asyncrat | ae55dc186e2373b964f1d84fd51aa7692fdb2994cc163128b97631c3ba7f7066

Analysis

max time kernel
118s
max time network
152s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
24-05-2024 08:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

47e6542e234e5ffed88732519f19008c.bin.exe
Size

680KB
MD5

47e6542e234e5ffed88732519f19008c
SHA1

b3dd01bf81d5b4b9595c13032d0fc8006dbc7e64
SHA256

ae55dc186e2373b964f1d84fd51aa7692fdb2994cc163128b97631c3ba7f7066
SHA512

98e4ddd035c81623ba2dcc5fc4ca58da3aa6ba10c7bce25ab0a00e7737c11152d6a77507c859f7f369be8fc456189acb5fe90a55064a5bf790e06662f3b589ce
SSDEEP

12288:+Xplx92r2O9Ycny57ohEDGtnXCkgybsySO+TbQnpNwMfgriFg3ikzA6pVPbi81kR:oFTCy5XityUWXUNwMfgrV3ikz8

Score

10^/10

asyncrat default execution rat

Malware Config

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

Default

198.55.115.39:6606

198.55.115.39:7707

198.55.115.39:8808

Mutex

AsyncMutex_6SI8OkPnk

Attributes

delay
3
install
true
install_file
Wndfnder.exe
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exe

pid process

888 powershell.exe
1700 powershell.exe
Executes dropped EXE 2 IoCs

Processes:

Wndfnder.exeWndfnder.exe

pid process

2728 Wndfnder.exe
1312 Wndfnder.exe
Loads dropped DLL 1 IoCs

Processes:

cmd.exe

pid process

1628 cmd.exe

pid	process
888	powershell.exe
1700	powershell.exe

pid	process
2728	Wndfnder.exe
1312	Wndfnder.exe

pid	process
1628	cmd.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

47e6542e234e5ffed88732519f19008c.bin.exeWndfnder.exe

description	pid	process	target process
PID 2240 set thread context of 1488	2240	47e6542e234e5ffed88732519f19008c.bin.exe	47e6542e234e5ffed88732519f19008c.bin.exe
PID 2728 set thread context of 1312	2728	Wndfnder.exe	Wndfnder.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exe

pid process

2568 schtasks.exe
2948 schtasks.exe
2008 schtasks.exe
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

2812 timeout.exe

pid	process
2568	schtasks.exe
2948	schtasks.exe
2008	schtasks.exe

pid	process
2812	timeout.exe

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

Wndfnder.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\E12DFB4B41D7D9C32B30514BAC1D81D8385E2D46\Blob = 0f0000000100000014000000f45a0858c9cd920e647bad539ab9f1cfc77f24cb090000000100000016000000301406082b0601050507030306082b06010505070308140000000100000014000000daed6474149c143cabdd99a9bd5b284d8b3cc9d80b000000010000001400000055005300450052005400720075007300740000001d0000000100000010000000f919b9ccce1e59c2e785f7dc2ccf6708030000000100000014000000e12dfb4b41d7d9c32b30514bac1d81d8385e2d4620000000010000006a040000308204663082034ea003020102021044be0c8b500024b411d3362de0b35f1b300d06092a864886f70d0101050500308195310b3009060355040613025553310b3009060355040813025554311730150603550407130e53616c74204c616b652043697479311e301c060355040a131554686520555345525452555354204e6574776f726b3121301f060355040b1318687474703a2f2f7777772e7573657274727573742e636f6d311d301b0603550403131455544e2d5553455246697273742d4f626a656374301e170d3939303730393138333132305a170d3139303730393138343033365a308195310b3009060355040613025553310b3009060355040813025554311730150603550407130e53616c74204c616b652043697479311e301c060355040a131554686520555345525452555354204e6574776f726b3121301f060355040b1318687474703a2f2f7777772e7573657274727573742e636f6d311d301b0603550403131455544e2d5553455246697273742d4f626a65637430820122300d06092a864886f70d01010105000382010f003082010a0282010100ceaa813fa3a36178aa31005595119e270f1f1cdf3a9b826830c04a611df12f0efabe79f7a523ef55519684cddbe3b96e3e31d80a2067c7f4d9bf94eb47043e02ce2aa25d870409f6309d188a97b2aa1cfc41d2a136cbfb3d91bae7d97035fae4e790c39ba39bd33cf5129977b1b709e068e61cb8f39463886a6afe0b76c9bef422e467b9ab1a5e77c18507dd0d6cbfee06c7776a419ea70fd7fbee9417b7fc85bea4abc41c31ddd7b6d1e4f0efdf168fb25293d7a1d489a1072ebfe10112421e1ae1d89534db647928ffba2e11c2e5e85b9248fb470bc26cdaad328341f3a5e54170fd65906dfafa51c4f9bd962b19042cd36da7dcf07f6f8365e26aab8786750203010001a381af3081ac300b0603551d0f0404030201c6300f0603551d130101ff040530030101ff301d0603551d0e04160414daed6474149c143cabdd99a9bd5b284d8b3cc9d830420603551d1f043b30393037a035a0338631687474703a2f2f63726c2e7573657274727573742e636f6d2f55544e2d5553455246697273742d4f626a6563742e63726c30290603551d250422302006082b0601050507030306082b06010505070308060a2b0601040182370a0304300d06092a864886f70d01010505000382010100081f52b1374478dbfdceb9da959698aa556480b55a40dd21a5c5c1f35f2c4cc8475a69eae8f03535f4d025f3c8a6a4874abd1bb17308bdd4c3cab635bb59867731cda78014ae13effcb148f96b25252d51b62c6d45c198c88a565d3eee434e3e6b278ed03a4b850b5fd3ed6aa775cbd15a872f3975135a72b002819fbef00f845420626c69d4e14dc60d9943010d12968c789dbf50a2b144aa6acf177acf6f0fd4f824555ff0341649663e5046c96371383162b862b9f353ad6cb52ba212aa194f09da5ee793c68e1408fef0308018a086854dc87dd78b03fe6ed5f79d16ac922ca023e59c91521f94df179473c3b3c1c17105200078bd13521da83ecd001fc8	Wndfnder.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\E12DFB4B41D7D9C32B30514BAC1D81D8385E2D46\Blob = 190000000100000010000000e843ac3b52ec8c297fa948c9b1fb2819030000000100000014000000e12dfb4b41d7d9c32b30514bac1d81d8385e2d461d0000000100000010000000f919b9ccce1e59c2e785f7dc2ccf67080b00000001000000140000005500530045005200540072007500730074000000140000000100000014000000daed6474149c143cabdd99a9bd5b284d8b3cc9d8090000000100000016000000301406082b0601050507030306082b060105050703080f0000000100000014000000f45a0858c9cd920e647bad539ab9f1cfc77f24cb20000000010000006a040000308204663082034ea003020102021044be0c8b500024b411d3362de0b35f1b300d06092a864886f70d0101050500308195310b3009060355040613025553310b3009060355040813025554311730150603550407130e53616c74204c616b652043697479311e301c060355040a131554686520555345525452555354204e6574776f726b3121301f060355040b1318687474703a2f2f7777772e7573657274727573742e636f6d311d301b0603550403131455544e2d5553455246697273742d4f626a656374301e170d3939303730393138333132305a170d3139303730393138343033365a308195310b3009060355040613025553310b3009060355040813025554311730150603550407130e53616c74204c616b652043697479311e301c060355040a131554686520555345525452555354204e6574776f726b3121301f060355040b1318687474703a2f2f7777772e7573657274727573742e636f6d311d301b0603550403131455544e2d5553455246697273742d4f626a65637430820122300d06092a864886f70d01010105000382010f003082010a0282010100ceaa813fa3a36178aa31005595119e270f1f1cdf3a9b826830c04a611df12f0efabe79f7a523ef55519684cddbe3b96e3e31d80a2067c7f4d9bf94eb47043e02ce2aa25d870409f6309d188a97b2aa1cfc41d2a136cbfb3d91bae7d97035fae4e790c39ba39bd33cf5129977b1b709e068e61cb8f39463886a6afe0b76c9bef422e467b9ab1a5e77c18507dd0d6cbfee06c7776a419ea70fd7fbee9417b7fc85bea4abc41c31ddd7b6d1e4f0efdf168fb25293d7a1d489a1072ebfe10112421e1ae1d89534db647928ffba2e11c2e5e85b9248fb470bc26cdaad328341f3a5e54170fd65906dfafa51c4f9bd962b19042cd36da7dcf07f6f8365e26aab8786750203010001a381af3081ac300b0603551d0f0404030201c6300f0603551d130101ff040530030101ff301d0603551d0e04160414daed6474149c143cabdd99a9bd5b284d8b3cc9d830420603551d1f043b30393037a035a0338631687474703a2f2f63726c2e7573657274727573742e636f6d2f55544e2d5553455246697273742d4f626a6563742e63726c30290603551d250422302006082b0601050507030306082b06010505070308060a2b0601040182370a0304300d06092a864886f70d01010505000382010100081f52b1374478dbfdceb9da959698aa556480b55a40dd21a5c5c1f35f2c4cc8475a69eae8f03535f4d025f3c8a6a4874abd1bb17308bdd4c3cab635bb59867731cda78014ae13effcb148f96b25252d51b62c6d45c198c88a565d3eee434e3e6b278ed03a4b850b5fd3ed6aa775cbd15a872f3975135a72b002819fbef00f845420626c69d4e14dc60d9943010d12968c789dbf50a2b144aa6acf177acf6f0fd4f824555ff0341649663e5046c96371383162b862b9f353ad6cb52ba212aa194f09da5ee793c68e1408fef0308018a086854dc87dd78b03fe6ed5f79d16ac922ca023e59c91521f94df179473c3b3c1c17105200078bd13521da83ecd001fc8	Wndfnder.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\E12DFB4B41D7D9C32B30514BAC1D81D8385E2D46\Blob = 040000000100000010000000a7f2e41606411150306b9ce3b49cb0c90f0000000100000014000000f45a0858c9cd920e647bad539ab9f1cfc77f24cb090000000100000016000000301406082b0601050507030306082b06010505070308140000000100000014000000daed6474149c143cabdd99a9bd5b284d8b3cc9d80b000000010000001400000055005300450052005400720075007300740000001d0000000100000010000000f919b9ccce1e59c2e785f7dc2ccf6708030000000100000014000000e12dfb4b41d7d9c32b30514bac1d81d8385e2d46190000000100000010000000e843ac3b52ec8c297fa948c9b1fb281920000000010000006a040000308204663082034ea003020102021044be0c8b500024b411d3362de0b35f1b300d06092a864886f70d0101050500308195310b3009060355040613025553310b3009060355040813025554311730150603550407130e53616c74204c616b652043697479311e301c060355040a131554686520555345525452555354204e6574776f726b3121301f060355040b1318687474703a2f2f7777772e7573657274727573742e636f6d311d301b0603550403131455544e2d5553455246697273742d4f626a656374301e170d3939303730393138333132305a170d3139303730393138343033365a308195310b3009060355040613025553310b3009060355040813025554311730150603550407130e53616c74204c616b652043697479311e301c060355040a131554686520555345525452555354204e6574776f726b3121301f060355040b1318687474703a2f2f7777772e7573657274727573742e636f6d311d301b0603550403131455544e2d5553455246697273742d4f626a65637430820122300d06092a864886f70d01010105000382010f003082010a0282010100ceaa813fa3a36178aa31005595119e270f1f1cdf3a9b826830c04a611df12f0efabe79f7a523ef55519684cddbe3b96e3e31d80a2067c7f4d9bf94eb47043e02ce2aa25d870409f6309d188a97b2aa1cfc41d2a136cbfb3d91bae7d97035fae4e790c39ba39bd33cf5129977b1b709e068e61cb8f39463886a6afe0b76c9bef422e467b9ab1a5e77c18507dd0d6cbfee06c7776a419ea70fd7fbee9417b7fc85bea4abc41c31ddd7b6d1e4f0efdf168fb25293d7a1d489a1072ebfe10112421e1ae1d89534db647928ffba2e11c2e5e85b9248fb470bc26cdaad328341f3a5e54170fd65906dfafa51c4f9bd962b19042cd36da7dcf07f6f8365e26aab8786750203010001a381af3081ac300b0603551d0f0404030201c6300f0603551d130101ff040530030101ff301d0603551d0e04160414daed6474149c143cabdd99a9bd5b284d8b3cc9d830420603551d1f043b30393037a035a0338631687474703a2f2f63726c2e7573657274727573742e636f6d2f55544e2d5553455246697273742d4f626a6563742e63726c30290603551d250422302006082b0601050507030306082b06010505070308060a2b0601040182370a0304300d06092a864886f70d01010505000382010100081f52b1374478dbfdceb9da959698aa556480b55a40dd21a5c5c1f35f2c4cc8475a69eae8f03535f4d025f3c8a6a4874abd1bb17308bdd4c3cab635bb59867731cda78014ae13effcb148f96b25252d51b62c6d45c198c88a565d3eee434e3e6b278ed03a4b850b5fd3ed6aa775cbd15a872f3975135a72b002819fbef00f845420626c69d4e14dc60d9943010d12968c789dbf50a2b144aa6acf177acf6f0fd4f824555ff0341649663e5046c96371383162b862b9f353ad6cb52ba212aa194f09da5ee793c68e1408fef0308018a086854dc87dd78b03fe6ed5f79d16ac922ca023e59c91521f94df179473c3b3c1c17105200078bd13521da83ecd001fc8	Wndfnder.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\E12DFB4B41D7D9C32B30514BAC1D81D8385E2D46	Wndfnder.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

47e6542e234e5ffed88732519f19008c.bin.exepowershell.exe47e6542e234e5ffed88732519f19008c.bin.exeWndfnder.exepowershell.exe

pid	process
2240	47e6542e234e5ffed88732519f19008c.bin.exe
2240	47e6542e234e5ffed88732519f19008c.bin.exe
2240	47e6542e234e5ffed88732519f19008c.bin.exe
888	powershell.exe
1488	47e6542e234e5ffed88732519f19008c.bin.exe
1488	47e6542e234e5ffed88732519f19008c.bin.exe
2728	Wndfnder.exe
2728	Wndfnder.exe
2728	Wndfnder.exe
1700	powershell.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

47e6542e234e5ffed88732519f19008c.bin.exepowershell.exe47e6542e234e5ffed88732519f19008c.bin.exeWndfnder.exepowershell.exeWndfnder.exe

description	pid	process
Token: SeDebugPrivilege	2240	47e6542e234e5ffed88732519f19008c.bin.exe
Token: SeDebugPrivilege	888	powershell.exe
Token: SeDebugPrivilege	1488	47e6542e234e5ffed88732519f19008c.bin.exe
Token: SeDebugPrivilege	2728	Wndfnder.exe
Token: SeDebugPrivilege	1700	powershell.exe
Token: SeDebugPrivilege	1312	Wndfnder.exe

Suspicious use of WriteProcessMemory 54 IoCs

Processes:

47e6542e234e5ffed88732519f19008c.bin.exe47e6542e234e5ffed88732519f19008c.bin.execmd.execmd.exeWndfnder.exe

description	pid	process	target process
PID 2240 wrote to memory of 888	2240	47e6542e234e5ffed88732519f19008c.bin.exe	powershell.exe
PID 2240 wrote to memory of 888	2240	47e6542e234e5ffed88732519f19008c.bin.exe	powershell.exe
PID 2240 wrote to memory of 888	2240	47e6542e234e5ffed88732519f19008c.bin.exe	powershell.exe
PID 2240 wrote to memory of 888	2240	47e6542e234e5ffed88732519f19008c.bin.exe	powershell.exe
PID 2240 wrote to memory of 2568	2240	47e6542e234e5ffed88732519f19008c.bin.exe	schtasks.exe
PID 2240 wrote to memory of 2568	2240	47e6542e234e5ffed88732519f19008c.bin.exe	schtasks.exe
PID 2240 wrote to memory of 2568	2240	47e6542e234e5ffed88732519f19008c.bin.exe	schtasks.exe
PID 2240 wrote to memory of 2568	2240	47e6542e234e5ffed88732519f19008c.bin.exe	schtasks.exe
PID 2240 wrote to memory of 1488	2240	47e6542e234e5ffed88732519f19008c.bin.exe	47e6542e234e5ffed88732519f19008c.bin.exe
PID 2240 wrote to memory of 1488	2240	47e6542e234e5ffed88732519f19008c.bin.exe	47e6542e234e5ffed88732519f19008c.bin.exe
PID 2240 wrote to memory of 1488	2240	47e6542e234e5ffed88732519f19008c.bin.exe	47e6542e234e5ffed88732519f19008c.bin.exe
PID 2240 wrote to memory of 1488	2240	47e6542e234e5ffed88732519f19008c.bin.exe	47e6542e234e5ffed88732519f19008c.bin.exe
PID 2240 wrote to memory of 1488	2240	47e6542e234e5ffed88732519f19008c.bin.exe	47e6542e234e5ffed88732519f19008c.bin.exe
PID 2240 wrote to memory of 1488	2240	47e6542e234e5ffed88732519f19008c.bin.exe	47e6542e234e5ffed88732519f19008c.bin.exe
PID 2240 wrote to memory of 1488	2240	47e6542e234e5ffed88732519f19008c.bin.exe	47e6542e234e5ffed88732519f19008c.bin.exe
PID 2240 wrote to memory of 1488	2240	47e6542e234e5ffed88732519f19008c.bin.exe	47e6542e234e5ffed88732519f19008c.bin.exe
PID 2240 wrote to memory of 1488	2240	47e6542e234e5ffed88732519f19008c.bin.exe	47e6542e234e5ffed88732519f19008c.bin.exe
PID 1488 wrote to memory of 1768	1488	47e6542e234e5ffed88732519f19008c.bin.exe	cmd.exe
PID 1488 wrote to memory of 1768	1488	47e6542e234e5ffed88732519f19008c.bin.exe	cmd.exe
PID 1488 wrote to memory of 1768	1488	47e6542e234e5ffed88732519f19008c.bin.exe	cmd.exe
PID 1488 wrote to memory of 1768	1488	47e6542e234e5ffed88732519f19008c.bin.exe	cmd.exe
PID 1488 wrote to memory of 1628	1488	47e6542e234e5ffed88732519f19008c.bin.exe	cmd.exe
PID 1488 wrote to memory of 1628	1488	47e6542e234e5ffed88732519f19008c.bin.exe	cmd.exe
PID 1488 wrote to memory of 1628	1488	47e6542e234e5ffed88732519f19008c.bin.exe	cmd.exe
PID 1488 wrote to memory of 1628	1488	47e6542e234e5ffed88732519f19008c.bin.exe	cmd.exe
PID 1768 wrote to memory of 2948	1768	cmd.exe	schtasks.exe
PID 1768 wrote to memory of 2948	1768	cmd.exe	schtasks.exe
PID 1768 wrote to memory of 2948	1768	cmd.exe	schtasks.exe
PID 1768 wrote to memory of 2948	1768	cmd.exe	schtasks.exe
PID 1628 wrote to memory of 2812	1628	cmd.exe	timeout.exe
PID 1628 wrote to memory of 2812	1628	cmd.exe	timeout.exe
PID 1628 wrote to memory of 2812	1628	cmd.exe	timeout.exe
PID 1628 wrote to memory of 2812	1628	cmd.exe	timeout.exe
PID 1628 wrote to memory of 2728	1628	cmd.exe	Wndfnder.exe
PID 1628 wrote to memory of 2728	1628	cmd.exe	Wndfnder.exe
PID 1628 wrote to memory of 2728	1628	cmd.exe	Wndfnder.exe
PID 1628 wrote to memory of 2728	1628	cmd.exe	Wndfnder.exe
PID 2728 wrote to memory of 1700	2728	Wndfnder.exe	powershell.exe
PID 2728 wrote to memory of 1700	2728	Wndfnder.exe	powershell.exe
PID 2728 wrote to memory of 1700	2728	Wndfnder.exe	powershell.exe
PID 2728 wrote to memory of 1700	2728	Wndfnder.exe	powershell.exe
PID 2728 wrote to memory of 2008	2728	Wndfnder.exe	schtasks.exe
PID 2728 wrote to memory of 2008	2728	Wndfnder.exe	schtasks.exe
PID 2728 wrote to memory of 2008	2728	Wndfnder.exe	schtasks.exe
PID 2728 wrote to memory of 2008	2728	Wndfnder.exe	schtasks.exe
PID 2728 wrote to memory of 1312	2728	Wndfnder.exe	Wndfnder.exe
PID 2728 wrote to memory of 1312	2728	Wndfnder.exe	Wndfnder.exe
PID 2728 wrote to memory of 1312	2728	Wndfnder.exe	Wndfnder.exe
PID 2728 wrote to memory of 1312	2728	Wndfnder.exe	Wndfnder.exe
PID 2728 wrote to memory of 1312	2728	Wndfnder.exe	Wndfnder.exe
PID 2728 wrote to memory of 1312	2728	Wndfnder.exe	Wndfnder.exe
PID 2728 wrote to memory of 1312	2728	Wndfnder.exe	Wndfnder.exe
PID 2728 wrote to memory of 1312	2728	Wndfnder.exe	Wndfnder.exe
PID 2728 wrote to memory of 1312	2728	Wndfnder.exe	Wndfnder.exe

C:\Users\Admin\AppData\Local\Temp\47e6542e234e5ffed88732519f19008c.bin.exe
"C:\Users\Admin\AppData\Local\Temp\47e6542e234e5ffed88732519f19008c.bin.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2240
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\GGyIJkQ.exe"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:888
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\GGyIJkQ" /XML "C:\Users\Admin\AppData\Local\Temp\tmpC382.tmp"
  2⤵
  - Creates scheduled task(s)
  PID:2568
- C:\Users\Admin\AppData\Local\Temp\47e6542e234e5ffed88732519f19008c.bin.exe
  "C:\Users\Admin\AppData\Local\Temp\47e6542e234e5ffed88732519f19008c.bin.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1488
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Wndfnder" /tr '"C:\Users\Admin\AppData\Roaming\Wndfnder.exe"' & exit
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1768
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /create /f /sc onlogon /rl highest /tn "Wndfnder" /tr '"C:\Users\Admin\AppData\Roaming\Wndfnder.exe"'
      4⤵
      Creates scheduled task(s)
      PID:2948
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpD74C.tmp.bat""
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:1628
  - - C:\Windows\SysWOW64\timeout.exe
      timeout 3
      4⤵
      Delays execution with timeout.exe
      PID:2812
  - - C:\Users\Admin\AppData\Roaming\Wndfnder.exe
      "C:\Users\Admin\AppData\Roaming\Wndfnder.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Modifies system certificate store
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2728
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\GGyIJkQ.exe"
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1700
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\GGyIJkQ" /XML "C:\Users\Admin\AppData\Local\Temp\tmp1AF0.tmp"
        5⤵
        Creates scheduled task(s)
        
        PID:2008
    - - C:\Users\Admin\AppData\Roaming\Wndfnder.exe
        
        "C:\Users\Admin\AppData\Roaming\Wndfnder.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1312

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
1a9cd597678a7aa0f83199db58775948

SHA1
8cf16906ba9c2f2b56e4f3179102f25a5e7d1556

SHA256
56b2391e72a3b217f12a2da5142f5350326d38ab516ed115e0d11593262d30a1

SHA512
a0d8c71054f67ff8febbf05ebae05508b18927b80822185052be20151413761540a775db14cca0b678a0b6899a281a93f0dc29c203af8c92dd5fb4766cde8929

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
a95888ca3363a1f587588b7beb03369e

SHA1
b18421e30ed1ea2fb89c257f3a568de9962e96bb

SHA256
602509151a81e75dd2f62daac14d6436a76ac7f23b0898838ac8db4457377e1f

SHA512
81f615db1bf3d67363884a92168d20b34746a46437054424c3a749fcd62b222b9fafac3cf52eb85a14263317fe1ae5da490d0d4fafa5c3a09c551dc1668205b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar87FC.tmp

Filesize
177KB

MD5
435a9ac180383f9fa094131b173a2f7b

SHA1
76944ea657a9db94f9a4bef38f88c46ed4166983

SHA256
67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

SHA512
1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpC382.tmp

Filesize
1KB

MD5
618f7119402a79c83e3562f7832d19d9

SHA1
f2bb01ecdf133ea122654676ae6110c8c33790d0

SHA256
1f22e570e2acd39d6924697188d7f8bdacca49294af1a2a4c48e17eb64f316db

SHA512
191a058b7013967b62b0e1365cdaf57b6aeb7b24155708fcb7ddf401fba71788a94472a0bf2bdadd652ee42a9189676beb0a5c6e37741d14e4b1242509283013

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpD74C.tmp.bat

Filesize
152B

MD5
2edb820866461db6ba6a7ec775c82a08

SHA1
0497edd26a6ddd6161ae2b9d49a97e4bc66320f2

SHA256
451e170ec973b79e7255da184e69e487c185d5ff667ed7ea9e69fefabbde7cc1

SHA512
c72c4af40d6c48728e8e47d2aa0a8c7f69c6bc6aa525e5a7b3b825c902674a1229d0cb58a5b022cfc9c2d8697907a3dd6a15290162684896a564f3fd5de58683

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\97PXKFUSXQAWL1PXXTI6.temp

Filesize
7KB

MD5
ff850e53e968aadc602dd2c55bcad54a

SHA1
309d8f751d7d0ad4bb467ea414bc46e214b3ded0

SHA256
ee8beb8dca4d781ff595acc8fb0bcdfc25718999c2f6b7e29ceddc912b9959d8

SHA512
7782f163369eb95e873156c581f345e7d557532d2b88817e9f30d8d4effc97ad76fee8a3659e4123eca249e0126fec88ba807c528715000473d473325ac99dfd

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
89cdc4434c0b904c5f5375a709a66bac

SHA1
b8c5a263cde79cd67259ee641779dc4695467152

SHA256
67676d2b51041455a06cfad121f4e04e6d3381ba5109cbafd51496861117fc51

SHA512
cf92f61acb03ac7a35059ba67a5db0f995a3a462b3fb1004edc06ff8eb1f5626a78011eda020e9efc6010cd19a042a67f0a94850be273a7fc0338f84f793b9a5

Download Submit
C:\Users\Admin\AppData\Roaming\Wndfnder.exe

Filesize
680KB

MD5
47e6542e234e5ffed88732519f19008c

SHA1
b3dd01bf81d5b4b9595c13032d0fc8006dbc7e64

SHA256
ae55dc186e2373b964f1d84fd51aa7692fdb2994cc163128b97631c3ba7f7066

SHA512
98e4ddd035c81623ba2dcc5fc4ca58da3aa6ba10c7bce25ab0a00e7737c11152d6a77507c859f7f369be8fc456189acb5fe90a55064a5bf790e06662f3b589ce

Download Submit
memory/1312-218-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1312-221-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1312-224-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1488-114-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1488-118-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1488-108-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1488-112-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1488-110-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1488-119-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1488-117-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1488-116-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2240-122-0x0000000074B20000-0x000000007520E000-memory.dmp

Filesize
6.9MB

Download
memory/2240-0-0x0000000074B2E000-0x0000000074B2F000-memory.dmp

Filesize
4KB

Download
memory/2240-102-0x0000000008A30000-0x0000000008AA4000-memory.dmp

Filesize
464KB

Download
memory/2240-101-0x0000000000AC0000-0x0000000000AD0000-memory.dmp

Filesize
64KB

Download
memory/2240-100-0x0000000000A50000-0x0000000000A6A000-memory.dmp

Filesize
104KB

Download
memory/2240-9-0x0000000074B20000-0x000000007520E000-memory.dmp

Filesize
6.9MB

Download
memory/2240-1-0x00000000013A0000-0x000000000144C000-memory.dmp

Filesize
688KB

Download
memory/2728-135-0x0000000001380000-0x000000000142C000-memory.dmp

Filesize
688KB

Download