asyncrat | f0033f3778e39a3be78d3938a73c5e02301a85d138e2e4e3ec41be55996ceaa6

Analysis

max time kernel
150s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
21-08-2024 05:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f0033f3778e39a3be78d3938a73c5e02301a85d138e2e.exe
Size

47KB
MD5

27058f6c310e29963251df57e752456a
SHA1

747b0923209199b7e430e1a6896e9304eae02707
SHA256

f0033f3778e39a3be78d3938a73c5e02301a85d138e2e4e3ec41be55996ceaa6
SHA512

d6a9317d28580ada68c927bb7d0aa69a91e5868bdfa6dfb79f37fe9284e55ff35a96b10b69a2d342d5b8a5cb6019e31e17643460458e0f070084918266148eb2
SSDEEP

768:MuwpFTAY3IQWUe9jqmo2qLvJ/wzHGb4rQPIapEreM0brbS1rWFspBZz4w114G9eB:MuwpFTA4/2sGzrVapfbvSNWFybsw19Ns

Score

10^/10

asyncrat redline default diamotrix credential_access discovery execution infostealer persistence rat spyware stealer

Malware Config

Extracted

Family

asyncrat

Version

0.5.8

Botnet

Default

176.111.174.140:6606

176.111.174.140:7707

176.111.174.140:8808

Mutex

Hp6kvaq9BCyI

Attributes

delay
3
install
true
install_file
svchost.exe
install_folder
%AppData%

aes.plain

Extracted

Family

redline

Botnet

diamotrix

176.111.174.140:1912

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

resource	yara_rule
behavioral2/files/0x00070000000233ba-129.dat	family_redline
behavioral2/memory/1664-136-0x0000000000DC0000-0x0000000000E12000-memory.dmp	family_redline

Async RAT payload 1 IoCs

rat

resource	yara_rule
behavioral2/files/0x000a0000000232e4-11.dat	family_asyncrat

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003
Downloads MZ/PE file

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	relog.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	f0033f3778e39a3be78d3938a73c5e02301a85d138e2e.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	svchost.exe

Executes dropped EXE 4 IoCs

pid	Process
3576	svchost.exe
5024	fpsgis.exe
3328	6201.tmp.nikmok1.exe
1664	6454.tmp.nikmok2.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Service_{5BFB9598D20C2827686991} = "C:\\Users\\Admin\\AppData\\Roaming\\{5BFB9598D20C2827686991}\\Service_{5BFB9598D20C2827686991}.exe"	relog.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Users\\Admin\\AppData\\Roaming\\{5BFB9598D20C2827686991}\\{5BFB9598D20C2827686991}.exe"	fpsgis.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Service_Adobe = "C:\\Users\\Admin\\AppData\\Roaming\\Adobe\\Service_Adobe.exe"	relog.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Service_Microsoft = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Service_Microsoft.exe"	relog.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Service_Mozilla = "C:\\Users\\Admin\\AppData\\Roaming\\Mozilla\\Service_Mozilla.exe"	relog.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Service_Sun = "C:\\Users\\Admin\\AppData\\Roaming\\Sun\\Service_Sun.exe"	relog.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Start PowerShell.

execution

PowerShell

T1059.001

pid	Process
4780	powershell.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 5024 set thread context of 4252	5024	fpsgis.exe	105

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 10 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6201.tmp.nikmok1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f0033f3778e39a3be78d3938a73c5e02301a85d138e2e.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6454.tmp.nikmok2.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
700	timeout.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 7 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2968	schtasks.exe
4852	schtasks.exe
1004	schtasks.exe
528	schtasks.exe
4080	schtasks.exe
4292	schtasks.exe
3372	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4816	f0033f3778e39a3be78d3938a73c5e02301a85d138e2e.exe
4816	f0033f3778e39a3be78d3938a73c5e02301a85d138e2e.exe
4816	f0033f3778e39a3be78d3938a73c5e02301a85d138e2e.exe
4816	f0033f3778e39a3be78d3938a73c5e02301a85d138e2e.exe
4816	f0033f3778e39a3be78d3938a73c5e02301a85d138e2e.exe
4816	f0033f3778e39a3be78d3938a73c5e02301a85d138e2e.exe
4816	f0033f3778e39a3be78d3938a73c5e02301a85d138e2e.exe
4816	f0033f3778e39a3be78d3938a73c5e02301a85d138e2e.exe
4816	f0033f3778e39a3be78d3938a73c5e02301a85d138e2e.exe
4816	f0033f3778e39a3be78d3938a73c5e02301a85d138e2e.exe
4816	f0033f3778e39a3be78d3938a73c5e02301a85d138e2e.exe
4816	f0033f3778e39a3be78d3938a73c5e02301a85d138e2e.exe
4816	f0033f3778e39a3be78d3938a73c5e02301a85d138e2e.exe
4816	f0033f3778e39a3be78d3938a73c5e02301a85d138e2e.exe
4816	f0033f3778e39a3be78d3938a73c5e02301a85d138e2e.exe
4816	f0033f3778e39a3be78d3938a73c5e02301a85d138e2e.exe
4816	f0033f3778e39a3be78d3938a73c5e02301a85d138e2e.exe
4816	f0033f3778e39a3be78d3938a73c5e02301a85d138e2e.exe
4816	f0033f3778e39a3be78d3938a73c5e02301a85d138e2e.exe
4816	f0033f3778e39a3be78d3938a73c5e02301a85d138e2e.exe
4816	f0033f3778e39a3be78d3938a73c5e02301a85d138e2e.exe
4780	powershell.exe
4780	powershell.exe
3576	svchost.exe
5024	fpsgis.exe
5024	fpsgis.exe
5024	fpsgis.exe
5024	fpsgis.exe
5024	fpsgis.exe
5024	fpsgis.exe
5024	fpsgis.exe
5024	fpsgis.exe
4252	relog.exe
4252	relog.exe
4252	relog.exe
4252	relog.exe
4252	relog.exe
4252	relog.exe
4252	relog.exe
4252	relog.exe
4252	relog.exe
4252	relog.exe
4252	relog.exe
4252	relog.exe
4252	relog.exe
4252	relog.exe
4252	relog.exe
4252	relog.exe
4252	relog.exe
4252	relog.exe
4252	relog.exe
4252	relog.exe
4252	relog.exe
4252	relog.exe
4252	relog.exe
4252	relog.exe
4252	relog.exe
4252	relog.exe
4252	relog.exe
4252	relog.exe
4252	relog.exe
4252	relog.exe
4252	relog.exe
4252	relog.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4816	f0033f3778e39a3be78d3938a73c5e02301a85d138e2e.exe
Token: SeDebugPrivilege	3576	svchost.exe
Token: SeDebugPrivilege	4780	powershell.exe
Token: SeIncreaseQuotaPrivilege	5024	fpsgis.exe
Token: SeSecurityPrivilege	5024	fpsgis.exe
Token: SeTakeOwnershipPrivilege	5024	fpsgis.exe
Token: SeLoadDriverPrivilege	5024	fpsgis.exe
Token: SeSystemProfilePrivilege	5024	fpsgis.exe
Token: SeSystemtimePrivilege	5024	fpsgis.exe
Token: SeProfSingleProcessPrivilege	5024	fpsgis.exe
Token: SeIncBasePriorityPrivilege	5024	fpsgis.exe
Token: SeCreatePagefilePrivilege	5024	fpsgis.exe
Token: SeBackupPrivilege	5024	fpsgis.exe
Token: SeRestorePrivilege	5024	fpsgis.exe
Token: SeShutdownPrivilege	5024	fpsgis.exe
Token: SeDebugPrivilege	5024	fpsgis.exe
Token: SeSystemEnvironmentPrivilege	5024	fpsgis.exe
Token: SeRemoteShutdownPrivilege	5024	fpsgis.exe
Token: SeUndockPrivilege	5024	fpsgis.exe
Token: SeManageVolumePrivilege	5024	fpsgis.exe
Token: 33	5024	fpsgis.exe
Token: 34	5024	fpsgis.exe
Token: 35	5024	fpsgis.exe
Token: 36	5024	fpsgis.exe
Token: SeDebugPrivilege	4252	relog.exe
Token: SeDebugPrivilege	4252	relog.exe
Token: SeDebugPrivilege	4252	relog.exe
Token: SeDebugPrivilege	4252	relog.exe
Token: SeDebugPrivilege	4252	relog.exe
Token: SeDebugPrivilege	4252	relog.exe
Token: SeDebugPrivilege	4252	relog.exe
Token: SeDebugPrivilege	4252	relog.exe
Token: SeDebugPrivilege	4252	relog.exe
Token: SeDebugPrivilege	4252	relog.exe
Token: SeDebugPrivilege	4252	relog.exe
Token: SeDebugPrivilege	4252	relog.exe
Token: SeDebugPrivilege	4252	relog.exe
Token: SeDebugPrivilege	4252	relog.exe
Token: SeDebugPrivilege	4252	relog.exe
Token: SeDebugPrivilege	4252	relog.exe
Token: SeDebugPrivilege	4252	relog.exe
Token: SeDebugPrivilege	4252	relog.exe
Token: SeDebugPrivilege	4252	relog.exe
Token: SeDebugPrivilege	4252	relog.exe
Token: SeDebugPrivilege	4252	relog.exe
Token: SeDebugPrivilege	4252	relog.exe
Token: SeDebugPrivilege	4252	relog.exe
Token: SeDebugPrivilege	4252	relog.exe
Token: SeDebugPrivilege	4252	relog.exe
Token: SeDebugPrivilege	4252	relog.exe
Token: SeDebugPrivilege	4252	relog.exe
Token: SeDebugPrivilege	4252	relog.exe
Token: SeDebugPrivilege	4252	relog.exe
Token: SeDebugPrivilege	4252	relog.exe
Token: SeDebugPrivilege	4252	relog.exe
Token: SeDebugPrivilege	4252	relog.exe
Token: SeDebugPrivilege	4252	relog.exe
Token: SeDebugPrivilege	4252	relog.exe
Token: SeDebugPrivilege	4252	relog.exe
Token: SeDebugPrivilege	4252	relog.exe
Token: SeDebugPrivilege	4252	relog.exe
Token: SeDebugPrivilege	4252	relog.exe
Token: SeDebugPrivilege	4252	relog.exe
Token: SeDebugPrivilege	4252	relog.exe

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
3396	Explorer.EXE

Suspicious use of WriteProcessMemory 46 IoCs

description	pid	Process	procid_target
PID 4816 wrote to memory of 1472	4816	f0033f3778e39a3be78d3938a73c5e02301a85d138e2e.exe	86
PID 4816 wrote to memory of 1472	4816	f0033f3778e39a3be78d3938a73c5e02301a85d138e2e.exe	86
PID 4816 wrote to memory of 1472	4816	f0033f3778e39a3be78d3938a73c5e02301a85d138e2e.exe	86
PID 4816 wrote to memory of 1636	4816	f0033f3778e39a3be78d3938a73c5e02301a85d138e2e.exe	88
PID 4816 wrote to memory of 1636	4816	f0033f3778e39a3be78d3938a73c5e02301a85d138e2e.exe	88
PID 4816 wrote to memory of 1636	4816	f0033f3778e39a3be78d3938a73c5e02301a85d138e2e.exe	88
PID 1636 wrote to memory of 700	1636	cmd.exe	90
PID 1636 wrote to memory of 700	1636	cmd.exe	90
PID 1636 wrote to memory of 700	1636	cmd.exe	90
PID 1472 wrote to memory of 4852	1472	cmd.exe	91
PID 1472 wrote to memory of 4852	1472	cmd.exe	91
PID 1472 wrote to memory of 4852	1472	cmd.exe	91
PID 1636 wrote to memory of 3576	1636	cmd.exe	92
PID 1636 wrote to memory of 3576	1636	cmd.exe	92
PID 1636 wrote to memory of 3576	1636	cmd.exe	92
PID 3576 wrote to memory of 640	3576	svchost.exe	98
PID 3576 wrote to memory of 640	3576	svchost.exe	98
PID 3576 wrote to memory of 640	3576	svchost.exe	98
PID 640 wrote to memory of 4780	640	cmd.exe	100
PID 640 wrote to memory of 4780	640	cmd.exe	100
PID 640 wrote to memory of 4780	640	cmd.exe	100
PID 4780 wrote to memory of 5024	4780	powershell.exe	102
PID 4780 wrote to memory of 5024	4780	powershell.exe	102
PID 5024 wrote to memory of 1004	5024	fpsgis.exe	103
PID 5024 wrote to memory of 1004	5024	fpsgis.exe	103
PID 5024 wrote to memory of 4252	5024	fpsgis.exe	105
PID 5024 wrote to memory of 4252	5024	fpsgis.exe	105
PID 5024 wrote to memory of 4252	5024	fpsgis.exe	105
PID 4252 wrote to memory of 528	4252	relog.exe	107
PID 4252 wrote to memory of 528	4252	relog.exe	107
PID 4252 wrote to memory of 4080	4252	relog.exe	109
PID 4252 wrote to memory of 4080	4252	relog.exe	109
PID 4252 wrote to memory of 4292	4252	relog.exe	111
PID 4252 wrote to memory of 4292	4252	relog.exe	111
PID 4252 wrote to memory of 3372	4252	relog.exe	113
PID 4252 wrote to memory of 3372	4252	relog.exe	113
PID 4252 wrote to memory of 2968	4252	relog.exe	115
PID 4252 wrote to memory of 2968	4252	relog.exe	115
PID 4252 wrote to memory of 3396	4252	relog.exe	56
PID 4252 wrote to memory of 3396	4252	relog.exe	56
PID 3396 wrote to memory of 3328	3396	Explorer.EXE	119
PID 3396 wrote to memory of 3328	3396	Explorer.EXE	119
PID 3396 wrote to memory of 3328	3396	Explorer.EXE	119
PID 3396 wrote to memory of 1664	3396	Explorer.EXE	120
PID 3396 wrote to memory of 1664	3396	Explorer.EXE	120
PID 3396 wrote to memory of 1664	3396	Explorer.EXE	120

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:3396
- C:\Users\Admin\AppData\Local\Temp\f0033f3778e39a3be78d3938a73c5e02301a85d138e2e.exe
  "C:\Users\Admin\AppData\Local\Temp\f0033f3778e39a3be78d3938a73c5e02301a85d138e2e.exe"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4816
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\AppData\Roaming\svchost.exe"' & exit
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1472
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\AppData\Roaming\svchost.exe"'
      4⤵
      System Location Discovery: System Language Discovery
      Scheduled Task/Job: Scheduled Task
      PID:4852
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpE55F.tmp.bat""
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1636
  - - C:\Windows\SysWOW64\timeout.exe
      timeout 3
      4⤵
      System Location Discovery: System Language Discovery
      Delays execution with timeout.exe
      PID:700
  - - C:\Users\Admin\AppData\Roaming\svchost.exe
      "C:\Users\Admin\AppData\Roaming\svchost.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3576
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c start /b powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\fpsgis.exe"' & exit
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:640
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\fpsgis.exe"'
        6⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4780
        
        C:\Users\Admin\AppData\Local\Temp\fpsgis.exe
        
        "C:\Users\Admin\AppData\Local\Temp\fpsgis.exe"
        7⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5024
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /create /tn "SystemServicesTools" /tr "C:\Users\Admin\AppData\Roaming\{5BFB9598D20C2827686991}\{5BFB9598D20C2827686991}.exe" /sc onstart /f
        8⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1004
        
        C:\Windows\system32\relog.exe
        
        C:\Windows\system32\relog.exe
        8⤵
        Drops file in Drivers directory
        Adds Run key to start application
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4252
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /tn "cDXD9ZOn7Z" /tr "C:\Users\Admin\AppData\Roaming\Adobe\Service_Adobe.exe" /sc onstart /f
        9⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:528
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /tn "g39LzOaauP" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Service_Microsoft.exe" /sc onstart /f
        9⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4080
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /tn "g39LzOaauP" /tr "C:\Users\Admin\AppData\Roaming\Mozilla\Service_Mozilla.exe" /sc onstart /f
        9⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4292
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /tn "g39LzOaauP" /tr "C:\Users\Admin\AppData\Roaming\Sun\Service_Sun.exe" /sc onstart /f
        9⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3372
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /tn "g39LzOaauP" /tr "C:\Users\Admin\AppData\Roaming\{5BFB9598D20C2827686991}\Service_{5BFB9598D20C2827686991}.exe" /sc onstart /f
        9⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2968
- C:\Users\Admin\AppData\Local\Temp\6201.tmp.nikmok1.exe
  "C:\Users\Admin\AppData\Local\Temp\6201.tmp.nikmok1.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3328
- C:\Users\Admin\AppData\Local\Temp\6454.tmp.nikmok2.exe
  "C:\Users\Admin\AppData\Local\Temp\6454.tmp.nikmok2.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1664

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\6454.tmp.nikmok2.exe

Filesize
300KB

MD5
8d14c4ba7260c61ecde30d97fd3c124a

SHA1
f60a7243a5160ff0dd60c37e1de43b81cead3549

SHA256
6985ec7f67fabd26633c991be04ce5f899224a56bb078ba186b4be21f9e4714d

SHA512
b068decea7ec68d2b4347493d9e4b8cc4fb0c3c5f5ecc2a52be6eb35d28e75d3de1636efe0b67cce825e8d08d3fb82d137b1d6eb1225662fb8c3dff9616dcc4c

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_udj5ngv5.zul.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\fpsgis.exe

Filesize
322KB

MD5
c1e4bbc07edcd498c3237c435a2479b8

SHA1
a5724a7cff16711d8c1a3071f39abe4df392d560

SHA256
410bbd43e9fe61cfd4dc8a903f016cb0b50e5efcd49cfba0bcc2a93fc9c50155

SHA512
56446325ae45aa7e6ae09a87e877263a7bba944732d6f791dc1cd65c1edbcaf3fc247a3f0abee887ea974526a9caeacd585ed2b8b3c4434ec187806998bbdea9

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpE55F.tmp.bat

Filesize
151B

MD5
9cc1a47af947ffb39386349145f81676

SHA1
c6f37f20df08b9036e46983baa9cb637f58e2c0e

SHA256
55884d6705642b537c397323b379f8f3fe27131b27898d26728b6b963c2ee5ed

SHA512
c955d90feb3ee9c26afb71504cc424540154a0de9c7692a9e067f36f9a0f2992d82e7a6218152032d349c07c3beef0f487e5ce344ce61101fba1832eee419805

Download Submit
C:\Users\Admin\AppData\Roaming\svchost.exe

Filesize
47KB

MD5
27058f6c310e29963251df57e752456a

SHA1
747b0923209199b7e430e1a6896e9304eae02707

SHA256
f0033f3778e39a3be78d3938a73c5e02301a85d138e2e4e3ec41be55996ceaa6

SHA512
d6a9317d28580ada68c927bb7d0aa69a91e5868bdfa6dfb79f37fe9284e55ff35a96b10b69a2d342d5b8a5cb6019e31e17643460458e0f070084918266148eb2

Download Submit
C:\Windows\System32\drivers\etc\hosts

Filesize
1KB

MD5
47edf88ce39f173cf221b1316a217101

SHA1
5444b47f74c95255de52d6659e2d309366ec8375

SHA256
13410c71dba01424242519be8cac60f4b6cb2a2bda8c0ffad340b56666445e08

SHA512
e6c72e7ff4a1052932854f93ea345fc2ba713af8c3d9ea8781050319cefe507ad2b4c08adb23b2c2675e4a68cd7acd93c755ff8fe779161e2470276d1fd5e811

Download Submit
C:\Windows\System32\drivers\etc\hosts

Filesize
1KB

MD5
1530b50aac226cd50815c69326517e51

SHA1
e97855298b61d8a5b6cf2450a990d5cbc40c6aa4

SHA256
1c1eab02470f70f1067cc91ae1506955f2cd92eac3afac8eb3592cc718c2cab3

SHA512
c66ee426b16c2ab3439617774b914dd279351b4c3dc14e16d6e7cdb11cd0cf0d3346df87a315f5a0de885522e3bfdcc2513e73f2d01cf0e5f13f77f7facdb432

Download Submit
memory/1664-139-0x0000000006730000-0x0000000006D48000-memory.dmp

Filesize
6.1MB

Download
memory/1664-142-0x0000000005AA0000-0x0000000005ADC000-memory.dmp

Filesize
240KB

Download
memory/1664-140-0x0000000006220000-0x000000000632A000-memory.dmp

Filesize
1.0MB

Download
memory/1664-143-0x0000000006110000-0x000000000615C000-memory.dmp

Filesize
304KB

Download
memory/1664-138-0x0000000005750000-0x000000000575A000-memory.dmp

Filesize
40KB

Download
memory/1664-137-0x0000000005690000-0x0000000005722000-memory.dmp

Filesize
584KB

Download
memory/1664-136-0x0000000000DC0000-0x0000000000E12000-memory.dmp

Filesize
328KB

Download
memory/1664-141-0x0000000005A80000-0x0000000005A92000-memory.dmp

Filesize
72KB

Download
memory/1664-148-0x0000000007930000-0x0000000007980000-memory.dmp

Filesize
320KB

Download
memory/1664-147-0x0000000007B60000-0x000000000808C000-memory.dmp

Filesize
5.2MB

Download
memory/1664-146-0x0000000007460000-0x0000000007622000-memory.dmp

Filesize
1.8MB

Download
memory/3396-111-0x0000000000F50000-0x0000000000F66000-memory.dmp

Filesize
88KB

Download
memory/3396-110-0x00000000034F0000-0x0000000003547000-memory.dmp

Filesize
348KB

Download
memory/3396-108-0x0000000003160000-0x00000000031A3000-memory.dmp

Filesize
268KB

Download
memory/3576-19-0x00000000072A0000-0x0000000007316000-memory.dmp

Filesize
472KB

Download
memory/3576-16-0x00000000067B0000-0x0000000006D54000-memory.dmp

Filesize
5.6MB

Download
memory/3576-13-0x0000000074790000-0x0000000074F40000-memory.dmp

Filesize
7.7MB

Download
memory/3576-17-0x0000000006200000-0x0000000006266000-memory.dmp

Filesize
408KB

Download
memory/3576-18-0x0000000074790000-0x0000000074F40000-memory.dmp

Filesize
7.7MB

Download
memory/3576-20-0x0000000007220000-0x0000000007282000-memory.dmp

Filesize
392KB

Download
memory/3576-21-0x0000000007330000-0x000000000734E000-memory.dmp

Filesize
120KB

Download
memory/4252-145-0x00007FF62D660000-0x00007FF62D6B7000-memory.dmp

Filesize
348KB

Download
memory/4780-36-0x00000000063C0000-0x0000000006714000-memory.dmp

Filesize
3.3MB

Download
memory/4780-39-0x0000000007970000-0x0000000007A06000-memory.dmp

Filesize
600KB

Download
memory/4780-23-0x0000000003060000-0x0000000003096000-memory.dmp

Filesize
216KB

Download
memory/4780-27-0x0000000006240000-0x0000000006262000-memory.dmp

Filesize
136KB

Download
memory/4780-37-0x0000000006980000-0x000000000699E000-memory.dmp

Filesize
120KB

Download
memory/4780-31-0x00000000062E0000-0x0000000006346000-memory.dmp

Filesize
408KB

Download
memory/4780-24-0x0000000005BA0000-0x00000000061C8000-memory.dmp

Filesize
6.2MB

Download
memory/4780-41-0x0000000006EC0000-0x0000000006EE2000-memory.dmp

Filesize
136KB

Download
memory/4780-38-0x0000000006A30000-0x0000000006A7C000-memory.dmp

Filesize
304KB

Download
memory/4780-40-0x0000000006E70000-0x0000000006E8A000-memory.dmp

Filesize
104KB

Download
memory/4816-8-0x0000000074840000-0x0000000074FF0000-memory.dmp

Filesize
7.7MB

Download
memory/4816-0-0x000000007484E000-0x000000007484F000-memory.dmp

Filesize
4KB

Download
memory/4816-3-0x0000000004B40000-0x0000000004BDC000-memory.dmp

Filesize
624KB

Download
memory/4816-2-0x0000000074840000-0x0000000074FF0000-memory.dmp

Filesize
7.7MB

Download
memory/4816-1-0x00000000001B0000-0x00000000001C2000-memory.dmp

Filesize
72KB

Download