asyncrat | c40a6434008cf6fb6738f64bc52b5aa0f93cf50dec65c3d84e34174cfd3e962d

General

Target

Johnnyspanel.exe
Size

63KB
MD5

e6b3b8ea39d8bc6eea1c703295d17ef2
SHA1

34babad08af3f8ae9f4e6507625167038d479dd7
SHA256

c40a6434008cf6fb6738f64bc52b5aa0f93cf50dec65c3d84e34174cfd3e962d
SHA512

24a5505feddfe229304fd4c15af49e81e02cddbc0bc1612daa9a670fa13faab90a729079cdf1fbec176cda88c8ffcb6822d1f6aafeb5be774b15d7e45d829563
SSDEEP

768:S+BAGkPhz/n78FoC8A+Xk+YDT8JHy31+T4ySBGHmDbDgps0oXnoIIjzsSukdpqKX:Tq/bL2h39YUbWs9oVzrukdpqKmY7

Score

10^/10

asyncrat default discovery persistence privilege_escalation rat

Malware Config

Extracted

Family

asyncrat

Botnet

Default

C2

127.0.0.1:3232

Attributes

delay
1
install
true
install_file
Run.exe
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat

Async RAT payload 1 IoCs

rat

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\Run.exe	family_asyncrat

Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
persistence privilege_escalation

Component Object Model Hijacking
T1546.015
Executes dropped EXE 1 IoCs

Processes:

Run.exe

pid process

4668 Run.exe

pid	process
4668	Run.exe

Modifies system executable filetype association 2 TTPs 2 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

Processes:

OneDrive.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\lnkfile\shellex\ContextMenuHandlers\ FileSyncEx	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\lnkfile\shellex\ContextMenuHandlers\ FileSyncEx\ = "{CB3D0F55-BC2C-4C1A-85ED-23ED75B5106B}"	OneDrive.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
discovery

System Language Discovery
T1614.001

Processes:

OneDrive.exe

description ioc process

Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language OneDrive.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	OneDrive.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

OneDrive.exe

description	ioc	process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	OneDrive.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	OneDrive.exe

Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

4920 timeout.exe

pid	process
4920	timeout.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

Processes:

OneDrive.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	OneDrive.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\OneDrive.exe = "11000"	OneDrive.exe

Modifies registry class 64 IoCs

Processes:

OneDrive.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\WOW6432Node\Interface\{0299ECA9-80B6-43C8-A79A-FB1C5F19E7D8}\ = "IFileSyncClient3"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Interface\{6A821279-AB49-48F8-9A27-F6C59B4FF024}\ProxyStubClsid32	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\CLSID\{82CA8DE3-01AD-4CEA-9D75-BE4C51810A9E}\ = "SyncingOverlayHandler2 Class"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\WOW6432Node\Interface\{679EC955-75AA-4FB2-A7ED-8C0152ECF409}\TypeLib\Version = "1.0"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Interface\{B05D37A9-03A2-45CF-8850-F660DF0CBF07}\ProxyStubClsid32\ = "{4410DC33-BC7C-496B-AA84-4AEA3EEE75F7}"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Interface\{049FED7E-C3EA-4B66-9D92-10E8085D60FB}	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Interface\{2F12C599-7AA5-407A-B898-09E6E4ED2D1E}\TypeLib	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\CLSID\{9489FEB2-1925-4D01-B788-6D912C70F7F2}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\FileCoAuth.exe"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\FileSyncClient.AutoPlayHandler.1	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\CLSID\{A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\amd64\\FileSyncShell64.dll"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Interface\{a7126d4c-f492-4eb9-8a2a-f673dbdd3334}\ = "IContentProvider"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\CLSID\{021E4F06-9DCC-49AD-88CF-ECC2DA314C8A}\ = "FileSync ThumbnailProvider"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\SyncEngineFileInfoProvider.SyncEngineFileInfoProvider\ = "SyncEngineFileInfoProvider Class"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\WOW6432Node\CLSID\{9489FEB2-1925-4D01-B788-6D912C70F7F2}	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\WOW6432Node\Interface\{a7126d4c-f492-4eb9-8a2a-f673dbdd3334}	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\SyncEngineFileInfoProvider.SyncEngineFileInfoProvider.1\CLSID	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Interface\{10C9242E-D604-49B5-99E4-BF87945EF86C}\TypeLib\Version = "1.0"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\WOW6432Node\Interface\{390AF5A7-1390-4255-9BC9-935BFCFA5D57}\ = "IAlbumMetadataCallback"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\WOW6432Node\Interface\{D0ED5C72-6197-4AAD-9B16-53FE461DD85C}\ = "IFileUploadCallback"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Interface\{a7126d4c-f492-4eb9-8a2a-f673dbdd3334}\ProxyStubClsid32	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Interface\{a7126d4c-f492-4eb9-8a2a-f673dbdd3334}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\CLSID\{389510b7-9e58-40d7-98bf-60b911cb0ea9}	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\TypeLib\{082D3FEC-D0D0-4DF6-A988-053FECE7B884}\1.0\FLAGS\ = "0"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\WOW6432Node\Interface\{8D3F8F15-1DE1-4662-BF93-762EABE988B2}\TypeLib\ = "{909A6CCD-6810-46C4-89DF-05BE7EB61E6C}"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\WOW6432Node\CLSID\{A926714B-7BFC-4D08-A035-80021395FFA8}\LocalServer32	OneDrive.exe
Key deleted	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_CLASSES\ODOPEN\DEFAULTICON	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Interface\{0d4e4444-cb20-4c2b-b8b2-94e5656ecae8}\TypeLib\ = "{BAE13F6C-0E2A-4DEB-AA46-B8F55319347C}"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\WOW6432Node\CLSID\{71DCE5D6-4B57-496B-AC21-CD5B54EB93FD}\LocalServer32	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\WOW6432Node\Interface\{AF60000F-661D-472A-9588-F062F6DB7A0E}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\SyncEngineCOMServer.SyncEngineCOMServer\CLSID\ = "{AB807329-7324-431B-8B36-DBD581F56E0B}"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Interface\{D0ED5C72-6197-4AAD-9B16-53FE461DD85C}\TypeLib\ = "{BAE13F6C-0E2A-4DEB-AA46-B8F55319347C}"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\WOW6432Node\Interface\{AF60000F-661D-472A-9588-F062F6DB7A0E}	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Interface\{8B9F14F4-9559-4A3F-B7D0-312E992B6D98}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\WOW6432Node\CLSID\{A78ED123-AB77-406B-9962-2A5D9D2F7F30}\InprocServer32\ThreadingModel = "Apartment"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\SyncEngineFileInfoProvider.SyncEngineFileInfoProvider	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\WOW6432Node\Interface\{8D3F8F15-1DE1-4662-BF93-762EABE988B2}\TypeLib\Version = "1.0"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\WOW6432Node\Interface\{3A4E62AE-45D9-41D5-85F5-A45B77AB44E5}	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Interface\{d8c80ebb-099c-4208-afa3-fbc4d11f8a3c}\ProxyStubClsid32	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\WOW6432Node\Interface\{22A68885-0FD9-42F6-9DED-4FB174DC7344}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Interface\{EA23A664-A558-4548-A8FE-A6B94D37C3CF}	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Interface\{AEEBAD4E-3E0A-415B-9B94-19C499CD7B6A}\TypeLib\ = "{BAE13F6C-0E2A-4DEB-AA46-B8F55319347C}"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\SyncEngineFileInfoProvider.SyncEngineFileInfoProvider\CurVer	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Interface\{10C9242E-D604-49B5-99E4-BF87945EF86C}\TypeLib\ = "{BAE13F6C-0E2A-4DEB-AA46-B8F55319347C}"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\WOW6432Node\Interface\{1b7aed4f-fcaf-4da4-8795-c03e635d8edc}\ProxyStubClsid32	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\WOW6432Node\Interface\{F062BA81-ADFE-4A92-886A-23FD851D6406}\ = "IGetLinkCallback"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\WOW6432Node\Interface\{0d4e4444-cb20-4c2b-b8b2-94e5656ecae8}\ProxyStubClsid32	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Interface\{C2FE84F5-E036-4A07-950C-9BFD3EAB983A}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\WOW6432Node\Interface\{EA23A664-A558-4548-A8FE-A6B94D37C3CF}\ = "ISyncEngine"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\SyncEngineStorageProviderHandlerProxy.SyncEngineStorageProviderHandlerProxy\CLSID	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Interface\{5D5DD08F-A10E-4FEF-BCA7-E73E666FC66C}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\odopen\ = "URL: OneDrive Client Protocol"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\WOW6432Node\CLSID\{7B37E4E2-C62F-4914-9620-8FB5062718CC}\ProgID\ = "FileSyncClient.FileSyncClient.1"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Interface\{2692D1F2-2C7C-4AE0-8E73-8F37736C912D}\TypeLib	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\WOW6432Node\Interface\{AEEBAD4E-3E0A-415B-9B94-19C499CD7B6A}\ProxyStubClsid32	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Interface\{679EC955-75AA-4FB2-A7ED-8C0152ECF409}\TypeLib\ = "{BAE13F6C-0E2A-4DEB-AA46-B8F55319347C}"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\WOW6432Node\CLSID\{A926714B-7BFC-4D08-A035-80021395FFA8}\ = "FileSyncOutOfProcServices Class"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Interface\{5D5DD08F-A10E-4FEF-BCA7-E73E666FC66C}	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\WOW6432Node\Interface\{22A68885-0FD9-42F6-9DED-4FB174DC7344}\ProxyStubClsid32	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Interface\{b5c25645-7426-433f-8a5f-42b7ff27a7b2}	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Interface\{53de12aa-df96-413d-a25e-c75b6528abf2}\TypeLib\Version = "1.0"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\SyncEngineStorageProviderHandlerProxy.SyncEngineStorageProviderHandlerProxy\ = "SyncEngineStorageProviderHandlerProxy Class"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Interface\{2692D1F2-2C7C-4AE0-8E73-8F37736C912D}\ = "IFileSyncClient7"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\WOW6432Node\Interface\{AEEBAD4E-3E0A-415B-9B94-19C499CD7B6A}\TypeLib	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\CLSID\{71DCE5D6-4B57-496B-AC21-CD5B54EB93FD}\ProgID	OneDrive.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence execution

Scheduled Task
T1053.005

Processes:

schtasks.exe

pid process

1280 schtasks.exe
Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

OneDrive.exe

pid process

436 OneDrive.exe

pid	process
1280	schtasks.exe

pid	process
436	OneDrive.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

Johnnyspanel.exeRun.exe

pid	process
4496	Johnnyspanel.exe
4496	Johnnyspanel.exe
4496	Johnnyspanel.exe
4496	Johnnyspanel.exe
4496	Johnnyspanel.exe
4496	Johnnyspanel.exe
4496	Johnnyspanel.exe
4496	Johnnyspanel.exe
4496	Johnnyspanel.exe
4496	Johnnyspanel.exe
4496	Johnnyspanel.exe
4496	Johnnyspanel.exe
4496	Johnnyspanel.exe
4496	Johnnyspanel.exe
4496	Johnnyspanel.exe
4496	Johnnyspanel.exe
4496	Johnnyspanel.exe
4496	Johnnyspanel.exe
4496	Johnnyspanel.exe
4496	Johnnyspanel.exe
4496	Johnnyspanel.exe
4668	Run.exe
4668	Run.exe
4668	Run.exe
4668	Run.exe
4668	Run.exe
4668	Run.exe
4668	Run.exe
4668	Run.exe
4668	Run.exe
4668	Run.exe
4668	Run.exe
4668	Run.exe
4668	Run.exe
4668	Run.exe
4668	Run.exe
4668	Run.exe
4668	Run.exe
4668	Run.exe
4668	Run.exe
4668	Run.exe
4668	Run.exe
4668	Run.exe
4668	Run.exe
4668	Run.exe
4668	Run.exe
4668	Run.exe
4668	Run.exe
4668	Run.exe
4668	Run.exe
4668	Run.exe
4668	Run.exe
4668	Run.exe
4668	Run.exe
4668	Run.exe
4668	Run.exe
4668	Run.exe
4668	Run.exe
4668	Run.exe
4668	Run.exe
4668	Run.exe
4668	Run.exe
4668	Run.exe
4668	Run.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

Johnnyspanel.exeRun.exe

description	pid	process
Token: SeDebugPrivilege	4496	Johnnyspanel.exe
Token: SeDebugPrivilege	4496	Johnnyspanel.exe
Token: SeDebugPrivilege	4668	Run.exe
Token: SeDebugPrivilege	4668	Run.exe

Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

OneDrive.exe

pid process

436 OneDrive.exe
436 OneDrive.exe
436 OneDrive.exe
Suspicious use of SendNotifyMessage 3 IoCs

Processes:

OneDrive.exe

pid process

436 OneDrive.exe
436 OneDrive.exe
436 OneDrive.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

OneDrive.exe

pid process

436 OneDrive.exe

pid	process
436	OneDrive.exe
436	OneDrive.exe
436	OneDrive.exe

pid	process
436	OneDrive.exe
436	OneDrive.exe
436	OneDrive.exe

pid	process
436	OneDrive.exe

Suspicious use of WriteProcessMemory 10 IoCs

Processes:

Johnnyspanel.execmd.execmd.exe

description	pid	process	target process
PID 4496 wrote to memory of 3512	4496	Johnnyspanel.exe	cmd.exe
PID 4496 wrote to memory of 3512	4496	Johnnyspanel.exe	cmd.exe
PID 4496 wrote to memory of 1960	4496	Johnnyspanel.exe	cmd.exe
PID 4496 wrote to memory of 1960	4496	Johnnyspanel.exe	cmd.exe
PID 1960 wrote to memory of 4920	1960	cmd.exe	timeout.exe
PID 1960 wrote to memory of 4920	1960	cmd.exe	timeout.exe
PID 3512 wrote to memory of 1280	3512	cmd.exe	schtasks.exe
PID 3512 wrote to memory of 1280	3512	cmd.exe	schtasks.exe
PID 1960 wrote to memory of 4668	1960	cmd.exe	Run.exe
PID 1960 wrote to memory of 4668	1960	cmd.exe	Run.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Johnnyspanel.exe
"C:\Users\Admin\AppData\Local\Temp\Johnnyspanel.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4496

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Run" /tr '"C:\Users\Admin\AppData\Roaming\Run.exe"' & exit
2⤵
- Suspicious use of WriteProcessMemory
PID:3512

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "Run" /tr '"C:\Users\Admin\AppData\Roaming\Run.exe"'
3⤵
- Scheduled Task/Job: Scheduled Task
PID:1280

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp6755.tmp.bat""
2⤵
- Suspicious use of WriteProcessMemory
PID:1960

C:\Windows\system32\timeout.exe
timeout 3
3⤵
- Delays execution with timeout.exe
PID:4920

C:\Users\Admin\AppData\Roaming\Run.exe
"C:\Users\Admin\AppData\Roaming\Run.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4668

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe
"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe"
1⤵
- Modifies system executable filetype association
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:436

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3992

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Event Triggered Execution

2

T1546

Change Default File Association

1

T1546.001

Component Object Model Hijacking

1

T1546.015

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Event Triggered Execution

2

T1546

Change Default File Association

1

T1546.001

Component Object Model Hijacking

1

T1546.015

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp6755.tmp.bat

Filesize
147B

MD5
4d233052616b2bd45fad71cdb315a41c

SHA1
83f2012942db700c58819415ada38887b298bf1a

SHA256
ff0915a56ef3d4ff653227271f273d4662521cb186ee80c36e78a278d6f15d70

SHA512
2f17158ffd0b4ce0b543f5e554de92dc1f6f25ef2cb7352298fb5fdeece423029f0a31f1503a08eb407fe36b8f5359385a803d8b4a13b7ad91bcbe648394eac5

Download Submit
C:\Users\Admin\AppData\Roaming\Run.exe

Filesize
63KB

MD5
e6b3b8ea39d8bc6eea1c703295d17ef2

SHA1
34babad08af3f8ae9f4e6507625167038d479dd7

SHA256
c40a6434008cf6fb6738f64bc52b5aa0f93cf50dec65c3d84e34174cfd3e962d

SHA512
24a5505feddfe229304fd4c15af49e81e02cddbc0bc1612daa9a670fa13faab90a729079cdf1fbec176cda88c8ffcb6822d1f6aafeb5be774b15d7e45d829563

Download Submit
memory/4496-0-0x00007FFBCC3E3000-0x00007FFBCC3E4000-memory.dmp

Filesize
4KB

Download
memory/4496-1-0x0000000000240000-0x0000000000256000-memory.dmp

Filesize
88KB

Download
memory/4496-2-0x00007FFBCC3E0000-0x00007FFBCCDCC000-memory.dmp

Filesize
9.9MB

Download
memory/4496-3-0x00007FFBCC3E0000-0x00007FFBCCDCC000-memory.dmp

Filesize
9.9MB

Download
memory/4496-8-0x00007FFBCC3E0000-0x00007FFBCCDCC000-memory.dmp

Filesize
9.9MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads