asyncrat | 3ec383f0398d15c4b3f3d7c57bb916523dbafb4929503b4c4adca987b27d1d59

Analysis

max time kernel
147s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
submitted
22-09-2024 15:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Server.exe
Size

920KB
MD5

df9eddff9512b4eff624b492bdb8c791
SHA1

aa4623f25c3aa1687cc38b179246ae5874ee017f
SHA256

3ec383f0398d15c4b3f3d7c57bb916523dbafb4929503b4c4adca987b27d1d59
SHA512

d5abd0dade4229cda769b5c365dc37e0c2511683b2bd77f6b6bcc1541870280c642a0e24862d8afccff991b346b1fe5a8484328ea3af24acec1c6527253ac91e
SSDEEP

12288:4MSApJVYG5lDLyjsb0eOzkv4R7QnvUUilQ35+6G75V9niwQiKDKqaAs:4nsJ39LyjbJkQFMhmC+6GD9nhKeFf

Score

10^/10

asyncrat stormkitty xred default backdoor discovery persistence phishing privilege_escalation rat spyware stealer

Malware Config

Extracted

Family

xred

xred.mooo.com

Attributes

email
[email protected]
payload_url
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

http://xred.site50.net/syn/SUpdate.ini

https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

http://xred.site50.net/syn/Synaptics.rar

https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

http://xred.site50.net/syn/SSLLibrary.dll

Extracted

Family

asyncrat

Botnet

Default

127.0.0.1:6606

127.0.0.1:7707

127.0.0.1:8808

https://api.telegram.org/bot7409950713:AAGOgqTx-C_IXW4TMVH0D3NzyJW8XztSM_c/sendMessage?chat_id=6059920057

Mutex

AsyncMutex_6SI8OkPnk

Attributes

delay
3
install
false
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Asyncrat family
asyncrat
StormKitty
StormKitty is an open source info stealer written in C#.
stealer stormkitty

StormKitty payload 6 IoCs

resource	yara_rule
behavioral2/files/0x0008000000023477-5.dat	family_stormkitty
behavioral2/files/0x0007000000023480-65.dat	family_stormkitty
behavioral2/memory/2748-129-0x0000000000400000-0x00000000004EC000-memory.dmp	family_stormkitty
behavioral2/memory/4952-130-0x00000000009B0000-0x00000000009E2000-memory.dmp	family_stormkitty
behavioral2/memory/4380-511-0x0000000000400000-0x00000000004EC000-memory.dmp	family_stormkitty
behavioral2/memory/4380-642-0x0000000000400000-0x00000000004EC000-memory.dmp	family_stormkitty

Stormkitty family
stormkitty
Xred
Xred is backdoor written in Delphi.
backdoor xred
Xred family
xred

Async RAT payload 1 IoCs

rat

resource	yara_rule
behavioral2/files/0x0008000000023477-5.dat	family_asyncrat

A potential corporate email address has been identified in the URL: WorldWindProResultsDate2024092230559PMSystemWindows10Pro64BitUsernameAdminCompNameHVDPCYGSLanguageenUSAntivirusNotinstalledHardwareCPU12thGenIntelRCoreTMi512400GPUMicrosoftBasicDisplayAdapterRAM16154MBHWIDUnknownPowerNoSystemBattery1Screen1280x720NetworkGatewayIP10.127.0.1InternalIP10.127.1.213ExternalIP194.110.13.70BSSID921780db7a9cDomainsinfoBankLogsNodataCryptoLogsNodataFreakyLogsNodataLogsBookmarks5SoftwareDeviceWindowsproductkeyDesktopscreenshotFileGrabberDatabasefiles6TelegramChannel@XSplinter
phishing

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	Server.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	Synaptics.exe

Executes dropped EXE 3 IoCs

pid	Process
4952	._cache_Server.exe
4380	Synaptics.exe
1660	._cache_Synaptics.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\????? = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	Server.exe

Drops desktop.ini file(s) 15 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\655ba9c4db5c8f4c43f1e147b63bcc71\Admin@HVDPCYGS_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\Saved Pictures\desktop.ini	._cache_Server.exe
File created	C:\Users\Admin\AppData\Local\8e93176dd6e1ad6393f713144fedfd4b\Admin@HVDPCYGS_en-US\Grabber\DRIVE-C\Users\Admin\Downloads\desktop.ini	._cache_Synaptics.exe
File created	C:\Users\Admin\AppData\Local\8e93176dd6e1ad6393f713144fedfd4b\Admin@HVDPCYGS_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\Saved Pictures\desktop.ini	._cache_Synaptics.exe
File created	C:\Users\Admin\AppData\Local\655ba9c4db5c8f4c43f1e147b63bcc71\Admin@HVDPCYGS_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\desktop.ini	._cache_Server.exe
File created	C:\Users\Admin\AppData\Local\655ba9c4db5c8f4c43f1e147b63bcc71\Admin@HVDPCYGS_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\Camera Roll\desktop.ini	._cache_Server.exe
File created	C:\Users\Admin\AppData\Local\8e93176dd6e1ad6393f713144fedfd4b\Admin@HVDPCYGS_en-US\Grabber\DRIVE-C\Users\Admin\Documents\desktop.ini	._cache_Synaptics.exe
File opened for modification	C:\Users\Admin\AppData\Local\655ba9c4db5c8f4c43f1e147b63bcc71\Admin@HVDPCYGS_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini	._cache_Server.exe
File created	C:\Users\Admin\AppData\Local\655ba9c4db5c8f4c43f1e147b63bcc71\Admin@HVDPCYGS_en-US\Grabber\DRIVE-C\Users\Admin\Documents\desktop.ini	._cache_Server.exe
File created	C:\Users\Admin\AppData\Local\655ba9c4db5c8f4c43f1e147b63bcc71\Admin@HVDPCYGS_en-US\Grabber\DRIVE-C\Users\Admin\Downloads\desktop.ini	._cache_Server.exe
File opened for modification	C:\Users\Admin\AppData\Local\8e93176dd6e1ad6393f713144fedfd4b\Admin@HVDPCYGS_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini	._cache_Synaptics.exe
File created	C:\Users\Admin\AppData\Local\8e93176dd6e1ad6393f713144fedfd4b\Admin@HVDPCYGS_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\desktop.ini	._cache_Synaptics.exe
File created	C:\Users\Admin\AppData\Local\8e93176dd6e1ad6393f713144fedfd4b\Admin@HVDPCYGS_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\Camera Roll\desktop.ini	._cache_Synaptics.exe
File created	C:\Users\Admin\AppData\Local\655ba9c4db5c8f4c43f1e147b63bcc71\Admin@HVDPCYGS_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini	._cache_Server.exe
File opened for modification	C:\Users\Admin\AppData\Local\655ba9c4db5c8f4c43f1e147b63bcc71\Admin@HVDPCYGS_en-US\Grabber\DRIVE-C\Users\Admin\Documents\desktop.ini	._cache_Server.exe
File created	C:\Users\Admin\AppData\Local\8e93176dd6e1ad6393f713144fedfd4b\Admin@HVDPCYGS_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini	._cache_Synaptics.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
51	pastebin.com
52	pastebin.com
53	pastebin.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
37	icanhazip.com

Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.
Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 12 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 18 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe

System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 4 IoCs

Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

discovery

Wi-Fi Discovery

T1016.002

pid	Process
2492	netsh.exe
3188	cmd.exe
4724	netsh.exe
4924	cmd.exe

Checks processor information in registry 2 TTPs 7 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	._cache_Synaptics.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	._cache_Server.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	._cache_Server.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	._cache_Synaptics.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Server.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Synaptics.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
808	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 50 IoCs

pid	Process
4952	._cache_Server.exe
4952	._cache_Server.exe
1660	._cache_Synaptics.exe
1660	._cache_Synaptics.exe
4952	._cache_Server.exe
4952	._cache_Server.exe
4952	._cache_Server.exe
4952	._cache_Server.exe
1660	._cache_Synaptics.exe
1660	._cache_Synaptics.exe
4952	._cache_Server.exe
4952	._cache_Server.exe
1660	._cache_Synaptics.exe
1660	._cache_Synaptics.exe
4952	._cache_Server.exe
4952	._cache_Server.exe
1660	._cache_Synaptics.exe
1660	._cache_Synaptics.exe
4952	._cache_Server.exe
4952	._cache_Server.exe
1660	._cache_Synaptics.exe
1660	._cache_Synaptics.exe
4952	._cache_Server.exe
4952	._cache_Server.exe
1660	._cache_Synaptics.exe
1660	._cache_Synaptics.exe
4952	._cache_Server.exe
4952	._cache_Server.exe
1660	._cache_Synaptics.exe
1660	._cache_Synaptics.exe
4952	._cache_Server.exe
4952	._cache_Server.exe
4952	._cache_Server.exe
4952	._cache_Server.exe
1660	._cache_Synaptics.exe
1660	._cache_Synaptics.exe
1660	._cache_Synaptics.exe
1660	._cache_Synaptics.exe
4952	._cache_Server.exe
4952	._cache_Server.exe
1660	._cache_Synaptics.exe
1660	._cache_Synaptics.exe
1660	._cache_Synaptics.exe
1660	._cache_Synaptics.exe
4952	._cache_Server.exe
4952	._cache_Server.exe
4952	._cache_Server.exe
1660	._cache_Synaptics.exe
1660	._cache_Synaptics.exe
1660	._cache_Synaptics.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4952	._cache_Server.exe
Token: SeDebugPrivilege	1660	._cache_Synaptics.exe

Suspicious use of SetWindowsHookEx 9 IoCs

pid	Process
808	EXCEL.EXE
808	EXCEL.EXE
808	EXCEL.EXE
808	EXCEL.EXE
808	EXCEL.EXE
808	EXCEL.EXE
808	EXCEL.EXE
808	EXCEL.EXE
808	EXCEL.EXE

Suspicious use of WriteProcessMemory 51 IoCs

description	pid	Process	procid_target
PID 2748 wrote to memory of 4952	2748	Server.exe	84
PID 2748 wrote to memory of 4952	2748	Server.exe	84
PID 2748 wrote to memory of 4952	2748	Server.exe	84
PID 2748 wrote to memory of 4380	2748	Server.exe	85
PID 2748 wrote to memory of 4380	2748	Server.exe	85
PID 2748 wrote to memory of 4380	2748	Server.exe	85
PID 4380 wrote to memory of 1660	4380	Synaptics.exe	86
PID 4380 wrote to memory of 1660	4380	Synaptics.exe	86
PID 4380 wrote to memory of 1660	4380	Synaptics.exe	86
PID 4952 wrote to memory of 4924	4952	._cache_Server.exe	95
PID 4952 wrote to memory of 4924	4952	._cache_Server.exe	95
PID 4952 wrote to memory of 4924	4952	._cache_Server.exe	95
PID 4924 wrote to memory of 3684	4924	cmd.exe	97
PID 4924 wrote to memory of 3684	4924	cmd.exe	97
PID 4924 wrote to memory of 3684	4924	cmd.exe	97
PID 4924 wrote to memory of 2492	4924	cmd.exe	98
PID 4924 wrote to memory of 2492	4924	cmd.exe	98
PID 4924 wrote to memory of 2492	4924	cmd.exe	98
PID 4924 wrote to memory of 1416	4924	cmd.exe	99
PID 4924 wrote to memory of 1416	4924	cmd.exe	99
PID 4924 wrote to memory of 1416	4924	cmd.exe	99
PID 1660 wrote to memory of 3188	1660	._cache_Synaptics.exe	100
PID 1660 wrote to memory of 3188	1660	._cache_Synaptics.exe	100
PID 1660 wrote to memory of 3188	1660	._cache_Synaptics.exe	100
PID 3188 wrote to memory of 5080	3188	cmd.exe	102
PID 3188 wrote to memory of 5080	3188	cmd.exe	102
PID 3188 wrote to memory of 5080	3188	cmd.exe	102
PID 3188 wrote to memory of 4724	3188	cmd.exe	103
PID 3188 wrote to memory of 4724	3188	cmd.exe	103
PID 3188 wrote to memory of 4724	3188	cmd.exe	103
PID 3188 wrote to memory of 4764	3188	cmd.exe	104
PID 3188 wrote to memory of 4764	3188	cmd.exe	104
PID 3188 wrote to memory of 4764	3188	cmd.exe	104
PID 4952 wrote to memory of 3708	4952	._cache_Server.exe	105
PID 4952 wrote to memory of 3708	4952	._cache_Server.exe	105
PID 4952 wrote to memory of 3708	4952	._cache_Server.exe	105
PID 3708 wrote to memory of 5008	3708	cmd.exe	107
PID 3708 wrote to memory of 5008	3708	cmd.exe	107
PID 3708 wrote to memory of 5008	3708	cmd.exe	107
PID 3708 wrote to memory of 3412	3708	cmd.exe	108
PID 3708 wrote to memory of 3412	3708	cmd.exe	108
PID 3708 wrote to memory of 3412	3708	cmd.exe	108
PID 1660 wrote to memory of 2816	1660	._cache_Synaptics.exe	109
PID 1660 wrote to memory of 2816	1660	._cache_Synaptics.exe	109
PID 1660 wrote to memory of 2816	1660	._cache_Synaptics.exe	109
PID 2816 wrote to memory of 4004	2816	cmd.exe	111
PID 2816 wrote to memory of 4004	2816	cmd.exe	111
PID 2816 wrote to memory of 4004	2816	cmd.exe	111
PID 2816 wrote to memory of 2840	2816	cmd.exe	112
PID 2816 wrote to memory of 2840	2816	cmd.exe	112
PID 2816 wrote to memory of 2840	2816	cmd.exe	112

C:\Users\Admin\AppData\Local\Temp\Server.exe
"C:\Users\Admin\AppData\Local\Temp\Server.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2748
- C:\Users\Admin\AppData\Local\Temp\._cache_Server.exe
  "C:\Users\Admin\AppData\Local\Temp\._cache_Server.exe"
  2⤵
  - Executes dropped EXE
  - Drops desktop.ini file(s)
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4952
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
    3⤵
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Wi-Fi Discovery
    - Suspicious use of WriteProcessMemory
    PID:4924
  - - C:\Windows\SysWOW64\chcp.com
      chcp 65001
      4⤵
      System Location Discovery: System Language Discovery
      PID:3684
  - - C:\Windows\SysWOW64\netsh.exe
      netsh wlan show profile
      4⤵
      Event Triggered Execution: Netsh Helper DLL
      System Location Discovery: System Language Discovery
      System Network Configuration Discovery: Wi-Fi Discovery
      PID:2492
  - - C:\Windows\SysWOW64\findstr.exe
      findstr All
      4⤵
      System Location Discovery: System Language Discovery
      PID:1416
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3708
  - - C:\Windows\SysWOW64\chcp.com
      chcp 65001
      4⤵
      System Location Discovery: System Language Discovery
      PID:5008
  - - C:\Windows\SysWOW64\netsh.exe
      netsh wlan show networks mode=bssid
      4⤵
      Event Triggered Execution: Netsh Helper DLL
      System Location Discovery: System Language Discovery
      PID:3412
- C:\ProgramData\Synaptics\Synaptics.exe
  "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4380
- - C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
    "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
    3⤵
    - Executes dropped EXE
    - Drops desktop.ini file(s)
    - System Location Discovery: System Language Discovery
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1660
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
      4⤵
      System Location Discovery: System Language Discovery
      System Network Configuration Discovery: Wi-Fi Discovery
      Suspicious use of WriteProcessMemory
      PID:3188
    - - C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:5080
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        5⤵
        Event Triggered Execution: Netsh Helper DLL
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:4724
    - - C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4764
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2816
    - - C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4004
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show networks mode=bssid
        5⤵
        Event Triggered Execution: Netsh Helper DLL
        System Location Discovery: System Language Discovery
        
        PID:2840

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:808

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Wi-Fi Discovery

T1016.002

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Synaptics\Synaptics.exe

Filesize
920KB

MD5
df9eddff9512b4eff624b492bdb8c791

SHA1
aa4623f25c3aa1687cc38b179246ae5874ee017f

SHA256
3ec383f0398d15c4b3f3d7c57bb916523dbafb4929503b4c4adca987b27d1d59

SHA512
d5abd0dade4229cda769b5c365dc37e0c2511683b2bd77f6b6bcc1541870280c642a0e24862d8afccff991b346b1fe5a8484328ea3af24acec1c6527253ac91e

Download Submit
C:\Users\Admin\AppData\Local\655ba9c4db5c8f4c43f1e147b63bcc71\Admin@HVDPCYGS_en-US\Browsers\Firefox\Bookmarks.txt

Filesize
105B

MD5
2e9d094dda5cdc3ce6519f75943a4ff4

SHA1
5d989b4ac8b699781681fe75ed9ef98191a5096c

SHA256
c84c98bbf5e0ef9c8d0708b5d60c5bb656b7d6be5135d7f7a8d25557e08cf142

SHA512
d1f7eed00959e902bdb2125b91721460d3ff99f3bdfc1f2a343d4f58e8d4e5e5a06c0c6cdc0379211c94510f7c00d7a8b34fa7d0ca0c3d54cbbe878f1e9812b7

Download Submit
C:\Users\Admin\AppData\Local\655ba9c4db5c8f4c43f1e147b63bcc71\Admin@HVDPCYGS_en-US\System\Process.txt

Filesize
4KB

MD5
d5e486fc3332f964d10df58c8d1b1c57

SHA1
c8597689cba35fb33ddb1d4d2eb8441d8cf7b67a

SHA256
b2d12792e9295e9c355d8239d9b36c1d0d99083c2a8928e8b507cc06245d4f37

SHA512
0b5693043a931d00dd22db53007754804bf21ec9e4359df6597d00e796d29b461d3de7e983104f7ef0a51e76d9d7474012e615339bd5cde29b04dd746100d4ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache_Server.exe

Filesize
175KB

MD5
33d7934b7f436cde6b5f374c179fd228

SHA1
0b985932346e625934f2100eab2f62406897dfdf

SHA256
f262e3910d40c694d77b77aa4bc9a62abdb0394efed57fab03dd86834c333c96

SHA512
501454fdb67cc44ce136bedc3fdc0594bb684ebdca9593e2d462f4c553b6a2efd0874e33963c0ee4e4cef64752c1b4ec3869188b85cb08066c74ffcb85f740b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\9DD75E00

Filesize
26KB

MD5
cf7c1775ee3beabe04de1b74db08d709

SHA1
2d80b0f2b5c0856d6ce10110e490d4f516305404

SHA256
c536925247810f2131e5f874d11933f84c6c21c15a81eb7abdc192bdb1f26827

SHA512
7221b190107b2aabb365ef40959952475a1faf9b9cfd4d3984de305e03e147ccb2500393e847a118d04c7398f6a90454a0016959c333c8bca153adb8d0d3ea47

Download Submit
C:\Users\Admin\AppData\Local\Temp\YSmmh6cT.xlsm

Filesize
17KB

MD5
e566fc53051035e1e6fd0ed1823de0f9

SHA1
00bc96c48b98676ecd67e81a6f1d7754e4156044

SHA256
8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15

SHA512
a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04

Download Submit
C:\Users\Admin\AppData\Local\Temp\places.raw

Filesize
5.0MB

MD5
14640ede02774424a6e16d3c3b459bd0

SHA1
00915b6769e94bc726b64a2decc881262b4f1b9f

SHA256
676e950074a335c14afceb09c942c56ad0988ad04221949f6bd83b67570d4483

SHA512
63b063abac61c8fabd140b138a629bc029bf82174578c7e018b12c831285cd30ec53bd43ce1243d903dcddd87facf6c740d04048512f8e42a84d4606365c47fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpF05B.tmp.dat

Filesize
114KB

MD5
35fb57f056b0f47185c5dfb9a0939dba

SHA1
7c1b0bbbb77dbe46286078bca427202d494a5d36

SHA256
1dc436687ed65d9f2fcda9a68a812346f56f566f7671cbe1be0beaa157045294

SHA512
531351adffddc5a9c8c9d1fcba531d85747be0927156bae79106114b4bdc3f2fd2570c97bbfcec09265dcc87ed286655f2ab15fb3c7af0ad638a67a738f504c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpF05D.tmp.dat

Filesize
160KB

MD5
f310cf1ff562ae14449e0167a3e1fe46

SHA1
85c58afa9049467031c6c2b17f5c12ca73bb2788

SHA256
e187946249cd390a3c1cf5d4e3b0d8f554f9acdc416bf4e7111fff217bb08855

SHA512
1196371de08c964268c44103ccaed530bda6a145df98e0f480d8ee5ad58cb6fb33ca4c9195a52181fe864726dcf52e6a7a466d693af0cda43400a3a7ef125fad

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpF070.tmp.dat

Filesize
116KB

MD5
f70aa3fa04f0536280f872ad17973c3d

SHA1
50a7b889329a92de1b272d0ecf5fce87395d3123

SHA256
8d782aa65de6db3538a14da82216e96d5e0a3c60496726e3541a8165bccc65f8

SHA512
30675c5c610d9aa32a4c4a4d9c3af7570823cd197f8d2a709222c78e2cd15304bbed80e233e3674ec2f6e33d1961c67fd6a46dc8ba8b1a301cd0722932c03c84

Download Submit
C:\Users\Admin\AppData\Local\a02f2e4892d25bdee7d33bbf4cfa5ef0\msgid.dat

Filesize
1B

MD5
cfcd208495d565ef66e7dff9f98764da

SHA1
b6589fc6ab0dc82cf12099d1c2d40ab994e8410c

SHA256
5feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9

SHA512
31bca02094eb78126a517b206a88c73cfa9ec6f704c7030d18212cace820f025f00bf0ea68dbf3f3a5436ca63b53bf7bf80ad8d5de7d8359d0b7fed9dbc3ab99

Download Submit
memory/808-195-0x00007FF99A1D0000-0x00007FF99A1E0000-memory.dmp

Filesize
64KB

Download
memory/808-197-0x00007FF997E20000-0x00007FF997E30000-memory.dmp

Filesize
64KB

Download
memory/808-198-0x00007FF997E20000-0x00007FF997E30000-memory.dmp

Filesize
64KB

Download
memory/808-196-0x00007FF99A1D0000-0x00007FF99A1E0000-memory.dmp

Filesize
64KB

Download
memory/808-193-0x00007FF99A1D0000-0x00007FF99A1E0000-memory.dmp

Filesize
64KB

Download
memory/808-194-0x00007FF99A1D0000-0x00007FF99A1E0000-memory.dmp

Filesize
64KB

Download
memory/808-192-0x00007FF99A1D0000-0x00007FF99A1E0000-memory.dmp

Filesize
64KB

Download
memory/2748-0-0x0000000002280000-0x0000000002281000-memory.dmp

Filesize
4KB

Download
memory/2748-129-0x0000000000400000-0x00000000004EC000-memory.dmp

Filesize
944KB

Download
memory/4380-511-0x0000000000400000-0x00000000004EC000-memory.dmp

Filesize
944KB

Download
memory/4380-131-0x00000000007A0000-0x00000000007A1000-memory.dmp

Filesize
4KB

Download
memory/4380-512-0x00000000007A0000-0x00000000007A1000-memory.dmp

Filesize
4KB

Download
memory/4380-642-0x0000000000400000-0x00000000004EC000-memory.dmp

Filesize
944KB

Download
memory/4952-239-0x0000000005250000-0x00000000052B6000-memory.dmp

Filesize
408KB

Download
memory/4952-452-0x0000000072E8E000-0x0000000072E8F000-memory.dmp

Filesize
4KB

Download
memory/4952-130-0x00000000009B0000-0x00000000009E2000-memory.dmp

Filesize
200KB

Download
memory/4952-538-0x0000000005CD0000-0x0000000005D62000-memory.dmp

Filesize
584KB

Download
memory/4952-539-0x0000000006460000-0x0000000006A04000-memory.dmp

Filesize
5.6MB

Download
memory/4952-554-0x0000000005DA0000-0x0000000005DAA000-memory.dmp

Filesize
40KB

Download
memory/4952-126-0x0000000072E8E000-0x0000000072E8F000-memory.dmp

Filesize
4KB

Download
memory/4952-560-0x0000000005F70000-0x0000000005F82000-memory.dmp

Filesize
72KB

Download