asyncrat | 1423053f90855d33858db47f354055b660943104c1c18f848c9b7b415979dc5f

max time kernel
150s
max time network
130s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
03-07-2024 16:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

42f972925508a82236e8533567487761.exe
Size

3.7MB
MD5

9d2a888ca79e1ff3820882ea1d88d574
SHA1

112c38d80bf2c0d48256249bbabe906b834b1f66
SHA256

8b5b38085f12d51393ed5a481a554074d3c482d53ecd917f2f5dffdf3d2ee138
SHA512

17a9f74ecf9f118ed0252fa0bc6ce0f9758a4dc75f238cae304def9c37cd94623818dd4aef38826642ff9e549b7e6047318f8bf6de7edff2d61a298d0bf5c840
SSDEEP

98304:Nn1CVf+y/EFc7DvOUxlpq2JdnQ+O2M7hlXKUmkbtT2TMI:A/EqaUFqItO2M7PXKUmkbtT2T

Score

10^/10

asyncrat babylonrat darkcomet njrat warzonerat 2020nov1 evasion infostealer persistence privilege_escalation rat trojan

Malware Config

Extracted

Family

babylonrat

sandyclark255.hopto.org

Extracted

Family

warzonerat

sandyclark255.hopto.org:5200

Extracted

Family

darkcomet

Botnet

2020NOV1

sandyclark255.hopto.org:35887

Mutex

DC_MUTEX-6XT818D

Attributes

InstallPath
excelsl.exe
gencode
n7asq0Dbu7D2
install
true
offline_keylogger
true
password
hhhhhh
persistence
true
reg_key
office

Extracted

Family

asyncrat

Version

0.5.6A

sandyclark255.hopto.org:6606

sandyclark255.hopto.org:8808

sandyclark255.hopto.org:7707

Mutex

adweqsds56332

Attributes

delay
5
install
true
install_file
prndrvest.exe
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Babylon RAT
Babylon RAT is remote access trojan written in C++.
trojan babylonrat
Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet

Modifies WinLogon for persistence 2 TTPs 3 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "\"C:\\Users\\Admin\\AppData\\Roaming\\k4Xq51JTS0f2R98Z\\7ZzzdrRqOCBz.exe\",explorer.exe"	QyDSW8NVl3ePpAfR.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\Documents\\excelsl.exe"	svuhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "\"C:\\Users\\Admin\\AppData\\Roaming\\k4Xq51JTS0f2R98Z\\oRMWLmxDxIiZ.exe\",explorer.exe"	svbhost.exe

WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat
njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Async RAT payload 2 IoCs

rat

resource	yara_rule
behavioral16/memory/4860-195-0x0000000005050000-0x0000000005062000-memory.dmp	family_asyncrat
behavioral16/memory/2812-255-0x0000000005AA0000-0x0000000005AB2000-memory.dmp	family_asyncrat

Warzone RAT payload 2 IoCs

rat

resource	yara_rule
behavioral16/memory/4460-107-0x0000000000400000-0x0000000000554000-memory.dmp	warzonerat
behavioral16/memory/4460-111-0x0000000000400000-0x0000000000554000-memory.dmp	warzonerat

Disables RegEdit via registry modification 1 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	svuhost.exe

Disables Task Manager via registry modification
evasion

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	svuhost.exe

Modifies Windows Firewall 2 TTPs 1 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
3852	netsh.exe

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\Control Panel\International\Geo\Nation	42f972925508a82236e8533567487761.exe
Key value queried	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\Control Panel\International\Geo\Nation	svuhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\Control Panel\International\Geo\Nation	DonKdq8BWj8daM41.exe
Key value queried	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\Control Panel\International\Geo\Nation	oBXgVKAbRuKoSQ4A.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\2d790bed038373d95093d4db590b9997.exe	svehosts.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\2d790bed038373d95093d4db590b9997.exe	svehosts.exe

Executes dropped EXE 21 IoCs

pid	Process
1596	DonKdq8BWj8daM41.exe
2672	QyDSW8NVl3ePpAfR.exe
4200	GOgeIF51dah78xBn.exe
4860	oBXgVKAbRuKoSQ4A.exe
3524	vkFkwTHl4aZC3Krr.exe
2676	Z33KiU5j5gmh3zfr.exe
4540	svthost.exe
3228	svthost.exe
2024	svthost.exe
1196	svthost.exe
8	svbhost.exe
4460	eridjeht.exe
2556	svbhost.exe
4476	svrhost.exe
404	svrhost.exe
2536	svuhost.exe
3140	excelsl.exe
3976	svbhost.exe
3892	svehosts.exe
3480	svuhost.exe
2812	prndrvest.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\2d790bed038373d95093d4db590b9997 = "\"C:\\Windows\\svehosts.exe\" .."	svehosts.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\office = "C:\\Users\\Admin\\Documents\\excelsl.exe"	svuhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\office = "C:\\Users\\Admin\\Documents\\excelsl.exe"	svuhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\2d790bed038373d95093d4db590b9997 = "\"C:\\Windows\\svehosts.exe\" .."	svehosts.exe

Suspicious use of SetThreadContext 7 IoCs

description	pid	Process	procid_target
PID 3140 set thread context of 1196	3140	42f972925508a82236e8533567487761.exe	107
PID 2672 set thread context of 8	2672	QyDSW8NVl3ePpAfR.exe	111
PID 2676 set thread context of 4460	2676	Z33KiU5j5gmh3zfr.exe	112
PID 3524 set thread context of 4476	3524	vkFkwTHl4aZC3Krr.exe	118
PID 4200 set thread context of 2536	4200	GOgeIF51dah78xBn.exe	121
PID 2556 set thread context of 3976	2556	svbhost.exe	127
PID 3140 set thread context of 3480	3140	excelsl.exe	129

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\svehosts.exe	DonKdq8BWj8daM41.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe

Program crash 5 IoCs

pid	pid_target	Process	procid_target
2892	3140	WerFault.exe	86
380	2676	WerFault.exe	102
2160	3524	WerFault.exe	103
1308	4200	WerFault.exe	100
3524	3140	WerFault.exe	125

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
1092	timeout.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	svuhost.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2932	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3140	42f972925508a82236e8533567487761.exe
3140	42f972925508a82236e8533567487761.exe
3140	42f972925508a82236e8533567487761.exe
3140	42f972925508a82236e8533567487761.exe
3140	42f972925508a82236e8533567487761.exe
3140	42f972925508a82236e8533567487761.exe
3140	42f972925508a82236e8533567487761.exe
3140	42f972925508a82236e8533567487761.exe
3140	42f972925508a82236e8533567487761.exe
3140	42f972925508a82236e8533567487761.exe
3140	42f972925508a82236e8533567487761.exe
3140	42f972925508a82236e8533567487761.exe
3140	42f972925508a82236e8533567487761.exe
3140	42f972925508a82236e8533567487761.exe
3140	42f972925508a82236e8533567487761.exe
3140	42f972925508a82236e8533567487761.exe
2672	QyDSW8NVl3ePpAfR.exe
2672	QyDSW8NVl3ePpAfR.exe
2676	Z33KiU5j5gmh3zfr.exe
2676	Z33KiU5j5gmh3zfr.exe
2676	Z33KiU5j5gmh3zfr.exe
2676	Z33KiU5j5gmh3zfr.exe
3524	vkFkwTHl4aZC3Krr.exe
3524	vkFkwTHl4aZC3Krr.exe
3524	vkFkwTHl4aZC3Krr.exe
3524	vkFkwTHl4aZC3Krr.exe
3524	vkFkwTHl4aZC3Krr.exe
3524	vkFkwTHl4aZC3Krr.exe
3524	vkFkwTHl4aZC3Krr.exe
3524	vkFkwTHl4aZC3Krr.exe
4200	GOgeIF51dah78xBn.exe
4200	GOgeIF51dah78xBn.exe
4200	GOgeIF51dah78xBn.exe
4200	GOgeIF51dah78xBn.exe
2556	svbhost.exe
2556	svbhost.exe
3140	excelsl.exe
3140	excelsl.exe
3140	excelsl.exe
3140	excelsl.exe
4860	oBXgVKAbRuKoSQ4A.exe
4860	oBXgVKAbRuKoSQ4A.exe
4860	oBXgVKAbRuKoSQ4A.exe
4860	oBXgVKAbRuKoSQ4A.exe
4860	oBXgVKAbRuKoSQ4A.exe
4860	oBXgVKAbRuKoSQ4A.exe
4860	oBXgVKAbRuKoSQ4A.exe
4860	oBXgVKAbRuKoSQ4A.exe
4860	oBXgVKAbRuKoSQ4A.exe
4860	oBXgVKAbRuKoSQ4A.exe
4860	oBXgVKAbRuKoSQ4A.exe
4860	oBXgVKAbRuKoSQ4A.exe
4860	oBXgVKAbRuKoSQ4A.exe
4860	oBXgVKAbRuKoSQ4A.exe
4860	oBXgVKAbRuKoSQ4A.exe
4860	oBXgVKAbRuKoSQ4A.exe
4860	oBXgVKAbRuKoSQ4A.exe
4860	oBXgVKAbRuKoSQ4A.exe
4860	oBXgVKAbRuKoSQ4A.exe
4860	oBXgVKAbRuKoSQ4A.exe
4860	oBXgVKAbRuKoSQ4A.exe
4860	oBXgVKAbRuKoSQ4A.exe
2812	prndrvest.exe
2812	prndrvest.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
4476	svrhost.exe
8	svbhost.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3140	42f972925508a82236e8533567487761.exe
Token: SeDebugPrivilege	3140	42f972925508a82236e8533567487761.exe
Token: SeDebugPrivilege	2672	QyDSW8NVl3ePpAfR.exe
Token: SeDebugPrivilege	2672	QyDSW8NVl3ePpAfR.exe
Token: SeDebugPrivilege	2676	Z33KiU5j5gmh3zfr.exe
Token: SeDebugPrivilege	3524	vkFkwTHl4aZC3Krr.exe
Token: SeDebugPrivilege	1596	DonKdq8BWj8daM41.exe
Token: SeDebugPrivilege	1596	DonKdq8BWj8daM41.exe
Token: SeShutdownPrivilege	8	svbhost.exe
Token: SeDebugPrivilege	8	svbhost.exe
Token: SeTcbPrivilege	8	svbhost.exe
Token: SeDebugPrivilege	4200	GOgeIF51dah78xBn.exe
Token: SeDebugPrivilege	4860	oBXgVKAbRuKoSQ4A.exe
Token: SeIncreaseQuotaPrivilege	2536	svuhost.exe
Token: SeSecurityPrivilege	2536	svuhost.exe
Token: SeTakeOwnershipPrivilege	2536	svuhost.exe
Token: SeLoadDriverPrivilege	2536	svuhost.exe
Token: SeSystemProfilePrivilege	2536	svuhost.exe
Token: SeSystemtimePrivilege	2536	svuhost.exe
Token: SeProfSingleProcessPrivilege	2536	svuhost.exe
Token: SeIncBasePriorityPrivilege	2536	svuhost.exe
Token: SeCreatePagefilePrivilege	2536	svuhost.exe
Token: SeBackupPrivilege	2536	svuhost.exe
Token: SeRestorePrivilege	2536	svuhost.exe
Token: SeShutdownPrivilege	2536	svuhost.exe
Token: SeDebugPrivilege	2536	svuhost.exe
Token: SeSystemEnvironmentPrivilege	2536	svuhost.exe
Token: SeChangeNotifyPrivilege	2536	svuhost.exe
Token: SeRemoteShutdownPrivilege	2536	svuhost.exe
Token: SeUndockPrivilege	2536	svuhost.exe
Token: SeManageVolumePrivilege	2536	svuhost.exe
Token: SeImpersonatePrivilege	2536	svuhost.exe
Token: SeCreateGlobalPrivilege	2536	svuhost.exe
Token: 33	2536	svuhost.exe
Token: 34	2536	svuhost.exe
Token: 35	2536	svuhost.exe
Token: 36	2536	svuhost.exe
Token: SeDebugPrivilege	2556	svbhost.exe
Token: SeDebugPrivilege	2556	svbhost.exe
Token: SeDebugPrivilege	3140	excelsl.exe
Token: SeShutdownPrivilege	3976	svbhost.exe
Token: SeDebugPrivilege	3976	svbhost.exe
Token: SeTcbPrivilege	3976	svbhost.exe
Token: SeIncreaseQuotaPrivilege	3480	svuhost.exe
Token: SeSecurityPrivilege	3480	svuhost.exe
Token: SeTakeOwnershipPrivilege	3480	svuhost.exe
Token: SeLoadDriverPrivilege	3480	svuhost.exe
Token: SeSystemProfilePrivilege	3480	svuhost.exe
Token: SeSystemtimePrivilege	3480	svuhost.exe
Token: SeProfSingleProcessPrivilege	3480	svuhost.exe
Token: SeIncBasePriorityPrivilege	3480	svuhost.exe
Token: SeCreatePagefilePrivilege	3480	svuhost.exe
Token: SeBackupPrivilege	3480	svuhost.exe
Token: SeRestorePrivilege	3480	svuhost.exe
Token: SeShutdownPrivilege	3480	svuhost.exe
Token: SeDebugPrivilege	3480	svuhost.exe
Token: SeSystemEnvironmentPrivilege	3480	svuhost.exe
Token: SeChangeNotifyPrivilege	3480	svuhost.exe
Token: SeRemoteShutdownPrivilege	3480	svuhost.exe
Token: SeUndockPrivilege	3480	svuhost.exe
Token: SeManageVolumePrivilege	3480	svuhost.exe
Token: SeImpersonatePrivilege	3480	svuhost.exe
Token: SeCreateGlobalPrivilege	3480	svuhost.exe
Token: 33	3480	svuhost.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
8	svbhost.exe
3480	svuhost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3140 wrote to memory of 1596	3140	42f972925508a82236e8533567487761.exe	98
PID 3140 wrote to memory of 1596	3140	42f972925508a82236e8533567487761.exe	98
PID 3140 wrote to memory of 1596	3140	42f972925508a82236e8533567487761.exe	98
PID 3140 wrote to memory of 2672	3140	42f972925508a82236e8533567487761.exe	99
PID 3140 wrote to memory of 2672	3140	42f972925508a82236e8533567487761.exe	99
PID 3140 wrote to memory of 2672	3140	42f972925508a82236e8533567487761.exe	99
PID 3140 wrote to memory of 4200	3140	42f972925508a82236e8533567487761.exe	100
PID 3140 wrote to memory of 4200	3140	42f972925508a82236e8533567487761.exe	100
PID 3140 wrote to memory of 4200	3140	42f972925508a82236e8533567487761.exe	100
PID 3140 wrote to memory of 4860	3140	42f972925508a82236e8533567487761.exe	101
PID 3140 wrote to memory of 4860	3140	42f972925508a82236e8533567487761.exe	101
PID 3140 wrote to memory of 4860	3140	42f972925508a82236e8533567487761.exe	101
PID 3140 wrote to memory of 2676	3140	42f972925508a82236e8533567487761.exe	102
PID 3140 wrote to memory of 2676	3140	42f972925508a82236e8533567487761.exe	102
PID 3140 wrote to memory of 2676	3140	42f972925508a82236e8533567487761.exe	102
PID 3140 wrote to memory of 3524	3140	42f972925508a82236e8533567487761.exe	103
PID 3140 wrote to memory of 3524	3140	42f972925508a82236e8533567487761.exe	103
PID 3140 wrote to memory of 3524	3140	42f972925508a82236e8533567487761.exe	103
PID 3140 wrote to memory of 4540	3140	42f972925508a82236e8533567487761.exe	104
PID 3140 wrote to memory of 4540	3140	42f972925508a82236e8533567487761.exe	104
PID 3140 wrote to memory of 4540	3140	42f972925508a82236e8533567487761.exe	104
PID 3140 wrote to memory of 3228	3140	42f972925508a82236e8533567487761.exe	105
PID 3140 wrote to memory of 3228	3140	42f972925508a82236e8533567487761.exe	105
PID 3140 wrote to memory of 3228	3140	42f972925508a82236e8533567487761.exe	105
PID 3140 wrote to memory of 2024	3140	42f972925508a82236e8533567487761.exe	106
PID 3140 wrote to memory of 2024	3140	42f972925508a82236e8533567487761.exe	106
PID 3140 wrote to memory of 2024	3140	42f972925508a82236e8533567487761.exe	106
PID 3140 wrote to memory of 1196	3140	42f972925508a82236e8533567487761.exe	107
PID 3140 wrote to memory of 1196	3140	42f972925508a82236e8533567487761.exe	107
PID 3140 wrote to memory of 1196	3140	42f972925508a82236e8533567487761.exe	107
PID 3140 wrote to memory of 1196	3140	42f972925508a82236e8533567487761.exe	107
PID 3140 wrote to memory of 1196	3140	42f972925508a82236e8533567487761.exe	107
PID 3140 wrote to memory of 1196	3140	42f972925508a82236e8533567487761.exe	107
PID 3140 wrote to memory of 1196	3140	42f972925508a82236e8533567487761.exe	107
PID 3140 wrote to memory of 1196	3140	42f972925508a82236e8533567487761.exe	107
PID 3140 wrote to memory of 1196	3140	42f972925508a82236e8533567487761.exe	107
PID 3140 wrote to memory of 1196	3140	42f972925508a82236e8533567487761.exe	107
PID 3140 wrote to memory of 1196	3140	42f972925508a82236e8533567487761.exe	107
PID 3140 wrote to memory of 1196	3140	42f972925508a82236e8533567487761.exe	107
PID 2672 wrote to memory of 8	2672	QyDSW8NVl3ePpAfR.exe	111
PID 2672 wrote to memory of 8	2672	QyDSW8NVl3ePpAfR.exe	111
PID 2672 wrote to memory of 8	2672	QyDSW8NVl3ePpAfR.exe	111
PID 2672 wrote to memory of 8	2672	QyDSW8NVl3ePpAfR.exe	111
PID 2672 wrote to memory of 8	2672	QyDSW8NVl3ePpAfR.exe	111
PID 2672 wrote to memory of 8	2672	QyDSW8NVl3ePpAfR.exe	111
PID 2672 wrote to memory of 8	2672	QyDSW8NVl3ePpAfR.exe	111
PID 2672 wrote to memory of 8	2672	QyDSW8NVl3ePpAfR.exe	111
PID 2672 wrote to memory of 8	2672	QyDSW8NVl3ePpAfR.exe	111
PID 2672 wrote to memory of 8	2672	QyDSW8NVl3ePpAfR.exe	111
PID 2676 wrote to memory of 4460	2676	Z33KiU5j5gmh3zfr.exe	112
PID 2676 wrote to memory of 4460	2676	Z33KiU5j5gmh3zfr.exe	112
PID 2676 wrote to memory of 4460	2676	Z33KiU5j5gmh3zfr.exe	112
PID 2676 wrote to memory of 4460	2676	Z33KiU5j5gmh3zfr.exe	112
PID 2676 wrote to memory of 4460	2676	Z33KiU5j5gmh3zfr.exe	112
PID 2676 wrote to memory of 4460	2676	Z33KiU5j5gmh3zfr.exe	112
PID 2676 wrote to memory of 4460	2676	Z33KiU5j5gmh3zfr.exe	112
PID 2676 wrote to memory of 4460	2676	Z33KiU5j5gmh3zfr.exe	112
PID 2676 wrote to memory of 4460	2676	Z33KiU5j5gmh3zfr.exe	112
PID 2676 wrote to memory of 4460	2676	Z33KiU5j5gmh3zfr.exe	112
PID 2676 wrote to memory of 4460	2676	Z33KiU5j5gmh3zfr.exe	112
PID 8 wrote to memory of 2556	8	svbhost.exe	114
PID 8 wrote to memory of 2556	8	svbhost.exe	114
PID 8 wrote to memory of 2556	8	svbhost.exe	114
PID 3524 wrote to memory of 404	3524	vkFkwTHl4aZC3Krr.exe	117

C:\Users\Admin\AppData\Local\Temp\42f972925508a82236e8533567487761.exe
"C:\Users\Admin\AppData\Local\Temp\42f972925508a82236e8533567487761.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3140
- C:\Users\Admin\AppData\Local\Temp\DonKdq8BWj8daM41.exe
  "C:\Users\Admin\AppData\Local\Temp\DonKdq8BWj8daM41.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID:1596
- - C:\Windows\svehosts.exe
    "C:\Windows\svehosts.exe"
    3⤵
    - Drops startup file
    - Executes dropped EXE
    - Adds Run key to start application
    PID:3892
  - - C:\Windows\SysWOW64\netsh.exe
      netsh firewall add allowedprogram "C:\Windows\svehosts.exe" "svehosts.exe" ENABLE
      4⤵
      Modifies Windows Firewall
      Event Triggered Execution: Netsh Helper DLL
      PID:3852
- C:\Users\Admin\AppData\Local\Temp\QyDSW8NVl3ePpAfR.exe
  "C:\Users\Admin\AppData\Local\Temp\QyDSW8NVl3ePpAfR.exe"
  2⤵
  - Modifies WinLogon for persistence
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2672
- - C:\Users\Admin\AppData\Local\Temp\RJCisDErBR6WU7D5\svbhost.exe
    "C:\Users\Admin\AppData\Local\Temp\RJCisDErBR6WU7D5\svbhost.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:8
  - - C:\Users\Admin\AppData\Local\Temp\RJCisDErBR6WU7D5\svbhost.exe
      "C:\Users\Admin\AppData\Local\Temp\RJCisDErBR6WU7D5\svbhost.exe" 8
      4⤵
      Modifies WinLogon for persistence
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2556
    - - C:\Users\Admin\AppData\Local\Temp\RJCisDErBR6WU7D5\svbhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RJCisDErBR6WU7D5\svbhost.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3976
- C:\Users\Admin\AppData\Local\Temp\GOgeIF51dah78xBn.exe
  "C:\Users\Admin\AppData\Local\Temp\GOgeIF51dah78xBn.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4200
- - C:\Users\Admin\AppData\Local\Temp\heCYMLXIPI2fpGWa\svuhost.exe
    "C:\Users\Admin\AppData\Local\Temp\heCYMLXIPI2fpGWa\svuhost.exe"
    3⤵
    - Modifies WinLogon for persistence
    - Drops file in Drivers directory
    - Checks computer location settings
    - Executes dropped EXE
    - Adds Run key to start application
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    PID:2536
  - - C:\Windows\SysWOW64\notepad.exe
      notepad
      4⤵
      PID:1528
  - - C:\Users\Admin\Documents\excelsl.exe
      "C:\Users\Admin\Documents\excelsl.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3140
    - - C:\Users\Admin\AppData\Local\Temp\heCYMLXIPI2fpGWa\svuhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\heCYMLXIPI2fpGWa\svuhost.exe"
        5⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:3480
      - C:\Windows\SysWOW64\notepad.exe
        
        notepad
        6⤵
        
        PID:4168
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3140 -s 1140
        5⤵
        Program crash
        
        PID:3524
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4200 -s 1148
    3⤵
    - Program crash
    PID:1308
- C:\Users\Admin\AppData\Local\Temp\oBXgVKAbRuKoSQ4A.exe
  "C:\Users\Admin\AppData\Local\Temp\oBXgVKAbRuKoSQ4A.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4860
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "'prndrvest"' /tr "'C:\Users\Admin\AppData\Roaming\prndrvest.exe"'
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2932
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp79CF.tmp.bat""
    3⤵
    PID:3316
  - - C:\Windows\SysWOW64\timeout.exe
      timeout 3
      4⤵
      Delays execution with timeout.exe
      PID:1092
  - - C:\Users\Admin\AppData\Roaming\prndrvest.exe
      "C:\Users\Admin\AppData\Roaming\prndrvest.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      PID:2812
- C:\Users\Admin\AppData\Local\Temp\Z33KiU5j5gmh3zfr.exe
  "C:\Users\Admin\AppData\Local\Temp\Z33KiU5j5gmh3zfr.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2676
- - C:\Users\Admin\AppData\Local\Temp\fI87ltOJhCNhEwlw\eridjeht.exe
    "C:\Users\Admin\AppData\Local\Temp\fI87ltOJhCNhEwlw\eridjeht.exe"
    3⤵
    - Executes dropped EXE
    PID:4460
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2676 -s 1160
    3⤵
    - Program crash
    PID:380
- C:\Users\Admin\AppData\Local\Temp\vkFkwTHl4aZC3Krr.exe
  "C:\Users\Admin\AppData\Local\Temp\vkFkwTHl4aZC3Krr.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3524
- - C:\Users\Admin\AppData\Local\Temp\9Wr8gF4Xq79ka0w0\svrhost.exe
    "C:\Users\Admin\AppData\Local\Temp\9Wr8gF4Xq79ka0w0\svrhost.exe"
    3⤵
    - Executes dropped EXE
    PID:404
- - C:\Users\Admin\AppData\Local\Temp\9Wr8gF4Xq79ka0w0\svrhost.exe
    "C:\Users\Admin\AppData\Local\Temp\9Wr8gF4Xq79ka0w0\svrhost.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: GetForegroundWindowSpam
    PID:4476
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3524 -s 1152
    3⤵
    - Program crash
    PID:2160
- C:\Users\Admin\AppData\Local\Temp\6ax0Yc8236t6EQMa\svthost.exe
  "C:\Users\Admin\AppData\Local\Temp\6ax0Yc8236t6EQMa\svthost.exe"
  2⤵
  - Executes dropped EXE
  PID:4540
- C:\Users\Admin\AppData\Local\Temp\6ax0Yc8236t6EQMa\svthost.exe
  "C:\Users\Admin\AppData\Local\Temp\6ax0Yc8236t6EQMa\svthost.exe"
  2⤵
  - Executes dropped EXE
  PID:3228
- C:\Users\Admin\AppData\Local\Temp\6ax0Yc8236t6EQMa\svthost.exe
  "C:\Users\Admin\AppData\Local\Temp\6ax0Yc8236t6EQMa\svthost.exe"
  2⤵
  - Executes dropped EXE
  PID:2024
- C:\Users\Admin\AppData\Local\Temp\6ax0Yc8236t6EQMa\svthost.exe
  "C:\Users\Admin\AppData\Local\Temp\6ax0Yc8236t6EQMa\svthost.exe"
  2⤵
  - Executes dropped EXE
  PID:1196
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3140 -s 1628
  2⤵
  - Program crash
  PID:2892

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3140 -ip 3140
1⤵
PID:4392

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 2676 -ip 2676
1⤵
PID:3976

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 3524 -ip 3524
1⤵
PID:4636

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4200 -ip 4200
1⤵
PID:2824

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 3140 -ip 3140
1⤵
PID:2560

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\excelsl.exe.log

Filesize
400B

MD5
0a9b4592cd49c3c21f6767c2dabda92f

SHA1
f534297527ae5ccc0ecb2221ddeb8e58daeb8b74

SHA256
c7effe9cb81a70d738dee863991afefab040290d4c4b78b4202383bcb9f88fcd

SHA512
6b878df474e5bbfb8e9e265f15a76560c2ef151dcebc6388c82d7f6f86ffaf83f5ade5a09f1842e493cb6c8fd63b0b88d088c728fd725f7139f965a5ee332307

Download Submit
C:\Users\Admin\AppData\Local\Temp\6ax0Yc8236t6EQMa\svthost.exe

Filesize
3.7MB

MD5
9d2a888ca79e1ff3820882ea1d88d574

SHA1
112c38d80bf2c0d48256249bbabe906b834b1f66

SHA256
8b5b38085f12d51393ed5a481a554074d3c482d53ecd917f2f5dffdf3d2ee138

SHA512
17a9f74ecf9f118ed0252fa0bc6ce0f9758a4dc75f238cae304def9c37cd94623818dd4aef38826642ff9e549b7e6047318f8bf6de7edff2d61a298d0bf5c840

Download Submit
C:\Users\Admin\AppData\Local\Temp\DonKdq8BWj8daM41.exe

Filesize
472KB

MD5
2819e45588024ba76f248a39d3e232ba

SHA1
08a797b87ecfbee682ce14d872177dae1a5a46a2

SHA256
b82b23059e398b39f183ec833d498200029033b0fd3a138b6c2064a6fa3c4b93

SHA512
a38b58768daf58fa56ca7b8c37826d57e9dbfcd2dedf120a5b7b9aa36c4e10f64ec07c11dbd77b5861236c005fe5d453523911906dd77a302634408f1d78503a

Download Submit
C:\Users\Admin\AppData\Local\Temp\GOgeIF51dah78xBn.exe

Filesize
742KB

MD5
3e804917c454ca31c1cbd602682542b7

SHA1
1df3e81b9d879e21af299f5478051b98f3cb7739

SHA256
f9f7b6f7b8c5068f9e29a5b50afca609018c50ffd61929e1b78124f5381868f1

SHA512
28e59bc545179c2503771b93d947930bd56f8ebd0402ecbb398335c5ac89f40051e93fbfd84d35b8c625b253bb4cafea6a5360914b8d54d1bc121977f1eadbaf

Download Submit
C:\Users\Admin\AppData\Local\Temp\QyDSW8NVl3ePpAfR.exe

Filesize
801KB

MD5
9133c2a5ebf3e25aceae5a001ca6f279

SHA1
319f911282f3cded94de3730fa0abd5dec8f14be

SHA256
7c3615c405f7a11f1c217b9ecd1000cf60a37bca7da1f2d12da21cc110b16b4d

SHA512
1d1af3fcfcdba41874e3eb3e2571d25798acfd49b63b7fcf9393be2f59c9ba77e563da1717abcd6445fc52fd6d948bf4c0dd5978a192c8e32e0a9279fd0be33e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Z33KiU5j5gmh3zfr.exe

Filesize
366KB

MD5
f07d2c33e4afe36ec6f6f14f9a56e84a

SHA1
3ebed0c1a265d1e17ce038dfaf1029387f0b53ee

SHA256
309385e6cd68c0dd148905c3147f77383edaf35da9609c0717da7df1a894e3ca

SHA512
b4fbf0e6b8e7e8e1679680039e4ac0aebdf7967a9cc36d9ddac35fa31d997253384a51656d886afb2ded9f911b7b8b44c2dcb8ebe71962e551c5025a4d75ebe2

Download Submit
C:\Users\Admin\AppData\Local\Temp\oBXgVKAbRuKoSQ4A.exe

Filesize
376KB

MD5
590acb5fa6b5c3001ebce3d67242aac4

SHA1
5df39906dc4e60f01b95783fc55af6128402d611

SHA256
7bf9b7b25cf1671e5640f8eeac149f9a4e8c9f6c63415f4bd61bccb10ddf8509

SHA512
4ac518140ee666491132525853f2843357d622fe351e59cca7ce3b054d665f77ad8987adddd601e6b1afe6903222d77cf3c41a5aa69e8caf0dcdc7656a43e9ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp79CF.tmp.bat

Filesize
153B

MD5
14618446405a6abc2e7e885d063b844f

SHA1
29e2c6654aac9f76e1c7b92a91d4623f9817ee4a

SHA256
b2a71834247dbeaa2229ae9f09fcbb583418fcfae8373d4f60f3ec4d2e56e3d1

SHA512
329d154c43a9350faacff8c1a8519b42e1bd706c07c89a990c112497c7eb95880e242f35d459ec5300531f55d68db160a09418f695325e5868dc07186c68eb9b

Download Submit
C:\Users\Admin\AppData\Local\Temp\vkFkwTHl4aZC3Krr.exe

Filesize
336KB

MD5
e87459f61fd1f017d4bd6b0a1a1fc86a

SHA1
30838d010aad8c9f3fd0fc302e71b4cbe6f138c0

SHA256
ec1b56551036963a425f6a0564d75980054e01d251c88eb29c81c1b2182f5727

SHA512
dd13993174d234d60ec98124b71bfefcf556c069e482a2e1f127f81f6738b71cd37cee95bf0119d3a61513c01438055767d480e26d6ed260ee16a96533d0cfa2

Download Submit
C:\Users\Admin\AppData\Roaming\prndrvest.exe

Filesize
41.4MB

MD5
df21fe1cbcecafe376d33476601b264d

SHA1
af1dee5dc588acc7e835aaccb8ef86079e7f24d1

SHA256
78df9394bfee605531e5e9b17471a169645d72b693d0e55075b210650ee329e0

SHA512
5a53d85a8f04eb047676db2c1c82a0ba34cc187836c16a08478777f0d14faaa2e4997d0697b7eba446c2e12c67f36c320dfcc8588cde503ff3f2a45f50360589

Download Submit
memory/8-98-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/8-115-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/8-200-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/8-113-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/8-116-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/8-112-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/8-108-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/8-103-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/8-101-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/8-234-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/1196-88-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/1528-138-0x0000000000E60000-0x0000000000E61000-memory.dmp

Filesize
4KB

Download
memory/1596-221-0x00000000747C0000-0x0000000074D71000-memory.dmp

Filesize
5.7MB

Download
memory/1596-35-0x00000000747C0000-0x0000000074D71000-memory.dmp

Filesize
5.7MB

Download
memory/1596-36-0x00000000747C0000-0x0000000074D71000-memory.dmp

Filesize
5.7MB

Download
memory/2536-131-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/2536-128-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/2536-133-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/2672-60-0x00000000747C0000-0x0000000074D71000-memory.dmp

Filesize
5.7MB

Download
memory/2672-247-0x00000000747C0000-0x0000000074D71000-memory.dmp

Filesize
5.7MB

Download
memory/2672-67-0x00000000747C0000-0x0000000074D71000-memory.dmp

Filesize
5.7MB

Download
memory/2812-255-0x0000000005AA0000-0x0000000005AB2000-memory.dmp

Filesize
72KB

Download
memory/3140-27-0x00000000747C2000-0x00000000747C3000-memory.dmp

Filesize
4KB

Download
memory/3140-0-0x00000000747C2000-0x00000000747C3000-memory.dmp

Filesize
4KB

Download
memory/3140-1-0x00000000747C0000-0x0000000074D71000-memory.dmp

Filesize
5.7MB

Download
memory/3140-75-0x00000000747C0000-0x0000000074D71000-memory.dmp

Filesize
5.7MB

Download
memory/3140-3-0x00000000747C0000-0x0000000074D71000-memory.dmp

Filesize
5.7MB

Download
memory/3140-93-0x00000000747C0000-0x0000000074D71000-memory.dmp

Filesize
5.7MB

Download
memory/3140-2-0x00000000747C0000-0x0000000074D71000-memory.dmp

Filesize
5.7MB

Download
memory/3480-228-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/3480-230-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/3480-231-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/3480-226-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/3976-207-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/4168-229-0x0000000000570000-0x0000000000571000-memory.dmp

Filesize
4KB

Download
memory/4200-196-0x00000000747C0000-0x0000000074D71000-memory.dmp

Filesize
5.7MB

Download
memory/4200-81-0x00000000747C0000-0x0000000074D71000-memory.dmp

Filesize
5.7MB

Download
memory/4460-111-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/4460-107-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/4476-123-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/4476-121-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/4860-91-0x00000000098F0000-0x0000000009914000-memory.dmp

Filesize
144KB

Download
memory/4860-233-0x0000000009A10000-0x0000000009A76000-memory.dmp

Filesize
408KB

Download
memory/4860-84-0x0000000005C40000-0x00000000061E4000-memory.dmp

Filesize
5.6MB

Download
memory/4860-236-0x0000000009D30000-0x0000000009DCC000-memory.dmp

Filesize
624KB

Download
memory/4860-87-0x0000000005730000-0x00000000057C2000-memory.dmp

Filesize
584KB

Download
memory/4860-90-0x0000000005700000-0x000000000570A000-memory.dmp

Filesize
40KB

Download
memory/4860-83-0x0000000000E10000-0x0000000000E74000-memory.dmp

Filesize
400KB

Download
memory/4860-195-0x0000000005050000-0x0000000005062000-memory.dmp

Filesize
72KB

Download