asyncrat | 0b7987bd9f7cbee60c4c809f22ecda6f314a0366f0704ed474626ac5f7af3521

Resubmissions

08-08-2024 08:56

240808-kv41havgjh 10

08-08-2024 08:55

240808-kvncravgjb 10

08-08-2024 08:48

240808-kqyypavfpg 10

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
08-08-2024 08:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Shellbag anylizer.exe
Size

247KB
MD5

851269fc86de5d91e5f2db1b2b34cb6e
SHA1

6103dab45c98bddef65b6eed235a60159d458526
SHA256

0b7987bd9f7cbee60c4c809f22ecda6f314a0366f0704ed474626ac5f7af3521
SHA512

c01c7d2ec52d55ece6f88eeb9c5ecf260ef9b59fd3f08ad42e4ed582b24bd482fcfd334375177b032564f567af6d195f7627249abe1e428f52f6c2806783acfc
SSDEEP

6144:/bwmPMVWrVbVPwF9kfK8rpClz0KBb6o589GHWHWujiSPbp:/bw8n5gBuj/PV

Score

10^/10

asyncrat umbral default collection credential_access discovery execution persistence privilege_escalation rat spyware stealer

Malware Config

Extracted

Family

asyncrat

Version

Venom RAT + HVNC + Stealer + Grabber v6.0.3

Botnet

Default

Mutex

zedtklncvg

Attributes

delay
1
install
true
install_file
update.exe
install_folder
%AppData%
pastebin_config
https://pastebin.com/raw/f2T8NYnM

aes.plain

Extracted

Family

umbral

https://discord.com/api/webhooks/1268156147073028147/TIx6OxtO2lKmkHzKF1kx6lqRbTwM5gpzuWgE_bIMnb6ppmXmskOWpqqHICCvEtAo0VeV

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat

Detect Umbral payload 2 IoCs

resource	yara_rule
behavioral2/files/0x000a00000002343c-189.dat	family_umbral
behavioral2/memory/3528-193-0x000001776DFA0000-0x000001776DFE0000-memory.dmp	family_umbral

Umbral
Umbral stealer is an opensource moduler stealer written in C#.
stealer umbral

Async RAT payload 1 IoCs

rat

resource	yara_rule
behavioral2/files/0x0006000000016985-11.dat	family_asyncrat

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs

Start PowerShell.

execution

PowerShell

T1059.001

pid	Process
4528	powershell.exe
1672	powershell.exe
4664	powershell.exe
4836	powershell.exe
2084	powershell.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	stealler.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	Shellbag anylizer.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	update.exe

Executes dropped EXE 2 IoCs

pid	Process
3584	update.exe
3528	stealler.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	update.exe
Key opened	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	update.exe
Key opened	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	update.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Legitimate hosting services abused for malware hosting/C2 1 TTPs 7 IoCs

Web Service

T1102

flow	ioc
52	discord.com
53	discord.com
66	discord.com
67	discord.com
15	pastebin.com
16	pastebin.com
17	4.tcp.eu.ngrok.io

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
42	icanhazip.com
45	ip-api.com

Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.
Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 6 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
3884	PING.EXE
4052	cmd.exe

System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 2 IoCs

Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

discovery

Wi-Fi Discovery

T1016.002

pid	Process
2816	cmd.exe
4480	netsh.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	update.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	update.exe

Delays execution with timeout.exe 2 IoCs

evasion

pid	Process
2024	timeout.exe
1592	timeout.exe

Detects videocard installed 1 TTPs 1 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
1396	wmic.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
3884	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1936	schtasks.exe

Suspicious behavior: EnumeratesProcesses 56 IoCs

pid	Process
3032	Shellbag anylizer.exe
3032	Shellbag anylizer.exe
3032	Shellbag anylizer.exe
3032	Shellbag anylizer.exe
3032	Shellbag anylizer.exe
3032	Shellbag anylizer.exe
3032	Shellbag anylizer.exe
3032	Shellbag anylizer.exe
3032	Shellbag anylizer.exe
3032	Shellbag anylizer.exe
3032	Shellbag anylizer.exe
3032	Shellbag anylizer.exe
3032	Shellbag anylizer.exe
3032	Shellbag anylizer.exe
3032	Shellbag anylizer.exe
3032	Shellbag anylizer.exe
3032	Shellbag anylizer.exe
3032	Shellbag anylizer.exe
3032	Shellbag anylizer.exe
3584	update.exe
3584	update.exe
3584	update.exe
3584	update.exe
3584	update.exe
3584	update.exe
3584	update.exe
3584	update.exe
3584	update.exe
3584	update.exe
3584	update.exe
3584	update.exe
3584	update.exe
3584	update.exe
3584	update.exe
3584	update.exe
3584	update.exe
3584	update.exe
3584	update.exe
3584	update.exe
3584	update.exe
3584	update.exe
3584	update.exe
4528	powershell.exe
4528	powershell.exe
3584	update.exe
3528	stealler.exe
2084	powershell.exe
2084	powershell.exe
1672	powershell.exe
1672	powershell.exe
4664	powershell.exe
4664	powershell.exe
3648	powershell.exe
3648	powershell.exe
4836	powershell.exe
4836	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3032	Shellbag anylizer.exe
Token: SeDebugPrivilege	3032	Shellbag anylizer.exe
Token: SeDebugPrivilege	3584	update.exe
Token: SeDebugPrivilege	3584	update.exe
Token: SeDebugPrivilege	4528	powershell.exe
Token: SeDebugPrivilege	3528	stealler.exe
Token: SeIncreaseQuotaPrivilege	1428	wmic.exe
Token: SeSecurityPrivilege	1428	wmic.exe
Token: SeTakeOwnershipPrivilege	1428	wmic.exe
Token: SeLoadDriverPrivilege	1428	wmic.exe
Token: SeSystemProfilePrivilege	1428	wmic.exe
Token: SeSystemtimePrivilege	1428	wmic.exe
Token: SeProfSingleProcessPrivilege	1428	wmic.exe
Token: SeIncBasePriorityPrivilege	1428	wmic.exe
Token: SeCreatePagefilePrivilege	1428	wmic.exe
Token: SeBackupPrivilege	1428	wmic.exe
Token: SeRestorePrivilege	1428	wmic.exe
Token: SeShutdownPrivilege	1428	wmic.exe
Token: SeDebugPrivilege	1428	wmic.exe
Token: SeSystemEnvironmentPrivilege	1428	wmic.exe
Token: SeRemoteShutdownPrivilege	1428	wmic.exe
Token: SeUndockPrivilege	1428	wmic.exe
Token: SeManageVolumePrivilege	1428	wmic.exe
Token: 33	1428	wmic.exe
Token: 34	1428	wmic.exe
Token: 35	1428	wmic.exe
Token: 36	1428	wmic.exe
Token: SeIncreaseQuotaPrivilege	1428	wmic.exe
Token: SeSecurityPrivilege	1428	wmic.exe
Token: SeTakeOwnershipPrivilege	1428	wmic.exe
Token: SeLoadDriverPrivilege	1428	wmic.exe
Token: SeSystemProfilePrivilege	1428	wmic.exe
Token: SeSystemtimePrivilege	1428	wmic.exe
Token: SeProfSingleProcessPrivilege	1428	wmic.exe
Token: SeIncBasePriorityPrivilege	1428	wmic.exe
Token: SeCreatePagefilePrivilege	1428	wmic.exe
Token: SeBackupPrivilege	1428	wmic.exe
Token: SeRestorePrivilege	1428	wmic.exe
Token: SeShutdownPrivilege	1428	wmic.exe
Token: SeDebugPrivilege	1428	wmic.exe
Token: SeSystemEnvironmentPrivilege	1428	wmic.exe
Token: SeRemoteShutdownPrivilege	1428	wmic.exe
Token: SeUndockPrivilege	1428	wmic.exe
Token: SeManageVolumePrivilege	1428	wmic.exe
Token: 33	1428	wmic.exe
Token: 34	1428	wmic.exe
Token: 35	1428	wmic.exe
Token: 36	1428	wmic.exe
Token: SeDebugPrivilege	2084	powershell.exe
Token: SeDebugPrivilege	1672	powershell.exe
Token: SeDebugPrivilege	4664	powershell.exe
Token: SeDebugPrivilege	3648	powershell.exe
Token: SeIncreaseQuotaPrivilege	2816	wmic.exe
Token: SeSecurityPrivilege	2816	wmic.exe
Token: SeTakeOwnershipPrivilege	2816	wmic.exe
Token: SeLoadDriverPrivilege	2816	wmic.exe
Token: SeSystemProfilePrivilege	2816	wmic.exe
Token: SeSystemtimePrivilege	2816	wmic.exe
Token: SeProfSingleProcessPrivilege	2816	wmic.exe
Token: SeIncBasePriorityPrivilege	2816	wmic.exe
Token: SeCreatePagefilePrivilege	2816	wmic.exe
Token: SeBackupPrivilege	2816	wmic.exe
Token: SeRestorePrivilege	2816	wmic.exe
Token: SeShutdownPrivilege	2816	wmic.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3584	update.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3032 wrote to memory of 1152	3032	Shellbag anylizer.exe	85
PID 3032 wrote to memory of 1152	3032	Shellbag anylizer.exe	85
PID 3032 wrote to memory of 4940	3032	Shellbag anylizer.exe	86
PID 3032 wrote to memory of 4940	3032	Shellbag anylizer.exe	86
PID 1152 wrote to memory of 1936	1152	cmd.exe	89
PID 1152 wrote to memory of 1936	1152	cmd.exe	89
PID 4940 wrote to memory of 2024	4940	cmd.exe	90
PID 4940 wrote to memory of 2024	4940	cmd.exe	90
PID 4940 wrote to memory of 3584	4940	cmd.exe	91
PID 4940 wrote to memory of 3584	4940	cmd.exe	91
PID 3584 wrote to memory of 2816	3584	update.exe	96
PID 3584 wrote to memory of 2816	3584	update.exe	96
PID 2816 wrote to memory of 4320	2816	cmd.exe	98
PID 2816 wrote to memory of 4320	2816	cmd.exe	98
PID 2816 wrote to memory of 4480	2816	cmd.exe	99
PID 2816 wrote to memory of 4480	2816	cmd.exe	99
PID 2816 wrote to memory of 1408	2816	cmd.exe	100
PID 2816 wrote to memory of 1408	2816	cmd.exe	100
PID 3584 wrote to memory of 1980	3584	update.exe	101
PID 3584 wrote to memory of 1980	3584	update.exe	101
PID 1980 wrote to memory of 3864	1980	cmd.exe	103
PID 1980 wrote to memory of 3864	1980	cmd.exe	103
PID 1980 wrote to memory of 4188	1980	cmd.exe	104
PID 1980 wrote to memory of 4188	1980	cmd.exe	104
PID 3584 wrote to memory of 900	3584	update.exe	105
PID 3584 wrote to memory of 900	3584	update.exe	105
PID 900 wrote to memory of 4528	900	cmd.exe	107
PID 900 wrote to memory of 4528	900	cmd.exe	107
PID 4528 wrote to memory of 3528	4528	powershell.exe	108
PID 4528 wrote to memory of 3528	4528	powershell.exe	108
PID 3528 wrote to memory of 1428	3528	stealler.exe	109
PID 3528 wrote to memory of 1428	3528	stealler.exe	109
PID 3528 wrote to memory of 3336	3528	stealler.exe	111
PID 3528 wrote to memory of 3336	3528	stealler.exe	111
PID 3528 wrote to memory of 2084	3528	stealler.exe	113
PID 3528 wrote to memory of 2084	3528	stealler.exe	113
PID 3528 wrote to memory of 1672	3528	stealler.exe	115
PID 3528 wrote to memory of 1672	3528	stealler.exe	115
PID 3528 wrote to memory of 4664	3528	stealler.exe	117
PID 3528 wrote to memory of 4664	3528	stealler.exe	117
PID 3528 wrote to memory of 3648	3528	stealler.exe	119
PID 3528 wrote to memory of 3648	3528	stealler.exe	119
PID 3528 wrote to memory of 2816	3528	stealler.exe	121
PID 3528 wrote to memory of 2816	3528	stealler.exe	121
PID 3528 wrote to memory of 2284	3528	stealler.exe	123
PID 3528 wrote to memory of 2284	3528	stealler.exe	123
PID 3528 wrote to memory of 3280	3528	stealler.exe	125
PID 3528 wrote to memory of 3280	3528	stealler.exe	125
PID 3528 wrote to memory of 4836	3528	stealler.exe	127
PID 3528 wrote to memory of 4836	3528	stealler.exe	127
PID 3528 wrote to memory of 1396	3528	stealler.exe	129
PID 3528 wrote to memory of 1396	3528	stealler.exe	129
PID 3528 wrote to memory of 4052	3528	stealler.exe	131
PID 3528 wrote to memory of 4052	3528	stealler.exe	131
PID 4052 wrote to memory of 3884	4052	cmd.exe	133
PID 4052 wrote to memory of 3884	4052	cmd.exe	133
PID 3584 wrote to memory of 1004	3584	update.exe	134
PID 3584 wrote to memory of 1004	3584	update.exe	134
PID 3584 wrote to memory of 5108	3584	update.exe	135
PID 3584 wrote to memory of 5108	3584	update.exe	135
PID 5108 wrote to memory of 1592	5108	cmd.exe	138
PID 5108 wrote to memory of 1592	5108	cmd.exe	138
PID 1004 wrote to memory of 2476	1004	cmd.exe	139
PID 1004 wrote to memory of 2476	1004	cmd.exe	139

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
3336	attrib.exe

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	update.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	update.exe

C:\Users\Admin\AppData\Local\Temp\Shellbag anylizer.exe
"C:\Users\Admin\AppData\Local\Temp\Shellbag anylizer.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3032
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "update" /tr '"C:\Users\Admin\AppData\Roaming\update.exe"' & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1152
- - C:\Windows\system32\schtasks.exe
    schtasks /create /f /sc onlogon /rl highest /tn "update" /tr '"C:\Users\Admin\AppData\Roaming\update.exe"'
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:1936
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp8136.tmp.bat""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4940
- - C:\Windows\system32\timeout.exe
    timeout 3
    3⤵
    - Delays execution with timeout.exe
    PID:2024
- - C:\Users\Admin\AppData\Roaming\update.exe
    "C:\Users\Admin\AppData\Roaming\update.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Accesses Microsoft Outlook profiles
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - outlook_office_path
    - outlook_win_path
    PID:3584
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
      4⤵
      System Network Configuration Discovery: Wi-Fi Discovery
      Suspicious use of WriteProcessMemory
      PID:2816
    - - C:\Windows\system32\chcp.com
        
        chcp 65001
        5⤵
        
        PID:4320
    - - C:\Windows\system32\netsh.exe
        
        netsh wlan show profile
        5⤵
        Event Triggered Execution: Netsh Helper DLL
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:4480
    - - C:\Windows\system32\findstr.exe
        
        findstr All
        5⤵
        
        PID:1408
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1980
    - - C:\Windows\system32\chcp.com
        
        chcp 65001
        5⤵
        
        PID:3864
    - - C:\Windows\system32\netsh.exe
        
        netsh wlan show networks mode=bssid
        5⤵
        Event Triggered Execution: Netsh Helper DLL
        
        PID:4188
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c start /b powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\stealler.exe"' & exit
      4⤵
      Suspicious use of WriteProcessMemory
      PID:900
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\stealler.exe"'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4528
      - C:\Users\Admin\AppData\Local\Temp\stealler.exe
        
        "C:\Users\Admin\AppData\Local\Temp\stealler.exe"
        6⤵
        Drops file in Drivers directory
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3528
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        7⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1428
        
        C:\Windows\SYSTEM32\attrib.exe
        
        "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\stealler.exe"
        7⤵
        Views/modifies file attributes
        
        PID:3336
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\stealler.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2084
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1672
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4664
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        7⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3648
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" os get Caption
        7⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2816
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" computersystem get totalphysicalmemory
        7⤵
        
        PID:2284
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        7⤵
        
        PID:3280
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:4836
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic" path win32_VideoController get name
        7⤵
        Detects videocard installed
        
        PID:1396
        
        C:\Windows\SYSTEM32\cmd.exe
        
        "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\stealler.exe" && pause
        7⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4052
        
        C:\Windows\system32\PING.EXE
        
        ping localhost
        8⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3884
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c schtasks /delete /f /tn "update"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1004
    - - C:\Windows\system32\schtasks.exe
        
        schtasks /delete /f /tn "update"
        5⤵
        
        PID:2476
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpC2CE.tmp.bat""
      4⤵
      Suspicious use of WriteProcessMemory
      PID:5108
    - - C:\Windows\system32\timeout.exe
        
        timeout 3
        5⤵
        Delays execution with timeout.exe
        
        PID:1592

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Wi-Fi Discovery

T1016.002

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\7ba86534f3f85154d4d7b73717663638\Admin@ODZKDRGV_en-US\System\Process.txt

Filesize
4KB

MD5
8d7e4c73779fb802f31880ec456b8148

SHA1
93075f70f755341782003aa30cb00d853d50e569

SHA256
2b6a6ac2a3fa8360c176c05fb4fc09ad34fbec4146e537cc14399d755318f397

SHA512
1a658c3f6b7e38a876b4aef0a667bc037b2a929252b53fbfb56deb6e4c4609f4458f06ea44bbfbc9f69977e600b4286ec1ae8322cfecd8b30571f497293cbed2

Download Submit
C:\Users\Admin\AppData\Local\7ba86534f3f85154d4d7b73717663638\Admin@ODZKDRGV_en-US\System\Process.txt

Filesize
3KB

MD5
4afc9e89504058e0cf3d7eeb907f2d82

SHA1
99cfab23e19dcf8d527e1b5002b3ebb55848cb44

SHA256
2e1f66889aa980e6c93f711f569e6bf105a8239e607145868dd34f77c717fd40

SHA512
4573a4868863e86a80478fe97107e17543a196592e467a9402f8521df169229b51830beb77807a4af7f8d84e9a2cec6eeaafe9dc07aa9b768fff59b20d83dd2e

Download Submit
C:\Users\Admin\AppData\Local\7ba86534f3f85154d4d7b73717663638\msgid.dat

Filesize
1B

MD5
cfcd208495d565ef66e7dff9f98764da

SHA1
b6589fc6ab0dc82cf12099d1c2d40ab994e8410c

SHA256
5feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9

SHA512
31bca02094eb78126a517b206a88c73cfa9ec6f704c7030d18212cace820f025f00bf0ea68dbf3f3a5436ca63b53bf7bf80ad8d5de7d8359d0b7fed9dbc3ab99

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
6cf293cb4d80be23433eecf74ddb5503

SHA1
24fe4752df102c2ef492954d6b046cb5512ad408

SHA256
b1f292b6199aa29c7fafbca007e5f9e3f68edcbbca1965bc828cc92dc0f18bb8

SHA512
0f91e2da0da8794b9797c7b50eb5dfd27bde4546ceb6902a776664ce887dd6f12a0dd8773d612ccc76dfd029cd280778a0f0ae17ce679b3d2ffd968dd7e94a00

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
d8b9a260789a22d72263ef3bb119108c

SHA1
376a9bd48726f422679f2cd65003442c0b6f6dd5

SHA256
d69d47e428298f194850d14c3ce375e7926128a0bfb62c1e75940ab206f8fddc

SHA512
550314fab1e363851a7543c989996a440d95f7c9db9695cce5abaad64523f377f48790aa091d66368f50f941179440b1fa94448289ee514d5b5a2f4fe6225e9b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
96ff1ee586a153b4e7ce8661cabc0442

SHA1
140d4ff1840cb40601489f3826954386af612136

SHA256
0673399a2f37c89d455e8658c4d30b9248bff1ea47ba40957588e2bc862976e8

SHA512
3404370d0edb4ead4874ce68525dc9bcbc6008003682646e331bf43a06a24a467ace7eff5be701a822d74c7e065d0f6a0ba0e3d6bc505d34d0189373dcacb569

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
948B

MD5
28ef595a6cc9f47b8eccb22d4ed50d6c

SHA1
4335de707324b15eba79017938c3da2752d3eea5

SHA256
3abd14d4fe7b5697b2fa84993e7183f4fd2580be5b4e5150da15ddda5a9560b9

SHA512
687b7849faa62a4dabc240b573afa163f0cda9a80be61cebe28ef1461777744d73b465ac92d065093228068540846e79c899445057f5b906f9b9fa9868132208

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
548dd08570d121a65e82abb7171cae1c

SHA1
1a1b5084b3a78f3acd0d811cc79dbcac121217ab

SHA256
cdf17b8532ebcebac3cfe23954a30aa32edd268d040da79c82687e4ccb044adc

SHA512
37b98b09178b51eec9599af90d027d2f1028202efc1633047e16e41f1a95610984af5620baac07db085ccfcb96942aafffad17aa1f44f63233e83869dc9f697b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
ca58d1913d3261f116a299095e04f734

SHA1
941d13d0c8c65adb6513f23991acfa0d62facdea

SHA256
755daf72f2f5e983abb009c3b1eef4c7c660999f5ff581545bbcae7088c17c69

SHA512
87b0d8c9a5348235e9ad6416e09665764db1af408bf763857dc40e39411fa0cf405e3e8b9f0b8540c72aa874059d1dee865aa0cff8dba0fde5779ec9480b5e40

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_hyvu44p4.ws4.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\stealler.exe

Filesize
231KB

MD5
ad7b2d43b3bb31abcd96f16cca3d8c26

SHA1
3f9dc2e9ed7259235d590c89f83441478c2f8a44

SHA256
9e0af1a13a732a3e857ab6a12f3faa92a78566647a75354564685e44c80e2c67

SHA512
83065e97dab577a15fd8a8411196f03acd998db0a14b0b2003c9317094b258b40e209a68c7093ac3f726387989aa85c1a0103f87d637880d38afaff1a719843b

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp8136.tmp.bat

Filesize
150B

MD5
5dd6ec3d17c701817be254dbbd713cf9

SHA1
5fdd009a25a54c4f850cdb100be24ebdbe9db4c7

SHA256
01ed12e62909ad7510d93b129677f52fe38c8013967524a8d2b18368eab64e54

SHA512
89ca250fb843bf129bcbd8aa72af2e88f987b1993f3cd077b44df7a1def474a9d6e2a99d2b2c0f64476e5cabd9b6c042816c8ba2a3d4eb6c472fe934da3a196f

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpC2CE.tmp.bat

Filesize
155B

MD5
6d5b11db1ec1c09cde895869b6c80a0f

SHA1
bf4227220ebceeee42de7ee37e1653a27f3c51de

SHA256
c5de5b284a7cd58db83d1c6f77e7f80b1eec67346644b9fe5eb2b8ca983902f4

SHA512
0f13aa75b4071065cbb2582dd1c1e673027dcc58bed94aec83d1caec32d214cabbb3d4b2b820e10ba06dfcad4c32a396c8812b9d29a1b316aae6545bdbaf6d15

Download Submit
C:\Users\Admin\AppData\Roaming\MyData\DataLogs.conf

Filesize
8B

MD5
cf759e4c5f14fe3eec41b87ed756cea8

SHA1
c27c796bb3c2fac929359563676f4ba1ffada1f5

SHA256
c9f9f193409217f73cc976ad078c6f8bf65d3aabcf5fad3e5a47536d47aa6761

SHA512
c7f832aee13a5eb36d145f35d4464374a9e12fa2017f3c2257442d67483b35a55eccae7f7729243350125b37033e075efbc2303839fd86b81b9b4dca3626953b

Download Submit
C:\Users\Admin\AppData\Roaming\update.exe

Filesize
247KB

MD5
851269fc86de5d91e5f2db1b2b34cb6e

SHA1
6103dab45c98bddef65b6eed235a60159d458526

SHA256
0b7987bd9f7cbee60c4c809f22ecda6f314a0366f0704ed474626ac5f7af3521

SHA512
c01c7d2ec52d55ece6f88eeb9c5ecf260ef9b59fd3f08ad42e4ed582b24bd482fcfd334375177b032564f567af6d195f7627249abe1e428f52f6c2806783acfc

Download Submit
memory/3032-0-0x00007FFC001D3000-0x00007FFC001D5000-memory.dmp

Filesize
8KB

Download
memory/3032-8-0x00007FFC001D0000-0x00007FFC00C91000-memory.dmp

Filesize
10.8MB

Download
memory/3032-3-0x00007FFC001D0000-0x00007FFC00C91000-memory.dmp

Filesize
10.8MB

Download
memory/3032-1-0x00000000005A0000-0x00000000005E4000-memory.dmp

Filesize
272KB

Download
memory/3528-255-0x000001776FD50000-0x000001776FD5A000-memory.dmp

Filesize
40KB

Download
memory/3528-219-0x0000017770800000-0x0000017770850000-memory.dmp

Filesize
320KB

Download
memory/3528-256-0x00000177705B0000-0x00000177705C2000-memory.dmp

Filesize
72KB

Download
memory/3528-193-0x000001776DFA0000-0x000001776DFE0000-memory.dmp

Filesize
256KB

Download
memory/3584-15-0x0000000002AA0000-0x0000000002AB0000-memory.dmp

Filesize
64KB

Download
memory/3584-178-0x00000000011C0000-0x00000000011CE000-memory.dmp

Filesize
56KB

Download
memory/3584-170-0x000000001CBD0000-0x000000001CBF2000-memory.dmp

Filesize
136KB

Download
memory/3584-169-0x000000001D2A0000-0x000000001D324000-memory.dmp

Filesize
528KB

Download
memory/3584-126-0x0000000001020000-0x000000000109A000-memory.dmp

Filesize
488KB

Download
memory/3584-18-0x000000001B6A0000-0x000000001B6AA000-memory.dmp

Filesize
40KB

Download
memory/3584-17-0x000000001C9A0000-0x000000001CAD4000-memory.dmp

Filesize
1.2MB

Download
memory/3584-16-0x0000000002BA0000-0x0000000002BBE000-memory.dmp

Filesize
120KB

Download
memory/3584-274-0x000000001CAD0000-0x000000001CB36000-memory.dmp

Filesize
408KB

Download
memory/3584-14-0x000000001CC20000-0x000000001CC96000-memory.dmp

Filesize
472KB

Download