asyncrat | hxxps://gofile[.]io/d/SDxKQp

Analysis

max time kernel
151s
max time network
160s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
28-07-2024 20:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://gofile.io/d/SDxKQp

Score

10^/10

asyncrat pac discovery rat

Malware Config

Extracted

Family

asyncrat

Version

Venom RAT + HVNC + Stealer + Grabber v6.0.3

Botnet

pac

127.0.0.1:4040

Mutex

cevassad

Attributes

delay
1
install
true
install_file
pac.exe
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat

Async RAT payload 1 IoCs

rat

resource	yara_rule
behavioral1/files/0x000300000001ea57-192.dat	family_asyncrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\Control Panel\International\Geo\Nation	pac.exe

Executes dropped EXE 2 IoCs

pid	Process
6132	pac.exe
5496	pac.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\System32\DriverStore\FileRepository\display.inf_amd64_71aa85b0e2292a7a\display.PNF	chrome.exe
File created	\??\c:\windows\system32\driverstore\filerepository\display.inf_amd64_71aa85b0e2292a7a\display.PNF	chrome.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
5524	timeout.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133666705349387054"	chrome.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000_Classes\Local Settings	chrome.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
5516	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4908	chrome.exe
4908	chrome.exe
6132	pac.exe
6132	pac.exe
6132	pac.exe
6132	pac.exe
6132	pac.exe
6132	pac.exe
6132	pac.exe
6132	pac.exe
6132	pac.exe
6132	pac.exe
6132	pac.exe
6132	pac.exe
6132	pac.exe
6132	pac.exe
6132	pac.exe
6132	pac.exe
6132	pac.exe
6132	pac.exe
6132	pac.exe
6132	pac.exe
6132	pac.exe
6132	pac.exe
6132	pac.exe
6132	pac.exe
6132	pac.exe
6132	pac.exe
6132	pac.exe
6132	pac.exe
6132	pac.exe
6132	pac.exe
6132	pac.exe
6132	pac.exe
6132	pac.exe
6132	pac.exe
6132	pac.exe
6132	pac.exe
6132	pac.exe
6132	pac.exe
6132	pac.exe
6132	pac.exe
6132	pac.exe
6132	pac.exe
6132	pac.exe
6132	pac.exe
6132	pac.exe
6132	pac.exe
6132	pac.exe
6132	pac.exe
6132	pac.exe
6132	pac.exe
6132	pac.exe
6132	pac.exe
5496	pac.exe
5496	pac.exe
5496	pac.exe
5496	pac.exe
5496	pac.exe
5496	pac.exe
5496	pac.exe
5496	pac.exe
5496	pac.exe
5496	pac.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3800	7zFM.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

pid	Process
4908	chrome.exe
4908	chrome.exe
4908	chrome.exe
4908	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4908	chrome.exe
Token: SeCreatePagefilePrivilege	4908	chrome.exe
Token: SeShutdownPrivilege	4908	chrome.exe
Token: SeCreatePagefilePrivilege	4908	chrome.exe
Token: SeShutdownPrivilege	4908	chrome.exe
Token: SeCreatePagefilePrivilege	4908	chrome.exe
Token: SeShutdownPrivilege	4908	chrome.exe
Token: SeCreatePagefilePrivilege	4908	chrome.exe
Token: SeShutdownPrivilege	4908	chrome.exe
Token: SeCreatePagefilePrivilege	4908	chrome.exe
Token: SeShutdownPrivilege	4908	chrome.exe
Token: SeCreatePagefilePrivilege	4908	chrome.exe
Token: SeShutdownPrivilege	4908	chrome.exe
Token: SeCreatePagefilePrivilege	4908	chrome.exe
Token: SeShutdownPrivilege	4908	chrome.exe
Token: SeCreatePagefilePrivilege	4908	chrome.exe
Token: SeShutdownPrivilege	4908	chrome.exe
Token: SeCreatePagefilePrivilege	4908	chrome.exe
Token: SeShutdownPrivilege	4908	chrome.exe
Token: SeCreatePagefilePrivilege	4908	chrome.exe
Token: SeShutdownPrivilege	4908	chrome.exe
Token: SeCreatePagefilePrivilege	4908	chrome.exe
Token: SeShutdownPrivilege	4908	chrome.exe
Token: SeCreatePagefilePrivilege	4908	chrome.exe
Token: SeShutdownPrivilege	4908	chrome.exe
Token: SeCreatePagefilePrivilege	4908	chrome.exe
Token: SeShutdownPrivilege	4908	chrome.exe
Token: SeCreatePagefilePrivilege	4908	chrome.exe
Token: SeShutdownPrivilege	4908	chrome.exe
Token: SeCreatePagefilePrivilege	4908	chrome.exe
Token: SeShutdownPrivilege	4908	chrome.exe
Token: SeCreatePagefilePrivilege	4908	chrome.exe
Token: SeShutdownPrivilege	4908	chrome.exe
Token: SeCreatePagefilePrivilege	4908	chrome.exe
Token: SeShutdownPrivilege	4908	chrome.exe
Token: SeCreatePagefilePrivilege	4908	chrome.exe
Token: SeShutdownPrivilege	4908	chrome.exe
Token: SeCreatePagefilePrivilege	4908	chrome.exe
Token: SeShutdownPrivilege	4908	chrome.exe
Token: SeCreatePagefilePrivilege	4908	chrome.exe
Token: SeShutdownPrivilege	4908	chrome.exe
Token: SeCreatePagefilePrivilege	4908	chrome.exe
Token: SeShutdownPrivilege	4908	chrome.exe
Token: SeCreatePagefilePrivilege	4908	chrome.exe
Token: SeShutdownPrivilege	4908	chrome.exe
Token: SeCreatePagefilePrivilege	4908	chrome.exe
Token: SeShutdownPrivilege	4908	chrome.exe
Token: SeCreatePagefilePrivilege	4908	chrome.exe
Token: SeRestorePrivilege	3800	7zFM.exe
Token: 35	3800	7zFM.exe
Token: SeShutdownPrivilege	4908	chrome.exe
Token: SeCreatePagefilePrivilege	4908	chrome.exe
Token: SeShutdownPrivilege	4908	chrome.exe
Token: SeCreatePagefilePrivilege	4908	chrome.exe
Token: SeShutdownPrivilege	4908	chrome.exe
Token: SeCreatePagefilePrivilege	4908	chrome.exe
Token: SeShutdownPrivilege	4908	chrome.exe
Token: SeCreatePagefilePrivilege	4908	chrome.exe
Token: SeShutdownPrivilege	4908	chrome.exe
Token: SeCreatePagefilePrivilege	4908	chrome.exe
Token: SeShutdownPrivilege	4908	chrome.exe
Token: SeCreatePagefilePrivilege	4908	chrome.exe
Token: SeShutdownPrivilege	4908	chrome.exe
Token: SeCreatePagefilePrivilege	4908	chrome.exe

Suspicious use of FindShellTrayWindow 35 IoCs

pid	Process
4908	chrome.exe
4908	chrome.exe
4908	chrome.exe
4908	chrome.exe
4908	chrome.exe
4908	chrome.exe
4908	chrome.exe
4908	chrome.exe
4908	chrome.exe
4908	chrome.exe
4908	chrome.exe
4908	chrome.exe
4908	chrome.exe
4908	chrome.exe
4908	chrome.exe
4908	chrome.exe
4908	chrome.exe
4908	chrome.exe
4908	chrome.exe
4908	chrome.exe
4908	chrome.exe
4908	chrome.exe
4908	chrome.exe
4908	chrome.exe
4908	chrome.exe
4908	chrome.exe
4908	chrome.exe
4908	chrome.exe
4908	chrome.exe
4908	chrome.exe
4908	chrome.exe
4908	chrome.exe
4908	chrome.exe
3800	7zFM.exe
3800	7zFM.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4908	chrome.exe
4908	chrome.exe
4908	chrome.exe
4908	chrome.exe
4908	chrome.exe
4908	chrome.exe
4908	chrome.exe
4908	chrome.exe
4908	chrome.exe
4908	chrome.exe
4908	chrome.exe
4908	chrome.exe
4908	chrome.exe
4908	chrome.exe
4908	chrome.exe
4908	chrome.exe
4908	chrome.exe
4908	chrome.exe
4908	chrome.exe
4908	chrome.exe
4908	chrome.exe
4908	chrome.exe
4908	chrome.exe
4908	chrome.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
5496	pac.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4908 wrote to memory of 3584	4908	chrome.exe	86
PID 4908 wrote to memory of 3584	4908	chrome.exe	86
PID 4908 wrote to memory of 4152	4908	chrome.exe	87
PID 4908 wrote to memory of 4152	4908	chrome.exe	87
PID 4908 wrote to memory of 4152	4908	chrome.exe	87
PID 4908 wrote to memory of 4152	4908	chrome.exe	87
PID 4908 wrote to memory of 4152	4908	chrome.exe	87
PID 4908 wrote to memory of 4152	4908	chrome.exe	87
PID 4908 wrote to memory of 4152	4908	chrome.exe	87
PID 4908 wrote to memory of 4152	4908	chrome.exe	87
PID 4908 wrote to memory of 4152	4908	chrome.exe	87
PID 4908 wrote to memory of 4152	4908	chrome.exe	87
PID 4908 wrote to memory of 4152	4908	chrome.exe	87
PID 4908 wrote to memory of 4152	4908	chrome.exe	87
PID 4908 wrote to memory of 4152	4908	chrome.exe	87
PID 4908 wrote to memory of 4152	4908	chrome.exe	87
PID 4908 wrote to memory of 4152	4908	chrome.exe	87
PID 4908 wrote to memory of 4152	4908	chrome.exe	87
PID 4908 wrote to memory of 4152	4908	chrome.exe	87
PID 4908 wrote to memory of 4152	4908	chrome.exe	87
PID 4908 wrote to memory of 4152	4908	chrome.exe	87
PID 4908 wrote to memory of 4152	4908	chrome.exe	87
PID 4908 wrote to memory of 4152	4908	chrome.exe	87
PID 4908 wrote to memory of 4152	4908	chrome.exe	87
PID 4908 wrote to memory of 4152	4908	chrome.exe	87
PID 4908 wrote to memory of 4152	4908	chrome.exe	87
PID 4908 wrote to memory of 4152	4908	chrome.exe	87
PID 4908 wrote to memory of 4152	4908	chrome.exe	87
PID 4908 wrote to memory of 4152	4908	chrome.exe	87
PID 4908 wrote to memory of 4152	4908	chrome.exe	87
PID 4908 wrote to memory of 4152	4908	chrome.exe	87
PID 4908 wrote to memory of 4152	4908	chrome.exe	87
PID 4908 wrote to memory of 4500	4908	chrome.exe	88
PID 4908 wrote to memory of 4500	4908	chrome.exe	88
PID 4908 wrote to memory of 2884	4908	chrome.exe	89
PID 4908 wrote to memory of 2884	4908	chrome.exe	89
PID 4908 wrote to memory of 2884	4908	chrome.exe	89
PID 4908 wrote to memory of 2884	4908	chrome.exe	89
PID 4908 wrote to memory of 2884	4908	chrome.exe	89
PID 4908 wrote to memory of 2884	4908	chrome.exe	89
PID 4908 wrote to memory of 2884	4908	chrome.exe	89
PID 4908 wrote to memory of 2884	4908	chrome.exe	89
PID 4908 wrote to memory of 2884	4908	chrome.exe	89
PID 4908 wrote to memory of 2884	4908	chrome.exe	89
PID 4908 wrote to memory of 2884	4908	chrome.exe	89
PID 4908 wrote to memory of 2884	4908	chrome.exe	89
PID 4908 wrote to memory of 2884	4908	chrome.exe	89
PID 4908 wrote to memory of 2884	4908	chrome.exe	89
PID 4908 wrote to memory of 2884	4908	chrome.exe	89
PID 4908 wrote to memory of 2884	4908	chrome.exe	89
PID 4908 wrote to memory of 2884	4908	chrome.exe	89
PID 4908 wrote to memory of 2884	4908	chrome.exe	89
PID 4908 wrote to memory of 2884	4908	chrome.exe	89
PID 4908 wrote to memory of 2884	4908	chrome.exe	89
PID 4908 wrote to memory of 2884	4908	chrome.exe	89
PID 4908 wrote to memory of 2884	4908	chrome.exe	89
PID 4908 wrote to memory of 2884	4908	chrome.exe	89
PID 4908 wrote to memory of 2884	4908	chrome.exe	89
PID 4908 wrote to memory of 2884	4908	chrome.exe	89
PID 4908 wrote to memory of 2884	4908	chrome.exe	89
PID 4908 wrote to memory of 2884	4908	chrome.exe	89
PID 4908 wrote to memory of 2884	4908	chrome.exe	89
PID 4908 wrote to memory of 2884	4908	chrome.exe	89
PID 4908 wrote to memory of 2884	4908	chrome.exe	89

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://gofile.io/d/SDxKQp
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4908
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.106 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ff9f3a7cc40,0x7ff9f3a7cc4c,0x7ff9f3a7cc58
  2⤵
  PID:3584
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=2520,i,752579846274525352,11046632108687668255,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=2512 /prefetch:2
  2⤵
  PID:4152
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1808,i,752579846274525352,11046632108687668255,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=2548 /prefetch:3
  2⤵
  PID:4500
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2012,i,752579846274525352,11046632108687668255,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=2656 /prefetch:8
  2⤵
  PID:2884
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3116,i,752579846274525352,11046632108687668255,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=3152 /prefetch:1
  2⤵
  PID:1364
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3124,i,752579846274525352,11046632108687668255,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=3324 /prefetch:1
  2⤵
  PID:4440
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=3708,i,752579846274525352,11046632108687668255,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=4384 /prefetch:1
  2⤵
  PID:2968
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=3456,i,752579846274525352,11046632108687668255,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=3500 /prefetch:1
  2⤵
  PID:3604
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4696,i,752579846274525352,11046632108687668255,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=4992 /prefetch:8
  2⤵
  PID:1984
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5252,i,752579846274525352,11046632108687668255,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=5264 /prefetch:8
  2⤵
  PID:2212
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=768,i,752579846274525352,11046632108687668255,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=976 /prefetch:8
  2⤵
  - Drops file in System32 directory
  PID:3296

C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe"
1⤵
PID:1096

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:1580

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:4440

C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\servicing\TrustedInstaller.exe
1⤵
PID:2968

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2008

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Downloads\pac.rar"
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3800

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k UnistackSvcGroup
1⤵
PID:5292

C:\Users\Admin\Desktop\pac.exe
"C:\Users\Admin\Desktop\pac.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:6132
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "pac" /tr '"C:\Users\Admin\AppData\Roaming\pac.exe"' & exit
  2⤵
  PID:5344
- - C:\Windows\system32\schtasks.exe
    schtasks /create /f /sc onlogon /rl highest /tn "pac" /tr '"C:\Users\Admin\AppData\Roaming\pac.exe"'
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:5516
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp8028.tmp.bat""
  2⤵
  PID:5400
- - C:\Windows\system32\timeout.exe
    timeout 3
    3⤵
    - Delays execution with timeout.exe
    PID:5524
- - C:\Users\Admin\AppData\Roaming\pac.exe
    "C:\Users\Admin\AppData\Roaming\pac.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:5496

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
7767e5d44c17715194994fb66e645513

SHA1
3aadd1ef5c91b7ddcda3dde1ef06545825606acf

SHA256
878a6b8b4c86525a75b34a1891f59b6870740e50103707f2bd04fb423dce186b

SHA512
a5b0f8d70cc4fdc138a080fc9970b3ca75670317f03c26e3344c65265a0ec9b1f5764b83b41f9611d12b401a3b9bca0d6ab9fb055cd8fee26335c46e43e369ed

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
336B

MD5
70517c97e4d38bba20d3fca17d474d16

SHA1
1c1ecbaa9e48ec61890dc73fb22f78e0820bbc06

SHA256
c1e814188754e1d249d8f7130fff450a74a2bea85814457ae62b8e8ee46ad975

SHA512
d8b92ce1a34f72551d3e264da69863cf425ce269ea58060e6d379b69c1579d67f60a5ad8580229cc0172465580da3efae4107f7ac9343f10b42e68b5667c69df

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
488a695105d85b7520b2fc857367015a

SHA1
6671087e0ec855b8956e5ee2f6fe6b5cca15d33d

SHA256
d3873baec40de85ed87554eafe279d543ef083b87e17e6d0a48636cb4d808931

SHA512
8272c97d4092d1b978a8f01cdc77d5db87e03d31f376cb91d670f4328109f9f72145a5282341cfe7e7ed943e655e1e966efa877e2499214059a33a8cd84273b0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
690B

MD5
a1789b634fb652d61c5e1f7642d4fb50

SHA1
eb862c41e84d16a7c9620cd9af2c75936d446800

SHA256
01c2e0df46e3990a2648e9793ef94532d4518923b3f1af40c498c19bb2f7e515

SHA512
05537716fbcd2f1378d456b5465166070c2b506d16422f10c14eeaefca11f987c2435ebbeebeaf77976536aed169fbaf160dcf45aa31ffcd669810d14eb9bcdb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\c24e2f52-9be8-452f-a239-75d6ff30d952.tmp

Filesize
1KB

MD5
27b3258908c3d59d14b8394f00249dbb

SHA1
ee99718b897ad1e7d32051c289940fab81968105

SHA256
fe6cf92e4873f723511843b50f80f04d01ee06ec74b8c1328fda7426769bb9a0

SHA512
8e9cde5f29713279dbd3666afce041275371ec1fc8119656d15bafbf35dcd32bdedb5f340ccf515cfa1a3d8969133cb02c563921b4c9aa374c6a17e7db4b4393

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
6b10247e92657861fc1546cff90c45e6

SHA1
b67c922737ba09f4e013fe1194605e69d6d80eec

SHA256
41a82a1cb7d43378eaed81f5fbf27486f6f8333dd1bebede5201a53c5f34cf80

SHA512
395b23d3ff6b60cb960744b9f4857e2427d0670d1b7a3fc04821364790e132b40f9dd556fbd0422e6974d3cf3428c3d96692ceba8d377a37c006eb4372506a2e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
745f1eb7501126952bcf24e41dde53c0

SHA1
422ed1e235621097c8f7a24d687c6813ecdb1dda

SHA256
5679fe245249f4da5687780876449a5551e1bdfd7872075afbf46db2a79e4d04

SHA512
24512a4000b50a45a0cebfe893718fac45bcba8ca65b5a09590ee39f5706d50d096335f3c25b4ce4c15c21bc265872061a5064878456c6d4e86393c3c31d2d23

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
b274f42a40b435dc66124cdfa7886bfa

SHA1
66877d2f80441d97e0e84c33faa6675e6bb342c5

SHA256
c4ae144459d260ecb7077d9328788453ba0f205adbc8728b33786e7833531a5e

SHA512
d67b7ff1c15e0a47576f0bdfe403c5f7b3f055ebf1779f27816e8ffcb0a7adb28e5104f66228ee096a09034dd3ae91559c82f3915545fe7112abc51b3fc9a9cc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
c01fe0e2d337261a626bac7b9750fa72

SHA1
749afe4c47e3e0127e6d01d5a60fbca2195a93ae

SHA256
aa09994d98d74d4e7b05aa078b0e2b004fbc5bfc7d5f18eddc75c965e57d08ee

SHA512
b14a971b5393bd6fa950cf82864bb9a8e806325f269647da7cbfbb63d8aea512ac1e4b26189dbccb0994b7412223445816b0fad89295566cc7f0cb66d5af9a14

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
c3e1bf58adb7eab9784336426625e917

SHA1
d3941ae67219cbc14b00cb6daa32679a2a2d67f6

SHA256
e613b6f13e6d844767b98658e32b866a1e8bea682dfa86e2afa641095f405ae3

SHA512
300cd30c09b17ae7807dfc0ba3b14e7bd0ea1a4fe2ff53f7c37e03f987d64afb023e3dbc04708d02e0b58a785ec5e0ac28936692965a8fbfe9a18682bc833515

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
bc9c418d8b25ab0381a60cdf9925229f

SHA1
90f47f1c58eb4dcc944f7c1333fbf2ad39a950a0

SHA256
14add4e811fe9a954812bc87a43c6691de4c8f59d33ae0abf4178ac50b59a9f4

SHA512
9a0be6963be0d407934af4d80be4743f0ca5b2bac7a387890c4ba807ba254b82d8973b9e647f7b35c412a89b57133dacb7f78a3306804e684629e7c9a58eab1b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\c0a591ff-7aef-4d4f-9301-58d41db608f6.tmp

Filesize
9KB

MD5
ea431a50fec239ce2e23cdda0e9c2599

SHA1
3c347896b89d2eb3e96149b6588d37aaf347681f

SHA256
9fdb7e0316c4e7f808c6411e4c56d2bb71e438e561d67672425ca0e3bab2f4af

SHA512
e30d1c4304c309f45a310f89b37f6a094f1c64c9c5583c96546d3819df6a303679fcdc99258bbf2fc840291019eae1b4b89975ee063a3d113df53d8cba346a31

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
92KB

MD5
8ffec67381f4810ef46297a0905e2431

SHA1
8b81a7159023d460d278345ac56e816ed449ff37

SHA256
0a78f15cf5da04cc4f0b3fa0473d6b9013549249754e1f625e84b34765de172d

SHA512
411463fc16c5651d30ca7f945f1a933eafb2ec47fe271d9d0aa15bbaffec76ac3263e45454e7d25f5a777241042e4db15de18456471cd77e7b9d345dcda55e93

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
92KB

MD5
19bd0b2a8b05b731f4ddf63812d270a8

SHA1
3fd6353e576dba7b51fc71b21bfab97e387fe094

SHA256
ceb497daf34d5861901314dfc44677782f9665ff5181c71d88515df7370da4ad

SHA512
8ccb913b29f4649da61082033e61451ef697b685127042ed869c0b7e93cc898ed094e5e66d3939fed01ee616c1407a7a52abe21dd032b0c13bcab7c34bd5c4fe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\pac.exe.log

Filesize
1KB

MD5
baf55b95da4a601229647f25dad12878

SHA1
abc16954ebfd213733c4493fc1910164d825cac8

SHA256
ee954c5d8156fd8890e582c716e5758ed9b33721258f10e758bdc31ccbcb1924

SHA512
24f502fedb1a305d0d7b08857ffc1db9b2359ff34e06d5748ecc84e35c985f29a20d9f0a533bea32d234ab37097ec0481620c63b14ac89b280e75e14d19fd545

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp8028.tmp.bat

Filesize
147B

MD5
b6919c692fe1520516427d5652fc979c

SHA1
475d24319f0072a09f64573283a69145b3730a14

SHA256
ce180fa35faac5a628d300dc88121508b1898bd6752e2ac65956a3a41e974220

SHA512
293f031d0e04a452460ddc81c322875c4a598650546e5ff143ffe521a03bcf32da86af266ef4dcbb5dbea1299ecba6d1e8699ef24b164b820b5c98acd206b7fa

Download Submit
C:\Users\Admin\AppData\Roaming\MyData\DataLogs.conf

Filesize
8B

MD5
cf759e4c5f14fe3eec41b87ed756cea8

SHA1
c27c796bb3c2fac929359563676f4ba1ffada1f5

SHA256
c9f9f193409217f73cc976ad078c6f8bf65d3aabcf5fad3e5a47536d47aa6761

SHA512
c7f832aee13a5eb36d145f35d4464374a9e12fa2017f3c2257442d67483b35a55eccae7f7729243350125b37033e075efbc2303839fd86b81b9b4dca3626953b

Download Submit
C:\Users\Admin\Desktop\pac.exe

Filesize
74KB

MD5
f3aea18a68bfbb164c71d090a81fa6ce

SHA1
98014bfe457c6623397151ce2a3d4e001f38cb17

SHA256
d1db39829d8cd926778ed92563da933dd6369955f1b66be92495f1d74ad14eee

SHA512
6db7e968067da6df99b86e6ca4c1b924332076c458e6a3f3b3dbf6767229bf1ae2b3886fe3c2d228ecef126d7691767b2f9359a41d0bd1a1ebaf25b71047fade

Download Submit
C:\Users\Admin\Downloads\pac.rar.crdownload

Filesize
32KB

MD5
4075a45fc34ff6cb4ef67416ff70adbb

SHA1
e6a97042f535cabcfcddbf94272bcfbbac2d0fb7

SHA256
294cee79e3760a34f8d0b221524e707aebbd9f35f08845c245979241a32ca1c4

SHA512
7cbd295b7c92c7c29f8a2b346e71054dfc223aa1f26852b0ac7f062d616f8e93cf599a8cfff1a8cc060a6f698c2a985efa74a3eb1d49a7a5576e0af8b5739841

Download Submit
memory/5292-119-0x00000182AB540000-0x00000182AB550000-memory.dmp

Filesize
64KB

Download
memory/5292-144-0x00000182B3B60000-0x00000182B3B61000-memory.dmp

Filesize
4KB

Download
memory/5292-146-0x00000182B3780000-0x00000182B3781000-memory.dmp

Filesize
4KB

Download
memory/5292-147-0x00000182B3770000-0x00000182B3771000-memory.dmp

Filesize
4KB

Download
memory/5292-149-0x00000182B3780000-0x00000182B3781000-memory.dmp

Filesize
4KB

Download
memory/5292-152-0x00000182B3770000-0x00000182B3771000-memory.dmp

Filesize
4KB

Download
memory/5292-155-0x00000182B36B0000-0x00000182B36B1000-memory.dmp

Filesize
4KB

Download
memory/5292-167-0x00000182B38B0000-0x00000182B38B1000-memory.dmp

Filesize
4KB

Download
memory/5292-169-0x00000182B38C0000-0x00000182B38C1000-memory.dmp

Filesize
4KB

Download
memory/5292-170-0x00000182B38C0000-0x00000182B38C1000-memory.dmp

Filesize
4KB

Download
memory/5292-171-0x00000182B39D0000-0x00000182B39D1000-memory.dmp

Filesize
4KB

Download
memory/5292-145-0x00000182B3B60000-0x00000182B3B61000-memory.dmp

Filesize
4KB

Download
memory/5292-143-0x00000182B3B60000-0x00000182B3B61000-memory.dmp

Filesize
4KB

Download
memory/5292-142-0x00000182B3B60000-0x00000182B3B61000-memory.dmp

Filesize
4KB

Download
memory/5292-103-0x00000182AB440000-0x00000182AB450000-memory.dmp

Filesize
64KB

Download
memory/5292-141-0x00000182B3B60000-0x00000182B3B61000-memory.dmp

Filesize
4KB

Download
memory/5292-140-0x00000182B3B60000-0x00000182B3B61000-memory.dmp

Filesize
4KB

Download
memory/5292-139-0x00000182B3B60000-0x00000182B3B61000-memory.dmp

Filesize
4KB

Download
memory/5292-138-0x00000182B3B60000-0x00000182B3B61000-memory.dmp

Filesize
4KB

Download
memory/5292-137-0x00000182B3B60000-0x00000182B3B61000-memory.dmp

Filesize
4KB

Download
memory/5292-136-0x00000182B3B60000-0x00000182B3B61000-memory.dmp

Filesize
4KB

Download
memory/5292-135-0x00000182B3B30000-0x00000182B3B31000-memory.dmp

Filesize
4KB

Download
memory/6132-194-0x00000000003B0000-0x00000000003C8000-memory.dmp

Filesize
96KB

Download