asyncrat | efc1995469709c3c47b68816853480833240b5d455b975cd5dc1e13545ab3ea2

Analysis

max time kernel
1050s
max time network
1051s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
20-10-2024 21:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Infected.exe
Size

63KB
MD5

e986330d6cfb70291985b064bcef56be
SHA1

1daa9abaf721a997df355d091faadea3642bb671
SHA256

efc1995469709c3c47b68816853480833240b5d455b975cd5dc1e13545ab3ea2
SHA512

889556c410f3d8cdc9412e777d36f1feecc857fcfac4a5d7fee9eda2de3507e7cfeb4393d7e1ff70bb040b74b8eeb11fb07ffafd915ce0e6a711b986c98272a1
SSDEEP

768:/LqvXPRKF4j7C78BIC8A+X+mazcBRL5JTk1+T4KSBGHmDbD/ph0oXfyq+SuodpqM:U/RKy7QxdSJYUbdh9qqJuodpqKmY7

Score

10^/10

asyncrat stealerium stormkitty default collection discovery evasion execution persistence privilege_escalation rat spyware stealer trojan

Malware Config

Extracted

Family

asyncrat

Botnet

Default

options-printing.gl.at.ply.gg:29154

Attributes

delay
1
install
true
install_file
ppasshole.exe
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat

Modifies Windows Defender Real-time Protection settings 3 TTPs 4 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	ppasshole.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	ppasshole.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	ppasshole.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	ppasshole.exe

Stealerium
An open source info stealer written in C# first seen in May 2022.
stealer stealerium
StormKitty
StormKitty is an open source info stealer written in C#.
stealer stormkitty

StormKitty payload 1 IoCs

resource	yara_rule
behavioral1/memory/4736-251-0x000000001E680000-0x000000001E7A2000-memory.dmp	family_stormkitty

Async RAT payload 1 IoCs

rat

resource	yara_rule
behavioral1/files/0x0008000000023c45-10.dat	family_asyncrat

Checks computer location settings 2 TTPs 5 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	ppasshole.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	Infected.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	ppasshole.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	ppasshole.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	ppasshole.exe

Executes dropped EXE 5 IoCs

pid	Process
4736	ppasshole.exe
2660	ppasshole.exe
4788	ppasshole.exe
4188	ppasshole.exe
2568	ppasshole.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Windows security modification 2 TTPs 1 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	ppasshole.exe

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	ppasshole.exe
Key opened	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	ppasshole.exe
Key opened	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	ppasshole.exe

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
50	icanhazip.com
52	ip-api.com

Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Start PowerShell.

execution

PowerShell

T1059.001

pid	Process
1664	powershell.exe
4608	powershell.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 6 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 2 IoCs

Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

discovery

Wi-Fi Discovery

T1016.002

pid	Process
1816	cmd.exe
2592	netsh.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	ppasshole.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	ppasshole.exe

Delays execution with timeout.exe 5 IoCs

evasion

pid	Process
4572	timeout.exe
3788	timeout.exe
3576	timeout.exe
3068	timeout.exe
4840	timeout.exe

Gathers network information 2 TTPs 1 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
5052	ipconfig.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	powershell.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	powershell.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 3 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4796	schtasks.exe
4952	schtasks.exe
2472	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4336	Infected.exe
4336	Infected.exe
4336	Infected.exe
4336	Infected.exe
4336	Infected.exe
4336	Infected.exe
4336	Infected.exe
4336	Infected.exe
4336	Infected.exe
4336	Infected.exe
4336	Infected.exe
4336	Infected.exe
4336	Infected.exe
4336	Infected.exe
4336	Infected.exe
4336	Infected.exe
4336	Infected.exe
4336	Infected.exe
4336	Infected.exe
4336	Infected.exe
4336	Infected.exe
4336	Infected.exe
4336	Infected.exe
4336	Infected.exe
4336	Infected.exe
4336	Infected.exe
4336	Infected.exe
4336	Infected.exe
4336	Infected.exe
4336	Infected.exe
4336	Infected.exe
4736	ppasshole.exe
4736	ppasshole.exe
4736	ppasshole.exe
4736	ppasshole.exe
4736	ppasshole.exe
4736	ppasshole.exe
4736	ppasshole.exe
4736	ppasshole.exe
4736	ppasshole.exe
4736	ppasshole.exe
4736	ppasshole.exe
4736	ppasshole.exe
4736	ppasshole.exe
4736	ppasshole.exe
4736	ppasshole.exe
4736	ppasshole.exe
4736	ppasshole.exe
4736	ppasshole.exe
4736	ppasshole.exe
4736	ppasshole.exe
4736	ppasshole.exe
4736	ppasshole.exe
4736	ppasshole.exe
4736	ppasshole.exe
4736	ppasshole.exe
4736	ppasshole.exe
4736	ppasshole.exe
4736	ppasshole.exe
4736	ppasshole.exe
4736	ppasshole.exe
4736	ppasshole.exe
4736	ppasshole.exe
4736	ppasshole.exe

Suspicious use of AdjustPrivilegeToken 16 IoCs

description	pid	Process
Token: SeDebugPrivilege	4336	Infected.exe
Token: SeDebugPrivilege	4336	Infected.exe
Token: SeDebugPrivilege	4736	ppasshole.exe
Token: SeDebugPrivilege	4736	ppasshole.exe
Token: SeDebugPrivilege	1664	powershell.exe
Token: SeDebugPrivilege	4616	powershell.exe
Token: SeDebugPrivilege	2732	powershell.exe
Token: SeDebugPrivilege	2660	ppasshole.exe
Token: SeDebugPrivilege	2660	ppasshole.exe
Token: SeDebugPrivilege	4788	ppasshole.exe
Token: SeDebugPrivilege	4788	ppasshole.exe
Token: SeDebugPrivilege	4608	powershell.exe
Token: SeDebugPrivilege	4188	ppasshole.exe
Token: SeDebugPrivilege	4188	ppasshole.exe
Token: SeDebugPrivilege	2568	ppasshole.exe
Token: SeDebugPrivilege	2568	ppasshole.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4336 wrote to memory of 5080	4336	Infected.exe	91
PID 4336 wrote to memory of 5080	4336	Infected.exe	91
PID 4336 wrote to memory of 1324	4336	Infected.exe	93
PID 4336 wrote to memory of 1324	4336	Infected.exe	93
PID 1324 wrote to memory of 4572	1324	cmd.exe	96
PID 1324 wrote to memory of 4572	1324	cmd.exe	96
PID 5080 wrote to memory of 4796	5080	cmd.exe	95
PID 5080 wrote to memory of 4796	5080	cmd.exe	95
PID 1324 wrote to memory of 4736	1324	cmd.exe	98
PID 1324 wrote to memory of 4736	1324	cmd.exe	98
PID 4736 wrote to memory of 1212	4736	ppasshole.exe	111
PID 4736 wrote to memory of 1212	4736	ppasshole.exe	111
PID 1212 wrote to memory of 1664	1212	cmd.exe	113
PID 1212 wrote to memory of 1664	1212	cmd.exe	113
PID 1664 wrote to memory of 4872	1664	powershell.exe	114
PID 1664 wrote to memory of 4872	1664	powershell.exe	114
PID 4736 wrote to memory of 1816	4736	ppasshole.exe	115
PID 4736 wrote to memory of 1816	4736	ppasshole.exe	115
PID 1816 wrote to memory of 4924	1816	cmd.exe	117
PID 1816 wrote to memory of 4924	1816	cmd.exe	117
PID 1816 wrote to memory of 2592	1816	cmd.exe	118
PID 1816 wrote to memory of 2592	1816	cmd.exe	118
PID 1816 wrote to memory of 1092	1816	cmd.exe	119
PID 1816 wrote to memory of 1092	1816	cmd.exe	119
PID 4736 wrote to memory of 1784	4736	ppasshole.exe	120
PID 4736 wrote to memory of 1784	4736	ppasshole.exe	120
PID 1784 wrote to memory of 2932	1784	cmd.exe	122
PID 1784 wrote to memory of 2932	1784	cmd.exe	122
PID 1784 wrote to memory of 4280	1784	cmd.exe	123
PID 1784 wrote to memory of 4280	1784	cmd.exe	123
PID 4736 wrote to memory of 4616	4736	ppasshole.exe	130
PID 4736 wrote to memory of 4616	4736	ppasshole.exe	130
PID 4736 wrote to memory of 2732	4736	ppasshole.exe	132
PID 4736 wrote to memory of 2732	4736	ppasshole.exe	132
PID 4736 wrote to memory of 4616	4736	ppasshole.exe	150
PID 4736 wrote to memory of 4616	4736	ppasshole.exe	150
PID 4736 wrote to memory of 4696	4736	ppasshole.exe	152
PID 4736 wrote to memory of 4696	4736	ppasshole.exe	152
PID 4616 wrote to memory of 3548	4616	cmd.exe	154
PID 4616 wrote to memory of 3548	4616	cmd.exe	154
PID 4696 wrote to memory of 3788	4696	cmd.exe	155
PID 4696 wrote to memory of 3788	4696	cmd.exe	155
PID 2660 wrote to memory of 3940	2660	ppasshole.exe	159
PID 2660 wrote to memory of 3940	2660	ppasshole.exe	159
PID 2660 wrote to memory of 4440	2660	ppasshole.exe	161
PID 2660 wrote to memory of 4440	2660	ppasshole.exe	161
PID 4440 wrote to memory of 3576	4440	cmd.exe	163
PID 4440 wrote to memory of 3576	4440	cmd.exe	163
PID 3940 wrote to memory of 4952	3940	cmd.exe	164
PID 3940 wrote to memory of 4952	3940	cmd.exe	164
PID 4440 wrote to memory of 4788	4440	cmd.exe	165
PID 4440 wrote to memory of 4788	4440	cmd.exe	165
PID 4788 wrote to memory of 688	4788	ppasshole.exe	167
PID 4788 wrote to memory of 688	4788	ppasshole.exe	167
PID 688 wrote to memory of 5052	688	cmd.exe	169
PID 688 wrote to memory of 5052	688	cmd.exe	169
PID 4788 wrote to memory of 3932	4788	ppasshole.exe	170
PID 4788 wrote to memory of 3932	4788	ppasshole.exe	170
PID 3932 wrote to memory of 4608	3932	cmd.exe	172
PID 3932 wrote to memory of 4608	3932	cmd.exe	172
PID 4608 wrote to memory of 3852	4608	powershell.exe	173
PID 4608 wrote to memory of 3852	4608	powershell.exe	173
PID 4788 wrote to memory of 2872	4788	ppasshole.exe	174
PID 4788 wrote to memory of 2872	4788	ppasshole.exe	174

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	ppasshole.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	ppasshole.exe

C:\Users\Admin\AppData\Local\Temp\Infected.exe
"C:\Users\Admin\AppData\Local\Temp\Infected.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4336
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "ppasshole" /tr '"C:\Users\Admin\AppData\Roaming\ppasshole.exe"' & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5080
- - C:\Windows\system32\schtasks.exe
    schtasks /create /f /sc onlogon /rl highest /tn "ppasshole" /tr '"C:\Users\Admin\AppData\Roaming\ppasshole.exe"'
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:4796
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp9599.tmp.bat""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1324
- - C:\Windows\system32\timeout.exe
    timeout 3
    3⤵
    - Delays execution with timeout.exe
    PID:4572
- - C:\Users\Admin\AppData\Roaming\ppasshole.exe
    "C:\Users\Admin\AppData\Roaming\ppasshole.exe"
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    - Checks computer location settings
    - Executes dropped EXE
    - Windows security modification
    - Accesses Microsoft Outlook profiles
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - outlook_office_path
    - outlook_win_path
    PID:4736
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c start /b powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\ytplkq.vbs"' & exit
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1212
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\ytplkq.vbs"'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1664
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ytplkq.vbs"
        6⤵
        
        PID:4872
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
      4⤵
      System Network Configuration Discovery: Wi-Fi Discovery
      Suspicious use of WriteProcessMemory
      PID:1816
    - - C:\Windows\system32\chcp.com
        
        chcp 65001
        5⤵
        
        PID:4924
    - - C:\Windows\system32\netsh.exe
        
        netsh wlan show profile
        5⤵
        Event Triggered Execution: Netsh Helper DLL
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:2592
    - - C:\Windows\system32\findstr.exe
        
        findstr All
        5⤵
        
        PID:1092
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1784
    - - C:\Windows\system32\chcp.com
        
        chcp 65001
        5⤵
        
        PID:2932
    - - C:\Windows\system32\netsh.exe
        
        netsh wlan show networks mode=bssid
        5⤵
        Event Triggered Execution: Netsh Helper DLL
        
        PID:4280
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" Get-MpPreference -verbose
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4616
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add - MpPreference - ExclusionExtension ".exe"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2732
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c schtasks /delete /f /tn "ppasshole"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4616
    - - C:\Windows\system32\schtasks.exe
        
        schtasks /delete /f /tn "ppasshole"
        5⤵
        
        PID:3548
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpFAA3.tmp.bat""
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4696
    - - C:\Windows\system32\timeout.exe
        
        timeout 3
        5⤵
        Delays execution with timeout.exe
        
        PID:3788

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
PID:2384

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
PID:1452

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
PID:1400

C:\Users\Admin\AppData\Local\Temp\ppasshole.exe
C:\Users\Admin\AppData\Local\Temp\ppasshole.exe
1⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2660
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "ppasshole" /tr '"C:\Users\Admin\AppData\Roaming\ppasshole.exe"' & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3940
- - C:\Windows\system32\schtasks.exe
    schtasks /create /f /sc onlogon /rl highest /tn "ppasshole" /tr '"C:\Users\Admin\AppData\Roaming\ppasshole.exe"'
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:4952
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpC1E.tmp.bat""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4440
- - C:\Windows\system32\timeout.exe
    timeout 3
    3⤵
    - Delays execution with timeout.exe
    PID:3576
- - C:\Users\Admin\AppData\Roaming\ppasshole.exe
    "C:\Users\Admin\AppData\Roaming\ppasshole.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4788
  - - C:\Windows\system32\cmd.exe
      "cmd"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:688
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig
        5⤵
        Gathers network information
        
        PID:5052
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c start /b powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\rtbtca.vbs"' & exit
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3932
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\rtbtca.vbs"'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4608
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\rtbtca.vbs"
        6⤵
        
        PID:3852
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c schtasks /delete /f /tn "ppasshole"
      4⤵
      PID:2872
    - - C:\Windows\system32\schtasks.exe
        
        schtasks /delete /f /tn "ppasshole"
        5⤵
        
        PID:2912
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpE1A5.tmp.bat""
      4⤵
      PID:2536
    - - C:\Windows\system32\timeout.exe
        
        timeout 3
        5⤵
        Delays execution with timeout.exe
        
        PID:3068

C:\Users\Admin\AppData\Local\Temp\ppasshole.exe
C:\Users\Admin\AppData\Local\Temp\ppasshole.exe
1⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4188
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "ppasshole" /tr '"C:\Users\Admin\AppData\Roaming\ppasshole.exe"' & exit
  2⤵
  PID:1616
- - C:\Windows\system32\schtasks.exe
    schtasks /create /f /sc onlogon /rl highest /tn "ppasshole" /tr '"C:\Users\Admin\AppData\Roaming\ppasshole.exe"'
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2472
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp9C36.tmp.bat""
  2⤵
  PID:4060
- - C:\Windows\system32\timeout.exe
    timeout 3
    3⤵
    - Delays execution with timeout.exe
    PID:4840
- - C:\Users\Admin\AppData\Roaming\ppasshole.exe
    "C:\Users\Admin\AppData\Roaming\ppasshole.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:2568

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Wi-Fi Discovery

T1016.002

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\0858ccd2fd5a9e0adba57a45ab323d12\Admin@GUMLNLFE_en-US\Browsers\Mozilla\Firefox\Bookmarks.txt

Filesize
105B

MD5
2e9d094dda5cdc3ce6519f75943a4ff4

SHA1
5d989b4ac8b699781681fe75ed9ef98191a5096c

SHA256
c84c98bbf5e0ef9c8d0708b5d60c5bb656b7d6be5135d7f7a8d25557e08cf142

SHA512
d1f7eed00959e902bdb2125b91721460d3ff99f3bdfc1f2a343d4f58e8d4e5e5a06c0c6cdc0379211c94510f7c00d7a8b34fa7d0ca0c3d54cbbe878f1e9812b7

Download Submit
C:\Users\Admin\AppData\Local\0858ccd2fd5a9e0adba57a45ab323d12\Admin@GUMLNLFE_en-US\System\Process.txt

Filesize
4KB

MD5
ed7271d894aae236d81a123c4bf33b79

SHA1
8118ce5df1089637b184d7dff0627900ef5bdbfb

SHA256
c76cfebf3be679229d76d3e46244c313bac1e904026c99275bafd3cc15a057a2

SHA512
739dd805794a77a693f4bfcc618d120082389dbaa2f652bbae4ba59e4a4eb3c6616775c8a0122dba4ce442f3ae1e88dca0d492263a8990060efe6a5bfcabf1c6

Download Submit
C:\Users\Admin\AppData\Local\0858ccd2fd5a9e0adba57a45ab323d12\Admin@GUMLNLFE_en-US\System\Process.txt

Filesize
759B

MD5
e00ad1204c454fe44dc8ac425b728909

SHA1
ebc9a0084c8931276d7e5c7dc9ab4b570de119d7

SHA256
656c78b15df8df2b44481645e98e623e2f1015525ad4b1c7a2b5d83dec961e8e

SHA512
9df71344872838a08f7124219b2e4f41e848d46ad3572c4aae530d03d87e8e9299e1ffe2e0e6873d7a1e0f18e16cbfcfb4f2921568b10888e9d8ab9c759b8daa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
6cf293cb4d80be23433eecf74ddb5503

SHA1
24fe4752df102c2ef492954d6b046cb5512ad408

SHA256
b1f292b6199aa29c7fafbca007e5f9e3f68edcbbca1965bc828cc92dc0f18bb8

SHA512
0f91e2da0da8794b9797c7b50eb5dfd27bde4546ceb6902a776664ce887dd6f12a0dd8773d612ccc76dfd029cd280778a0f0ae17ce679b3d2ffd968dd7e94a00

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\ppasshole.exe.log

Filesize
2KB

MD5
3f9a82fefbab3de573ef1829337bedaa

SHA1
0cc04ae01232911b75e307ada7d92eead98cd45c

SHA256
ded7343bfe716c413a2bb568defb468f407820c879aacdb46f01b264fa7b1caa

SHA512
9ffb0deecf3b83606faa8b4cb113f470ac4a3e5f97eb3381d395e1c72c513cac742c6eb4295a6ab565a043523b7ec2be6bfa69798046c95b77f638bc431edd2a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
1a11402783a8686e08f8fa987dd07bca

SHA1
580df3865059f4e2d8be10644590317336d146ce

SHA256
9b1d1b468932a2d88548dc18504ac3066f8248079ecb083e919460bdb88398c0

SHA512
5f7f9f76d9d12a25fdc5b8d193391fb42c37515c657250fe01a9bfd9fe4cc4eab9d5ec254b2596ac1b9005f12511905f19fdae41f057062261d75bd83254b510

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
de9d4ddc62daa4444b9178c9fc079438

SHA1
f8cb6cc6942a31142b169047ca8b0610201b7882

SHA256
d8f14ccc4389c7313eef1948a13f45a1e4e16007d45c90c309baba365641e57a

SHA512
206ca2532369f1eeddd2efec2b77512d64f6957554e4c8e8e58ac1c5db6bb567aecdb49d6bfa2e99c9647387d19052546b2e7b644394371773ec6d9190d90241

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
60945d1a2e48da37d4ce8d9c56b6845a

SHA1
83e80a6acbeb44b68b0da00b139471f428a9d6c1

SHA256
314b91c00997034d6e015f40230d90ebbf57de5dc938b62c1a214d591793dbe3

SHA512
5d068f1d6443e26ae3cad1c80f969e50e5860967b314153c4d3b6efd1cfa39f0907c6427bec7fa43db079f258b6357e4e9a1b0b1a36b1481d2049ea0e67909ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_wlmf2p4s.qr4.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\places.raw

Filesize
5.0MB

MD5
48a487bd3544c6fb62a830c256dc7699

SHA1
31b692f6973298aa7d19ad1b42de00e2cc5d9053

SHA256
96f59d96ad8f469b549fab4ef1794e9db70987ca0aa915fd0eb7381302f8c2df

SHA512
62c2910a3f10f7dfb0b54b952662a7e85e5cd5cdb9e81725b3e27750e70cf16542a4a5520b73e74b2554a1ab205fb84ca3c402383f5d3a91ef99cdb25e1a76e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp44B8.tmp.dat

Filesize
114KB

MD5
a1eeb9d95adbb08fa316226b55e4f278

SHA1
b36e8529ac3f2907750b4fea7037b147fe1061a6

SHA256
2281f98b872ab5ad2d83a055f3802cbac4839f96584d27ea1fc3060428760ba7

SHA512
f26de5333cf4eaa19deb836db18a4303a8897bf88bf98bb78c6a6800badbaa7ab6aeb6444bbbe0e972a5332670bdbb474565da351f3b912449917be21af0afb8

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp44CB.tmp.dat

Filesize
160KB

MD5
f310cf1ff562ae14449e0167a3e1fe46

SHA1
85c58afa9049467031c6c2b17f5c12ca73bb2788

SHA256
e187946249cd390a3c1cf5d4e3b0d8f554f9acdc416bf4e7111fff217bb08855

SHA512
1196371de08c964268c44103ccaed530bda6a145df98e0f480d8ee5ad58cb6fb33ca4c9195a52181fe864726dcf52e6a7a466d693af0cda43400a3a7ef125fad

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp479E.tmp.dat

Filesize
40KB

MD5
a182561a527f929489bf4b8f74f65cd7

SHA1
8cd6866594759711ea1836e86a5b7ca64ee8911f

SHA256
42aad7886965428a941508b776a666a4450eb658cb90e80fae1e7457fc71f914

SHA512
9bc3bf5a82f6f057e873adebd5b7a4c64adef966537ab9c565fe7c4bb3582e2e485ff993d5ab8a6002363231958fabd0933b48811371b8c155eaa74592b66558

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp47B2.tmp.dat

Filesize
96KB

MD5
40f3eb83cc9d4cdb0ad82bd5ff2fb824

SHA1
d6582ba879235049134fa9a351ca8f0f785d8835

SHA256
cdd772b00ae53d4050150552b67028b7344bb1d345bceb495151cc969c27a0a0

SHA512
cdd4dbf0b1ba73464cd7c5008dc05458862e5f608e336b53638a14965becd4781cdea595fd6bd18d0bf402dccffd719da292a6ce67d359527b4691dc6d6d4cc2

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp47B6.tmp.dat

Filesize
20KB

MD5
0788fd5a301eee8af590ba86f8962373

SHA1
f9bfc416497504df149c2bb8a069ddf9fef514c3

SHA256
e91093a5e7905b6055b5d4838140f4aaa78587df82217b1901fd0d942feaefc5

SHA512
5a3fcb3edad1cd0a5c7eb9e7ef9e9f5dcbf5586f9ddf334ebd035f369fb2de1d67e653aea4935989e35c31cfae14823c0439181654f24b6337a885faeb449a30

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp9599.tmp.bat

Filesize
153B

MD5
5726e6e8bf2e88a39f1d2e4710bfb8d9

SHA1
363339359f2ccc41402abcd27cc6ce5e192fa9d5

SHA256
305c6c399192848389d6a5248e042dbb95c1925ce1c3049b9162831f41d2514b

SHA512
c6318fa7381d369c3178311cc2d93949e6f400f0b34e71f3a2ae47f2ce44145d58055bdd626c480ad2d2008261cebb62415c00071951f7712eab3a9a08df02d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp9C36.tmp.bat

Filesize
153B

MD5
9db176df58948d8e193e73d802241098

SHA1
da64d178e404daa38be368c4e0e2fb463518b642

SHA256
935d9372f250f005d5065e49a4ba12baac8c08cfad7f2a3cd4fc758b05afd6da

SHA512
f3ab6a6a23187a4f5afb3012e729e0aa2c8f1cded195abca3c0344a67d739dd263f8eb6f314af256916a1ede8e4bd7d95e6f72775519188cc2ef4d6f56d14f3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpC1E.tmp.bat

Filesize
152B

MD5
e53dea3d7caaf7e4913677395f7dca2b

SHA1
a28d85459d5e6b88257431464d45704d49eba240

SHA256
cf679b82f11d6cadb553f5cf65b4b072d10058e63580954aaeb5e9129c98ca29

SHA512
06e70bde64afadbc4a61680d1605a07b5771ceef55576c4dde94c8dc25a218a07a4849cd18dc1a3fd2fe6fdb01ec6803fdc6867276efb41dcef9406c78e7997a

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpE1A5.tmp.bat

Filesize
158B

MD5
1fe4395db31f749567264ca7c7dc1ebc

SHA1
14bd3f80580f53b4bb6498d832479ace6490b486

SHA256
0a6fb8f63829c08313370435138cfbb3f955de4728c106fa311973413de70de5

SHA512
018e34bac54a546c85bccca82caf73007d4177286a09722e93609bc84506745b37496659990b09a878fce9be9aca5fedffed169a0d786fc44d467050431ef650

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpFAA3.tmp.bat

Filesize
158B

MD5
9aba7e8d11562da7193c702665350531

SHA1
c1b05401b946d1d3b735333a91898a7502ffef18

SHA256
60cd9e4cb4f7a5dabc146f6f22fa1cee61af2a1a179fbc9b812a4fa1aa38b22d

SHA512
6a9a8d3e0546a6bd5281e89d90465295378945030f871bf95167f2ee79a706f9ff91f478814612691181c9d6a857ae9b294ca53fd77fa87374ab4ffd48cece30

Download Submit
C:\Users\Admin\AppData\Local\Temp\ytplkq.vbs

Filesize
89B

MD5
05c5db9bf8acaec559fbd7f01b6c1bde

SHA1
1d320c8214e42577894ae8460f64b2325cc72242

SHA256
09cd2238812c44cf22c3e86bc57ab3271ada9b7873646b52b48252101ff47c5a

SHA512
26115b4fc9f9aee97a92c7cbb18feede89e7fd2a7431e4bc2b26b73d6c32b70aaea872af28336a5f53a302405c87995a4ba84625db9c5c3d5b16d08b43069d65

Download Submit
C:\Users\Admin\AppData\Roaming\ppasshole.exe

Filesize
63KB

MD5
e986330d6cfb70291985b064bcef56be

SHA1
1daa9abaf721a997df355d091faadea3642bb671

SHA256
efc1995469709c3c47b68816853480833240b5d455b975cd5dc1e13545ab3ea2

SHA512
889556c410f3d8cdc9412e777d36f1feecc857fcfac4a5d7fee9eda2de3507e7cfeb4393d7e1ff70bb040b74b8eeb11fb07ffafd915ce0e6a711b986c98272a1

Download Submit
memory/1664-31-0x000002BCC8FC0000-0x000002BCC8FE2000-memory.dmp

Filesize
136KB

Download
memory/4336-0-0x00007FFD67863000-0x00007FFD67865000-memory.dmp

Filesize
8KB

Download
memory/4336-8-0x00007FFD67860000-0x00007FFD68321000-memory.dmp

Filesize
10.8MB

Download
memory/4336-7-0x00007FFD67860000-0x00007FFD68321000-memory.dmp

Filesize
10.8MB

Download
memory/4336-2-0x00007FFD67860000-0x00007FFD68321000-memory.dmp

Filesize
10.8MB

Download
memory/4336-1-0x0000000000E90000-0x0000000000EA6000-memory.dmp

Filesize
88KB

Download
memory/4736-22-0x0000000002E50000-0x0000000002E5A000-memory.dmp

Filesize
40KB

Download
memory/4736-192-0x000000001D430000-0x000000001D4AA000-memory.dmp

Filesize
488KB

Download
memory/4736-371-0x000000001D330000-0x000000001D364000-memory.dmp

Filesize
208KB

Download
memory/4736-372-0x000000001CE30000-0x000000001CEE2000-memory.dmp

Filesize
712KB

Download
memory/4736-373-0x000000001D3B0000-0x000000001D3E2000-memory.dmp

Filesize
200KB

Download
memory/4736-374-0x00000000015A0000-0x00000000015BC000-memory.dmp

Filesize
112KB

Download
memory/4736-227-0x000000001D4D0000-0x000000001D504000-memory.dmp

Filesize
208KB

Download
memory/4736-251-0x000000001E680000-0x000000001E7A2000-memory.dmp

Filesize
1.1MB

Download
memory/4736-23-0x000000001D930000-0x000000001D962000-memory.dmp

Filesize
200KB

Download
memory/4736-16-0x000000001D730000-0x000000001D8B8000-memory.dmp

Filesize
1.5MB

Download
memory/4736-15-0x000000001D5B0000-0x000000001D626000-memory.dmp

Filesize
472KB

Download
memory/4736-17-0x000000001D550000-0x000000001D56E000-memory.dmp

Filesize
120KB

Download
memory/4788-511-0x000000001C0A0000-0x000000001C0BA000-memory.dmp

Filesize
104KB

Download
memory/4788-510-0x00000000016E0000-0x0000000001714000-memory.dmp

Filesize
208KB

Download