asyncrat | 48d4f67b8b47513692ff94bd7716e8ca086752d5944af72e9404156ed8e31a53

Analysis

max time kernel
150s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
03-08-2024 16:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

XBinderOutput.exe
Size

3.1MB
MD5

e18e846d4bdb6ef41cf0f0a27aa9f512
SHA1

72b3cb545c09e18f0398dd0ab5ff97ce11cb6444
SHA256

48d4f67b8b47513692ff94bd7716e8ca086752d5944af72e9404156ed8e31a53
SHA512

c6e67e0f58666883f388c247fde1680028756ad0c6dc7421b45d3d3b9623abeb10c982999a8271e9b76b851fac70797c98a999bc22507d831108c2343b877633
SSDEEP

98304:Xsee+YP9EONeQXCmKUgjVVO6BEr+49yOwboZZh:8eeBP9EOvtKUFM98Z

Score

10^/10

asyncrat xworm default discovery execution persistence rat trojan

Malware Config

Extracted

Family

asyncrat

Botnet

Default

form-fly.gl.at.ply.gg:41810

Attributes

delay
1
install
true
install_file
System32.exe
install_folder
%AppData%

aes.plain

Extracted

Family

xworm

and-statements.gl.at.ply.gg:43442

Attributes

Install_directory
%Public%
install_file
discord.exe

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral1/files/0x00080000000233a2-97.dat	family_xworm
behavioral1/memory/4288-106-0x0000000000080000-0x00000000000C6000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm

Async RAT payload 1 IoCs

rat

resource	yara_rule
behavioral1/files/0x000700000002339b-48.dat	family_asyncrat

Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1448	powershell.exe
4360	powershell.exe
3440	powershell.exe
1564	powershell.exe
1824	powershell.exe
712	powershell.exe
3524	powershell.exe
4796	powershell.exe
1644	powershell.exe
2796	powershell.exe
3788	powershell.exe
3444	powershell.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	XBinderOutput.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	System32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	DiscordSettings.exe

Drops startup file 3 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\discord.lnk	DiscordSettings.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BZDNTO.lnk	TLULXB.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\discord.lnk	DiscordSettings.exe

Executes dropped EXE 10 IoCs

pid	Process
1756	TLULXB.exe
4248	System32.exe
2672	Discord.exe
4288	DiscordSettings.exe
4508	System32.exe
4696	discord.exe
4844	services32.exe
3276	sihost32.exe
4576	discord.exe
1040	discord.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Discord = "C:\\Windows\\System32\\Discord.exe"	XBinderOutput.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\DiscordSettings = "C:\\Windows\\System32\\DiscordSettings.exe"	XBinderOutput.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\discord = "C:\\Users\\Public\\discord.exe"	DiscordSettings.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\TLULXB = "C:\\Windows\\System32\\TLULXB.exe"	XBinderOutput.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System32 = "C:\\Windows\\System32\\System32.exe"	XBinderOutput.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\BZDNTO = "\"C:\\Users\\Admin\\AppData\\Roaming\\Windata\\SYYHCX.exe\""	TLULXB.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
12	ip-api.com

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/files/0x00080000000232fe-23.dat	autoit_exe

Drops file in System32 directory 11 IoCs

description	ioc	Process
File created	C:\Windows\System32\System32.exe	XBinderOutput.exe
File opened for modification	C:\Windows\System32\Discord.exe	XBinderOutput.exe
File created	C:\Windows\System32\DiscordSettings.exe	XBinderOutput.exe
File opened for modification	C:\Windows\System32\DiscordSettings.exe	XBinderOutput.exe
File created	C:\Windows\system32\services32.exe	conhost.exe
File created	C:\Windows\System32\TLULXB.exe	XBinderOutput.exe
File opened for modification	C:\Windows\System32\System32.exe	XBinderOutput.exe
File created	C:\Windows\System32\Discord.exe	XBinderOutput.exe
File opened for modification	C:\Windows\system32\services32.exe	conhost.exe
File created	C:\Windows\system32\Microsoft\Telemetry\sihost32.exe	conhost.exe
File opened for modification	C:\Windows\System32\TLULXB.exe	XBinderOutput.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TLULXB.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WSCript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
1516	timeout.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Local\Temp\winmgmts:\localhost\root\SecurityCenter2	TLULXB.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 8 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4560	schtasks.exe
3080	schtasks.exe
3976	schtasks.exe
3308	schtasks.exe
2764	schtasks.exe
3412	schtasks.exe
2984	schtasks.exe
1564	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4796	powershell.exe
4796	powershell.exe
1448	powershell.exe
1448	powershell.exe
1756	TLULXB.exe
1756	TLULXB.exe
1756	TLULXB.exe
1756	TLULXB.exe
1644	powershell.exe
1756	TLULXB.exe
1756	TLULXB.exe
1756	TLULXB.exe
1756	TLULXB.exe
1756	TLULXB.exe
1756	TLULXB.exe
1644	powershell.exe
1756	TLULXB.exe
1756	TLULXB.exe
1756	TLULXB.exe
1756	TLULXB.exe
1756	TLULXB.exe
1756	TLULXB.exe
1756	TLULXB.exe
1756	TLULXB.exe
1756	TLULXB.exe
1756	TLULXB.exe
1756	TLULXB.exe
1756	TLULXB.exe
1756	TLULXB.exe
1756	TLULXB.exe
1756	TLULXB.exe
1756	TLULXB.exe
1756	TLULXB.exe
1756	TLULXB.exe
1756	TLULXB.exe
1756	TLULXB.exe
1756	TLULXB.exe
1756	TLULXB.exe
1756	TLULXB.exe
1756	TLULXB.exe
1756	TLULXB.exe
1756	TLULXB.exe
1756	TLULXB.exe
1756	TLULXB.exe
1756	TLULXB.exe
1756	TLULXB.exe
1756	TLULXB.exe
1756	TLULXB.exe
1756	TLULXB.exe
1756	TLULXB.exe
1756	TLULXB.exe
1756	TLULXB.exe
1756	TLULXB.exe
1756	TLULXB.exe
1756	TLULXB.exe
1756	TLULXB.exe
1756	TLULXB.exe
1756	TLULXB.exe
1756	TLULXB.exe
1756	TLULXB.exe
1756	TLULXB.exe
1756	TLULXB.exe
1756	TLULXB.exe
1756	TLULXB.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1756	TLULXB.exe

Suspicious use of AdjustPrivilegeToken 23 IoCs

description	pid	Process
Token: SeDebugPrivilege	4796	powershell.exe
Token: SeDebugPrivilege	1448	powershell.exe
Token: SeDebugPrivilege	1644	powershell.exe
Token: SeDebugPrivilege	2796	powershell.exe
Token: SeDebugPrivilege	4288	DiscordSettings.exe
Token: SeDebugPrivilege	4248	System32.exe
Token: SeDebugPrivilege	4248	System32.exe
Token: SeDebugPrivilege	3788	powershell.exe
Token: SeDebugPrivilege	3444	powershell.exe
Token: SeDebugPrivilege	4360	powershell.exe
Token: SeDebugPrivilege	1824	powershell.exe
Token: SeDebugPrivilege	4508	System32.exe
Token: SeDebugPrivilege	4508	System32.exe
Token: SeDebugPrivilege	4288	DiscordSettings.exe
Token: SeDebugPrivilege	2140	conhost.exe
Token: SeDebugPrivilege	712	powershell.exe
Token: SeDebugPrivilege	3440	powershell.exe
Token: SeDebugPrivilege	4696	discord.exe
Token: SeDebugPrivilege	4756	conhost.exe
Token: SeDebugPrivilege	1564	powershell.exe
Token: SeDebugPrivilege	3524	powershell.exe
Token: SeDebugPrivilege	4576	discord.exe
Token: SeDebugPrivilege	1040	discord.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4288	DiscordSettings.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5096 wrote to memory of 4796	5096	XBinderOutput.exe	86
PID 5096 wrote to memory of 4796	5096	XBinderOutput.exe	86
PID 5096 wrote to memory of 3412	5096	XBinderOutput.exe	88
PID 5096 wrote to memory of 3412	5096	XBinderOutput.exe	88
PID 5096 wrote to memory of 1756	5096	XBinderOutput.exe	90
PID 5096 wrote to memory of 1756	5096	XBinderOutput.exe	90
PID 5096 wrote to memory of 1756	5096	XBinderOutput.exe	90
PID 5096 wrote to memory of 1448	5096	XBinderOutput.exe	91
PID 5096 wrote to memory of 1448	5096	XBinderOutput.exe	91
PID 5096 wrote to memory of 2984	5096	XBinderOutput.exe	93
PID 5096 wrote to memory of 2984	5096	XBinderOutput.exe	93
PID 5096 wrote to memory of 4248	5096	XBinderOutput.exe	95
PID 5096 wrote to memory of 4248	5096	XBinderOutput.exe	95
PID 5096 wrote to memory of 1644	5096	XBinderOutput.exe	96
PID 5096 wrote to memory of 1644	5096	XBinderOutput.exe	96
PID 1756 wrote to memory of 2512	1756	TLULXB.exe	98
PID 1756 wrote to memory of 2512	1756	TLULXB.exe	98
PID 1756 wrote to memory of 2512	1756	TLULXB.exe	98
PID 1756 wrote to memory of 1680	1756	TLULXB.exe	99
PID 1756 wrote to memory of 1680	1756	TLULXB.exe	99
PID 1756 wrote to memory of 1680	1756	TLULXB.exe	99
PID 2512 wrote to memory of 1564	2512	cmd.exe	101
PID 2512 wrote to memory of 1564	2512	cmd.exe	101
PID 2512 wrote to memory of 1564	2512	cmd.exe	101
PID 5096 wrote to memory of 4560	5096	XBinderOutput.exe	103
PID 5096 wrote to memory of 4560	5096	XBinderOutput.exe	103
PID 5096 wrote to memory of 2672	5096	XBinderOutput.exe	105
PID 5096 wrote to memory of 2672	5096	XBinderOutput.exe	105
PID 5096 wrote to memory of 2796	5096	XBinderOutput.exe	106
PID 5096 wrote to memory of 2796	5096	XBinderOutput.exe	106
PID 5096 wrote to memory of 3080	5096	XBinderOutput.exe	108
PID 5096 wrote to memory of 3080	5096	XBinderOutput.exe	108
PID 5096 wrote to memory of 4288	5096	XBinderOutput.exe	110
PID 5096 wrote to memory of 4288	5096	XBinderOutput.exe	110
PID 4248 wrote to memory of 4580	4248	System32.exe	111
PID 4248 wrote to memory of 4580	4248	System32.exe	111
PID 4248 wrote to memory of 1724	4248	System32.exe	113
PID 4248 wrote to memory of 1724	4248	System32.exe	113
PID 1724 wrote to memory of 1516	1724	cmd.exe	115
PID 1724 wrote to memory of 1516	1724	cmd.exe	115
PID 4580 wrote to memory of 3976	4580	cmd.exe	116
PID 4580 wrote to memory of 3976	4580	cmd.exe	116
PID 1724 wrote to memory of 4508	1724	cmd.exe	117
PID 1724 wrote to memory of 4508	1724	cmd.exe	117
PID 4288 wrote to memory of 3788	4288	DiscordSettings.exe	118
PID 4288 wrote to memory of 3788	4288	DiscordSettings.exe	118
PID 4288 wrote to memory of 3444	4288	DiscordSettings.exe	120
PID 4288 wrote to memory of 3444	4288	DiscordSettings.exe	120
PID 4288 wrote to memory of 4360	4288	DiscordSettings.exe	122
PID 4288 wrote to memory of 4360	4288	DiscordSettings.exe	122
PID 4288 wrote to memory of 1824	4288	DiscordSettings.exe	124
PID 4288 wrote to memory of 1824	4288	DiscordSettings.exe	124
PID 4288 wrote to memory of 3308	4288	DiscordSettings.exe	126
PID 4288 wrote to memory of 3308	4288	DiscordSettings.exe	126
PID 2672 wrote to memory of 2140	2672	Discord.exe	128
PID 2672 wrote to memory of 2140	2672	Discord.exe	128
PID 2672 wrote to memory of 2140	2672	Discord.exe	128
PID 2140 wrote to memory of 2084	2140	conhost.exe	129
PID 2140 wrote to memory of 2084	2140	conhost.exe	129
PID 2084 wrote to memory of 712	2084	cmd.exe	131
PID 2084 wrote to memory of 712	2084	cmd.exe	131
PID 2140 wrote to memory of 1528	2140	conhost.exe	132
PID 2140 wrote to memory of 1528	2140	conhost.exe	132
PID 1528 wrote to memory of 2764	1528	cmd.exe	134

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\XBinderOutput.exe
"C:\Users\Admin\AppData\Local\Temp\XBinderOutput.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:5096
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\System32\TLULXB.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4796
- C:\Windows\System32\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /F /TN "TLULXB" /SC ONLOGON /TR "C:\Windows\System32\TLULXB.exe" /RL HIGHEST
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:3412
- C:\Windows\System32\TLULXB.exe
  "C:\Windows\System32\TLULXB.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of WriteProcessMemory
  PID:1756
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c schtasks /create /tn BZDNTO.exe /tr C:\Users\Admin\AppData\Roaming\Windata\SYYHCX.exe /sc minute /mo 1
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2512
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /create /tn BZDNTO.exe /tr C:\Users\Admin\AppData\Roaming\Windata\SYYHCX.exe /sc minute /mo 1
      4⤵
      System Location Discovery: System Language Discovery
      Scheduled Task/Job: Scheduled Task
      PID:1564
- - C:\Windows\SysWOW64\WSCript.exe
    WSCript C:\Users\Admin\AppData\Local\Temp\BZDNTO.vbs
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1680
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\System32\System32.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1448
- C:\Windows\System32\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /F /TN "System32" /SC ONLOGON /TR "C:\Windows\System32\System32.exe" /RL HIGHEST
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:2984
- C:\Windows\System32\System32.exe
  "C:\Windows\System32\System32.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4248
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "System32" /tr '"C:\Users\Admin\AppData\Roaming\System32.exe"' & exit
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4580
  - - C:\Windows\system32\schtasks.exe
      schtasks /create /f /sc onlogon /rl highest /tn "System32" /tr '"C:\Users\Admin\AppData\Roaming\System32.exe"'
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:3976
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp84FF.tmp.bat""
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1724
  - - C:\Windows\system32\timeout.exe
      timeout 3
      4⤵
      Delays execution with timeout.exe
      PID:1516
  - - C:\Users\Admin\AppData\Roaming\System32.exe
      "C:\Users\Admin\AppData\Roaming\System32.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:4508
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\System32\Discord.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1644
- C:\Windows\System32\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /F /TN "Discord" /SC ONLOGON /TR "C:\Windows\System32\Discord.exe" /RL HIGHEST
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:4560
- C:\Windows\System32\Discord.exe
  "C:\Windows\System32\Discord.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2672
- - C:\Windows\System32\conhost.exe
    "C:\Windows\System32\conhost.exe" "C:\Windows\System32\Discord.exe"
    3⤵
    - Drops file in System32 directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2140
  - - C:\Windows\System32\cmd.exe
      "cmd" cmd /c powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force" & powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force" & exit
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2084
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force"
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:712
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force"
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:3440
  - - C:\Windows\System32\cmd.exe
      "cmd" /c schtasks /create /f /sc onlogon /rl highest /tn "services32" /tr "C:\Windows\system32\services32.exe"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1528
    - - C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "services32" /tr "C:\Windows\system32\services32.exe"
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2764
  - - C:\Windows\System32\cmd.exe
      "cmd" cmd /c "C:\Windows\system32\services32.exe"
      4⤵
      PID:3020
    - - C:\Windows\system32\services32.exe
        
        C:\Windows\system32\services32.exe
        5⤵
        Executes dropped EXE
        
        PID:4844
      - C:\Windows\System32\conhost.exe
        
        "C:\Windows\System32\conhost.exe" "C:\Windows\system32\services32.exe"
        6⤵
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:4756
        
        C:\Windows\System32\cmd.exe
        
        "cmd" cmd /c powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force" & powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force" & exit
        7⤵
        
        PID:2392
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force"
        8⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1564
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force"
        8⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:3524
        
        C:\Windows\system32\Microsoft\Telemetry\sihost32.exe
        
        "C:\Windows\system32\Microsoft\Telemetry\sihost32.exe"
        7⤵
        Executes dropped EXE
        
        PID:3276
        
        C:\Windows\System32\conhost.exe
        
        "C:\Windows\System32\conhost.exe" "/sihost32"
        8⤵
        
        PID:4580
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\System32\DiscordSettings.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:2796
- C:\Windows\System32\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /F /TN "DiscordSettings" /SC ONLOGON /TR "C:\Windows\System32\DiscordSettings.exe" /RL HIGHEST
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:3080
- C:\Windows\System32\DiscordSettings.exe
  "C:\Windows\System32\DiscordSettings.exe"
  2⤵
  - Checks computer location settings
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4288
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\System32\DiscordSettings.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:3788
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'DiscordSettings.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:3444
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Public\discord.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:4360
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'discord.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:1824
- - C:\Windows\System32\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "discord" /tr "C:\Users\Public\discord.exe"
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:3308

C:\Users\Public\discord.exe
C:\Users\Public\discord.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4696

C:\Users\Public\discord.exe
C:\Users\Public\discord.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4576

C:\Users\Public\discord.exe
C:\Users\Public\discord.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1040

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\System32.exe.log

Filesize
871B

MD5
d58f949aad7df2e7b55248bfdfc6e1b8

SHA1
6713cad396b5808b66ede2dd9b169e00d5e5018f

SHA256
5e1611e4d915fd9759825811fa4463f09172889f85889a2942be1561948fab8a

SHA512
bdddb838108c4f3f0a7737703cbde935fe26aaea97459bb099c4c773c0789997283d7f20ac7ea4ac2aedef23515afc0b251b5b461aa12d3b7a60846b87b26e38

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\conhost.exe.log

Filesize
539B

MD5
b245679121623b152bea5562c173ba11

SHA1
47cb7fc4cf67e29a87016a7308cdb8b1b4dc8e3d

SHA256
73d84fd03e38f1bbf8b2218f8a454f0879051855252fc76b63f20f46e7fd877f

SHA512
75e46843b1eafcc7dc4362630838895b7f399e57662a12bf0305a912c8e726b02e0a760b1b97a2c262b2d05fdb944b9ed81c338ad93e5eb5cb57bc651602e42c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\discord.exe.log

Filesize
654B

MD5
2ff39f6c7249774be85fd60a8f9a245e

SHA1
684ff36b31aedc1e587c8496c02722c6698c1c4e

SHA256
e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced

SHA512
1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
34f595487e6bfd1d11c7de88ee50356a

SHA1
4caad088c15766cc0fa1f42009260e9a02f953bb

SHA256
0f9a4b52e01cb051052228a55d0515911b7ef5a8db3cf925528c746df511424d

SHA512
10976c5deaf9fac449e703e852c3b08d099f430de2d7c7b8e2525c35d63e28b890e5aab63feff9b20bca0aaf9f35a3ba411aee3fbeee9ea59f90ed25bd617a0b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
22310ad6749d8cc38284aa616efcd100

SHA1
440ef4a0a53bfa7c83fe84326a1dff4326dcb515

SHA256
55b1d8021c4eb4c3c0d75e3ed7a4eb30cd0123e3d69f32eeb596fe4ffec05abf

SHA512
2ef08e2ee15bb86695fe0c10533014ffed76ececc6e579d299d3365fafb7627f53e32e600bb6d872b9f58aca94f8cb7e1e94cdfd14777527f7f0aa019d9c6def

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
04f1d68afbed6b13399edfae1e9b1472

SHA1
8bfdcb687a995e4a63a8c32df2c66dc89f91a8b0

SHA256
f358f33a42122e97c489fad7bbc8beab2eb42d42e4ec7fce0dd61fe6d8c0b8de

SHA512
30c5e72a8134992094d937d2588f7a503b1d6407d11afe0265b7c8b0ce14071925e5caed13fc4f9c28705df4c7aed3601f81b007048b148af274d7784aa5fb75

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
eb1ad317bd25b55b2bbdce8a28a74a94

SHA1
98a3978be4d10d62e7411946474579ee5bdc5ea6

SHA256
9e94e7c9ac6134ee30e79498558aa1a5a1ac79a643666c3f8922eed215dd3a98

SHA512
d011f266c0240d84470c0f9577cd9e4927309bd19bb38570ca9704ed8e1d159f9bea982a59d3eefef72ce7a10bd81208b82e88ef57c7af587f7437a89769adc0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
92075279f2dbcaa5724ee5a47e49712f

SHA1
8dd3e2faa8432dde978946ebaf9054f7c6e0b2cb

SHA256
fd985ddd090621af25aa77aebff689c95ea7679ff0e81887124b2802ae3e9442

SHA512
744c62556233d9872f43ffb5a5a98aee20a44834436306f0a948c8c4072bdb46ef8044616593747edd645caaee60faf8b14fedb2d6df5f6019b5c73357d80d22

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
7daa0b6c9f8fb37635f8121b0c06690a

SHA1
5684d950c7e582b02ba88e579f0d350100d16889

SHA256
a37ab7ac828226c2de1d05cdf35a6d7934ff3e5ecd617d46df1cdc784783d86b

SHA512
55578b4054f8e12df4721df0f8f35ca1f879dd2e2e32ac8aaa8bebf68f5521dfb35547a0f15e670cecd8019f18b32c0e6d78f44556431807e4225b04c0e99c35

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
ba169f4dcbbf147fe78ef0061a95e83b

SHA1
92a571a6eef49fff666e0f62a3545bcd1cdcda67

SHA256
5ef1421e19fde4bc03cd825dd7d6c0e7863f85fd8f0aa4a4d4f8d555dc7606d1

SHA512
8d2e5e552210dcda684682538bc964fdd8a8ff5b24cc2cc8af813729f0202191f98eb42d38d2355df17ae620fe401aad6ceaedaed3b112fdacd32485a3a0c07c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
6d3e9c29fe44e90aae6ed30ccf799ca8

SHA1
c7974ef72264bbdf13a2793ccf1aed11bc565dce

SHA256
2360634e63e8f0b5748e2c56ebb8f4aa78e71008ea7b5c9ca1c49be03b49557d

SHA512
60c38c4367352537545d859f64b9c5cbada94240478d1d039fd27b5ecba4dc1c90051557c16d802269703b873546ead416279c0a80c6fd5e49ad361cef22596a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
a7cc007980e419d553568a106210549a

SHA1
c03099706b75071f36c3962fcc60a22f197711e0

SHA256
a5735921fc72189c8bf577f3911486cf031708dc8d6bc764fe3e593c0a053165

SHA512
b9aaf29403c467daef80a1ae87478afc33b78f4e1ca16189557011bb83cf9b3e29a0f85c69fa209c45201fb28baca47d31756eee07b79c6312c506e8370f7666

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
993af531f0b57e8128ec273731c3a8e2

SHA1
a42ea55876f4f390837dd2c95fb7ff2344b6e9e1

SHA256
fff934d70d813381536d272c5b8ac6ad70acd054267b13592da767c9bd1dda62

SHA512
bdf5970ff2ee314dc297fce5c0f44765e77acbf269cd9ad9e7448a391d5f80d66a0c5426f99bc3480851e8763413aa180b3b3b6b22ef0e86a365450cb8c334e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\BZDNTO.vbs

Filesize
818B

MD5
7b78df21455e052b3efadb2f08a1b709

SHA1
1938235abc094a866ad59a4f4af0a4da9896a5d8

SHA256
4012340f167f12b53280b968c86818ab951a59f3926cbd4c6c302cec44070b5f

SHA512
f295a6dc8ce5af8e09554b45eef4ce39259a8b2d1648ff77db771351d62e78343d2efec0fc1b10e196d3f086d80416951e07cbd4fa26c7f6930da6c3915b7e7a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Gbr.jpg

Filesize
30KB

MD5
9a6aa0e6c240fde248a56e0d2e6aa7cd

SHA1
f15abd594f702a2b90194bbbcbc470dc08f48a3b

SHA256
d13a8a40d8c5a2d57c81b59758ebd34c004337b0d37ded22c564cabf84412253

SHA512
ee3508cc9f5439f7da9b84a917472fcddd4040ef36f354d3f0543f64ba1fbca8417b9cee1c25004b5de4ab89ec05e6360468077904990769487cfa05473be25d

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_5adi5cv4.j5j.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp84FF.tmp.bat

Filesize
152B

MD5
4c396bbee87071bf182ed2d4fd7c2b93

SHA1
9953b0a38ae11defd888c9b5f7f6f68d6e212bbe

SHA256
c5fcd0fb984cdd76b6dafe30e5ae629db6dffe43e30031261e15f41fbf6a793e

SHA512
29edaefbfb5276941c49fc18520777baf287a189a2e6d1c6a79bd6feda7405c2713525822f726e61d0cb8a53b792bd7665d42374b5ca1770334ce6fdf953cd9a

Download Submit
C:\Windows\System32\Discord.exe

Filesize
1.9MB

MD5
f3300c52bf4eefbcb2bd4ac14348969e

SHA1
80ccc13db7973fb45a7e98eddd12e43caa692d66

SHA256
d6a234450430588eb0c8c5d1003b0427697054bfd4f8cdd06a9eb4726bcbfef9

SHA512
3dfbba205d967279274397302f36329d7fbb2d0c3dd4c05008d5af9436cbe980c153ae4e1aa78d08aaa7e4635dff0d18ec786a297f6af75552c37538aeae2884

Download Submit
C:\Windows\System32\DiscordSettings.exe

Filesize
255KB

MD5
7fd6c3caf76ca0c100501743dbd6f012

SHA1
4d047377927ed3eedf06d72b272871cc37ff49a9

SHA256
ef7984535ed8630647ec6b41983bae5e83541c5b583f5dd8e70fa2085203c5da

SHA512
6b2a7445da766b8b0f7b644ed6e2a3fa1cf32ad88a724b1185670223bb2249fe13da125148da93b37704a7a7d17b6eacf86f6782ca5ffd4f5a8529844fc29ece

Download Submit
C:\Windows\System32\Microsoft\Telemetry\sihost32.exe

Filesize
32KB

MD5
4d917ba54fed7e86008fc0e3791c2f4c

SHA1
2480bfbcbab40addcdcfb195949a5944e52625bb

SHA256
69cec2e4be1de84131e6a81d3c1055c58877dfd7e9d52e12c2fb03a2615c68a2

SHA512
3ac2bc876ced7a5644e6d28bf6c056043228895eae49056e12ef970153f0df6b6d744114360fbad4633ff7eaa8c6233772fa7d929d38790f512968a363481558

Download Submit
C:\Windows\System32\System32.exe

Filesize
63KB

MD5
a04f965746aa20b8b6748074848f67da

SHA1
2f5a717ed859aad3db76671a0c6856dcc6887d0d

SHA256
cef9fc272e2349385d2fde43063a89e36f0bb9f7a767b794b05c711ff3115df8

SHA512
06d2f8bfe627e41d777edd27563307c0db8d71b00aaf0c0541eba65eab70f34627b2303152c5b658c8a8a39308326d1dad25dec29b8c44513189b06d3bf55782

Download Submit
C:\Windows\System32\TLULXB.exe

Filesize
1.3MB

MD5
30b4fcf9527096b2612e0e36ab05bbc6

SHA1
4909aa211dc69365e581caabdcdb0d61b4046e35

SHA256
4471405dd0a3699fc8253ee93b1cda8801997220b83e0c47a82b7ef65c907c5e

SHA512
8c77a3a0f8189b5c66292aa685c90fb661a58db96d314d95648675d63c07ecc2aac052cbbb59b9e5e6a81fbc5762c186e632097d4aa561b9c6ce1e146d88d24c

Download Submit
memory/2140-165-0x0000029C61050000-0x0000029C61241000-memory.dmp

Filesize
1.9MB

Download
memory/2140-167-0x0000029C62F60000-0x0000029C62F72000-memory.dmp

Filesize
72KB

Download
memory/2140-166-0x0000029C7BBD0000-0x0000029C7BDC2000-memory.dmp

Filesize
1.9MB

Download
memory/4248-56-0x00000000000A0000-0x00000000000B6000-memory.dmp

Filesize
88KB

Download
memory/4288-106-0x0000000000080000-0x00000000000C6000-memory.dmp

Filesize
280KB

Download
memory/4288-238-0x0000000002140000-0x000000000214C000-memory.dmp

Filesize
48KB

Download
memory/4580-232-0x000001628E5B0000-0x000001628E5B7000-memory.dmp

Filesize
28KB

Download
memory/4580-233-0x00000162900D0000-0x00000162900D6000-memory.dmp

Filesize
24KB

Download
memory/4796-14-0x00007FFA47E20000-0x00007FFA488E1000-memory.dmp

Filesize
10.8MB

Download
memory/4796-11-0x0000028092740000-0x0000028092762000-memory.dmp

Filesize
136KB

Download
memory/4796-12-0x00007FFA47E20000-0x00007FFA488E1000-memory.dmp

Filesize
10.8MB

Download
memory/4796-13-0x00007FFA47E20000-0x00007FFA488E1000-memory.dmp

Filesize
10.8MB

Download
memory/4796-17-0x00007FFA47E20000-0x00007FFA488E1000-memory.dmp

Filesize
10.8MB

Download
memory/5096-0-0x00007FFA47E23000-0x00007FFA47E25000-memory.dmp

Filesize
8KB

Download
memory/5096-1-0x0000000000B90000-0x0000000000EA8000-memory.dmp

Filesize
3.1MB

Download
memory/5096-107-0x00007FFA47E20000-0x00007FFA488E1000-memory.dmp

Filesize
10.8MB

Download
memory/5096-20-0x00007FFA47E20000-0x00007FFA488E1000-memory.dmp

Filesize
10.8MB

Download