asyncrat | 1dd578c827eb3f79672a66c65b71f4571823e78cb23481bb6a86f7b2094acc57

General

Target

Client.exe
Size

63KB
MD5

95a90a84d38204747c8f158d0cb15a86
SHA1

0ad40240b22dece3be97794eae74218521bdde56
SHA256

1dd578c827eb3f79672a66c65b71f4571823e78cb23481bb6a86f7b2094acc57
SHA512

7e49f76c37456246449a4587216f626685f27e39bdd1ef7c3aafe47b1ef94a90e13cb90769717eb6b473fec6598f5a034f897f014f2b261eab57c4b4b7728fca
SSDEEP

1536:zhLpLbRQkB4+ENtJeeiMl8GbbXw/sPzhGhZVclN:zhLpLbRQkB4ttceFmGbbX1bAzY

Score

10^/10

asyncrat default discovery evasion persistence privilege_escalation rat

Malware Config

Extracted

Family

asyncrat

Version

1.0.7

Botnet

Default

Mutex

NUEJFR_RT

Attributes

delay
1
install
true
install_file
svchost.exe
install_folder
%AppData%
pastebin_config
https://pastebin.com/raw/c5xtcUfn

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Asyncrat family
asyncrat

Async RAT payload 1 IoCs

rat

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\svchost.exe	family_asyncrat

Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.

Account Manipulation
T1098
Modifies Windows Firewall 2 TTPs 2 IoCs
evasion

Windows Service
T1543.003

Disable or Modify System Firewall
T1562.004

Processes:

netsh.exenetsh.exe

pid process

1216 netsh.exe
4368 netsh.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

Client.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation Client.exe
Executes dropped EXE 1 IoCs

Processes:

svchost.exe

pid process

1764 svchost.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service
T1102

Processes:

flow ioc

27 pastebin.com
26 pastebin.com
Network Service Discovery 1 TTPs 1 IoCs
Attempt to gather information on host's network.
discovery

Network Service Discovery
T1046

Processes:

ARP.EXE

pid process

2820 ARP.EXE
Enumerates processes with tasklist 1 TTPs 1 IoCs
discovery

Process Discovery
T1057

Processes:

tasklist.exe

pid process

2012 tasklist.exe
Launches sc.exe 1 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exe

pid process

4320 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
1216	netsh.exe
4368	netsh.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	Client.exe

pid	process
1764	svchost.exe

flow	ioc
27	pastebin.com
26	pastebin.com

pid	process
2820	ARP.EXE

pid	process
2012	tasklist.exe

pid	process
4320	sc.exe

Event Triggered Execution: Netsh Helper DLL 1 TTPs 6 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

Processes:

netsh.exenetsh.exe

description	ioc	process
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

Permission Groups Discovery: Local Groups 1 TTPs
Attempt to find local system groups and permission settings.
discovery

Local Groups
T1069.001
System Network Connections Discovery 1 TTPs 1 IoCs
Attempt to get a listing of network connections.
discovery

System Network Connections Discovery
T1049

Processes:

NETSTAT.EXE

pid process

4028 NETSTAT.EXE

pid	process
4028	NETSTAT.EXE

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

taskmgr.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Collects information from the system 1 TTPs 1 IoCs
Uses WMIC.exe to find detailed system information.

Data from Local System
T1005

Processes:

WMIC.exe

pid process

716 WMIC.exe
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

4660 timeout.exe
Gathers network information 2 TTPs 2 IoCs
Uses commandline utility to view network configuration.

System Information Discovery
T1082

Command and Scripting Interpreter
T1059

Processes:

ipconfig.exeNETSTAT.EXE

pid process

1304 ipconfig.exe
4028 NETSTAT.EXE
Gathers system information 1 TTPs 1 IoCs
Runs systeminfo.exe.

System Information Discovery
T1082

Processes:

systeminfo.exe

pid process

3036 systeminfo.exe
Runs net.exe
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence execution

Scheduled Task
T1053.005

Processes:

schtasks.exe

pid process

2732 schtasks.exe

pid	process
716	WMIC.exe

pid	process
4660	timeout.exe

pid	process
1304	ipconfig.exe
4028	NETSTAT.EXE

pid	process
3036	systeminfo.exe

pid	process
2732	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

Client.exetaskmgr.exe

pid	process
1656	Client.exe
1656	Client.exe
1656	Client.exe
1656	Client.exe
1656	Client.exe
1656	Client.exe
1656	Client.exe
1656	Client.exe
1656	Client.exe
1656	Client.exe
1656	Client.exe
1656	Client.exe
1656	Client.exe
1656	Client.exe
1656	Client.exe
1656	Client.exe
1656	Client.exe
1656	Client.exe
1656	Client.exe
1656	Client.exe
1656	Client.exe
1656	Client.exe
1656	Client.exe
3656	taskmgr.exe
3656	taskmgr.exe
3656	taskmgr.exe
3656	taskmgr.exe
3656	taskmgr.exe
3656	taskmgr.exe
3656	taskmgr.exe
3656	taskmgr.exe
3656	taskmgr.exe
3656	taskmgr.exe
3656	taskmgr.exe
3656	taskmgr.exe
3656	taskmgr.exe
3656	taskmgr.exe
3656	taskmgr.exe
3656	taskmgr.exe
3656	taskmgr.exe
3656	taskmgr.exe
3656	taskmgr.exe
3656	taskmgr.exe
3656	taskmgr.exe
3656	taskmgr.exe
3656	taskmgr.exe
3656	taskmgr.exe
3656	taskmgr.exe
3656	taskmgr.exe
3656	taskmgr.exe
3656	taskmgr.exe
3656	taskmgr.exe
3656	taskmgr.exe
3656	taskmgr.exe
3656	taskmgr.exe
3656	taskmgr.exe
3656	taskmgr.exe
3656	taskmgr.exe
3656	taskmgr.exe
3656	taskmgr.exe
3656	taskmgr.exe
3656	taskmgr.exe
3656	taskmgr.exe
3656	taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

taskmgr.exe

pid process

3656 taskmgr.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

Client.exetaskmgr.exesvchost.exeWMIC.exeWMIC.exe

description	pid	process
Token: SeDebugPrivilege	1656	Client.exe
Token: SeDebugPrivilege	3656	taskmgr.exe
Token: SeSystemProfilePrivilege	3656	taskmgr.exe
Token: SeCreateGlobalPrivilege	3656	taskmgr.exe
Token: SeDebugPrivilege	1764	svchost.exe
Token: SeIncreaseQuotaPrivilege	716	WMIC.exe
Token: SeSecurityPrivilege	716	WMIC.exe
Token: SeTakeOwnershipPrivilege	716	WMIC.exe
Token: SeLoadDriverPrivilege	716	WMIC.exe
Token: SeSystemProfilePrivilege	716	WMIC.exe
Token: SeSystemtimePrivilege	716	WMIC.exe
Token: SeProfSingleProcessPrivilege	716	WMIC.exe
Token: SeIncBasePriorityPrivilege	716	WMIC.exe
Token: SeCreatePagefilePrivilege	716	WMIC.exe
Token: SeBackupPrivilege	716	WMIC.exe
Token: SeRestorePrivilege	716	WMIC.exe
Token: SeShutdownPrivilege	716	WMIC.exe
Token: SeDebugPrivilege	716	WMIC.exe
Token: SeSystemEnvironmentPrivilege	716	WMIC.exe
Token: SeRemoteShutdownPrivilege	716	WMIC.exe
Token: SeUndockPrivilege	716	WMIC.exe
Token: SeManageVolumePrivilege	716	WMIC.exe
Token: 33	716	WMIC.exe
Token: 34	716	WMIC.exe
Token: 35	716	WMIC.exe
Token: 36	716	WMIC.exe
Token: SeIncreaseQuotaPrivilege	716	WMIC.exe
Token: SeSecurityPrivilege	716	WMIC.exe
Token: SeTakeOwnershipPrivilege	716	WMIC.exe
Token: SeLoadDriverPrivilege	716	WMIC.exe
Token: SeSystemProfilePrivilege	716	WMIC.exe
Token: SeSystemtimePrivilege	716	WMIC.exe
Token: SeProfSingleProcessPrivilege	716	WMIC.exe
Token: SeIncBasePriorityPrivilege	716	WMIC.exe
Token: SeCreatePagefilePrivilege	716	WMIC.exe
Token: SeBackupPrivilege	716	WMIC.exe
Token: SeRestorePrivilege	716	WMIC.exe
Token: SeShutdownPrivilege	716	WMIC.exe
Token: SeDebugPrivilege	716	WMIC.exe
Token: SeSystemEnvironmentPrivilege	716	WMIC.exe
Token: SeRemoteShutdownPrivilege	716	WMIC.exe
Token: SeUndockPrivilege	716	WMIC.exe
Token: SeManageVolumePrivilege	716	WMIC.exe
Token: 33	716	WMIC.exe
Token: 34	716	WMIC.exe
Token: 35	716	WMIC.exe
Token: 36	716	WMIC.exe
Token: SeIncreaseQuotaPrivilege	780	WMIC.exe
Token: SeSecurityPrivilege	780	WMIC.exe
Token: SeTakeOwnershipPrivilege	780	WMIC.exe
Token: SeLoadDriverPrivilege	780	WMIC.exe
Token: SeSystemProfilePrivilege	780	WMIC.exe
Token: SeSystemtimePrivilege	780	WMIC.exe
Token: SeProfSingleProcessPrivilege	780	WMIC.exe
Token: SeIncBasePriorityPrivilege	780	WMIC.exe
Token: SeCreatePagefilePrivilege	780	WMIC.exe
Token: SeBackupPrivilege	780	WMIC.exe
Token: SeRestorePrivilege	780	WMIC.exe
Token: SeShutdownPrivilege	780	WMIC.exe
Token: SeDebugPrivilege	780	WMIC.exe
Token: SeSystemEnvironmentPrivilege	780	WMIC.exe
Token: SeRemoteShutdownPrivilege	780	WMIC.exe
Token: SeUndockPrivilege	780	WMIC.exe
Token: SeManageVolumePrivilege	780	WMIC.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

taskmgr.exe

pid	process
3656	taskmgr.exe
3656	taskmgr.exe
3656	taskmgr.exe
3656	taskmgr.exe
3656	taskmgr.exe
3656	taskmgr.exe
3656	taskmgr.exe
3656	taskmgr.exe
3656	taskmgr.exe
3656	taskmgr.exe
3656	taskmgr.exe
3656	taskmgr.exe
3656	taskmgr.exe
3656	taskmgr.exe
3656	taskmgr.exe
3656	taskmgr.exe
3656	taskmgr.exe
3656	taskmgr.exe
3656	taskmgr.exe
3656	taskmgr.exe
3656	taskmgr.exe
3656	taskmgr.exe
3656	taskmgr.exe
3656	taskmgr.exe
3656	taskmgr.exe
3656	taskmgr.exe
3656	taskmgr.exe
3656	taskmgr.exe
3656	taskmgr.exe
3656	taskmgr.exe
3656	taskmgr.exe
3656	taskmgr.exe
3656	taskmgr.exe
3656	taskmgr.exe
3656	taskmgr.exe
3656	taskmgr.exe
3656	taskmgr.exe
3656	taskmgr.exe
3656	taskmgr.exe
3656	taskmgr.exe
3656	taskmgr.exe
3656	taskmgr.exe
3656	taskmgr.exe
3656	taskmgr.exe
3656	taskmgr.exe
3656	taskmgr.exe
3656	taskmgr.exe
3656	taskmgr.exe
3656	taskmgr.exe
3656	taskmgr.exe
3656	taskmgr.exe
3656	taskmgr.exe
3656	taskmgr.exe
3656	taskmgr.exe
3656	taskmgr.exe
3656	taskmgr.exe
3656	taskmgr.exe
3656	taskmgr.exe
3656	taskmgr.exe
3656	taskmgr.exe
3656	taskmgr.exe
3656	taskmgr.exe
3656	taskmgr.exe
3656	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

Processes:

taskmgr.exe

pid	process
3656	taskmgr.exe
3656	taskmgr.exe
3656	taskmgr.exe
3656	taskmgr.exe
3656	taskmgr.exe
3656	taskmgr.exe
3656	taskmgr.exe
3656	taskmgr.exe
3656	taskmgr.exe
3656	taskmgr.exe
3656	taskmgr.exe
3656	taskmgr.exe
3656	taskmgr.exe
3656	taskmgr.exe
3656	taskmgr.exe
3656	taskmgr.exe
3656	taskmgr.exe
3656	taskmgr.exe
3656	taskmgr.exe
3656	taskmgr.exe
3656	taskmgr.exe
3656	taskmgr.exe
3656	taskmgr.exe
3656	taskmgr.exe
3656	taskmgr.exe
3656	taskmgr.exe
3656	taskmgr.exe
3656	taskmgr.exe
3656	taskmgr.exe
3656	taskmgr.exe
3656	taskmgr.exe
3656	taskmgr.exe
3656	taskmgr.exe
3656	taskmgr.exe
3656	taskmgr.exe
3656	taskmgr.exe
3656	taskmgr.exe
3656	taskmgr.exe
3656	taskmgr.exe
3656	taskmgr.exe
3656	taskmgr.exe
3656	taskmgr.exe
3656	taskmgr.exe
3656	taskmgr.exe
3656	taskmgr.exe
3656	taskmgr.exe
3656	taskmgr.exe
3656	taskmgr.exe
3656	taskmgr.exe
3656	taskmgr.exe
3656	taskmgr.exe
3656	taskmgr.exe
3656	taskmgr.exe
3656	taskmgr.exe
3656	taskmgr.exe
3656	taskmgr.exe
3656	taskmgr.exe
3656	taskmgr.exe
3656	taskmgr.exe
3656	taskmgr.exe
3656	taskmgr.exe
3656	taskmgr.exe
3656	taskmgr.exe
3656	taskmgr.exe

Suspicious use of WriteProcessMemory 60 IoCs

Processes:

Client.execmd.execmd.exesvchost.execmd.exenet.exequery.exenet.exenet.exenet.exenet.exe

description	pid	process	target process
PID 1656 wrote to memory of 3232	1656	Client.exe	cmd.exe
PID 1656 wrote to memory of 3232	1656	Client.exe	cmd.exe
PID 1656 wrote to memory of 1608	1656	Client.exe	cmd.exe
PID 1656 wrote to memory of 1608	1656	Client.exe	cmd.exe
PID 1608 wrote to memory of 4660	1608	cmd.exe	timeout.exe
PID 1608 wrote to memory of 4660	1608	cmd.exe	timeout.exe
PID 3232 wrote to memory of 2732	3232	cmd.exe	schtasks.exe
PID 3232 wrote to memory of 2732	3232	cmd.exe	schtasks.exe
PID 1608 wrote to memory of 1764	1608	cmd.exe	svchost.exe
PID 1608 wrote to memory of 1764	1608	cmd.exe	svchost.exe
PID 1764 wrote to memory of 2948	1764	svchost.exe	cmd.exe
PID 1764 wrote to memory of 2948	1764	svchost.exe	cmd.exe
PID 2948 wrote to memory of 3036	2948	cmd.exe	systeminfo.exe
PID 2948 wrote to memory of 3036	2948	cmd.exe	systeminfo.exe
PID 2948 wrote to memory of 4548	2948	cmd.exe	HOSTNAME.EXE
PID 2948 wrote to memory of 4548	2948	cmd.exe	HOSTNAME.EXE
PID 2948 wrote to memory of 716	2948	cmd.exe	WMIC.exe
PID 2948 wrote to memory of 716	2948	cmd.exe	WMIC.exe
PID 2948 wrote to memory of 2772	2948	cmd.exe	net.exe
PID 2948 wrote to memory of 2772	2948	cmd.exe	net.exe
PID 2772 wrote to memory of 4416	2772	net.exe	net1.exe
PID 2772 wrote to memory of 4416	2772	net.exe	net1.exe
PID 2948 wrote to memory of 3980	2948	cmd.exe	query.exe
PID 2948 wrote to memory of 3980	2948	cmd.exe	query.exe
PID 3980 wrote to memory of 4344	3980	query.exe	quser.exe
PID 3980 wrote to memory of 4344	3980	query.exe	quser.exe
PID 2948 wrote to memory of 384	2948	cmd.exe	net.exe
PID 2948 wrote to memory of 384	2948	cmd.exe	net.exe
PID 384 wrote to memory of 4240	384	net.exe	net1.exe
PID 384 wrote to memory of 4240	384	net.exe	net1.exe
PID 2948 wrote to memory of 1536	2948	cmd.exe	net.exe
PID 2948 wrote to memory of 1536	2948	cmd.exe	net.exe
PID 1536 wrote to memory of 2060	1536	net.exe	net1.exe
PID 1536 wrote to memory of 2060	1536	net.exe	net1.exe
PID 2948 wrote to memory of 4644	2948	cmd.exe	net.exe
PID 2948 wrote to memory of 4644	2948	cmd.exe	net.exe
PID 4644 wrote to memory of 4868	4644	net.exe	net1.exe
PID 4644 wrote to memory of 4868	4644	net.exe	net1.exe
PID 2948 wrote to memory of 2192	2948	cmd.exe	net.exe
PID 2948 wrote to memory of 2192	2948	cmd.exe	net.exe
PID 2192 wrote to memory of 5032	2192	net.exe	net1.exe
PID 2192 wrote to memory of 5032	2192	net.exe	net1.exe
PID 2948 wrote to memory of 780	2948	cmd.exe	WMIC.exe
PID 2948 wrote to memory of 780	2948	cmd.exe	WMIC.exe
PID 2948 wrote to memory of 2012	2948	cmd.exe	tasklist.exe
PID 2948 wrote to memory of 2012	2948	cmd.exe	tasklist.exe
PID 2948 wrote to memory of 1304	2948	cmd.exe	ipconfig.exe
PID 2948 wrote to memory of 1304	2948	cmd.exe	ipconfig.exe
PID 2948 wrote to memory of 4072	2948	cmd.exe	ROUTE.EXE
PID 2948 wrote to memory of 4072	2948	cmd.exe	ROUTE.EXE
PID 2948 wrote to memory of 2820	2948	cmd.exe	ARP.EXE
PID 2948 wrote to memory of 2820	2948	cmd.exe	ARP.EXE
PID 2948 wrote to memory of 4028	2948	cmd.exe	NETSTAT.EXE
PID 2948 wrote to memory of 4028	2948	cmd.exe	NETSTAT.EXE
PID 2948 wrote to memory of 4320	2948	cmd.exe	sc.exe
PID 2948 wrote to memory of 4320	2948	cmd.exe	sc.exe
PID 2948 wrote to memory of 1216	2948	cmd.exe	netsh.exe
PID 2948 wrote to memory of 1216	2948	cmd.exe	netsh.exe
PID 2948 wrote to memory of 4368	2948	cmd.exe	netsh.exe
PID 2948 wrote to memory of 4368	2948	cmd.exe	netsh.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Client.exe
"C:\Users\Admin\AppData\Local\Temp\Client.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1656

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\AppData\Roaming\svchost.exe"' & exit
2⤵
- Suspicious use of WriteProcessMemory
PID:3232

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\AppData\Roaming\svchost.exe"'
3⤵
- Scheduled Task/Job: Scheduled Task
PID:2732

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp9460.tmp.bat""
2⤵
- Suspicious use of WriteProcessMemory
PID:1608

C:\Windows\system32\timeout.exe
timeout 3
3⤵
- Delays execution with timeout.exe
PID:4660

C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe"
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1764

C:\Windows\SYSTEM32\cmd.exe
"cmd.exe"
4⤵
- Suspicious use of WriteProcessMemory
PID:2948

C:\Windows\system32\systeminfo.exe
systeminfo
5⤵
- Gathers system information
PID:3036

C:\Windows\system32\HOSTNAME.EXE
hostname
5⤵
PID:4548

C:\Windows\System32\Wbem\WMIC.exe
wmic logicaldisk get caption,description,providername
5⤵
- Collects information from the system
- Suspicious use of AdjustPrivilegeToken
PID:716

C:\Windows\system32\net.exe
net user
5⤵
- Suspicious use of WriteProcessMemory
PID:2772

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user
6⤵
PID:4416

C:\Windows\system32\query.exe
query user
5⤵
- Suspicious use of WriteProcessMemory
PID:3980

C:\Windows\system32\quser.exe
"C:\Windows\system32\quser.exe"
6⤵
PID:4344

C:\Windows\system32\net.exe
net localgroup
5⤵
- Suspicious use of WriteProcessMemory
PID:384

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 localgroup
6⤵
PID:4240

C:\Windows\system32\net.exe
net localgroup administrators
5⤵
- Suspicious use of WriteProcessMemory
PID:1536

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 localgroup administrators
6⤵
PID:2060

C:\Windows\system32\net.exe
net user guest
5⤵
- Suspicious use of WriteProcessMemory
PID:4644

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user guest
6⤵
PID:4868

C:\Windows\system32\net.exe
net user administrator
5⤵
- Suspicious use of WriteProcessMemory
PID:2192

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user administrator
6⤵
PID:5032

C:\Windows\System32\Wbem\WMIC.exe
wmic startup get caption,command
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:780

C:\Windows\system32\tasklist.exe
tasklist /svc
5⤵
- Enumerates processes with tasklist
PID:2012

C:\Windows\system32\ipconfig.exe
ipconfig /all
5⤵
- Gathers network information
PID:1304

C:\Windows\system32\ROUTE.EXE
route print
5⤵
PID:4072

C:\Windows\system32\ARP.EXE
arp -a
5⤵
- Network Service Discovery
PID:2820

C:\Windows\system32\NETSTAT.EXE
netstat -ano
5⤵
- System Network Connections Discovery
- Gathers network information
PID:4028

C:\Windows\system32\sc.exe
sc query type= service state= all
5⤵
- Launches sc.exe
PID:4320

C:\Windows\system32\netsh.exe
netsh firewall show state
5⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
PID:1216

C:\Windows\system32\netsh.exe
netsh firewall show config
5⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
PID:4368

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3656

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Account Manipulation

1

T1098

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Event Triggered Execution

1

T1546

Netsh Helper DLL

1

T1546.007

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Account Manipulation

1

T1098

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Event Triggered Execution

1

T1546

Netsh Helper DLL

1

T1546.007

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Impair Defenses

1

T1562

Disable or Modify System Firewall

1

T1562.004

Credential Access

Discovery

Network Service Discovery

1

T1046

Peripheral Device Discovery

1

T1120

Permission Groups Discovery

1

T1069

Local Groups

Process Discovery

Query Registry

System Information Discovery

5

T1082

System Network Connections Discovery

1

T1049

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp9460.tmp.bat

Filesize
151B

MD5
3781f2c076a032ac781792c8cf03c774

SHA1
5fa7dbb18906f044f10fef2d6fff420b49db14b1

SHA256
592a366590db574560bd3851105311de17822423e2928d7456d5397528384c94

SHA512
3e0af0305719e5d86db3861c58d74e58453a52c0402238df8f1d664fde800dfa2696e68edbad994e84043a6d6ba42da1a83d37c27873063364d5e2e1561709aa

Download Submit
C:\Users\Admin\AppData\Roaming\svchost.exe

Filesize
63KB

MD5
95a90a84d38204747c8f158d0cb15a86

SHA1
0ad40240b22dece3be97794eae74218521bdde56

SHA256
1dd578c827eb3f79672a66c65b71f4571823e78cb23481bb6a86f7b2094acc57

SHA512
7e49f76c37456246449a4587216f626685f27e39bdd1ef7c3aafe47b1ef94a90e13cb90769717eb6b473fec6598f5a034f897f014f2b261eab57c4b4b7728fca

Download Submit
\??\PIPE\lsarpc

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/1656-0-0x00007FFB668C3000-0x00007FFB668C5000-memory.dmp

Filesize
8KB

Download
memory/1656-7-0x00007FFB668C0000-0x00007FFB67381000-memory.dmp

Filesize
10.8MB

Download
memory/1656-2-0x00007FFB668C0000-0x00007FFB67381000-memory.dmp

Filesize
10.8MB

Download
memory/1656-1-0x0000000000E80000-0x0000000000E96000-memory.dmp

Filesize
88KB

Download
memory/1764-27-0x000000001D3D0000-0x000000001D446000-memory.dmp

Filesize
472KB

Download
memory/1764-36-0x000000001D080000-0x000000001D08C000-memory.dmp

Filesize
48KB

Download
memory/1764-33-0x000000001D070000-0x000000001D07C000-memory.dmp

Filesize
48KB

Download
memory/1764-32-0x000000001CC40000-0x000000001CC4E000-memory.dmp

Filesize
56KB

Download
memory/1764-30-0x000000001D570000-0x000000001D5E8000-memory.dmp

Filesize
480KB

Download
memory/1764-29-0x000000001D380000-0x000000001D39E000-memory.dmp

Filesize
120KB

Download
memory/1764-28-0x000000001D350000-0x000000001D360000-memory.dmp

Filesize
64KB

Download
memory/3656-12-0x000001682B900000-0x000001682B901000-memory.dmp

Filesize
4KB

Download
memory/3656-19-0x000001682B900000-0x000001682B901000-memory.dmp

Filesize
4KB

Download
memory/3656-20-0x000001682B900000-0x000001682B901000-memory.dmp

Filesize
4KB

Download
memory/3656-21-0x000001682B900000-0x000001682B901000-memory.dmp

Filesize
4KB

Download
memory/3656-22-0x000001682B900000-0x000001682B901000-memory.dmp

Filesize
4KB

Download
memory/3656-23-0x000001682B900000-0x000001682B901000-memory.dmp

Filesize
4KB

Download
memory/3656-24-0x000001682B900000-0x000001682B901000-memory.dmp

Filesize
4KB

Download
memory/3656-18-0x000001682B900000-0x000001682B901000-memory.dmp

Filesize
4KB

Download
memory/3656-14-0x000001682B900000-0x000001682B901000-memory.dmp

Filesize
4KB

Download
memory/3656-13-0x000001682B900000-0x000001682B901000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads