asyncrat | 0b7987bd9f7cbee60c4c809f22ecda6f314a0366f0704ed474626ac5f7af3521

Resubmissions

08-08-2024 08:56

240808-kv41havgjh 10

08-08-2024 08:55

240808-kvncravgjb 10

08-08-2024 08:48

240808-kqyypavfpg 10

Analysis

max time kernel
124s
max time network
122s
platform
windows11-21h2_x64
resource
win11-20240802-en
resource tags

arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
submitted
08-08-2024 08:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Shellbag anylizer.exe
Size

247KB
MD5

851269fc86de5d91e5f2db1b2b34cb6e
SHA1

6103dab45c98bddef65b6eed235a60159d458526
SHA256

0b7987bd9f7cbee60c4c809f22ecda6f314a0366f0704ed474626ac5f7af3521
SHA512

c01c7d2ec52d55ece6f88eeb9c5ecf260ef9b59fd3f08ad42e4ed582b24bd482fcfd334375177b032564f567af6d195f7627249abe1e428f52f6c2806783acfc
SSDEEP

6144:/bwmPMVWrVbVPwF9kfK8rpClz0KBb6o589GHWHWujiSPbp:/bw8n5gBuj/PV

Score

10^/10

asyncrat default discovery persistence privilege_escalation rat

Malware Config

Extracted

Family

asyncrat

Version

Venom RAT + HVNC + Stealer + Grabber v6.0.3

Botnet

Default

Mutex

zedtklncvg

Attributes

delay
1
install
true
install_file
update.exe
install_folder
%AppData%
pastebin_config
https://pastebin.com/raw/f2T8NYnM

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat

Async RAT payload 1 IoCs

rat

resource	yara_rule
behavioral1/files/0x000200000002aa9d-12.dat	family_asyncrat

Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
persistence privilege_escalation

Component Object Model Hijacking
T1546.015

Executes dropped EXE 1 IoCs

pid	Process
2208	update.exe

Modifies system executable filetype association 2 TTPs 2 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000_Classes\lnkfile\shellex\ContextMenuHandlers\ FileSyncEx\ = "{CB3D0F55-BC2C-4C1A-85ED-23ED75B5106B}"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000_Classes\lnkfile\shellex\ContextMenuHandlers\ FileSyncEx	OneDrive.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 8 IoCs

Web Service

T1102

flow	ioc
24	pastebin.com
32	pastebin.com
1	pastebin.com
7	pastebin.com
11	pastebin.com
13	pastebin.com
14	pastebin.com
19	pastebin.com

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Panther\UnattendGC\setupact.log	UserOOBEBroker.exe
File opened for modification	C:\Windows\Panther\UnattendGC\setuperr.log	UserOOBEBroker.exe
File opened for modification	C:\Windows\Panther\UnattendGC\diagerr.xml	UserOOBEBroker.exe
File opened for modification	C:\Windows\Panther\UnattendGC\diagwrn.xml	UserOOBEBroker.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	OneDrive.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FileCoAuth.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	OneDrive.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	OneDrive.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
3192	timeout.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	OneDrive.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\OneDrive.exe = "11000"	OneDrive.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000_Classes\WOW6432Node\CLSID\{6bb93b4e-44d8-40e2-bd97-42dbcf18a40f}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe /cci"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000_Classes\WOW6432Node\Interface\{5D5DD08F-A10E-4FEF-BCA7-E73E666FC66C}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000_Classes\WOW6432Node\Interface\{22A68885-0FD9-42F6-9DED-4FB174DC7344}\TypeLib\ = "{BAE13F6C-0E2A-4DEB-AA46-B8F55319347C}"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000_Classes\WOW6432Node\CLSID\{7AFDFDDB-F914-11E4-8377-6C3BE50D980C}	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000_Classes\WOW6432Node\Interface\{1b7aed4f-fcaf-4da4-8795-c03e635d8edc}	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000_Classes\WOW6432Node\Interface\{2F12C599-7AA5-407A-B898-09E6E4ED2D1E}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000_Classes\CLSID\{F241C880-6982-4CE5-8CF7-7085BA96DA5A}\InprocServer32\ThreadingModel = "Apartment"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000_Classes\Interface\{1b7aed4f-fcaf-4da4-8795-c03e635d8edc}\TypeLib\ = "{BAE13F6C-0E2A-4DEB-AA46-B8F55319347C}"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000_Classes\Interface\{385ED83D-B50C-4580-B2C3-9E64DBE7F511}\ = "IItemActivityCallback"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000_Classes\WOW6432Node\Interface\{2387C6BD-9A36-41A2-88ED-FF731E529384}\ProxyStubClsid32	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000_Classes\CLSID\{4410DC33-BC7C-496B-AA84-4AEA3EEE75F7}\InProcServer32\ThreadingModel = "Both"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000_Classes\FileSyncClient.AutoPlayHandler\ = "FileSyncClient AutoPlayHandler Class"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000_Classes\Interface\{0299ECA9-80B6-43C8-A79A-FB1C5F19E7D8}\ = "IFileSyncClient3"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000_Classes\WOW6432Node\Interface\{2692D1F2-2C7C-4AE0-8E73-8F37736C912D}\ProxyStubClsid32	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000_Classes\Interface\{F062BA81-ADFE-4A92-886A-23FD851D6406}	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000_Classes\Interface\{2F12C599-7AA5-407A-B898-09E6E4ED2D1E}\TypeLib\Version = "1.0"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000_Classes\WOW6432Node\CLSID\{82CA8DE3-01AD-4CEA-9D75-BE4C51810A9E}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\FileSyncShell.dll"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000_Classes\WOW6432Node\CLSID\{021E4F06-9DCC-49AD-88CF-ECC2DA314C8A}\LocalServer32	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000_Classes\Interface\{6A821279-AB49-48F8-9A27-F6C59B4FF024}\ProxyStubClsid32	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000_Classes\SyncEngineStorageProviderHandlerProxy.SyncEngineStorageProviderHandlerProxy\ = "SyncEngineStorageProviderHandlerProxy Class"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000_Classes\Interface\{10C9242E-D604-49B5-99E4-BF87945EF86C}	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000_Classes\WOW6432Node\Interface\{D0ED5C72-6197-4AAD-9B16-53FE461DD85C}	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000_Classes\WOW6432Node\Interface\{8B9F14F4-9559-4A3F-B7D0-312E992B6D98}\ = "IGetSelectiveSyncInformationCallback"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000_Classes\WOW6432Node\Interface\{390AF5A7-1390-4255-9BC9-935BFCFA5D57}\TypeLib\Version = "1.0"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000_Classes\SyncEngineFileInfoProvider.SyncEngineFileInfoProvider\ = "SyncEngineFileInfoProvider Class"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000_Classes\WOW6432Node\Interface\{0776ae27-5ab9-4e18-9063-1836da63117a}	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000_Classes\Interface\{c1439245-96b4-47fc-b391-679386c5d40f}	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000_Classes\CLSID\{389510b7-9e58-40d7-98bf-60b911cb0ea9}\ProgID\ = "FileSyncCustomStatesProvider.FileSyncCustomStatesProvider.1"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000_Classes\CLSID\{9489FEB2-1925-4D01-B788-6D912C70F7F2}	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000_Classes\Interface\{869BDA08-7ACF-42B8-91AE-4D8D597C0B33}\TypeLib\Version = "1.0"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000_Classes\WOW6432Node\Interface\{0299ECA9-80B6-43C8-A79A-FB1C5F19E7D8}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000_Classes\Interface\{390AF5A7-1390-4255-9BC9-935BFCFA5D57}\TypeLib\ = "{BAE13F6C-0E2A-4DEB-AA46-B8F55319347C}"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000_Classes\WOW6432Node\Interface\{f0440f4e-4884-4a8F-8a45-ba89c00f96f2}	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000_Classes\WOW6432Node\Interface\{fac14b75-7862-4ceb-be41-f53945a61c17}\TypeLib	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000_Classes\WOW6432Node\Interface\{4410DC33-BC7C-496B-AA84-4AEA3EEE75F7}\ProxyStubClsid32	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000_Classes\TypeLib\{BAE13F6C-0E2A-4DEB-AA46-B8F55319347C}\1.0\ = "SyncEngine Type Library"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000_Classes\CLSID\{94269C4E-071A-4116-90E6-52E557067E4E}\LocalServer32	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000_Classes\WOW6432Node\CLSID\{5999E1EE-711E-48D2-9884-851A709F543D}\ProgID	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000_Classes\TypeLib\{909A6CCD-6810-46C4-89DF-05BE7EB61E6C}\1.0\0\win32	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000_Classes\Interface\{390AF5A7-1390-4255-9BC9-935BFCFA5D57}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000_Classes\Interface\{944903E8-B03F-43A0-8341-872200D2DA9C}\ = "ICheckFileHashCallback"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000_Classes\SyncEngineCOMServer.SyncEngineCOMServer\CLSID	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000_Classes\TypeLib\{638805C3-4BA3-4AC8-8AAC-71A0BA2BC284}\1.0	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000_Classes\CLSID\{5AB7172C-9C11-405C-8DD5-AF20F3606282}	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000_Classes\WOW6432Node\CLSID\{A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E}\InprocServer32	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000_Classes\WOW6432Node\CLSID\{389510b7-9e58-40d7-98bf-60b911cb0ea9}\ProgID\ = "FileSyncCustomStatesProvider.FileSyncCustomStatesProvider.1"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000_Classes\WOW6432Node\CLSID\{7B37E4E2-C62F-4914-9620-8FB5062718CC}\TypeLib\ = "{909A6CCD-6810-46C4-89DF-05BE7EB61E6C}"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000_Classes\WOW6432Node\Interface\{da82e55e-fa2f-45b3-aec3-e7294106ef52}\TypeLib\Version = "1.0"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000_Classes\Interface\{9E1CD0DF-72E7-4284-9598-342C0A46F96B}\TypeLib	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000_Classes\CLSID\{94269C4E-071A-4116-90E6-52E557067E4E}\ProgID\ = "OOBERequestHandler.OOBERequestHandler.1"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000_Classes\WOW6432Node\Interface\{049FED7E-C3EA-4B66-9D92-10E8085D60FB}\ProxyStubClsid32	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000_Classes\Interface\{B05D37A9-03A2-45CF-8850-F660DF0CBF07}	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000_Classes\WOW6432Node\Interface\{C2FE84F5-E036-4A07-950C-9BFD3EAB983A}\TypeLib	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000_Classes\Interface\{31508CC7-9BC7-494B-9D0F-7B1C7F144182}\ProxyStubClsid32	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000_Classes\CLSID\{389510b7-9e58-40d7-98bf-60b911cb0ea9}	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000_Classes\WOW6432Node\Interface\{9D613F8A-B30E-4938-8490-CB5677701EBF}\TypeLib	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000_Classes\WOW6432Node\Interface\{d8c80ebb-099c-4208-afa3-fbc4d11f8a3c}\TypeLib\Version = "1.0"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000_Classes\Interface\{9E1CD0DF-72E7-4284-9598-342C0A46F96B}	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000_Classes\WOW6432Node\CLSID\{CB3D0F55-BC2C-4C1A-85ED-23ED75B5106B}\InprocServer32\ThreadingModel = "Apartment"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000_Classes\CLSID\{A926714B-7BFC-4D08-A035-80021395FFA8}\ = "FileSyncOutOfProcServices Class"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000_Classes\WOW6432Node\CLSID\{2e7c0a19-0438-41e9-81e3-3ad3d64f55ba}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe /cci /client=Personal"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000_Classes\WOW6432Node\Interface\{79A2A54C-3916-41FD-9FAB-F26ED0BBA755}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000_Classes\WOW6432Node\Interface\{0f872661-c863-47a4-863f-c065c182858a}\ = "IFileSyncClient4"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000_Classes\WOW6432Node\Interface\{f0440f4e-4884-4a8F-8a45-ba89c00f96f2}\ProxyStubClsid32	OneDrive.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2564	schtasks.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
4836	OneDrive.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4448	Shellbag anylizer.exe
4448	Shellbag anylizer.exe
4448	Shellbag anylizer.exe
4448	Shellbag anylizer.exe
4448	Shellbag anylizer.exe
4448	Shellbag anylizer.exe
4448	Shellbag anylizer.exe
4448	Shellbag anylizer.exe
4448	Shellbag anylizer.exe
4448	Shellbag anylizer.exe
4448	Shellbag anylizer.exe
4448	Shellbag anylizer.exe
4448	Shellbag anylizer.exe
4448	Shellbag anylizer.exe
4448	Shellbag anylizer.exe
4448	Shellbag anylizer.exe
4448	Shellbag anylizer.exe
4448	Shellbag anylizer.exe
4448	Shellbag anylizer.exe
2208	update.exe
2208	update.exe
4836	OneDrive.exe
4836	OneDrive.exe
2208	update.exe
2208	update.exe
2208	update.exe
2208	update.exe
2208	update.exe
2208	update.exe
2208	update.exe
2208	update.exe
2208	update.exe
2208	update.exe
2208	update.exe
2208	update.exe
2208	update.exe
2208	update.exe
2208	update.exe
2208	update.exe
2208	update.exe
2208	update.exe
2208	update.exe
2208	update.exe
2208	update.exe
2208	update.exe
2208	update.exe
2208	update.exe
2208	update.exe
2208	update.exe
2208	update.exe
2208	update.exe
2208	update.exe
2208	update.exe
2208	update.exe
2208	update.exe
2208	update.exe
2208	update.exe
2208	update.exe
2208	update.exe
2208	update.exe
2208	update.exe
2208	update.exe
2208	update.exe
2208	update.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeDebugPrivilege	4448	Shellbag anylizer.exe
Token: SeDebugPrivilege	4448	Shellbag anylizer.exe
Token: SeDebugPrivilege	2208	update.exe
Token: SeDebugPrivilege	2208	update.exe
Token: SeDebugPrivilege	1640	Shellbag anylizer.exe
Token: SeDebugPrivilege	3732	Shellbag anylizer.exe
Token: SeDebugPrivilege	4880	Shellbag anylizer.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
4836	OneDrive.exe
4836	OneDrive.exe
4836	OneDrive.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
4836	OneDrive.exe
4836	OneDrive.exe
4836	OneDrive.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2208	update.exe
4836	OneDrive.exe
1064	MiniSearchHost.exe
2580	OpenWith.exe
4576	OpenWith.exe
4648	OpenWith.exe

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 4448 wrote to memory of 1348	4448	Shellbag anylizer.exe	83
PID 4448 wrote to memory of 1348	4448	Shellbag anylizer.exe	83
PID 4448 wrote to memory of 716	4448	Shellbag anylizer.exe	85
PID 4448 wrote to memory of 716	4448	Shellbag anylizer.exe	85
PID 1348 wrote to memory of 2564	1348	cmd.exe	87
PID 1348 wrote to memory of 2564	1348	cmd.exe	87
PID 716 wrote to memory of 3192	716	cmd.exe	88
PID 716 wrote to memory of 3192	716	cmd.exe	88
PID 716 wrote to memory of 2208	716	cmd.exe	89
PID 716 wrote to memory of 2208	716	cmd.exe	89

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Shellbag anylizer.exe
"C:\Users\Admin\AppData\Local\Temp\Shellbag anylizer.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4448
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "update" /tr '"C:\Users\Admin\AppData\Roaming\update.exe"' & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1348
- - C:\Windows\system32\schtasks.exe
    schtasks /create /f /sc onlogon /rl highest /tn "update" /tr '"C:\Users\Admin\AppData\Roaming\update.exe"'
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2564
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpC0A0.tmp.bat""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:716
- - C:\Windows\system32\timeout.exe
    timeout 3
    3⤵
    - Delays execution with timeout.exe
    PID:3192
- - C:\Users\Admin\AppData\Roaming\update.exe
    "C:\Users\Admin\AppData\Roaming\update.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:2208

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe
"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe"
1⤵
- Modifies system executable filetype association
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:4836

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1148

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:1064

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
1⤵
PID:2800

C:\Windows\System32\oobe\UserOOBEBroker.exe
C:\Windows\System32\oobe\UserOOBEBroker.exe -Embedding
1⤵
- Drops file in Windows directory
PID:1028

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe -Embedding
1⤵
- System Location Discovery: System Language Discovery
PID:2220

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:2580

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:4576

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:4648

C:\Users\Admin\Desktop\Shellbag anylizer.exe
"C:\Users\Admin\Desktop\Shellbag anylizer.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1640

C:\Users\Admin\Desktop\Shellbag anylizer.exe
"C:\Users\Admin\Desktop\Shellbag anylizer.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3732

C:\Users\Admin\Desktop\Shellbag anylizer.exe
"C:\Users\Admin\Desktop\Shellbag anylizer.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4880

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Component Object Model Hijacking

T1546.015

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Component Object Model Hijacking

T1546.015

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Shellbag anylizer.exe.log

Filesize
1KB

MD5
b4e91d2e5f40d5e2586a86cf3bb4df24

SHA1
31920b3a41aa4400d4a0230a7622848789b38672

SHA256
5d8af3c7519874ed42a0d74ee559ae30d9cc6930aef213079347e2b47092c210

SHA512
968751b79a98961f145de48d425ea820fd1875bae79a725adf35fc8f4706c103ee0c7babd4838166d8a0dda9fbce3728c0265a04c4b37f335ec4eaa110a2b319

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat

Filesize
10KB

MD5
c3e08121cabb9380e3d50cadde97d53a

SHA1
0e666954e83e97e3883e52092fe2be88a520e8f8

SHA256
76e1d3ab7320c4b863adb091b5b77205d81e13eafb539a18ebe3d8ea46b29433

SHA512
9a6ef7710781d2f3a1f873129b21990548c1b275720080d87fe4051b464b0aef4ad8625656c388a65163563c6fb2086c29c01ba5f518c5b9679e7227fcc7941f

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpC0A0.tmp.bat

Filesize
150B

MD5
192400e285af778c5948a96f977215fa

SHA1
e47e2fa56f793a0eb3a78d54de4ac439fafe2cb8

SHA256
ba8ffc2f20a33ff8f26fcbd5643fa04863847566cc29f82701ff36f5bc363c95

SHA512
59d8077e10fc9070816586bf463ed0ff85053cfcf514cf2fb0ca0fa33b3ceb7f1067d5e7da7401e97fc236645378f2f263fe09a1ba65797c9b2464f9576834ce

Download Submit
C:\Users\Admin\AppData\Roaming\MyData\DataLogs.conf

Filesize
8B

MD5
cf759e4c5f14fe3eec41b87ed756cea8

SHA1
c27c796bb3c2fac929359563676f4ba1ffada1f5

SHA256
c9f9f193409217f73cc976ad078c6f8bf65d3aabcf5fad3e5a47536d47aa6761

SHA512
c7f832aee13a5eb36d145f35d4464374a9e12fa2017f3c2257442d67483b35a55eccae7f7729243350125b37033e075efbc2303839fd86b81b9b4dca3626953b

Download Submit
C:\Users\Admin\AppData\Roaming\update.exe

Filesize
247KB

MD5
851269fc86de5d91e5f2db1b2b34cb6e

SHA1
6103dab45c98bddef65b6eed235a60159d458526

SHA256
0b7987bd9f7cbee60c4c809f22ecda6f314a0366f0704ed474626ac5f7af3521

SHA512
c01c7d2ec52d55ece6f88eeb9c5ecf260ef9b59fd3f08ad42e4ed582b24bd482fcfd334375177b032564f567af6d195f7627249abe1e428f52f6c2806783acfc

Download Submit
memory/4448-0-0x00007FFD38193000-0x00007FFD38195000-memory.dmp

Filesize
8KB

Download
memory/4448-1-0x0000000000430000-0x0000000000474000-memory.dmp

Filesize
272KB

Download
memory/4448-3-0x00007FFD38190000-0x00007FFD38C52000-memory.dmp

Filesize
10.8MB

Download
memory/4448-4-0x00007FFD38190000-0x00007FFD38C52000-memory.dmp

Filesize
10.8MB

Download
memory/4448-9-0x00007FFD38190000-0x00007FFD38C52000-memory.dmp

Filesize
10.8MB

Download