asyncrat | 70c6d555938fdc95c03f98a7a3a37b607d1dce623663479082c5b9514caa04fd

Analysis

max time kernel
150s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
29-07-2024 07:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

670d1014ec5713d005f8ddfefc495a9e.exe
Size

47KB
MD5

670d1014ec5713d005f8ddfefc495a9e
SHA1

91362eaf33dc55e4d970fbefbda975be32628d6b
SHA256

70c6d555938fdc95c03f98a7a3a37b607d1dce623663479082c5b9514caa04fd
SHA512

175827b48f35899e89fcbdacd2e98b378b92abc8e7a1c225441f57a46d02fea838104e3d6480a137f401c72e2d7979ff3db7a74d5c52e84a0733246f0fa5384f
SSDEEP

768:EuwpFTAY3IQWUe9jqmo2qLPzXR8myUdPIvfc2C0b2lnNPVPUXHyk/UQsS25BDZ8x:EuwpFTA4/2KRx0vfb9bgnTUXHmpS2nd+

Score

10^/10

asyncrat redline default diamotrix credential_access discovery execution infostealer persistence rat spyware stealer upx

Malware Config

Extracted

Family

asyncrat

Version

0.5.8

Botnet

Default

176.111.174.140:6606

176.111.174.140:7707

176.111.174.140:8808

Mutex

PWhSiRkcxVoa

Attributes

delay
3
install
true
install_file
svchost.exe
install_folder
%AppData%

aes.plain

Extracted

Family

redline

Botnet

diamotrix

176.111.174.140:1912

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

resource	yara_rule
behavioral2/files/0x00070000000234b0-116.dat	family_redline
behavioral2/memory/4744-123-0x0000000000410000-0x0000000000462000-memory.dmp	family_redline

Async RAT payload 1 IoCs

rat

resource	yara_rule
behavioral2/files/0x000b0000000233e6-11.dat	family_asyncrat

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003
Downloads MZ/PE file

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	relog.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-47134698-4092160662-1261813102-1000\Control Panel\International\Geo\Nation	670d1014ec5713d005f8ddfefc495a9e.exe
Key value queried	\REGISTRY\USER\S-1-5-21-47134698-4092160662-1261813102-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-47134698-4092160662-1261813102-1000\Control Panel\International\Geo\Nation	12C4.tmp.svchost.exe

Executes dropped EXE 5 IoCs

pid	Process
2204	svchost.exe
5012	yiowyo.exe
4744	C1C.tmp.uIZtAux.exe
3904	12C4.tmp.svchost.exe
2276	vukksf.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x00070000000234b3-131.dat	upx
behavioral2/memory/3904-138-0x0000000000400000-0x00000000004BC000-memory.dmp	upx
behavioral2/memory/2276-163-0x0000000000400000-0x00000000004BC000-memory.dmp	upx
behavioral2/memory/2276-165-0x0000000000400000-0x00000000004BC000-memory.dmp	upx
behavioral2/memory/3904-166-0x0000000000400000-0x00000000004BC000-memory.dmp	upx

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-47134698-4092160662-1261813102-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Service_Microsoft = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Service_Microsoft.exe"	relog.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-47134698-4092160662-1261813102-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Service_Mozilla = "C:\\Users\\Admin\\AppData\\Roaming\\Mozilla\\Service_Mozilla.exe"	relog.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-47134698-4092160662-1261813102-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Service_Sun = "C:\\Users\\Admin\\AppData\\Roaming\\Sun\\Service_Sun.exe"	relog.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-47134698-4092160662-1261813102-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Service_{55B28E2F7F6B3750773564} = "C:\\Users\\Admin\\AppData\\Roaming\\{55B28E2F7F6B3750773564}\\Service_{55B28E2F7F6B3750773564}.exe"	relog.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-47134698-4092160662-1261813102-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Users\\Admin\\AppData\\Roaming\\{55B28E2F7F6B3750773564}\\{55B28E2F7F6B3750773564}.exe"	yiowyo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-47134698-4092160662-1261813102-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Service_Adobe = "C:\\Users\\Admin\\AppData\\Roaming\\Adobe\\Service_Adobe.exe"	relog.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Start PowerShell.

execution

PowerShell

T1059.001

pid	Process
5060	powershell.exe
3988	powershell.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 5012 set thread context of 4640	5012	yiowyo.exe	112

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 14 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	C1C.tmp.uIZtAux.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	12C4.tmp.svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	670d1014ec5713d005f8ddfefc495a9e.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vukksf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
5076	timeout.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 8 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2616	schtasks.exe
1324	schtasks.exe
3684	schtasks.exe
3488	schtasks.exe
4708	schtasks.exe
3892	schtasks.exe
3916	schtasks.exe
1344	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4760	670d1014ec5713d005f8ddfefc495a9e.exe
4760	670d1014ec5713d005f8ddfefc495a9e.exe
4760	670d1014ec5713d005f8ddfefc495a9e.exe
4760	670d1014ec5713d005f8ddfefc495a9e.exe
4760	670d1014ec5713d005f8ddfefc495a9e.exe
4760	670d1014ec5713d005f8ddfefc495a9e.exe
4760	670d1014ec5713d005f8ddfefc495a9e.exe
4760	670d1014ec5713d005f8ddfefc495a9e.exe
4760	670d1014ec5713d005f8ddfefc495a9e.exe
4760	670d1014ec5713d005f8ddfefc495a9e.exe
4760	670d1014ec5713d005f8ddfefc495a9e.exe
4760	670d1014ec5713d005f8ddfefc495a9e.exe
4760	670d1014ec5713d005f8ddfefc495a9e.exe
4760	670d1014ec5713d005f8ddfefc495a9e.exe
4760	670d1014ec5713d005f8ddfefc495a9e.exe
4760	670d1014ec5713d005f8ddfefc495a9e.exe
4760	670d1014ec5713d005f8ddfefc495a9e.exe
4760	670d1014ec5713d005f8ddfefc495a9e.exe
4760	670d1014ec5713d005f8ddfefc495a9e.exe
4760	670d1014ec5713d005f8ddfefc495a9e.exe
4760	670d1014ec5713d005f8ddfefc495a9e.exe
4760	670d1014ec5713d005f8ddfefc495a9e.exe
4760	670d1014ec5713d005f8ddfefc495a9e.exe
3988	powershell.exe
2204	svchost.exe
3988	powershell.exe
4640	relog.exe
4640	relog.exe
4640	relog.exe
4640	relog.exe
4640	relog.exe
4640	relog.exe
4640	relog.exe
4640	relog.exe
4640	relog.exe
4640	relog.exe
4640	relog.exe
4640	relog.exe
3452	Explorer.EXE
3452	Explorer.EXE
4640	relog.exe
4640	relog.exe
4640	relog.exe
4640	relog.exe
4640	relog.exe
4640	relog.exe
4640	relog.exe
4640	relog.exe
4640	relog.exe
4640	relog.exe
4640	relog.exe
4640	relog.exe
4640	relog.exe
4640	relog.exe
4640	relog.exe
4640	relog.exe
4640	relog.exe
4640	relog.exe
4640	relog.exe
4640	relog.exe
4640	relog.exe
4640	relog.exe
4640	relog.exe
4640	relog.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4760	670d1014ec5713d005f8ddfefc495a9e.exe
Token: SeDebugPrivilege	2204	svchost.exe
Token: SeDebugPrivilege	3988	powershell.exe
Token: SeIncreaseQuotaPrivilege	5012	yiowyo.exe
Token: SeSecurityPrivilege	5012	yiowyo.exe
Token: SeTakeOwnershipPrivilege	5012	yiowyo.exe
Token: SeLoadDriverPrivilege	5012	yiowyo.exe
Token: SeSystemProfilePrivilege	5012	yiowyo.exe
Token: SeSystemtimePrivilege	5012	yiowyo.exe
Token: SeProfSingleProcessPrivilege	5012	yiowyo.exe
Token: SeIncBasePriorityPrivilege	5012	yiowyo.exe
Token: SeCreatePagefilePrivilege	5012	yiowyo.exe
Token: SeBackupPrivilege	5012	yiowyo.exe
Token: SeRestorePrivilege	5012	yiowyo.exe
Token: SeShutdownPrivilege	5012	yiowyo.exe
Token: SeDebugPrivilege	5012	yiowyo.exe
Token: SeSystemEnvironmentPrivilege	5012	yiowyo.exe
Token: SeRemoteShutdownPrivilege	5012	yiowyo.exe
Token: SeUndockPrivilege	5012	yiowyo.exe
Token: SeManageVolumePrivilege	5012	yiowyo.exe
Token: 33	5012	yiowyo.exe
Token: 34	5012	yiowyo.exe
Token: 35	5012	yiowyo.exe
Token: 36	5012	yiowyo.exe
Token: SeDebugPrivilege	4640	relog.exe
Token: SeDebugPrivilege	4640	relog.exe
Token: SeDebugPrivilege	4640	relog.exe
Token: SeDebugPrivilege	4640	relog.exe
Token: SeDebugPrivilege	4640	relog.exe
Token: SeDebugPrivilege	4640	relog.exe
Token: SeDebugPrivilege	4640	relog.exe
Token: SeDebugPrivilege	4640	relog.exe
Token: SeDebugPrivilege	4640	relog.exe
Token: SeDebugPrivilege	4640	relog.exe
Token: SeDebugPrivilege	4640	relog.exe
Token: SeDebugPrivilege	4640	relog.exe
Token: SeDebugPrivilege	4640	relog.exe
Token: SeDebugPrivilege	4640	relog.exe
Token: SeDebugPrivilege	4640	relog.exe
Token: SeDebugPrivilege	4640	relog.exe
Token: SeDebugPrivilege	4640	relog.exe
Token: SeDebugPrivilege	4640	relog.exe
Token: SeDebugPrivilege	4640	relog.exe
Token: SeDebugPrivilege	4640	relog.exe
Token: SeDebugPrivilege	4640	relog.exe
Token: SeDebugPrivilege	4640	relog.exe
Token: SeDebugPrivilege	4640	relog.exe
Token: SeDebugPrivilege	4640	relog.exe
Token: SeDebugPrivilege	4640	relog.exe
Token: SeDebugPrivilege	4640	relog.exe
Token: SeDebugPrivilege	4640	relog.exe
Token: SeDebugPrivilege	4640	relog.exe
Token: SeDebugPrivilege	4640	relog.exe
Token: SeDebugPrivilege	4640	relog.exe
Token: SeDebugPrivilege	4640	relog.exe
Token: SeDebugPrivilege	4640	relog.exe
Token: SeDebugPrivilege	4640	relog.exe
Token: SeDebugPrivilege	4640	relog.exe
Token: SeDebugPrivilege	4640	relog.exe
Token: SeDebugPrivilege	4640	relog.exe
Token: SeDebugPrivilege	4640	relog.exe
Token: SeDebugPrivilege	4640	relog.exe
Token: SeDebugPrivilege	4640	relog.exe
Token: SeDebugPrivilege	4640	relog.exe

Suspicious use of WriteProcessMemory 58 IoCs

description	pid	Process	procid_target
PID 4760 wrote to memory of 3192	4760	670d1014ec5713d005f8ddfefc495a9e.exe	92
PID 4760 wrote to memory of 3192	4760	670d1014ec5713d005f8ddfefc495a9e.exe	92
PID 4760 wrote to memory of 3192	4760	670d1014ec5713d005f8ddfefc495a9e.exe	92
PID 4760 wrote to memory of 3624	4760	670d1014ec5713d005f8ddfefc495a9e.exe	94
PID 4760 wrote to memory of 3624	4760	670d1014ec5713d005f8ddfefc495a9e.exe	94
PID 4760 wrote to memory of 3624	4760	670d1014ec5713d005f8ddfefc495a9e.exe	94
PID 3624 wrote to memory of 5076	3624	cmd.exe	98
PID 3624 wrote to memory of 5076	3624	cmd.exe	98
PID 3624 wrote to memory of 5076	3624	cmd.exe	98
PID 3192 wrote to memory of 1324	3192	cmd.exe	97
PID 3192 wrote to memory of 1324	3192	cmd.exe	97
PID 3192 wrote to memory of 1324	3192	cmd.exe	97
PID 3624 wrote to memory of 2204	3624	cmd.exe	99
PID 3624 wrote to memory of 2204	3624	cmd.exe	99
PID 3624 wrote to memory of 2204	3624	cmd.exe	99
PID 2204 wrote to memory of 4232	2204	svchost.exe	106
PID 2204 wrote to memory of 4232	2204	svchost.exe	106
PID 2204 wrote to memory of 4232	2204	svchost.exe	106
PID 4232 wrote to memory of 3988	4232	cmd.exe	108
PID 4232 wrote to memory of 3988	4232	cmd.exe	108
PID 4232 wrote to memory of 3988	4232	cmd.exe	108
PID 3988 wrote to memory of 5012	3988	powershell.exe	109
PID 3988 wrote to memory of 5012	3988	powershell.exe	109
PID 5012 wrote to memory of 3684	5012	yiowyo.exe	110
PID 5012 wrote to memory of 3684	5012	yiowyo.exe	110
PID 5012 wrote to memory of 4640	5012	yiowyo.exe	112
PID 5012 wrote to memory of 4640	5012	yiowyo.exe	112
PID 5012 wrote to memory of 4640	5012	yiowyo.exe	112
PID 4640 wrote to memory of 3488	4640	relog.exe	113
PID 4640 wrote to memory of 3488	4640	relog.exe	113
PID 4640 wrote to memory of 4708	4640	relog.exe	115
PID 4640 wrote to memory of 4708	4640	relog.exe	115
PID 4640 wrote to memory of 3892	4640	relog.exe	117
PID 4640 wrote to memory of 3892	4640	relog.exe	117
PID 4640 wrote to memory of 3916	4640	relog.exe	119
PID 4640 wrote to memory of 3916	4640	relog.exe	119
PID 4640 wrote to memory of 1344	4640	relog.exe	121
PID 4640 wrote to memory of 1344	4640	relog.exe	121
PID 4640 wrote to memory of 3452	4640	relog.exe	56
PID 4640 wrote to memory of 3452	4640	relog.exe	56
PID 3452 wrote to memory of 4744	3452	Explorer.EXE	123
PID 3452 wrote to memory of 4744	3452	Explorer.EXE	123
PID 3452 wrote to memory of 4744	3452	Explorer.EXE	123
PID 2204 wrote to memory of 4976	2204	svchost.exe	124
PID 2204 wrote to memory of 4976	2204	svchost.exe	124
PID 2204 wrote to memory of 4976	2204	svchost.exe	124
PID 4976 wrote to memory of 5060	4976	cmd.exe	126
PID 4976 wrote to memory of 5060	4976	cmd.exe	126
PID 4976 wrote to memory of 5060	4976	cmd.exe	126
PID 3452 wrote to memory of 3904	3452	Explorer.EXE	127
PID 3452 wrote to memory of 3904	3452	Explorer.EXE	127
PID 3452 wrote to memory of 3904	3452	Explorer.EXE	127
PID 3904 wrote to memory of 2616	3904	12C4.tmp.svchost.exe	128
PID 3904 wrote to memory of 2616	3904	12C4.tmp.svchost.exe	128
PID 3904 wrote to memory of 2616	3904	12C4.tmp.svchost.exe	128
PID 5060 wrote to memory of 2276	5060	powershell.exe	130
PID 5060 wrote to memory of 2276	5060	powershell.exe	130
PID 5060 wrote to memory of 2276	5060	powershell.exe	130

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3452
- C:\Users\Admin\AppData\Local\Temp\670d1014ec5713d005f8ddfefc495a9e.exe
  "C:\Users\Admin\AppData\Local\Temp\670d1014ec5713d005f8ddfefc495a9e.exe"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4760
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\AppData\Roaming\svchost.exe"' & exit
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3192
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\AppData\Roaming\svchost.exe"'
      4⤵
      System Location Discovery: System Language Discovery
      Scheduled Task/Job: Scheduled Task
      PID:1324
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpD179.tmp.bat""
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3624
  - - C:\Windows\SysWOW64\timeout.exe
      timeout 3
      4⤵
      System Location Discovery: System Language Discovery
      Delays execution with timeout.exe
      PID:5076
  - - C:\Users\Admin\AppData\Roaming\svchost.exe
      "C:\Users\Admin\AppData\Roaming\svchost.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2204
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c start /b powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\yiowyo.exe"' & exit
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4232
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\yiowyo.exe"'
        6⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3988
        
        C:\Users\Admin\AppData\Local\Temp\yiowyo.exe
        
        "C:\Users\Admin\AppData\Local\Temp\yiowyo.exe"
        7⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5012
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /create /tn "SystemServicesTools" /tr "C:\Users\Admin\AppData\Roaming\{55B28E2F7F6B3750773564}\{55B28E2F7F6B3750773564}.exe" /sc onstart /f
        8⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3684
        
        C:\Windows\system32\relog.exe
        
        C:\Windows\system32\relog.exe
        8⤵
        Drops file in Drivers directory
        Adds Run key to start application
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4640
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /tn "BnaZsTZafj" /tr "C:\Users\Admin\AppData\Roaming\Adobe\Service_Adobe.exe" /sc onstart /f
        9⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3488
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /tn "BnaZsTZafj" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Service_Microsoft.exe" /sc onstart /f
        9⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4708
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /tn "E9iAjnmNS5" /tr "C:\Users\Admin\AppData\Roaming\Mozilla\Service_Mozilla.exe" /sc onstart /f
        9⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3892
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /tn "E9iAjnmNS5" /tr "C:\Users\Admin\AppData\Roaming\Sun\Service_Sun.exe" /sc onstart /f
        9⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3916
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /tn "E9iAjnmNS5" /tr "C:\Users\Admin\AppData\Roaming\{55B28E2F7F6B3750773564}\Service_{55B28E2F7F6B3750773564}.exe" /sc onstart /f
        9⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1344
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c start /b powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\vukksf.exe"' & exit
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4976
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\vukksf.exe"'
        6⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:5060
        
        C:\Users\Admin\AppData\Local\Temp\vukksf.exe
        
        "C:\Users\Admin\AppData\Local\Temp\vukksf.exe"
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2276
- C:\Users\Admin\AppData\Local\Temp\C1C.tmp.uIZtAux.exe
  "C:\Users\Admin\AppData\Local\Temp\C1C.tmp.uIZtAux.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4744
- C:\Users\Admin\AppData\Local\Temp\12C4.tmp.svchost.exe
  "C:\Users\Admin\AppData\Local\Temp\12C4.tmp.svchost.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3904
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /xml "C:\Users\Admin\AppData\Roaming\WinZIP_32\version.xml" /tn WPDR\Config_Error\Version /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:2616

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
1KB

MD5
5315900105942deb090a358a315b06fe

SHA1
22fe5d2e1617c31afbafb91c117508d41ef0ce44

SHA256
e8bd7d8d1d0437c71aceb032f9fb08dd1147f41c048540254971cc60e95d6cd7

SHA512
77e8d15b8c34a1cb01dbee7147987e2cc25c747e0f80d254714a93937a6d2fe08cb5a772cf85ceb8fec56415bfa853234a003173718c4229ba8cfcf2ce6335a6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
15KB

MD5
be1d10998837d9184f66ed7766e6b736

SHA1
ca25148e653c8fa95db8fab9dd18614520b5eb83

SHA256
bca46c8870743a8c76c6c0bfc270372559fd052f7880d09ee56083800e71b328

SHA512
bbc7395fbf54690cbffe3df5a1f36b2a8f3624b143c4c7aac803434158a509188f9cd6af8cfd7efee502b5ecad14b0df363f8042ce6d64e87a1b1a945038172f

Download Submit
C:\Users\Admin\AppData\Local\Temp\12C4.tmp.svchost.exe

Filesize
321KB

MD5
6ddd28445b8fc2485cb72f22d1adc936

SHA1
403c02d952120aafc6fb659a0ce0b99b1384442c

SHA256
d73a9c06d72b25fc9cc1d3883ba52ba949c91297d20f8cff37481d9b442a7ef7

SHA512
9abc68fab4c2a37f6cf07e2d1d7baccf26da411969b6dca4508776b9f57e3ed228dbc1a50e6dc4784791bdb86423d1f20c0f4d118c20d23951906a14ebd4682b

Download Submit
C:\Users\Admin\AppData\Local\Temp\C1C.tmp.uIZtAux.exe

Filesize
300KB

MD5
8d14c4ba7260c61ecde30d97fd3c124a

SHA1
f60a7243a5160ff0dd60c37e1de43b81cead3549

SHA256
6985ec7f67fabd26633c991be04ce5f899224a56bb078ba186b4be21f9e4714d

SHA512
b068decea7ec68d2b4347493d9e4b8cc4fb0c3c5f5ecc2a52be6eb35d28e75d3de1636efe0b67cce825e8d08d3fb82d137b1d6eb1225662fb8c3dff9616dcc4c

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_wh1521pz.eqt.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpD179.tmp.bat

Filesize
151B

MD5
17d1244e0f520d9748d9d6120add93b9

SHA1
4559cea4d236776b95aa8e09be451469700c880a

SHA256
2a7d1da6052130e2591a23fee211f27edec106e63dd1b9f0c7976c986ba811b1

SHA512
e6904d11a78b1bafd65220d4922aaa0e66440e6edcdcb435c887f90d70341b00ef5f8eb16b13a1779c21c8e8cfe07507428d26701c23660b52be56649d49821c

Download Submit
C:\Users\Admin\AppData\Local\Temp\yiowyo.exe

Filesize
322KB

MD5
61c5a8e414a47b8cc2c69e1ac4370a35

SHA1
d6d66b31e7ebe3bd032a33fbe35fed2720fae964

SHA256
4da3bff89fc796886ca615a29a2595c4109f86fff2a9e699ea1036195719cb3b

SHA512
b1d732a280ea6f9e0eca5802016292e9c373a6e6d2c48404bbe00eb67a791427945ec3d1998ffdd8bda603adb9ee6c9312cf2976ed3567ab0a2c7f8494079c92

Download Submit
C:\Users\Admin\AppData\Roaming\WinZIP_32\version.xml

Filesize
1KB

MD5
2b29aa25ee90747f05e920706e4dfc4f

SHA1
2ec04aa0574178e5b5245362fdb5b1cfbf4ec637

SHA256
93e469a8135addc4822f19a7afb7d02baea8242626188ce3e2b039862fc67511

SHA512
2a3f6bda5c957eed82b5fdf39bb33d109c68e39a1e096c944bfe725f027757efa87bc44ea037f9baf47426d0335a12639ff67c626aec3fc1c5c430b2efbf44fb

Download Submit
C:\Users\Admin\AppData\Roaming\svchost.exe

Filesize
47KB

MD5
670d1014ec5713d005f8ddfefc495a9e

SHA1
91362eaf33dc55e4d970fbefbda975be32628d6b

SHA256
70c6d555938fdc95c03f98a7a3a37b607d1dce623663479082c5b9514caa04fd

SHA512
175827b48f35899e89fcbdacd2e98b378b92abc8e7a1c225441f57a46d02fea838104e3d6480a137f401c72e2d7979ff3db7a74d5c52e84a0733246f0fa5384f

Download Submit
C:\Windows\System32\drivers\etc\hosts

Filesize
1KB

MD5
1530b50aac226cd50815c69326517e51

SHA1
e97855298b61d8a5b6cf2450a990d5cbc40c6aa4

SHA256
1c1eab02470f70f1067cc91ae1506955f2cd92eac3afac8eb3592cc718c2cab3

SHA512
c66ee426b16c2ab3439617774b914dd279351b4c3dc14e16d6e7cdb11cd0cf0d3346df87a315f5a0de885522e3bfdcc2513e73f2d01cf0e5f13f77f7facdb432

Download Submit
memory/2204-16-0x00000000065D0000-0x0000000006636000-memory.dmp

Filesize
408KB

Download
memory/2204-17-0x0000000007680000-0x00000000076F6000-memory.dmp

Filesize
472KB

Download
memory/2204-18-0x0000000007600000-0x0000000007662000-memory.dmp

Filesize
392KB

Download
memory/2204-19-0x0000000007760000-0x000000000777E000-memory.dmp

Filesize
120KB

Download
memory/2204-15-0x0000000006AD0000-0x0000000007074000-memory.dmp

Filesize
5.6MB

Download
memory/2204-14-0x0000000074490000-0x0000000074C40000-memory.dmp

Filesize
7.7MB

Download
memory/2204-13-0x0000000074490000-0x0000000074C40000-memory.dmp

Filesize
7.7MB

Download
memory/2276-163-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download
memory/2276-165-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download
memory/3452-108-0x0000000002470000-0x0000000002486000-memory.dmp

Filesize
88KB

Download
memory/3452-110-0x0000000002AF0000-0x0000000002B47000-memory.dmp

Filesize
348KB

Download
memory/3452-106-0x00000000029F0000-0x0000000002A33000-memory.dmp

Filesize
268KB

Download
memory/3904-138-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download
memory/3904-166-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download
memory/3988-34-0x00000000061F0000-0x0000000006544000-memory.dmp

Filesize
3.3MB

Download
memory/3988-21-0x0000000002D10000-0x0000000002D46000-memory.dmp

Filesize
216KB

Download
memory/3988-36-0x0000000006720000-0x000000000676C000-memory.dmp

Filesize
304KB

Download
memory/3988-35-0x0000000006670000-0x000000000668E000-memory.dmp

Filesize
120KB

Download
memory/3988-38-0x0000000006B70000-0x0000000006B8A000-memory.dmp

Filesize
104KB

Download
memory/3988-33-0x00000000060A0000-0x0000000006106000-memory.dmp

Filesize
408KB

Download
memory/3988-28-0x0000000005E70000-0x0000000005E92000-memory.dmp

Filesize
136KB

Download
memory/3988-22-0x00000000057D0000-0x0000000005DF8000-memory.dmp

Filesize
6.2MB

Download
memory/3988-37-0x0000000007630000-0x00000000076C6000-memory.dmp

Filesize
600KB

Download
memory/3988-39-0x0000000006BC0000-0x0000000006BE2000-memory.dmp

Filesize
136KB

Download
memory/4640-162-0x00007FF64F1C0000-0x00007FF64F216000-memory.dmp

Filesize
344KB

Download
memory/4744-155-0x0000000005780000-0x000000000588A000-memory.dmp

Filesize
1.0MB

Download
memory/4744-169-0x00000000071D0000-0x00000000076FC000-memory.dmp

Filesize
5.2MB

Download
memory/4744-168-0x0000000006AD0000-0x0000000006C92000-memory.dmp

Filesize
1.8MB

Download
memory/4744-123-0x0000000000410000-0x0000000000462000-memory.dmp

Filesize
328KB

Download
memory/4744-157-0x0000000005010000-0x000000000504C000-memory.dmp

Filesize
240KB

Download
memory/4744-154-0x0000000005DA0000-0x00000000063B8000-memory.dmp

Filesize
6.1MB

Download
memory/4744-125-0x0000000004ED0000-0x0000000004EDA000-memory.dmp

Filesize
40KB

Download
memory/4744-156-0x0000000004FB0000-0x0000000004FC2000-memory.dmp

Filesize
72KB

Download
memory/4744-124-0x0000000004D20000-0x0000000004DB2000-memory.dmp

Filesize
584KB

Download
memory/4760-3-0x00000000055F0000-0x000000000568C000-memory.dmp

Filesize
624KB

Download
memory/4760-2-0x0000000074490000-0x0000000074C40000-memory.dmp

Filesize
7.7MB

Download
memory/4760-1-0x0000000000B90000-0x0000000000BA2000-memory.dmp

Filesize
72KB

Download
memory/4760-8-0x0000000074490000-0x0000000074C40000-memory.dmp

Filesize
7.7MB

Download
memory/4760-0-0x000000007449E000-0x000000007449F000-memory.dmp

Filesize
4KB

Download
memory/5060-153-0x00000000067D0000-0x000000000681C000-memory.dmp

Filesize
304KB

Download
memory/5060-144-0x0000000005CA0000-0x0000000005FF4000-memory.dmp

Filesize
3.3MB

Download