asyncrat | 0a05f8788ca28d5f4e2ad838a36f83107326d3021fc5bc9824fe2c47dfd07712

General

Target

2c701b9904603479c8e01a692383e396_JaffaCakes118.exe
Size

7.0MB
MD5

2c701b9904603479c8e01a692383e396
SHA1

c9662c1ee3ed00ea0f70d12a6e5ecfa50d1d9c77
SHA256

0a05f8788ca28d5f4e2ad838a36f83107326d3021fc5bc9824fe2c47dfd07712
SHA512

60e2e350e44c5676f283842d2af354b55b559c46eb3e1c8236c2abf87654845f7a6727da1aea824395b0d102a643790fb9eed55f729085dfee595aab259cf650
SSDEEP

196608:WHPdZwCsXDjDyf4L2WliXYrHW1LzbpbWg:eP4CEDHL2ciIrHWRzbB

Score

10^/10

asyncrat njrat ase_2 discovery persistence pyinstaller rat trojan

Malware Config

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

ASE_2

Mutex

AsyncMutex_6SI8OkPnk

Attributes

c2_url_file
https://aa.larinax999.repl.co
delay
3
install
true
install_file
MsMpEng.exe
install_folder
%AppData%

aes.plain

Extracted

Family

njrat

Version

v4.0

Botnet

ASE_2

C2

103.91.207.190:4985

Mutex

Windows

Attributes

reg_key
Windows
splitter
|-F-|

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Async RAT payload 1 IoCs

rat

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\ASE_2.EXE	family_asyncrat

Drops startup file 2 IoCs

Processes:

MSMPENG_ASE.EXEMsMpEng_ASE.exe.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk	MSMPENG_ASE.EXE
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk	MsMpEng_ASE.exe.exe

Executes dropped EXE 8 IoCs

Processes:

cmd.execmd.exetemp.exeASE_2.EXEMSMPENG_ASE.EXEMsMpEng.exeMsMpEng_ASE.exe.exe

pid process

2748 cmd.exe
2404 cmd.exe
1204
2424 temp.exe
476 ASE_2.EXE
592 MSMPENG_ASE.EXE
1868 MsMpEng.exe
1928 MsMpEng_ASE.exe.exe
Loads dropped DLL 8 IoCs

Processes:

2c701b9904603479c8e01a692383e396_JaffaCakes118.execmd.execmd.exetemp.execmd.exeMSMPENG_ASE.EXE

pid process

2432 2c701b9904603479c8e01a692383e396_JaffaCakes118.exe
2748 cmd.exe
2404 cmd.exe
1204
2424 temp.exe
2424 temp.exe
764 cmd.exe
592 MSMPENG_ASE.EXE

pid	process
2748	cmd.exe
2404	cmd.exe
1204
2424	temp.exe
476	ASE_2.EXE
592	MSMPENG_ASE.EXE
1868	MsMpEng.exe
1928	MsMpEng_ASE.exe.exe

pid	process
2432	2c701b9904603479c8e01a692383e396_JaffaCakes118.exe
2748	cmd.exe
2404	cmd.exe
1204
2424	temp.exe
2424	temp.exe
764	cmd.exe
592	MSMPENG_ASE.EXE

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

MsMpEng_ASE.exe.exeMSMPENG_ASE.EXE

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Windows.URL"	MsMpEng_ASE.exe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Windows.URL"	MsMpEng_ASE.exe.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows2 = "C:\\Users\\Admin\\AppData\\Roaming\\MsMpEng_ASE.exe.exe"	MSMPENG_ASE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows2 = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Windows.URL"	MsMpEng_ASE.exe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows2 = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Windows.URL"	MsMpEng_ASE.exe.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service
T1102

Processes:

flow ioc

7 discord.com
8 discord.com

flow	ioc
7	discord.com
8	discord.com

Detects Pyinstaller 1 IoCs

pyinstaller

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\cmd.exe	pyinstaller

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 12 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

cmd.execmd.exetimeout.exeattrib.exeattrib.exetemp.exeMSMPENG_ASE.EXEMsMpEng.exeMsMpEng_ASE.exe.exeattrib.exeASE_2.EXEschtasks.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	temp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSMPENG_ASE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsMpEng.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsMpEng_ASE.exe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ASE_2.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe

Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

1800 timeout.exe

pid	process
1800	timeout.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

MsMpEng.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	MsMpEng.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	MsMpEng.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence execution

Scheduled Task
T1053.005

Processes:

schtasks.exe

pid process

2320 schtasks.exe
Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

ASE_2.EXE

pid process

476 ASE_2.EXE
476 ASE_2.EXE
476 ASE_2.EXE

pid	process
2320	schtasks.exe

pid	process
476	ASE_2.EXE
476	ASE_2.EXE
476	ASE_2.EXE

Suspicious use of AdjustPrivilegeToken 31 IoCs

Processes:

ASE_2.EXEMsMpEng.exeMsMpEng_ASE.exe.exe

description	pid	process
Token: SeDebugPrivilege	476	ASE_2.EXE
Token: SeDebugPrivilege	1868	MsMpEng.exe
Token: SeDebugPrivilege	1928	MsMpEng_ASE.exe.exe
Token: 33	1928	MsMpEng_ASE.exe.exe
Token: SeIncBasePriorityPrivilege	1928	MsMpEng_ASE.exe.exe
Token: 33	1928	MsMpEng_ASE.exe.exe
Token: SeIncBasePriorityPrivilege	1928	MsMpEng_ASE.exe.exe
Token: 33	1928	MsMpEng_ASE.exe.exe
Token: SeIncBasePriorityPrivilege	1928	MsMpEng_ASE.exe.exe
Token: 33	1928	MsMpEng_ASE.exe.exe
Token: SeIncBasePriorityPrivilege	1928	MsMpEng_ASE.exe.exe
Token: 33	1928	MsMpEng_ASE.exe.exe
Token: SeIncBasePriorityPrivilege	1928	MsMpEng_ASE.exe.exe
Token: 33	1928	MsMpEng_ASE.exe.exe
Token: SeIncBasePriorityPrivilege	1928	MsMpEng_ASE.exe.exe
Token: 33	1928	MsMpEng_ASE.exe.exe
Token: SeIncBasePriorityPrivilege	1928	MsMpEng_ASE.exe.exe
Token: 33	1928	MsMpEng_ASE.exe.exe
Token: SeIncBasePriorityPrivilege	1928	MsMpEng_ASE.exe.exe
Token: 33	1928	MsMpEng_ASE.exe.exe
Token: SeIncBasePriorityPrivilege	1928	MsMpEng_ASE.exe.exe
Token: 33	1928	MsMpEng_ASE.exe.exe
Token: SeIncBasePriorityPrivilege	1928	MsMpEng_ASE.exe.exe
Token: 33	1928	MsMpEng_ASE.exe.exe
Token: SeIncBasePriorityPrivilege	1928	MsMpEng_ASE.exe.exe
Token: 33	1928	MsMpEng_ASE.exe.exe
Token: SeIncBasePriorityPrivilege	1928	MsMpEng_ASE.exe.exe
Token: 33	1928	MsMpEng_ASE.exe.exe
Token: SeIncBasePriorityPrivilege	1928	MsMpEng_ASE.exe.exe
Token: 33	1928	MsMpEng_ASE.exe.exe
Token: SeIncBasePriorityPrivilege	1928	MsMpEng_ASE.exe.exe

Suspicious use of WriteProcessMemory 54 IoCs

Processes:

2c701b9904603479c8e01a692383e396_JaffaCakes118.execmd.exetemp.exeASE_2.EXEcmd.execmd.exeMSMPENG_ASE.EXEMsMpEng_ASE.exe.exe

description	pid	process	target process
PID 2432 wrote to memory of 2748	2432	2c701b9904603479c8e01a692383e396_JaffaCakes118.exe	cmd.exe
PID 2432 wrote to memory of 2748	2432	2c701b9904603479c8e01a692383e396_JaffaCakes118.exe	cmd.exe
PID 2432 wrote to memory of 2748	2432	2c701b9904603479c8e01a692383e396_JaffaCakes118.exe	cmd.exe
PID 2748 wrote to memory of 2404	2748	cmd.exe	cmd.exe
PID 2748 wrote to memory of 2404	2748	cmd.exe	cmd.exe
PID 2748 wrote to memory of 2404	2748	cmd.exe	cmd.exe
PID 2432 wrote to memory of 2424	2432	2c701b9904603479c8e01a692383e396_JaffaCakes118.exe	temp.exe
PID 2432 wrote to memory of 2424	2432	2c701b9904603479c8e01a692383e396_JaffaCakes118.exe	temp.exe
PID 2432 wrote to memory of 2424	2432	2c701b9904603479c8e01a692383e396_JaffaCakes118.exe	temp.exe
PID 2432 wrote to memory of 2424	2432	2c701b9904603479c8e01a692383e396_JaffaCakes118.exe	temp.exe
PID 2424 wrote to memory of 476	2424	temp.exe	ASE_2.EXE
PID 2424 wrote to memory of 476	2424	temp.exe	ASE_2.EXE
PID 2424 wrote to memory of 476	2424	temp.exe	ASE_2.EXE
PID 2424 wrote to memory of 476	2424	temp.exe	ASE_2.EXE
PID 2424 wrote to memory of 592	2424	temp.exe	MSMPENG_ASE.EXE
PID 2424 wrote to memory of 592	2424	temp.exe	MSMPENG_ASE.EXE
PID 2424 wrote to memory of 592	2424	temp.exe	MSMPENG_ASE.EXE
PID 2424 wrote to memory of 592	2424	temp.exe	MSMPENG_ASE.EXE
PID 476 wrote to memory of 1044	476	ASE_2.EXE	cmd.exe
PID 476 wrote to memory of 1044	476	ASE_2.EXE	cmd.exe
PID 476 wrote to memory of 1044	476	ASE_2.EXE	cmd.exe
PID 476 wrote to memory of 1044	476	ASE_2.EXE	cmd.exe
PID 476 wrote to memory of 764	476	ASE_2.EXE	cmd.exe
PID 476 wrote to memory of 764	476	ASE_2.EXE	cmd.exe
PID 476 wrote to memory of 764	476	ASE_2.EXE	cmd.exe
PID 476 wrote to memory of 764	476	ASE_2.EXE	cmd.exe
PID 1044 wrote to memory of 2320	1044	cmd.exe	schtasks.exe
PID 1044 wrote to memory of 2320	1044	cmd.exe	schtasks.exe
PID 1044 wrote to memory of 2320	1044	cmd.exe	schtasks.exe
PID 1044 wrote to memory of 2320	1044	cmd.exe	schtasks.exe
PID 764 wrote to memory of 1800	764	cmd.exe	timeout.exe
PID 764 wrote to memory of 1800	764	cmd.exe	timeout.exe
PID 764 wrote to memory of 1800	764	cmd.exe	timeout.exe
PID 764 wrote to memory of 1800	764	cmd.exe	timeout.exe
PID 764 wrote to memory of 1868	764	cmd.exe	MsMpEng.exe
PID 764 wrote to memory of 1868	764	cmd.exe	MsMpEng.exe
PID 764 wrote to memory of 1868	764	cmd.exe	MsMpEng.exe
PID 764 wrote to memory of 1868	764	cmd.exe	MsMpEng.exe
PID 592 wrote to memory of 1928	592	MSMPENG_ASE.EXE	MsMpEng_ASE.exe.exe
PID 592 wrote to memory of 1928	592	MSMPENG_ASE.EXE	MsMpEng_ASE.exe.exe
PID 592 wrote to memory of 1928	592	MSMPENG_ASE.EXE	MsMpEng_ASE.exe.exe
PID 592 wrote to memory of 1928	592	MSMPENG_ASE.EXE	MsMpEng_ASE.exe.exe
PID 592 wrote to memory of 1656	592	MSMPENG_ASE.EXE	attrib.exe
PID 592 wrote to memory of 1656	592	MSMPENG_ASE.EXE	attrib.exe
PID 592 wrote to memory of 1656	592	MSMPENG_ASE.EXE	attrib.exe
PID 592 wrote to memory of 1656	592	MSMPENG_ASE.EXE	attrib.exe
PID 1928 wrote to memory of 1128	1928	MsMpEng_ASE.exe.exe	attrib.exe
PID 1928 wrote to memory of 1128	1928	MsMpEng_ASE.exe.exe	attrib.exe
PID 1928 wrote to memory of 1128	1928	MsMpEng_ASE.exe.exe	attrib.exe
PID 1928 wrote to memory of 1128	1928	MsMpEng_ASE.exe.exe	attrib.exe
PID 1928 wrote to memory of 1588	1928	MsMpEng_ASE.exe.exe	attrib.exe
PID 1928 wrote to memory of 1588	1928	MsMpEng_ASE.exe.exe	attrib.exe
PID 1928 wrote to memory of 1588	1928	MsMpEng_ASE.exe.exe	attrib.exe
PID 1928 wrote to memory of 1588	1928	MsMpEng_ASE.exe.exe	attrib.exe

Views/modifies file attributes 1 TTPs 3 IoCs
evasion

Hidden Files and Directories
T1564.001

Processes:

attrib.exeattrib.exeattrib.exe

pid process

1656 attrib.exe
1128 attrib.exe
1588 attrib.exe

pid	process
1656	attrib.exe
1128	attrib.exe
1588	attrib.exe

C:\Users\Admin\AppData\Local\Temp\2c701b9904603479c8e01a692383e396_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\2c701b9904603479c8e01a692383e396_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2432

C:\Users\Admin\AppData\Local\Temp\cmd.exe
"C:\Users\Admin\AppData\Local\Temp\cmd.exe" GoZgc6IpGuOXQ36dVdtx
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2748

C:\Users\Admin\AppData\Local\Temp\cmd.exe
"C:\Users\Admin\AppData\Local\Temp\cmd.exe" GoZgc6IpGuOXQ36dVdtx
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2404

C:\Users\Admin\AppData\Local\Temp\temp.exe
"C:\Users\Admin\AppData\Local\Temp\temp.exe" oGzlirr1EQPdBmb6YVZq
2⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2424

C:\Users\Admin\AppData\Local\Temp\ASE_2.EXE
"C:\Users\Admin\AppData\Local\Temp\ASE_2.EXE"
3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:476

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "MsMpEng" /tr '"C:\Users\Admin\AppData\Roaming\MsMpEng.exe"' & exit
4⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1044

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "MsMpEng" /tr '"C:\Users\Admin\AppData\Roaming\MsMpEng.exe"'
5⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
PID:2320

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp9147.tmp.bat""
4⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:764

C:\Windows\SysWOW64\timeout.exe
timeout 3
5⤵
- System Location Discovery: System Language Discovery
- Delays execution with timeout.exe
PID:1800

C:\Users\Admin\AppData\Roaming\MsMpEng.exe
"C:\Users\Admin\AppData\Roaming\MsMpEng.exe"
5⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
PID:1868

C:\Users\Admin\AppData\Local\Temp\MSMPENG_ASE.EXE
"C:\Users\Admin\AppData\Local\Temp\MSMPENG_ASE.EXE"
3⤵
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:592

C:\Users\Admin\AppData\Roaming\MsMpEng_ASE.exe.exe
"C:\Users\Admin\AppData\Roaming\MsMpEng_ASE.exe.exe"
4⤵
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1928

C:\Windows\SysWOW64\attrib.exe
attrib +h +r +s "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.exe"
5⤵
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
PID:1128

C:\Windows\SysWOW64\attrib.exe
attrib +h +r +s "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Windows.exe"
5⤵
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
PID:1588

C:\Windows\SysWOW64\attrib.exe
attrib +h +r +s "C:\Users\Admin\AppData\Roaming\MsMpEng_ASE.exe.exe"
4⤵
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
PID:1656

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Hide Artifacts

1

T1564

Hidden Files and Directories

Modify Registry

Subvert Trust Controls

1

T1553

Install Root Certificate

1

T1553.004

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\MSMPENG_ASE.EXE

Filesize
27KB

MD5
8ca3aa218d25ea5a0b172b17415bb003

SHA1
f39fb0aea10075935403c5c23f780fe64345e248

SHA256
0c7ac7076b94ae6d619a6d3ada388f823b7a13d8927810a36a0dd92b8d4b08cb

SHA512
254ef34b38bcc52244c676fff9d6ca7adeeea4259f2d55748ce57dca6ee4a0769b75eade8a1fa7d4b8c8676bba1e2e83aa9e5e8a74c90b0ac2a67bb153e6dc09

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI27482\python39.dll

Filesize
4.3MB

MD5
1d5e4c20a20740f38f061bdf48aaca4f

SHA1
de1b64ab5219aa6fef95cd2b0ccead1c925fd0d0

SHA256
f8172151d11bcf934f2a7518cd0d834e3f079bd980391e9da147ce4cff72c366

SHA512
9df64c97e4e993e815fdaf7e8ecbc3ce32aa8d979f8f4f7a732b2efa636cfeb9a145fe2c2dcdf2e5e9247ee376625e1fdc62f9657e8007bb504336ac8d05a397

Download Submit
C:\Users\Admin\AppData\Local\Temp\cmd.exe

Filesize
6.9MB

MD5
4621621eba5ceabfbfa7aa607a9d6a3d

SHA1
e86fbf0e414e60bbfd130007811844c11aaff1fd

SHA256
6b19078dd387b51fe3fb55a80d0fa36dbc30008b7bd4052297b3c9ab7fadd636

SHA512
93b25e9da281111e4cf8d542dd0847ae07f100d6f470097e11dad2bf8ead64b83acafcfc0a20c46058ecda2d8c02b3d28c68abc7951c833ac46af3921a6f4b08

Download Submit
C:\Users\Admin\AppData\Local\Temp\temp.exe

Filesize
128KB

MD5
1345c9556ce21d1a147ddd1ed6712a90

SHA1
0d74f412a719226802d1d8713037e62a3c9cb465

SHA256
ed991ad801b907dc8d39c87bdc3ec75ad50d076172b7e701009341aca9367842

SHA512
a705e351c234969579273e259477c876e2a9a1de7da91dbd4e9fe1d8c3c72ba274b48020d1bce9124c7542d4f050d3efb18b1c128eaff5efaa124fb719afa583

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp9147.tmp.bat

Filesize
151B

MD5
d1a2494dab8fa75ae46df03a771b151d

SHA1
d831474d34f2e42671a8a9192f8715ba3833ccfe

SHA256
2cb4178bae3a795a7b8429b708b8e9a53fb844d30c36f8204da39d5ae5dfedc8

SHA512
31c534f7802df277b8cee4e10a788ecb4c31bf8f53debd6a2e91424742ef51a7ada5dbfb1427dfc0cd260bad262a0f5107c4fb2825a379d9a26e2d8a5831909f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk

Filesize
1KB

MD5
175dcf91ef523df6166fc091918c8841

SHA1
e07af27597a939af81039147f404680d28f33850

SHA256
78be10b7e3783e797bfff8f3f5dcaab17d0612c508dd9259b046f8dab5cb89de

SHA512
6de78d023e2fb500944d7cbe2995b91bf98c54f97e8b36cefae5458c3c6e7b68eea3e3e746777bfad62d59b069bd3143d07f3c8d90dedb0d6eccd90fb8c79378

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Windows.lnk

Filesize
1022B

MD5
2003bb0332ddfd3d91153db0bd88564e

SHA1
32e60a8379db536b5037a7bf909289960369582b

SHA256
b3fd92b0ef90b98cb7d9ed6435266f9d8e364054038ce8490bd0d005ef144517

SHA512
be63a85396b5c4deefebd891c5997785708a27bcc6a95b3221328be4711b9315c57966de43503bec3a58c674238ce57aa401f6afcdcb4d66e9b5723c465b28d7

Download Submit
\Users\Admin\AppData\Local\Temp\ASE_2.EXE

Filesize
48KB

MD5
322973fcfa6811db872e6d3942bd7a8e

SHA1
4c9f630e248c4fdddba2b9095c427a34ac51042a

SHA256
d06417e9d191f55788b7a25e3e79bea3fdc981e8d8ab0b6eec89cb0a05b84932

SHA512
11c45414a09f10822c37d24f557bd619cb3a89559f644d0ee55919f5cfecce3ba174329b9088144872daebc0b94752d63edfdfbdfdfc5b2462551fd72cc9e75f

Download Submit
memory/476-79-0x0000000000A70000-0x0000000000A82000-memory.dmp

Filesize
72KB

Download
memory/592-80-0x0000000001340000-0x000000000134E000-memory.dmp

Filesize
56KB

Download
memory/1868-95-0x0000000001120000-0x0000000001132000-memory.dmp

Filesize
72KB

Download
memory/1928-103-0x0000000000030000-0x000000000003E000-memory.dmp

Filesize
56KB

Download
memory/2432-0-0x000007FEF5353000-0x000007FEF5354000-memory.dmp

Filesize
4KB

Download
memory/2432-36-0x000007FEF5353000-0x000007FEF5354000-memory.dmp

Filesize
4KB

Download
memory/2432-1-0x0000000000B20000-0x000000000122E000-memory.dmp

Filesize
7.1MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads