asyncrat | 11aaf8e69584b151ba6630c78446ff2344888fdd80442ab32ce6c7a2e086bd2c

Analysis

max time kernel
148s
max time network
158s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
13-09-2024 19:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

portmapper-2.2.3.exe
Size

5.2MB
MD5

9f14a0573f96ce3c3374044e585f7eb0
SHA1

88247dac3c2a4e5a760c215436a99afe9ad5577f
SHA256

e5f62be708a0caa8b4e5dfcf07127eabc49a8a61a300f434367718b7e7c2e7e3
SHA512

f1e5af30c5c251a294998eb15cef22d22c6e30c900e08d86721ad3bfe400b86b8866c8ec66082014f3f3da2fb576a4cf35f1ff9e1f36d1dad26403fa96f9f91b
SSDEEP

98304:rqw3fQlyOEaEyr9QsYhzAkSuwnu0J74Ijb4eDaJo99AXvhdkfx5:rqw3fsVPYa7J7zjxae7iZdK

Score

10^/10

asyncrat nanocore xworm default defense_evasion discovery evasion execution keylogger persistence rat spyware stealer trojan

Malware Config

Extracted

Family

xworm

127.0.0.1:3232

l838.ddns.net:3232

0x365c3e6EeF15a2938FC7267D5A3386c8e23aBc5F:123

Attributes

Install_directory
%ProgramData%
install_file
Windows Security Wrapper.exe

Extracted

Family

asyncrat

Version

L838 RAT v1.0.0

Botnet

Default

127.0.0.1:54984

l838.ddns.net:54984

Mutex

kswxiqghhjgkjqpqzz

Attributes

delay
3
install
true
install_file
Windows Service Wrapper.exe
install_folder
%programdata%

aes.plain

Extracted

Family

nanocore

Version

1.2.2.0

127.0.0.1:1608

Mutex

604f8f8e-6001-41ac-bd3b-ab5444c68531

Attributes

activate_away_mode
false
backup_connection_host
127.0.0.1
backup_dns_server
8.8.4.4
buffer_size
65535
build_time
2024-06-24T16:20:21.998686336Z
bypass_user_account_control
false
bypass_user_account_control_data
PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTE2Ij8+DQo8VGFzayB2ZXJzaW9uPSIxLjIiIHhtbG5zPSJodHRwOi8vc2NoZW1hcy5taWNyb3NvZnQuY29tL3dpbmRvd3MvMjAwNC8wMi9taXQvdGFzayI+DQogIDxSZWdpc3RyYXRpb25JbmZvIC8+DQogIDxUcmlnZ2VycyAvPg0KICA8UHJpbmNpcGFscz4NCiAgICA8UHJpbmNpcGFsIGlkPSJBdXRob3IiPg0KICAgICAgPExvZ29uVHlwZT5JbnRlcmFjdGl2ZVRva2VuPC9Mb2dvblR5cGU+DQogICAgICA8UnVuTGV2ZWw+SGlnaGVzdEF2YWlsYWJsZTwvUnVuTGV2ZWw+DQogICAgPC9QcmluY2lwYWw+DQogIDwvUHJpbmNpcGFscz4NCiAgPFNldHRpbmdzPg0KICAgIDxNdWx0aXBsZUluc3RhbmNlc1BvbGljeT5QYXJhbGxlbDwvTXVsdGlwbGVJbnN0YW5jZXNQb2xpY3k+DQogICAgPERpc2FsbG93U3RhcnRJZk9uQmF0dGVyaWVzPmZhbHNlPC9EaXNhbGxvd1N0YXJ0SWZPbkJhdHRlcmllcz4NCiAgICA8U3RvcElmR29pbmdPbkJhdHRlcmllcz5mYWxzZTwvU3RvcElmR29pbmdPbkJhdHRlcmllcz4NCiAgICA8QWxsb3dIYXJkVGVybWluYXRlPnRydWU8L0FsbG93SGFyZFRlcm1pbmF0ZT4NCiAgICA8U3RhcnRXaGVuQXZhaWxhYmxlPmZhbHNlPC9TdGFydFdoZW5BdmFpbGFibGU+DQogICAgPFJ1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+ZmFsc2U8L1J1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+DQogICAgPElkbGVTZXR0aW5ncz4NCiAgICAgIDxTdG9wT25JZGxlRW5kPmZhbHNlPC9TdG9wT25JZGxlRW5kPg0KICAgICAgPFJlc3RhcnRPbklkbGU+ZmFsc2U8L1Jlc3RhcnRPbklkbGU+DQogICAgPC9JZGxlU2V0dGluZ3M+DQogICAgPEFsbG93U3RhcnRPbkRlbWFuZD50cnVlPC9BbGxvd1N0YXJ0T25EZW1hbmQ+DQogICAgPEVuYWJsZWQ+dHJ1ZTwvRW5hYmxlZD4NCiAgICA8SGlkZGVuPmZhbHNlPC9IaWRkZW4+DQogICAgPFJ1bk9ubHlJZklkbGU+ZmFsc2U8L1J1bk9ubHlJZklkbGU+DQogICAgPFdha2VUb1J1bj5mYWxzZTwvV2FrZVRvUnVuPg0KICAgIDxFeGVjdXRpb25UaW1lTGltaXQ+UFQwUzwvRXhlY3V0aW9uVGltZUxpbWl0Pg0KICAgIDxQcmlvcml0eT40PC9Qcmlvcml0eT4NCiAgPC9TZXR0aW5ncz4NCiAgPEFjdGlvbnMgQ29udGV4dD0iQXV0aG9yIj4NCiAgICA8RXhlYz4NCiAgICAgIDxDb21tYW5kPiIjRVhFQ1VUQUJMRVBBVEgiPC9Db21tYW5kPg0KICAgICAgPEFyZ3VtZW50cz4kKEFyZzApPC9Bcmd1bWVudHM+DQogICAgPC9FeGVjPg0KICA8L0FjdGlvbnM+DQo8L1Rhc2s+
clear_access_control
false
clear_zone_identifier
false
connect_delay
4000
connection_port
1608
default_group
Default
enable_debug_mode
false
gc_threshold
1.048576e+07
keep_alive_timeout
30000
keyboard_logging
false
lan_timeout
2500
max_packet_size
1.048576e+07
mutex
604f8f8e-6001-41ac-bd3b-ab5444c68531
mutex_timeout
5000
prevent_system_sleep
false
primary_connection_host
primary_dns_server
8.8.8.8
request_elevation
true
restart_delay
5000
run_delay
0
run_on_startup
true
set_critical_process
true
timeout_interval
5000
use_custom_dns_server
false
version
1.2.2.0
wan_timeout
8000

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral17/files/0x0005000000019467-14.dat	family_xworm
behavioral17/memory/2788-52-0x00000000003B0000-0x00000000003C8000-memory.dmp	family_xworm

NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
keylogger trojan stealer spyware nanocore
Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm

Async RAT payload 1 IoCs

rat

resource	yara_rule
behavioral17/files/0x0005000000019496-20.dat	family_asyncrat

Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
2684	powershell.exe
1752	powershell.exe
1680	powershell.exe
1188	powershell.exe
2040	powershell.exe
1532	powershell.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows Security Wrapper.lnk	WindowsSmartScreen.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows Security Wrapper.lnk	WindowsSmartScreen.exe

Executes dropped EXE 4 IoCs

pid	Process
1812	PortServices.exe
2788	WindowsSmartScreen.exe
2728	WindowsDriverFoundation.exe
2252	trellrt.exe

Loads dropped DLL 4 IoCs

pid	Process
1812	PortServices.exe
1812	PortServices.exe
1812	PortServices.exe
1812	PortServices.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\SystemUpdateWindowsSmartScreen = "C:\\Users\\Admin\\WindowsSmartScreen.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\SystemUpdateWindowsDriverFoundation = "C:\\Users\\Admin\\WindowsDriverFoundation.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Security Wrapper = "C:\\ProgramData\\Windows Security Wrapper.exe"	WindowsSmartScreen.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	trellrt.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
5	ip-api.com

Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
defense_evasion

Command Obfuscation
T1027.010
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 13 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	find.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PortServices.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	find.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	trellrt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2876	schtasks.exe
1496	schtasks.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2788	WindowsSmartScreen.exe

Suspicious behavior: EnumeratesProcesses 19 IoCs

pid	Process
2676	powershell.exe
2684	powershell.exe
2040	powershell.exe
2252	trellrt.exe
2252	trellrt.exe
2252	trellrt.exe
2252	trellrt.exe
2252	trellrt.exe
2252	trellrt.exe
2252	trellrt.exe
2252	trellrt.exe
2252	trellrt.exe
1532	powershell.exe
1752	powershell.exe
1680	powershell.exe
1188	powershell.exe
2252	trellrt.exe
2252	trellrt.exe
2252	trellrt.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2252	trellrt.exe

Suspicious use of AdjustPrivilegeToken 51 IoCs

description	pid	Process
Token: SeDebugPrivilege	2684	powershell.exe
Token: SeDebugPrivilege	2676	powershell.exe
Token: SeDebugPrivilege	2788	WindowsSmartScreen.exe
Token: SeDebugPrivilege	2728	WindowsDriverFoundation.exe
Token: SeDebugPrivilege	2040	powershell.exe
Token: SeDebugPrivilege	2252	trellrt.exe
Token: SeIncreaseQuotaPrivilege	2728	WindowsDriverFoundation.exe
Token: SeSecurityPrivilege	2728	WindowsDriverFoundation.exe
Token: SeTakeOwnershipPrivilege	2728	WindowsDriverFoundation.exe
Token: SeLoadDriverPrivilege	2728	WindowsDriverFoundation.exe
Token: SeSystemProfilePrivilege	2728	WindowsDriverFoundation.exe
Token: SeSystemtimePrivilege	2728	WindowsDriverFoundation.exe
Token: SeProfSingleProcessPrivilege	2728	WindowsDriverFoundation.exe
Token: SeIncBasePriorityPrivilege	2728	WindowsDriverFoundation.exe
Token: SeCreatePagefilePrivilege	2728	WindowsDriverFoundation.exe
Token: SeBackupPrivilege	2728	WindowsDriverFoundation.exe
Token: SeRestorePrivilege	2728	WindowsDriverFoundation.exe
Token: SeShutdownPrivilege	2728	WindowsDriverFoundation.exe
Token: SeDebugPrivilege	2728	WindowsDriverFoundation.exe
Token: SeSystemEnvironmentPrivilege	2728	WindowsDriverFoundation.exe
Token: SeRemoteShutdownPrivilege	2728	WindowsDriverFoundation.exe
Token: SeUndockPrivilege	2728	WindowsDriverFoundation.exe
Token: SeManageVolumePrivilege	2728	WindowsDriverFoundation.exe
Token: 33	2728	WindowsDriverFoundation.exe
Token: 34	2728	WindowsDriverFoundation.exe
Token: 35	2728	WindowsDriverFoundation.exe
Token: SeIncreaseQuotaPrivilege	2728	WindowsDriverFoundation.exe
Token: SeSecurityPrivilege	2728	WindowsDriverFoundation.exe
Token: SeTakeOwnershipPrivilege	2728	WindowsDriverFoundation.exe
Token: SeLoadDriverPrivilege	2728	WindowsDriverFoundation.exe
Token: SeSystemProfilePrivilege	2728	WindowsDriverFoundation.exe
Token: SeSystemtimePrivilege	2728	WindowsDriverFoundation.exe
Token: SeProfSingleProcessPrivilege	2728	WindowsDriverFoundation.exe
Token: SeIncBasePriorityPrivilege	2728	WindowsDriverFoundation.exe
Token: SeCreatePagefilePrivilege	2728	WindowsDriverFoundation.exe
Token: SeBackupPrivilege	2728	WindowsDriverFoundation.exe
Token: SeRestorePrivilege	2728	WindowsDriverFoundation.exe
Token: SeShutdownPrivilege	2728	WindowsDriverFoundation.exe
Token: SeDebugPrivilege	2728	WindowsDriverFoundation.exe
Token: SeSystemEnvironmentPrivilege	2728	WindowsDriverFoundation.exe
Token: SeRemoteShutdownPrivilege	2728	WindowsDriverFoundation.exe
Token: SeUndockPrivilege	2728	WindowsDriverFoundation.exe
Token: SeManageVolumePrivilege	2728	WindowsDriverFoundation.exe
Token: 33	2728	WindowsDriverFoundation.exe
Token: 34	2728	WindowsDriverFoundation.exe
Token: 35	2728	WindowsDriverFoundation.exe
Token: SeDebugPrivilege	1532	powershell.exe
Token: SeDebugPrivilege	1752	powershell.exe
Token: SeDebugPrivilege	1680	powershell.exe
Token: SeDebugPrivilege	1188	powershell.exe
Token: SeDebugPrivilege	2788	WindowsSmartScreen.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2496 wrote to memory of 1812	2496	portmapper-2.2.3.exe	31
PID 2496 wrote to memory of 1812	2496	portmapper-2.2.3.exe	31
PID 2496 wrote to memory of 1812	2496	portmapper-2.2.3.exe	31
PID 2496 wrote to memory of 1812	2496	portmapper-2.2.3.exe	31
PID 1812 wrote to memory of 2676	1812	PortServices.exe	32
PID 1812 wrote to memory of 2676	1812	PortServices.exe	32
PID 1812 wrote to memory of 2676	1812	PortServices.exe	32
PID 1812 wrote to memory of 2676	1812	PortServices.exe	32
PID 1812 wrote to memory of 2788	1812	PortServices.exe	34
PID 1812 wrote to memory of 2788	1812	PortServices.exe	34
PID 1812 wrote to memory of 2788	1812	PortServices.exe	34
PID 1812 wrote to memory of 2788	1812	PortServices.exe	34
PID 1812 wrote to memory of 2728	1812	PortServices.exe	35
PID 1812 wrote to memory of 2728	1812	PortServices.exe	35
PID 1812 wrote to memory of 2728	1812	PortServices.exe	35
PID 1812 wrote to memory of 2728	1812	PortServices.exe	35
PID 1812 wrote to memory of 2848	1812	PortServices.exe	36
PID 1812 wrote to memory of 2848	1812	PortServices.exe	36
PID 1812 wrote to memory of 2848	1812	PortServices.exe	36
PID 1812 wrote to memory of 2848	1812	PortServices.exe	36
PID 1812 wrote to memory of 2252	1812	PortServices.exe	38
PID 1812 wrote to memory of 2252	1812	PortServices.exe	38
PID 1812 wrote to memory of 2252	1812	PortServices.exe	38
PID 1812 wrote to memory of 2252	1812	PortServices.exe	38
PID 2848 wrote to memory of 2684	2848	cmd.exe	39
PID 2848 wrote to memory of 2684	2848	cmd.exe	39
PID 2848 wrote to memory of 2684	2848	cmd.exe	39
PID 2848 wrote to memory of 2684	2848	cmd.exe	39
PID 2496 wrote to memory of 2648	2496	portmapper-2.2.3.exe	40
PID 2496 wrote to memory of 2648	2496	portmapper-2.2.3.exe	40
PID 2496 wrote to memory of 2648	2496	portmapper-2.2.3.exe	40
PID 2252 wrote to memory of 2876	2252	trellrt.exe	42
PID 2252 wrote to memory of 2876	2252	trellrt.exe	42
PID 2252 wrote to memory of 2876	2252	trellrt.exe	42
PID 2252 wrote to memory of 2876	2252	trellrt.exe	42
PID 2848 wrote to memory of 2040	2848	cmd.exe	44
PID 2848 wrote to memory of 2040	2848	cmd.exe	44
PID 2848 wrote to memory of 2040	2848	cmd.exe	44
PID 2848 wrote to memory of 2040	2848	cmd.exe	44
PID 2848 wrote to memory of 2668	2848	cmd.exe	45
PID 2848 wrote to memory of 2668	2848	cmd.exe	45
PID 2848 wrote to memory of 2668	2848	cmd.exe	45
PID 2848 wrote to memory of 2668	2848	cmd.exe	45
PID 2848 wrote to memory of 2380	2848	cmd.exe	46
PID 2848 wrote to memory of 2380	2848	cmd.exe	46
PID 2848 wrote to memory of 2380	2848	cmd.exe	46
PID 2848 wrote to memory of 2380	2848	cmd.exe	46
PID 2848 wrote to memory of 2196	2848	cmd.exe	47
PID 2848 wrote to memory of 2196	2848	cmd.exe	47
PID 2848 wrote to memory of 2196	2848	cmd.exe	47
PID 2848 wrote to memory of 2196	2848	cmd.exe	47
PID 2848 wrote to memory of 1156	2848	cmd.exe	48
PID 2848 wrote to memory of 1156	2848	cmd.exe	48
PID 2848 wrote to memory of 1156	2848	cmd.exe	48
PID 2848 wrote to memory of 1156	2848	cmd.exe	48
PID 2848 wrote to memory of 2176	2848	cmd.exe	49
PID 2848 wrote to memory of 2176	2848	cmd.exe	49
PID 2848 wrote to memory of 2176	2848	cmd.exe	49
PID 2848 wrote to memory of 2176	2848	cmd.exe	49
PID 2848 wrote to memory of 1620	2848	cmd.exe	50
PID 2848 wrote to memory of 1620	2848	cmd.exe	50
PID 2848 wrote to memory of 1620	2848	cmd.exe	50
PID 2848 wrote to memory of 1620	2848	cmd.exe	50
PID 2788 wrote to memory of 1532	2788	WindowsSmartScreen.exe	52

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\portmapper-2.2.3.exe
"C:\Users\Admin\AppData\Local\Temp\portmapper-2.2.3.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2496
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\PortServices.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\PortServices.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1812
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHUAegBjACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGMAcQBnACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGUAdAB1ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGcAYwBoACMAPgA="
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2676
- - C:\Users\Admin\WindowsSmartScreen.exe
    "C:\Users\Admin\WindowsSmartScreen.exe"
    3⤵
    - Drops startup file
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2788
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\WindowsSmartScreen.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1532
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'WindowsSmartScreen.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1752
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\Windows Security Wrapper.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1680
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Windows Security Wrapper.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1188
  - - C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Windows Security Wrapper" /tr "C:\ProgramData\Windows Security Wrapper.exe"
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:1496
- - C:\Users\Admin\WindowsDriverFoundation.exe
    "C:\Users\Admin\WindowsDriverFoundation.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:2728
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\STEALER.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2848
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command "Disabling-WindowsRecoveryEnvironment"
      4⤵
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2684
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\WindowsExecutables'"
      4⤵
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2040
  - - C:\Windows\SysWOW64\reg.exe
      reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2668
  - - C:\Windows\SysWOW64\find.exe
      find /i "SystemUpdateWindowsSmartScreen"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2380
  - - C:\Windows\SysWOW64\reg.exe
      reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "SystemUpdateWindowsSmartScreen" /t REG_SZ /d "C:\Users\Admin\WindowsSmartScreen.exe" /f
      4⤵
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      PID:2196
  - - C:\Windows\SysWOW64\reg.exe
      reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
      4⤵
      System Location Discovery: System Language Discovery
      PID:1156
  - - C:\Windows\SysWOW64\find.exe
      find /i "SystemUpdateWindowsDriverFoundation"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2176
  - - C:\Windows\SysWOW64\reg.exe
      reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "SystemUpdateWindowsDriverFoundation" /t REG_SZ /d "C:\Users\Admin\WindowsDriverFoundation.exe" /f
      4⤵
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      PID:1620
- - C:\Users\Admin\AppData\Roaming\trellrt.exe
    "C:\Users\Admin\AppData\Roaming\trellrt.exe"
    3⤵
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2252
  - - C:\Windows\SysWOW64\schtasks.exe
      "schtasks.exe" /create /f /tn "DPI Subsystem" /xml "C:\Users\Admin\AppData\Local\Temp\tmpF1BE.tmp"
      4⤵
      System Location Discovery: System Language Discovery
      Scheduled Task/Job: Scheduled Task
      PID:2876
- C:\Program Files\Java\jre7\bin\javaw.exe
  "C:\Program Files\Java\jre7\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Local\Temp\RarSFX0\portmapper-2.2.3.jar"
  2⤵
  PID:2648

C:\Windows\system32\taskeng.exe
taskeng.exe {3E58607D-95FD-4F59-A11A-57AAD1189DDB} S-1-5-21-4177215427-74451935-3209572229-1000:JSMURNPT\Admin:Interactive:[1]
1⤵
PID:2112

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Obfuscated Files or Information

T1027

Command Obfuscation

T1027.010

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RarSFX0\PortServices.exe

Filesize
353KB

MD5
565ab186944e5842406ab4f9d74f46f5

SHA1
224bd1ca4711683c583945b3d6ecab5e5c639470

SHA256
679d4c6a8111b4948639cc03794708f234501e052b2ebe0451a3d8bcbc379328

SHA512
14b493887904eedcc55e2acf48196f4299a3e88a458ba75477a96796d644f5b11245f038cc0479d44bf58ea071c6a383a90c494654f775de4810ab2bb8129de8

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\portmapper-2.2.3.jar

Filesize
5.0MB

MD5
df6057d0eeba1ab4266dd271536f1298

SHA1
8be95aa1a26c4c4328ca6c5a98ba34766f748102

SHA256
aa5f3fb51ff107a38aaf07537e79754d94855fbe62f95a8cb702d7eeed928b6e

SHA512
f291051434229931681a55afb313f0f595de52c0d176155343c3e05fa73a5378451a203be061265cf696a5f334190a1a8060b513ee6bc9e838efda5b26c06795

Download Submit
C:\Users\Admin\AppData\Local\Temp\STEALER.bat

Filesize
1KB

MD5
1f69a22a7a1b2d2fd521ce21eb188c8f

SHA1
e966e6e359bb9e7b77ed74e77375145e5cd21fdd

SHA256
54585cad234b01400a62516b60260366f8bf29fde4aaebd81cb6b1d4bfe0cce7

SHA512
905699190d5ee151ce34900920720e955a328a4d5012542529c8e22ccebcf96d0ab18f4b3977e3f1b65a41c52a7f2ede61ceff4eb07a9a66f8bf41ac7002d755

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpF1BE.tmp

Filesize
1KB

MD5
c959800473a9762a191d5458383878a6

SHA1
b4e211472e313711cd59ada511b0d9ad38ed7ff3

SHA256
de79f0647decf1c96baa7c71f984a23f651745a047cc5d979f42824efc3ce701

SHA512
239dd7b34a46fd5abb06d81a979b0586e9a129293248df0afdc403e3be22671df0a1d422e5e9270d8fbe5faae415b4fff9fa747aa32ef695177c4ced38688128

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
c2fe8f438b9a4a199b604fe262378548

SHA1
3f016c602188849c01e89d1813f5419787d0dc76

SHA256
42ce3ff44aadf22213fc7bcbfff94ba637353df4ec4758dc3301549be84637ab

SHA512
aa6046288706e47d401b87e33362b6f2cf99d17156f1ad6d817789816664173d112941f36468b7504c8a3cab3ec54fb5cb2b9480efd82782785c1724558354c0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
8139f004fbfba93dfcf5847de4496c48

SHA1
4d53a17676e148dd27349abe4e5cf97ceac0b10f

SHA256
9e0f0029b65d039c8992d8c55b77b72c5f13cab73bdc2210464be318c4899de8

SHA512
b94f452b3aade61e81e3aa8cca8f62ec3a2a4ae3f9dc28a09d0094829c7045847a5063627c6787ea37039879a0965f7179cf502d5b07db24cd291bbdac80b598

Download Submit
\Users\Admin\AppData\Roaming\trellrt.exe

Filesize
203KB

MD5
40b631e57ce22a4b52cb382cc44204c9

SHA1
58f46159e4cd20044d60c2572b91f6d48e9afafd

SHA256
338c3e0d6dc067eb96eba389e63f60621bcd5b3573bf0e6fd73dced54fe55d7a

SHA512
060d1c6e2a706bf3f375eb50647ba4820ac0c9f2d34838bda5f0303f1ef14e75e83d9167e9f50a19d72bfe4bb55fc28b7e64aa650e379f5dd2077b9e3ebbbdba

Download Submit
\Users\Admin\WindowsDriverFoundation.exe

Filesize
74KB

MD5
e40cf402a05b77c43a1934802059a39d

SHA1
126f95a2d81c7007214be6933862485292fab294

SHA256
edcae846e567107bdc6a741cdda70b82cd2526829899bc16ba4651f68e76a16c

SHA512
ded21984cf2d95b9cab4b677f2c58cadd914f3b5b63ecae056bcfd55bfd43c03433dbef73156aaa99c4a1fd47a8e32e0371f49ae5113beca31a47dd8221f1259

Download Submit
\Users\Admin\WindowsSmartScreen.exe

Filesize
69KB

MD5
603b4a00b2f8cb021066710cc002e323

SHA1
8d8b2f0e16de8c3e40485f608405bce07a31b49b

SHA256
5e380cae6f287ef4a209916f2e0f86e1511bec721fe85ddbab2bcb30255ad9a2

SHA512
0beefc1647b5e4cdd058c0a0d1e7c739297733f4d4dbf4cf5f2588b2c1c23049376c392150a375df855a27e4c99cf05f2c924427bc457bbe7ca53e58d8958956

Download Submit
memory/1532-78-0x000000001B7A0000-0x000000001BA82000-memory.dmp

Filesize
2.9MB

Download
memory/1532-79-0x0000000001EF0000-0x0000000001EF8000-memory.dmp

Filesize
32KB

Download
memory/1752-86-0x000000001B6E0000-0x000000001B9C2000-memory.dmp

Filesize
2.9MB

Download
memory/1752-87-0x0000000002250000-0x0000000002258000-memory.dmp

Filesize
32KB

Download
memory/2648-72-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2728-51-0x0000000000340000-0x0000000000358000-memory.dmp

Filesize
96KB

Download
memory/2788-52-0x00000000003B0000-0x00000000003C8000-memory.dmp

Filesize
96KB

Download