asyncrat | fa85009348923daee9acc7adef2f6926f6442aabffcf393abaae4ab17cc9795c

Analysis

max time kernel
142s
max time network
140s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
04/09/2024, 01:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

37d1af5c7af78a7bcb958b0b71440091bec44ec86f33cd7547b18eb748d0bc01.exe
Size

579KB
MD5

8eb6236d11b0463ae82eb268ccc1f7e9
SHA1

08e1140bb7dd86231b8dbbc686e894cfe1d1c7b0
SHA256

37d1af5c7af78a7bcb958b0b71440091bec44ec86f33cd7547b18eb748d0bc01
SHA512

d07bf2ec8ca8a57475b1d03214dea1b5c2f300962618d8fde5d987d94c749a0282cb639d6162d79ba10010c05f3df22b7e5d1036cb91bfdd1475198f82fc1af5
SSDEEP

12288:sCn4AyHnseftJpS/mErsKah4dNTTdAPCDbWhwP8wEV:/nEnseftbYmtX4pTywP8R

Score

10^/10

asyncrat default discovery execution rat

Malware Config

Extracted

Family

asyncrat

Version

0.5.8

Botnet

Default

fresh01.ddns.net:2256

Mutex

waVkxgc3A4Ar

Attributes

delay
3
install
true
install_file
logs.exe
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
5012	powershell.exe
3912	powershell.exe
4388	powershell.exe
4304	powershell.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	Landingspunkternes.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	Landingspunkternes.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	Landingspunkternes.exe

Executes dropped EXE 3 IoCs

pid	Process
2896	logs.exe
5024	logs.exe
4268	logs.exe

Loads dropped DLL 14 IoCs

pid	Process
5080	37d1af5c7af78a7bcb958b0b71440091bec44ec86f33cd7547b18eb748d0bc01.exe
5080	37d1af5c7af78a7bcb958b0b71440091bec44ec86f33cd7547b18eb748d0bc01.exe
5080	37d1af5c7af78a7bcb958b0b71440091bec44ec86f33cd7547b18eb748d0bc01.exe
5080	37d1af5c7af78a7bcb958b0b71440091bec44ec86f33cd7547b18eb748d0bc01.exe
1620	Landingspunkternes.exe
2896	logs.exe
2896	logs.exe
2680	Landingspunkternes.exe
5024	logs.exe
5024	logs.exe
4276	Landingspunkternes.exe
4268	logs.exe
4268	logs.exe
1424	Landingspunkternes.exe

Suspicious use of NtCreateThreadExHideFromDebugger 3 IoCs

pid	Process
1620	Landingspunkternes.exe
2680	Landingspunkternes.exe
4276	Landingspunkternes.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 7 IoCs

pid	Process
4304	powershell.exe
1620	Landingspunkternes.exe
5012	powershell.exe
2680	Landingspunkternes.exe
3912	powershell.exe
4276	Landingspunkternes.exe
4388	powershell.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 4304 set thread context of 1620	4304	powershell.exe	95
PID 5012 set thread context of 2680	5012	powershell.exe	107
PID 3912 set thread context of 4276	3912	powershell.exe	117
PID 4388 set thread context of 1424	4388	powershell.exe	127

Drops file in Program Files directory 8 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\indflyvnings\Sparhawk128.Mod	logs.exe
File opened for modification	C:\Program Files (x86)\astonied.ini	logs.exe
File opened for modification	C:\Program Files (x86)\indflyvnings\Sparhawk128.Mod	logs.exe
File opened for modification	C:\Program Files (x86)\astonied.ini	37d1af5c7af78a7bcb958b0b71440091bec44ec86f33cd7547b18eb748d0bc01.exe
File opened for modification	C:\Program Files (x86)\indflyvnings\Sparhawk128.Mod	37d1af5c7af78a7bcb958b0b71440091bec44ec86f33cd7547b18eb748d0bc01.exe
File opened for modification	C:\Program Files (x86)\astonied.ini	logs.exe
File opened for modification	C:\Program Files (x86)\indflyvnings\Sparhawk128.Mod	logs.exe
File opened for modification	C:\Program Files (x86)\astonied.ini	logs.exe

Drops file in Windows directory 8 IoCs

description	ioc	Process
File created	C:\Windows\resources\sammentrkket\fatherlike.lnk	logs.exe
File opened for modification	C:\Windows\Fonts\frasiger.ini	logs.exe
File created	C:\Windows\resources\sammentrkket\fatherlike.lnk	logs.exe
File opened for modification	C:\Windows\Fonts\frasiger.ini	37d1af5c7af78a7bcb958b0b71440091bec44ec86f33cd7547b18eb748d0bc01.exe
File created	C:\Windows\resources\sammentrkket\fatherlike.lnk	37d1af5c7af78a7bcb958b0b71440091bec44ec86f33cd7547b18eb748d0bc01.exe
File opened for modification	C:\Windows\Fonts\frasiger.ini	logs.exe
File created	C:\Windows\resources\sammentrkket\fatherlike.lnk	logs.exe
File opened for modification	C:\Windows\Fonts\frasiger.ini	logs.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 24 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Landingspunkternes.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Landingspunkternes.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	37d1af5c7af78a7bcb958b0b71440091bec44ec86f33cd7547b18eb748d0bc01.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Landingspunkternes.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	logs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	logs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Landingspunkternes.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	logs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe

NSIS installer 2 IoCs

installer

resource	yara_rule
behavioral2/files/0x000600000002270e-71.dat	nsis_installer_1
behavioral2/files/0x000600000002270e-71.dat	nsis_installer_2

Delays execution with timeout.exe 3 IoCs

evasion

pid	Process
1476	timeout.exe
3164	timeout.exe
452	timeout.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 3 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4276	schtasks.exe
4848	schtasks.exe
1668	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4304	powershell.exe
4304	powershell.exe
4304	powershell.exe
4304	powershell.exe
4304	powershell.exe
4304	powershell.exe
4304	powershell.exe
4304	powershell.exe
4304	powershell.exe
1620	Landingspunkternes.exe
1620	Landingspunkternes.exe
1620	Landingspunkternes.exe
1620	Landingspunkternes.exe
1620	Landingspunkternes.exe
1620	Landingspunkternes.exe
1620	Landingspunkternes.exe
1620	Landingspunkternes.exe
1620	Landingspunkternes.exe
1620	Landingspunkternes.exe
1620	Landingspunkternes.exe
1620	Landingspunkternes.exe
1620	Landingspunkternes.exe
1620	Landingspunkternes.exe
1620	Landingspunkternes.exe
1620	Landingspunkternes.exe
1620	Landingspunkternes.exe
1620	Landingspunkternes.exe
1620	Landingspunkternes.exe
1620	Landingspunkternes.exe
1620	Landingspunkternes.exe
1620	Landingspunkternes.exe
1620	Landingspunkternes.exe
5012	powershell.exe
5012	powershell.exe
5012	powershell.exe
5012	powershell.exe
5012	powershell.exe
5012	powershell.exe
5012	powershell.exe
5012	powershell.exe
5012	powershell.exe
2680	Landingspunkternes.exe
2680	Landingspunkternes.exe
2680	Landingspunkternes.exe
2680	Landingspunkternes.exe
2680	Landingspunkternes.exe
2680	Landingspunkternes.exe
2680	Landingspunkternes.exe
2680	Landingspunkternes.exe
2680	Landingspunkternes.exe
2680	Landingspunkternes.exe
2680	Landingspunkternes.exe
2680	Landingspunkternes.exe
2680	Landingspunkternes.exe
2680	Landingspunkternes.exe
2680	Landingspunkternes.exe
2680	Landingspunkternes.exe
2680	Landingspunkternes.exe
2680	Landingspunkternes.exe
2680	Landingspunkternes.exe
3912	powershell.exe
3912	powershell.exe
3912	powershell.exe
3912	powershell.exe

Suspicious behavior: MapViewOfSection 4 IoCs

pid	Process
4304	powershell.exe
5012	powershell.exe
3912	powershell.exe
4388	powershell.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeDebugPrivilege	4304	powershell.exe
Token: SeDebugPrivilege	1620	Landingspunkternes.exe
Token: SeDebugPrivilege	5012	powershell.exe
Token: SeDebugPrivilege	2680	Landingspunkternes.exe
Token: SeDebugPrivilege	3912	powershell.exe
Token: SeDebugPrivilege	4276	Landingspunkternes.exe
Token: SeDebugPrivilege	4388	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5080 wrote to memory of 4304	5080	37d1af5c7af78a7bcb958b0b71440091bec44ec86f33cd7547b18eb748d0bc01.exe	85
PID 5080 wrote to memory of 4304	5080	37d1af5c7af78a7bcb958b0b71440091bec44ec86f33cd7547b18eb748d0bc01.exe	85
PID 5080 wrote to memory of 4304	5080	37d1af5c7af78a7bcb958b0b71440091bec44ec86f33cd7547b18eb748d0bc01.exe	85
PID 4304 wrote to memory of 1620	4304	powershell.exe	95
PID 4304 wrote to memory of 1620	4304	powershell.exe	95
PID 4304 wrote to memory of 1620	4304	powershell.exe	95
PID 4304 wrote to memory of 1620	4304	powershell.exe	95
PID 4304 wrote to memory of 1620	4304	powershell.exe	95
PID 1620 wrote to memory of 3116	1620	Landingspunkternes.exe	97
PID 1620 wrote to memory of 3116	1620	Landingspunkternes.exe	97
PID 1620 wrote to memory of 3116	1620	Landingspunkternes.exe	97
PID 1620 wrote to memory of 1964	1620	Landingspunkternes.exe	99
PID 1620 wrote to memory of 1964	1620	Landingspunkternes.exe	99
PID 1620 wrote to memory of 1964	1620	Landingspunkternes.exe	99
PID 3116 wrote to memory of 4276	3116	cmd.exe	101
PID 3116 wrote to memory of 4276	3116	cmd.exe	101
PID 3116 wrote to memory of 4276	3116	cmd.exe	101
PID 1964 wrote to memory of 1476	1964	cmd.exe	102
PID 1964 wrote to memory of 1476	1964	cmd.exe	102
PID 1964 wrote to memory of 1476	1964	cmd.exe	102
PID 1964 wrote to memory of 2896	1964	cmd.exe	103
PID 1964 wrote to memory of 2896	1964	cmd.exe	103
PID 1964 wrote to memory of 2896	1964	cmd.exe	103
PID 2896 wrote to memory of 5012	2896	logs.exe	104
PID 2896 wrote to memory of 5012	2896	logs.exe	104
PID 2896 wrote to memory of 5012	2896	logs.exe	104
PID 5012 wrote to memory of 2680	5012	powershell.exe	107
PID 5012 wrote to memory of 2680	5012	powershell.exe	107
PID 5012 wrote to memory of 2680	5012	powershell.exe	107
PID 5012 wrote to memory of 2680	5012	powershell.exe	107
PID 5012 wrote to memory of 2680	5012	powershell.exe	107
PID 2680 wrote to memory of 2816	2680	Landingspunkternes.exe	108
PID 2680 wrote to memory of 2816	2680	Landingspunkternes.exe	108
PID 2680 wrote to memory of 2816	2680	Landingspunkternes.exe	108
PID 2816 wrote to memory of 4848	2816	cmd.exe	110
PID 2816 wrote to memory of 4848	2816	cmd.exe	110
PID 2816 wrote to memory of 4848	2816	cmd.exe	110
PID 2680 wrote to memory of 3104	2680	Landingspunkternes.exe	111
PID 2680 wrote to memory of 3104	2680	Landingspunkternes.exe	111
PID 2680 wrote to memory of 3104	2680	Landingspunkternes.exe	111
PID 3104 wrote to memory of 3164	3104	cmd.exe	113
PID 3104 wrote to memory of 3164	3104	cmd.exe	113
PID 3104 wrote to memory of 3164	3104	cmd.exe	113
PID 3104 wrote to memory of 5024	3104	cmd.exe	114
PID 3104 wrote to memory of 5024	3104	cmd.exe	114
PID 3104 wrote to memory of 5024	3104	cmd.exe	114
PID 5024 wrote to memory of 3912	5024	logs.exe	115
PID 5024 wrote to memory of 3912	5024	logs.exe	115
PID 5024 wrote to memory of 3912	5024	logs.exe	115
PID 3912 wrote to memory of 4276	3912	powershell.exe	117
PID 3912 wrote to memory of 4276	3912	powershell.exe	117
PID 3912 wrote to memory of 4276	3912	powershell.exe	117
PID 3912 wrote to memory of 4276	3912	powershell.exe	117
PID 3912 wrote to memory of 4276	3912	powershell.exe	117
PID 4276 wrote to memory of 4716	4276	Landingspunkternes.exe	118
PID 4276 wrote to memory of 4716	4276	Landingspunkternes.exe	118
PID 4276 wrote to memory of 4716	4276	Landingspunkternes.exe	118
PID 4716 wrote to memory of 1668	4716	cmd.exe	120
PID 4716 wrote to memory of 1668	4716	cmd.exe	120
PID 4716 wrote to memory of 1668	4716	cmd.exe	120
PID 4276 wrote to memory of 536	4276	Landingspunkternes.exe	121
PID 4276 wrote to memory of 536	4276	Landingspunkternes.exe	121
PID 4276 wrote to memory of 536	4276	Landingspunkternes.exe	121
PID 536 wrote to memory of 452	536	cmd.exe	123

C:\Users\Admin\AppData\Local\Temp\37d1af5c7af78a7bcb958b0b71440091bec44ec86f33cd7547b18eb748d0bc01.exe
"C:\Users\Admin\AppData\Local\Temp\37d1af5c7af78a7bcb958b0b71440091bec44ec86f33cd7547b18eb748d0bc01.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:5080
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" -windowstyle hidden "$Rigsrevisorers=Get-Content 'C:\Users\Admin\AppData\Roaming\Watertown136\Brevskolen141\Receptiv147\Arbouriculture248.fra';$Cocculus=$Rigsrevisorers.SubString(9851,3);.$Cocculus($Rigsrevisorers)"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4304
- - C:\Users\Admin\AppData\Local\Temp\Landingspunkternes.exe
    "C:\Users\Admin\AppData\Local\Temp\Landingspunkternes.exe"
    3⤵
    - Checks computer location settings
    - Loads dropped DLL
    - Suspicious use of NtCreateThreadExHideFromDebugger
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1620
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "logs" /tr '"C:\Users\Admin\AppData\Roaming\logs.exe"' & exit
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:3116
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "logs" /tr '"C:\Users\Admin\AppData\Roaming\logs.exe"'
        5⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:4276
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp4419.tmp.bat""
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1964
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout 3
        5⤵
        System Location Discovery: System Language Discovery
        Delays execution with timeout.exe
        
        PID:1476
    - - C:\Users\Admin\AppData\Roaming\logs.exe
        
        "C:\Users\Admin\AppData\Roaming\logs.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2896
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" -windowstyle hidden "$Rigsrevisorers=Get-Content 'C:\Users\Admin\AppData\Roaming\Watertown136\Brevskolen141\Receptiv147\Arbouriculture248.fra';$Cocculus=$Rigsrevisorers.SubString(9851,3);.$Cocculus($Rigsrevisorers)"
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5012
        
        C:\Users\Admin\AppData\Local\Temp\Landingspunkternes.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Landingspunkternes.exe"
        7⤵
        Checks computer location settings
        Loads dropped DLL
        Suspicious use of NtCreateThreadExHideFromDebugger
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2680
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "logs" /tr '"C:\Users\Admin\AppData\Roaming\logs.exe"' & exit
        8⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2816
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "logs" /tr '"C:\Users\Admin\AppData\Roaming\logs.exe"'
        9⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:4848
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpDC90.tmp.bat""
        8⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3104
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout 3
        9⤵
        System Location Discovery: System Language Discovery
        Delays execution with timeout.exe
        
        PID:3164
        
        C:\Users\Admin\AppData\Roaming\logs.exe
        
        "C:\Users\Admin\AppData\Roaming\logs.exe"
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:5024
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" -windowstyle hidden "$Rigsrevisorers=Get-Content 'C:\Users\Admin\AppData\Roaming\Watertown136\Brevskolen141\Receptiv147\Arbouriculture248.fra';$Cocculus=$Rigsrevisorers.SubString(9851,3);.$Cocculus($Rigsrevisorers)"
        10⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3912
        
        C:\Users\Admin\AppData\Local\Temp\Landingspunkternes.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Landingspunkternes.exe"
        11⤵
        Checks computer location settings
        Loads dropped DLL
        Suspicious use of NtCreateThreadExHideFromDebugger
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4276
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "logs" /tr '"C:\Users\Admin\AppData\Roaming\logs.exe"' & exit
        12⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4716
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "logs" /tr '"C:\Users\Admin\AppData\Roaming\logs.exe"'
        13⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:1668
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp795C.tmp.bat""
        12⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:536
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout 3
        13⤵
        System Location Discovery: System Language Discovery
        Delays execution with timeout.exe
        
        PID:452
        
        C:\Users\Admin\AppData\Roaming\logs.exe
        
        "C:\Users\Admin\AppData\Roaming\logs.exe"
        13⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:4268
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" -windowstyle hidden "$Rigsrevisorers=Get-Content 'C:\Users\Admin\AppData\Roaming\Watertown136\Brevskolen141\Receptiv147\Arbouriculture248.fra';$Cocculus=$Rigsrevisorers.SubString(9851,3);.$Cocculus($Rigsrevisorers)"
        14⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        
        PID:4388
        
        C:\Users\Admin\AppData\Local\Temp\Landingspunkternes.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Landingspunkternes.exe"
        15⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1424

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\astonied.ini

Filesize
40B

MD5
05c70eab829786b13f4250010970e93e

SHA1
1f3e904027d380cb6fce257deb4bbe28626296dd

SHA256
957608d4fdf7a422674dc07bd33d9b698b1009e664de3a54f848d40dde234244

SHA512
4f1be0e7fbc87876c22d1c8f785db1e9737593c3e2474100dc13ea8d102833c3d2ba599e9031bcc26fcc1e7ff3d0fc7876d7643fe4deff5fef50fcd6bbd88d9a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751

Filesize
717B

MD5
822467b728b7a66b081c91795373789a

SHA1
d8f2f02e1eef62485a9feffd59ce837511749865

SHA256
af2343382b88335eea72251ad84949e244ff54b6995063e24459a7216e9576b9

SHA512
bacea07d92c32078ca6a0161549b4e18edab745dd44947e5f181d28cc24468e07769d6835816cdfb944fd3d0099bde5e21b48f4966824c5c16c1801712303eb6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751

Filesize
192B

MD5
87e3a7462732224ad68974d2e5c629da

SHA1
a19da17d3a4070f8df1ef131302fd0728b7de838

SHA256
6766896c0c5d29eabe2e399a797db760d98b1f0f473ee1e33aa08cf7c3241463

SHA512
2519574908d0b9bbeb7c1a737be99785dd1dc610f684aa09ebf01a15e581c170a10fdee07ed2bd526f052c0d4672737fbb404d2b876cd3c2f3e9f36507644573

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Landingspunkternes.exe.log

Filesize
522B

MD5
acc9090417037dfa2a55b46ed86e32b8

SHA1
53fa6fb25fb3e88c24d2027aca6ae492b2800a4d

SHA256
2412679218bb0a7d05ceee32869bbb223619bde9966c4c460a68304a3367724b

SHA512
d51f7085ec147c708f446b9fb6923cd2fb64596d354ed929e125b30ace57c8cb3217589447a36960e5d3aea87a4e48aaa82c7509eced6d6c2cecd71fcfe3697b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
53KB

MD5
d4d8cef58818612769a698c291ca3b37

SHA1
54e0a6e0c08723157829cea009ec4fe30bea5c50

SHA256
98fd693b92a71e24110ce7d018a117757ffdfe0e551a33c5fa5d8888a2d74fb0

SHA512
f165b1dde8f251e95d137a466d9bb77240396e289d1b2f8f1e9a28a6470545df07d00da6449250a1a0d73364c9cb6c00fd6229a385585a734da1ac65ac7e57f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Landingspunkternes.exe

Filesize
579KB

MD5
8eb6236d11b0463ae82eb268ccc1f7e9

SHA1
08e1140bb7dd86231b8dbbc686e894cfe1d1c7b0

SHA256
37d1af5c7af78a7bcb958b0b71440091bec44ec86f33cd7547b18eb748d0bc01

SHA512
d07bf2ec8ca8a57475b1d03214dea1b5c2f300962618d8fde5d987d94c749a0282cb639d6162d79ba10010c05f3df22b7e5d1036cb91bfdd1475198f82fc1af5

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_npbvffjp.dtj.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsoA8A5.tmp\BgImage.dll

Filesize
7KB

MD5
49998d066af103d06b56f5b4c76b1497

SHA1
b7dce166147f40dfa17f5ca950c4e324a10d04be

SHA256
95042dbe7428461ee7fd210acf37040eb921012c7b32f66cb54766f0a16bb5b6

SHA512
61b0d75ef3a18c8c13ad8c614a012a71cbc4f6fd4bba0aa0c7b866e1a8fbf5f9fdb3e012a3566586d47fc8b456a7de36a06a0d70cdf27e504aac64eab37555d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsoA8A5.tmp\nsDialogs.dll

Filesize
9KB

MD5
19d3373e403a6e724cfa1563dfd1f463

SHA1
4917547b355a91e9431879209f56925097bf4fb3

SHA256
873fa0c52eae7cfbed56ea18b21fad0ca8f018ab7f305bd1db1a3ec454e353d1

SHA512
b6f6db23376ade4bb864ea14244980612f42f322d3915540090bfe8edc80e9577b7aec3589bd587ca47a729371ed8ab8e6e23031bb3e3f524d48783637646193

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsoA8A5.tmp\nsExec.dll

Filesize
6KB

MD5
6c881f00ba860b17821d8813aa34dbc6

SHA1
0e5a1e09b1ce1bc758d6977b913a8d9ccbe52a13

SHA256
bcb93204bd1854d0c34fa30883bab51f6813ab32abf7fb7d4aeed21d71f6af87

SHA512
c78d6f43aa9bb35260a7bd300392ce809282660283fa6cb3059bae50d6db229b0b853cab7c949d4bdf19309fb183257b1c9feb01a66347e1c0adeb21543315b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp4419.tmp.bat

Filesize
148B

MD5
9d23a728c0dcb1d85ba95b5df69aad5e

SHA1
2685f0b6cfb9bf5a6ac238717c35c702fd0fe787

SHA256
bbb4d06f0f9a492c7791b603fce8a2e7e76cd6347525341b7533f9e58c5b913a

SHA512
2d617337d9befad4df51b498a3464ec1076b07946e052ecde92a3f7a0de677cbffa7704ada3e7d753be3352f0ff9982fbc90d9f53577ae9c64d2926432f14064

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp795C.tmp.bat

Filesize
148B

MD5
fbe1c9fa58bef1a8b2e7556b14a12748

SHA1
6734c8315d8c4b7b38167c92c3f5a88cf3ed1742

SHA256
13ed1d6d9033cb76e5275e46f209d0f1317037df53574e928ecaa0f1a8385e0a

SHA512
0c2e3c9b06dafe81530f5b1f7d30307d688cf12a1441979193390d7fb3cbf316476affd54ffff1cd5a13d356f23e47d924228e2ae129f97697c92144ae425d19

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpDC90.tmp.bat

Filesize
148B

MD5
0b7a9b3fbb2e2839e88cfa021f22b8d3

SHA1
b7bb2e34a3c3c01007d4d8d2e9be03a243f5abf3

SHA256
d38cd62a3fc25a257120fecab6c43dfa1dc8d8429c3d58207c93e9be40aa0727

SHA512
300b5d2fc94702c731ced3f03dae0054c1d102e52d8e06fb9fc17dc7806a1828d8c82dca0edb225c6a85627ea1adecc0d23d4332b2f0210d94cac56ffb1b3107

Download Submit
C:\Users\Admin\AppData\Roaming\Watertown136\Brevskolen141\Receptiv147\Arbouriculture248.fra

Filesize
67KB

MD5
f920388117d05e71adf552e886f824ca

SHA1
1ea3664c4cf6305438c1fc84b7c6d980f39ae0b5

SHA256
ad0c18269a3971545eedcd2ddb5617c8dfd34e452bd43a1bf287d7b8be902289

SHA512
f2d3da62202662f6a29510f9ea2f66e144565d53839aa878c9589bafb5397457d9a67abdaf9cd3b8f98a56e50dba64176251a6d90c403008a73bfd158985d96f

Download Submit
C:\Users\Admin\AppData\Roaming\Watertown136\Brevskolen141\Receptiv147\Ligevgtstilstand.Sto

Filesize
329KB

MD5
cbfbd9d02683e7233a6937287e344bc3

SHA1
0522a3a3d1511ffde52174f662012d552bbab6ff

SHA256
4e84e07a820ad0f07c0d6ef0396bf9c4cce2c4a2e0bfc6a8f1a37aadb892bb80

SHA512
51518a7454f702f392fbb5f976ea7c49347c8430f5866f98c6971c595cdf5892180b9b3a74d031cdfcd9461c5822bc42084615da45d27554861ab029f688e8e3

Download Submit
C:\Windows\Fonts\frasiger.ini

Filesize
37B

MD5
2cb260c5458355e994a5f9598bcc1f24

SHA1
7222512306bf86f49868e5bd9b51bbedd950e6e5

SHA256
56e6165a2b5396aa43e06e8ebc3bf96ceecc0186577758a20a978c51e19b4e20

SHA512
592943bfc20860b84700951aa048d7e2ecc4320687765d2ae5e9f369c43b7304a9f2b832d2c19a47c35d082722ed1d5d6994d629d88c303bb1316ab191ad5440

Download Submit
memory/1620-80-0x0000000025B30000-0x0000000025BCC000-memory.dmp

Filesize
624KB

Download
memory/1620-86-0x00000000773B1000-0x00000000774D1000-memory.dmp

Filesize
1.1MB

Download
memory/1620-76-0x0000000000480000-0x00000000016D4000-memory.dmp

Filesize
18.3MB

Download
memory/1620-78-0x0000000000480000-0x0000000000492000-memory.dmp

Filesize
72KB

Download
memory/1620-72-0x00000000773B1000-0x00000000774D1000-memory.dmp

Filesize
1.1MB

Download
memory/2680-121-0x0000000000480000-0x00000000016D4000-memory.dmp

Filesize
18.3MB

Download
memory/2680-126-0x0000000000480000-0x0000000000492000-memory.dmp

Filesize
72KB

Download
memory/2680-124-0x0000000000480000-0x00000000016D4000-memory.dmp

Filesize
18.3MB

Download
memory/3912-160-0x0000000005FC0000-0x0000000006314000-memory.dmp

Filesize
3.3MB

Download
memory/4276-164-0x0000000000480000-0x0000000000492000-memory.dmp

Filesize
72KB

Download
memory/4276-163-0x0000000000480000-0x00000000016D4000-memory.dmp

Filesize
18.3MB

Download
memory/4304-48-0x0000000005EF0000-0x0000000005F3C000-memory.dmp

Filesize
304KB

Download
memory/4304-52-0x0000000007670000-0x0000000007C14000-memory.dmp

Filesize
5.6MB

Download
memory/4304-65-0x0000000073750000-0x0000000073F00000-memory.dmp

Filesize
7.7MB

Download
memory/4304-66-0x0000000073750000-0x0000000073F00000-memory.dmp

Filesize
7.7MB

Download
memory/4304-68-0x0000000073750000-0x0000000073F00000-memory.dmp

Filesize
7.7MB

Download
memory/4304-70-0x0000000073750000-0x0000000073F00000-memory.dmp

Filesize
7.7MB

Download
memory/4304-63-0x0000000073750000-0x0000000073F00000-memory.dmp

Filesize
7.7MB

Download
memory/4304-62-0x000000007375E000-0x000000007375F000-memory.dmp

Filesize
4KB

Download
memory/4304-60-0x0000000073750000-0x0000000073F00000-memory.dmp

Filesize
7.7MB

Download
memory/4304-61-0x0000000073750000-0x0000000073F00000-memory.dmp

Filesize
7.7MB

Download
memory/4304-79-0x0000000073750000-0x0000000073F00000-memory.dmp

Filesize
7.7MB

Download
memory/4304-58-0x0000000073750000-0x0000000073F00000-memory.dmp

Filesize
7.7MB

Download
memory/4304-57-0x0000000073750000-0x0000000073F00000-memory.dmp

Filesize
7.7MB

Download
memory/4304-56-0x0000000073750000-0x0000000073F00000-memory.dmp

Filesize
7.7MB

Download
memory/4304-54-0x00000000082A0000-0x000000000891A000-memory.dmp

Filesize
6.5MB

Download
memory/4304-64-0x0000000008920000-0x000000000E604000-memory.dmp

Filesize
92.9MB

Download
memory/4304-51-0x0000000006420000-0x0000000006442000-memory.dmp

Filesize
136KB

Download
memory/4304-29-0x000000007375E000-0x000000007375F000-memory.dmp

Filesize
4KB

Download
memory/4304-30-0x00000000048E0000-0x0000000004916000-memory.dmp

Filesize
216KB

Download
memory/4304-49-0x0000000007020000-0x00000000070B6000-memory.dmp

Filesize
600KB

Download
memory/4304-50-0x00000000063D0000-0x00000000063EA000-memory.dmp

Filesize
104KB

Download
memory/4304-47-0x0000000005EB0000-0x0000000005ECE000-memory.dmp

Filesize
120KB

Download
memory/4304-42-0x00000000058C0000-0x0000000005C14000-memory.dmp

Filesize
3.3MB

Download
memory/4304-35-0x00000000057E0000-0x0000000005846000-memory.dmp

Filesize
408KB

Download
memory/4304-36-0x0000000005850000-0x00000000058B6000-memory.dmp

Filesize
408KB

Download
memory/4304-34-0x0000000004F00000-0x0000000004F22000-memory.dmp

Filesize
136KB

Download
memory/4304-33-0x0000000073750000-0x0000000073F00000-memory.dmp

Filesize
7.7MB

Download
memory/4304-31-0x0000000073750000-0x0000000073F00000-memory.dmp

Filesize
7.7MB

Download
memory/4304-32-0x0000000005040000-0x0000000005668000-memory.dmp

Filesize
6.2MB

Download
memory/5012-117-0x0000000005CE0000-0x0000000005D2C000-memory.dmp

Filesize
304KB

Download
memory/5012-116-0x0000000005690000-0x00000000059E4000-memory.dmp

Filesize
3.3MB

Download