asyncrat | hxxps://drive[.]google[.]com/uc?export=download&id=1_kjJMXjn64mxRCcs5l4W7ZXJmj9lNBea

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240802-es
resource tags

arch:x64arch:x86image:win10v2004-20240802-eslocale:es-esos:windows10-2004-x64systemwindows
submitted
26-08-2024 14:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://drive.google.com/uc?export=download&id=1_kjJMXjn64mxRCcs5l4W7ZXJmj9lNBea

Score

10^/10

asyncrat carlos1 discovery persistence rat

Malware Config

Extracted

Family

asyncrat

Version

0.5.7A

Botnet

CARLOS1

carlos1.con-ip.com:6606

Mutex

uuooxuxbnkywum

Attributes

delay
1
install
false
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	DOCUMENTOS PROPOR CARPETAS PDF 03452973270593526098652102719050369352790635958601322.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	DOCUMENTOS PROPOR CARPETAS PDF 03452973270593526098652102719050369352790635958601322.exe

Executes dropped EXE 2 IoCs

pid	Process
3820	DOCUMENTOS PROPOR CARPETAS PDF 03452973270593526098652102719050369352790635958601322.exe
3368	DOCUMENTOS PROPOR CARPETAS PDF 03452973270593526098652102719050369352790635958601322.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Yxccjcrhp = "C:\\Users\\Admin\\AppData\\Roaming\\Yxccjcrhp.exe"	DOCUMENTOS PROPOR CARPETAS PDF 03452973270593526098652102719050369352790635958601322.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
7	drive.google.com
9	drive.google.com

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\System32\DriverStore\FileRepository\display.inf_amd64_71aa85b0e2292a7a\display.PNF	chrome.exe
File created	\??\c:\windows\system32\driverstore\filerepository\display.inf_amd64_71aa85b0e2292a7a\display.PNF	chrome.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 3820 set thread context of 5492	3820	DOCUMENTOS PROPOR CARPETAS PDF 03452973270593526098652102719050369352790635958601322.exe	127
PID 3820 set thread context of 5280	3820	DOCUMENTOS PROPOR CARPETAS PDF 03452973270593526098652102719050369352790635958601322.exe	128
PID 3368 set thread context of 5620	3368	DOCUMENTOS PROPOR CARPETAS PDF 03452973270593526098652102719050369352790635958601322.exe	129

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\INF\display.PNF	chrome.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 12 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aspnet_compiler.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DOCUMENTOS PROPOR CARPETAS PDF 03452973270593526098652102719050369352790635958601322.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DOCUMENTOS PROPOR CARPETAS PDF 03452973270593526098652102719050369352790635958601322.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aspnet_compiler.exe

Delays execution with timeout.exe 4 IoCs

evasion

pid	Process
1944	timeout.exe
4304	timeout.exe
4392	timeout.exe
732	timeout.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133691556725444474"	chrome.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Local Settings	chrome.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
2308	chrome.exe
2308	chrome.exe
3820	DOCUMENTOS PROPOR CARPETAS PDF 03452973270593526098652102719050369352790635958601322.exe
3820	DOCUMENTOS PROPOR CARPETAS PDF 03452973270593526098652102719050369352790635958601322.exe
2568	7zFM.exe
2568	7zFM.exe
2568	7zFM.exe
2568	7zFM.exe
2568	7zFM.exe
2568	7zFM.exe
5748	chrome.exe
5748	chrome.exe
5748	chrome.exe
5748	chrome.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2568	7zFM.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
2308	chrome.exe
2308	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2308	chrome.exe
Token: SeCreatePagefilePrivilege	2308	chrome.exe
Token: SeShutdownPrivilege	2308	chrome.exe
Token: SeCreatePagefilePrivilege	2308	chrome.exe
Token: SeShutdownPrivilege	2308	chrome.exe
Token: SeCreatePagefilePrivilege	2308	chrome.exe
Token: SeShutdownPrivilege	2308	chrome.exe
Token: SeCreatePagefilePrivilege	2308	chrome.exe
Token: SeShutdownPrivilege	2308	chrome.exe
Token: SeCreatePagefilePrivilege	2308	chrome.exe
Token: SeShutdownPrivilege	2308	chrome.exe
Token: SeCreatePagefilePrivilege	2308	chrome.exe
Token: SeShutdownPrivilege	2308	chrome.exe
Token: SeCreatePagefilePrivilege	2308	chrome.exe
Token: SeShutdownPrivilege	2308	chrome.exe
Token: SeCreatePagefilePrivilege	2308	chrome.exe
Token: SeShutdownPrivilege	2308	chrome.exe
Token: SeCreatePagefilePrivilege	2308	chrome.exe
Token: SeShutdownPrivilege	2308	chrome.exe
Token: SeCreatePagefilePrivilege	2308	chrome.exe
Token: SeShutdownPrivilege	2308	chrome.exe
Token: SeCreatePagefilePrivilege	2308	chrome.exe
Token: SeShutdownPrivilege	2308	chrome.exe
Token: SeCreatePagefilePrivilege	2308	chrome.exe
Token: SeShutdownPrivilege	2308	chrome.exe
Token: SeCreatePagefilePrivilege	2308	chrome.exe
Token: SeShutdownPrivilege	2308	chrome.exe
Token: SeCreatePagefilePrivilege	2308	chrome.exe
Token: SeShutdownPrivilege	2308	chrome.exe
Token: SeCreatePagefilePrivilege	2308	chrome.exe
Token: SeShutdownPrivilege	2308	chrome.exe
Token: SeCreatePagefilePrivilege	2308	chrome.exe
Token: SeShutdownPrivilege	2308	chrome.exe
Token: SeCreatePagefilePrivilege	2308	chrome.exe
Token: SeRestorePrivilege	2568	7zFM.exe
Token: 35	2568	7zFM.exe
Token: SeShutdownPrivilege	2308	chrome.exe
Token: SeCreatePagefilePrivilege	2308	chrome.exe
Token: SeShutdownPrivilege	2308	chrome.exe
Token: SeCreatePagefilePrivilege	2308	chrome.exe
Token: SeShutdownPrivilege	2308	chrome.exe
Token: SeCreatePagefilePrivilege	2308	chrome.exe
Token: SeShutdownPrivilege	2308	chrome.exe
Token: SeCreatePagefilePrivilege	2308	chrome.exe
Token: SeShutdownPrivilege	2308	chrome.exe
Token: SeCreatePagefilePrivilege	2308	chrome.exe
Token: SeShutdownPrivilege	2308	chrome.exe
Token: SeCreatePagefilePrivilege	2308	chrome.exe
Token: SeShutdownPrivilege	2308	chrome.exe
Token: SeCreatePagefilePrivilege	2308	chrome.exe
Token: SeShutdownPrivilege	2308	chrome.exe
Token: SeCreatePagefilePrivilege	2308	chrome.exe
Token: SeShutdownPrivilege	2308	chrome.exe
Token: SeCreatePagefilePrivilege	2308	chrome.exe
Token: SeShutdownPrivilege	2308	chrome.exe
Token: SeCreatePagefilePrivilege	2308	chrome.exe
Token: SeShutdownPrivilege	2308	chrome.exe
Token: SeCreatePagefilePrivilege	2308	chrome.exe
Token: SeShutdownPrivilege	2308	chrome.exe
Token: SeCreatePagefilePrivilege	2308	chrome.exe
Token: SeShutdownPrivilege	2308	chrome.exe
Token: SeCreatePagefilePrivilege	2308	chrome.exe
Token: SeShutdownPrivilege	2308	chrome.exe
Token: SeCreatePagefilePrivilege	2308	chrome.exe

Suspicious use of FindShellTrayWindow 37 IoCs

pid	Process
2308	chrome.exe
2308	chrome.exe
2308	chrome.exe
2308	chrome.exe
2308	chrome.exe
2308	chrome.exe
2308	chrome.exe
2308	chrome.exe
2308	chrome.exe
2308	chrome.exe
2308	chrome.exe
2308	chrome.exe
2308	chrome.exe
2308	chrome.exe
2308	chrome.exe
2308	chrome.exe
2308	chrome.exe
2308	chrome.exe
2308	chrome.exe
2308	chrome.exe
2308	chrome.exe
2308	chrome.exe
2308	chrome.exe
2308	chrome.exe
2308	chrome.exe
2308	chrome.exe
2308	chrome.exe
2308	chrome.exe
2308	chrome.exe
2308	chrome.exe
2308	chrome.exe
2308	chrome.exe
2308	chrome.exe
2308	chrome.exe
2568	7zFM.exe
2568	7zFM.exe
2568	7zFM.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
2308	chrome.exe
2308	chrome.exe
2308	chrome.exe
2308	chrome.exe
2308	chrome.exe
2308	chrome.exe
2308	chrome.exe
2308	chrome.exe
2308	chrome.exe
2308	chrome.exe
2308	chrome.exe
2308	chrome.exe
2308	chrome.exe
2308	chrome.exe
2308	chrome.exe
2308	chrome.exe
2308	chrome.exe
2308	chrome.exe
2308	chrome.exe
2308	chrome.exe
2308	chrome.exe
2308	chrome.exe
2308	chrome.exe
2308	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2308 wrote to memory of 3152	2308	chrome.exe	84
PID 2308 wrote to memory of 3152	2308	chrome.exe	84
PID 2308 wrote to memory of 1176	2308	chrome.exe	85
PID 2308 wrote to memory of 1176	2308	chrome.exe	85
PID 2308 wrote to memory of 1176	2308	chrome.exe	85
PID 2308 wrote to memory of 1176	2308	chrome.exe	85
PID 2308 wrote to memory of 1176	2308	chrome.exe	85
PID 2308 wrote to memory of 1176	2308	chrome.exe	85
PID 2308 wrote to memory of 1176	2308	chrome.exe	85
PID 2308 wrote to memory of 1176	2308	chrome.exe	85
PID 2308 wrote to memory of 1176	2308	chrome.exe	85
PID 2308 wrote to memory of 1176	2308	chrome.exe	85
PID 2308 wrote to memory of 1176	2308	chrome.exe	85
PID 2308 wrote to memory of 1176	2308	chrome.exe	85
PID 2308 wrote to memory of 1176	2308	chrome.exe	85
PID 2308 wrote to memory of 1176	2308	chrome.exe	85
PID 2308 wrote to memory of 1176	2308	chrome.exe	85
PID 2308 wrote to memory of 1176	2308	chrome.exe	85
PID 2308 wrote to memory of 1176	2308	chrome.exe	85
PID 2308 wrote to memory of 1176	2308	chrome.exe	85
PID 2308 wrote to memory of 1176	2308	chrome.exe	85
PID 2308 wrote to memory of 1176	2308	chrome.exe	85
PID 2308 wrote to memory of 1176	2308	chrome.exe	85
PID 2308 wrote to memory of 1176	2308	chrome.exe	85
PID 2308 wrote to memory of 1176	2308	chrome.exe	85
PID 2308 wrote to memory of 1176	2308	chrome.exe	85
PID 2308 wrote to memory of 1176	2308	chrome.exe	85
PID 2308 wrote to memory of 1176	2308	chrome.exe	85
PID 2308 wrote to memory of 1176	2308	chrome.exe	85
PID 2308 wrote to memory of 1176	2308	chrome.exe	85
PID 2308 wrote to memory of 1176	2308	chrome.exe	85
PID 2308 wrote to memory of 1176	2308	chrome.exe	85
PID 2308 wrote to memory of 924	2308	chrome.exe	86
PID 2308 wrote to memory of 924	2308	chrome.exe	86
PID 2308 wrote to memory of 1068	2308	chrome.exe	87
PID 2308 wrote to memory of 1068	2308	chrome.exe	87
PID 2308 wrote to memory of 1068	2308	chrome.exe	87
PID 2308 wrote to memory of 1068	2308	chrome.exe	87
PID 2308 wrote to memory of 1068	2308	chrome.exe	87
PID 2308 wrote to memory of 1068	2308	chrome.exe	87
PID 2308 wrote to memory of 1068	2308	chrome.exe	87
PID 2308 wrote to memory of 1068	2308	chrome.exe	87
PID 2308 wrote to memory of 1068	2308	chrome.exe	87
PID 2308 wrote to memory of 1068	2308	chrome.exe	87
PID 2308 wrote to memory of 1068	2308	chrome.exe	87
PID 2308 wrote to memory of 1068	2308	chrome.exe	87
PID 2308 wrote to memory of 1068	2308	chrome.exe	87
PID 2308 wrote to memory of 1068	2308	chrome.exe	87
PID 2308 wrote to memory of 1068	2308	chrome.exe	87
PID 2308 wrote to memory of 1068	2308	chrome.exe	87
PID 2308 wrote to memory of 1068	2308	chrome.exe	87
PID 2308 wrote to memory of 1068	2308	chrome.exe	87
PID 2308 wrote to memory of 1068	2308	chrome.exe	87
PID 2308 wrote to memory of 1068	2308	chrome.exe	87
PID 2308 wrote to memory of 1068	2308	chrome.exe	87
PID 2308 wrote to memory of 1068	2308	chrome.exe	87
PID 2308 wrote to memory of 1068	2308	chrome.exe	87
PID 2308 wrote to memory of 1068	2308	chrome.exe	87
PID 2308 wrote to memory of 1068	2308	chrome.exe	87
PID 2308 wrote to memory of 1068	2308	chrome.exe	87
PID 2308 wrote to memory of 1068	2308	chrome.exe	87
PID 2308 wrote to memory of 1068	2308	chrome.exe	87
PID 2308 wrote to memory of 1068	2308	chrome.exe	87
PID 2308 wrote to memory of 1068	2308	chrome.exe	87

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://drive.google.com/uc?export=download&id=1_kjJMXjn64mxRCcs5l4W7ZXJmj9lNBea
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2308
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffbb668cc40,0x7ffbb668cc4c,0x7ffbb668cc58
  2⤵
  PID:3152
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1932,i,12417311131485818691,9334176662222895082,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=1924 /prefetch:2
  2⤵
  PID:1176
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2032,i,12417311131485818691,9334176662222895082,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=2036 /prefetch:3
  2⤵
  PID:924
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2304,i,12417311131485818691,9334176662222895082,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=2252 /prefetch:8
  2⤵
  PID:1068
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3148,i,12417311131485818691,9334176662222895082,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=3184 /prefetch:1
  2⤵
  PID:32
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3152,i,12417311131485818691,9334176662222895082,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=3348 /prefetch:1
  2⤵
  PID:1424
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4032,i,12417311131485818691,9334176662222895082,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=4616 /prefetch:8
  2⤵
  PID:1188
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4664,i,12417311131485818691,9334176662222895082,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=4960 /prefetch:8
  2⤵
  PID:1336
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=4748,i,12417311131485818691,9334176662222895082,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=5176 /prefetch:8
  2⤵
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  PID:5748

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:1900

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:1504

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4516

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Downloads\DOCUMENTOS PROPOR CARPETAS PDF 03452973270593526098652102719050369352790635958601322.rar"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2568
- C:\Users\Admin\AppData\Local\Temp\7zO80A16B98\DOCUMENTOS PROPOR CARPETAS PDF 03452973270593526098652102719050369352790635958601322.exe
  "C:\Users\Admin\AppData\Local\Temp\7zO80A16B98\DOCUMENTOS PROPOR CARPETAS PDF 03452973270593526098652102719050369352790635958601322.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:3820
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c timeout 5
    3⤵
    - System Location Discovery: System Language Discovery
    PID:224
  - - C:\Windows\SysWOW64\timeout.exe
      timeout 5
      4⤵
      System Location Discovery: System Language Discovery
      Delays execution with timeout.exe
      PID:1944
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c timeout 5
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1816
  - - C:\Windows\SysWOW64\timeout.exe
      timeout 5
      4⤵
      System Location Discovery: System Language Discovery
      Delays execution with timeout.exe
      PID:4392
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
    3⤵
    PID:5492
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5280
- C:\Users\Admin\AppData\Local\Temp\7zO80AD2BA8\DOCUMENTOS PROPOR CARPETAS PDF 03452973270593526098652102719050369352790635958601322.exe
  "C:\Users\Admin\AppData\Local\Temp\7zO80AD2BA8\DOCUMENTOS PROPOR CARPETAS PDF 03452973270593526098652102719050369352790635958601322.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  PID:3368
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c timeout 5
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4660
  - - C:\Windows\SysWOW64\timeout.exe
      timeout 5
      4⤵
      System Location Discovery: System Language Discovery
      Delays execution with timeout.exe
      PID:4304
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c timeout 5
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4868
  - - C:\Windows\SysWOW64\timeout.exe
      timeout 5
      4⤵
      System Location Discovery: System Language Discovery
      Delays execution with timeout.exe
      PID:732
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5620

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
d9ffbbf06e67435647a251a145c2fce4

SHA1
4215da1f4b0ea78170a3ece078d0e88a72b3aea2

SHA256
f743072c51f064cf8c0557ac7d4e4dabc4f6291b8ec6b1c5fb9804cd83f93414

SHA512
670d0081ab0c325b4dc942f7ee226db50ae577e29b92e5b8620c71b28b2204ca1f5bbe629cbee2acf7e765238e99db974e8130fc04fbcd2b0a8a719552908aeb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
f5713b9841813e186da7e9a6fdabb04d

SHA1
19f8ea9c3f7c1cb6b87e2a3f07a48602ab4259c1

SHA256
2dac8cdf6506dd55e1ac471eb8d527033bb8fd5b905720275a3935d491635b96

SHA512
d2d483fb724cb147554980405dac93c38c4ec1c4c4539cab0575829d3d1598652244ebc4ffefd5859adc3dab78a01cf31692ecb201c59f2cedbe740be1dd4db7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
1bb843dd561fb6a520f7d3bcd64e9092

SHA1
6f9eae684bc39b71cf16f66e5fac92c158e60296

SHA256
1dd592f88e637b447b5bda210c846c34687547e624e9fa970aa898070f3b5c0c

SHA512
cb4a20020135a219b3a1a2b226e861516ad1964772aa24697239730fba47229d63db05c2f6784ec3eb4d9348da700b9746fc061261495dd617a55becf32f209b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
524B

MD5
b9129126aea8170e1c2a7bfa2f6c44dc

SHA1
8554e76d705e31c45ed04ad43f199a2a9b4907a8

SHA256
f1d3e0e055273282f22a5f83454c0547b5d6c58b13f63eaa573a9db488a03fa2

SHA512
b6d4f2f321849cf6cf683fbba889f304b90201a06b57b2c9055c6bee73246c72c9d91631a5fc859a71adeea7360c3d7270059bfcb51da3b34f4d010fb3bfa291

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
f27362af0323af4ec2a08ec0e4cc3065

SHA1
c557288d6f1315b38cf7271b757a579e8b7a84c2

SHA256
0acab2b1a3e0d7c60760048ed731b510df907beeea1c227c4d0e49d2dca0399d

SHA512
4b07b5b0453383cdae13648286d06eadc3492789149e8912a0bb7af277e1f81225b45ff75daf85a3b5a19d4f21a85196db3231b38149978e807489521484a39b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
74df7e8bb1f870b253c5e85f9f380b74

SHA1
ed11c74091d8dd040fec01e4d67102102b8a11eb

SHA256
5230645cf8cd7d4289c3f5e7a335422fdc0e1384b7d5db11c41e9ee409f53fd5

SHA512
9aa9eb580abac0946178a11e8688e10bb5fb69919403123e5e55e8b323d8fa8b35e8d21c193105c5fb3598cd9afdcad4c6e1294512c5d34c7526beb0e388a355

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
f6e67fbf5e80f022946405022d7570f8

SHA1
038e0ce1d7a68eaa4b83dac95e75c201643525a8

SHA256
46604a468fc7284acbe239032c0697fbd51dc18afa5c0f7d783c719d48bf3c3a

SHA512
e3e977a5b9ec7cb62a511059af27b9eb96b45613059db2641bc7907f16cc3f8055aa357aa41ebcb95b3a492f4bdb4e738693a58eb2b0c7c7bf590c97007557f5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
10921a24ae88a8c4ef62d3c1f894478f

SHA1
5c86cf6b805f26e0c811832af63be3e53b1795ed

SHA256
14f14db48300e8134d7d18f4b97fdfa06c0f10d63bf31095d26e5f3a05b7fe6f

SHA512
6a8e6efb8b580a45d51ed7a288722bc1a600fb72f6cc65049931aa7d957e90106dd87e03585c1f9d05424243ab3fce4fcad8270d09fa9532b90f59ffac4b5092

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
cf92caae3ae852a898feb42bc776ebe9

SHA1
eb20c5876e6420ea822722edf12d5d4dde031c05

SHA256
92133cdd43e5a8f414a43383c993f523a5ce5550054c6004b39394a8f0c5f576

SHA512
fdc814cdefb6b71c3faaa404a5e35bb24ad213abd02bdc2ee57454d270270690bfcd3fe55dae6fb62f311cb5b54208043b059126a2e52cc715cfec7e00f63892

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
bc03e2cc2fa7d6b9e59657c997f0fd0c

SHA1
b1c0cc41818e8450282e084fd011349e8f05b632

SHA256
19e6db5b1a534a71f2cad6a3cc75c41fd38646d15af9507fe23d54a6943511cd

SHA512
d4f9015eefd8951f2247353625703d88a8a75c31e820d87aac2bcb267da7653b5d5eb85f81e551655d27796eb58c95be2fb7622bb1a34970ed59ef3910474134

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
60c5381638ddb93fa9ccf29ba355d81f

SHA1
f13c49e1813d2f5a14521f626d5d2456be1a4457

SHA256
3fb6dcfbb97fce23a86588b62c80bb3904765aed2e59350bc8549e87e781c82c

SHA512
668f0877c1bc127e502b1ed2513681ca4c73d209b07616c743f9755c21cf1bae58cd1c64c9d09fb48d612d951f5e3cdc6919c014f4f8eb71c964f3561d1089d6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
16361e1721cd729eb6939dae4cf8553a

SHA1
a586f6de1bfe48f16f16719a88e400cb36957906

SHA256
478df37d7c46238b63e852f2f7d4a808720f14eb78fc6f4d527c3b8a262159b9

SHA512
bf5119417971b108d6ce72e12ae1a3785fe982ed6f2ea9fb51466c3d1c0f7cbc9a1c9f8355b2b5073dbe1b5e4b41c35015dc3de8df6bf187679e829c73136367

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
195KB

MD5
f79b30c6cf0949c610812f974b381d58

SHA1
cf6775a4e032b094f0593de9b353dfed4b59d57a

SHA256
79ae912a98d8c450cc8ae5b7ea32be87d78e225a610cf29ea4a0ec10f671e982

SHA512
e245c7a31055cc2c49ea5871765af2a96294b13168d10245d5c62f8a3126379f280a02126f54d535765b0f72fad94bcc13186b227c19332156107691d1a3b447

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
195KB

MD5
7e25774df83a9088943dc3c5902259c9

SHA1
5083d6adb36d686e683aea97024c3fc582f82596

SHA256
2ee54b01e1a0a820a9f33e1340c2994d58274c82ffed295760f18b98cc46a9f3

SHA512
1f4dfa8eb1001fdc2599a3c455125084ab959a48f04e446263d27c648754c975322e4cb677801729dc61692c6c88ca209674594adb9346e31473540b64921d1a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zO80A16B98\DOCUMENTOS PROPOR CARPETAS PDF 03452973270593526098652102719050369352790635958601322.exe

Filesize
935KB

MD5
af89a12ffef79f9aca96cca0900f062c

SHA1
f8cd52afbf1ff73369f1e155b8c99d8f8d8a5829

SHA256
4378ecffb9fa3af7cc50abc880672a7c02a4608a2e84db036975a3cccb27835c

SHA512
5532a2952f117884535175f38c3ecd792f9cafe6ed59f88478c33a8c0d8bcfbca6927c88617984033ada49b1c9b0db0ee35e75a89fd46f0a88625c2fe5bd65d8

Download Submit
C:\Users\Admin\Downloads\DOCUMENTOS PROPOR CARPETAS PDF 03452973270593526098652102719050369352790635958601322.rar.crdownload

Filesize
869KB

MD5
95a0723eae4586b5bf5cf5d66cf75b00

SHA1
02999ff7c3fc77d616d949571ac1b2e44efe9c2b

SHA256
5b4add7696994a7480d745d2974b7b42e506dced139709e85e94a704c90676e5

SHA512
8311b9b1eb125864e55530f47d97358896acec4d39ee1e0b7ff0ceaa747c068c8b5995cc2b81fd8aba5687c67ac0490ffdc0b6074876797a4e84b3c66131e61a

Download Submit
memory/3820-157-0x0000000006A70000-0x0000000006B45000-memory.dmp

Filesize
852KB

Download
memory/3820-134-0x0000000006A70000-0x0000000006B45000-memory.dmp

Filesize
852KB

Download
memory/3820-181-0x0000000006A70000-0x0000000006B45000-memory.dmp

Filesize
852KB

Download
memory/3820-179-0x0000000006A70000-0x0000000006B45000-memory.dmp

Filesize
852KB

Download
memory/3820-177-0x0000000006A70000-0x0000000006B45000-memory.dmp

Filesize
852KB

Download
memory/3820-175-0x0000000006A70000-0x0000000006B45000-memory.dmp

Filesize
852KB

Download
memory/3820-171-0x0000000006A70000-0x0000000006B45000-memory.dmp

Filesize
852KB

Download
memory/3820-169-0x0000000006A70000-0x0000000006B45000-memory.dmp

Filesize
852KB

Download
memory/3820-165-0x0000000006A70000-0x0000000006B45000-memory.dmp

Filesize
852KB

Download
memory/3820-163-0x0000000006A70000-0x0000000006B45000-memory.dmp

Filesize
852KB

Download
memory/3820-161-0x0000000006A70000-0x0000000006B45000-memory.dmp

Filesize
852KB

Download
memory/3820-159-0x0000000006A70000-0x0000000006B45000-memory.dmp

Filesize
852KB

Download
memory/3820-185-0x0000000006A70000-0x0000000006B45000-memory.dmp

Filesize
852KB

Download
memory/3820-155-0x0000000006A70000-0x0000000006B45000-memory.dmp

Filesize
852KB

Download
memory/3820-151-0x0000000006A70000-0x0000000006B45000-memory.dmp

Filesize
852KB

Download
memory/3820-149-0x0000000006A70000-0x0000000006B45000-memory.dmp

Filesize
852KB

Download
memory/3820-147-0x0000000006A70000-0x0000000006B45000-memory.dmp

Filesize
852KB

Download
memory/3820-145-0x0000000006A70000-0x0000000006B45000-memory.dmp

Filesize
852KB

Download
memory/3820-143-0x0000000006A70000-0x0000000006B45000-memory.dmp

Filesize
852KB

Download
memory/3820-141-0x0000000006A70000-0x0000000006B45000-memory.dmp

Filesize
852KB

Download
memory/3820-135-0x0000000006A70000-0x0000000006B45000-memory.dmp

Filesize
852KB

Download
memory/3820-183-0x0000000006A70000-0x0000000006B45000-memory.dmp

Filesize
852KB

Download
memory/3820-131-0x0000000006A70000-0x0000000006B45000-memory.dmp

Filesize
852KB

Download
memory/3820-130-0x0000000006A70000-0x0000000006B45000-memory.dmp

Filesize
852KB

Download
memory/3820-127-0x0000000006A70000-0x0000000006B45000-memory.dmp

Filesize
852KB

Download
memory/3820-125-0x0000000006A70000-0x0000000006B45000-memory.dmp

Filesize
852KB

Download
memory/3820-167-0x0000000006A70000-0x0000000006B45000-memory.dmp

Filesize
852KB

Download
memory/3820-153-0x0000000006A70000-0x0000000006B45000-memory.dmp

Filesize
852KB

Download
memory/3820-123-0x0000000006A70000-0x0000000006B45000-memory.dmp

Filesize
852KB

Download
memory/3820-122-0x0000000006A70000-0x0000000006B45000-memory.dmp

Filesize
852KB

Download
memory/3820-173-0x0000000006A70000-0x0000000006B45000-memory.dmp

Filesize
852KB

Download
memory/3820-137-0x0000000006A70000-0x0000000006B45000-memory.dmp

Filesize
852KB

Download
memory/3820-1176-0x0000000006BE0000-0x0000000006C3C000-memory.dmp

Filesize
368KB

Download
memory/3820-1177-0x00000000064A0000-0x00000000064EC000-memory.dmp

Filesize
304KB

Download
memory/3820-140-0x0000000006A70000-0x0000000006B45000-memory.dmp

Filesize
852KB

Download
memory/3820-2223-0x0000000007D50000-0x00000000082F4000-memory.dmp

Filesize
5.6MB

Download
memory/3820-2224-0x0000000007290000-0x00000000072E4000-memory.dmp

Filesize
336KB

Download
memory/3820-2225-0x00000000078B0000-0x00000000079B2000-memory.dmp

Filesize
1.0MB

Download
memory/3820-107-0x0000000000BC0000-0x0000000000CAE000-memory.dmp

Filesize
952KB

Download
memory/3820-121-0x0000000006A70000-0x0000000006B4A000-memory.dmp

Filesize
872KB

Download
memory/5280-2234-0x00000000053A0000-0x0000000005406000-memory.dmp

Filesize
408KB

Download
memory/5280-2233-0x0000000005290000-0x000000000532C000-memory.dmp

Filesize
624KB

Download
memory/5280-2229-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download