Malware Analysis Report

2024-09-22 07:47

Sample ID 240602-qp2abaec43
Target a2295f8724805d78c537dd0750a0e777534013d5aad7472923e56e2b63135243
SHA256 a2295f8724805d78c537dd0750a0e777534013d5aad7472923e56e2b63135243
Tags
asyncrat default rat
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

a2295f8724805d78c537dd0750a0e777534013d5aad7472923e56e2b63135243

Threat Level: Known bad

The file a2295f8724805d78c537dd0750a0e777534013d5aad7472923e56e2b63135243 was found to be: Known bad.

Malicious Activity Summary

asyncrat default rat

AsyncRat

Async RAT payload

Asyncrat family

Async RAT payload

Checks computer location settings

Executes dropped EXE

Enumerates physical storage devices

Unsigned PE

Uses Task Scheduler COM API

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Delays execution with timeout.exe

Creates scheduled task(s)

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-06-02 13:26

Signatures

Async RAT payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Asyncrat family

asyncrat

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-02 13:26

Reported

2024-06-02 13:29

Platform

win7-20240221-en

Max time kernel

150s

Max time network

144s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a2295f8724805d78c537dd0750a0e777534013d5aad7472923e56e2b63135243.exe"

Signatures

AsyncRat

rat asyncrat

Async RAT payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\IDUX.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\timeout.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\a2295f8724805d78c537dd0750a0e777534013d5aad7472923e56e2b63135243.exe N/A (5 identical rows)
N/A N/A C:\Users\Admin\AppData\Roaming\IDUX.exe N/A (59 identical rows)

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\a2295f8724805d78c537dd0750a0e777534013d5aad7472923e56e2b63135243.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\a2295f8724805d78c537dd0750a0e777534013d5aad7472923e56e2b63135243.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\IDUX.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\IDUX.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2868 wrote to memory of 2608 N/A C:\Users\Admin\AppData\Local\Temp\a2295f8724805d78c537dd0750a0e777534013d5aad7472923e56e2b63135243.exe C:\Windows\System32\cmd.exe (3 identical rows)
PID 2868 wrote to memory of 2668 N/A C:\Users\Admin\AppData\Local\Temp\a2295f8724805d78c537dd0750a0e777534013d5aad7472923e56e2b63135243.exe C:\Windows\system32\cmd.exe (3 identical rows)
PID 2608 wrote to memory of 2488 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\schtasks.exe (3 identical rows)
PID 2668 wrote to memory of 2400 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe (3 identical rows)
PID 2668 wrote to memory of 2508 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Roaming\IDUX.exe (3 identical rows)

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\a2295f8724805d78c537dd0750a0e777534013d5aad7472923e56e2b63135243.exe

"C:\Users\Admin\AppData\Local\Temp\a2295f8724805d78c537dd0750a0e777534013d5aad7472923e56e2b63135243.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "IDUX" /tr '"C:\Users\Admin\AppData\Roaming\IDUX.exe"' & exit

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp2DF3.tmp.bat""

C:\Windows\system32\schtasks.exe

schtasks /create /f /sc onlogon /rl highest /tn "IDUX" /tr '"C:\Users\Admin\AppData\Roaming\IDUX.exe"'

C:\Windows\system32\timeout.exe

timeout 3

C:\Users\Admin\AppData\Roaming\IDUX.exe

"C:\Users\Admin\AppData\Roaming\IDUX.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 true-foot.gl.at.ply.gg udp
US 147.185.221.20:7416 true-foot.gl.at.ply.gg tcp
US 147.185.221.20:7416 true-foot.gl.at.ply.gg tcp

Files

memory/2868-0-0x000007FEF5923000-0x000007FEF5924000-memory.dmp

memory/2868-1-0x0000000000960000-0x0000000000976000-memory.dmp

memory/2868-2-0x000007FEF5920000-0x000007FEF630C000-memory.dmp

memory/2868-3-0x000007FEF5920000-0x000007FEF630C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp2DF3.tmp.bat

MD5 d02d07d586bb233473ba9b3d8e12372a
SHA1 246772e4b9b9ef18d862015d09fd1f26b626cfdb
SHA256 0c56f2b3c9a1557ae874b90a80c630bfeb3d6b2f61e9f93cbee8b9837fde406a
SHA512 7f9dcf6f016657bb1c0daf6dbf3220aef230bff3a095558f3dd5d484c57d3243a9e9acea4b7a11d56b232f744622f38dbd3b1cd58d6538a18a8f3edbc1361444

memory/2868-13-0x000007FEF5920000-0x000007FEF630C000-memory.dmp

C:\Users\Admin\AppData\Roaming\IDUX.exe

MD5 0ee060baaff3a8bca5b128a48c7fae05
SHA1 6469a7119a4a675a0ff228a76a59c9125a19f6a9
SHA256 a2295f8724805d78c537dd0750a0e777534013d5aad7472923e56e2b63135243
SHA512 cceef179d14892af12e8e53b6b8ed2569c6486a8b5447d17add393e1341bff698d1cc8a01f773e6f36369aaee7492ac8967242fa4fb0c2e9564102726db6caf0

memory/2508-17-0x0000000000EB0000-0x0000000000EC6000-memory.dmp

memory/2508-35-0x0000000000560000-0x0000000000594000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

C:\Users\Admin\AppData\Local\Temp\Tar8138.tmp

MD5 4ea6026cf93ec6338144661bf1202cd1
SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-02 13:26

Reported

2024-06-02 13:29

Platform

win10v2004-20240508-en

Max time kernel

150s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a2295f8724805d78c537dd0750a0e777534013d5aad7472923e56e2b63135243.exe"

Signatures

AsyncRat

rat asyncrat

Async RAT payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\a2295f8724805d78c537dd0750a0e777534013d5aad7472923e56e2b63135243.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\IDUX.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\timeout.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\a2295f8724805d78c537dd0750a0e777534013d5aad7472923e56e2b63135243.exe N/A (29 identical rows)
N/A N/A C:\Users\Admin\AppData\Roaming\IDUX.exe N/A (35 identical rows)

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\a2295f8724805d78c537dd0750a0e777534013d5aad7472923e56e2b63135243.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\a2295f8724805d78c537dd0750a0e777534013d5aad7472923e56e2b63135243.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\IDUX.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\IDUX.exe N/A

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\a2295f8724805d78c537dd0750a0e777534013d5aad7472923e56e2b63135243.exe

"C:\Users\Admin\AppData\Local\Temp\a2295f8724805d78c537dd0750a0e777534013d5aad7472923e56e2b63135243.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "IDUX" /tr '"C:\Users\Admin\AppData\Roaming\IDUX.exe"' & exit

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp4798.tmp.bat""

C:\Windows\system32\timeout.exe

timeout 3

C:\Windows\system32\schtasks.exe

schtasks /create /f /sc onlogon /rl highest /tn "IDUX" /tr '"C:\Users\Admin\AppData\Roaming\IDUX.exe"'

C:\Users\Admin\AppData\Roaming\IDUX.exe

"C:\Users\Admin\AppData\Roaming\IDUX.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 203.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 133.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 true-foot.gl.at.ply.gg udp
US 147.185.221.20:7416 true-foot.gl.at.ply.gg tcp
US 8.8.8.8:53 20.221.185.147.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 147.185.221.20:7416 true-foot.gl.at.ply.gg tcp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 140.71.91.104.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 137.71.105.51.in-addr.arpa udp

Files

memory/3948-0-0x00007FFD4F1B3000-0x00007FFD4F1B5000-memory.dmp

memory/3948-1-0x00000000008F0000-0x0000000000906000-memory.dmp

memory/3948-2-0x00007FFD4F1B0000-0x00007FFD4FC71000-memory.dmp

memory/3948-7-0x00007FFD4F1B0000-0x00007FFD4FC71000-memory.dmp

memory/3948-8-0x00007FFD4F1B0000-0x00007FFD4FC71000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp4798.tmp.bat

MD5 f1dcc7a61377e4d2e6919fd8e9617832
SHA1 53e614694e4ebcfeaeca518d9c4e93e11a8a3e78
SHA256 6f65d59828f02ef8ced1c64b44d59a474269cf659dffd554d08dca8b532183cd
SHA512 b3caec4feaa1209970601a832a795f1ee449629d43df1fa6a8449d06c29c960598ffd1a6c01b2507f96ba6f3ecf2eeba36e43a90e0f47d7a210c77ca0bb3da8a

C:\Users\Admin\AppData\Roaming\IDUX.exe

MD5 0ee060baaff3a8bca5b128a48c7fae05
SHA1 6469a7119a4a675a0ff228a76a59c9125a19f6a9
SHA256 a2295f8724805d78c537dd0750a0e777534013d5aad7472923e56e2b63135243
SHA512 cceef179d14892af12e8e53b6b8ed2569c6486a8b5447d17add393e1341bff698d1cc8a01f773e6f36369aaee7492ac8967242fa4fb0c2e9564102726db6caf0

memory/2704-16-0x000000001C110000-0x000000001C144000-memory.dmp

memory/2704-15-0x000000001D6D0000-0x000000001D746000-memory.dmp

memory/2704-17-0x000000001D670000-0x000000001D68E000-memory.dmp