asyncrat | bfc572da40fc3dcbee2ff5590ad5f630becf69e18df37b44140bd4f214facf56

Analysis

max time kernel
146s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
28/06/2024, 06:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3644f9a06d97f903a5ceebdd7f2f4500.exe
Size

222KB
MD5

3644f9a06d97f903a5ceebdd7f2f4500
SHA1

53ed26fba664d03b0e2423d6da7235c983fe2a1e
SHA256

bfc572da40fc3dcbee2ff5590ad5f630becf69e18df37b44140bd4f214facf56
SHA512

f0dced1046018e83a33acc0e06f43bdd300ae4defff974c033a1f16cfd78c366cfd11e480554c197d844442fcfd51494ea39abb7c9c22c686d1b3a6cf5c30d1a
SSDEEP

6144:zVW1Fk5kc9tepTde06Or1HVSuZyfbqLW:JWnYt0hHVSuTLW

Score

10^/10

asyncrat stormkitty default persistence privilege_escalation rat spyware stealer

Malware Config

Extracted

Family

asyncrat

Botnet

Default

127.0.0.1:6606

127.0.0.1:7707

127.0.0.1:8808

https://api.telegram.org/bot7379351260:AAGqtKlpHd72GFMRON17QY1OA6l1sR7mBik/sendMessage?chat_id=5795480469

Mutex

AsyncMutex_6SI8OkPnk

Attributes

delay
3
install
false
install_folder
%AppData%

aes.plain

Extracted

Family

asyncrat

Version

0.5.8

Botnet

Default

127.0.0.1:6606

127.0.0.1:7707

127.0.0.1:8808

94.232.249.111:6606

94.232.249.111:7707

94.232.249.111:8808

Mutex

o6tEeoRxJb0n

Attributes

delay
3
install
true
install_file
svchost.exe
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
StormKitty
StormKitty is an open source info stealer written in C#.
stealer stormkitty

StormKitty payload 2 IoCs

resource	yara_rule
behavioral2/files/0x000700000002327a-69.dat	family_stormkitty
behavioral2/memory/2364-88-0x0000000000190000-0x00000000001C2000-memory.dmp	family_stormkitty

Async RAT payload 2 IoCs

rat

resource	yara_rule
behavioral2/files/0x0007000000023270-58.dat	family_asyncrat
behavioral2/files/0x000700000002327a-69.dat	family_asyncrat

Downloads MZ/PE file

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	DC6.tmp.svchost.exe

Drops startup file 5 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Service_Sun.exe.lnk	3644f9a06d97f903a5ceebdd7f2f4500.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\psvhost.exe.lnk	3644f9a06d97f903a5ceebdd7f2f4500.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Service_Adobe.exe.lnk	3644f9a06d97f903a5ceebdd7f2f4500.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Service_Microsoft.exe.lnk	3644f9a06d97f903a5ceebdd7f2f4500.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Service_Mozilla.exe.lnk	3644f9a06d97f903a5ceebdd7f2f4500.exe

Executes dropped EXE 5 IoCs

pid	Process
3512	relog.exe
3812	DC6.tmp.svchost.exe
2364	17AB.tmp.Serverssss.exe
1808	1932.tmp.svchost.exe
2928	svchost.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Service_Adobe = "C:\\Users\\Admin\\AppData\\Roaming\\Adobe\\Service_Adobe.exe"	3644f9a06d97f903a5ceebdd7f2f4500.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Service_Microsoft = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Service_Microsoft.exe"	3644f9a06d97f903a5ceebdd7f2f4500.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Service_Mozilla = "C:\\Users\\Admin\\AppData\\Roaming\\Mozilla\\Service_Mozilla.exe"	3644f9a06d97f903a5ceebdd7f2f4500.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Service_Sun = "C:\\Users\\Admin\\AppData\\Roaming\\Sun\\Service_Sun.exe"	3644f9a06d97f903a5ceebdd7f2f4500.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WpnUserService = "C:\\Users\\Admin\\AppData\\Local\\Temp\\3644f9a06d97f903a5ceebdd7f2f4500.exe"	3644f9a06d97f903a5ceebdd7f2f4500.exe

Drops desktop.ini file(s) 8 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\d0448a264e9ef0baf128e2d49c44d784\Admin@OAILVCNY_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\desktop.ini	17AB.tmp.Serverssss.exe
File created	C:\Users\Admin\AppData\Local\d0448a264e9ef0baf128e2d49c44d784\Admin@OAILVCNY_en-US\Grabber\DRIVE-C\Users\Admin\Downloads\desktop.ini	17AB.tmp.Serverssss.exe
File opened for modification	C:\Users\Admin\AppData\Local\d0448a264e9ef0baf128e2d49c44d784\Admin@OAILVCNY_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\desktop.ini	17AB.tmp.Serverssss.exe
File opened for modification	C:\Users\Admin\AppData\Local\d0448a264e9ef0baf128e2d49c44d784\Admin@OAILVCNY_en-US\Grabber\DRIVE-C\Users\Admin\Downloads\desktop.ini	17AB.tmp.Serverssss.exe
File created	C:\Users\Admin\AppData\Local\d0448a264e9ef0baf128e2d49c44d784\Admin@OAILVCNY_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini	17AB.tmp.Serverssss.exe
File created	C:\Users\Admin\AppData\Local\d0448a264e9ef0baf128e2d49c44d784\Admin@OAILVCNY_en-US\Grabber\DRIVE-C\Users\Admin\Documents\desktop.ini	17AB.tmp.Serverssss.exe
File created	C:\Users\Admin\AppData\Local\d0448a264e9ef0baf128e2d49c44d784\Admin@OAILVCNY_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\Camera Roll\desktop.ini	17AB.tmp.Serverssss.exe
File created	C:\Users\Admin\AppData\Local\d0448a264e9ef0baf128e2d49c44d784\Admin@OAILVCNY_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\Saved Pictures\desktop.ini	17AB.tmp.Serverssss.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
76	pastebin.com
77	pastebin.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
66	icanhazip.com

Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1616 set thread context of 3512	1616	3644f9a06d97f903a5ceebdd7f2f4500.exe	91

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 6 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	17AB.tmp.Serverssss.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	17AB.tmp.Serverssss.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
3608	timeout.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3280	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3512	relog.exe
3512	relog.exe
3512	relog.exe
3512	relog.exe
3512	relog.exe
3512	relog.exe
3512	relog.exe
3512	relog.exe
3512	relog.exe
3512	relog.exe
3512	relog.exe
3512	relog.exe
3300	Explorer.EXE
3300	Explorer.EXE
3512	relog.exe
3512	relog.exe
3512	relog.exe
3512	relog.exe
3512	relog.exe
3512	relog.exe
684	msedge.exe
684	msedge.exe
2280	msedge.exe
408	msedge.exe
408	msedge.exe
2524	msedge.exe
4288	msedge.exe
3512	relog.exe
3512	relog.exe
3512	relog.exe
3512	relog.exe
3512	relog.exe
3512	relog.exe
3512	relog.exe
3512	relog.exe
3512	relog.exe
3512	relog.exe
3812	DC6.tmp.svchost.exe
3812	DC6.tmp.svchost.exe
3812	DC6.tmp.svchost.exe
3812	DC6.tmp.svchost.exe
3812	DC6.tmp.svchost.exe
3812	DC6.tmp.svchost.exe
3812	DC6.tmp.svchost.exe
3812	DC6.tmp.svchost.exe
3812	DC6.tmp.svchost.exe
3812	DC6.tmp.svchost.exe
3812	DC6.tmp.svchost.exe
3812	DC6.tmp.svchost.exe
3812	DC6.tmp.svchost.exe
3812	DC6.tmp.svchost.exe
3812	DC6.tmp.svchost.exe
3812	DC6.tmp.svchost.exe
3812	DC6.tmp.svchost.exe
3812	DC6.tmp.svchost.exe
3812	DC6.tmp.svchost.exe
3812	DC6.tmp.svchost.exe
3812	DC6.tmp.svchost.exe
3812	DC6.tmp.svchost.exe
3812	DC6.tmp.svchost.exe
3812	DC6.tmp.svchost.exe
3812	DC6.tmp.svchost.exe
3512	relog.exe
3512	relog.exe

Suspicious use of AdjustPrivilegeToken 40 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	1616	3644f9a06d97f903a5ceebdd7f2f4500.exe
Token: SeSecurityPrivilege	1616	3644f9a06d97f903a5ceebdd7f2f4500.exe
Token: SeTakeOwnershipPrivilege	1616	3644f9a06d97f903a5ceebdd7f2f4500.exe
Token: SeLoadDriverPrivilege	1616	3644f9a06d97f903a5ceebdd7f2f4500.exe
Token: SeSystemProfilePrivilege	1616	3644f9a06d97f903a5ceebdd7f2f4500.exe
Token: SeSystemtimePrivilege	1616	3644f9a06d97f903a5ceebdd7f2f4500.exe
Token: SeProfSingleProcessPrivilege	1616	3644f9a06d97f903a5ceebdd7f2f4500.exe
Token: SeIncBasePriorityPrivilege	1616	3644f9a06d97f903a5ceebdd7f2f4500.exe
Token: SeCreatePagefilePrivilege	1616	3644f9a06d97f903a5ceebdd7f2f4500.exe
Token: SeBackupPrivilege	1616	3644f9a06d97f903a5ceebdd7f2f4500.exe
Token: SeRestorePrivilege	1616	3644f9a06d97f903a5ceebdd7f2f4500.exe
Token: SeShutdownPrivilege	1616	3644f9a06d97f903a5ceebdd7f2f4500.exe
Token: SeDebugPrivilege	1616	3644f9a06d97f903a5ceebdd7f2f4500.exe
Token: SeSystemEnvironmentPrivilege	1616	3644f9a06d97f903a5ceebdd7f2f4500.exe
Token: SeRemoteShutdownPrivilege	1616	3644f9a06d97f903a5ceebdd7f2f4500.exe
Token: SeUndockPrivilege	1616	3644f9a06d97f903a5ceebdd7f2f4500.exe
Token: SeManageVolumePrivilege	1616	3644f9a06d97f903a5ceebdd7f2f4500.exe
Token: 33	1616	3644f9a06d97f903a5ceebdd7f2f4500.exe
Token: 34	1616	3644f9a06d97f903a5ceebdd7f2f4500.exe
Token: 35	1616	3644f9a06d97f903a5ceebdd7f2f4500.exe
Token: 36	1616	3644f9a06d97f903a5ceebdd7f2f4500.exe
Token: SeDebugPrivilege	3512	relog.exe
Token: SeDebugPrivilege	3512	relog.exe
Token: SeDebugPrivilege	3512	relog.exe
Token: SeDebugPrivilege	3512	relog.exe
Token: SeDebugPrivilege	3512	relog.exe
Token: SeShutdownPrivilege	3300	Explorer.EXE
Token: SeCreatePagefilePrivilege	3300	Explorer.EXE
Token: SeShutdownPrivilege	3300	Explorer.EXE
Token: SeCreatePagefilePrivilege	3300	Explorer.EXE
Token: SeDebugPrivilege	3512	relog.exe
Token: SeDebugPrivilege	3512	relog.exe
Token: SeDebugPrivilege	3512	relog.exe
Token: SeDebugPrivilege	3512	relog.exe
Token: SeDebugPrivilege	3512	relog.exe
Token: SeDebugPrivilege	2364	17AB.tmp.Serverssss.exe
Token: SeDebugPrivilege	3812	DC6.tmp.svchost.exe
Token: SeShutdownPrivilege	3300	Explorer.EXE
Token: SeCreatePagefilePrivilege	3300	Explorer.EXE
Token: SeDebugPrivilege	2928	svchost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1616 wrote to memory of 3512	1616	3644f9a06d97f903a5ceebdd7f2f4500.exe	91
PID 1616 wrote to memory of 3512	1616	3644f9a06d97f903a5ceebdd7f2f4500.exe	91
PID 1616 wrote to memory of 3512	1616	3644f9a06d97f903a5ceebdd7f2f4500.exe	91
PID 3512 wrote to memory of 3300	3512	relog.exe	55
PID 3512 wrote to memory of 3300	3512	relog.exe	55
PID 3512 wrote to memory of 684	3512	relog.exe	77
PID 3512 wrote to memory of 2496	3512	relog.exe	78
PID 3300 wrote to memory of 3812	3300	Explorer.EXE	94
PID 3300 wrote to memory of 3812	3300	Explorer.EXE	94
PID 3300 wrote to memory of 3812	3300	Explorer.EXE	94
PID 3300 wrote to memory of 2364	3300	Explorer.EXE	96
PID 3300 wrote to memory of 2364	3300	Explorer.EXE	96
PID 3300 wrote to memory of 2364	3300	Explorer.EXE	96
PID 3300 wrote to memory of 1808	3300	Explorer.EXE	97
PID 3300 wrote to memory of 1808	3300	Explorer.EXE	97
PID 3300 wrote to memory of 1808	3300	Explorer.EXE	97
PID 3512 wrote to memory of 2280	3512	relog.exe	79
PID 3512 wrote to memory of 408	3512	relog.exe	80
PID 3512 wrote to memory of 3436	3512	relog.exe	81
PID 3512 wrote to memory of 2524	3512	relog.exe	83
PID 3512 wrote to memory of 4288	3512	relog.exe	84
PID 684 wrote to memory of 3232	684	msedge.exe	100
PID 684 wrote to memory of 3232	684	msedge.exe	100
PID 684 wrote to memory of 3232	684	msedge.exe	100
PID 684 wrote to memory of 3232	684	msedge.exe	100
PID 684 wrote to memory of 3232	684	msedge.exe	100
PID 684 wrote to memory of 3232	684	msedge.exe	100
PID 684 wrote to memory of 3232	684	msedge.exe	100
PID 684 wrote to memory of 3232	684	msedge.exe	100
PID 684 wrote to memory of 3232	684	msedge.exe	100
PID 684 wrote to memory of 3232	684	msedge.exe	100
PID 684 wrote to memory of 3232	684	msedge.exe	100
PID 684 wrote to memory of 3232	684	msedge.exe	100
PID 684 wrote to memory of 3232	684	msedge.exe	100
PID 684 wrote to memory of 3232	684	msedge.exe	100
PID 684 wrote to memory of 3232	684	msedge.exe	100
PID 684 wrote to memory of 3232	684	msedge.exe	100
PID 684 wrote to memory of 3232	684	msedge.exe	100
PID 684 wrote to memory of 3232	684	msedge.exe	100
PID 684 wrote to memory of 3232	684	msedge.exe	100
PID 684 wrote to memory of 3232	684	msedge.exe	100
PID 684 wrote to memory of 3232	684	msedge.exe	100
PID 684 wrote to memory of 3232	684	msedge.exe	100
PID 684 wrote to memory of 3232	684	msedge.exe	100
PID 684 wrote to memory of 3232	684	msedge.exe	100
PID 684 wrote to memory of 3232	684	msedge.exe	100
PID 684 wrote to memory of 3232	684	msedge.exe	100
PID 684 wrote to memory of 3232	684	msedge.exe	100
PID 684 wrote to memory of 3232	684	msedge.exe	100
PID 684 wrote to memory of 3232	684	msedge.exe	100
PID 684 wrote to memory of 3232	684	msedge.exe	100
PID 684 wrote to memory of 3232	684	msedge.exe	100
PID 684 wrote to memory of 3232	684	msedge.exe	100
PID 684 wrote to memory of 3232	684	msedge.exe	100
PID 684 wrote to memory of 3232	684	msedge.exe	100
PID 684 wrote to memory of 3232	684	msedge.exe	100
PID 684 wrote to memory of 3232	684	msedge.exe	100
PID 684 wrote to memory of 3232	684	msedge.exe	100
PID 684 wrote to memory of 3232	684	msedge.exe	100
PID 684 wrote to memory of 3232	684	msedge.exe	100
PID 684 wrote to memory of 3232	684	msedge.exe	100
PID 684 wrote to memory of 3232	684	msedge.exe	100
PID 684 wrote to memory of 3232	684	msedge.exe	100
PID 684 wrote to memory of 3232	684	msedge.exe	100

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3300
- C:\Users\Admin\AppData\Local\Temp\3644f9a06d97f903a5ceebdd7f2f4500.exe
  "C:\Users\Admin\AppData\Local\Temp\3644f9a06d97f903a5ceebdd7f2f4500.exe"
  2⤵
  - Drops startup file
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1616
- - C:\Windows\system32\relog.exe
    C:\Windows\system32\relog.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3512
- C:\Users\Admin\AppData\Local\Temp\DC6.tmp.svchost.exe
  "C:\Users\Admin\AppData\Local\Temp\DC6.tmp.svchost.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3812
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\AppData\Roaming\svchost.exe"' & exit
    3⤵
    PID:3668
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\AppData\Roaming\svchost.exe"'
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:3280
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp4D7F.tmp.bat""
    3⤵
    PID:3796
  - - C:\Windows\SysWOW64\timeout.exe
      timeout 3
      4⤵
      Delays execution with timeout.exe
      PID:3608
  - - C:\Users\Admin\AppData\Roaming\svchost.exe
      "C:\Users\Admin\AppData\Roaming\svchost.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:2928
- C:\Users\Admin\AppData\Local\Temp\17AB.tmp.Serverssss.exe
  "C:\Users\Admin\AppData\Local\Temp\17AB.tmp.Serverssss.exe"
  2⤵
  - Executes dropped EXE
  - Drops desktop.ini file(s)
  - Checks processor information in registry
  - Suspicious use of AdjustPrivilegeToken
  PID:2364
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
    3⤵
    PID:1752
  - - C:\Windows\SysWOW64\chcp.com
      chcp 65001
      4⤵
      PID:1112
  - - C:\Windows\SysWOW64\netsh.exe
      netsh wlan show profile
      4⤵
      Event Triggered Execution: Netsh Helper DLL
      PID:1092
  - - C:\Windows\SysWOW64\findstr.exe
      findstr All
      4⤵
      PID:4440
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
    3⤵
    PID:4568
  - - C:\Windows\SysWOW64\chcp.com
      chcp 65001
      4⤵
      PID:2300
  - - C:\Windows\SysWOW64\netsh.exe
      netsh wlan show networks mode=bssid
      4⤵
      Event Triggered Execution: Netsh Helper DLL
      PID:3472
- C:\Users\Admin\AppData\Local\Temp\1932.tmp.svchost.exe
  "C:\Users\Admin\AppData\Local\Temp\1932.tmp.svchost.exe"
  2⤵
  - Executes dropped EXE
  PID:1808

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:684
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=122.0.6261.70 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=122.0.2365.52 --initial-client-data=0x238,0x23c,0x240,0x234,0x2f4,0x7ffd3b3c2e98,0x7ffd3b3c2ea4,0x7ffd3b3c2eb0
  2⤵
  PID:2496
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=2276 --field-trial-handle=2280,i,4114443225282860369,4764091921472631035,262144 --variations-seed-version /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2280
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=3220 --field-trial-handle=2280,i,4114443225282860369,4764091921472631035,262144 --variations-seed-version /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:408
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=3480 --field-trial-handle=2280,i,4114443225282860369,4764091921472631035,262144 --variations-seed-version /prefetch:8
  2⤵
  PID:3436
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --instant-process --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=11 --mojo-platform-channel-handle=5312 --field-trial-handle=2280,i,4114443225282860369,4764091921472631035,262144 --variations-seed-version /prefetch:1
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2524
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=12 --mojo-platform-channel-handle=5324 --field-trial-handle=2280,i,4114443225282860369,4764091921472631035,262144 --variations-seed-version /prefetch:1
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4288
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=3468 --field-trial-handle=2280,i,4114443225282860369,4764091921472631035,262144 --variations-seed-version /prefetch:8
  2⤵
  PID:3232
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4700 --field-trial-handle=2280,i,4114443225282860369,4764091921472631035,262144 --variations-seed-version /prefetch:8
  2⤵
  PID:3336

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
e1acba25e664db4f5b29a4f53d733a42

SHA1
3372c405dc21ae7e061e947176041b3414b52818

SHA256
40b699f4d64261b9802580be4e723fed50af6e081a6453e2eabbf9c58eb29012

SHA512
a9cbb29a0f4543b350951df9bdd3f06bbf9df4871692f87b4e84862e85d5b72305efba0ee886914de6b05075910f2906d75f78ade715240bc70e970a1e31f206

Download Submit
C:\Users\Admin\AppData\Local\Temp\17AB.tmp.Serverssss.exe

Filesize
175KB

MD5
da34ea26ddfedfd7966e8aedf0bb93e6

SHA1
ba30bde364d564268d175090364158cb66c165a9

SHA256
817940c9dd88c9d185f58532e2027e9df7bfaca8249ec96ae055da03c8750f20

SHA512
fbf634fd22ec37a65540c6ad1968b53666308d4d31a151c26b1444e242de40c95c0f48f96010bc72e5e0e9a10982b4f56590e96aded12015de915d7d86af8dff

Download Submit
C:\Users\Admin\AppData\Local\Temp\DC6.tmp.svchost.exe

Filesize
47KB

MD5
6d13d147a209e3be044035f0c03b7bde

SHA1
1eb5fb487ea7742ff1766ca5bf1b7191cfcf6283

SHA256
9c457b1cd061ae951fbed7841149b247e085befa6e2c5170058ce35cdebce548

SHA512
a159d09265fa833afddce5fe7fab6d4be0fc37fd4c2e0d1a15851427764ad3c068249ba28d000a076209d017cb65e4320752ac7a3a0314239d836f1e15ae39a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\TH6E1.tmp

Filesize
222KB

MD5
933bc84c355410977507fce60295cc73

SHA1
1b395d4888d1dc60127e7c65fe7da857981bda1e

SHA256
f097a2cdef650eddd702047ae31625bafedd92099b92c1cfc61be73e636ed152

SHA512
d7f3ae4b5729b392e610fd084b7b19408ec52215106e8dd58cf7d019db8cd398bd4a368adf526e72f8cd6e8584ac0fe392d979e719df79bb17b5570542cb4740

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp4D7F.tmp.bat

Filesize
151B

MD5
2bea490af3f2d791c9d9d23d3ebfced7

SHA1
b048fdb35104437d740c5dd84ebe8b8cbf0a454b

SHA256
dd82e69f788b551c42ee824d773b724950d86511ff3e8a7e1709a926f08e57d8

SHA512
e3b1b271210b1a4582900aad715d4a14736199b59ac40f4666c4d9f62014d7dce9dec853a19d7ed2303b82fbb2b35799f42d1610e761e177847132abf181f1c7

Download Submit
C:\Users\Admin\AppData\Local\ae2b3b02108afcee055284706dff9e4a\msgid.dat

Filesize
1B

MD5
cfcd208495d565ef66e7dff9f98764da

SHA1
b6589fc6ab0dc82cf12099d1c2d40ab994e8410c

SHA256
5feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9

SHA512
31bca02094eb78126a517b206a88c73cfa9ec6f704c7030d18212cace820f025f00bf0ea68dbf3f3a5436ca63b53bf7bf80ad8d5de7d8359d0b7fed9dbc3ab99

Download Submit
C:\Users\Admin\AppData\Local\d0448a264e9ef0baf128e2d49c44d784\Admin@OAILVCNY_en-US\Browsers\Firefox\Bookmarks.txt

Filesize
105B

MD5
2e9d094dda5cdc3ce6519f75943a4ff4

SHA1
5d989b4ac8b699781681fe75ed9ef98191a5096c

SHA256
c84c98bbf5e0ef9c8d0708b5d60c5bb656b7d6be5135d7f7a8d25557e08cf142

SHA512
d1f7eed00959e902bdb2125b91721460d3ff99f3bdfc1f2a343d4f58e8d4e5e5a06c0c6cdc0379211c94510f7c00d7a8b34fa7d0ca0c3d54cbbe878f1e9812b7

Download Submit
C:\Users\Admin\AppData\Local\d0448a264e9ef0baf128e2d49c44d784\Admin@OAILVCNY_en-US\System\Process.txt

Filesize
4KB

MD5
f016dfc231f6a5632ee40227595e58a1

SHA1
1177fc2d3fd86e97f625bb700074936e9b39367c

SHA256
ad7217e70adbbee374d0a8a44528b4e68706a03daf09f06e2172009620728409

SHA512
6a8a209e987de6bef6267e75a4f6ecaecd739ff897c7b0b54ebaa90bcec851efb5e3342c5f5406e6b8e2f56debb163409b4d78233c89aae5eb3ed48acbe0a5e3

Download Submit
C:\Users\Admin\AppData\Roaming\Adobe\Service_Adobe.exe

Filesize
222KB

MD5
3644f9a06d97f903a5ceebdd7f2f4500

SHA1
53ed26fba664d03b0e2423d6da7235c983fe2a1e

SHA256
bfc572da40fc3dcbee2ff5590ad5f630becf69e18df37b44140bd4f214facf56

SHA512
f0dced1046018e83a33acc0e06f43bdd300ae4defff974c033a1f16cfd78c366cfd11e480554c197d844442fcfd51494ea39abb7c9c22c686d1b3a6cf5c30d1a

Download Submit
memory/2364-102-0x0000000004C70000-0x0000000004CD6000-memory.dmp

Filesize
408KB

Download
memory/2364-88-0x0000000000190000-0x00000000001C2000-memory.dmp

Filesize
200KB

Download
memory/2364-272-0x0000000005C40000-0x0000000005C52000-memory.dmp

Filesize
72KB

Download
memory/2364-266-0x0000000005080000-0x000000000508A000-memory.dmp

Filesize
40KB

Download
memory/2364-260-0x0000000006110000-0x00000000066B4000-memory.dmp

Filesize
5.6MB

Download
memory/2364-259-0x0000000005AC0000-0x0000000005B52000-memory.dmp

Filesize
584KB

Download
memory/3300-62-0x00007FFD5D3C0000-0x00007FFD5D3C1000-memory.dmp

Filesize
4KB

Download
memory/3300-107-0x00000000033C0000-0x0000000003411000-memory.dmp

Filesize
324KB

Download
memory/3300-106-0x0000000003170000-0x000000000318A000-memory.dmp

Filesize
104KB

Download
memory/3300-50-0x00000000033C0000-0x0000000003411000-memory.dmp

Filesize
324KB

Download
memory/3300-46-0x0000000002FD0000-0x0000000002FE6000-memory.dmp

Filesize
88KB

Download
memory/3300-53-0x00000000033C0000-0x0000000003411000-memory.dmp

Filesize
324KB

Download
memory/3300-52-0x0000000003170000-0x000000000318A000-memory.dmp

Filesize
104KB

Download
memory/3300-48-0x00000000031C0000-0x0000000003202000-memory.dmp

Filesize
264KB

Download
memory/3812-96-0x00000000057D0000-0x000000000586C000-memory.dmp

Filesize
624KB

Download
memory/3812-89-0x0000000000AD0000-0x0000000000AE2000-memory.dmp

Filesize
72KB

Download