asyncrat | 8018d4a6776fd432ea3d84c4c5cd576894362ef2212f66ec5c4ce6964a78016c

Resubmissions

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
03-06-2024 16:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Flash-USDT-main/Flash USDT v2.exe
Size

918KB
MD5

e45aa1c8df8c2e551cbb12eb60d45862
SHA1

cb00e3e6bd28bbef0899c7e470e82f4e5f5dc13b
SHA256

5c9d92a9fc8a5399e2dc146af2c5dfbfdbbf94cd11ea331e9422626026470279
SHA512

ea77a19bc7d76c821082d9f2a14b6e818f28b98aaea9f923767d86d96e8db1a64ddcc56d7cfbcce41c06bd195b8afef4ed4f4dfc1e3543df0e5de4b6aa3af069
SSDEEP

24576:1Gz1TSpONGTQ9dokTpIG/2KPJ8r6oPNYY:1o1SpONZ9dokTpIG/Y+YN

Score

10^/10

asyncrat quasar stormkitty venomrat xworm default office04 evasion persistence rat rootkit spyware stealer trojan

Malware Config

Extracted

Family

xworm

146.70.34.130:7812

Attributes

Install_directory
%AppData%
install_file
USB.exe
telegram
https://api.telegram.org/bot6110313252:AAE6fFOzBefHnbenT-1DwxI9EBeZQTxbYGk/sendMessage?chat_id=6291749148

Extracted

Family

quasar

Version

2.1.0.0

Botnet

Office04

146.70.34.130:7812

Mutex

VNM_MUTEX_c2q7y2ayYutZ2XaYe7

Attributes

encryption_key
xwXT4WCNnk3vInV5C8eN
install_name
Windows Security Health Service.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Windows Security Health Service
subdirectory
Windows Security Health Service

Extracted

Family

asyncrat

Botnet

Default

127.0.0.1:6606

127.0.0.1:7707

127.0.0.1:8808

https://api.telegram.org/bot6110313252:AAE6fFOzBefHnbenT-1DwxI9EBeZQTxbYGk/sendMessage?chat_id=6291749148

Mutex

AsyncMutex_6SI8OkPnk

Attributes

delay
3
install
false
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat

Contains code to disable Windows Defender 2 IoCs

A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

resource	yara_rule
behavioral2/files/0x000700000002340e-17.dat	disable_win_def
behavioral2/memory/1132-41-0x0000000000540000-0x00000000005CC000-memory.dmp	disable_win_def

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral2/files/0x000c0000000233be-6.dat	family_xworm
behavioral2/memory/2512-33-0x0000000000850000-0x0000000000868000-memory.dmp	family_xworm

Modifies Windows Defender Real-time Protection settings 3 TTPs 4 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	Windows Security Health Service.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	Windows Security Health Service.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	Windows Security Health Service.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	Windows Security Health Service.exe

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 2 IoCs

resource	yara_rule
behavioral2/files/0x000700000002340e-17.dat	family_quasar
behavioral2/memory/1132-41-0x0000000000540000-0x00000000005CC000-memory.dmp	family_quasar

StormKitty
StormKitty is an open source info stealer written in C#.
stealer stormkitty

StormKitty payload 1 IoCs

resource	yara_rule
behavioral2/memory/4556-49-0x0000000000400000-0x0000000000430000-memory.dmp	family_stormkitty

VenomRAT
VenomRAT is a modified version of QuasarRAT with some added features, such as rootkit and stealer capabilites.
rat rootkit stealer venomrat
Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	Flash USDT v2.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	Windows Security Health Service.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows Defender SecurityService.lnk	service.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows Defender SecurityService.lnk	service.exe

Executes dropped EXE 6 IoCs

pid	Process
2512	service.exe
1132	Windows Security Health Service.exe
2376	Microsoft Edge.exe
4556	Microsoft Edge.exe
3036	Windows Security Health Service.exe
1432	Windows Security Health Service.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	Windows Security Health Service.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	Windows Security Health Service.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\BbNpQCTyLP = "C:\\Users\\Admin\\AppData\\Roaming\\QrNCGfAyDz\\DcDJLimAFT.exe"	Microsoft Edge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Defender SecurityService = "C:\\Users\\Admin\\AppData\\Roaming\\Windows Defender SecurityService"	service.exe

Drops desktop.ini file(s) 7 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\69196f26a5ea7a72f64d8e6a8540aac4\Admin@OBJIYUIE_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\Saved Pictures\desktop.ini	Microsoft Edge.exe
File created	C:\Users\Admin\AppData\Local\69196f26a5ea7a72f64d8e6a8540aac4\Admin@OBJIYUIE_en-US\Grabber\DRIVE-C\Users\Admin\Documents\desktop.ini	Microsoft Edge.exe
File created	C:\Users\Admin\AppData\Local\69196f26a5ea7a72f64d8e6a8540aac4\Admin@OBJIYUIE_en-US\Grabber\DRIVE-C\Users\Admin\Downloads\desktop.ini	Microsoft Edge.exe
File created	C:\Users\Admin\AppData\Local\69196f26a5ea7a72f64d8e6a8540aac4\Admin@OBJIYUIE_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini	Microsoft Edge.exe
File opened for modification	C:\Users\Admin\AppData\Local\69196f26a5ea7a72f64d8e6a8540aac4\Admin@OBJIYUIE_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini	Microsoft Edge.exe
File created	C:\Users\Admin\AppData\Local\69196f26a5ea7a72f64d8e6a8540aac4\Admin@OBJIYUIE_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\desktop.ini	Microsoft Edge.exe
File created	C:\Users\Admin\AppData\Local\69196f26a5ea7a72f64d8e6a8540aac4\Admin@OBJIYUIE_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\Camera Roll\desktop.ini	Microsoft Edge.exe

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
12	ip-api.com
40	icanhazip.com

Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2376 set thread context of 4556	2376	Microsoft Edge.exe	85

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	Microsoft Edge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	Microsoft Edge.exe

Creates scheduled task(s) 1 TTPs 3 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
232	schtasks.exe
1648	schtasks.exe
2044	schtasks.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
528	PING.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2512	service.exe

Suspicious behavior: EnumeratesProcesses 35 IoCs

pid	Process
3880	powershell.exe
3880	powershell.exe
2512	service.exe
4556	Microsoft Edge.exe
4556	Microsoft Edge.exe
4556	Microsoft Edge.exe
4556	Microsoft Edge.exe
4556	Microsoft Edge.exe
4556	Microsoft Edge.exe
4556	Microsoft Edge.exe
4556	Microsoft Edge.exe
4556	Microsoft Edge.exe
4556	Microsoft Edge.exe
4556	Microsoft Edge.exe
4556	Microsoft Edge.exe
4556	Microsoft Edge.exe
4556	Microsoft Edge.exe
4556	Microsoft Edge.exe
4556	Microsoft Edge.exe
4556	Microsoft Edge.exe
4556	Microsoft Edge.exe
4556	Microsoft Edge.exe
4556	Microsoft Edge.exe
4556	Microsoft Edge.exe
4556	Microsoft Edge.exe
4556	Microsoft Edge.exe
4556	Microsoft Edge.exe
1132	Windows Security Health Service.exe
1132	Windows Security Health Service.exe
1132	Windows Security Health Service.exe
1132	Windows Security Health Service.exe
1132	Windows Security Health Service.exe
1132	Windows Security Health Service.exe
1132	Windows Security Health Service.exe
1432	Windows Security Health Service.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeDebugPrivilege	2512	service.exe
Token: SeDebugPrivilege	4556	Microsoft Edge.exe
Token: SeDebugPrivilege	1132	Windows Security Health Service.exe
Token: SeDebugPrivilege	3880	powershell.exe
Token: SeDebugPrivilege	3036	Windows Security Health Service.exe
Token: SeDebugPrivilege	3036	Windows Security Health Service.exe
Token: SeDebugPrivilege	1432	Windows Security Health Service.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
3036	Windows Security Health Service.exe
2512	service.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3452 wrote to memory of 2512	3452	Flash USDT v2.exe	82
PID 3452 wrote to memory of 2512	3452	Flash USDT v2.exe	82
PID 3452 wrote to memory of 1132	3452	Flash USDT v2.exe	83
PID 3452 wrote to memory of 1132	3452	Flash USDT v2.exe	83
PID 3452 wrote to memory of 1132	3452	Flash USDT v2.exe	83
PID 3452 wrote to memory of 2376	3452	Flash USDT v2.exe	84
PID 3452 wrote to memory of 2376	3452	Flash USDT v2.exe	84
PID 3452 wrote to memory of 2376	3452	Flash USDT v2.exe	84
PID 2376 wrote to memory of 4556	2376	Microsoft Edge.exe	85
PID 2376 wrote to memory of 4556	2376	Microsoft Edge.exe	85
PID 2376 wrote to memory of 4556	2376	Microsoft Edge.exe	85
PID 2376 wrote to memory of 4556	2376	Microsoft Edge.exe	85
PID 2376 wrote to memory of 4556	2376	Microsoft Edge.exe	85
PID 2376 wrote to memory of 4556	2376	Microsoft Edge.exe	85
PID 2376 wrote to memory of 4556	2376	Microsoft Edge.exe	85
PID 2376 wrote to memory of 4556	2376	Microsoft Edge.exe	85
PID 1132 wrote to memory of 232	1132	Windows Security Health Service.exe	90
PID 1132 wrote to memory of 232	1132	Windows Security Health Service.exe	90
PID 1132 wrote to memory of 232	1132	Windows Security Health Service.exe	90
PID 1132 wrote to memory of 3036	1132	Windows Security Health Service.exe	92
PID 1132 wrote to memory of 3036	1132	Windows Security Health Service.exe	92
PID 1132 wrote to memory of 3036	1132	Windows Security Health Service.exe	92
PID 1132 wrote to memory of 3880	1132	Windows Security Health Service.exe	93
PID 1132 wrote to memory of 3880	1132	Windows Security Health Service.exe	93
PID 1132 wrote to memory of 3880	1132	Windows Security Health Service.exe	93
PID 3036 wrote to memory of 1648	3036	Windows Security Health Service.exe	95
PID 3036 wrote to memory of 1648	3036	Windows Security Health Service.exe	95
PID 3036 wrote to memory of 1648	3036	Windows Security Health Service.exe	95
PID 2512 wrote to memory of 2044	2512	service.exe	99
PID 2512 wrote to memory of 2044	2512	service.exe	99
PID 4556 wrote to memory of 4336	4556	Microsoft Edge.exe	107
PID 4556 wrote to memory of 4336	4556	Microsoft Edge.exe	107
PID 4556 wrote to memory of 4336	4556	Microsoft Edge.exe	107
PID 4336 wrote to memory of 3016	4336	cmd.exe	109
PID 4336 wrote to memory of 3016	4336	cmd.exe	109
PID 4336 wrote to memory of 3016	4336	cmd.exe	109
PID 4336 wrote to memory of 3232	4336	cmd.exe	110
PID 4336 wrote to memory of 3232	4336	cmd.exe	110
PID 4336 wrote to memory of 3232	4336	cmd.exe	110
PID 4336 wrote to memory of 1152	4336	cmd.exe	111
PID 4336 wrote to memory of 1152	4336	cmd.exe	111
PID 4336 wrote to memory of 1152	4336	cmd.exe	111
PID 4556 wrote to memory of 1852	4556	Microsoft Edge.exe	112
PID 4556 wrote to memory of 1852	4556	Microsoft Edge.exe	112
PID 4556 wrote to memory of 1852	4556	Microsoft Edge.exe	112
PID 1852 wrote to memory of 2604	1852	cmd.exe	114
PID 1852 wrote to memory of 2604	1852	cmd.exe	114
PID 1852 wrote to memory of 2604	1852	cmd.exe	114
PID 1852 wrote to memory of 1880	1852	cmd.exe	115
PID 1852 wrote to memory of 1880	1852	cmd.exe	115
PID 1852 wrote to memory of 1880	1852	cmd.exe	115
PID 1132 wrote to memory of 2444	1132	Windows Security Health Service.exe	116
PID 1132 wrote to memory of 2444	1132	Windows Security Health Service.exe	116
PID 1132 wrote to memory of 2444	1132	Windows Security Health Service.exe	116
PID 2444 wrote to memory of 4024	2444	cmd.exe	118
PID 2444 wrote to memory of 4024	2444	cmd.exe	118
PID 2444 wrote to memory of 4024	2444	cmd.exe	118
PID 1132 wrote to memory of 808	1132	Windows Security Health Service.exe	122
PID 1132 wrote to memory of 808	1132	Windows Security Health Service.exe	122
PID 1132 wrote to memory of 808	1132	Windows Security Health Service.exe	122
PID 808 wrote to memory of 3912	808	cmd.exe	124
PID 808 wrote to memory of 3912	808	cmd.exe	124
PID 808 wrote to memory of 3912	808	cmd.exe	124
PID 808 wrote to memory of 528	808	cmd.exe	125

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Flash-USDT-main\Flash USDT v2.exe
"C:\Users\Admin\AppData\Local\Temp\Flash-USDT-main\Flash USDT v2.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3452
- C:\Users\Admin\AppData\Roaming\service.exe
  "C:\Users\Admin\AppData\Roaming\service.exe"
  2⤵
  - Checks computer location settings
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2512
- - C:\Windows\System32\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Windows Defender SecurityService" /tr "C:\Users\Admin\AppData\Roaming\Windows Defender SecurityService"
    3⤵
    - Creates scheduled task(s)
    PID:2044
- C:\Users\Admin\AppData\Roaming\Windows Security Health Service.exe
  "C:\Users\Admin\AppData\Roaming\Windows Security Health Service.exe"
  2⤵
  - Modifies Windows Defender Real-time Protection settings
  - Checks computer location settings
  - Executes dropped EXE
  - Windows security modification
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1132
- - C:\Windows\SysWOW64\schtasks.exe
    "schtasks" /create /tn "Windows Security Health Service" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Windows Security Health Service.exe" /rl HIGHEST /f
    3⤵
    - Creates scheduled task(s)
    PID:232
- - C:\Users\Admin\AppData\Roaming\Windows Security Health Service\Windows Security Health Service.exe
    "C:\Users\Admin\AppData\Roaming\Windows Security Health Service\Windows Security Health Service.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:3036
  - - C:\Windows\SysWOW64\schtasks.exe
      "schtasks" /create /tn "Windows Security Health Service" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Windows Security Health Service\Windows Security Health Service.exe" /rl HIGHEST /f
      4⤵
      Creates scheduled task(s)
      PID:1648
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell" Get-MpPreference -verbose
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3880
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /k start /b del /q/f/s %TEMP%\* & exit
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2444
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /K del /q/f/s C:\Users\Admin\AppData\Local\Temp\*
      4⤵
      PID:4024
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qLSO7q5Q4viY.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:808
  - - C:\Windows\SysWOW64\chcp.com
      chcp 65001
      4⤵
      PID:3912
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 10 localhost
      4⤵
      Runs ping.exe
      PID:528
  - - C:\Users\Admin\AppData\Roaming\Windows Security Health Service.exe
      "C:\Users\Admin\AppData\Roaming\Windows Security Health Service.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1432
- C:\Users\Admin\AppData\Roaming\Microsoft Edge.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft Edge.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:2376
- - C:\Users\Admin\AppData\Roaming\Microsoft Edge.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft Edge.exe"
    3⤵
    - Executes dropped EXE
    - Drops desktop.ini file(s)
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4556
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4336
    - - C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        5⤵
        
        PID:3016
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        5⤵
        
        PID:3232
    - - C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        5⤵
        
        PID:1152
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1852
    - - C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        5⤵
        
        PID:2604
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show networks mode=bssid
        5⤵
        
        PID:1880

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\435d2f3cdb74369c71abe038a7701be8\msgid.dat

Filesize
6B

MD5
b765bec9e861d1a2ac741349b2136a6f

SHA1
538d1ab6077d4bd6a99d3ad66503edcba8af544b

SHA256
94d766578113ef524b3e0806860cd3900ea205c81fb88cb7060aa79fa2f2d584

SHA512
576d2e3a6fed184f3bdcf04eddb1c6204fd181a5d8eb17ec8144f677cb342c0d86504546709a7cd7574ec1922b3b574aabdbc010033cbfada23a834c0d425134

Download Submit
C:\Users\Admin\AppData\Local\69196f26a5ea7a72f64d8e6a8540aac4\Admin@OBJIYUIE_en-US\Browsers\Firefox\Bookmarks.txt

Filesize
105B

MD5
2e9d094dda5cdc3ce6519f75943a4ff4

SHA1
5d989b4ac8b699781681fe75ed9ef98191a5096c

SHA256
c84c98bbf5e0ef9c8d0708b5d60c5bb656b7d6be5135d7f7a8d25557e08cf142

SHA512
d1f7eed00959e902bdb2125b91721460d3ff99f3bdfc1f2a343d4f58e8d4e5e5a06c0c6cdc0379211c94510f7c00d7a8b34fa7d0ca0c3d54cbbe878f1e9812b7

Download Submit
C:\Users\Admin\AppData\Local\69196f26a5ea7a72f64d8e6a8540aac4\Admin@OBJIYUIE_en-US\System\Process.txt

Filesize
4KB

MD5
1488ae43365f4187f843ba9808c11e73

SHA1
42440a9e5e44c2e14febb15bf26197fa2580c7a4

SHA256
7efb36d9d4d945c638eadcb3b04355927d88940fa1bdb24f39779d076915aef0

SHA512
e80f987c81e9e512f2d667224697c0eede86910b252a6d6131be48c269f54d7256dfad8219710a8d0ab003e6ae37f7f448fba75b5c80648d4fe93b93444663ed

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Windows Security Health Service.exe.log

Filesize
1KB

MD5
10eab9c2684febb5327b6976f2047587

SHA1
a12ed54146a7f5c4c580416aecb899549712449e

SHA256
f49dbd55029bfbc15134f7c6a4f967d6c39142c63f2e8f1f8c78fab108a2c928

SHA512
7e5fd90fffae723bd0c662a90e0730b507805f072771ee673d1d8c262dbf60c8a03ba5fe088f699a97c2e886380de158b2ccd59ee62e3d012dd6dd14ea9d0e50

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_uxn3bmjz.aer.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\places.raw

Filesize
5.0MB

MD5
25b97815c0005fc273a7eff8e4306d35

SHA1
9e23f75f19686261d5a3c9abfc7905bd2b8885bb

SHA256
08eb8fb2f947cfa307191716fc503a9e547fa9104e16f16f4e706a64ac19a393

SHA512
26e258004e766f3a1542f2a5a12ea3223dec9ac37b79e3ffee8a16326d623e57ab10f92fc9302a46dcc938511dd078b105e81b12a9872892fcbd25f0cca7b856

Download Submit
C:\Users\Admin\AppData\Local\Temp\qLSO7q5Q4viY.bat

Filesize
225B

MD5
78e78877a0e3282212eecf181e3ec62d

SHA1
8822e07ab95555fbc6f529850ecde52e8f6278f1

SHA256
3e41064b097c55847e0942dd564af6020cc97b3ef053dc5e19ed26712a11db3b

SHA512
5f46276c09a315d9a70e2b9508f130ceed6c8ad2fbc0795d92ed2914b4c9c5f3f5b01da51ab913835e8efe63cc356fad61c2072e9258d0695ddd8b806b3e6e06

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft Edge.exe

Filesize
195KB

MD5
e7f8c4ea62d6c4ae774f981480c6b232

SHA1
2dad33c36ad472cee4ca8231c723e92bd7033b7d

SHA256
c57f5af415c2e2b4850b6274567ea05841501136b634365c8dc9c19c0a5cd39b

SHA512
f92a03354724834c21c932e2f6933c0afab21d768e7ceedb15699e22bc1a63771f2f91734b902dd8cdb75d2fb7e2be0579c0b826f154a325769a0317c3c1a3c7

Download Submit
C:\Users\Admin\AppData\Roaming\Windows Security Health Service.exe

Filesize
534KB

MD5
b934a776bf8ad0d2acba5fecd3e8d54a

SHA1
2c2419eaa05137543fbacd52929b758633543fc2

SHA256
9ecdfad064bdd85e9f36f5d6580e4576b495f6b2981f822129fe2f37b69ac405

SHA512
c8f06093c6048edbdb92f12263179595c23aa6263aff2c359736c41cbb7548c886d55b7d85dbbd2651df4dfebd4fec88f2f4380d9d59453224ca0483c1cb18f3

Download Submit
C:\Users\Admin\AppData\Roaming\service.exe

Filesize
68KB

MD5
e3959c47fd8eb8989ffcccbedb64f28d

SHA1
fb4e8f09c8a395cae695dd7431d2985a949aa89c

SHA256
ad93141af1cd287247d5365955f235e7c1b9477d4a32354680f684237a07b145

SHA512
c52783c65a929c971667a806f234b086aae6b1db2b09e763cb17c09e31484aef26f5cea4340b01bcb6172679b8a8b11fa4c7ae0eb160eccf271903a3371a990c

Download Submit
memory/1132-42-0x0000000005480000-0x0000000005A24000-memory.dmp

Filesize
5.6MB

Download
memory/1132-41-0x0000000000540000-0x00000000005CC000-memory.dmp

Filesize
560KB

Download
memory/1132-52-0x0000000005410000-0x0000000005422000-memory.dmp

Filesize
72KB

Download
memory/1132-53-0x0000000006110000-0x000000000614C000-memory.dmp

Filesize
240KB

Download
memory/1132-51-0x0000000004ED0000-0x0000000004F36000-memory.dmp

Filesize
408KB

Download
memory/2376-46-0x0000000005530000-0x000000000553A000-memory.dmp

Filesize
40KB

Download
memory/2376-44-0x0000000005650000-0x00000000056EC000-memory.dmp

Filesize
624KB

Download
memory/2376-43-0x00000000055B0000-0x0000000005642000-memory.dmp

Filesize
584KB

Download
memory/2376-40-0x0000000000CA0000-0x0000000000CD6000-memory.dmp

Filesize
216KB

Download
memory/2512-96-0x00007FFA94B30000-0x00007FFA955F1000-memory.dmp

Filesize
10.8MB

Download
memory/2512-286-0x00007FFA94B30000-0x00007FFA955F1000-memory.dmp

Filesize
10.8MB

Download
memory/2512-33-0x0000000000850000-0x0000000000868000-memory.dmp

Filesize
96KB

Download
memory/2512-39-0x00007FFA94B30000-0x00007FFA955F1000-memory.dmp

Filesize
10.8MB

Download
memory/3036-75-0x0000000006BD0000-0x0000000006BDA000-memory.dmp

Filesize
40KB

Download
memory/3452-1-0x0000000000C10000-0x0000000000CFC000-memory.dmp

Filesize
944KB

Download
memory/3452-0-0x00007FFA94B33000-0x00007FFA94B35000-memory.dmp

Filesize
8KB

Download
memory/3880-73-0x00000000060B0000-0x00000000060FC000-memory.dmp

Filesize
304KB

Download
memory/3880-99-0x0000000007490000-0x00000000074A4000-memory.dmp

Filesize
80KB

Download
memory/3880-88-0x0000000006500000-0x000000000651E000-memory.dmp

Filesize
120KB

Download
memory/3880-89-0x0000000007120000-0x00000000071C3000-memory.dmp

Filesize
652KB

Download
memory/3880-90-0x0000000007890000-0x0000000007F0A000-memory.dmp

Filesize
6.5MB

Download
memory/3880-91-0x0000000007250000-0x000000000726A000-memory.dmp

Filesize
104KB

Download
memory/3880-92-0x00000000072C0000-0x00000000072CA000-memory.dmp

Filesize
40KB

Download
memory/3880-95-0x00000000074D0000-0x0000000007566000-memory.dmp

Filesize
600KB

Download
memory/3880-77-0x00000000070E0000-0x0000000007112000-memory.dmp

Filesize
200KB

Download
memory/3880-97-0x0000000007450000-0x0000000007461000-memory.dmp

Filesize
68KB

Download
memory/3880-98-0x0000000007480000-0x000000000748E000-memory.dmp

Filesize
56KB

Download
memory/3880-78-0x0000000070740000-0x000000007078C000-memory.dmp

Filesize
304KB

Download
memory/3880-100-0x0000000007590000-0x00000000075AA000-memory.dmp

Filesize
104KB

Download
memory/3880-101-0x0000000007570000-0x0000000007578000-memory.dmp

Filesize
32KB

Download
memory/3880-72-0x0000000005F20000-0x0000000005F3E000-memory.dmp

Filesize
120KB

Download
memory/3880-71-0x0000000005A40000-0x0000000005D94000-memory.dmp

Filesize
3.3MB

Download
memory/3880-58-0x0000000002620000-0x0000000002656000-memory.dmp

Filesize
216KB

Download
memory/3880-66-0x0000000005860000-0x00000000058C6000-memory.dmp

Filesize
408KB

Download
memory/3880-59-0x00000000050C0000-0x00000000056E8000-memory.dmp

Filesize
6.2MB

Download
memory/3880-60-0x0000000005050000-0x0000000005072000-memory.dmp

Filesize
136KB

Download
memory/4556-261-0x0000000006450000-0x0000000006462000-memory.dmp

Filesize
72KB

Download
memory/4556-255-0x0000000005F50000-0x0000000005F5A000-memory.dmp

Filesize
40KB

Download
memory/4556-49-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download