1e268ac14b83bc48fea2bf857655773b8f6a48f8166de0c26a377bb8958b579bbc10a59fc7c42fc5220b99e3769

Download Submit
memory/1008-38-0x00000000005F0000-0x000000000065E000-memory.dmp

Filesize
440KB

Download
memory/1008-37-0x0000000072B4E000-0x0000000072B4F000-memory.dmp

Filesize
4KB

Download
memory/1008-44-0x0000000002A60000-0x0000000002A66000-memory.dmp

Filesize
24KB

Download
memory/1376-32-0x0000000000400000-0x00000000004E05B0-memory.dmp

Filesize
897KB

Download
memory/1376-124-0x0000000000400000-0x00000000004E05B0-memory.dmp

Filesize
897KB

Download
memory/1700-117-0x0000000000400000-0x000000000055B000-memory.dmp

Filesize
1.4MB

Download
memory/1700-11-0x0000000000400000-0x000000000055B000-memory.dmp

Filesize
1.4MB

Download
memory/1700-12-0x0000000000400000-0x000000000055B000-memory.dmp

Filesize
1.4MB

Download
memory/1764-135-0x0000000000400000-0x000000000055B000-memory.dmp

Filesize
1.4MB

Download
memory/1764-125-0x0000000000400000-0x000000000055B000-memory.dmp

Filesize
1.4MB

Download
memory/1888-43-0x0000000000A30000-0x0000000000A42000-memory.dmp

Filesize
72KB

Download
memory/2860-123-0x00000000058F0000-0x0000000005956000-memory.dmp

Filesize
408KB

Download
memory/3144-0-0x0000000000400000-0x00000000007956B4-memory.dmp

Filesize
3.6MB

Download
memory/3144-119-0x0000000000400000-0x00000000007956B4-memory.dmp

Filesize
3.6MB

Download
memory/3144-4-0x0000000000400000-0x00000000007956B4-memory.dmp

Filesize
3.6MB

Download
memory/3144-3-0x0000000000400000-0x00000000007956B4-memory.dmp

Filesize
3.6MB

Download
memory/3144-5-0x0000000000400000-0x00000000007956B4-memory.dmp

Filesize
3.6MB

Download
memory/3144-1-0x00000000006BB000-0x00000000006BC000-memory.dmp

Filesize
4KB

Download
memory/3144-2-0x0000000000400000-0x00000000007956B4-memory.dmp

Filesize
3.6MB

Download
memory/3144-6-0x0000000000400000-0x00000000007956B4-memory.dmp

Filesize
3.6MB

Download
memory/4424-48-0x0000000000970000-0x0000000000971000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads