asyncrat | 66cfe98bdab5ba7bc9642ae084b708deb928d4688b9bc577c5add8b021cbcafe

Analysis

max time kernel
148s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
31-10-2024 18:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

J74N3UGkQRFbJPTK.exe
Size

8.2MB
MD5

e0cf4901b5fe2a17af5a369e7faeab1b
SHA1

2d71a612c66a267d71f39769b2ab3d7e99035764
SHA256

66cfe98bdab5ba7bc9642ae084b708deb928d4688b9bc577c5add8b021cbcafe
SHA512

22dbf9e1d71822ffd6c5505a2eeffb46fbf75d5e5cec9fba619ccf78100ec9a5f6063fafce1f07bcdae3eeb8ec0732661ba15fca7bf57bb08d0943b1d0512df6
SSDEEP

196608:sfU3F+AqdanoW6dyebDOuKMXRlbO0OeRzM1Hyq:8qFovIebSDwyeZMpX

Score

10^/10

asyncrat default discovery execution rat

Malware Config

Extracted

Family

asyncrat

Version

0.5.8

Botnet

Default

dns.njalla.pl:4500

dns.njalla.pl:7854

dns.njalla.si:4500

dns.njalla.si:7854

Mutex

O7kXyfiG4vsr

Attributes

delay
3
install
false
install_file
GoogleUpdate.exe
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Asyncrat family
asyncrat

Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs

Start PowerShell.

execution

PowerShell

T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	process
3864	powershell.exe
64	powershell.exe
1516	powershell.exe
4600	powershell.exe
1924	powershell.exe
2240	powershell.exe
840	powershell.exe
3352	powershell.exe
2608	powershell.exe
2552	powershell.exe
1476	powershell.exe
4940	powershell.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

fszecc.exewkibyi.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	fszecc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	wkibyi.exe

Drops startup file 1 IoCs

Processes:

fszecc.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\apihost.exe.lnk fszecc.exe
Executes dropped EXE 6 IoCs

Processes:

J74N3UGkQRFbJPTK.exeVirtual.exeVirtual.exewkibyi.exefszecc.exeapihost.exe

pid process

4920 J74N3UGkQRFbJPTK.exe
4044 Virtual.exe
2972 Virtual.exe
3380 wkibyi.exe
368 fszecc.exe
5056 apihost.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\apihost.exe.lnk	fszecc.exe

Loads dropped DLL 10 IoCs

Processes:

J74N3UGkQRFbJPTK.exeVirtual.exeVirtual.exe

pid	process
4920	J74N3UGkQRFbJPTK.exe
4044	Virtual.exe
4044	Virtual.exe
4044	Virtual.exe
4044	Virtual.exe
2972	Virtual.exe
2972	Virtual.exe
2972	Virtual.exe
2972	Virtual.exe
2972	Virtual.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

Virtual.execmd.exe

description	pid	process	target process
PID 2972 set thread context of 1612	2972	Virtual.exe	cmd.exe
PID 1612 set thread context of 4212	1612	cmd.exe	MSBuild.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

schtasks.exepowershell.exeJ74N3UGkQRFbJPTK.execmd.exeapihost.execmd.exetimeout.exeJ74N3UGkQRFbJPTK.exefszecc.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	J74N3UGkQRFbJPTK.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	apihost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	J74N3UGkQRFbJPTK.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fszecc.exe

Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

3588 timeout.exe
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence execution

Scheduled Task
T1053.005

Processes:

schtasks.exe

pid process

1604 schtasks.exe
Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

apihost.exe

pid process

5056 apihost.exe

pid	process
3588	timeout.exe

pid	process
1604	schtasks.exe

pid	process
5056	apihost.exe

Suspicious behavior: EnumeratesProcesses 45 IoCs

Processes:

Virtual.exeVirtual.execmd.exepowershell.exepowershell.exeMSBuild.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	process
4044	Virtual.exe
2972	Virtual.exe
2972	Virtual.exe
1612	cmd.exe
1612	cmd.exe
3864	powershell.exe
3864	powershell.exe
2284	powershell.exe
4212	MSBuild.exe
2284	powershell.exe
2552	powershell.exe
2552	powershell.exe
4600	powershell.exe
4600	powershell.exe
1476	powershell.exe
1476	powershell.exe
4940	powershell.exe
4940	powershell.exe
1924	powershell.exe
1924	powershell.exe
2240	powershell.exe
2240	powershell.exe
4940	powershell.exe
840	powershell.exe
840	powershell.exe
2552	powershell.exe
2552	powershell.exe
3352	powershell.exe
3352	powershell.exe
2608	powershell.exe
2608	powershell.exe
4600	powershell.exe
4600	powershell.exe
1476	powershell.exe
1476	powershell.exe
1924	powershell.exe
2240	powershell.exe
840	powershell.exe
2608	powershell.exe
3352	powershell.exe
64	powershell.exe
64	powershell.exe
4212	MSBuild.exe
1516	powershell.exe
1516	powershell.exe

Suspicious behavior: MapViewOfSection 3 IoCs

Processes:

Virtual.execmd.exe

pid process

2972 Virtual.exe
1612 cmd.exe
1612 cmd.exe

pid	process
2972	Virtual.exe
1612	cmd.exe
1612	cmd.exe

Suspicious use of AdjustPrivilegeToken 17 IoCs

Processes:

MSBuild.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exefszecc.exepowershell.exeapihost.exe

description	pid	process
Token: SeDebugPrivilege	4212	MSBuild.exe
Token: SeDebugPrivilege	4212	MSBuild.exe
Token: SeDebugPrivilege	3864	powershell.exe
Token: SeDebugPrivilege	2284	powershell.exe
Token: SeDebugPrivilege	2552	powershell.exe
Token: SeDebugPrivilege	4600	powershell.exe
Token: SeDebugPrivilege	1476	powershell.exe
Token: SeDebugPrivilege	1924	powershell.exe
Token: SeDebugPrivilege	4940	powershell.exe
Token: SeDebugPrivilege	2240	powershell.exe
Token: SeDebugPrivilege	840	powershell.exe
Token: SeDebugPrivilege	3352	powershell.exe
Token: SeDebugPrivilege	2608	powershell.exe
Token: SeDebugPrivilege	64	powershell.exe
Token: SeDebugPrivilege	368	fszecc.exe
Token: SeDebugPrivilege	1516	powershell.exe
Token: SeDebugPrivilege	5056	apihost.exe

Suspicious use of WriteProcessMemory 63 IoCs

Processes:

J74N3UGkQRFbJPTK.exeJ74N3UGkQRFbJPTK.exeVirtual.exeVirtual.execmd.exeMSBuild.execmd.exepowershell.exewkibyi.execmd.exepowershell.exefszecc.execmd.exe

description	pid	process	target process
PID 3520 wrote to memory of 4920	3520	J74N3UGkQRFbJPTK.exe	J74N3UGkQRFbJPTK.exe
PID 3520 wrote to memory of 4920	3520	J74N3UGkQRFbJPTK.exe	J74N3UGkQRFbJPTK.exe
PID 3520 wrote to memory of 4920	3520	J74N3UGkQRFbJPTK.exe	J74N3UGkQRFbJPTK.exe
PID 4920 wrote to memory of 4044	4920	J74N3UGkQRFbJPTK.exe	Virtual.exe
PID 4920 wrote to memory of 4044	4920	J74N3UGkQRFbJPTK.exe	Virtual.exe
PID 4044 wrote to memory of 2972	4044	Virtual.exe	Virtual.exe
PID 4044 wrote to memory of 2972	4044	Virtual.exe	Virtual.exe
PID 2972 wrote to memory of 1612	2972	Virtual.exe	cmd.exe
PID 2972 wrote to memory of 1612	2972	Virtual.exe	cmd.exe
PID 2972 wrote to memory of 1612	2972	Virtual.exe	cmd.exe
PID 2972 wrote to memory of 1612	2972	Virtual.exe	cmd.exe
PID 1612 wrote to memory of 4212	1612	cmd.exe	MSBuild.exe
PID 1612 wrote to memory of 4212	1612	cmd.exe	MSBuild.exe
PID 1612 wrote to memory of 4212	1612	cmd.exe	MSBuild.exe
PID 1612 wrote to memory of 4212	1612	cmd.exe	MSBuild.exe
PID 4212 wrote to memory of 1540	4212	MSBuild.exe	cmd.exe
PID 4212 wrote to memory of 1540	4212	MSBuild.exe	cmd.exe
PID 1540 wrote to memory of 3864	1540	cmd.exe	powershell.exe
PID 1540 wrote to memory of 3864	1540	cmd.exe	powershell.exe
PID 3864 wrote to memory of 3380	3864	powershell.exe	wkibyi.exe
PID 3864 wrote to memory of 3380	3864	powershell.exe	wkibyi.exe
PID 3380 wrote to memory of 2284	3380	wkibyi.exe	powershell.exe
PID 3380 wrote to memory of 2284	3380	wkibyi.exe	powershell.exe
PID 3380 wrote to memory of 4600	3380	wkibyi.exe	powershell.exe
PID 3380 wrote to memory of 4600	3380	wkibyi.exe	powershell.exe
PID 3380 wrote to memory of 2552	3380	wkibyi.exe	powershell.exe
PID 3380 wrote to memory of 2552	3380	wkibyi.exe	powershell.exe
PID 3380 wrote to memory of 1476	3380	wkibyi.exe	powershell.exe
PID 3380 wrote to memory of 1476	3380	wkibyi.exe	powershell.exe
PID 3380 wrote to memory of 4940	3380	wkibyi.exe	powershell.exe
PID 3380 wrote to memory of 4940	3380	wkibyi.exe	powershell.exe
PID 3380 wrote to memory of 1924	3380	wkibyi.exe	powershell.exe
PID 3380 wrote to memory of 1924	3380	wkibyi.exe	powershell.exe
PID 3380 wrote to memory of 2240	3380	wkibyi.exe	powershell.exe
PID 3380 wrote to memory of 2240	3380	wkibyi.exe	powershell.exe
PID 3380 wrote to memory of 840	3380	wkibyi.exe	powershell.exe
PID 3380 wrote to memory of 840	3380	wkibyi.exe	powershell.exe
PID 3380 wrote to memory of 3352	3380	wkibyi.exe	powershell.exe
PID 3380 wrote to memory of 3352	3380	wkibyi.exe	powershell.exe
PID 3380 wrote to memory of 2608	3380	wkibyi.exe	powershell.exe
PID 3380 wrote to memory of 2608	3380	wkibyi.exe	powershell.exe
PID 4212 wrote to memory of 3488	4212	MSBuild.exe	cmd.exe
PID 4212 wrote to memory of 3488	4212	MSBuild.exe	cmd.exe
PID 3488 wrote to memory of 64	3488	cmd.exe	powershell.exe
PID 3488 wrote to memory of 64	3488	cmd.exe	powershell.exe
PID 64 wrote to memory of 368	64	powershell.exe	fszecc.exe
PID 64 wrote to memory of 368	64	powershell.exe	fszecc.exe
PID 64 wrote to memory of 368	64	powershell.exe	fszecc.exe
PID 368 wrote to memory of 1604	368	fszecc.exe	schtasks.exe
PID 368 wrote to memory of 1604	368	fszecc.exe	schtasks.exe
PID 368 wrote to memory of 1604	368	fszecc.exe	schtasks.exe
PID 368 wrote to memory of 1516	368	fszecc.exe	powershell.exe
PID 368 wrote to memory of 1516	368	fszecc.exe	powershell.exe
PID 368 wrote to memory of 1516	368	fszecc.exe	powershell.exe
PID 368 wrote to memory of 5056	368	fszecc.exe	apihost.exe
PID 368 wrote to memory of 5056	368	fszecc.exe	apihost.exe
PID 368 wrote to memory of 5056	368	fszecc.exe	apihost.exe
PID 368 wrote to memory of 4736	368	fszecc.exe	cmd.exe
PID 368 wrote to memory of 4736	368	fszecc.exe	cmd.exe
PID 368 wrote to memory of 4736	368	fszecc.exe	cmd.exe
PID 4736 wrote to memory of 3588	4736	cmd.exe	timeout.exe
PID 4736 wrote to memory of 3588	4736	cmd.exe	timeout.exe
PID 4736 wrote to memory of 3588	4736	cmd.exe	timeout.exe

C:\Users\Admin\AppData\Local\Temp\J74N3UGkQRFbJPTK.exe
"C:\Users\Admin\AppData\Local\Temp\J74N3UGkQRFbJPTK.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3520

C:\Windows\Temp\{729C9712-212D-4017-9E89-4E41BC1BC923}\.cr\J74N3UGkQRFbJPTK.exe
"C:\Windows\Temp\{729C9712-212D-4017-9E89-4E41BC1BC923}\.cr\J74N3UGkQRFbJPTK.exe" -burn.clean.room="C:\Users\Admin\AppData\Local\Temp\J74N3UGkQRFbJPTK.exe" -burn.filehandle.attached=696 -burn.filehandle.self=700
2⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4920

C:\Windows\Temp\{4D5EF9D1-A618-4AB0-B450-6286D516115D}\.ba\Virtual.exe
"C:\Windows\Temp\{4D5EF9D1-A618-4AB0-B450-6286D516115D}\.ba\Virtual.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4044

C:\Users\Admin\AppData\Roaming\Hfdriverv4\Virtual.exe
C:\Users\Admin\AppData\Roaming\Hfdriverv4\Virtual.exe
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2972

C:\Windows\SysWOW64\cmd.exe
C:\Windows\SysWOW64\cmd.exe
5⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1612

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe
6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4212

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c start /b powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\wkibyi.exe"' & exit
7⤵
- Suspicious use of WriteProcessMemory
PID:1540

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\wkibyi.exe"'
8⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3864

C:\Users\Admin\AppData\Local\Temp\wkibyi.exe
"C:\Users\Admin\AppData\Local\Temp\wkibyi.exe"
9⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3380

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" Get-MpPreference -verbose
10⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2284

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionExtension '.exe'
10⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4600

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionExtension '.exe'
10⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2552

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionExtension '.exe'
10⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1476

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionExtension '.exe'
10⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4940

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionExtension '.exe'
10⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1924

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionExtension '.exe'
10⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2240

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionExtension '.exe'
10⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:840

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionExtension '.exe'
10⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3352

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionExtension '.exe'
10⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2608

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c start /b powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\fszecc.exe"' & exit
7⤵
- Suspicious use of WriteProcessMemory
PID:3488

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\fszecc.exe"'
8⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:64

C:\Users\Admin\AppData\Local\Temp\fszecc.exe
"C:\Users\Admin\AppData\Local\Temp\fszecc.exe"
9⤵
- Checks computer location settings
- Drops startup file
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:368

C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /create /tn GoogleSys /tr "C:\ProgramData\GoogleApi\apihost.exe" /st 18:48 /du 23:59 /sc daily /ri 1 /f
10⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
PID:1604

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Add-MpPreference -ExclusionPath 'C:\ProgramData\GoogleApi'
10⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1516

C:\ProgramData\GoogleApi\apihost.exe
"C:\ProgramData\GoogleApi\apihost.exe"
10⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
PID:5056

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpFC9B.tmp.cmd""
10⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4736

C:\Windows\SysWOW64\timeout.exe
timeout 6
11⤵
- System Location Discovery: System Language Discovery
- Delays execution with timeout.exe
PID:3588

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
6cf293cb4d80be23433eecf74ddb5503

SHA1
24fe4752df102c2ef492954d6b046cb5512ad408

SHA256
b1f292b6199aa29c7fafbca007e5f9e3f68edcbbca1965bc828cc92dc0f18bb8

SHA512
0f91e2da0da8794b9797c7b50eb5dfd27bde4546ceb6902a776664ce887dd6f12a0dd8773d612ccc76dfd029cd280778a0f0ae17ce679b3d2ffd968dd7e94a00

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
96ff1ee586a153b4e7ce8661cabc0442

SHA1
140d4ff1840cb40601489f3826954386af612136

SHA256
0673399a2f37c89d455e8658c4d30b9248bff1ea47ba40957588e2bc862976e8

SHA512
3404370d0edb4ead4874ce68525dc9bcbc6008003682646e331bf43a06a24a467ace7eff5be701a822d74c7e065d0f6a0ba0e3d6bc505d34d0189373dcacb569

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
7d9ecfe610b58440e18d2bffe5167d71

SHA1
7afeed064042ef5e614228f678a0c595699c3d84

SHA256
2c42082be2718281fe2a2bf0136bf417ff214ce7c36bc22a40d23adb1d026632

SHA512
017a63c4b81cd256adec796b9258fbae464d32af59cb654a81dd157e02896f50a252c25b6eac07fc6cb44a493b477e7debfaf9999c854dbd3fb34e24ef443c29

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
e2efbfd23e33d8d07d019bdd9ca20649

SHA1
68d3b285c423d311bdf8dc53354f5f4000caf386

SHA256
f4386e3a103dafd6e85bebc2ad649069d168b4da8a0ded51b3ec96fa1408a828

SHA512
b7a961002557ff2efb785f756c9347e250392eab3dcb5168c67e89238e85368a41d0a5bdc94bfbbc192ba427c83e982234b3cf8824b166a69973f3f9df177443

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
09c450602dd3aa72ab453336618f5509

SHA1
181fad82e0a07b66d5cc2aae77b052c6904bf5d3

SHA256
88fbb3c18730e2b7daee56fee5b125067c77bd9b566ff1ff3245d587c0e17bdb

SHA512
a89a9cdcea5b0b76b0e476cf24cc4af92a724ab97cc2876a9b84541e9aebf2384a09e15b4ba9cb71b3d90676afb5a53befd32d160326a114214258c14141956f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
20ccd8eee8fb63b0f660c38299f815d4

SHA1
5882e3b12448a5cd6ab57008c1be852ac84cade1

SHA256
cad714968818e2c4fec544ad7aa0faf5da04809f8efd1a8699d2861d0c0809e3

SHA512
28b87bd117a752ce699bd00c651c095dcfdb2a6cf71687177862c9062c3f73243ac32ac1b709804f940eef8c1f3e233593c73c4831449742c931d8c845c9fd8f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
9bc110200117a3752313ca2acaf8a9e1

SHA1
fda6b7da2e7b0175b391475ca78d1b4cf2147cd3

SHA256
c88e4bbb64f7fa31429ebe82c1cf07785c44486f37576f783a26ac856e02a4eb

SHA512
1f1af32aa18a8cbfcc65b0d4fb7e6ca2705f125eaa85789e981ee68b90c64522e954825abf460d4b4f97567715dfae8d9b0a25a4d54d10bc4c257c472f2e80fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
b1b541b9e38789682a7bedb532e127e0

SHA1
b920cbfa3396152a6fa35fdc368cf725ce16c159

SHA256
5506fa5ac49b755e612a22adbec016876ed6b0110debdcd2f6796355ccef0bb8

SHA512
d8d88551dc26ba0302cd44bb3665980f6273fd7cdc2995a2425e38bb27c963f189be6f8ce933a9f57e0694f6129e840354ca542508c459fc2391bcdeab5c9124

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
3ca1082427d7b2cd417d7c0b7fd95e4e

SHA1
b0482ff5b58ffff4f5242d77330b064190f269d3

SHA256
31f15dc6986680b158468bf0b4a1c00982b07b2889f360befd8a466113940d8f

SHA512
bbcfd8ea1e815524fda500b187483539be4a8865939f24c6e713f0a3bd90b69b4367c36aa2b09886b2006b685f81f0a77eec23ab58b7e2fb75304b412deb6ca3

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_udp2suqm.5b0.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\b4bf45a9

Filesize
3.1MB

MD5
664856f3cac65e4c9d5030482751bf0f

SHA1
9b588196dc653ba65e7078ae2025e7fcb21dab76

SHA256
d82983ed5d960fc6ae488a10c2d9e60e6f643cfd357753505b95569e78307bd1

SHA512
bf40f99aa73604dc762cbdb90bcde596a8d4e5fa1348d72376a7cfe57a3d5dabd49f1515d3e04b79a79a6c3c3b9c5ca1abe42bf08b029049a248b0eeb4e4f3c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\fszecc.exe

Filesize
138KB

MD5
2db6cce1c342026ad17f48d99e50cbc9

SHA1
04ca228aac2ea8478b20d91243e450897c51e2c5

SHA256
e0530afe1bb18c0c1e3cef400aaa5826fc55e7146c7fbdcf7ed9dd702840226b

SHA512
a5b41e3e5b5d747b80f19354940065e83eb996ec66555a381acd90e80f77ac2de8f282042e3ea668d4377ca4890299c499ebf98940f52067c9326f3da2b9a9e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpFC9B.tmp.cmd

Filesize
158B

MD5
a4cadc0c9f28828ed6e8cf1b82ed24a3

SHA1
51c28f25b56c3050c58936bff1f29c5ba2fd6066

SHA256
ae308ac5eee6b23d4d9975144649d3da54e78652eccc72566992d7cf0a3f72e9

SHA512
aa87761dad531de70404ffb12618a7226927caf31667bfe9898bf0d2bfc2510ac01e3159f560e89be9043562424d5aadb446c0ebd1b4ba499dae07a6a079c824

Download Submit
C:\Users\Admin\AppData\Local\Temp\wkibyi.exe

Filesize
7KB

MD5
8c651781dd53df2803d0bda3e9c17c86

SHA1
2da356270da05a33145c69fa3a68d0714bf8c846

SHA256
7754a9d842f7f0d7cdb3ae59b4931fcf7c13a98dae1e1b343accd7d0e328d3ac

SHA512
6d8b3fd1898dc8f3943e1f84b2e43a3a560cc1145fa03afdfa53cf2de96ed6b6e9247216b51de96cd313ebbda6b648fb36cecf51a926656ff002cfb61da2d96c

Download Submit
C:\Windows\Temp\{4D5EF9D1-A618-4AB0-B450-6286D516115D}\.ba\Dipterocarpaceae.dll

Filesize
3.3MB

MD5
ce0fa57391d0a30d8d4d4267cf7fc62a

SHA1
3d142ecb01fd9dd29eefb8608605435dab4f7e51

SHA256
425227a0b060a31b3f726f9fc5d3b5a3bd9739ba64204982a61204021424345e

SHA512
b83ee72ff13000cc05da27db20683f17fa1e412ee30abd5bdc920ff2146aaff45d4104d0dffd169be1afbecf58bdc76c5fd9ba6a6c498e1ea348f7686bc0f895

Download Submit
C:\Windows\Temp\{4D5EF9D1-A618-4AB0-B450-6286D516115D}\.ba\VBoxDDU.dll

Filesize
371KB

MD5
496df6ad1a158ed5037138e397713ef0

SHA1
287bd2219c955687baa399ded57e9ab64334c63c

SHA256
07c04290f53aaaaa7df6b6ea3a53103b6e3ef8ff658d8097617a9c48dfc6e90a

SHA512
422da26a8f50c1f02c1cc7c4bed37cdb33732039bba82f32c2a14baa8c6a7bc5544856ab26a2071b5ea8e731a296e2c69071da2f067312d05763aa3a9928bb3a

Download Submit
C:\Windows\Temp\{4D5EF9D1-A618-4AB0-B450-6286D516115D}\.ba\VBoxRT.dll

Filesize
4.1MB

MD5
54adad2532884cee2c8e6a085e5db58e

SHA1
f5e4d7ba3684a996f7bdeec53b66be035317c0f1

SHA256
3cff6c4268e1b10dfc740d30b14387a82f572000b30e3207984926ebd31bae5d

SHA512
32eba26f93627476011cedcfeb3070ced698f95826f1d076d5e9b210ea10c81cb15212c3293a618364dce75904ed8af4b3cc14dccf2cedc94b307637ddd59843

Download Submit
C:\Windows\Temp\{4D5EF9D1-A618-4AB0-B450-6286D516115D}\.ba\Virtual.exe

Filesize
3.4MB

MD5
c8a2de7077f97d4bce1a44317b49ef41

SHA1
6cb3212ec9be08cb5a29bf8d37e9ca845efc18c9

SHA256
448402c129a721812fa1c5f279f5ca906b9c8bbca652a91655d144d20ce5e6b4

SHA512
9815eba1566a8e33734f6a218071ec501dd1f799b1535e25d87c2b416b928ae8d15f8218cf20e685f9907ec39c202cbfc4728fe6ab9d87b3de345109f626845e

Download Submit
C:\Windows\Temp\{4D5EF9D1-A618-4AB0-B450-6286D516115D}\.ba\msvcp100.dll

Filesize
593KB

MD5
d029339c0f59cf662094eddf8c42b2b5

SHA1
a0b6de44255ce7bfade9a5b559dd04f2972bfdc8

SHA256
934d882efd3c0f3f1efbc238ef87708f3879f5bb456d30af62f3368d58b6aa4c

SHA512
021d9af52e68cb7a3b0042d9ed6c9418552ee16df966f9ccedd458567c47d70471cb8851a69d3982d64571369664faeeae3be90e2e88a909005b9cdb73679c82

Download Submit
C:\Windows\Temp\{4D5EF9D1-A618-4AB0-B450-6286D516115D}\.ba\msvcr100.dll

Filesize
809KB

MD5
366fd6f3a451351b5df2d7c4ecf4c73a

SHA1
50db750522b9630757f91b53df377fd4ed4e2d66

SHA256
ae3cb6c6afba9a4aa5c85f66023c35338ca579b30326dd02918f9d55259503d5

SHA512
2de764772b68a85204b7435c87e9409d753c2196cf5b2f46e7796c99a33943e167f62a92e8753eaa184cd81fb14361e83228eb1b474e0c3349ed387ec93e6130

Download Submit
C:\Windows\Temp\{4D5EF9D1-A618-4AB0-B450-6286D516115D}\.ba\togeroi

Filesize
93KB

MD5
6c278a8759cc3d2c20cb31b96cceffba

SHA1
c0a1f3a3e98b004f298f7fab69a7e0b2c3230390

SHA256
e37be4d4567d1bf3efd9a0e72522440e9971c2f73e162a831d163ae0abd0bba3

SHA512
6ddeebff2f0b81a0c571d54d3941b9a768fab9e5e9117f134291a17cb3fda6cd892b72b5803b7ca9b9b120e63b31794243c1e0337da815affd558905fe6dc406

Download Submit
C:\Windows\Temp\{4D5EF9D1-A618-4AB0-B450-6286D516115D}\.ba\yji

Filesize
2.8MB

MD5
4546983da706b1d902369838e3e025e8

SHA1
c1204dd491fe9cd8f66acb2e88168cf7aa8cf833

SHA256
a74d5f8def4628a3fd1cec46962b01d968a3ebd9621b293c5a314d97ca86b479

SHA512
3181519bcf5b7b0bb9572b48b2751743d83ba971e917859224bc4e0366ef6af926ebf9c353dce653c88f746a93fc16b1e0328747e9aa448f00e08ac93620062b

Download Submit
C:\Windows\Temp\{729C9712-212D-4017-9E89-4E41BC1BC923}\.cr\J74N3UGkQRFbJPTK.exe

Filesize
8.1MB

MD5
29d068479a2ed134b1c00f910b739a6e

SHA1
b6586ad295c40df90bb2da169519cf2f01769dff

SHA256
914b4f330d93a980d9caa1258b862a0e6284a4c4876033d06ac0076a3180298c

SHA512
ac76f743a4ce42ea2018b5af64d7e5886a23441dc808a191e0194574ebd3daf689341b3df6ed05d4e74751d1574194b7a528c39dbaa8e380767815815aa53294

Download Submit
memory/368-205-0x0000000000E10000-0x0000000000E38000-memory.dmp

Filesize
160KB

Download
memory/368-206-0x0000000005DA0000-0x0000000006344000-memory.dmp

Filesize
5.6MB

Download
memory/368-207-0x0000000005890000-0x0000000005922000-memory.dmp

Filesize
584KB

Download
memory/1516-241-0x0000000005D00000-0x0000000005D4C000-memory.dmp

Filesize
304KB

Download
memory/1516-223-0x0000000004D90000-0x00000000053B8000-memory.dmp

Filesize
6.2MB

Download
memory/1516-264-0x0000000007310000-0x0000000007318000-memory.dmp

Filesize
32KB

Download
memory/1516-263-0x0000000007330000-0x000000000734A000-memory.dmp

Filesize
104KB

Download
memory/1516-262-0x0000000007230000-0x0000000007244000-memory.dmp

Filesize
80KB

Download
memory/1516-261-0x0000000007220000-0x000000000722E000-memory.dmp

Filesize
56KB

Download
memory/1516-260-0x00000000071F0000-0x0000000007201000-memory.dmp

Filesize
68KB

Download
memory/1516-259-0x0000000007270000-0x0000000007306000-memory.dmp

Filesize
600KB

Download
memory/1516-258-0x0000000007060000-0x000000000706A000-memory.dmp

Filesize
40KB

Download
memory/1516-256-0x0000000006FF0000-0x000000000700A000-memory.dmp

Filesize
104KB

Download
memory/1516-217-0x0000000004700000-0x0000000004736000-memory.dmp

Filesize
216KB

Download
memory/1516-243-0x0000000071CB0000-0x0000000071CFC000-memory.dmp

Filesize
304KB

Download
memory/1516-225-0x0000000004C00000-0x0000000004C22000-memory.dmp

Filesize
136KB

Download
memory/1516-226-0x0000000005430000-0x0000000005496000-memory.dmp

Filesize
408KB

Download
memory/1516-227-0x00000000054A0000-0x0000000005506000-memory.dmp

Filesize
408KB

Download
memory/1516-255-0x0000000007630000-0x0000000007CAA000-memory.dmp

Filesize
6.5MB

Download
memory/1516-235-0x0000000005690000-0x00000000059E4000-memory.dmp

Filesize
3.3MB

Download
memory/1516-254-0x0000000006EC0000-0x0000000006F63000-memory.dmp

Filesize
652KB

Download
memory/1516-240-0x0000000005CD0000-0x0000000005CEE000-memory.dmp

Filesize
120KB

Download
memory/1516-253-0x0000000006280000-0x000000000629E000-memory.dmp

Filesize
120KB

Download
memory/1516-242-0x0000000006C80000-0x0000000006CB2000-memory.dmp

Filesize
200KB

Download
memory/1612-54-0x00007FFC14C10000-0x00007FFC14E05000-memory.dmp

Filesize
2.0MB

Download
memory/1612-56-0x0000000075090000-0x000000007520B000-memory.dmp

Filesize
1.5MB

Download
memory/2972-50-0x00007FFBF5FC0000-0x00007FFBF6132000-memory.dmp

Filesize
1.4MB

Download
memory/2972-51-0x00007FFBF5FC0000-0x00007FFBF6132000-memory.dmp

Filesize
1.4MB

Download
memory/3380-80-0x000001BC854D0000-0x000001BC854D6000-memory.dmp

Filesize
24KB

Download
memory/3864-66-0x0000020421D20000-0x0000020421D42000-memory.dmp

Filesize
136KB

Download
memory/4044-28-0x00007FFBF5FC0000-0x00007FFBF6132000-memory.dmp

Filesize
1.4MB

Download
memory/4212-58-0x00007FFBF3D20000-0x00007FFBF5397000-memory.dmp

Filesize
22.5MB

Download
memory/4212-61-0x0000000000400000-0x000000000066C000-memory.dmp

Filesize
2.4MB

Download
memory/4212-62-0x0000023565B90000-0x0000023565C06000-memory.dmp

Filesize
472KB

Download
memory/4212-63-0x0000023565FF0000-0x0000023566276000-memory.dmp

Filesize
2.5MB

Download
memory/4212-64-0x000002354B9F0000-0x000002354BA0E000-memory.dmp

Filesize
120KB

Download
memory/5056-257-0x00000000062E0000-0x00000000062EA000-memory.dmp

Filesize
40KB

Download